华为云前置准备
本文主要介绍创建 BYOC 类型仓库涉及的华为云平台相关操作,包括准备 IAM 用户并授权、准备虚拟私有云 VPC 和子网、了解资源编排和资源栈 等。
准备 IAM 用户并授权
创建 BYOC 类型仓库前,需提前准备好具备相关权限的华为云 IAM 用户。
请将此文档发送给您的华为云平台管理员,请求管理员参照此文档为您创建 IAM 用户,并授权。
管理员访问华为云 统一身份认证服务 IAM (opens in a new tab) 控制台,执行以下操作:
创建 IAM 用户
提示: 如果已有 IAM 用户,可以跳过创建 IAM 用户步骤。
点击左侧 用户,进入用户管理页面,点击创建用户,输入相关信息,完成创建。
创建 IAM 用户组
提示: 如果已有 IAM 用户组,可以跳过创建 IAM 用户组步骤。
点击左侧 用户组,进入用户组管理页面,点击创建用户组,输入相关信息,完成创建。
创建权限策略并授权
创建 SelectDB Cloud BYOC 类型仓库时,需要通过资源编排服务(RFS)执行资源栈模板,会创建 ECS、VPC、OBS 等云资源或进行相关操作,因此需要一系列 IAM 权限。
请参照下面步骤为 IAM 用户或用户组添加权限。
1. 创建权限策略: 点击左侧 权限管理 > 权限,进入权限策略管理页面,点击创建自定义策略
对于华为云,一共需要两条权限,分别针对区域级别服务和全局级别服务。 首先创建针对区域级别服务的权限策略,输入名称,切换到JSON模式,清空原有文本框,复制以下脚本,输入文本框。详细的权限说明,请见下文 资源栈模板依赖的权限说明 部分。
{
"Statement": [
{
"Action": [
"ecs:cloudServers:list",
"ecs:cloudServers:createServers",
"ecs:cloudServers:deleteServers",
"ecs:cloudServers:updateServer",
"ecs:cloudServers:changeChargeMode",
"ecs:cloudServers:resize",
"ecs:cloudServers:reboot",
"ecs:cloudServers:stop",
"ecs:cloudServers:start",
"ecs:cloudServers:showServerBlockDevice",
"ecs:cloudServers:listServerBlockDevices",
"ecs:servers:get",
"ecs:servers:list",
"ecs:servers:start",
"ecs:servers:stop",
"ecs:servers:reboot",
"ecs:servers:resize",
"ecs:securityGroups:use",
"ecs:servers:getTags",
"ecs:servers:setTags",
"vpc:ports:create",
"vpc:ports:update",
"vpc:ports:delete"
],
"Condition": {
"StringEquals": {
"g:ResourceTag/resource-created-by": [
"selectdb"
]
}
},
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"ecs:cloudServers:showServer",
"ecs:cloudServers:batchSetServerTags",
"evs:volumeTags:create",
"evs:volumeTags:delete",
"evs:volumes:*",
"evs:volumes:get",
"evs:volumes:extend",
"bss:renewal:update",
"bss:order:view",
"bss:order:pay",
"vpc:vpcs:get",
"vpc:vpcs:list",
"vpc:bandwidths:get",
"vpc:subnets:get",
"vpc:subnetTags:get",
"vpc:publicIps:get",
"vpc:publicIps:list",
"vpc:publicIps:create",
"vpc:publicIps:delete",
"vpc:publicIps:update",
"vpc:publicipTags:create",
"vpc:publicipTags:delete",
"vpcep:epservices:get",
"vpcep:endpoints:get",
"vpcep:quotas:get",
"vpcep:tags:get",
"vpcep:tags:list",
"vpcep:tags:update",
"vpcep:epserviceDesc:get",
"vpcep:endpoints:create",
"vpcep:endpoints:delete",
"vpc:securityGroups:get",
"vpc:securityGroups:create",
"vpc:securityGroups:delete",
"vpc:securityGroups:update",
"vpc:securityGroupRules:get",
"vpc:securityGroupRules:create",
"vpc:securityGroupRules:delete",
"vpc:securityGroupTags:create",
"vpc:securityGroupTags:delete",
"vpc:ports:get",
"elb:loadbalancers:get",
"elb:loadbalancers:list",
"elb:loadbalancers:create",
"elb:loadbalancers:delete",
"elb:loadbalancerTags:get",
"elb:loadbalancerTags:create",
"elb:loadbalancerTags:delete",
"elb:listeners:get",
"elb:listeners:list",
"elb:listeners:create",
"elb:listeners:delete",
"elb:listenerTags:get",
"elb:listenerTags:create",
"elb:listenerTags:delete",
"elb:pools:get",
"elb:pools:list",
"elb:pools:create",
"elb:pools:delete",
"elb:members:get",
"elb:members:list",
"elb:members:create",
"elb:members:delete",
"elb:l7policies:get",
"elb:l7policies:list",
"elb:l7policies:create",
"elb:l7policies:delete",
"elb:l7rules:get",
"elb:l7rules:list",
"elb:l7rules:create",
"elb:l7rules:delete",
"elb:healthmonitors:get",
"elb:healthmonitors:list",
"elb:healthmonitors:put",
"elb:healthmonitors:create",
"elb:healthmonitors:delete",
"elb:ipgroups:get",
"elb:ipgroups:list",
"elb:ipgroups:create",
"elb:ipgroups:put",
"elb:ipgroups:delete"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"rf:*:*"
],
"Resource": [
"*"
]
}
],
"Version": "1.1"
}
同上,创建针对全局级别服务的权限策略,输入名称,切换到JSON模式,清空原有文本框,复制以下脚本,输入文本框。
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"obs:bucket:*",
"obs:object:*"
],
"Resource": [
"OBS:*:*:bucket:selectdb-bucket-*",
"OBS:*:*:object:selectdb-bucket-*/*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:permissions:addUserToGroup",
"iam:users:listUsersForGroup",
"iam:permissions:removeUserFromGroup",
"iam:groups:listGroupsForUser",
"iam:permissions:checkUserInGroup",
"iam:users:updateUser",
"iam:users:createUser",
"iam:users:listUsers",
"iam:users:getUser",
"iam:users:deleteUser",
"iam:projects:listProjectsForUser",
"iam:roles:getRole",
"iam:roles:listRoles",
"iam:roles:createRole",
"iam:roles:updateRole",
"iam:roles:deleteRole",
"iam:permissions:revokeRoleFromGroup",
"iam:permissions:listRolesForGroupOnDomain",
"iam:permissions:checkRoleForGroupOnDomain",
"iam:permissions:grantRoleToGroup",
"iam:groups:listGroups",
"iam:groups:createGroup",
"iam:permissions:revokeRoleFromGroupOnDomain",
"iam:permissions:listRolesForGroup",
"iam:permissions:grantRoleToGroupOnProject",
"iam:permissions:checkRoleForGroup",
"iam:groups:deleteGroup",
"iam:groups:updateGroup",
"iam:permissions:grantRoleToGroupOnDomain",
"iam:permissions:revokeRoleFromGroupOnProject",
"iam:groups:getGroup",
"iam:permissions:listRolesForAgencyOnDomain",
"iam:permissions:revokeRoleFromAgencyOnDomain",
"iam:permissions:listRolesForAgency",
"iam:permissions:checkRoleForAgencyOnProject",
"iam:permissions:listRolesForGroupOnProject",
"iam:permissions:checkRoleForGroupOnProject",
"iam:permissions:checkRoleForAgency",
"iam:permissions:listRolesForAgencyOnProject",
"iam:permissions:grantRoleToAgencyOnDomain",
"iam:permissions:revokeRoleFromAgencyOnProject",
"iam:permissions:grantRoleToAgency",
"iam:permissions:grantRoleToAgencyOnProject",
"iam:permissions:revokeRoleFromAgency",
"iam:tokens:assume",
"iam:agencies:listAgencies"
],
"Resource": [
"*"
]
}
]
}
点击确定,完成创建权限策略。
2. 为 IAM 用户组授权权限策略:
在用户组列表页,点击授权操作,进入授权页面。
筛选自定义策略,勾选上述步骤创建的自定义策略,点击下一步。
选择所有资源,点击确定,完成授权。
至此,您已完成 IAM 用户及用户组创建,并已完成授权。
准备虚拟私有云 VPC 和子网
提示:
- 如果已有符合地域要求的 VPC,并期望将 BYOC 仓库部署在此 VPC 内,可以跳过下面创建虚拟私有云 VPC 和子网步骤。
- 当前支持的地域和子网可用区为:
| 云平台 | 地域名称 | 地域 ID | 可用区 ID |
|---|---|---|---|
| 华为云 | 北京 | cn-north-4 | 所有 |
| 华为云 | 新加坡 | ap-southeast-3 | 所有 |
| 华为云 | 广州 | cn-south-1 | 所有 |
创建 BYOC 类型仓库前,需要使用上述 IAM 用户提前创建虚拟私有云 VPC 和子网,以下是具体操作。
打开华为云 虚拟私有云 VPC (opens in a new tab) 控制台,点击 创建虚拟私有云,进入 VPC 创建页面。
选择您期望创建 BYOC 仓库的地域,输入名称、选择 IPv4 网段、企业项目,输入子网名称和可用区,点击立即创建完成创建。
了解资源编排和资源栈
当用户创建 BYOC 类型仓库时,会首先借助云厂商的资源编排服务自动部署 Agent,完成 Agent 与 SelectDB Cloud 平台之间的私有连接,然后由 Agent 负责 BYOC 仓库的部署与管理工作。
RFS 资源编排模板说明
SelectDB 提供的资源编排模板运行在您的云账号下,并且模版代码可见、可审计,不会对您的数据与 VPC 内的其他环境进行操作。您可以通过以下链接获取 SelectDB 提供的资源编排模板:
https://selectdb-cloud-online-bj.obs.cn-north-4.myhuaweicloud.com/selectdb/public/hwcloud-byoc.zip当您通过华为云 RFS 执行上述资源模板时,它会自动进行 Agent 的创建与部署。然后 Agent 会与 SelectDB Cloud 建立私有连接,并完成仓库初始化流程。
在完成资源编排脚本执行后,您即可从 SelectDB Cloud 平台进入相应仓库,像使用普通的仓库一样,开始新建用于数据分析的计算集群。
如何查看资源栈信息
您可以通过华为云 RFS 产品界面,查看由 SelectDB 资源栈模板创建的所有资源信息,并可通过资源名称查看特定资源。
注意 所有资源栈模版创建出来的资源,都属于您的云账号,并只在您的 VPC 内使用,不会外泄。
- 虚拟机
- 名称:
- SelectDBAgent(ECS)
- SelectDBEip(VPC EIP)
- 用途:
- 用于部署 Agent、Prometheus、FluentBit 等程序
- 挂载在 Agent 机器上,为访问 BSS 服务提供公网能力
- 名称:
- 终端节点
- 名称:SelectDBEndpoint(VPC Endpoint)
- 用途:与 SelectDB Cloud 平台建立私网连接,从而可以拉取管控指令、推送监控和日志
- 存储桶
- 名称:SelectDBBucket(OBS Bucket)
- 用途:用于存储数仓数据
- 安全组
- 名称:SelectDBSecurityGroup(VPC SecurityGroup)
- 用途:绑定在终端节点和 ECS 实例,并通过安全组规则限定特定端口特定子网的流量才能通行(允许来自同一子网的8666端口流量入网,允许所有端口流量出网)
- 子用户
- 名称:
- SelectDBUser(子用户)
- SelectDBUserRegionPolicy(子用户权限---针对地域级别服务)
- SelectDBUserGlobalPolicy(子用户权限---针对全局级别服务)
- 用途:创建出的子用户具备 Agent 所需的最小权限,之后进行的所有业务操作均使用该子用户的身份(所有子用户信息只会在用户 VPC 内使用,不会外泄)
- 名称:
资源栈模板依赖的权限说明
在您的云账号下通过资源编排服务(RFS)执行资源栈模板时,会创建 ECS、VPC、OBS 等云资源或进行相关操作,因此需要一系列 IAM 权限。在正式执行前,请确保执行此模板的用户具备相应权限,否则可能会遇到执行模板失败的情况。
注意 资源栈模版的执行过程完全在您的云账号下进行,创建出来的资源也都属于您的云账号。SelectDB 不会获取您的云账号信息,也无法使用该账号的相应 IAM 权限。
以下是根据模板中定义的资源和操作所需的权限:
-
权限汇总:
- 针对区域级别服务策略
{ "Statement": [ { "Action": [ "ecs:cloudServers:list", "ecs:cloudServers:createServers", "ecs:cloudServers:deleteServers", "ecs:cloudServers:updateServer", "ecs:cloudServers:changeChargeMode", "ecs:cloudServers:resize", "ecs:cloudServers:reboot", "ecs:cloudServers:stop", "ecs:cloudServers:start", "ecs:cloudServers:showServerBlockDevice", "ecs:cloudServers:listServerBlockDevices", "ecs:servers:get", "ecs:servers:list", "ecs:servers:start", "ecs:servers:stop", "ecs:servers:reboot", "ecs:servers:resize", "ecs:securityGroups:use", "ecs:servers:getTags", "ecs:servers:setTags", "vpc:ports:create", "vpc:ports:update", "vpc:ports:delete" ], "Condition": { "StringEquals": { "g:ResourceTag/resource-created-by": [ "selectdb" ] } }, "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "ecs:cloudServers:showServer", "ecs:cloudServers:batchSetServerTags", "evs:volumeTags:create", "evs:volumeTags:delete", "evs:volumes:*", "evs:volumes:get", "evs:volumes:extend", "bss:renewal:update", "bss:order:view", "bss:order:pay", "vpc:vpcs:get", "vpc:vpcs:list", "vpc:bandwidths:get", "vpc:subnets:get", "vpc:subnetTags:get", "vpc:publicIps:get", "vpc:publicIps:list", "vpc:publicIps:create", "vpc:publicIps:delete", "vpc:publicIps:update", "vpc:publicipTags:create", "vpc:publicipTags:delete", "vpcep:epservices:get", "vpcep:endpoints:get", "vpcep:quotas:get", "vpcep:tags:get", "vpcep:tags:list", "vpcep:tags:update", "vpcep:epserviceDesc:get", "vpcep:endpoints:create", "vpcep:endpoints:delete", "vpc:securityGroups:get", "vpc:securityGroups:create", "vpc:securityGroups:delete", "vpc:securityGroups:update", "vpc:securityGroupRules:get", "vpc:securityGroupRules:create", "vpc:securityGroupRules:delete", "vpc:securityGroupTags:create", "vpc:securityGroupTags:delete", "vpc:ports:get", "elb:loadbalancers:get", "elb:loadbalancers:list", "elb:loadbalancers:create", "elb:loadbalancers:delete", "elb:loadbalancerTags:get", "elb:loadbalancerTags:create", "elb:loadbalancerTags:delete", "elb:listeners:get", "elb:listeners:list", "elb:listeners:create", "elb:listeners:delete", "elb:listenerTags:get", "elb:listenerTags:create", "elb:listenerTags:delete", "elb:pools:get", "elb:pools:list", "elb:pools:create", "elb:pools:delete", "elb:members:get", "elb:members:list", "elb:members:create", "elb:members:delete", "elb:l7policies:get", "elb:l7policies:list", "elb:l7policies:create", "elb:l7policies:delete", "elb:l7rules:get", "elb:l7rules:list", "elb:l7rules:create", "elb:l7rules:delete", "elb:healthmonitors:get", "elb:healthmonitors:list", "elb:healthmonitors:put", "elb:healthmonitors:create", "elb:healthmonitors:delete", "elb:ipgroups:get", "elb:ipgroups:list", "elb:ipgroups:create", "elb:ipgroups:put", "elb:ipgroups:delete" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "rf:*:*" ], "Resource": [ "*" ] } ], "Version": "1.1" }- 针对全局级别服务策略
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "obs:bucket:*", "obs:object:*" ], "Resource": [ "OBS:*:*:bucket:selectdb-bucket-*", "OBS:*:*:object:selectdb-bucket-*/*" ] }, { "Effect": "Allow", "Action": [ "iam:permissions:addUserToGroup", "iam:users:listUsersForGroup", "iam:permissions:removeUserFromGroup", "iam:groups:listGroupsForUser", "iam:permissions:checkUserInGroup", "iam:users:updateUser", "iam:users:createUser", "iam:users:listUsers", "iam:users:getUser", "iam:users:deleteUser", "iam:projects:listProjectsForUser", "iam:roles:getRole", "iam:roles:listRoles", "iam:roles:createRole", "iam:roles:updateRole", "iam:roles:deleteRole", "iam:permissions:revokeRoleFromGroup", "iam:permissions:listRolesForGroupOnDomain", "iam:permissions:checkRoleForGroupOnDomain", "iam:permissions:grantRoleToGroup", "iam:groups:listGroups", "iam:groups:createGroup", "iam:permissions:revokeRoleFromGroupOnDomain", "iam:permissions:listRolesForGroup", "iam:permissions:grantRoleToGroupOnProject", "iam:permissions:checkRoleForGroup", "iam:groups:deleteGroup", "iam:groups:updateGroup", "iam:permissions:grantRoleToGroupOnDomain", "iam:permissions:revokeRoleFromGroupOnProject", "iam:groups:getGroup", "iam:permissions:listRolesForAgencyOnDomain", "iam:permissions:revokeRoleFromAgencyOnDomain", "iam:permissions:listRolesForAgency", "iam:permissions:checkRoleForAgencyOnProject", "iam:permissions:listRolesForGroupOnProject", "iam:permissions:checkRoleForGroupOnProject", "iam:permissions:checkRoleForAgency", "iam:permissions:listRolesForAgencyOnProject", "iam:permissions:grantRoleToAgencyOnDomain", "iam:permissions:revokeRoleFromAgencyOnProject", "iam:permissions:grantRoleToAgency", "iam:permissions:grantRoleToAgencyOnProject", "iam:permissions:revokeRoleFromAgency", "iam:tokens:assume", "iam:agencies:listAgencies" ], "Resource": [ "*" ] } ] }
具体权限划分如下:
-
ECS 权限:
- 管理 ECS 实例
"ecs:cloudServers:list", "ecs:cloudServers:createServers", "ecs:cloudServers:deleteServers", "ecs:cloudServers:updateServer", "ecs:cloudServers:changeChargeMode", "ecs:cloudServers:resize", "ecs:cloudServers:reboot", "ecs:cloudServers:stop", "ecs:cloudServers:start", "ecs:cloudServers:showServerBlockDevice", "ecs:cloudServers:listServerBlockDevices", "ecs:servers:get", "ecs:servers:list", "ecs:servers:start", "ecs:servers:stop", "ecs:servers:reboot", "ecs:servers:resize", "ecs:securityGroups:use", "ecs:servers:getTags", "ecs:servers:setTags", "ecs:cloudServers:showServer", "ecs:cloudServers:batchSetServerTags", "evs:volumeTags:create", "evs:volumeTags:delete", "evs:volumes:*", "evs:volumes:get", "evs:volumes:extend", "bss:renewal:update", "bss:order:view", "bss:order:pay", -
VPC & ELB & PrivteLink 权限:
- 获取 VPC 相关资源信息
"vpc:vpcs:get", "vpc:vpcs:list", "vpc:bandwidths:get", "vpc:subnets:get", "vpc:subnetTags:get",- 管理安全组、端口
"vpc:securityGroups:get", "vpc:securityGroups:create", "vpc:securityGroups:delete", "vpc:securityGroups:update", "vpc:securityGroupRules:get", "vpc:securityGroupRules:create", "vpc:securityGroupRules:delete", "vpc:securityGroupTags:create", "vpc:securityGroupTags:delete", "vpc:ports:get", "vpc:ports:create", "vpc:ports:update", "vpc:ports:delete",- 管理 EIP
"vpc:publicIps:get", "vpc:publicIps:list", "vpc:publicIps:create", "vpc:publicIps:delete", "vpc:publicIps:update", "vpc:publicipTags:create", "vpc:publicipTags:delete",- 管理负载均衡器 ELB 资源
"elb:loadbalancers:get", "elb:loadbalancers:list", "elb:loadbalancers:create", "elb:loadbalancers:delete", "elb:loadbalancerTags:get", "elb:loadbalancerTags:create", "elb:loadbalancerTags:delete", "elb:listeners:get", "elb:listeners:list", "elb:listeners:create", "elb:listeners:delete", "elb:listenerTags:get", "elb:listenerTags:create", "elb:listenerTags:delete", "elb:pools:get", "elb:pools:list", "elb:pools:create", "elb:pools:delete", "elb:members:get", "elb:members:list", "elb:members:create", "elb:members:delete", "elb:l7policies:get", "elb:l7policies:list", "elb:l7policies:create", "elb:l7policies:delete", "elb:l7rules:get", "elb:l7rules:list", "elb:l7rules:create", "elb:l7rules:delete", "elb:healthmonitors:get", "elb:healthmonitors:list", "elb:healthmonitors:put", "elb:healthmonitors:create", "elb:healthmonitors:delete", "elb:ipgroups:get", "elb:ipgroups:list", "elb:ipgroups:create", "elb:ipgroups:put", "elb:ipgroups:delete" -
OSS 权限:
- 管理 OSS 存储桶以及对存储桶及其内容进行读写操作
{ "Effect": "Allow", "Action": [ "obs:bucket:*", "obs:object:*" ], "Resource": [ "OBS:*:*:bucket:selectdb-bucket-*", "OBS:*:*:object:selectdb-bucket-*/*", ] }, -
IAM 权限:
- 管理 IAM 用户、用户组、权限
"iam:permissions:addUserToGroup", "iam:users:listUsersForGroup", "iam:permissions:removeUserFromGroup", "iam:groups:listGroupsForUser", "iam:permissions:checkUserInGroup", "iam:users:updateUser", "iam:users:createUser", "iam:users:listUsers", "iam:users:getUser", "iam:users:deleteUser", "iam:projects:listProjectsForUser", "iam:roles:getRole", "iam:roles:listRoles", "iam:roles:createRole", "iam:roles:updateRole", "iam:roles:deleteRole", "iam:permissions:revokeRoleFromGroup", "iam:permissions:listRolesForGroupOnDomain", "iam:permissions:checkRoleForGroupOnDomain", "iam:permissions:grantRoleToGroup", "iam:groups:listGroups", "iam:groups:createGroup", "iam:permissions:revokeRoleFromGroupOnDomain", "iam:permissions:listRolesForGroup", "iam:permissions:grantRoleToGroupOnProject", "iam:permissions:checkRoleForGroup", "iam:groups:deleteGroup", "iam:groups:updateGroup", "iam:permissions:grantRoleToGroupOnDomain", "iam:permissions:revokeRoleFromGroupOnProject", "iam:groups:getGroup", "iam:permissions:listRolesForAgencyOnDomain", "iam:permissions:revokeRoleFromAgencyOnDomain", "iam:permissions:listRolesForAgency", "iam:permissions:checkRoleForAgencyOnProject", "iam:permissions:listRolesForGroupOnProject", "iam:permissions:checkRoleForGroupOnProject", "iam:permissions:checkRoleForAgency", "iam:permissions:listRolesForAgencyOnProject", "iam:permissions:grantRoleToAgencyOnDomain", "iam:permissions:revokeRoleFromAgencyOnProject", "iam:permissions:grantRoleToAgency", "iam:permissions:grantRoleToAgencyOnProject", "iam:permissions:revokeRoleFromAgency", "iam:tokens:assume", "iam:agencies:listAgencies" -
RFS 权限:
- 管理资源栈
{ "Effect": "Allow", "Action": [ "rf:*:*" ], "Resource": [ "*" ] }
资源栈模板创建的子用户的权限说明
初次执行完资源栈模板后会创建一个子用户,用于后续在您的 VPC 内管控数据仓库相关组件,以下为该子用户权限示例:
注意 创建出来的子用户隶属于您的云账号,并只在您的 VPC 内使用,不会外泄。
- 针对区域级别服务策略
{
"Statement": [
{
"Action": [
"ecs:cloudServers:list",
"ecs:cloudServers:createServers",
"ecs:cloudServers:deleteServers",
"ecs:cloudServers:updateServer",
"ecs:cloudServers:changeChargeMode",
"ecs:cloudServers:resize",
"ecs:cloudServers:reboot",
"ecs:cloudServers:stop",
"ecs:cloudServers:start",
"ecs:cloudServers:showServerBlockDevice",
"ecs:cloudServers:listServerBlockDevices",
"ecs:servers:get",
"ecs:servers:list",
"ecs:servers:start",
"ecs:servers:stop",
"ecs:servers:reboot",
"ecs:servers:resize",
"ecs:securityGroups:use",
"ecs:servers:getTags",
"ecs:servers:setTags",
"vpc:securityGroups:get",
"vpc:securityGroups:update",
"vpc:securityGroupRules:get",
"vpc:ports:create",
"vpc:ports:update",
"vpc:ports:delete"
],
"Condition": {
"StringEquals": {
"g:ResourceTag/resource-created-by": [
"selectdb"
]
}
},
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"ecs:cloudServers:showServer",
"ecs:cloudServers:batchSetServerTags",
"evs:volumeTags:create",
"evs:volumeTags:delete",
"evs:volumes:*",
"evs:volumes:get",
"evs:volumes:extend",
"bss:renewal:update",
"bss:order:view",
"bss:order:pay",
"vpc:vpcs:get",
"vpc:vpcs:list",
"vpc:subnets:get",
"vpc:securityGroups:create",
"vpc:securityGroups:delete",
"vpc:securityGroupRules:create",
"vpc:securityGroupRules:delete",
"vpc:ports:get",
"elb:loadbalancers:get",
"elb:loadbalancers:list",
"elb:loadbalancers:create",
"elb:loadbalancers:delete",
"elb:loadbalancerTags:get",
"elb:loadbalancerTags:create",
"elb:loadbalancerTags:delete",
"elb:listeners:get",
"elb:listeners:list",
"elb:listeners:create",
"elb:listeners:delete",
"elb:listenerTags:get",
"elb:listenerTags:create",
"elb:listenerTags:delete",
"elb:pools:get",
"elb:pools:list",
"elb:pools:create",
"elb:pools:delete",
"elb:members:get",
"elb:members:list",
"elb:members:create",
"elb:members:delete",
"elb:l7policies:get",
"elb:l7policies:list",
"elb:l7policies:create",
"elb:l7policies:delete",
"elb:l7rules:get",
"elb:l7rules:list",
"elb:l7rules:create",
"elb:l7rules:delete",
"elb:healthmonitors:get",
"elb:healthmonitors:list",
"elb:healthmonitors:put",
"elb:healthmonitors:create",
"elb:healthmonitors:delete",
"elb:ipgroups:get",
"elb:ipgroups:list",
"elb:ipgroups:create",
"elb:ipgroups:put",
"elb:ipgroups:delete"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "1.1"
}- 针对全局级别服务策略
{
"Statement": [
{
"Action": [
"obs:bucket:*",
"obs:object:*"
],
"Effect": "Allow",
"Resource": [
"OBS:*:*:bucket:selectdb-bucket-*",
"OBS:*:*:object:selectdb-bucket-*/*"
]
}
],
"Version": "1.1"
}具体权限划分如下:
-
ECS 权限:
- 项目级服务,管理 ECS 实例
"ecs:cloudServers:list", "ecs:cloudServers:showServer", "ecs:cloudServers:createServers", "ecs:cloudServers:deleteServers", "ecs:cloudServers:updateServer", "ecs:cloudServers:changeChargeMode", "ecs:cloudServers:resize", "ecs:cloudServers:reboot", "ecs:cloudServers:stop", "ecs:cloudServers:start", "ecs:cloudServers:showServerBlockDevice", "ecs:cloudServers:listServerBlockDevices", "ecs:servers:get", "ecs:servers:list", "ecs:servers:start", "ecs:servers:stop", "ecs:servers:reboot", "ecs:servers:resize", "ecs:securityGroups:use", "ecs:servers:getTags", "ecs:servers:setTags", "ecs:cloudServers:batchSetServerTags", "evs:volumeTags:create", "evs:volumeTags:delete", "evs:volumes:*", "evs:volumes:get", "evs:volumes:extend", "bss:renewal:update", "bss:order:view", "bss:order:pay" -
VPC & ELB 权限:
- 项目级服务,获取 VPC 相关资源信息
"vpc:vpcs:get", "vpc:vpcs:list", "vpc:subnets:get",- 项目级服务,管理安全组、端口
"vpc:securityGroups:get", "vpc:securityGroups:create", "vpc:securityGroups:update", "vpc:securityGroups:delete", "vpc:securityGroupRules:get", "vpc:securityGroupRules:create", "vpc:securityGroupRules:delete", "vpc:ports:get", "vpc:ports:create", "vpc:ports:update", "vpc:ports:delete",- 项目级服务,管理负载均衡器 ELB 资源
"elb:loadbalancers:get", "elb:loadbalancers:list", "elb:loadbalancers:create", "elb:loadbalancers:delete", "elb:loadbalancerTags:get", "elb:loadbalancerTags:create", "elb:loadbalancerTags:delete", "elb:listeners:get", "elb:listeners:list", "elb:listeners:create", "elb:listeners:delete", "elb:listenerTags:get", "elb:listenerTags:create", "elb:listenerTags:delete", "elb:pools:get", "elb:pools:list", "elb:pools:create", "elb:pools:delete", "elb:members:get", "elb:members:list", "elb:members:create", "elb:members:delete", "elb:l7policies:get", "elb:l7policies:list", "elb:l7policies:create", "elb:l7policies:delete", "elb:l7rules:get", "elb:l7rules:list", "elb:l7rules:create", "elb:l7rules:delete", "elb:healthmonitors:get", "elb:healthmonitors:list", "elb:healthmonitors:put", "elb:healthmonitors:create", "elb:healthmonitors:delete", "elb:ipgroups:get", "elb:ipgroups:list", "elb:ipgroups:create", "elb:ipgroups:put", "elb:ipgroups:delete", -
OSS 权限:
- 全局级服务,管理 OSS 存储桶以及对存储桶及其内容进行读写操作
{ "Effect": "Allow", "Action": [ "obs:bucket:*", "obs:object:*" ], "Resource": [ "OBS:*:*:bucket:selectdb-bucket-*", "OBS:*:*:object:selectdb-bucket-*/*" ] },