Updated on 2024-12-03 GMT+08:00

Agencies

KooGallery sends an authorization request to you when you use a service listed in Table 1. Once you agree, you authorize KooGallery to provide you with the service as a delegatee. If the policy of an agency is updated, KooGallery will request authorization again when you use the related service. For details about the agency policies, see Agency Policy Permission Details.

Do not modify KooGallery agencies and their policies, or reuse their policies on other agencies. Otherwise, the services will be affected.

Table 1 Services

| Delegator | Scenario | Service | Agency | Delegatee | Agency Policy |
|---|---|---|---|---|---|
| | Product use | Quick image provisioning | mkp_agency_trust | KooGallery system account | mkp_deployment_policy |
| | Product use | Quick image provisioning | mkp_rfs_agency_trust | Resource Formation Service (RFS) | mkp_rfs_deployment_polic... |
| | Product use | Image deployment via templates | mkp_agency_trust | KooGallery system account | mkp_deployment_policy |

KooGallery no longer uses the mkp_ims_trust, mkp_admin_trust, mkp_rf_admin_trust, and mkp_obs_trust agencies. If you have created these agencies, delete them by referring to Canceling Agency Authorization.

Agency Policy Permission Details

  • mkp_deployment_policy
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:cmk:create",
                    "kms:cmk:get",
                    "kms:dek:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "rf:stack:listStacks",
                    "rf:stack:listStackResources",
                    "rf:stack:listStackOutputs",
                    "rf:stack:createStack",
                    "rf:stack:getStackMetadata",
                    "rf:stack:updateStack"
                ]
            }
        ]
    }
  • mkp_rfs_deployment_policy
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:cmk:get",
                    "kms:dek:decrypt"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:diskConfigs:use",
                    "ecs:servers:create",
                    "ecs:cloudServers:showServer",
                    "ecs:cloudServers:get",
                    "ecs:serverInterfaces:get",
                    "ecs:serverKeypairs:get",
                    "ecs:flavors:get",
                    "ecs:serverVolumes:use",
                    "ecs:cloudServers:createServers",
                    "ecs:cloudServers:create",
                    "ecs:cloudServers:deleteServers",
                    "ecs:cloudServers:delete",
                    "ecs:servers:get",
                    "ecs:serverInterfaces:use",
                    "ecs:securityGroups:use"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "evs:volumes:list",
                    "evs:volumes:create",
                    "evs:volumes:manage",
                    "evs:backups:get",
                    "evs:volumes:attach",
                    "evs:volumes:get",
                    "evs:snapshots:get"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ims:images:get",
                    "ims:images:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:securityGroups:create",
                    "vpc:subnets:update",
                    "vpc:routers:update",
                    "vpc:networks:get",
                    "vpc:ports:get",
                    "vpc:ports:update",
                    "vpc:ports:create",
                    "vpc:securityGroupRules:get",
                    "vpc:subnets:create",
                    "vpc:subnets:get",
                    "vpc:securityGroups:update",
                    "vpc:routers:get",
                    "vpc:securityGroups:get",
                    "vpc:networks:create",
                    "vpc:networks:update"
                ]
            }
        ]
    }
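
A drift check for the two warnings on this page (do not modify or reuse the agency policies; delete the retired agencies), as an added example that is not part of the Huawei Cloud documentation. The input shape `{agency: {policy_name: policy_document}}`, the `example_other_agency` name and the sample account state are constructed assumptions, and only mkp_deployment_policy is baselined here.

```python
# Baseline actions and owning agency for mkp_deployment_policy, as listed on this page.
BASELINE = {"mkp_deployment_policy": {
    "kms:cmk:create", "kms:cmk:get", "kms:dek:create",
    "rf:stack:listStacks", "rf:stack:listStackResources",
    "rf:stack:listStackOutputs", "rf:stack:createStack",
    "rf:stack:getStackMetadata", "rf:stack:updateStack"}}
OWNER = {"mkp_deployment_policy": "mkp_agency_trust"}
# Agencies the page says KooGallery no longer uses.
RETIRED = {"mkp_ims_trust", "mkp_admin_trust", "mkp_rf_admin_trust", "mkp_obs_trust"}

def allowed_actions(policy):
    """Flatten every Allow statement of a policy document into one set."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def audit(agencies):
    """agencies: {agency: {policy_name: policy_doc}}, an assumed export shape."""
    findings = []
    for agency, policies in sorted(agencies.items()):
        if agency in RETIRED:
            findings.append(("retired_agency", agency, ""))
        for name, doc in sorted(policies.items()):
            if name not in BASELINE:
                continue  # this example carries no baseline for the policy
            if agency != OWNER[name]:
                findings.append(("policy_reused", agency, name))
            actual = allowed_actions(doc)
            for act in sorted(actual - BASELINE[name]):
                findings.append(("extra_action", f"{agency}/{name}", act))
            for act in sorted(BASELINE[name] - actual):
                findings.append(("missing_action", f"{agency}/{name}", act))
    return findings

def policy_doc(actions):
    return {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": sorted(actions)}]}

# Constructed sample (not real data): an edited policy, a reused policy, a retired agency.
BASE = BASELINE["mkp_deployment_policy"]
SAMPLE = {
    "mkp_agency_trust": {"mkp_deployment_policy": policy_doc(
        (BASE - {"kms:dek:create"}) | {"ecs:cloudServers:delete"})},
    "example_other_agency": {"mkp_deployment_policy": policy_doc(BASE)},
    "mkp_obs_trust": {},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

An empty result from `audit` means the inspected agencies match the baseline and none of the retired agencies remain.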

Canceling Agency Authorization

You can cancel authorization by deleting an agency. To do so, point to your account name in the upper right corner of the Huawei Cloud console, select Identity and Access Management from the drop-down list, and choose Agencies in the navigation pane. Deleting an agency will instantly invalidate the corresponding service.