Agency Permissions

Cloud Native Cost Governance works closely with cloud services such as CCE, AOM, OBS, and CBC for cost governance. When you use Cloud Native Cost Governance for the first time, you need to use an account with the Security Administrator permissions to grant the cloud resource permissions of the current region to CCE.

To minimize authorization, CCE fine-grained permissions are optimized. The permissions defined by system policies are now defined using API actions. (Each API has one API action.) If you have authorized the cloud services, you can optimize the permissions in one click.

After you agree to the authorization, agencies are automatically created in IAM to delegate required resource operation permissions in your account to Huawei Cloud CCE and AOM. For details about agencies, see Cloud Service Delegation. The following are agencies automatically created in IAM:

cia_admin_trust
This agency is used to to delegate the permissions required by the O&M modules to access other cloud services.

To use the O&M modules in multiple regions, you need to apply for the Tenant Guest, CCE Administrator, and SWR Administrator permissions in each region. (Go to the IAM console, choose Agencies, and click cia_admin_trust to view the authorization records in each region.)
aom_admin_trust
For details about this agency, see AOM Cloud Service Authorization.

The O&M modules may fail to run as expected if the required permissions are not granted. When using the O&M modules, do not delete or modify cia_admin_trust and aom_admin_trust.

Permissions Before Optimization

**Table 1** cia_admin_trust permissions
Granted To	Policy/Role	Description
CCE	IAM ReadOnlyAccess	IAM users need to be able to access Monitoring Center and Alarm Center.
CCE	Tenant Guest	Monitoring Center and Alarm Center check the configurations of global resources (for example OBS or DNS) associated with clusters to identify invalid or inappropriate configurations.
CCE	CCE Administrator	Monitoring Center and Alarm Center need to be able to access CCE to obtain information about clusters, nodes, workloads, and other resources, so that they can help ensure resource health.
CCE	SWR Administrator	Monitoring Center and Alarm Center need to be able to access SWR to obtain image information.
CCE	SMN Administrator	Monitoring Center and Alarm Center need to be able to access SMN to obtain contact groups.
CCE	AOM Administrator	Monitoring Center and Alarm Center need to be able to access AOM to obtain metrics.
CCE	LTS Administrator	Monitoring Center and Alarm Center need to be able to access LTS to obtain logs.

**Table 2** aom_admin_trust permissions
Granted To	Policy/Role	Description
AOM	DMS UserAccess	AOM obtains subscription data from DMS.
AOM	ECS CommonOperations	AOM obtains system metrics and logs using UniAgents and ICAgents installed on ECSs.
AOM	CES ReadOnlyAccess	AOM synchronizes metrics from Cloud Eye.
AOM	CCE FullAccess	AOM synchronizes container metrics from CCE.
AOM	RMS ReadOnlyAccess	AOM CMDB manages cloud service instances.
AOM	ECS ReadOnlyAccess	AOM obtains system metrics and logs using UniAgents and ICAgents installed on ECSs.
AOM	LTS FullAccess	AOM obtains logs from LTS.
AOM	CCI FullAccess	AOM synchronizes container metrics from CCI.

Permissions After Optimization

**Table 3** cia_admin_trust permissions
Policy Name	Policy Type	Policy Scope	Permission Set	Description
CCE Administrator	System-defined policy	Project	cce::	CCE administrator permissions
CIACostGlobalPolicy	Custom policy	Global	obs:object:GetObject	Obtains object content and metadata.
			obs:bucket:HeadBucket	Obtains bucket metadata.
			obs:bucket:CreateBucket	Creates a bucket.
			obs:bucket:ListBucket	Lists objects in a bucket.
			OBS:::object:cost/daily_cost_{region_id}	Resource object path restriction
			OBS:::bucket:cce-cost-{region_id}-{domain_id}	Resource bucket limit
CIACostProjectPolicy	Custom policy	Project	cce:cluster:get	Obtains details about a cluster.
			cce:cluster:list	Lists all clusters.
			cce:addonInstance:list	Lists all add-on instances.
			cce:addonInstance:create	Creates an add-on instance.
			cce:addonInstance:delete	Deletes an add-on instance.
			cce:addonInstance:update	Updates an add-on instance.
			cce:node:get	Obtains details about a node.
			cce:node:list	Lists nodes.
			cce:nodepool:list	Lists all node pools in a cluster.
			aom:metric:set	Modifies monitoring configuration.
			aom:metric:get	Queries details about a metric.
			aom:metric:list	Lists metrics.
			aom:agency:get	Queries AOM authorization.
			bss:costtag:update	Activates or deactivates cost tags.
			bss:costtag:view	Views cost tags.
			bss:costdetailreport:view	Views the task list for exporting cost details to OBS.
			bss:costdetailreport:update	Creates, modifies, or deletes the tasks of exporting cost details to OBS.
			apm:icmgr:get	Obtains AOM 2.0 permissions.
			apm:icmgr:create	Grants AOM 2.0 permissions.

**Table 4** aom_admin_trust permissions
Policy Name	Policy Type	Policy Scope	Permission Set	Description
AOM Global Access	Custom policy	Global	rms:*:list	Lists RMS resources.
			rms:*:get	Queries details about an RMS resource.
			rms:resources:listTagsForResource	Lists resource tags.
			rms:resources:listTags	Lists project tags.
			rms:resources:listResourcesByTag	List resource instances.
AOM UserAccess	Custom policy	Project	lts:topics:*	Full permissions for performing operations on log topics
			lts:groups:*	Full permissions for performing operations on log groups
			aom:metric:*	Full permissions for performing operations on a metric (AOM)
			aom:cmdbSubApplication:*	Full permissions for performing operations on a sub-application (AOM)
			aom:cmdbResources:*	Full permissions for performing operations on resources (AOM)
			aom:cmdbEnvironment:*	Full permissions for performing operations on the environment (AOM)
			aom:cmdbComponent:*	Full permissions for performing operations on a component (AOM)
			aom:cmdbApplication:*	Full permissions for performing operations on an application (AOM)
			ecs:cloudServers:showServer	Queries details about an ECS.
			ecs:cloudServers:list	Lists ECSs.
			dms:instance:get	Queries details about a DMS instance.
			ces:metrics:list	Lists metrics (Cloud Eye).
			ces:metricData:list	Queries metrics (Cloud Eye).
			cci:namespace:list	Lists all namespaces.
			cce:cluster:list	Lists all clusters.
			cce:cluster:get	Obtains details about a cluster.
			cce:node:list	List nodes.
			cce:node:get	Obtains details about a node.
			apm:icmgr:*	Full permissions for performing operations on the APM collection component
			lts::	Full permissions for performing operations on LTS logs
			aom:*:list	Lists AOM instances.