Help Center/ Cloud Container Engine/ User Guide/ O&M/ Agency Permissions
Updated on 2025-01-07 GMT+08:00
View PDF
Share

Agency Permissions

O&M modules work closely with cloud services for cluster monitoring, alarm reporting, and notification. When you access the O&M modules for the first time, the system will request permissions to access the cloud services in the region where you run your applications.

To minimize authorization, CCE fine-grained permissions are optimized. The permissions defined by system policies are now defined using API actions. (Each API has one API action.) If you have authorized the cloud services, you can optimize the permissions in one click.

After you agree to the authorization, agencies are automatically created in IAM to delegate required resource operation permissions in your account to Huawei Cloud CCE and AOM. For details about agencies, see Cloud Service Delegation. The following are agencies automatically created in IAM:
  • cia_admin_trust

    This agency is used to to delegate the permissions required by the O&M modules to access other cloud services.

    To use the O&M modules in multiple regions, you need to apply for the Tenant Guest, CCE Administrator, and SWR Administrator permissions in each region. (Go to the IAM console, choose Agencies, and click cia_admin_trust to view the authorization records in each region.)

  • aom_admin_trust

    For details about this agency, see AOM Cloud Service Authorization.

The O&M modules may fail to run as expected if the required permissions are not granted. When using the O&M modules, do not delete or modify cia_admin_trust and aom_admin_trust.

Permissions Before Optimization

Table 1 cia_admin_trust permissions

Granted To

Policy/Role

Description

CCE

IAM ReadOnlyAccess

IAM users need to be able to access Monitoring Center and Alarm Center.

CCE

Tenant Guest

Monitoring Center and Alarm Center check the configurations of global resources (for example OBS or DNS) associated with clusters to identify invalid or inappropriate configurations.

CCE

CCE Administrator

Monitoring Center and Alarm Center need to be able to access CCE to obtain information about clusters, nodes, workloads, and other resources, so that they can help ensure resource health.

CCE

SWR Administrator

Monitoring Center and Alarm Center need to be able to access SWR to obtain image information.

CCE

SMN Administrator

Monitoring Center and Alarm Center need to be able to access SMN to obtain contact groups.

CCE

AOM Administrator

Monitoring Center and Alarm Center need to be able to access AOM to obtain metrics.

CCE

LTS Administrator

Monitoring Center and Alarm Center need to be able to access LTS to obtain logs.
Table 2 aom_admin_trust permissions

Granted To

Policy/Role

Description

AOM

DMS UserAccess

AOM obtains subscription data from DMS.

AOM

ECS CommonOperations

AOM obtains system metrics and logs using UniAgents and ICAgents installed on ECSs.

AOM

CES ReadOnlyAccess

AOM synchronizes metrics from Cloud Eye.

AOM

CCE FullAccess

AOM synchronizes container metrics from CCE.

AOM

RMS ReadOnlyAccess

AOM CMDB manages cloud service instances.

AOM

ECS ReadOnlyAccess

AOM obtains system metrics and logs using UniAgents and ICAgents installed on ECSs.

AOM

LTS FullAccess

AOM obtains logs from LTS.

AOM

CCI FullAccess

AOM synchronizes container metrics from CCI.

Permissions After Optimization

Table 3 cia_admin_trust permissions

Policy Name

Policy Type

Policy Scope

Permission Set

Description

CCE Administrator

System-defined policy

Project

cce:*:*

CCE administrator permissions

CIAMonitorProjectPolicy

Custom policy

Project

cce:cluster:get

Obtains details about a cluster.

cce:cluster:list

Lists all clusters.

cce:addonInstance:list

Lists all add-on instances.

cce:addonInstance:create

Creates an add-on instance.

cce:addonInstance:delete

Deletes an add-on instance.

cce:addonInstance:update

Updates an add-on instance.

cce:node:get

Obtains details about a node.

cce:node:list

Lists nodes.

cce:nodepool:list

Lists all node pools in a cluster.

aom:metric:set

Modifies monitoring configuration.

aom:metric:get

Queries details about a metric.

aom:metric:list

Lists metrics.

aom:alarm:list

Lists alarms.

aom:alarm:put

Clears AOM alarms.

aom:actionRule:get

Queries an alarm linkage rule by ID.

aom:actionRule:list

Lists alarm linkage rules.

aom:actionRule:create

Creates an alarm linkage rule.

aom:actionRule:update

Updates an alarm linkage rule.

aom:actionRule:delete

Deletes an alarm linkage rule.

aom:alarmRule:create

Adds a threshold rule.

aom:alarmRule:list

Lists alarm rules.

aom:alarmRule:delete

Delete a threshold rule.

aom:agency:get

Queries AOM authorization.

lts:groups:get

Queries a specified log group.

lts:groups:list

Lists log groups.

lts:groups:create

Creates a log group.

lts:logs:list

Lists logs.

lts:topics:get

Queries a specified log topic.

lts:topics:create

Creates a log topic.

lts:topics:put

Updates a log topic.

smn:topic:list

Lists topics.

smn:topic:update

Updates a topic, including adding subscriptions to and deleting subscriptions from a topic.

smn:topic:delete

Deletes a topic.

smn:topic:create

Creates a topic.

vpc:securityGroups:get

Queries security groups or details about a security group.

vpc:vpcs:get

Queries details about a VPC.

vpc:subnets:get

Queries subnets or details about a subnet.

vpc:vpcs:list

Lists VPCs.

vpcep:endpoints:list

Lists VPC endpoints.

evs:quotas:get

Queries EVS disk quotas.

ecs:cloudServerQuotas:get

Queries tenant quotas.

apm:icmgr:get

Obtains AOM 2.0 permissions.

apm:icmgr:create

Grants AOM 2.0 permissions.
Table 4 aom_admin_trust permissions

Policy Name

Policy Type

Policy Scope

Permission Set

Description

AOM Global Access

Custom policy

Global

rms:*:list

Lists RMS resources.

rms:*:get

Queries details about an RMS resource.

rms:resources:listTagsForResource

Lists resource tags.

rms:resources:listTags

Lists project tags.

rms:resources:listResourcesByTag

List resource instances.

AOM UserAccess

Custom policy

Project

lts:topics:*

Full permissions for performing operations on log topics

lts:groups:*

Full permissions for performing operations on log groups

aom:metric:*

Full permissions for performing operations on a metric (AOM)

aom:cmdbSubApplication:*

Full permissions for performing operations on a sub-application (AOM)

aom:cmdbResources:*

Full permissions for performing operations on resources (AOM)

aom:cmdbEnvironment:*

Full permissions for performing operations on the environment (AOM)

aom:cmdbComponent:*

Full permissions for performing operations on a component (AOM)

aom:cmdbApplication:*

Full permissions for performing operations on an application (AOM)

ecs:cloudServers:showServer

Queries details about an ECS.

ecs:cloudServers:list

Lists ECSs.

dms:instance:get

Queries details about a DMS instance.

ces:metrics:list

Lists metrics (Cloud Eye).

ces:metricData:list

Queries metrics (Cloud Eye).

cci:namespace:list

Lists all namespaces.

cce:cluster:list

Lists all clusters.

cce:cluster:get

Obtains details about a cluster.

cce:node:list

Lists nodes.

cce:node:get

Obtains details about a node.

apm:icmgr:*

Full permissions for performing operations on the APM collection component

lts:*:*

Full permissions for performing operations on LTS logs

aom:*:list

Lists AOM instances.
Parent Topic: O&M