Updated on 2025-08-19 GMT+08:00

System Agencies

CCE works closely with multiple cloud services to support compute, storage, networking, and monitoring functions. When you log in to the CCE console for the first time, CCE automatically requests permissions to access those cloud services in the region where you run your applications. Specifically:
  • Compute services

    When you create a node in a cluster, a cloud server is created accordingly. The prerequisite is that CCE has obtained the permissions for accessing Elastic Cloud Server (ECS) and Bare Metal Server (BMS).

  • Storage services

    CCE allows you to mount storage to nodes and containers in a cluster. The prerequisite is that CCE has obtained the permissions for accessing services such as Elastic Volume Service (EVS), Scalable File Service (SFS), and Object Storage Service (OBS).

  • Networking services

    CCE allows containers in a cluster to be published as services that can be accessed by external systems. The prerequisite is that CCE has obtained the permissions for accessing services such as Virtual Private Cloud (VPC) and Elastic Load Balance (ELB).

  • Container and monitoring services

    CCE supports functions such as container image pull, monitoring, and logging. The prerequisite is that CCE has obtained the permissions for accessing services such as SoftWare Repository for Container (SWR) and Application Operations Management (AOM).

After you agree to the entrustment, CCE automatically creates an agency in IAM to delegate other resource operation permissions in your account to Huawei Cloud CCE. For details, see Delegating Another Account for Resource Management.

The agencies automatically created by CCE are as follows:

  • cce_admin_trust has permission to call all cloud services that CCE depends on, with the exception of IAM.
  • cce_cluster_agency is authorized to operate only the cloud services required by CCE to generate temporary access credentials used by components in CCE clusters.
  • hss_policy_trust automatically grants cluster management permission to HSS after HSS is enabled for the cluster.

Based on the principle of least privilege (POLP), an IAM user must have at least the following IAM operation permissions when creating or updating an agency:

  • iam:agencies:createAgency: for creating an agency
  • iam:permissions:revokeRoleFromAgencyOnProject: for removing permissions of an agency for a region-specific project
  • iam:permissions:grantRoleToAgencyOnProject: for granting permissions to an agency for a region-specific project
  • iam:roles:createRole: for creating a custom policy
  • iam:roles:updateRole: for modifying a custom policy

For details about how to add custom permissions for cloud services, see Custom Policies.

cce_admin_trust

The cce_admin_trust agency has the Tenant Administrator permissions. Tenant Administrator has permission to call all cloud services (with the exception of IAM) that CCE depends on, such as creating a cluster or node. This delegation of permissions only applies to the current region.

To use CCE in multiple regions, request for cloud resource permissions in each region. You can go to the IAM console, choose Agencies and click cce_admin_trust to view the permissions of each region.

CCE may fail to run as expected if the Tenant Administrator role is not assigned. Therefore, do not delete or modify the cce_admin_trust agency when using CCE.

CCE has updated the cce_admin_trust agency permissions to enhance security while accommodating dependencies on other cloud services. The new permissions no longer include Tenant Administrator permissions. This update is only available in certain regions. If your clusters are of v1.21 or later, a message will appear on the console asking you to re-grant permissions. After re-granting, the cce_admin_trust agency will be updated to include only the necessary cloud service permissions, with the Tenant Administrator permissions removed.

When creating the cce_admin_trust agency, CCE creates a custom policy named CCE admin policies. Do not delete this policy.

cce_cluster_agency

The cce_cluster_agency agency contains only the cloud service resource operation permissions required by CCE components. It generates temporary access credentials used by components in CCE clusters. This agency permission will be used when cloud service resources that CCE depends on are automatically created in a cluster, for example, when an ingress or dynamic storage volume is created.

  • The cce_cluster_agency agency supports clusters of v1.21 or later.
  • When creating the cce_cluster_agency agency, CCE creates a custom policy named CCE cluster policies. Do not delete this policy.

If the permissions of the cce_cluster_agency agency are different from those expected by CCE, the console displays a message indicating that the permissions have changed and you need to re-authorize the agency.

The cce_cluster_agency agency may be re-authorized in the following scenarios:

  • The permissions on which CCE components depend may change with versions. For example, if a new component depends on new permissions, CCE will update the expected permission list and you need to grant permissions to cce_cluster_agency again.
  • When you manually modify the permissions of the cce_cluster_agency agency, the permissions of the agency are different from those expected by CCE. In this case, a message is displayed, asking you to re-authorize the agency. If you re-authorize the agency, the manually modified permissions may become invalid.

hss_policy_trust

After HSS is enabled, CCE will automatically create a CCEOperatePolicy policy and assign it to the hss_policy_trust agency.

CCEOperatePolicy permissions:

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "cce:cluster:get",
                "cce:cluster:list",
                "iam:agencies:listAgencies"
            ],
            "Effect": "Allow"
        }
    ]
}

ClusterRole hss-cluster-role will be automatically created in the cluster with HSS enabled.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: hss-cluster-role
rules:
  - verbs:
      - '*'
    apiGroups:
      - '*'
    resources:
      - daemonsets
      - namespaces
      - configmaps
      - nodes