Enabling COC
The first time you log in, you must grant COC agency permissions to access other cloud services so that it can perform automated O&M and fault management on your cloud service resources. To use COC, create the agencies named ServiceLinkedAgencyForCOC and ServiceAgencyForCOC. For details about the permissions contained in the agencies, see Table 1 and Table 2.
| Permission | Description | Project [Region] | Application Scenario |
|---|---|---|---|
| IAM ReadOnlyAccess | Read-only permissions for IAM | Global service [Global] | Used to read personnel information under an IAM account in the personnel management module. |
| RMS ReadOnlyAccess | Read-only permissions for RMS | Global service [Global] | Used to synchronize managed cloud service resources in the resource management module. |
| DCS UserAccess | Common user permissions for DCS, excluding permissions for creating, modifying, deleting DCS instances and modifying instance specifications. | Permissions on all resources (including new projects in the future) | Used to inject faults into DCS resources during chaos drills. |
| COCServiceAgencyDefaultPolicy | Service agency policy for cross-account access to COC | Permissions on all resources (including new projects in the future) | Used to perform batch resource operations, such as batch restarting ECS and RDS service instances and changing OSs. |

| Permission | Action | Application Scenario |
|---|---|---|
| Delivering an agent job | aom:uniagentJob:create | Used to execute scripts, jobs, and scheduled tasks during automated O&M. |
| Querying logs of an agent job | aom:uniagentJob:get | Used to view the logs of scripts, jobs, and scheduled tasks during automated O&M. |
| Querying the user list | IdentityCenter:user:list | Used to synchronize personnel information during personnel management. |
| Creating a topic | smn:topic:create | Used to add notification subscription information during personnel management. |
| Querying the list of topics | smn:topic:listTopic | Used to send notifications in scenarios such as fault management and automated O&M. |
| Updating a topic | smn:topic:updateTopic | Used to modify notification subscription information during personnel management. |
| Querying details of a topic | smn:topic:get | Used to send notifications in scenarios such as fault management and automated O&M. |
| Deleting a topic | smn:topic:delete | Used to delete notification subscription information during personnel management. |
| Querying a topic policy | smn:topic:listAttributes | Used to send notifications in scenarios such as fault management and automated O&M. |
| Deleting a topic policy | smn:topic:deleteAttribute | Used to delete notification subscription information during personnel management. |
| Updating a topic policy | smn:topic:updateAttribute | Used to modify notification subscription information during personnel management. |
| Creating a subscription for a topic | smn:topic:subscribe | Used to add notification subscription information during personnel management. |
| Querying the subscription list of a specified topic | smn:topic:listSubscriptionsByTopic | Used to send notifications in scenarios such as fault management and automated O&M. |
| Querying the subscription list of all topics | smn:topic:listSubscriptions | Used to send notifications in scenarios such as fault management and automated O&M. |
| Deleting the subscription information from a specified topic | smn:topic:deleteSubscription | Used to delete notification subscription information during personnel management. |
| Sending a message | smn:topic:publish | Used to send notifications in scenarios such as fault management and automated O&M. |
| Listing IAM users | iam:users:listUsersV5 | Used to synchronize personnel information during personnel management. |
| Obtaining information about an IAM user | iam:users:getUserV5 | Used to synchronize personnel information during personnel management. |
| Deleting a service-linked agency | iam:agencies:deleteServiceLinkedAgencyV5 | Used to delete an agency associated with a service from IAM. |
| Viewing all the resource lists of a user | rms:resources:list | Used to synchronize the resource lists of a managed account in the resource management module. |
| Querying parameter details | coc:parameter:* | Used by the automated O&M function to reference parameters in the parameter center. |
| Obtaining the server password pair | ecs:serverKeypairs:get | Used to reinstall or change an OS, and set the password pair. |
| Obtaining the server password pair list | ecs:serverKeypairs:list | Used to reinstall or change an OS, and query the password pair list. |
| Stopping ECSs in batches | ecs:cloudServers:stop | Used to stop ECSs in batches during resource O&M. |
| Restarting ECSs in a batch | ecs:cloudServers:reboot | Used to restart ECSs in batches during resource O&M. |
| Starting ECSs in batches | ecs:cloudServers:start | Used to start ECSs in batches during resource O&M. |
| Changing the OS of an ECS | ecs:cloudServers:changeOS | Used to change the ECS OSs in batches during resource O&M. |
| Reinstalling ECS OSs | ecs:cloudServers:rebuild | Used to reinstall ECS OSs in batches during resource O&M. |
| Obtaining ECS information | ecs:servers:get | Used to obtain cloud service information during batch operations in resource O&M. |
| Listing accounts in an organization | organizations:accounts:list | Used to query accounts in the current organization in the cross-account scenario. |
| Listing delegated administrator accounts | organizations:delegatedAdministrators:list | Used to query delegated administrator accounts in the current organization in the cross-account scenario. |
| Getting organization information | organizations:organizations:get | Used to query information about the current organization in the cross-account scenario. |
| Listing organization units | organizations:ous:list | Used to query organization units in the cross-account scenario. |
| Listing trusted services | organizations:trustedServices:list | Used to query the list of trusted services enabled for the current organization in the cross-account scenario. |
| Listing roots of an organization | organizations:roots:list | Used to query organization roots in the cross-account scenario. |
Modifying or deleting agency permissions
After COC is enabled, if an agency has excessive or insufficient permissions, you can modify the agency policy in IAM.
To modify the permissions, validity period, and description of an agency, click Modify in the row containing the agency you want to modify.
On the authorization record page, you can authorize the agency or delete the authorized permissions.
- You can change the cloud service, validity period, description, and permissions of a cloud service agency, but not its name or type.
- Modifying the permissions of cloud service agencies may affect the usage of certain functions of cloud services. Exercise caution when performing this operation.
- For more information about agencies, visit IAM.
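
One way to check whether an agency policy is excessive or insufficient relative to the action list documented above, as an added example that is not part of the original documentation. It assumes the policy has been exported as JSON with `Statement`, `Effect` and `Action` fields and that action matching is case-sensitive; the function names and the sample policy are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Actions from the second table on this page (the documented baseline).
BASELINE = """
aom:uniagentJob:create aom:uniagentJob:get IdentityCenter:user:list
smn:topic:create smn:topic:listTopic smn:topic:updateTopic smn:topic:get
smn:topic:delete smn:topic:listAttributes smn:topic:deleteAttribute
smn:topic:updateAttribute smn:topic:subscribe smn:topic:listSubscriptionsByTopic
smn:topic:listSubscriptions smn:topic:deleteSubscription smn:topic:publish
iam:users:listUsersV5 iam:users:getUserV5 iam:agencies:deleteServiceLinkedAgencyV5
rms:resources:list coc:parameter:* ecs:serverKeypairs:get ecs:serverKeypairs:list
ecs:cloudServers:stop ecs:cloudServers:reboot ecs:cloudServers:start
ecs:cloudServers:changeOS ecs:cloudServers:rebuild ecs:servers:get
organizations:accounts:list organizations:delegatedAdministrators:list
organizations:organizations:get organizations:ous:list
organizations:trustedServices:list organizations:roots:list
""".split()

def allowed_actions(policy):
    """Collect the Action patterns of every Allow statement (Deny is ignored)."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            granted.update([actions] if isinstance(actions, str) else actions)
    return granted

def audit(policy, baseline=BASELINE):
    """Return grants outside the baseline and baseline actions not granted."""
    granted = allowed_actions(policy)
    # Excessive: a grant that no baseline entry covers (wildcards included).
    excessive = sorted(g for g in granted
                       if not any(fnmatchcase(g, b) for b in baseline))
    # Insufficient: a baseline entry that no grant covers.
    missing = sorted(b for b in baseline
                     if not any(fnmatchcase(b, g) for g in granted))
    return {"excessive": excessive, "missing": missing}

# Constructed sample policy: drops smn:topic:publish, widens ECS, adds OBS.
SAMPLE_POLICY = {"Version": "1.1", "Statement": [{
    "Effect": "Allow",
    "Action": [a for a in BASELINE
               if a != "smn:topic:publish" and not a.startswith("ecs:")]
              + ["ecs:*:*", "obs:*:*"],
}]}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

A wildcard grant such as `ecs:*:*` is reported as excessive even though it covers every documented ECS action, because it also allows actions the table does not list.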