Updated on 2024-10-31 GMT+08:00

Enabling COC

When you log in to COC for the first time, you must grant COC the agency permissions it needs to access other cloud services on your behalf before it can perform automated O&M and fault management on your cloud resources. To enable COC, create two agencies named ServiceLinkedAgencyForCOC and ServiceAgencyForCOC. The permissions contained in each agency are listed in Table 1 and Table 2. Note that several of these permissions are granted on all resources, including projects created in the future, so review the scope before you enable COC.

Figure 1 Enabling COC

Table 1 Permissions in ServiceAgencyForCOC

| Permission | Description | Scope (Project [Region]) | Application Scenario |
| --- | --- | --- | --- |
| IAM ReadOnlyAccess | Read-only permissions for IAM | Global service [Global] | Used to read personnel information under an IAM account in the personnel management module. |
| RMS ReadOnlyAccess | Read-only permissions for RMS | Global service [Global] | Used to synchronize managed cloud service resources in the resource management module. |
| DCS UserAccess | Common user permissions for DCS, excluding permissions for creating, modifying, and deleting DCS instances and for modifying instance specifications. | All resources (including projects created in the future) | Used to inject faults into DCS resources during chaos drills. |
| COCServiceAgencyDefaultPolicy | Service agency policy for cross-account access to COC | All resources (including projects created in the future) | Used to perform batch resource operations, such as restarting ECS and RDS instances in batches and changing OSs. |

Table 2 Permissions in ServiceLinkedAgencyForCOC

| Permission | Action | Application Scenario |
| --- | --- | --- |
| Delivering an agent job | aom:uniagentJob:create | Used to execute scripts, jobs, and scheduled tasks during automated O&M. |
| Querying logs of an agent job | aom:uniagentJob:get | Used to view the logs of scripts, jobs, and scheduled tasks during automated O&M. |
| Querying the user list | IdentityCenter:user:list | Used to synchronize personnel information during personnel management. |
| Creating a topic | smn:topic:create | Used to add notification subscription information during personnel management. |
| Querying the list of topics | smn:topic:listTopic | Used to send notifications in scenarios such as fault management and automated O&M. |
| Updating a topic | smn:topic:updateTopic | Used to modify notification subscription information during personnel management. |
| Querying details of a topic | smn:topic:get | Used to send notifications in scenarios such as fault management and automated O&M. |
| Deleting a topic | smn:topic:delete | Used to delete notification subscription information during personnel management. |
| Querying a topic policy | smn:topic:listAttributes | Used to send notifications in scenarios such as fault management and automated O&M. |
| Deleting a topic policy | smn:topic:deleteAttribute | Used to delete notification subscription information during personnel management. |
| Updating a topic policy | smn:topic:updateAttribute | Used to modify notification subscription information during personnel management. |
| Creating a subscription for a topic | smn:topic:subscribe | Used to add notification subscription information during personnel management. |
| Querying the subscription list of a specified topic | smn:topic:listSubscriptionsByTopic | Used to send notifications in scenarios such as fault management and automated O&M. |
| Querying the subscription list of all topics | smn:topic:listSubscriptions | Used to send notifications in scenarios such as fault management and automated O&M. |
| Deleting the subscription information from a specified topic | smn:topic:deleteSubscription | Used to delete notification subscription information during personnel management. |
| Sending a message | smn:topic:publish | Used to send notifications in scenarios such as fault management and automated O&M. |
| Listing IAM users | iam:users:listUsersV5 | Used to synchronize personnel information during personnel management. |
| Obtaining information about an IAM user | iam:users:getUserV5 | Used to synchronize personnel information during personnel management. |
| Deleting a service-linked agency | iam:agencies:deleteServiceLinkedAgencyV5 | Used to delete the agency associated with the service from IAM. |
| Viewing all resource lists of a user | rms:resources:list | Used to synchronize the resource lists of a managed account in the resource management module. |
| Querying parameter details | coc:parameter:* | Used by the automated O&M function to reference parameters in the parameter center. |
| Obtaining a server key pair | ecs:serverKeypairs:get | Used to reinstall or change an OS and set the key pair. |
| Listing server key pairs | ecs:serverKeypairs:list | Used to reinstall or change an OS and query the key pair list. |
| Stopping ECSs in batches | ecs:cloudServers:stop | Used to stop ECSs in batches during resource O&M. |
| Restarting ECSs in batches | ecs:cloudServers:reboot | Used to restart ECSs in batches during resource O&M. |
| Starting ECSs in batches | ecs:cloudServers:start | Used to start ECSs in batches during resource O&M. |
| Changing the OS of an ECS | ecs:cloudServers:changeOS | Used to change ECS OSs in batches during resource O&M. |
| Reinstalling ECS OSs | ecs:cloudServers:rebuild | Used to reinstall ECS OSs in batches during resource O&M. |
| Obtaining ECS information | ecs:servers:get | Used to obtain cloud server information during batch operations in resource O&M. |
| Listing accounts in an organization | organizations:accounts:list | Used to query accounts in the current organization in the cross-account scenario. |
| Listing delegated administrator accounts | organizations:delegatedAdministrators:list | Used to query delegated administrator accounts in the current organization in the cross-account scenario. |
| Getting organization information | organizations:organizations:get | Used to query information about the current organization in the cross-account scenario. |
| Listing organizational units | organizations:ous:list | Used to query organizational units in the cross-account scenario. |
| Listing trusted services | organizations:trustedServices:list | Used to query the list of trusted services enabled for the current organization in the cross-account scenario. |
| Listing roots of an organization | organizations:roots:list | Used to query organization roots in the cross-account scenario. |

Note that coc:parameter:* is a wildcard: it grants every action on the parameter center, not only the query described in the Permission column. The ECS actions likewise cover destructive operations (stopping servers, reinstalling and changing OSs), so the agency should be treated as a high-privilege principal.

Modifying or deleting agency permissions

After COC is enabled, if an agency has excessive or insufficient permissions, you can modify the agency policy in IAM. Compare the actions the policy grants against Table 1 and Table 2: an action the tables do not list, or a wildcard broader than the listed actions, is excess; a listed action the policy does not grant will cause the corresponding COC function to fail.

To modify the permissions, validity period, and description of an agency, click Modify in the row containing the agency you want to modify.

Figure 2 Agencies

On the authorization record page, you can authorize the agency or delete the authorized permissions.

Figure 3 Permission granting records
  • You can change the cloud service, validity period, description, and permissions of a cloud service agency, but not its name or type.
  • Modifying the permissions of a cloud service agency may break certain functions of the cloud service that depends on it. Exercise caution when performing this operation.
  • For more information about agencies, see the IAM documentation.
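The following script audits an agency policy against the action list in Table 2 the way the paragraph above describes: it reports listed actions the policy does not effectively grant (no Allow covers them, or a Deny takes them back) and Allow entries that are broader than anything listed. This is an added example, not code from COC or Huawei Cloud. It assumes the policy document uses the custom-policy JSON shape (Version "1.1", a Statement list with Effect and Action) and that "*" in an action string is a wildcard; the sample policy is constructed for illustration, and REQUIRED_ACTIONS is transcribed from Table 2.

```python
"""Audit an IAM agency policy against the actions COC documents in Table 2.

Added example, not COC's own code. Assumed: policy JSON shape (Version "1.1",
Statement list with Effect/Action), '*' as a wildcard with fnmatch semantics.
"""
import fnmatch
import json

# Transcribed from Table 2 (ServiceLinkedAgencyForCOC).
REQUIRED_ACTIONS = [
    "aom:uniagentJob:create", "aom:uniagentJob:get",
    "IdentityCenter:user:list",
    "smn:topic:create", "smn:topic:listTopic", "smn:topic:updateTopic",
    "smn:topic:get", "smn:topic:delete", "smn:topic:listAttributes",
    "smn:topic:deleteAttribute", "smn:topic:updateAttribute",
    "smn:topic:subscribe", "smn:topic:listSubscriptionsByTopic",
    "smn:topic:listSubscriptions", "smn:topic:deleteSubscription",
    "smn:topic:publish",
    "iam:users:listUsersV5", "iam:users:getUserV5",
    "iam:agencies:deleteServiceLinkedAgencyV5",
    "rms:resources:list",
    "coc:parameter:*",
    "ecs:serverKeypairs:get", "ecs:serverKeypairs:list",
    "ecs:cloudServers:stop", "ecs:cloudServers:reboot",
    "ecs:cloudServers:start", "ecs:cloudServers:changeOS",
    "ecs:cloudServers:rebuild", "ecs:servers:get",
    "organizations:accounts:list", "organizations:delegatedAdministrators:list",
    "organizations:organizations:get", "organizations:ous:list",
    "organizations:trustedServices:list", "organizations:roots:list",
]


def _actions(policy, effect):
    """Flatten every Action string from statements with the given Effect."""
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != effect:
            continue
        acts = stmt.get("Action", [])
        out.extend([acts] if isinstance(acts, str) else acts)
    return out


def _matched(action, patterns):
    """True if any pattern (which may contain '*') covers the action.

    IAM action names contain only letters, digits and ':', so fnmatch's
    other metacharacters ('?', '[') cannot be triggered by accident.
    """
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def audit_policy(policy, required=REQUIRED_ACTIONS):
    """Return {'missing': [...], 'excess': [...]} for an agency policy.

    missing: a documented action (or documented wildcard such as
             coc:parameter:*) that no Allow covers, or that a Deny revokes.
    excess:  an Allow entry not contained in any documented action, i.e. a
             wildcard broader than Table 2 ("ecs:cloudServers:*", "*") or
             an action the table never mentions.
    """
    allows = _actions(policy, "Allow")
    denies = _actions(policy, "Deny")
    missing = [a for a in required
               if not _matched(a, allows) or _matched(a, denies)]
    excess = [p for p in allows if not _matched(p, required)]
    return {"missing": missing, "excess": excess}


def minimal_policy(required=REQUIRED_ACTIONS):
    """Least-privilege policy that grants exactly the documented actions."""
    return {"Version": "1.1",
            "Statement": [{"Effect": "Allow", "Action": list(required)}]}


# Constructed sample: a hand-edited agency policy that over-grants with
# wildcards, grants only part of the parameter center, and denies publishing.
SAMPLE_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": [
            "aom:uniagentJob:create", "aom:uniagentJob:get",
            "IdentityCenter:user:list", "smn:topic:*",
            "iam:users:listUsersV5", "iam:users:getUserV5",
            "iam:agencies:deleteServiceLinkedAgencyV5", "rms:resources:list",
            "coc:parameter:get", "coc:parameter:list",
            "ecs:serverKeypairs:get", "ecs:serverKeypairs:list",
            "ecs:cloudServers:*", "ecs:servers:get",
            "organizations:*:list", "organizations:organizations:get"]},
        {"Effect": "Deny", "Action": ["smn:topic:publish"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
    print(json.dumps(audit_policy(minimal_policy()), indent=2))
```

On the sample, "smn:topic:publish" is reported as missing because the Deny wins over the "smn:topic:*" Allow, and "coc:parameter:*" is reported as missing because granting only get and list does not satisfy a documented wildcard; the three wildcard Allows are reported as excess. Replacing the policy with minimal_policy() yields an empty report, which is the least-privilege target for this agency.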