Updated on 2024-11-04 GMT+08:00

Reducing Extensive Permissions of Cloud Service Agencies

In versions earlier than GES 2.4.6, GES uses agencies in the following scenarios:

Table 1 Agency scenarios

Agency: ges_agency or ges_agency_default_{Region ID}
Permission: Server Administrator or XX FullAccess
Description: Allows GES to call your VPC service. For example, during a failover, GES uses this agency to bind your EIP to the primary GES load balancer instance.

Agency: GESAccessKMS
Permission: KMS Administrator
Description: Allows GES to call your KMS service when creating encrypted clusters or encrypted metadata. This agency is no longer needed after the version optimization.

Because IAM 1.0 supported only role-based (RBAC) authorization, the agencies for these two scenarios had to be granted system roles that are far broader than what GES actually calls. In practice, GES never needed such extensive permissions.

To bring the agencies down to least privilege, the GES console provides a one-click reduction function that removes the unnecessary permissions delegated to GES and replaces them with a narrowly scoped custom policy.

Procedure

  1. Log in to the GES management console. In the navigation pane on the left, choose Graph Management.
  2. If the agency permissions have not yet been reduced, a notification prompting you to reduce them is displayed at the top of the console.
  3. Click Rectify. The Optimize the Agency Permission dialog box is displayed. See Figure 1.
    Note: The dialog box explains that some GES scenarios require an agency that authorizes GES to access your resources. The system creates a custom policy named ges_access_vpc_custom and attaches it to ges_agency. The dialog box also lists the high-risk agency permissions that will be removed to improve account security; review this list before confirming.
    Figure 1 Reducing agency permissions
  4. Type DELETE, or click Auto Enter to fill it in, and confirm to reduce the agency permissions. After the operation succeeds, the notification prompting you to reduce agency permissions disappears automatically.

    If you do not have the permission to query agencies, the system cannot retrieve the agency information with your credentials and therefore cannot tell whether the permissions have been reduced. A notification prompting you to fix the agency permissions then appears every time you log in to the console, asking you to contact the administrator to resolve the issue. You can close the notification or select Do not show again, but the agency keeps its excessive permissions until an administrator completes the rectification.
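The check the console performs before showing the notification, as an added example that is not part of this page or of GES itself. It runs over a constructed in-memory list of agencies instead of calling the IAM API; the assumptions are that an agency is a name plus the names of the roles or policies attached to it, that a "{Region ID}" suffix consists of letters, digits and hyphens, and that the sample names and role names below are illustrative. The logic encodes the page's rules: ges_agency (or ges_agency_default_{Region ID}) must lose Server Administrator and any FullAccess role and must carry ges_access_vpc_custom; GESAccessKMS is no longer needed at all; agencies unrelated to GES are left alone; and an account where agencies cannot be queried is reported as unverifiable rather than as clean.

```python
"""Audit GES cloud-service agencies for over-broad permissions (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Permissions the page lists as excessive for the VPC / KMS scenarios.
HIGH_RISK_ROLE_PATTERNS = [
    re.compile(r"^Server Administrator$"),
    re.compile(r"^KMS Administrator$"),
    re.compile(r".*FullAccess$"),  # "XX FullAccess" in the page
]

# Least-privilege replacement the console attaches to ges_agency (from the page).
REQUIRED_CUSTOM_POLICY = "ges_access_vpc_custom"

# Agency names from the page; the region-ID suffix is matched loosely (assumption).
VPC_AGENCY_RE = re.compile(r"^(ges_agency|ges_agency_default_[A-Za-z0-9-]+)$")
KMS_AGENCY_NAME = "GESAccessKMS"


@dataclass
class Agency:
    name: str
    roles: List[str]  # names of the roles/policies attached (assumed shape)


@dataclass
class Finding:
    agency: str
    remove_roles: List[str] = field(default_factory=list)
    add_policies: List[str] = field(default_factory=list)
    delete_agency: bool = False

    @property
    def needs_rectification(self) -> bool:
        return bool(self.remove_roles or self.add_policies or self.delete_agency)


def is_high_risk(role: str) -> bool:
    return any(p.match(role) for p in HIGH_RISK_ROLE_PATTERNS)


def audit_agency(agency: Agency) -> Optional[Finding]:
    """Return what must change for one agency, or None if it is not a GES agency."""
    if agency.name == KMS_AGENCY_NAME:
        # Page: GESAccessKMS is no longer needed after the optimization, so drop it.
        return Finding(agency.name, remove_roles=list(agency.roles), delete_agency=True)
    if VPC_AGENCY_RE.match(agency.name):
        finding = Finding(agency.name)
        finding.remove_roles = [r for r in agency.roles if is_high_risk(r)]
        if REQUIRED_CUSTOM_POLICY not in agency.roles:
            finding.add_policies.append(REQUIRED_CUSTOM_POLICY)
        return finding
    return None  # not a GES agency: out of scope for this rectification


def audit_account(agencies: List[Agency], can_query_agencies: bool = True) -> dict:
    """Summarise the account the way the console notification does."""
    if not can_query_agencies:
        # Page: without permission to query agencies the check cannot run, and the
        # console keeps prompting until an administrator resolves it.
        return {"status": "cannot_verify", "findings": []}
    findings = [f for f in map(audit_agency, agencies) if f and f.needs_rectification]
    return {"status": "rectify" if findings else "ok", "findings": findings}


# Constructed sample: an account as it looked before the optimization.
SAMPLE_AGENCIES = [
    Agency("ges_agency_default_cn-north-4", ["Server Administrator", "VPC FullAccess"]),
    Agency("GESAccessKMS", ["KMS Administrator"]),
    Agency("ops_backup_agency", ["OBS Administrator"]),  # unrelated agency, left alone
]

if __name__ == "__main__":
    report = audit_account(SAMPLE_AGENCIES)
    print(report["status"])
    for finding in report["findings"]:
        print(finding)
```

Running the block reports "rectify" with two findings: the VPC agency loses both high-risk roles and gains ges_access_vpc_custom, and GESAccessKMS is scheduled for deletion; the unrelated backup agency produces no finding. Wiring this to real agency data means listing the agencies and their attached roles through your IAM tooling, which is outside what the page documents.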