Updated: 2024-12-03 GMT+08:00

Authorized Agency Services

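When a seller or user uses an agency service in the scenarios listed in Table 1, KooGallery sends you an authorization request. Once you agree, you authorize KooGallery to provide the corresponding service for you in the role of the delegated party. If an agency policy is updated, KooGallery requests authorization again the next time you use the service. For the specific agency policies, see Agency Policy Permission Details.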

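Do not modify KooGallery's agencies or the content of their agency policies, and do not reuse KooGallery's agency policies on other agencies. Otherwise, the services will not run properly.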

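Table 1 Agency services

| Authorizing Role | Scenario | Service Type | Agency | Delegated Party | Agency Policy |
|---|---|---|---|---|---|
| | Using products | Quick provisioning of image products | mkp_agency_trust | KooGallery system account | mkp_deployment_policy |
| | | | mkp_rfs_agency_trust | Resource Formation Service (RFS) | mkp_rfs_deployment_polic... |
| | | Template-based deployment of image products | mkp_agency_trust | KooGallery system account | mkp_deployment_policy |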

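KooGallery no longer uses the agencies mkp_ims_trust, mkp_admin_trust, mkp_rf_admin_trust, and mkp_obs_trust. If you have authorized any of them, you can delete them by following Canceling Agency Authorization.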

Agency Policy Permission Details

  • mkp_deployment_policy
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:cmk:create",
                    "kms:cmk:get",
                    "kms:dek:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "rf:stack:listStacks",
                    "rf:stack:listStackResources",
                    "rf:stack:listStackOutputs",
                    "rf:stack:createStack",
                    "rf:stack:getStackMetadata",
                    "rf:stack:updateStack"
                ]
            }
        ]
    }
  • mkp_rfs_deployment_policy
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:cmk:get",
                    "kms:dek:decrypt"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:diskConfigs:use",
                    "ecs:servers:create",
                    "ecs:cloudServers:showServer",
                    "ecs:cloudServers:get",
                    "ecs:serverInterfaces:get",
                    "ecs:serverKeypairs:get",
                    "ecs:flavors:get",
                    "ecs:serverVolumes:use",
                    "ecs:cloudServers:createServers",
                    "ecs:cloudServers:create",
                    "ecs:cloudServers:deleteServers",
                    "ecs:cloudServers:delete",
                    "ecs:servers:get",
                    "ecs:serverInterfaces:use",
                    "ecs:securityGroups:use"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "evs:volumes:list",
                    "evs:volumes:create",
                    "evs:volumes:manage",
                    "evs:backups:get",
                    "evs:volumes:attach",
                    "evs:volumes:get",
                    "evs:snapshots:get"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ims:images:get",
                    "ims:images:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "vpc:securityGroups:create",
                    "vpc:subnets:update",
                    "vpc:routers:update",
                    "vpc:networks:get",
                    "vpc:ports:get",
                    "vpc:ports:update",
                    "vpc:ports:create",
                    "vpc:securityGroupRules:get",
                    "vpc:subnets:create",
                    "vpc:subnets:get",
                    "vpc:securityGroups:update",
                    "vpc:routers:get",
                    "vpc:securityGroups:get",
                    "vpc:networks:create",
                    "vpc:networks:update"
                ]
            }
        ]
    }
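One way to check an account against this page, as an added example that is not part of the original page or KooGallery's own tooling: it compares an exported mkp_deployment_policy with the listing above and flags edited grants, reuse of the policy on another agency, and agencies the page lists as no longer used. The export layout (agency name mapped to policy name mapped to policy document), the names `grants` and `audit`, and the sample data (including `ops_agency` and the `kms:cmk:*` entry) are assumptions constructed for illustration; only mkp_deployment_policy is covered.

```python
import json

# Actions copied from the mkp_deployment_policy listing on this page.
DOCUMENTED = {"mkp_deployment_policy": {
    "kms:cmk:create", "kms:cmk:get", "kms:dek:create",
    "rf:stack:listStacks", "rf:stack:listStackResources",
    "rf:stack:listStackOutputs", "rf:stack:createStack",
    "rf:stack:getStackMetadata", "rf:stack:updateStack"}}
# Agency each policy is bound to in Table 1.
EXPECTED_AGENCY = {"mkp_deployment_policy": "mkp_agency_trust"}
# Agencies the page lists as no longer used.
RETIRED = {"mkp_ims_trust", "mkp_admin_trust", "mkp_rf_admin_trust", "mkp_obs_trust"}

def grants(policy):
    """Flatten a policy document into a set of (Effect, Action) pairs."""
    pairs = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        pairs.update((stmt.get("Effect", ""), a) for a in actions)
    return pairs

def audit(export):
    """export: {agency: {policy name: policy document}} (assumed layout)."""
    findings = []
    for agency, policies in sorted(export.items()):
        if agency in RETIRED:
            findings.append(("retired_agency", agency, ""))
        for name, doc in sorted(policies.items()):
            if name not in DOCUMENTED:
                continue
            if agency != EXPECTED_AGENCY[name]:
                findings.append(("policy_reused", agency, name))
                continue
            want = {("Allow", a) for a in DOCUMENTED[name]}
            for pair in sorted(grants(doc) ^ want):
                kind = "missing_grant" if pair in want else "extra_grant"
                findings.append((kind, agency, " ".join(pair)))
    return findings

# Constructed sample: an edited policy, a reused policy, a retired agency.
SAMPLE = json.loads("""{
 "mkp_agency_trust": {"mkp_deployment_policy": {"Version": "1.1", "Statement": [
  {"Effect": "Allow", "Action": ["kms:cmk:create", "kms:cmk:get", "kms:dek:create", "kms:cmk:*"]},
  {"Effect": "Allow", "Action": ["rf:stack:listStacks", "rf:stack:createStack",
    "rf:stack:listStackResources", "rf:stack:listStackOutputs", "rf:stack:getStackMetadata"]}]}},
 "ops_agency": {"mkp_deployment_policy": {"Version": "1.1", "Statement": []}},
 "mkp_obs_trust": {}}""")
if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

An empty result means the exported policy matches the listing; any `extra_grant` or `missing_grant` line means the policy was edited after authorization.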

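Canceling Agency Authorization

Sellers or users can delete authorized agencies under "Identity and Access Management (IAM) > Agencies" in the drop-down list in the upper right corner of the console. Once an agency is deleted, the corresponding service stops working immediately, so proceed with caution.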