Huawei Cloud prerequisites
This page covers the Huawei Cloud operations involved in creating a BYOC warehouse: preparing an IAM user and granting it permissions, preparing a Virtual Private Cloud (VPC) and subnet, and understanding resource orchestration and stacks.
Prepare an IAM user and grant permissions
Before creating a BYOC warehouse, prepare a Huawei Cloud IAM user that holds the required permissions.
Send this document to your Huawei Cloud administrator and ask them to create and authorize the IAM user as described here.
The administrator opens the Huawei Cloud Identity and Access Management (IAM) console and performs the following steps:
Create an IAM user
Tip: if an IAM user already exists, skip this step.
Click Users in the left navigation pane to open the user management page, click Create User, fill in the required information and complete the creation.
Create an IAM user group (optional)
Tip: if an IAM user group already exists, skip this step.
If several people in your organization use SelectDB Cloud, create an IAM user group, add them to it, and grant the permissions to the group once.
Click User Groups in the left navigation pane to open the user group management page, click Create User Group, fill in the required information and complete the creation.
Create a permission policy and grant it
When a SelectDB Cloud BYOC warehouse is created, a stack template is executed through the Resource Orchestration Service (RFS). The template creates ECS, VPC, OBS and other cloud resources and operates on them, so a set of IAM permissions is required.
Follow the steps below to add these permissions to the IAM user or user group.
1. Create the permission policy: click Permissions > Policies/Roles in the left navigation pane to open the policy management page, then click Create Custom Policy.
Enter a name, switch to JSON view, clear the text box, and paste the policy below into it. For an explanation of each permission, see the section "Permissions required by the stack template" further down this page.
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:cloudServers:list",
        "ecs:cloudServers:showServer",
        "ecs:cloudServers:createServers",
        "ecs:cloudServers:deleteServers",
        "ecs:cloudServers:updateServer",
        "ecs:cloudServers:changeChargeMode",
        "ecs:cloudServers:resize",
        "ecs:cloudServers:reboot",
        "ecs:cloudServers:stop",
        "ecs:cloudServers:start",
        "ecs:cloudServers:showServerBlockDevice",
        "ecs:cloudServers:listServerBlockDevices",
        "ecs:servers:get",
        "ecs:servers:list",
        "ecs:servers:start",
        "ecs:servers:stop",
        "ecs:servers:reboot",
        "ecs:servers:resize",
        "ecs:securityGroups:use",
        "ecs:servers:getTags",
        "ecs:servers:setTags",
        "evs:volumes:get",
        "evs:volumes:extend",
        "bss:renewal:update",
        "bss:order:view",
        "bss:order:pay",
        "vpc:vpcs:get",
        "vpc:vpcs:list",
        "vpc:subnets:get",
        "vpc:subnetTags:get",
        "vpc:securityGroups:get",
        "vpc:securityGroups:create",
        "vpc:securityGroups:update",
        "vpc:securityGroups:delete",
        "vpc:securityGroupRules:get",
        "vpc:securityGroupRules:create",
        "vpc:securityGroupRules:delete",
        "vpc:ports:get",
        "vpc:ports:create",
        "vpc:ports:update",
        "vpc:ports:delete",
        "vpc:publicIps:get",
        "vpc:publicIps:list",
        "vpc:publicIps:create",
        "vpc:publicIps:delete",
        "vpc:publicipTags:create",
        "vpc:publicipTags:delete",
        "elb:loadbalancers:get",
        "elb:loadbalancers:list",
        "elb:loadbalancers:create",
        "elb:loadbalancers:delete",
        "elb:loadbalancerTags:get",
        "elb:loadbalancerTags:create",
        "elb:loadbalancerTags:delete",
        "elb:listeners:get",
        "elb:listeners:list",
        "elb:listeners:create",
        "elb:listeners:delete",
        "elb:listenerTags:get",
        "elb:listenerTags:create",
        "elb:listenerTags:delete",
        "elb:pools:get",
        "elb:pools:list",
        "elb:pools:create",
        "elb:pools:delete",
        "elb:members:get",
        "elb:members:list",
        "elb:members:create",
        "elb:members:delete",
        "elb:l7policies:get",
        "elb:l7policies:list",
        "elb:l7policies:create",
        "elb:l7policies:delete",
        "elb:l7rules:get",
        "elb:l7rules:list",
        "elb:l7rules:create",
        "elb:l7rules:delete",
        "elb:healthmonitors:get",
        "elb:healthmonitors:list",
        "elb:healthmonitors:put",
        "elb:healthmonitors:create",
        "elb:healthmonitors:delete",
        "elb:ipgroups:get",
        "elb:ipgroups:list",
        "elb:ipgroups:create",
        "elb:ipgroups:put",
        "elb:ipgroups:delete"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "rf:*:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Click OK to finish creating the policy.
2. Grant the policy to the IAM user:
On the user list page, click Authorize to open the authorization page.
Choose to authorize the user directly, filter for custom policies, select the custom policy created above and click Next.
Choose enterprise project resources, select the enterprise project and click OK to complete the authorization.
3. Grant the policy to the IAM user group (optional):
On the user group list page, click Authorize to open the authorization page.
Filter for custom policies, select the custom policy created above and click Next.
Choose enterprise project resources, select the enterprise project and click OK to complete the authorization.
The IAM user or user group is now created and authorized.
Prepare a Virtual Private Cloud (VPC) and subnet
Tips:
- If you already have a VPC in a supported region and want the BYOC warehouse deployed in it, skip the VPC and subnet creation steps below.
- Currently supported regions: CN South-Guangzhou and AP-Singapore. There is no restriction on availability zones.
Before creating a BYOC warehouse, use the IAM user prepared above to create a VPC and subnet as follows.
Open the Huawei Cloud Virtual Private Cloud (VPC) console and click Create VPC to open the VPC creation page.
Select the region in which you want to create the BYOC warehouse, enter a name, choose the IPv4 CIDR block and the enterprise project, enter the subnet name and availability zone, and click Create Now to finish.
Understand resource orchestration and stacks
When a user creates a BYOC warehouse, the cloud provider's resource orchestration service first deploys the Agent automatically and establishes the private connection between the Agent and the SelectDB Cloud platform; the Agent then takes over deployment and management of the BYOC warehouse.
RFS orchestration template
The orchestration template provided by SelectDB runs in your own cloud account. Its code is visible and auditable, and it does not operate on your data or on other environments inside your VPC. You can download the template from:
https://selectdb-cloud-online-bj.obs.cn-north-4.myhuaweicloud.com/selectdb/public/hwcloud-cn-south-1-byoc-cf.zip
When you execute this template through Huawei Cloud RFS, it creates and deploys the Agent. The Agent then establishes a private connection to SelectDB Cloud and completes the warehouse initialization.
Once the orchestration script has finished, you can open the warehouse from the SelectDB Cloud platform and start creating compute clusters for data analysis, just as with an ordinary warehouse.
How to view stack information
In the Huawei Cloud RFS console you can view every resource created by the SelectDB stack template and look up a specific resource by name.
Note: all resources created by the stack template belong to your cloud account and are used only inside your VPC; nothing leaves it.
- ECS
  - Name: SelectDBAgent (ECS instance)
  - Purpose: hosts the Agent programs
- VPC endpoint
  - Name: SelectDBEndpoint
  - Purpose: establishes the private connection to the SelectDB Cloud platform, over which control commands are pulled and monitoring data and logs are pushed
- Bucket
  - Name: SelectDBBucket
  - Purpose: stores the warehouse data
- Security group
  - Name: SelectDBSecurityGroup
  - Purpose: attached to the VPC endpoint and the ECS instance; its rules allow only traffic on specific ports from specific subnets (inbound on ports 443, 22, 5000, 9090, 8888, 8666 and 8777 is allowed only from the same subnet; outbound is allowed on all ports)
- IAM user
  - Name: SelectDBUser (sub-user), SelectDBUserRegionPolicy (sub-user permissions for region-level services), SelectDBUserGlobalPolicy (sub-user permissions for global services)
  - Purpose: the sub-user holds the minimum permissions the Agent needs; all subsequent operations are performed under this sub-user's identity
Permissions required by the stack template
When the stack template is executed through the Resource Orchestration Service (RFS) in your cloud account, it creates ECS, VPC, OBS and other cloud resources and operates on them, so a set of IAM permissions is required. Before executing it, make sure the user running the template holds these permissions; otherwise the template run may fail.
Note: the stack template is executed entirely inside your cloud account, and every resource it creates belongs to that account. SelectDB does not obtain your cloud account credentials and cannot use the account's IAM permissions.
The following permissions are required by the resources and operations defined in the template:
- Permission summary:
  - Region-Policy
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:cloudServers:list", "ecs:cloudServers:showServer", "ecs:cloudServers:createServers",
        "ecs:cloudServers:deleteServers", "ecs:cloudServers:updateServer", "ecs:cloudServers:changeChargeMode",
        "ecs:cloudServers:resize", "ecs:cloudServers:reboot", "ecs:cloudServers:stop", "ecs:cloudServers:start",
        "ecs:cloudServers:showServerBlockDevice", "ecs:cloudServers:listServerBlockDevices",
        "ecs:servers:get", "ecs:servers:list", "ecs:servers:start", "ecs:servers:stop",
        "ecs:servers:reboot", "ecs:servers:resize", "ecs:securityGroups:use",
        "ecs:servers:getTags", "ecs:servers:setTags",
        "evs:volumes:get", "evs:volumes:extend",
        "bss:renewal:update", "bss:order:view", "bss:order:pay",
        "vpc:vpcs:get", "vpc:vpcs:list", "vpc:subnets:get", "vpc:subnetTags:get",
        "vpc:securityGroups:get", "vpc:securityGroups:create", "vpc:securityGroups:update", "vpc:securityGroups:delete",
        "vpc:securityGroupRules:get", "vpc:securityGroupRules:create", "vpc:securityGroupRules:delete",
        "vpc:ports:get", "vpc:ports:create", "vpc:ports:update", "vpc:ports:delete",
        "vpc:publicIps:get", "vpc:publicIps:list", "vpc:publicIps:create", "vpc:publicIps:delete",
        "vpc:publicipTags:create", "vpc:publicipTags:delete",
        "elb:loadbalancers:get", "elb:loadbalancers:list", "elb:loadbalancers:create", "elb:loadbalancers:delete",
        "elb:loadbalancerTags:get", "elb:loadbalancerTags:create", "elb:loadbalancerTags:delete",
        "elb:listeners:get", "elb:listeners:list", "elb:listeners:create", "elb:listeners:delete",
        "elb:listenerTags:get", "elb:listenerTags:create", "elb:listenerTags:delete",
        "elb:pools:get", "elb:pools:list", "elb:pools:create", "elb:pools:delete",
        "elb:members:get", "elb:members:list", "elb:members:create", "elb:members:delete",
        "elb:l7policies:get", "elb:l7policies:list", "elb:l7policies:create", "elb:l7policies:delete",
        "elb:l7rules:get", "elb:l7rules:list", "elb:l7rules:create", "elb:l7rules:delete",
        "elb:healthmonitors:get", "elb:healthmonitors:list", "elb:healthmonitors:put",
        "elb:healthmonitors:create", "elb:healthmonitors:delete",
        "elb:ipgroups:get", "elb:ipgroups:list", "elb:ipgroups:create", "elb:ipgroups:put", "elb:ipgroups:delete"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Action": [ "rf:*:*" ],
      "Resource": [ "*" ]
    }
  ]
}
```
  - Global-Policy
```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "obs:bucket:*", "obs:object:*" ],
      "Resource": [ "obs:*:*:bucket:selectdb-*", "obs:*:*:object:selectdb-*/*" ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:permissions:addUserToGroup", "iam:users:listUsersForGroup", "iam:permissions:removeUserFromGroup",
        "iam:groups:listGroupsForUser", "iam:permissions:checkUserInGroup",
        "iam:users:updateUser", "iam:users:createUser", "iam:users:listUsers", "iam:users:getUser", "iam:users:deleteUser",
        "iam:projects:listProjectsForUser",
        "iam:roles:getRole", "iam:roles:listRoles", "iam:roles:createRole", "iam:roles:updateRole", "iam:roles:deleteRole",
        "iam:permissions:revokeRoleFromGroup", "iam:permissions:listRolesForGroupOnDomain",
        "iam:permissions:checkRoleForGroupOnDomain", "iam:permissions:grantRoleToGroup",
        "iam:groups:listGroups", "iam:groups:createGroup",
        "iam:permissions:revokeRoleFromGroupOnDomain", "iam:permissions:listRolesForGroup",
        "iam:permissions:grantRoleToGroupOnProject", "iam:permissions:checkRoleForGroup",
        "iam:groups:deleteGroup", "iam:groups:updateGroup",
        "iam:permissions:grantRoleToGroupOnDomain", "iam:permissions:revokeRoleFromGroupOnProject",
        "iam:groups:getGroup",
        "iam:permissions:listRolesForAgencyOnDomain", "iam:permissions:revokeRoleFromAgencyOnDomain",
        "iam:permissions:listRolesForAgency", "iam:permissions:checkRoleForAgencyOnProject",
        "iam:permissions:listRolesForGroupOnProject", "iam:permissions:checkRoleForGroupOnProject",
        "iam:permissions:checkRoleForAgency", "iam:permissions:listRolesForAgencyOnProject",
        "iam:permissions:grantRoleToAgencyOnDomain", "iam:permissions:revokeRoleFromAgencyOnProject",
        "iam:permissions:grantRoleToAgency", "iam:permissions:grantRoleToAgencyOnProject",
        "iam:permissions:revokeRoleFromAgency",
        "iam:tokens:assume", "iam:agencies:list*"
      ],
      "Resource": [ "*" ]
    }
  ]
}
```
  - VPCEndpoint Administrator
```json
{
  "Version": "1.0",
  "Statement": [
    {
      "Action": [ "vpcep:*:*" ],
      "Effect": "Allow"
    }
  ],
  "Depends": [
    { "catalog": "BASE", "display_name": "Server Administrator" },
    { "catalog": "VPC", "display_name": "VPC Administrator" },
    { "catalog": "DNS", "display_name": "DNS Administrator" }
  ]
}
```
- Elastic Compute Service (ECS) permissions:
  - Manage ECS instances:
    "ecs:cloudServers:list", "ecs:cloudServers:showServer", "ecs:cloudServers:createServers", "ecs:cloudServers:deleteServers", "ecs:cloudServers:updateServer", "ecs:cloudServers:changeChargeMode", "ecs:cloudServers:resize", "ecs:cloudServers:reboot", "ecs:cloudServers:stop", "ecs:cloudServers:start", "ecs:cloudServers:showServerBlockDevice", "ecs:cloudServers:listServerBlockDevices", "ecs:servers:get", "ecs:servers:list", "ecs:servers:start", "ecs:servers:stop", "ecs:servers:reboot", "ecs:servers:resize", "ecs:securityGroups:use", "ecs:servers:getTags", "ecs:servers:setTags", "evs:volumes:get", "evs:volumes:extend", "bss:renewal:update", "bss:order:view", "bss:order:pay"
- Virtual Private Cloud (VPC) and PrivateLink permissions:
  - Read VPC resource information:
    "vpc:vpcs:get", "vpc:vpcs:list", "vpc:subnets:get", "vpc:subnetTags:get"
  - Manage security groups:
    "vpc:securityGroups:get", "vpc:securityGroups:create", "vpc:securityGroups:update", "vpc:securityGroups:delete", "vpc:securityGroupRules:get", "vpc:securityGroupRules:create", "vpc:securityGroupRules:delete"
  - Manage ports:
    "vpc:ports:get", "vpc:ports:create", "vpc:ports:update", "vpc:ports:delete"
  - Manage EIPs:
    "vpc:publicIps:get", "vpc:publicIps:list", "vpc:publicIps:create", "vpc:publicIps:delete", "vpc:publicipTags:create", "vpc:publicipTags:delete"
  - Manage Elastic Load Balance (ELB) resources:
    "elb:loadbalancers:get", "elb:loadbalancers:list", "elb:loadbalancers:create", "elb:loadbalancers:delete", "elb:loadbalancerTags:get", "elb:loadbalancerTags:create", "elb:loadbalancerTags:delete", "elb:listeners:get", "elb:listeners:list", "elb:listeners:create", "elb:listeners:delete", "elb:listenerTags:get", "elb:listenerTags:create", "elb:listenerTags:delete", "elb:pools:get", "elb:pools:list", "elb:pools:create", "elb:pools:delete", "elb:members:get", "elb:members:list", "elb:members:create", "elb:members:delete", "elb:l7policies:get", "elb:l7policies:list", "elb:l7policies:create", "elb:l7policies:delete", "elb:l7rules:get", "elb:l7rules:list", "elb:l7rules:create", "elb:l7rules:delete", "elb:healthmonitors:get", "elb:healthmonitors:list", "elb:healthmonitors:put", "elb:healthmonitors:create", "elb:healthmonitors:delete", "elb:ipgroups:get", "elb:ipgroups:list", "elb:ipgroups:create", "elb:ipgroups:put", "elb:ipgroups:delete"
  - VPCEndpoint administrator permission: because of a cloud-provider constraint, the VPCEndpoint Administrator permission currently depends on the VPC, ECS and DNS administrator permissions.
- Object Storage Service (OBS) permissions:
  - Manage OBS buckets and read and write the buckets and their contents:
```json
{
  "Effect": "Allow",
  "Action": [ "obs:bucket:*", "obs:object:*" ],
  "Resource": [
    "obs:*:*:bucket:selectdb-bucket-*",
    "obs:*:*:object:selectdb-bucket-*/*",
    "obs:*:*:bucket:selectdb-import-data-cn-north-4",
    "obs:*:*:object:selectdb-import-data-cn-north-4/*"
  ]
}
```
- Identity and Access Management (IAM) permissions:
  - Manage IAM users, user groups and permissions:
    "iam:permissions:addUserToGroup", "iam:users:listUsersForGroup", "iam:permissions:removeUserFromGroup", "iam:groups:listGroupsForUser", "iam:permissions:checkUserInGroup", "iam:users:updateUser", "iam:users:createUser", "iam:users:listUsers", "iam:users:getUser", "iam:users:deleteUser", "iam:projects:listProjectsForUser", "iam:roles:getRole", "iam:roles:listRoles", "iam:roles:createRole", "iam:roles:updateRole", "iam:roles:deleteRole", "iam:permissions:revokeRoleFromGroup", "iam:permissions:listRolesForGroupOnDomain", "iam:permissions:checkRoleForGroupOnDomain", "iam:permissions:grantRoleToGroup", "iam:groups:listGroups", "iam:groups:createGroup", "iam:permissions:revokeRoleFromGroupOnDomain", "iam:permissions:listRolesForGroup", "iam:permissions:grantRoleToGroupOnProject", "iam:permissions:checkRoleForGroup", "iam:groups:deleteGroup", "iam:groups:updateGroup", "iam:permissions:grantRoleToGroupOnDomain", "iam:permissions:revokeRoleFromGroupOnProject", "iam:groups:getGroup", "iam:permissions:listRolesForAgencyOnDomain", "iam:permissions:revokeRoleFromAgencyOnDomain", "iam:permissions:listRolesForAgency", "iam:permissions:checkRoleForAgencyOnProject", "iam:permissions:listRolesForGroupOnProject", "iam:permissions:checkRoleForGroupOnProject", "iam:permissions:checkRoleForAgency", "iam:permissions:listRolesForAgencyOnProject", "iam:permissions:grantRoleToAgencyOnDomain", "iam:permissions:revokeRoleFromAgencyOnProject", "iam:permissions:grantRoleToAgency", "iam:permissions:grantRoleToAgencyOnProject", "iam:permissions:revokeRoleFromAgency", "iam:tokens:assume", "iam:agencies:list*"
- Resource Orchestration Service (RFS) permissions:
  - Manage stacks:
    "rf:*:*"
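The following is an added example, not part of the SelectDB documentation or of its stack template: a small Python audit for a custom policy in the Version 1.1 JSON shape used on this page (the policy pasted into the IAM console earlier, or the Region/Global policies summarized above). It reports which services a policy touches, which `service:*:*` actions are granted on Resource `*` (the `rf:*:*` statement is one), and which OBS resources are not restricted to the `selectdb-` bucket prefix, so an approver can compare a pasted policy against what this page says it should contain. The embedded policy is a constructed, shortened sample.

```python
import json

# Constructed sample in the Version 1.1 shape used on this page: a shortened
# Global-Policy plus the rf:*:* statement from the Region-Policy.
SAMPLE_POLICY = json.loads("""{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["obs:bucket:*", "obs:object:*"],
     "Resource": ["obs:*:*:bucket:selectdb-*", "obs:*:*:object:selectdb-*/*"]},
    {"Effect": "Allow",
     "Action": ["iam:users:createUser", "iam:tokens:assume", "iam:agencies:list*"],
     "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["rf:*:*"], "Resource": ["*"]}
  ]
}""")

def _allow_statements(policy):
    """Yield (actions, resources) for each Allow statement. A statement with
    no Resource key (the Version 1.0 shape) is treated as applying to '*'."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        yield list(stmt.get("Action", [])), list(stmt.get("Resource", ["*"]))

def services_in_policy(policy):
    """Service prefixes (ecs, vpc, obs, ...) on which the policy grants anything."""
    return {a.split(":", 1)[0] for acts, _ in _allow_statements(policy) for a in acts}

def wildcard_grants(policy):
    """Actions of the form service:*:* granted on Resource '*'. These cover every
    current and future API of that service, so an approver reads them first."""
    found = []
    for acts, resources in _allow_statements(policy):
        if "*" in resources:
            found.extend(a for a in acts if a.endswith(":*:*"))
    return found

def obs_resources_outside_prefix(policy, prefix="selectdb-"):
    """OBS bucket/object resources, in statements carrying obs: actions, whose
    bucket name does not start with the expected prefix (this page's policies
    use 'selectdb-*'); a bare '*' or 'obs:*:*:bucket:*' is reported here."""
    out = []
    for acts, resources in _allow_statements(policy):
        if not any(a.startswith("obs:") for a in acts):
            continue
        for res in resources:
            bucket = res.split(":", 4)[-1] if res.startswith("obs:") else res
            if not bucket.startswith(prefix):
                out.append(res)
    return out
```

Run the three functions over the JSON you are about to paste into the console; an empty result from `obs_resources_outside_prefix` and only the expected `rf:*:*` (and `vpcep:*:*` for the VPCEndpoint Administrator policy) from `wildcard_grants` matches what this page describes.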
Permissions of the sub-user created by the stack template
The first run of the stack template creates a sub-user that is used afterwards to manage the warehouse components inside your VPC. Its permissions are described below.
Note: the sub-user belongs to your cloud account and is used only inside your VPC; nothing leaves it.
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:cloudServers:list",
        "ecs:cloudServers:showServer",
        "ecs:cloudServers:createServers",
        "ecs:cloudServers:deleteServers",
        "ecs:cloudServers:updateServer",
        "ecs:cloudServers:changeChargeMode",
        "ecs:cloudServers:resize",
        "ecs:cloudServers:reboot",
        "ecs:cloudServers:stop",
        "ecs:cloudServers:start",
        "ecs:cloudServers:showServerBlockDevice",
        "ecs:cloudServers:listServerBlockDevices",
        "ecs:servers:get",
        "ecs:servers:list",
        "ecs:servers:start",
        "ecs:servers:stop",
        "ecs:servers:reboot",
        "ecs:servers:resize",
        "ecs:securityGroups:use",
        "ecs:servers:getTags",
        "ecs:servers:setTags",
        "evs:volumes:get",
        "evs:volumes:extend",
        "bss:renewal:update",
        "bss:order:view",
        "bss:order:pay",
        "vpc:vpcs:get",
        "vpc:vpcs:list",
        "vpc:subnets:get",
        "vpc:securityGroups:get",
        "vpc:securityGroups:create",
        "vpc:securityGroups:update",
        "vpc:securityGroups:delete",
        "vpc:securityGroupRules:get",
        "vpc:securityGroupRules:create",
        "vpc:securityGroupRules:delete",
        "vpc:ports:get",
        "vpc:ports:create",
        "vpc:ports:update",
        "vpc:ports:delete",
        "elb:loadbalancers:get",
        "elb:loadbalancers:list",
        "elb:loadbalancers:create",
        "elb:loadbalancers:delete",
        "elb:loadbalancerTags:get",
        "elb:loadbalancerTags:create",
        "elb:loadbalancerTags:delete",
        "elb:listeners:get",
        "elb:listeners:list",
        "elb:listeners:create",
        "elb:listeners:delete",
        "elb:listenerTags:get",
        "elb:listenerTags:create",
        "elb:listenerTags:delete",
        "elb:pools:get",
        "elb:pools:list",
        "elb:pools:create",
        "elb:pools:delete",
        "elb:members:get",
        "elb:members:list",
        "elb:members:create",
        "elb:members:delete",
        "elb:l7policies:get",
        "elb:l7policies:list",
        "elb:l7policies:create",
        "elb:l7policies:delete",
        "elb:l7rules:get",
        "elb:l7rules:list",
        "elb:l7rules:create",
        "elb:l7rules:delete",
        "elb:healthmonitors:get",
        "elb:healthmonitors:list",
        "elb:healthmonitors:put",
        "elb:healthmonitors:create",
        "elb:healthmonitors:delete",
        "elb:ipgroups:get",
        "elb:ipgroups:list",
        "elb:ipgroups:create",
        "elb:ipgroups:put",
        "elb:ipgroups:delete"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "obs:bucket:*",
        "obs:object:*"
      ],
      "Resource": [
        "obs:*:*:bucket:${huaweicloud_obs_bucket.SelectDBBucket.id}",
        "obs:*:*:object:${huaweicloud_obs_bucket.SelectDBBucket.id}/*",
        "obs:*:*:bucket:selectdb-import-data-cn-south-1",
        "obs:*:*:object:selectdb-import-data-cn-south-1/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:tokens:assume"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
The permissions break down as follows:
- Elastic Compute Service (ECS) permissions:
  - Project-level service; manage ECS instances:
    "ecs:cloudServers:list", "ecs:cloudServers:showServer", "ecs:cloudServers:createServers", "ecs:cloudServers:deleteServers", "ecs:cloudServers:updateServer", "ecs:cloudServers:changeChargeMode", "ecs:cloudServers:resize", "ecs:cloudServers:reboot", "ecs:cloudServers:stop", "ecs:cloudServers:start", "ecs:cloudServers:showServerBlockDevice", "ecs:cloudServers:listServerBlockDevices", "ecs:servers:get", "ecs:servers:list", "ecs:servers:start", "ecs:servers:stop", "ecs:servers:reboot", "ecs:servers:resize", "ecs:securityGroups:use", "ecs:servers:getTags", "ecs:servers:setTags", "evs:volumes:get", "evs:volumes:extend", "bss:renewal:update", "bss:order:pay"
- Virtual Private Cloud (VPC) and ELB permissions:
  - Project-level service; read VPC resource information:
    "vpc:vpcs:get", "vpc:vpcs:list", "vpc:subnets:get"
  - Project-level service; manage security groups:
    "vpc:securityGroups:get", "vpc:securityGroups:create", "vpc:securityGroups:update", "vpc:securityGroups:delete", "vpc:securityGroupRules:get", "vpc:securityGroupRules:create", "vpc:securityGroupRules:delete"
  - Project-level service; manage ports:
    "vpc:ports:get", "vpc:ports:create", "vpc:ports:update", "vpc:ports:delete"
  - Project-level service; manage Elastic Load Balance (ELB) resources:
    "elb:loadbalancers:get", "elb:loadbalancers:list", "elb:loadbalancers:create", "elb:loadbalancers:delete", "elb:loadbalancerTags:get", "elb:loadbalancerTags:create", "elb:loadbalancerTags:delete", "elb:listeners:get", "elb:listeners:list", "elb:listeners:create", "elb:listeners:delete", "elb:listenerTags:get", "elb:listenerTags:create", "elb:listenerTags:delete", "elb:pools:get", "elb:pools:list", "elb:pools:create", "elb:pools:delete", "elb:members:get", "elb:members:list", "elb:members:create", "elb:members:delete", "elb:l7policies:get", "elb:l7policies:list", "elb:l7policies:create", "elb:l7policies:delete", "elb:l7rules:get", "elb:l7rules:list", "elb:l7rules:create", "elb:l7rules:delete", "elb:healthmonitors:get", "elb:healthmonitors:list", "elb:healthmonitors:put", "elb:healthmonitors:create", "elb:healthmonitors:delete", "elb:ipgroups:get", "elb:ipgroups:list", "elb:ipgroups:create", "elb:ipgroups:put", "elb:ipgroups:delete"
- Object Storage Service (OBS) permissions:
  - Global service; manage OBS buckets and read and write the buckets and their contents:
```json
{
  "Effect": "Allow",
  "Action": [ "obs:bucket:*", "obs:object:*" ],
  "Resource": [
    "obs:*:*:bucket:selectdb-bucket-*",
    "obs:*:*:object:selectdb-bucket-*/*",
    "obs:*:*:bucket:selectdb-import-data-cn-north-4",
    "obs:*:*:object:selectdb-import-data-cn-north-4/*"
  ]
}
```
- Identity and Access Management (IAM) permissions:
  - Global service; allows assuming a specific role (agency) to obtain temporary credentials for it:
```json
{
  "Effect": "Allow",
  "Action": [ "iam:tokens:assume" ],
  "Resource": [ "*" ]
}
```