yexinru/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
Files
218900ecfc237f6c0ba9f9684f9afa10f1d5ea9a
doc-exports/docs/cce/umn/cce_10_0556.html
qiujiandong1 ab1e53a279 CCE UMN 20251031 version 
Reviewed-by: Gergo-Bence Lorincz <a200452876@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com>
Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
2026-01-15 10:25:22 +00:00

5.4 KiB
Raw Blame History

System Agencies

CCE works closely with multiple cloud services to support compute, storage, networking, and monitoring functions. When you log in to the CCE console for the first time, CCE automatically requests permissions to access those cloud services in the region where you run your applications. Specifically:
  • Compute services

    When you create a node in a cluster, a cloud server is created accordingly. The prerequisite is that CCE has obtained the permissions for accessing Elastic Cloud Server (ECS) and Bare Metal Server (BMS).

  • Storage services

    CCE allows you to mount storage to nodes and containers in a cluster. The prerequisite is that CCE has obtained the permissions for accessing services such as Elastic Volume Service (EVS), Scalable File Service (SFS), and Object Storage Service (OBS).

  • Networking services

    CCE allows containers in a cluster to be published as services that can be accessed by external systems. The prerequisite is that CCE has obtained the permissions for accessing services such as Virtual Private Cloud (VPC) and Elastic Load Balance (ELB).

  • Container and monitoring services

    CCE supports functions such as container image pull, monitoring, and logging. The prerequisite is that CCE has obtained the permissions for accessing services such as SoftWare Repository for Container (SWR) and Application Operations Management (AOM).

After you agree to the entrustment, CCE automatically creates an agency in IAM to delegate other resource operation permissions in your account to CCE. For details, see Account Delegation.

The agencies automatically created by CCE are as follows:

  • cce_admin_trust has permission to call all cloud services that CCE depends on, with the exception of IAM.

Based on the principle of least privilege (POLP), an IAM user must have at least the following IAM operation permissions when creating or updating an agency:

  • iam:agencies:createAgency: for creating an agency
  • iam:permissions:revokeRoleFromAgencyOnProject: for removing permissions of an agency for a region-specific project
  • iam:permissions:grantRoleToAgencyOnProject: for granting permissions to an agency for a region-specific project
  • iam:roles:createRole: for creating a custom policy
  • iam:roles:updateRole: for modifying a custom policy

For details about how to add custom permissions to cloud services, see Custom Policies.

cce_admin_trust

The cce_admin_trust agency has permission to call all cloud services that CCE depends on, such as creating a cluster or node. This delegation of permissions only applies to the current region.

To use CCE in multiple regions, request for cloud resource permissions in each region. You can go to the IAM console, choose Agencies and click cce_admin_trust to view the permissions of each region.

To ensure CCE can run normally, do not delete or modify the cce_admin_trust agency on IAM, as CCE requires the permissions.

Parent topic: Permissions