yexinru/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
Files
218900ecfc237f6c0ba9f9684f9afa10f1d5ea9a
doc-exports/docs/cce/umn/cce_10_0556.html
qiujiandong1 ab1e53a279 CCE UMN 20251031 version 
Reviewed-by: Gergo-Bence Lorincz <a200452876@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com>
Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
2026-01-15 10:25:22 +00:00

28 lines
5.4 KiB
HTML
Raw Blame History

<a name="cce_10_0556"></a><a name="cce_10_0556"></a>
<h1 class="topictitle1">System Agencies</h1>
<div id="body0000001462751661"><div class="p" id="cce_10_0556__p14970231788">CCE works closely with multiple cloud services to support compute, storage, networking, and monitoring functions. When you log in to the CCE console for the first time, CCE automatically requests permissions to access those cloud services in the region where you run your applications. Specifically:<ul id="cce_10_0556__ul3701191818917"><li id="cce_10_0556__li10701131818911">Compute services<p id="cce_10_0556__p1087644518126"><a name="cce_10_0556__li10701131818911"></a><a name="li10701131818911"></a>When you create a node in a cluster, a cloud server is created accordingly. The prerequisite is that CCE has obtained the permissions for accessing Elastic Cloud Server (ECS) and Bare Metal Server (BMS).</p>
</li><li id="cce_10_0556__li183546439915">Storage services<p id="cce_10_0556__p1726215716134"><a name="cce_10_0556__li183546439915"></a><a name="li183546439915"></a>CCE allows you to mount storage to nodes and containers in a cluster. The prerequisite is that CCE has obtained the permissions for accessing services such as Elastic Volume Service (EVS), Scalable File Service (SFS), and Object Storage Service (OBS).</p>
</li><li id="cce_10_0556__li1982014497913">Networking services<p id="cce_10_0556__p113391343111318"><a name="cce_10_0556__li1982014497913"></a><a name="li1982014497913"></a>CCE allows containers in a cluster to be published as services that can be accessed by external systems. The prerequisite is that CCE has obtained the permissions for accessing services such as Virtual Private Cloud (VPC) and Elastic Load Balance (ELB).</p>
</li><li id="cce_10_0556__li1828065516916">Container and monitoring services<p id="cce_10_0556__p99237594139"><a name="cce_10_0556__li1828065516916"></a><a name="li1828065516916"></a>CCE supports functions such as container image pull, monitoring, and logging. The prerequisite is that CCE has obtained the permissions for accessing services such as SoftWare Repository for Container (SWR) and Application Operations Management (AOM).</p>
</li></ul>
</div>
<p id="cce_10_0556__p12202757114912">After you agree to the entrustment, CCE automatically creates an agency in IAM to delegate other resource operation permissions in your account to CCE. For details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0054.html" target="_blank" rel="noopener noreferrer">Account Delegation</a>.</p>
<p id="cce_10_0556__p17370117487">The agencies automatically created by CCE are as follows:</p>
<ul id="cce_10_0556__ul1280714448481"><li id="cce_10_0556__li380711444485"><a href="#cce_10_0556__section123269912477">cce_admin_trust</a> has permission to call all cloud services that CCE depends on, with the exception of IAM.</li></ul>
<div class="note" id="cce_10_0556__note1755154313395"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0556__p1355343133916">Based on the principle of least privilege (POLP), an IAM user must have at least the following IAM operation permissions when creating or updating an agency:</p>
<ul id="cce_10_0556__ul15552043153918"><li id="cce_10_0556__li17551043193912"><strong id="cce_10_0556__b1355164310392">iam:agencies:createAgency</strong>: for creating an agency</li><li id="cce_10_0556__li10552043103919"><strong id="cce_10_0556__b2055114314398">iam:permissions:revokeRoleFromAgencyOnProject</strong>: for removing permissions of an agency for a region-specific project</li><li id="cce_10_0556__li195574383920"><strong id="cce_10_0556__b1955104319399">iam:permissions:grantRoleToAgencyOnProject</strong>: for granting permissions to an agency for a region-specific project</li><li id="cce_10_0556__li14102141911541"><strong id="cce_10_0556__b18969173111547">iam:roles:createRole</strong>: for creating a custom policy</li><li id="cce_10_0556__li626716155412"><strong id="cce_10_0556__b16589162965415">iam:roles:updateRole</strong>: for modifying a custom policy</li></ul>
<p id="cce_10_0556__p1241218321817">For details about how to add custom permissions to cloud services, see <a href="cce_10_0188.html#cce_10_0188__section1437818291149">Custom Policies</a>.</p>
</div></div>
<div class="section" id="cce_10_0556__section123269912477"><a name="cce_10_0556__section123269912477"></a><a name="section123269912477"></a><h4 class="sectiontitle">cce_admin_trust</h4><p id="cce_10_0556__p16691744154410">The <strong id="cce_10_0556__b45661437174515">cce_admin_trust</strong> agency has permission to call all cloud services that CCE depends on, such as creating a cluster or node. This delegation of permissions only applies to the current region.</p>
<p id="cce_10_0556__p17113145902611">To use CCE in multiple regions, request for cloud resource permissions in each region. You can go to the IAM console, choose <strong id="cce_10_0556__b1571552931017">Agencies</strong> and click <strong id="cce_10_0556__b5715929181010">cce_admin_trust</strong> to view the permissions of each region.</p>
<p id="cce_10_0556__p1879746141212">To ensure CCE can run normally, do not delete or modify the <strong id="cce_10_0556__b18813138104613">cce_admin_trust</strong> agency on IAM, as CCE requires the permissions.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_10_0164.html">Permissions</a></div>
</div>
</div>
View Git Blame Copy Permalink