Updated: 2024-04-30 GMT+08:00

Configuring IAM Permissions

  1. Using the Huawei Cloud account (the tenant's master account), create a developer user group named user_group and add the developer account to it. For details, see Step 1 Create a user group and add users.
  2. Create a custom policy.
    1. Log in to the console with the Huawei Cloud account, click the user name in the upper right corner, and choose "Identity and Access Management" from the drop-down list to open the IAM service.
    2. In the left navigation pane of the IAM console, choose Permissions > Policies. Click "Create Custom Policy" in the upper right corner, set "Policy Name" to "Policy1", select the JSON view as the policy configuration method, enter the policy content, and click "OK".
    3. The content of custom policy "Policy1" is shown below and can be copied as is. Note the second statement: it explicitly denies creating, updating and deleting resource pools, and because an explicit Deny takes precedence over Allow in IAM, the developer keeps every other ModelArts permission granted by modelarts:*:* but cannot manage resource pools.
      {
          "Version": "1.1",
          "Statement": [
              {
                  "Action": [
                      "modelarts:*:*"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "modelarts:pool:create",
                      "modelarts:pool:update",
                      "modelarts:pool:delete"
                  ],
                  "Effect": "Deny"
              },
              {
                  "Action": [
                      "sfsturbo:*:*",
                      "vpc:*:*",
                      "dss:*:get",
                      "dss:*:list"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "ecs:*:*",
                      "evs:*:get",
                      "evs:*:list",
                      "evs:volumes:create",
                      "evs:volumes:delete",
                      "evs:volumes:attach",
                      "evs:volumes:detach",
                      "evs:volumes:manage",
                      "evs:volumes:update",
                      "evs:volumes:use",
                      "evs:volumes:uploadImage",
                      "evs:snapshots:create",
                      "vpc:*:get",
                      "vpc:*:list",
                      "vpc:networks:create",
                      "vpc:networks:update",
                      "vpc:subnets:update",
                      "vpc:subnets:create",
                      "vpc:ports:*",
                      "vpc:routers:get",
                      "vpc:routers:update",
                      "vpc:securityGroups:*",
                      "vpc:securityGroupRules:*",
                      "vpc:floatingIps:*",
                      "vpc:publicIps:*",
                      "ims:images:create",
                      "ims:images:delete",
                      "ims:images:get",
                      "ims:images:list",
                      "ims:images:update",
                      "ims:images:upload"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "vpc:*:*",
                      "ecs:*:get*",
                      "ecs:*:list*"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "kms:cmk:*",
                      "kms:dek:*",
                      "kms:grant:*",
                      "kms:cmkTag:*",
                      "kms:partition:*"
                  ],
                  "Effect": "Allow"
              }
          ]
      }
  3. In the same way, create a second custom policy named "Policy2". Its content is shown below and can be copied as is.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "obs:bucket:ListAllMybuckets",
                    "obs:bucket:HeadBucket",
                    "obs:bucket:ListBucket",
                    "obs:bucket:GetBucketLocation",
                    "obs:object:GetObject",
                    "obs:object:GetObjectVersion",
                    "obs:object:PutObject",
                    "obs:object:DeleteObject",
                    "obs:object:DeleteObjectVersion",
                    "obs:object:ListMultipartUploadParts",
                    "obs:object:AbortMultipartUpload",
                    "obs:object:GetObjectAcl",
                    "obs:object:GetObjectVersionAcl"
                ],
                "Effect": "Allow"
            }
        ]
    }

    When creating custom policies, it is recommended to split project-level cloud services and global-level cloud services into two separate policies, so that the smallest possible authorization scope can be chosen when the policies are granted. Here, "Policy1" covers project-level cloud services and "Policy2" covers the global-level service (OBS).

  4. Grant the custom policies to the developer user group user_group.
    1. In the left navigation pane of the IAM console, choose User Groups. On the User Groups page, click "Authorize" in the Operation column of user_group, select the policies "Policy1", "Policy2" and "SWR Admin", and click "Next".

      SWR provides the permissions SWR FullAccess, SWR OperateAccess and SWR ReadOnlyAccess, but these three apply only to SoftWare Repository for Container (SWR) Enterprise Edition, whose open beta has been suspended; non-Enterprise Edition users cannot use them. Therefore select the "SWR Admin" policy here. Be aware that SWR Admin is a system-defined role that grants full administrative access to SWR, which is broader than the scoped custom policies above.

    2. Select "All resources" as the authorization scope and click "OK". "All resources" applies Policy1 in every region project; if the developers only work in one region, grant Policy1 with the region-specific project scope instead, which is the minimum-scope option that splitting the project-level and global-level actions into two policies makes possible.
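The two policies above are enforced by IAM, but it is worth checking offline what they actually grant before attaching them: whether the Deny statement really blocks pool management, whether OBS access comes only from Policy2, and which Allow entries are redundant (Policy1 lists vpc:*:* in two statements and then enumerates vpc:*:get, vpc:*:list and other actions that vpc:*:* already covers, which makes later reviews misleading). The following added example, which is not Huawei Cloud's code and does not talk to the cloud, is a small evaluator and linter for this policy format. It assumes the standard IAM evaluation rules (an explicit Deny overrides every Allow, an unmatched action is implicitly denied) and that action names are service:resource:operation with * matching within one segment. Policy2 is copied in full; Policy1 is abridged in the fourth statement, as noted in the code. The checked action names such as modelarts:notebook:create and obs:bucket:CreateBucket are illustrative inputs, not taken from the page.

```python
"""Offline evaluator and linter for Huawei Cloud IAM JSON policies (Version 1.1).

Added example; this is not Huawei Cloud's code and it runs nothing against the
cloud. Evaluation rules it assumes (standard IAM semantics, not stated on the
page): an explicit Deny in any attached policy overrides every Allow, and an
action matched by no statement is implicitly denied. Action names are modelled
as 'service:resource:operation', with '*' matching within one segment only.
Only Action and Effect are considered; Resource and Condition are ignored.
"""
import fnmatch
from typing import Dict, List

# Policy1 from the page, abridged: the fourth statement is trimmed to a few of
# its evs/vpc/ims entries; the other statements are copied as published.
POLICY1: Dict = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["modelarts:*:*"]},
        {"Effect": "Deny", "Action": ["modelarts:pool:create",
                                      "modelarts:pool:update",
                                      "modelarts:pool:delete"]},
        {"Effect": "Allow", "Action": ["sfsturbo:*:*", "vpc:*:*",
                                       "dss:*:get", "dss:*:list"]},
        {"Effect": "Allow", "Action": ["ecs:*:*", "evs:*:get", "evs:*:list",
                                       "evs:volumes:create", "vpc:*:get",
                                       "vpc:*:list", "vpc:networks:create",
                                       "ims:images:create"]},
        {"Effect": "Allow", "Action": ["vpc:*:*", "ecs:*:get*", "ecs:*:list*"]},
        {"Effect": "Allow", "Action": ["kms:cmk:*", "kms:dek:*", "kms:grant:*",
                                       "kms:cmkTag:*", "kms:partition:*"]},
    ],
}

# Policy2 from the page (global-level OBS actions), copied in full.
POLICY2: Dict = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": [
            "obs:bucket:ListAllMybuckets", "obs:bucket:HeadBucket",
            "obs:bucket:ListBucket", "obs:bucket:GetBucketLocation",
            "obs:object:GetObject", "obs:object:GetObjectVersion",
            "obs:object:PutObject", "obs:object:DeleteObject",
            "obs:object:DeleteObjectVersion", "obs:object:ListMultipartUploadParts",
            "obs:object:AbortMultipartUpload", "obs:object:GetObjectAcl",
            "obs:object:GetObjectVersionAcl"]},
    ],
}


def action_matches(pattern: str, action: str) -> bool:
    """True if an action pattern such as 'ecs:*:get*' matches the given action."""
    p_parts, a_parts = pattern.split(":"), action.split(":")
    if len(p_parts) != len(a_parts):
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def evaluate(policies: List[Dict], action: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action across all policies."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(action_matches(p, action) for p in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # an explicit Deny wins outright
                decision = "Allow"
    return decision


def lint(policy: Dict) -> List[str]:
    """List Allow entries that duplicate, or are already covered by, another Allow.

    Such entries change nothing for enforcement but hide the real grant: a
    reviewer who removes 'vpc:*:get' has changed nothing while 'vpc:*:*' stays.
    """
    allows = [(i, p) for i, s in enumerate(policy["Statement"])
              if s["Effect"] == "Allow" for p in s["Action"]]
    findings = set()
    for i, p in allows:
        for j, q in allows:
            if i == j and p == q:
                continue
            if p == q and j < i:
                findings.add(f"{p} in statement {i} duplicates statement {j}")
            elif p != q and action_matches(q, p):   # q is broader than p
                findings.add(f"{p} in statement {i} is covered by {q} in statement {j}")
    return sorted(findings)


if __name__ == "__main__":
    attached = [POLICY1, POLICY2]
    for act in ["modelarts:pool:create", "modelarts:notebook:create",
                "obs:object:PutObject", "obs:bucket:CreateBucket"]:
        print(f"{act:32} -> {evaluate(attached, act)}")
    print("\n".join(lint(POLICY1)))
```

Running the module shows the Deny on modelarts:pool:create winning over modelarts:*:*, the OBS actions being granted only through Policy2, and nine redundant entries in Policy1. The linter only flags redundancy; it deliberately reports the duplicated vpc:*:* rather than removing it, because the decision of whether the broad grant or the enumerated actions is the intended one belongs to the policy owner.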

Fine-Grained Authorization Management

If you need fine-grained permission management, see the permission policies and authorization items in the ModelArts API Reference.

For a fine-grained authorization example, see the separation of administrator and developer permissions.
