Identity Policy-based Authorization
Identity-based permission provided by Identity and Access Management (IAM)Identity and Access Management (IAM) let you control access to CBH. With IAM, you can:
- Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing CBH resources.
- Grant only the permissions required for users to perform a task.
- Entrust an account or cloud service to perform professional and efficient O&M on your CBH resources.
If your account meets your permissions requirements, you can skip this section.
Figure 1 shows the process flow of identity policy-based authorization.
Prerequisites
Learn about the permissions supported by CBH. For details about the permissions of other services, see Permission SetPermission Set.
Authorization Process
- .
Assign the CBHReadOnlyAccess system policy to the user or user group.
- Log in as the IAM userLog in as the IAM user and verify permissions.
Log in to the console as an authorized user and verify the permissions.
- Hover over Service List and choose Cloud Bastion Host. On the CBH console, click Buy CBH Instance in the upper right corner. If the CBH instance cannot be purchased (assume that the current permission contains only CBH ReadOnlyAccess), the CBHReadOnlyAccess policy is in effect.
- Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the CBHReadOnlyAccess policy is in effect.
Example Custom Identity Policies for CBH
You can create custom identity policies to supplement the system-defined identity policies of CBH. You can create custom identity policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Edit policies from scratch or based on an existing policy in JSON format.
For details, see .
When creating a custom identity policy, use the Resource element to specify the resources the policy applies to and use the Condition element (condition keys) to control when the policy is in effect.
The following provides examples of custom identity policies for CBH.
- Example 1: Allowing users to change CBH instance specifications and upgrade CBH instance version.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "cbh:instance:upgrade", "cbh:instance:alterSpec" ] } ] }
- Example 2: Denying a user request of restarting a CBH instance
A deny policy must be used together with other policies. If the policies assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.
The following method can be used to create a custom policy to disallow users who have the CBH FullAccess policy assigned to restart a CBH instance. Assign both CBH FullAccess and the custom policies to the group to which the user belongs. Then the user can perform all operations on CBH except restarting a CBH instance. The following is an example of a deny policy:
{ "Version": "1.1", "Statement": [ { "Effect": "Deny", "Action": [ "cbh:instance:reboot" ] } ] }
- Example 3: Defining permissions for multiple services in a policy
A custom policy can contain the actions of multiple services that are of the global or project-level type. The following is an example policy containing actions of multiple services:
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "cbh:instance:create" ] }, { "Effect": "Allow", "Action": [ "vpc:subnets:get" ] }, { "Effect": "Allow", "Action": [ "ecs:cloudServerFlavors:get" ] } ] }
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.