Permissions
If you need to assign different permissions to personnel in your enterprise to access your VPCs, IAM is a good choice. IAM provides identity authentication, permissions management, and access control, helping you to securely access your Huawei Cloud resources.
With IAM, you can create IAM users, and assign permissions to control their access to specific resources. For example, if you want some software developers in your enterprise to use VPCs but do not want them to delete VPCs or perform any other high-risk operations, you can grant permissions to use VPCs but not permissions to delete them.
If your HUAWEI ID does not require IAM for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account. For more information, see IAM Service Overview.
VPC Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
VPC is a project-level service deployed for specific regions. When you set Scope to Region-specific projects and select the specified projects in the specified regions, the users only have permissions for VPCs in the selected projects. If you set Scope to All resources, users have permissions for VPCs in all region-specific projects. When accessing VPCs, the users need to switch to the authorized region.
You can grant permissions by using roles and policies.
- Roles: A coarse-grained authorization strategy provided by IAM to assign permissions based on users' job responsibilities. Only a limited number of service-level roles are available for authorization. When you grant permissions using roles, you also need to attach dependent roles. Roles are not ideal for fine-grained authorization and least privilege access.
- Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant VPC users only the permissions for managing a certain type of resources. A majority of fine-grained policies contain permissions for specific APIs, and permissions are defined using API actions. For the API actions supported by VPC, see Permissions Policies and Supported Actions.
Table 1 lists all the system-defined permissions for VPC.
Policy Name |
Description |
Policy Type |
Dependencies |
---|---|---|---|
VPC FullAccess |
Full permissions for VPC. |
System-defined policy |
To use the VPC flow log function, users must also have the LTS ReadOnlyAccess permission. |
VPC ReadOnlyAccess |
Read-only permissions on VPC. |
System-defined policy |
None |
VPC Administrator |
Most permissions on VPC, excluding creating, modifying, deleting, and viewing security groups and security group rules. To be granted this permission, users must also have the Tenant Guest permission. |
System-defined role |
Tenant Guest policy, which must be attached in the same project as VPC Administrator. |
Table 2 lists the common operations supported by system-defined permissions for VPC.
Operation |
VPCReadOnlyAccess |
VPC Administrator |
VPC FullAccess |
---|---|---|---|
Creating a VPC |
Not supported |
Supported |
Supported |
Modifying a VPC |
Not supported |
Supported |
Supported |
Deleting a VPC |
Not supported |
Supported |
Supported |
Viewing VPC information |
Supported |
Supported |
Supported |
Creating a subnet |
Not supported |
Supported |
Supported |
Viewing subnet information |
Supported |
Supported |
Supported |
Modifying a subnet |
Not supported |
Supported |
Supported |
Deleting a subnet |
Not supported |
Supported |
Supported |
Creating a security group |
Not supported |
Not supported |
Supported |
Viewing security group information |
Supported |
Not supported |
Supported |
Modifying a security group |
Not supported |
Not supported |
Supported |
Deleting a security group |
Not supported |
Not supported |
Supported |
Adding a security group rule |
Not supported |
Not supported |
Supported |
Viewing a security group rule |
Supported |
Not supported |
Supported |
Modifying a security group rule |
Not supported |
Not supported |
Supported |
Deleting a security group rule |
Not supported |
Not supported |
Supported |
Creating a network ACL |
Not supported |
Supported |
Supported |
Viewing a network ACL |
Supported |
Supported |
Supported |
Modifying a network ACL |
Not supported |
Supported |
Supported |
Deleting a network ACL |
Not supported |
Supported |
Supported |
Adding a network ACL rule |
Not supported |
Supported |
Supported |
Modifying a network ACL rule |
Not supported |
Supported |
Supported |
Deleting a network ACL rule |
Not supported |
Supported |
Supported |
Creating a VPC peering connection |
Not supported |
Supported |
Supported |
Modifying a VPC peering connection |
Not supported |
Supported |
Supported |
Deleting a VPC peering connection |
Not supported |
Supported |
Supported |
Querying a VPC peering connection |
Supported |
Supported |
Supported |
Accepting a VPC peering connection request |
Not supported |
Supported |
Supported |
Rejecting a VPC peering connection request |
Not supported |
Supported |
Supported |
Creating a route table |
Not supported |
Supported |
Supported |
Deleting a route table |
Not supported |
Supported |
Supported |
Modifying a route table |
Not supported |
Supported |
Supported |
Associating a route table with a subnet |
Not supported |
Supported |
Supported |
Adding a route |
Not supported |
Supported |
Supported |
Modifying a route |
Not supported |
Supported |
Supported |
Deleting a route |
Not supported |
Supported |
Supported |
Creating a VPC flow log |
Not supported |
Supported |
Supported |
Viewing a VPC flow log |
Supported |
Supported |
Supported |
Enabling or disabling a VPC flow log |
Not supported |
Supported |
Supported |
Deleting a VPC flow log |
Not supported |
Supported |
Supported |
Creating an IP address group |
Not supported |
Supported |
Supported |
Associating an IP address group with resources |
Not supported |
Supported |
Supported |
Disassociating an IP address group from resources |
Not supported |
Supported |
Supported |
Adding IP addresses to an IP address group |
Not supported |
Supported |
Supported |
Deleting IP addresses from an IP address group |
Not supported |
Supported |
Supported |
Modifying an IP address group |
Not supported |
Supported |
Supported |
Deleting an IP address group |
Not supported |
Supported |
Supported |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.