Using IAM Identity Policies to Grant Access to Direct Connect
IAM identity policies (system-defined permissions in identity policy-based authorization) let you control who can do what with your Direct Connect resources. With IAM, you can:
- Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing Direct Connect resources.
- Grant only the permissions required for users to perform a specific task.
- Entrust another account or cloud service to perform professional and efficient O&M on your cloud resources.
If your HUAWEI ID meets your permissions requirements, you can skip this topic.
Figure 1 shows the process flow of identity policy-based authorization.
Prerequisites
You are familiar with the system-defined permissions that Direct Connect supports. Before granting permissions, read the system-defined permissions listed under Identity Policy-based Authorization. To grant permissions for other services, consult the full list of system-defined permissions.
Process Flow
- On the IAM console, create an IAM user or user group.
Log in to the IAM console and create the user or user group that will receive the Direct Connect permissions.
- Attach a system-defined identity policy (DCAASReadOnlyPolicy as an example) to the user or user group.
- Log in as the IAM user and verify permissions.
Log in to the Direct Connect console as the authorized user and verify permissions.
- Go to the connection list page and click Create Connection in the upper right corner. If the creation is rejected for insufficient permissions, DCAASReadOnlyPolicy is in effect.
- Choose any other service in Service List. If a message appears indicating that you have insufficient permissions to access that service, DCAASReadOnlyPolicy is in effect and no permissions beyond read-only Direct Connect access were granted.
Example Custom Identity Policies
You can create custom identity policies to supplement system-defined identity policies. For the actions supported for custom identity policies, see "Identity Policy-Based Authorization" in the Direct Connect API Reference.
You can create custom identity policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and conditions. This does not require knowledge of policy grammar.
- JSON: Edit JSON policies from scratch or based on an existing policy.
For details, see Creating a Custom Identity Policy and Attaching It to a Principal.
When creating a custom identity policy, use the Resource element to specify the resources the policy applies to and the Condition element (service-specific condition keys) to control when the policy takes effect. For the supported resource types and condition keys, see "Supported Actions in Identity Policy-based Authorization" in the Direct Connect API Reference. The following are example custom identity policies for Direct Connect.
- Example 1: Granting permission to create and modify connections
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dcaas:directConnect:create",
        "dcaas:directConnect:update"
      ]
    }
  ]
}
- Example 2: Create a custom identity policy that contains multiple actions.
A custom identity policy can contain the actions of one or multiple services. The following is an example policy containing actions of multiple services:
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dcaas:directConnect:create",
        "dcaas:directConnect:update",
        "dcaas:vgw:create",
        "dcaas:vif:create"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:vpcs:create",
        "vpc:vpcs:update",
        "vpc:subnets:create",
        "vpc:subnets:update"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "dcaas:vgw:delete",
        "dcaas:vif:delete"
      ]
    }
  ]
}
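To check what Example 1 and Example 2 actually grant before attaching them to a user group, the following script parses a policy document, rejects obvious defects, and answers "is this action allowed?" for a list of actions. It is an added example, not Huawei Cloud code: it assumes the usual evaluation rule (an explicit Deny overrides any Allow, and an action matched by no statement is implicitly denied) and accepts shell-style "*" wildcards in action names, which the examples on this page do not use. The policy text embedded below is a constructed copy of Example 2.

```python
"""Minimal evaluator for identity-policy documents like the Direct Connect
examples above.  Added example, not Huawei Cloud's own code: it assumes
Deny-overrides-Allow with implicit deny, and shell-style '*' wildcards."""
import fnmatch
import json

# Constructed copy of Example 2 from this page (two services, one Deny).
POLICY_JSON = """
{
  "Version": "5.0",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["dcaas:directConnect:create", "dcaas:directConnect:update",
                "dcaas:vgw:create", "dcaas:vif:create"]},
    {"Effect": "Allow",
     "Action": ["vpc:vpcs:create", "vpc:vpcs:update",
                "vpc:subnets:create", "vpc:subnets:update"]},
    {"Effect": "Deny", "Action": ["dcaas:vgw:delete", "dcaas:vif:delete"]}
  ]
}
"""


def load_policy(text):
    """Parse a policy document and raise ValueError on defects that would
    make it useless: wrong Version, bad Effect, or a malformed action name
    (actions on this page are service:resourceType:operation)."""
    policy = json.loads(text)
    if policy.get("Version") != "5.0":
        raise ValueError("identity policies on this page declare Version 5.0")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("Statement must be a non-empty list")
    for stmt in statements:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny, got %r" % stmt.get("Effect"))
        actions = stmt.get("Action")
        if isinstance(actions, str):
            actions = [actions]
        if not actions:
            raise ValueError("each statement needs at least one Action")
        for action in actions:
            if action.count(":") != 2:
                raise ValueError("malformed action %r" % action)
        stmt["Action"] = actions  # normalise to a list for the evaluator
    return policy


def is_allowed(policy, action):
    """True if `action` is permitted under the assumed semantics: any
    matching Deny wins immediately, otherwise a matching Allow grants it,
    and no match at all is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_permissions(policy, actions):
    """Map each requested action to its decision for a quick policy review."""
    return {action: is_allowed(policy, action) for action in actions}


if __name__ == "__main__":
    pol = load_policy(POLICY_JSON)
    review = effective_permissions(pol, [
        "dcaas:vgw:create", "dcaas:vgw:delete",
        "vpc:vpcs:create", "dcaas:directConnect:delete",
    ])
    for action, ok in review.items():
        print("%-30s %s" % (action, "allow" if ok else "deny"))
```

Run it on a policy before attaching it: actions you expect to be granted but that come back "deny" usually mean a missing statement or a typo in the action name, and the explicit Deny statements show which destructive operations stay blocked even if a later Allow is added.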