Updated on 2024-04-19 GMT+08:00

Granting IAM Users the Permission to Create CSS Clusters

To implement fine-grained permission management for CSS, you can use Identity and Access Management (IAM) to create independent IAM users and assign policies or roles to IAM user groups. The policies and roles can be used to control access to CSS resources.

This section describes how to create an IAM user and add the IAM user to a user group, so that the IAM user has the permission to create CSS clusters.

Step 1: Create a User Group and Assign Policy

  1. Use your Huawei ID to enable Huawei Cloud services, and then log in to Huawei Cloud.

    Figure 1 Logging in to Huawei Cloud

  2. Click Console in the upper right corner.

    Figure 2 Accessing the console

  3. On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.

    Figure 3 Accessing the IAM console

  4. On the IAM console, choose User Groups and click Create User Group.

    Figure 4 Creating a user group

  5. Enter Developers for Name, and click OK.

    Figure 5 Setting the user group information

Step 2: Grant Permissions to a User Group

  1. In the user group list, click Authorize in the row containing the newly created user group.

    Figure 6 Authorizing a user group

  2. In the Select Policy/Role step, search for CSS FullAccess in the search box, select it, and click Next.

    • Generally, the permissions for creating a cluster include CSS FullAccess and Elasticsearch Administrator. Grant only what the group needs: CSS ReadOnlyAccess for groups that only view clusters, CSS FullAccess for groups that create and manage them. Table 1 maps common operations to the system-defined permissions; Table 2 describes each permission and its dependencies.
    • If users in the group need to view resource usage, attach the BSS Administrator role to the group for the same project.
    Table 1 Common operations supported by each system-defined policy (√: supported; x: not supported; -: no remarks)

    Operation                                                      | CSS FullAccess | CSS ReadOnlyAccess | Elasticsearch Administrator | Remarks
    Creating a cluster                                             | √              | x                  | √                           | -
    Querying the cluster list                                      | √              | √                  | √                           | -
    Querying cluster details                                       | √              | √                  | √                           | -
    Deleting a cluster                                             | √              | x                  | √                           | -
    Restarting a cluster                                           | √              | x                  | √                           | -
    Expanding cluster capacity                                     | √              | x                  | √                           | -
    Adding instances and expanding storage                         | √              | x                  | √                           | -
    Querying tags of a specified cluster                           | √              | √                  | √                           | -
    Querying all tags                                              | √              | √                  | √                           | -
    Loading a custom word dictionary                               | √              | x                  | √                           | Depends on OBS and IAM permissions
    Querying the status of a custom word dictionary                | √              | √                  | √                           | -
    Deleting a custom word dictionary                              | √              | x                  | √                           | -
    Automatically setting basic configurations of a cluster snapshot | √            | x                  | √                           | Depends on OBS and IAM permissions
    Modifying basic configurations of a cluster snapshot           | √              | x                  | √                           | Depends on OBS and IAM permissions
    Setting the automatic snapshot creation policy                 | √              | x                  | √                           | -
    Querying the automatic snapshot creation policy                | √              | √                  | √                           | -
    Manually creating a snapshot                                   | √              | x                  | √                           | -
    Querying the snapshot list                                     | √              | √                  | √                           | -
    Restoring a snapshot                                           | √              | x                  | √                           | -
    Deleting a snapshot                                            | √              | x                  | √                           | -
    Disabling the snapshot function                                | √              | x                  | √                           | -
    Modifying specifications                                       | √              | x                  | √                           | -
    Scaling in clusters                                            | √              | x                  | √                           | -

    Table 2 CSS system permissions

    Role/Policy Name            | Type                  | Role/Policy Description                                                                        | Dependencies
    Elasticsearch Administrator | System-defined role   | Full permissions for CSS.                                                                      | Depends on the Tenant Guest and Server Administrator roles in the same project. Tenant Guest is a global role and must be assigned in the global project; Server Administrator is a project-level role and must be assigned in the same project.
    CSS FullAccess              | System-defined policy | Full CSS permissions granted through a policy. Users with this policy can perform all operations on CSS. | None
    CSS ReadOnlyAccess          | System-defined policy | Read-only permissions for CSS. Users with this policy can only view CSS data.                   | None

  3. Select a scope.

    Take the AP-Singapore region as an example. Set Scope to Region-specific projects and select ap-southeast-3 [AP-Singapore].

  4. Click OK.

Step 3: Create an IAM User and Add It to the User Group

  1. In the navigation pane, choose Users. Click Create User.
  2. On the Create User page, configure the user details and the access type. To create more users, click Add User; a maximum of 10 users can be created at a time.

    Figure 7 Configuring user information
    • Users can log in to Huawei Cloud using the username, email address, or mobile number.
    • If users forget their password, they can reset it through email address or mobile number verification. If no email address or mobile number has been bound to a user, the user must ask the administrator to reset the password.
    Table 3 User information

    Parameter     | Description
    Username      | Mandatory. Username used to log in to Huawei Cloud, for example, James or Alice.
    Email Address | Mandatory if you choose Credential Type > Password > Require password reset at first login. Email address of the IAM user, which can also be used as a login credential. IAM users can bind an email address themselves after being created.
    Mobile Number | Optional. Mobile number of the IAM user, which can be used as a login credential. IAM users can bind a mobile number themselves after being created.
    Description   | Optional. Additional information about the IAM user.

    Figure 8 Setting the access type
    • Programmatic access: Select this option to allow the user to access cloud services using development tools, such as APIs, CLI, and SDKs. You can generate an access key or set a password for the user.
    • Management console access: Select this option to allow the user to access cloud services using the management console. You can set or generate a password for the user or request the user to set a password at first login.
      • If the user accesses cloud services only by using the management console, select Management console access for Access Type and Password for Credential Type.
      • If the user accesses cloud services only through programmatic calls, select Programmatic access for Access Type and Access key for Credential Type.
      • If the user needs to use a password as the credential for programmatic access to certain APIs, select Programmatic access for Access Type and Password for Credential Type.
      • If the user needs to perform access key verification when using certain services in the console, select Programmatic access and Management console access for Access Type and Access key and Password for Credential Type. For example, the user needs to perform access key verification when creating a data migration job in the Cloud Data Migration (CDM) console.
      Table 4 Setting the credential type and login protection

      Credential Type and Login Protection  | Description
      Access Key                            | After creating the user, you can download the access key (AK/SK) generated for the user. Each user can have a maximum of two access keys.
      Password > Custom                     | Set a password for the user and decide whether to require the user to reset it at first login. If you are the user, select this option and set a password for login; you do not need to select Require password reset at first login.
      Password > Automatically generated    | The system generates a login password for the user. After the user is created, download the Excel password file and provide the password to the user, who can then use it to log in. This option is available only when you create a single user.
      Password > Set by user                | A one-time login URL is emailed to the user, who clicks the link to log in to the console and set a password. If you are not the user, select this option and enter the user's email address and mobile number. The login URL is valid for seven days.
      Login Protection > Enable (Recommended) | With login protection enabled, the user must enter a verification code in addition to the username and password during login. You can select SMS, email, or a virtual MFA device for verification. Enable this function for account security.
      Login Protection > Disable            | To enable login protection for an IAM user after creation, see Modifying IAM User Information.

  3. Click Next and add the user to the user group created in Step 1: Create a User Group and Assign Policy.

    The user will inherit the permissions assigned to the user groups to which the user belongs.

    The default user group admin has administrator permissions for all cloud resources. Do not add the new user to admin just to unblock CSS access; use a group with only the CSS permissions it needs.

  4. Click Create. If you have specified the access type as Programmatic access and selected Access key for Credential Type (see Table 4), you can download the access keys on the Finish page.

    Figure 9 User created successfully

Step 4: Log In as an IAM User and Verify Permissions

  1. Click IAM User Login on the login page, and then enter your Tenant name or Huawei Cloud account name, IAM user name or email address, and IAM user password.

    Figure 10 IAM user login
    • Tenant name or Huawei Cloud account name: the name of the account that was used to create the IAM user.
    • IAM user name or email address: the username (for example, James) or email address of the IAM user. IAM users can obtain their username and password from the administrator.
    • IAM user password: the password of the IAM user (not the password of the account).

  2. Click Log In.
  3. Click Service List and choose Cloud Search Service.
  4. In the upper right corner of the Dashboard page, click Create Cluster. Create a cluster by following the steps provided in Creating a Cluster. If the cluster can be created, the permissions have taken effect.
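The console check above proves the permission by creating a cluster. The same verification can be scripted, which is useful when you need to audit many IAM users or projects. The following is an added example and not code from the Huawei Cloud documentation: it logs in as the IAM user through the documented IAM token API (POST /v3/auth/tokens, password login scoped to a region project, token returned in the X-Subject-Token header) and then calls the CSS cluster list API (GET /v1.1/{project_id}/clusters) with that token. The region endpoints, the account, user and project names, and the offline FakeCloud simulator that stands in for IAM and CSS are assumptions for illustration. Listing clusters is used instead of creating one so the check is read-only; per Table 1 it succeeds with any of the three CSS permissions, so a 200 confirms that the group binding and the project scope chosen in Step 2 are right, not that CSS FullAccess specifically was attached.

```python
"""Scripted version of the Step 4 check. Added example, not from the page.
Documented endpoints: IAM POST /v3/auth/tokens and CSS GET /v1.1/{project_id}/clusters.
Endpoints, names and the FakeCloud simulator are assumptions."""
import io
import json
import urllib.error
import urllib.request
from email.message import Message

# Assumption: AP-Singapore (ap-southeast-3), the region selected in Step 2.
IAM_ENDPOINT = "https://iam.ap-southeast-3.myhuaweicloud.com"
CSS_ENDPOINT = "https://css.ap-southeast-3.myhuaweicloud.com"
CSS_POLICIES = {"CSS FullAccess", "CSS ReadOnlyAccess", "Elasticsearch Administrator"}


def build_token_request(account_name, user_name, password, project_name):
    """Body for POST /v3/auth/tokens. 'domain' is the account (tenant) that owns the
    IAM user, i.e. the Tenant name on the IAM User Login page; the scope pins the
    token to one region project, which must match the scope chosen in Step 2."""
    user = {"name": user_name, "password": password, "domain": {"name": account_name}}
    return {"auth": {"identity": {"methods": ["password"], "password": {"user": user}},
                     "scope": {"project": {"name": project_name}}}}


def http_json(method, url, body=None, headers=None, opener=urllib.request.urlopen):
    """One JSON request -> (status, response headers, body bytes). 4xx/5xx are
    returned rather than raised so the caller can classify them."""
    req = urllib.request.Request(url, data=json.dumps(body).encode() if body is not None else None,
                                 method=method, headers={"Content-Type": "application/json", **(headers or {})})
    try:
        with opener(req) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def get_project_token(account_name, user_name, password, project_name, opener=urllib.request.urlopen):
    """Authenticate as the IAM user; returns (token, project_id) or raises PermissionError."""
    status, headers, body = http_json("POST", IAM_ENDPOINT + "/v3/auth/tokens",
                                      build_token_request(account_name, user_name, password, project_name),
                                      opener=opener)
    if status != 201:
        raise PermissionError(f"IAM rejected the login: HTTP {status}")
    return headers.get("X-Subject-Token"), json.loads(body)["token"]["project"]["id"]


def classify(status):
    """What a CSS response code says about the IAM setup."""
    if status == 200:
        return "allowed"
    if status == 403:
        return "denied: no CSS policy on the user's groups, or granted in another project"
    if status == 401:
        return "unauthenticated: token missing, expired, or issued for another region"
    return f"unexpected HTTP {status}"


def check_css_access(account_name, user_name, password, project_name, opener=urllib.request.urlopen):
    token, project_id = get_project_token(account_name, user_name, password, project_name, opener)
    status, _, _ = http_json("GET", f"{CSS_ENDPOINT}/v1.1/{project_id}/clusters",
                             headers={"X-Auth-Token": token}, opener=opener)
    return classify(status)


class _Resp:
    """Minimal stand-in for http.client.HTTPResponse (status, headers, read, context manager)."""
    def __init__(self, status, headers, body):
        self.status, self.headers, self._body = status, Message(), json.dumps(body).encode()
        for k, v in headers.items():
            self.headers[k] = v
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class FakeCloud:
    """Constructed offline stand-in for IAM and CSS (assumption, for the demo). It applies the
    page's rule: a user may call CSS only if one of its groups holds a CSS policy in the
    project the token is scoped to. users: name -> {password, groups}; groups: name ->
    {project_id -> set of policies}."""
    def __init__(self, users, groups, project_id="proj-sg"):
        self.users, self.groups, self.project_id, self.tokens = users, groups, project_id, {}

    def __call__(self, req):
        hdrs = {k.lower(): v for k, v in req.header_items()}
        if req.full_url.endswith("/v3/auth/tokens"):
            login = json.loads(req.data)["auth"]["identity"]["password"]["user"]
            user = self.users.get(login["name"])
            if user is None or user["password"] != login["password"]:
                raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", Message(), io.BytesIO(b"{}"))
            self.tokens[f"tok-{login['name']}"] = login["name"]
            return _Resp(201, {"X-Subject-Token": f"tok-{login['name']}"},
                         {"token": {"project": {"id": self.project_id}}})
        if req.full_url.endswith("/clusters"):
            user = self.users.get(self.tokens.get(hdrs.get("x-auth-token"), ""))
            if user is None:
                raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", Message(), io.BytesIO(b"{}"))
            granted = set().union(*(self.groups[g].get(self.project_id, set()) for g in user["groups"]))
            if granted & CSS_POLICIES:
                return _Resp(200, {}, {"clusters": []})
            raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", Message(), io.BytesIO(b"{}"))
        raise ValueError("unexpected URL " + req.full_url)


if __name__ == "__main__":
    # Constructed data: James is in Developers, which holds CSS FullAccess in the token's project
    # (as set up in Step 2); Alice's group holds the same policy but in a different project.
    cloud = FakeCloud(users={"James": {"password": "demo-pw", "groups": ["Developers"]},
                             "Alice": {"password": "demo-pw", "groups": ["Analysts"]}},
                      groups={"Developers": {"proj-sg": {"CSS FullAccess"}},
                              "Analysts": {"proj-other": {"CSS FullAccess"}}})
    for name in ("James", "Alice"):
        print(name, "->", check_css_access("my-account", name, "demo-pw", "ap-southeast-3", opener=cloud))
```

Against the real service, drop the opener argument so urllib.request.urlopen is used, and expect "allowed" for James; a 403 is the usual symptom of the policy having been granted for a different project than the one the token is scoped to, which is exactly the Step 2 scope setting. The wrong-password case raises PermissionError before CSS is ever called, so an authentication failure is never mistaken for a missing policy.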