Updated on 2025-09-08 GMT+08:00

Configuring Read-Only Permissions

Context

If you want to give varying levels of access to your company's DWS resources on Huawei Cloud, using IAM is an effective way to manage permissions in detail. IAM provides identity authentication, permissions management, and access control, enabling secure access to your cloud resources. You can use your cloud account to create IAM users, and assign permissions to the users to control their access to specific resources.

  • Scenario 1: To allow software developers in your company to use DWS resources while restricting high-risk operations and resource deletion, you can create IAM users tailored for these developers and grant them only the essential permissions for DWS usage.
  • Scenario 2: Allow employees to use only DWS resources, but not the resources of other services. To this end, grant them only the permissions for DWS.

You can use IAM to control access to cloud resources and prevent misoperations on them. This section describes how to configure read-only permissions for an IAM user.

Tutorial 1: Read-Only Operations on IAM Project View

  1. Create a user group and assign permissions to it.

    Use the Huawei Cloud account to log in to the IAM console, create a user group, and attach the DWS ReadOnlyAccess policy to the group.

  2. Create a user and add it to a user group.

    Create a user on the IAM console and add the user to the group created in step 1.

  3. Log in and verify permissions.

    Log in to the DWS console as the created user, switch to the authorized region, and verify the permissions.
    • Click Create GaussDB(DWS) Cluster in the upper right corner to create a cluster. If the cluster cannot be created (assuming that the current permission contains only DWS ReadOnlyAccess), DWS ReadOnlyAccess has taken effect.
    • Choose any other service in Service List. If only the DWS ReadOnlyAccess policy is added and a message is displayed indicating that you have insufficient permission to access the service, DWS ReadOnlyAccess has taken effect.

Tutorial 2: Read-Only Operations in an Enterprise Project

  1. Create a user group and assign permissions to it.

    Use the Huawei Cloud account to log in to the IAM console, create a user group, and attach the DWS ReadOnlyAccess policy to the group.

    • In the enterprise project view, the system still displays a message indicating that you lack fine-grained permissions when you perform read-only operations that are not related to resources, for example, operations that need the fine-grained permissions for events and alarms.

  2. Configure read-only permissions for events and alarms in the IAM project view.

    1. Create the following custom policy readonly_event_alarm:
      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "dws:alarm*:list*",
                      "dws:cluster*:list*",
                      "dws:dms*:get*",
                      "dws:event*:list*"
                  ]
              }
          ]
      }
    2. Log in to the IAM console, create a user group, and assign the newly created policy to the user group.

  3. Create a user and add it to a user group.

    Create a user on the IAM console and add the user to the group created in step 1.

  4. Log in and verify permissions.

    Log in to the DWS console as the created user, switch to the authorized region, and verify the permissions.
    • Click Create GaussDB(DWS) Cluster in the upper right corner to create a cluster. If the cluster cannot be created (assuming that the current permission contains only DWS ReadOnlyAccess), DWS ReadOnlyAccess has taken effect.
    • Choose any other service in Service List. If only the DWS ReadOnlyAccess policy is added and a message is displayed indicating that you have insufficient permission to access the service, DWS ReadOnlyAccess has taken effect.
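
The following is an added example, not part of the original page or of Huawei Cloud's tooling: a Python check that a custom policy such as readonly_event_alarm from Tutorial 2 allows only read-only DWS actions before it is attached to a user group. It assumes that only list and get operations count as read-only (the verbs the page's policy uses); audit_policy and the constants are hypothetical names.

```python
import json

# Assumption: only "list" and "get" operations count as read-only, matching
# the verbs used by the readonly_event_alarm policy on this page.
READ_ONLY_VERBS = ("list", "get")
ALLOWED_SERVICE = "dws"  # Scenario 2: permissions for DWS only

# The custom policy from Tutorial 2, step 2, reproduced unchanged.
READONLY_EVENT_ALARM = """
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["dws:alarm*:list*", "dws:cluster*:list*",
                "dws:dms*:get*", "dws:event*:list*"]}
  ]
}
"""


def audit_policy(policy_text):
    """Return (statement index, action, reason) findings; empty means read-only."""
    findings = []
    policy = json.loads(policy_text)
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            parts = action.split(":")
            if len(parts) != 3:
                findings.append((idx, action, "not service:resource:operation"))
                continue
            service, _resource, operation = parts
            if service.lower() != ALLOWED_SERVICE:
                findings.append((idx, action, "service other than dws"))
            # The literal text before the first wildcard must already pin the
            # operation to a read-only verb, so "*" or "l*" is rejected.
            literal = operation.split("*", 1)[0].lower()
            if not literal.startswith(READ_ONLY_VERBS):
                findings.append((idx, action, "operation not limited to list/get"))
    return findings
```

An empty result for the page's policy confirms that its wildcards stay within list and get operations; any finding names the action to tighten before the policy is assigned.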