Updated on 2022-11-04 GMT+08:00

Assigning Permissions to IAM Users

Scenario

UCS allows you to assign cluster permissions to IAM users and user groups under your account. Different departments or projects can be isolated from each other by defining permissions policies and cluster groups. Authorizing user groups is more time-efficient than authorizing users one by one.

Assume that you have two projects, each involving multiple members. Figure 1 shows how their permissions are assigned. CCE clusters, self-built clusters, and third-party cloud clusters are grouped into group 1, 2, and 3, respectively.

  • Project team A needs to manage cluster groups 1 and 2 and read data of cluster group 3. Therefore, you can create two permissions policies, one admin (associated with groups 1 and 2) and one read-only (associated with group 3).
  • Project team B needs to manage cluster groups 1 and 3 and read data of cluster group 2. Therefore, you can create two permissions policies, one admin (associated with groups 1 and 3) and one read-only (associated with group 2).

UCS permission policies vary according to cluster providers.

  • For CCE clusters, their permissions policies are configured in IAM by users of the admin user group.
  • For non-CCE clusters, their permissions policies are configured by users in the admin user group on the Permissions Policies page of the UCS console.

This section describes how to configure UCS permissions by creating an IAM user and user group.

Figure 1 Permission design

Solutions

Figure 1 shows that each project team needs two user groups (read-write and read-only). Table 1 lists the permissions to be granted to each user group.

Table 1 Permissions setting examples

| Project Team | Permissions | Cluster Group | IAM Console | UCS Console |
|---|---|---|---|---|
| Team A | Admin | Cluster group 1 (CCE clusters); Cluster group 2 (self-built clusters) | User group 1: CCE Administrator | Permissions policy 1 (associated with user group 1): Admin Permission Template |
| Team A | Read-only | Cluster group 3 (third-party clusters) | User group 2: CCE ReadOnlyAccess | Permissions policy 2 (associated with user group 2): ReadOnly Permission Template |
| Team B | Admin | Cluster group 1 (CCE clusters); Cluster group 3 (third-party clusters) | User group 3: CCE Administrator | Permissions policy 3 (associated with user group 3): Admin Permission Template |
| Team B | Read-only | Cluster group 2 (self-built clusters) | User group 4: CCE ReadOnlyAccess | Permissions policy 4 (associated with user group 4): ReadOnly Permission Template |

Procedure

Figure 2 shows the procedure of creating an IAM user and managing its permissions. Step 1: Create and Authorize an IAM User and Step 2: Create and Associate a Permissions Policy with a Cluster Group detail the operations.

Each user group needs to be authorized on the IAM and UCS consoles. In this example, you need to grant permissions listed in Table 1 to four user groups.

Figure 2 Permission management flow

Prerequisites

You have connected a cluster to UCS.

Step 1: Create and Authorize an IAM User

Before a new IAM user uses UCS, the administrator needs to add the IAM user to a user group and grant permissions to the user group.

  1. Log in to the IAM console as the administrator.
  2. Choose User Groups from the navigation pane, and click Create User Group. If the user group already exists, go to step 4 to grant permissions to it.
  3. On the Create User Group page, enter the user group name and description, and click OK.

    Figure 3 Creating a user group

  4. In the user group list, click Authorize in the row that contains the target user group.

    Figure 4 Authorizing a user group

  5. Search for and select one or multiple policies or roles.

    This example involves managing container clusters. Therefore, only the CCE Administrator role is assigned to the user. To use all UCS functions (except permissions policies), the user also needs the Tenant Administrator role.
    Figure 5 Selecting policies

  6. Click Next and select a scope.

    The default option All resources is selected, indicating that the IAM user will be able to use all resources, including those in enterprise projects, region-specific projects, and global services under your account based on assigned permissions.

  7. Click OK to complete the authorization. The authorization may take 15 to 30 minutes to take effect.
  8. On the IAM console homepage, choose Users from the navigation pane, and click Create User.

    Enter the username and initial password. For details about other parameters, see Creating an IAM User.

  9. Click Next and select the user group authorized in step 4.

    Figure 6 Adding the user to a user group

  10. Click Create.

Step 2: Create and Associate a Permissions Policy with a Cluster Group

  1. Log in to the UCS console. In the navigation pane, choose Permissions Policies.
  2. In the upper right corner, click Create Permissions Policy.
  3. Set permissions policy parameters as illustrated in Figure 7.

    Figure 7 Creating a permissions policy
    • Policy Name: Enter a name, starting with a lowercase letter and not ending with a hyphen (-). Only lowercase letters, digits, and hyphens (-) are allowed.
    • User Group: Select the user group to associate with the permissions policy. Not editable after creation.
    • Permission Template: Defaults to Do not use. You can also select a default or a custom template. For details, see Permissions Templates.

  4. Click OK.
  5. Associate the created permissions policy with the cluster group by clicking in the cluster group card view on the Container Clusters page.

    Figure 8 Associating a permissions policy with a cluster group

  6. Select the permissions policy created in step 3.

    Figure 9 Associating a policy

  7. Click OK. The IAM user can now log in to the UCS console to use the functions allowed by the permissions policies.
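The design in Table 1 and the policy naming rule in Step 2 are easy to get wrong once policies are recreated or cluster groups are re-associated, so the following added example (not UCS or Huawei Cloud code) models the intended design and audits a set of configured policies against it: it checks the naming rule, enforces that each user group is bound to a single policy (the User Group field is fixed after creation), and reports any missing or extra cluster-group associations so that a read-only group never silently gains admin rights. All policy names and user-group identifiers are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed model of the permission design in Table 1; the policy names and
# user-group identifiers below are hypothetical, not values from UCS.

# Policy name rule from Step 2: starts with a lowercase letter, contains only
# lowercase letters, digits and hyphens, and does not end with a hyphen.
POLICY_NAME_RE = re.compile(r"^[a-z](?:[a-z0-9-]*[a-z0-9])?$")


def valid_policy_name(name: str) -> bool:
    """True if name satisfies the UCS permissions-policy naming rule."""
    return POLICY_NAME_RE.fullmatch(name) is not None


@dataclass(frozen=True)
class Policy:
    name: str                  # UCS permissions policy name
    user_group: str            # IAM user group bound at creation (not editable later)
    template: str              # "admin" or "readonly" permission template
    cluster_groups: frozenset  # cluster groups the policy is associated with


@dataclass(frozen=True)
class TeamDesign:
    team: str
    admin_group: str           # user group that should hold the admin template
    readonly_group: str        # user group that should hold the read-only template
    admin_clusters: frozenset
    readonly_clusters: frozenset


def audit(policies, designs):
    """Compare configured policies with the intended design.

    Returns a list of findings; an empty list means the configuration
    matches the design with no missing or excess access.
    """
    findings = []
    by_group = {}
    for p in policies:
        if not valid_policy_name(p.name):
            findings.append(f"policy {p.name!r}: name violates the naming rule")
        if p.user_group in by_group:
            findings.append(f"user group {p.user_group}: bound to more than one policy")
        by_group[p.user_group] = p

    for d in designs:
        for level, group, wanted in (
            ("admin", d.admin_group, d.admin_clusters),
            ("readonly", d.readonly_group, d.readonly_clusters),
        ):
            p = by_group.get(group)
            if p is None:
                findings.append(f"{d.team}: user group {group} has no policy")
                continue
            if p.template != level:
                findings.append(f"{d.team}: user group {group} holds {p.template}, expected {level}")
            missing = wanted - p.cluster_groups
            extra = p.cluster_groups - wanted
            if missing:
                findings.append(f"{d.team}: user group {group} lacks cluster groups {sorted(missing)}")
            if extra:
                findings.append(f"{d.team}: user group {group} is over-privileged on cluster groups {sorted(extra)}")
    return findings


# Constructed data reproducing Table 1 (identifiers are hypothetical).
TABLE1_DESIGNS = [
    TeamDesign("Team A", "user-group-1", "user-group-2", frozenset({1, 2}), frozenset({3})),
    TeamDesign("Team B", "user-group-3", "user-group-4", frozenset({1, 3}), frozenset({2})),
]

TABLE1_POLICIES = [
    Policy("team-a-admin", "user-group-1", "admin", frozenset({1, 2})),
    Policy("team-a-readonly", "user-group-2", "readonly", frozenset({3})),
    Policy("team-b-admin", "user-group-3", "admin", frozenset({1, 3})),
    Policy("team-b-readonly", "user-group-4", "readonly", frozenset({2})),
]

# A drifted configuration: policy 4 was recreated with a bad name, the admin
# template and an extra cluster group, giving Team B's read-only group admin
# rights on the CCE clusters.
DRIFTED_POLICIES = TABLE1_POLICIES[:3] + [
    Policy("Team-B-readonly-", "user-group-4", "admin", frozenset({1, 2})),
]

if __name__ == "__main__":
    print(audit(TABLE1_POLICIES, TABLE1_DESIGNS))  # expected: []
    for finding in audit(DRIFTED_POLICIES, TABLE1_DESIGNS):
        print(finding)
```

Running the block prints an empty list for the Table 1 configuration and three findings for the drifted one (bad name, wrong template on the read-only group, and an extra cluster group). The same audit can be re-run whenever a policy is recreated, since the user group binding cannot be changed in place and a recreated policy is where drift tends to creep in.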