Help Center/ Data Replication Service/ Preparations/ Using IAM to Grant Access to DRS/ Using IAM Identity Policies to Grant Access to DRS
Updated on 2025-12-18 GMT+08:00

Using IAM Identity Policies to Grant Access to DRS

System-defined permissions in Identity Policy-based Authorization provided by Identity and Access Management (IAM) let you control access to DRS. With IAM, you can:

  • Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing DRS resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust a Huawei Cloud account or a cloud service to perform efficient O&M on your DRS resources.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of identity policy-based authorization.

Prerequisites

Before granting permissions, learn about system-defined permissions in Identity Policy-based Authorization for DRS. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process of granting DRS permissions using identity policy-based authorization
  1. On the IAM console, create an IAM user or create a user group.
  2. Attach a system-defined identity policy (DRSAdministratorPolicy as an example) to the user or user group.

    Assign the permissions defined in the system-defined identity policy DRSAdministratorPolicy to the user or group, or attach the system-defined identity policy to it.

  3. Log in as the IAM user and verify permissions.

    In the authorized region, perform the following operations:

    Choose Service List > Data Replication Service. Then click Create Migration Task on the DRS console. If a migration task (assume that there is only the DRSAdministratorPolicy permission) is created, the DRSAdministratorPolicy policy is in effect.

Example Custom Identity Policies

You can create custom identity policies to supplement the system-defined identity policies of DRS. For details about actions supported in custom identity policies, see Data Replication Service API Reference > "Permissions Policies and Supported Actions" > "Actions Supported by Identity Policy-based Authorization".

To create a custom identity policy, choose either visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy grammar.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Identity Policy and Attaching It to a Principal.

The following lists examples of common DRS custom identity policies.

  • Example 1: Grant permission to create DRS instances.
    {
    	"Version": "5.0",
    	"Statement": [{
                    "Action": ["drs:migrationJob:create"],
    		"Effect": "Allow"
    	}]
    }
  • Example 2: Grant permission to deny DRS instance deletion.

    A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    Assume that you want to grant the permissions of the DRS FullAccess policy to a user but want to prevent them from deleting DRS instances. You can create a custom policy for denying DRS instance deletion, and attach this policy together with the DRS FullAccess policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on DRS instances excepting deleting them. Example policy denying DRS instance deletion:

    {
    	"Version": "5.0",
    	"Statement": [{
    		"Action": ["drs:migrationJob:delete"],
    		"Effect": "Deny"
    	}]
    }