Why Can't an IAM User Obtain Clusters or Cluster Groups After Logging In to UCS?
Description
An IAM user logs in to the UCS console and finds the Container Clusters page empty: no cluster or cluster group is displayed.
Troubleshooting
Check whether the IAM user has been granted the required permission policies. Managing CCE clusters requires IAM policies, while managing third-party clusters and cluster groups requires UCS policies, as listed in Table 1.
Function | Permission | Dependent IAM Role | Description | Type
---|---|---|---|---
Container Clusters > Cluster Groups | Administrator permissions | Users in the IAM admin user group | Manages cluster groups, such as creation, deletion, and permission policy association. | -
Container Clusters > Cluster Groups | Operation permissions | Users in an IAM user group associated with the cluster group's permission policies | The permission policies allow operations on the resources in a container cluster. After policy association, users in the user group can read the clusters in the cluster group and add or remove clusters. NOTE: A VPC Endpoint is required if you connect a cluster to UCS through a private network, so the user group must also have the IAM permission VPCEndpoint Administrator. | UCS permission policy
Container Cluster - CCE Clusters | Administrator permissions | CCE Administrator | Read and write permissions for CCE clusters and all resources in the clusters (including workloads, nodes, jobs, and Services). | IAM system-defined role
Container Cluster - CCE Clusters | Operation permissions | CCE FullAccess | Common operation permissions on CCE cluster resources, excluding namespace-level permissions in clusters with Kubernetes RBAC enabled and privileged administrator operations such as agency configuration and cluster certificate generation. For these operation permissions you must also configure cluster RBAC authorization; for details, see Namespace Permissions (Kubernetes RBAC-based). | IAM system-defined policy
Container Cluster - CCE Clusters | Read-only permissions | CCE ReadOnlyAccess | Permissions to view CCE cluster resources, excluding namespace-level permissions in clusters with Kubernetes RBAC enabled. For read-only permissions you must also configure cluster RBAC authorization; for details, see Namespace Permissions (Kubernetes RBAC-based). | IAM system-defined policy
Container Cluster - Third-Party Clusters (details available in Table 1) | Administrator permissions | Admin Permission Template | Granted to the user group on the Permissions Policies page of the UCS console; the user group must also hold at least one IAM permission. Read and write permissions on all resources, including cluster permission management. | UCS permission policy
Container Cluster - Third-Party Clusters | Operation permissions | Developer Permission Template | Granted to the user group on the Permissions Policies page of the UCS console; the user group must also hold at least one IAM permission. Read and write permissions on all resources except cluster permission management. | UCS permission policy
Container Cluster - Third-Party Clusters | Read-only permissions | ReadOnly Permission Template | Granted to the user group on the Permissions Policies page of the UCS console; the user group must also hold at least one IAM permission. Read-only permissions on all resources. | UCS permission policy
IAM users often fail to obtain data about their clusters because permissions are configured incorrectly. Managing CCE clusters and third-party clusters together in UCS requires all three layers: IAM policies, UCS permission policies, and the association of those policies with the cluster group.
If you manage only third-party clusters, you need only UCS permission policies and their association with the cluster group.
Check the following items in order:
Prerequisites
The checks below must be performed by the Huawei Cloud account administrator or by a user in the IAM admin user group; contact one of them if you are not.
Check Item 1: IAM Permissions
For CCE clusters, if the IAM user is not in any user group, or the user group has no CCE permissions, the UCS console cannot obtain data about CCE clusters.
If you manage only third-party clusters, no IAM permission policy is required. This exemption does not apply to hybrid management of CCE clusters and third-party clusters, which still needs IAM permissions.
For details about how to grant permissions to a user group, see User Groups.
Users with different IAM permissions get different namespace permissions (assigned using Kubernetes RBAC):
- CCE Administrator: administrator permissions. Users with this role can operate on all resources without configuring cluster RBAC. A user who already has the Tenant Administrator role has administrator permissions for all cloud services, including CCE but excluding IAM.
- CCE FullAccess or CCE ReadOnlyAccess: cluster operation or read-only permissions configured in IAM. You must also configure RBAC for the cluster in the CCE console; for details, see Namespace Permissions (Kubernetes RBAC-based). The IAM policy alone does not grant access to namespace-level resources.
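The following is an added example, not code from Huawei Cloud or the UCS documentation. It is a small Python model of how Kubernetes RBAC decides a namespaced request, in the spirit of `kubectl auth can-i`, and it shows why an IAM user who holds CCE FullAccess or CCE ReadOnlyAccess still sees nothing inside a namespace until a RoleBinding or ClusterRoleBinding names that user. The subject `dev-user`, the namespaces `team-a` and `team-b`, and the role and binding manifests are constructed for the example and do not come from a real cluster; in CCE the console creates the equivalent bindings when you configure namespace permissions. The model deliberately ignores resourceNames, nonResourceURLs, subresources and aggregated ClusterRoles.

```python
"""Toy evaluator of Kubernetes RBAC namespace permissions (added example).

Assumptions (illustrative, not from a real cluster): subject "dev-user",
namespaces "team-a" and "team-b", and the role/binding objects below.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One entry of a Role's `rules` list. "*" matches anything."""
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]

    def allows(self, api_group: str, resource: str, verb: str) -> bool:
        def match(values, want):
            return "*" in values or want in values
        return (match(self.api_groups, api_group)
                and match(self.resources, resource)
                and match(self.verbs, verb))


@dataclass(frozen=True)
class Role:
    name: str
    namespace: Optional[str]          # None means this is a ClusterRole
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Binding:
    role_ref: str                     # roleRef.name
    ref_is_cluster_role: bool         # roleRef.kind == "ClusterRole"
    namespace: Optional[str]          # None means this is a ClusterRoleBinding
    subjects: Tuple[Tuple[str, str], ...]   # (kind, name) pairs


def can_i(subject, verb, resource, namespace, roles, bindings, api_group=""):
    """Mirror `kubectl auth can-i <verb> <resource> -n <namespace>`.

    A RoleBinding grants only inside its own namespace; a ClusterRoleBinding
    grants in every namespace. Either may reference a ClusterRole; a Role can
    only be referenced by a RoleBinding in the same namespace.
    """
    by_key = {(r.namespace, r.name): r for r in roles}
    for b in bindings:
        if subject not in b.subjects:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue                                   # wrong namespace
        key = (None, b.role_ref) if b.ref_is_cluster_role else (b.namespace, b.role_ref)
        role = by_key.get(key)
        if role is None:
            continue                                   # dangling roleRef grants nothing
        if any(rule.allows(api_group, resource, verb) for rule in role.rules):
            return True
    return False


# Constructed ClusterRoles resembling the built-in "view" and "edit" roles.
VIEW = Role("view", None, (
    Rule(("",), ("pods", "services", "configmaps"), ("get", "list", "watch")),
    Rule(("apps",), ("deployments",), ("get", "list", "watch")),
))
EDIT = Role("edit", None, (
    Rule(("", "apps"), ("*",), ("get", "list", "watch", "create", "update", "patch", "delete")),
))
ROLES = (VIEW, EDIT)
DEV = ("User", "dev-user")

# Stage 1: IAM grants CCE FullAccess/ReadOnlyAccess, but no namespace RBAC exists yet.
NO_RBAC = ()
# Stage 2a: read-only namespace permission on team-a (RoleBinding -> ClusterRole "view").
READONLY_RBAC = (Binding("view", True, "team-a", (DEV,)),)
# Stage 2b: operation permission on team-a (RoleBinding -> ClusterRole "edit").
TEAM_A_RBAC = (Binding("edit", True, "team-a", (DEV,)),)


def namespace_access(bindings):
    """Return (list pods in team-a, delete deployments in team-a, list pods in team-b)."""
    return (
        can_i(DEV, "list", "pods", "team-a", ROLES, bindings),
        can_i(DEV, "delete", "deployments", "team-a", ROLES, bindings, api_group="apps"),
        can_i(DEV, "list", "pods", "team-b", ROLES, bindings),
    )


if __name__ == "__main__":
    print("IAM only, no RBAC :", namespace_access(NO_RBAC))         # (False, False, False)
    print("read-only on team-a:", namespace_access(READONLY_RBAC))  # (True, False, False)
    print("edit on team-a     :", namespace_access(TEAM_A_RBAC))    # (True, True, False)
```

The three results line up with the table above: the IAM policy opens the door to the cluster, but what the user can list or change in each namespace is decided entirely by the RBAC bindings, and a binding scoped to `team-a` says nothing about `team-b`.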
Check Item 2: Permissions Policies
Log in to the UCS console. On the Permissions Policies page, create a permission policy and associate a user group with it.
This setting takes effect only for non-CCE clusters. For details, see How Do I Configure Operation Permissions for Cluster Resources?
For CCE cluster resources, set IAM permissions and cluster RBAC as described in Check Item 1: IAM Permissions.
Check Item 3: Permissions Policies Associated with the Cluster Group
The created permission policy must also be associated with the cluster group. Otherwise, the UCS console does not display data about the cluster group.
- Log in to the UCS console. In the navigation pane, choose Container Clusters.
- In the card view of the target cluster group, click the icon in the upper right corner of the card (Figure 1: Associating a permission policy with a cluster group).
- Select one or more existing permission policies for the cluster group (Figure 2: Associating policies).
- Click OK.