Updated on 2022-11-07 GMT+08:00

Why Can't an IAM User Obtain Clusters or Cluster Groups After Logging In to UCS?

Description

An IAM user logs in to the UCS console and finds the Container Clusters page empty, with no cluster or cluster group displayed.

Troubleshooting

Check whether the IAM user has been granted the required permission policies. Managing CCE clusters requires IAM policies, while managing third-party clusters and cluster groups requires UCS policies, as listed in Table 1.

Table 1 Cluster permissions

Function: Container Clusters > Cluster Groups
  Permission: Administrator permissions
  Dependent IAM Role: Users in the IAM admin user group
  Description: Manages cluster groups, such as creation, deletion, and permission policy association.
  Type: -

Function: Container Clusters > Cluster Groups
  Permission: Operation permissions
  Dependent IAM Role: Users of the IAM admin user group associated with the cluster group permission policies
  Description: The permission policies allow operations on the resources in a container cluster. After policy association, users in the user group can read clusters in the cluster group and add or remove clusters.
    NOTE: VPC Endpoint is required if you connect a cluster to UCS through a private network. Therefore, the user group must have the IAM permission VPCEndpoint Administrator.
  Type: UCS permission policy

Function: Container Cluster - CCE Clusters
  Permission: Administrator permissions
  Dependent IAM Role: CCE Administrator
  Description: Read and write permissions for CCE clusters and all resources (including workloads, nodes, jobs, and Services) in the clusters.
  Type: IAM system-defined role

Function: Container Cluster - CCE Clusters
  Permission: Operation permissions
  Dependent IAM Role: CCE FullAccess
  Description: Common operation permissions on CCE cluster resources, excluding the namespace-level permissions for the clusters (with Kubernetes RBAC enabled) and the privileged administrator operations, such as agency configuration and cluster certificate generation.
    For common operation permissions, you also need to configure cluster RBAC authorization. For details, see Namespace Permissions (Kubernetes RBAC-based).
  Type: IAM system-defined policy

Function: Container Cluster - CCE Clusters
  Permission: Read-only permissions
  Dependent IAM Role: CCE ReadOnlyAccess
  Description: Permissions to view CCE cluster resources, excluding the namespace-level permissions of the clusters (with Kubernetes RBAC enabled).
    For the read-only permission, you also need to configure RBAC authorization for the cluster. For details, see Namespace Permissions (Kubernetes RBAC-based).
  Type: IAM system-defined policy

Function: Container Cluster - Third-Party Clusters (details available in Table 1)
  Permission: Administrator permissions
  Dependent IAM Role: Admin Permission Template. You need to grant permissions to the user group on the Permissions Policies page of the UCS console, and the user group must have any IAM permissions.
  Description: Read and write permissions on all resources, including cluster permission management.
  Type: UCS permission policy

Function: Container Cluster - Third-Party Clusters
  Permission: Operation permissions
  Dependent IAM Role: Developer Permission Template. You need to grant permissions to the user group on the Permissions Policies page of the UCS console, and the user group must have any IAM permissions.
  Description: Read and write permissions on resources except cluster permission management.
  Type: UCS permission policy

Function: Container Cluster - Third-Party Clusters
  Permission: Read-only permissions
  Dependent IAM Role: ReadOnly Permission Template. You need to grant permissions to the user group on the Permissions Policies page of the UCS console, and the user group must have any IAM permissions.
  Description: Read-only permissions on all resources.
  Type: UCS permission policy

IAM users often fail to obtain data about their clusters because of incorrect permission settings. To manage both CCE clusters and third-party clusters in UCS at the same time, IAM policies, UCS permission policies, and cluster group policy associations are all required.

If you manage only third-party clusters, you need to configure UCS permission policies and cluster group policy associations.

Therefore, check the following items:

Prerequisites

Contact the Huawei Cloud account administrator or a user in the IAM admin user group to check.

Check Item 1: IAM Permissions

For CCE clusters, if an IAM user is not added to any user group, or the user group does not have CCE permissions, the UCS console cannot obtain data about CCE clusters.

If only third-party clusters are managed, no IAM permission policy is required. This does not apply to hybrid management of both CCE clusters and third-party clusters.

For details about how to grant permissions to a user group, see User Groups.

Users with different IAM permissions have different namespace permissions (assigned using Kubernetes RBAC).

  • CCE Administrator: administrator permissions. Users with this role can perform operations on all resources without configuring the cluster RBAC. If a user already has the Tenant Administrator role, the user can have the administrator permissions for all cloud services, including CCE but excluding IAM.
  • CCE FullAccess or CCE ReadOnlyAccess: cluster operation/read-only permissions configured in IAM. You also need to configure RBAC for the cluster in the CCE console. For details, see Namespace Permissions (Kubernetes RBAC-based).

Check Item 2: Permissions Policies

Log in to the UCS console. On the Permissions Policies page, create a permission policy, and associate a user group with the policy.

This setting takes effect only for non-CCE clusters. For details, see How Do I Configure Operation Permissions for Cluster Resources?

See Check Item 1: IAM Permissions to set IAM permissions and cluster RBAC for cluster resources.

Check Item 3: Permissions Policies Associated with the Cluster Group

The created permission policy must be associated with the cluster group. Otherwise, the UCS console will not display data about the cluster group.

  1. Log in to the UCS console. In the navigation pane, choose Container Clusters.
  2. In the card view of the target cluster group, click in the upper right corner.

    Figure 1 Associating a permission policy with a cluster group

  3. Select one or multiple existing permission policies for the cluster group.

    Figure 2 Associating policies

  4. Click OK.
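The three check items above can be run as a single triage pass over what the administrator finds for the IAM user. The following is an added illustration of that logic, not a UCS tool or API; `UserAccess`, `diagnose` and the sample inputs are constructed for this example.

```python
"""Triage helper modelling Check Items 1-3 of this FAQ (added example, not UCS code)."""
from dataclasses import dataclass

CCE_ROLES = {"CCE Administrator", "CCE FullAccess", "CCE ReadOnlyAccess"}
# FullAccess/ReadOnlyAccess additionally require cluster RBAC (namespace permissions).
RBAC_ROLES = {"CCE FullAccess", "CCE ReadOnlyAccess"}


@dataclass
class UserAccess:
    """Constructed snapshot of an IAM user's effective settings (hypothetical names)."""
    iam_roles: set            # IAM roles/policies of the user's groups (Check Item 1)
    ucs_policies: set         # UCS permission policies associated with the user group (Check Item 2)
    group_policies: dict      # cluster group -> set of policies associated with it (Check Item 3)
    manages_cce: bool         # CCE clusters are expected to appear
    manages_third_party: bool  # third-party clusters / cluster groups are expected to appear
    private_network: bool = False        # cluster connected to UCS over a private network
    cluster_rbac_configured: bool = False  # RBAC configured in the CCE console


def diagnose(u: UserAccess) -> list:
    """Return the check items that fail, in the order the FAQ lists them."""
    findings = []
    # Check Item 1: IAM permissions matter whenever CCE clusters are involved.
    if u.manages_cce:
        cce = u.iam_roles & CCE_ROLES
        if not cce and "Tenant Administrator" not in u.iam_roles:
            findings.append("Check Item 1: no CCE role in IAM; CCE clusters will not be listed")
        elif cce and cce <= RBAC_ROLES and not u.cluster_rbac_configured:
            findings.append("Check Item 1: CCE FullAccess/ReadOnlyAccess also needs cluster RBAC")
    if u.private_network and "VPCEndpoint Administrator" not in u.iam_roles:
        findings.append("Check Item 1: private-network connection requires VPCEndpoint Administrator")
    # Check Item 2: UCS permission policies cover third-party clusters and cluster groups.
    if u.manages_third_party and not u.ucs_policies:
        findings.append("Check Item 2: no UCS permission policy associated with the user group")
    # Check Item 3: each cluster group must be associated with a policy the user group holds.
    for group, policies in u.group_policies.items():
        if not (policies & u.ucs_policies):
            findings.append(f"Check Item 3: cluster group '{group}' is not associated with the user group's policy")
    return findings
```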
