Using IAM Roles or Policies to Grant Permissions to Use Huawei Cloud Astro Zero
Identity and Access Management (IAM) provides role/policy-based authorization with system-defined permissions that let you control access to Huawei Cloud Astro Zero. With IAM, you can:
- Create IAM users for employees. Each IAM user then has its own security credential for accessing Huawei Cloud Astro Zero resources, instead of sharing the account's credentials.
- Grant only the permissions a user needs to perform a specific task (least privilege).
- Entrust another Huawei Cloud account or a cloud service to perform O&M on your Huawei Cloud Astro Zero resources on your behalf.
If your Huawei Cloud account does not require individual IAM users, you may skip this section.
Figure 1 shows the process flow of role/policy-based authorization.
Prerequisites
You have learned about the permissions supported by Huawei Cloud Astro Zero. For details, see Role/Policy-based Authorization. If you want to grant permissions for services other than Huawei Cloud Astro Zero, see System-defined Permissions.
Process Flow
- Create a user group and assign permissions.
Create a user group on the IAM console and grant the Astro Zero Instance ManageAccess permission to the group.
- Create IAM users and add them to the group.
On the IAM console, create a user and add it to the user group created in the previous step. Permissions are inherited from the group; do not attach policies to the user directly.
- Log in and verify permissions.
In the authorized region, perform the following operations:
- In the service list, select Huawei Cloud Astro Zero. On the Huawei Cloud Astro Zero console, click Buy Huawei Cloud Astro Zero in the upper right corner. If purchase is successful, the Astro Zero Instance ManageAccess policy has taken effect.
- Choose another service from the service list. If a message appears indicating that you have insufficient permissions to access the service, the group has been granted only Astro Zero Instance ManageAccess, as intended, and nothing broader.
Example Custom Policies for Huawei Cloud Astro Zero
Custom policies can be created as a supplement to the system policies of Huawei Cloud Astro Zero. Add actions in custom policies as needed. For details about supported actions, see Actions Supported by Policy-based Authorization.
To create a custom policy, choose either visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Policy. The following are example custom policies created for Huawei Cloud Astro Zero.
- Example 1: Allow users to view information about Huawei Cloud Astro Zero instances.
  {
      "Version": "3.0",
      "Statement": [
          {
              "Action": [
                  "astrozero:instance:get"
              ],
              "Effect": "Allow"
          }
      ]
  }
- Example 2: Deny the deletion of a Huawei Cloud Astro Zero instance.
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
Use this approach when a user needs the Astro Zero Instance ManageAccess permissions but must not be able to delete instances: create a custom policy that denies instance deletion and attach both policies to the user's group. The user can then perform every Huawei Cloud Astro Zero operation except deleting instances, regardless of the order in which the policies were attached. The following is an example of a deny policy:
  {
      "Version": "3.0",
      "Statement": [
          {
              "Action": [
                  "astrozero:instance:delete"
              ],
              "Effect": "Deny"
          }
      ]
  }
- Example 3: Create a custom policy containing multiple actions.
A custom policy can contain the actions of multiple services, provided that all of them are of the same type (global or project-level). The following is an example policy containing actions of multiple services:
  {
      "Version": "3.0",
      "Statement": [
          {
              "Action": [
                  "astrozero:instance:get",
                  "astrozero:instance:create",
                  "bss:order:pay",
                  "bss:renewal:update",
                  "bss:unsubscribe:update"
              ],
              "Effect": "Allow"
          }
      ]
  }
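The following script, added here as an illustration and not Huawei Cloud code, models how the policies in Examples 1 to 3 combine when they are attached to the same user group: it validates the structure of a policy document, then evaluates an action against every attached statement with the rule stated above (an explicit Deny overrides any Allow; an action matched by no statement is not permitted). The Astro Zero Instance ManageAccess system policy is an assumption in this script, modelled as an Allow over every astrozero action because its real action list is not on this page; the action syntax check and the wildcard handling are also assumptions, not documented IAM behaviour.

```python
"""Model of how attached IAM policies combine for a Huawei Cloud Astro Zero action.

Added example; not Huawei Cloud code. Evaluation rule modelled: a matching Deny
overrides any Allow, and an action matched by no statement is not permitted.
"""
import fnmatch
import json
import re

# The three custom policies from this page, parsed from their JSON.
VIEW_POLICY = json.loads(
    '{"Version": "3.0", "Statement": [{"Action": ["astrozero:instance:get"], '
    '"Effect": "Allow"}]}'
)
DENY_DELETE_POLICY = json.loads(
    '{"Version": "3.0", "Statement": [{"Action": ["astrozero:instance:delete"], '
    '"Effect": "Deny"}]}'
)
MULTI_SERVICE_POLICY = json.loads(
    '{"Version": "3.0", "Statement": [{"Action": ["astrozero:instance:get", '
    '"astrozero:instance:create", "bss:order:pay", "bss:renewal:update", '
    '"bss:unsubscribe:update"], "Effect": "Allow"}]}'
)

# Assumption: Astro Zero Instance ManageAccess is modelled as an Allow over every
# astrozero action. The real system policy's action list is not on this page.
MANAGE_ACCESS_MODEL = {
    "Version": "3.0",
    "Statement": [{"Action": ["astrozero:*:*"], "Effect": "Allow"}],
}

# Assumed action syntax: service:resource:operation, "*" allowed in the last two fields.
ACTION_RE = re.compile(r"^[a-z0-9]+:[a-z0-9*]+:[a-z0-9*]+$")


def validate_policy(policy):
    """Return a list of problems found in a policy document (empty when well-formed)."""
    problems = []
    if policy.get("Version") != "3.0":
        problems.append('Version must be "3.0"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement {i}: Effect must be Allow or Deny")
        actions = stmt.get("Action")
        if not isinstance(actions, list) or not actions:
            problems.append(f"Statement {i}: Action must be a non-empty list")
            continue
        for action in actions:
            if not isinstance(action, str) or not ACTION_RE.match(action):
                problems.append(f"Statement {i}: malformed action {action!r}")
    return problems


def decide(policies, action):
    """Return "Deny", "Allow" or "NoMatch" for one action across all attached policies.

    Every statement of every policy is examined. A matching Deny wins even if an
    Allow was seen earlier or would appear later, so attachment order is irrelevant.
    """
    decision = "NoMatch"
    for policy in policies:
        for stmt in policy["Statement"]:
            for pattern in stmt["Action"]:
                if fnmatch.fnmatchcase(action, pattern):
                    if stmt["Effect"] == "Deny":
                        return "Deny"
                    decision = "Allow"
    return decision


def is_allowed(policies, action):
    """True only on an explicit Allow with no overriding Deny."""
    return decide(policies, action) == "Allow"


def effective_permissions(policies, actions):
    """Map each candidate action to its decision, e.g. to review a group's net rights."""
    return {action: decide(policies, action) for action in actions}


if __name__ == "__main__":
    for policy in (VIEW_POLICY, DENY_DELETE_POLICY, MULTI_SERVICE_POLICY):
        assert not validate_policy(policy)
    # The Example 2 setup: full management rights plus the deny on deletion.
    group_policies = [MANAGE_ACCESS_MODEL, DENY_DELETE_POLICY]
    candidates = ["astrozero:instance:get", "astrozero:instance:create",
                  "astrozero:instance:delete", "bss:order:pay"]
    for action, result in effective_permissions(group_policies, candidates).items():
        print(f"{action:28} {result}")
```

Running the script prints the net decision for each candidate action of the Example 2 setup: the get and create actions are allowed, delete is denied, and the bss action is unmatched (and therefore not permitted) because only astrozero actions were granted. Evaluating a deny-only policy on its own shows why the page says it must be combined with other policies: it never yields an Allow.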