Using IAM Identity Policies to Grant Permissions to Use Huawei Cloud Astro Zero
System-defined permissions in identity policy-based authorization provided by IAM let you control access to Huawei Cloud Astro Zero. With IAM, you can:
- Create users or user groups for employees. In this way, each IAM user has a unique security credential to use Huawei Cloud Astro Zero resources.
- Grant only the permissions required for users or user groups to perform a specific task.
- Entrust a Huawei account or cloud service to perform efficient O&M on your Huawei Cloud Astro Zero resources.
If your Huawei Cloud account meets your permissions requirements, you can skip this section.
Figure 1 shows the process flow of identity policy-based authorization.
Prerequisites
Before granting permissions, familiarize yourself with the system-defined permissions in the system-defined identity policies described in Identity Policy-based Authorization for Huawei Cloud Astro Zero. If you want to grant permissions for services other than Huawei Cloud Astro Zero, see System-defined Permissions.
Process Flow
- Create an IAM user or create a user group.
  Log in to the IAM console and create a user or user group.
- Attach a system-defined identity policy to the user or user group.
  Attach the system-defined identity policy AstroZeroFullAccessPolicy to the user or user group.
- Log in as the IAM user and verify permissions.
  In the authorized region, perform the following operations:
  - In the service list, select Huawei Cloud Astro Zero. On the Huawei Cloud Astro Zero console, click Buy Huawei Cloud Astro Zero in the upper right corner. If the purchase is successful, the AstroZeroFullAccessPolicy policy has taken effect.
  - Choose another service from the service list. If a message appears indicating that you have insufficient permissions to access the service, the AstroZeroFullAccessPolicy policy has taken effect.
Example Custom Identity Policies for Huawei Cloud Astro Zero
You can create custom identity policies to supplement system-defined identity policies. For details about the actions supported by custom identity policies, see Actions Supported by Identity Policy-based Authorization.
To create a custom identity policy, use either the visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Identity Policy and Attaching It to a Principal.
When creating a custom identity policy, use the Resource element to specify the resources the identity policy applies to and use the Condition element (service-specific condition keys) to control when the identity policy is in effect. For details about the supported resource types and condition keys, see Actions Supported by Identity-based Authorization. The following are example custom identity policies created for Huawei Cloud Astro Zero.
- Example 1: Allow users to view information about Huawei Cloud Astro Zero instances.
    {
        "Version": "5.0",
        "Statement": [
            {
                "Action": [
                    "astrozero:instances:get"
                ],
                "Effect": "Allow"
            }
        ]
    }

- Example 2: Create a custom identity policy containing multiple actions.
A custom identity policy can contain the actions of one or multiple services. The following is an example policy containing actions of multiple services:
    {
        "Version": "5.0",
        "Statement": [
            {
                "Action": [
                    "astrozero:instances:create",
                    "astrozero:instances:get",
                    "astrozero:instances:delete",
                    "astrozero:instances:resize",
                    "astrozero:instances:update",
                    "billing:order:pay",
                    "billing:subscription:renew",
                    "billing:subscription:unsubscribe"
                ],
                "Effect": "Allow"
            }
        ]
    }
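The following review script is an added example, not part of the Huawei Cloud documentation or tooling. It audits a custom identity policy in the JSON shape shown above before the policy is attached: it lists actions that change state, actions outside the services the reviewer expects, and Allow statements with no Resource or Condition element. The function name `audit_policy`, the `expected_services` parameter, and the rule that only `get` and `list` operations count as read-only are assumptions of this example.

```python
import json

# Example 2 from this page, embedded so the script runs offline.
EXAMPLE_2 = json.loads("""
{"Version": "5.0", "Statement": [{"Action": [
  "astrozero:instances:create", "astrozero:instances:get",
  "astrozero:instances:delete", "astrozero:instances:resize",
  "astrozero:instances:update", "billing:order:pay",
  "billing:subscription:renew", "billing:subscription:unsubscribe"],
  "Effect": "Allow"}]}
""")

# Assumption of this example: operations named get/list are read-only.
READ_ONLY_OPS = {"get", "list"}


def audit_policy(policy, expected_services=("astrozero",)):
    """Return (statement_index, finding) tuples for Allow statements."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # tolerate a single action given as a string
            actions = [actions]
        for action in actions:
            parts = action.split(":")
            if len(parts) != 3:  # page examples use service:resource-type:operation
                findings.append((idx, f"malformed action: {action}"))
                continue
            service, _resource_type, op = parts
            if "*" in action:  # flagged whenever a wildcard is present
                findings.append((idx, f"wildcard action: {action}"))
            elif op not in READ_ONLY_OPS:
                findings.append((idx, f"mutating action: {action}"))
            if service not in expected_services:
                findings.append((idx, f"unexpected service: {action}"))
        for element in ("Resource", "Condition"):
            if element not in stmt:
                findings.append((idx, f"no {element} element to narrow the grant"))
    return findings


if __name__ == "__main__":
    for idx, finding in audit_policy(EXAMPLE_2):
        print(f"Statement[{idx}]: {finding}")
```

Pass `expected_services=("astrozero", "billing")` when the billing actions are intended, so that only the state-changing actions and the missing Resource and Condition elements remain to review.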