Updated on 2025-11-21 GMT+08:00

Using IAM Identity Policies to Grant Access to CBH

If you need to manage the permissions for your CBH resources, you can use Identity and Access Management (IAM). With IAM, you can:

  • Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing CBH resources.
  • Grant only the permissions required for users to perform a task.
  • Entrust an account or cloud service to perform professional and efficient O&M on your CBH resources.

If your account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of identity policy-based authorization.

Prerequisites

Before granting permissions, learn about the CBH permissions and select them as required. For details about the system-defined identity policies supported by CBH, see . For details about the permissions of other services, see Permissions Management.

Authorization Process

Figure 1 Process for granting permissions
  1. On the IAM console, create an IAM user or create a user group.

    Create a user or user group on the IAM console.

  2. Attach a system-defined identity policy to the user or user group.

    Assign the system-defined identity policy CBHReadOnlyPolicy to the user or user group.

  3. Log in as the IAM user and verify permissions.

    Log in to the console as an authorized user and verify the permissions.

    • Hover over Service List and choose Cloud Bastion Host. On the CBH console, click Buy CBH Instance in the upper right corner. If the instance cannot be purchased (assuming the user has been assigned only CBHReadOnlyPolicy), the CBHReadOnlyPolicy policy is in effect.
    • Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the CBHReadOnlyPolicy policy is in effect.

Example Custom Identity Policies for CBH

You can create custom identity policies to supplement the system-defined identity policies of CBH. For details about actions supported in custom identity policies, see .

You can create custom identity policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Identity Policy and Attaching It to a Principal.

When creating a custom identity policy, use the Resource element to specify the resources the policy applies to and use the Condition element (condition keys) to control when the policy is in effect. For details about the supported resource types and condition keys, see . The following lists examples of common CBH custom identity policies.

  • Example 1: Allowing users to change CBH instance specifications and upgrade the CBH instance version.

    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cbh:instance:upgradeInstance",
            "cbh:instance:alterInstance"
          ]
        }
      ]
    }

  • Example 2: Denying a user's request to restart a CBH instance

    A deny policy must be used together with other policies. If the policies assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.

    The following custom policy prevents users who have the CBHFullAccessPolicy policy from restarting a CBH instance. Attach both CBHFullAccessPolicy and this custom policy to the group the user belongs to; the user can then perform all operations on CBH except restarting a CBH instance. The following is an example of a deny policy:

    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "cbh:instance:rebootInstance"
          ]
        }
      ]
    }

  • Example 3: Creating a custom identity policy that contains multiple actions.

    A custom identity policy can contain the actions of multiple services. The following is an example policy containing actions of multiple services:

    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cbh:instance:createInstance"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "vpc:subnets:get"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:cloudServerFlavors:get"
          ]
        }
      ]
    }
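The following added example (not part of this Help Center page or of the CBH service) evaluates the deny-precedence rule from Example 2 against a set of attached identity policies: the Deny policy from Example 2 is combined with a constructed stand-in for CBHFullAccessPolicy. The stand-in's `cbh:*` wildcard and the `fnmatch`-style action matching are assumptions; the real system-defined policy's JSON is not shown on this page, and Resource and Condition elements are ignored.

```python
import fnmatch
import json

# Constructed stand-in for CBHFullAccessPolicy (assumption: it allows every cbh
# action via a wildcard); the real system-defined policy is not reproduced here.
FULL_ACCESS_STAND_IN = {
    "Version": "5.0",
    "Statement": [{"Effect": "Allow", "Action": ["cbh:*"]}],
}

# Deny policy from Example 2 on this page.
DENY_REBOOT = json.loads("""
{"Version": "5.0", "Statement": [
  {"Effect": "Deny", "Action": ["cbh:instance:rebootInstance"]}
]}
""")


def evaluate(policies, action):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one requested action.

    Mirrors the rule stated on the page: an explicit Deny in any attached
    policy beats any Allow; with no matching statement the request is
    implicitly denied. Resource/Condition elements are not evaluated.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # explicit deny is final, stop scanning
            decision = "Allow"     # keep scanning: a later Deny still wins
    return decision


def check_user_group(actions):
    """Decisions for a group holding both the full-access stand-in and the deny policy."""
    attached = [FULL_ACCESS_STAND_IN, DENY_REBOOT]
    return {a: evaluate(attached, a) for a in actions}


if __name__ == "__main__":
    for action, result in check_user_group([
        "cbh:instance:rebootInstance",
        "cbh:instance:upgradeInstance",
        "vpc:subnets:get",
    ]).items():
        print(f"{action:32} -> {result}")
```

Attaching the deny policy in either order gives the same result, which is the point of the page's precedence rule.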