Help Center/ Cloud Service Engine/ User Guide/ Using IAM to Grant Access to CSE/ Using IAM Roles or Policies to Grant Access to CSE
Updated on 2026-01-15 GMT+08:00
View PDF
Share

Using IAM Roles or Policies to Grant Access to CSE

CSE Permissions provided by IAM let you control access to CSE. With IAM, you can:

  • Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing CSE resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust a Huawei Cloud account or a cloud service to perform professional and efficient O&M on your CSE resources.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of role/policy-based authorization.

Prerequisites

Before granting permissions to user groups, learn about system-defined permissions in Role/Policy-Based Authorization for CSE. To grant permissions for other services, learn about all CSE Permissions supported by IAM.

Process Flow

Figure 1 Process of granting CSE permissions using role/policy-based authorization
  1. On the IAM console, create a user group and grant it permissions.

    Create a user group on the IAM console and grant the CSE ReadOnlyAccess permission to CSE.

  2. Create an IAM user and add it to the created user group.

    On the IAM console, create a user and add it to the user group created in 1.

  3. Log in as the IAM user and verify permissions.

    In the authorized region, perform the following operations:

    • Choose Service List > Cloud Service Engine. Then choose ServiceComb > Buy Exclusive Microservice Engine on the console. If a message appears indicating that you have insufficient permissions to perform the operation, the CSE ReadOnlyAccess policy is in effect.
    • Choose any other service in Service List. If a message is displayed indicating insufficient permissions to access the service, the CSE ReadOnlyAccess policy is in effect.

Example Custom Policies

Custom policies can be created as a supplement to the system policies of CSE. Add actions in custom policies as needed. For details about supported actions, see Actions Supported by Policy-based Authorization.

To create a custom policy, choose either visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following lists examples of common ECS custom policies.

This procedure creates a policy that an IAM user is prohibited to create and delete a microservice engine. 
{
        "Version": "1.1",
        "Statement": [
                {
                        "Action": [
                                "cse:*:*"
                        ],
                        "Effect": "Allow"
                },
                {
                        "Action": [
                                "cse:engine:create",
                                "cse:engine:delete"
                        ],
                        "Effect": "Deny"
                }
        ]
}

A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

You can verify your granted permissions using the console or REST APIs.

The following uses the custom policy as an example to describe how to verify that a user is not allowed to create microservice engines on the console.

  1. Log in to Huawei Cloud as an IAM user.
    • Tenant name: Name of the account used to create the IAM user
    • IAM username and IAM user password: Username and password specified during IAM user creation using the Tenant name
  2. Create a microservice engine on the CSE console. If error 403 is returned, the permissions are correct and are in effect.