Using IAM Roles or Policies to Grant Access to CSS
This section describes how to use IAM to define role/policy-based access control for your CSS resources. With IAM, you can:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user is assigned their own unique credentials for accessing CSS resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust a Huawei Cloud account or a cloud service to perform professional and efficient O&M on your CSS resources.
If your Huawei Cloud account does not need individual IAM users, then you may skip over this chapter.
Figure 1 shows the process flow of role/policy-based authorization.
Prerequisites
Before assigning permissions to a user group, you need to understand the CSS permissions. For details, see Permissions Management. To grant permissions to other services, learn about all system-defined permissions supported by IAM.
Process Flow
- Creating a User Group and Assigning Permissions
Create a user group on the IAM console, and assign the CSS ReadOnlyAccess permission to the group.
- Creating a User and Adding the User to a User Group
On the IAM console, create an IAM user and add it to the user group created in step 1.
- Log in as an IAM user and verify the permissions.
In the authorized region, perform the following operations:
- Choose Service List > Cloud Search Service. Then click Create Cluster on the CSS console. If the cluster cannot be created (assuming that the current permissions include only CSS ReadOnlyAccess), the CSS ReadOnlyAccess policy has already taken effect.
- Choose any other service from Service List. (Assume that the current policy contains only CSS ReadOnlyAccess.) If a message appears indicating insufficient permissions to access the service, the CSS ReadOnlyAccess policy has already taken effect.
CSS Custom Policy Examples
Custom policies can be created to supplement the system-defined policies of CSS. For the actions supported for custom policies, see Cloud Search Service API Reference > Permissions Policies and Supported Actions > Supported Actions.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
To be compatible with the open-source ecosystem, the IAM permissions and data plane cluster permissions of CSS are managed separately. To enhance data-plane security, you need to use the security mode.
For details, see Creating a Custom Policy. The following provides examples of custom CSS policies.
- Example 1: Authorize a user to view the cluster list.

```json
{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "css:cluster:list"
            ],
            "Effect": "Allow"
        }
    ]
}
```

- Example 2: Grant permission to deny cluster deletion.

A policy with only Deny permissions must be used in conjunction with other policies for it to take effect. If the permissions granted to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

The following method can be used if you need to assign permissions of the CSS Admin policy to a user but you want to prevent the user from deleting clusters. Create a custom policy for denying cluster deletion, and attach both policies to the group to which the user belongs. Then, the user can perform all operations on CSS except deleting clusters. The following is an example of a deny policy:

```json
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "css:cluster:delete"
            ]
        }
    ]
}
```

- Example 3: Create a custom policy containing multiple actions.

A custom policy can contain the actions of multiple services that are of the global or project-level type. Example policy containing multiple actions:

```json
{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "ecs:cloudServers:resize",
                "ecs:cloudServers:delete",
                "css:cluster:restart",
                "css:*:get*",
                "css:*:list*"
            ],
            "Effect": "Allow"
        }
    ]
}
```
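To make the two rules in Example 2 and Example 3 concrete (a Deny statement overrides any Allow, and a Deny-only policy grants nothing on its own; wildcard actions such as `css:*:get*` match per segment), here is an added Python model of that evaluation. It is example code written for this page, not Huawei Cloud's or IAM's actual policy engine; it assumes actions are always three colon-separated segments, and `CSS_ADMIN_LIKE` is a constructed stand-in for the CSS Admin policy rather than its real definition.

```python
import fnmatch
import json

# Constructed stand-in for the CSS Admin policy (assumption: the real policy text differs).
CSS_ADMIN_LIKE = {
    "Version": "1.1",
    "Statement": [{"Action": ["css:*:*"], "Effect": "Allow"}],
}

# The deny policy from Example 2 above.
DENY_DELETE = {
    "Version": "1.1",
    "Statement": [{"Effect": "Deny", "Action": ["css:cluster:delete"]}],
}

# The multi-action policy from Example 3 above.
MULTI_ACTION = {
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "ecs:cloudServers:resize",
                "ecs:cloudServers:delete",
                "css:cluster:restart",
                "css:*:get*",
                "css:*:list*",
            ],
            "Effect": "Allow",
        }
    ],
}


def load_policy(text: str) -> dict:
    """Parse custom-policy JSON and reject the shapes the console would not accept."""
    policy = json.loads(text)
    if policy.get("Version") != "1.1":
        raise ValueError("custom policies on this page use Version 1.1")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"Effect must be Allow or Deny, got {stmt.get('Effect')!r}")
        if not isinstance(stmt.get("Action"), list) or not stmt["Action"]:
            raise ValueError("each statement needs a non-empty Action list")
    return policy


def action_matches(pattern: str, action: str) -> bool:
    """Match 'service:resource:operation' against a pattern, wildcarding per segment.

    Assumption: a pattern never spans segments, so 'css:*' does not cover 'css:cluster:list'.
    """
    p_parts, a_parts = pattern.split(":"), action.split(":")
    if len(p_parts) != len(a_parts):
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def evaluate(policies, action: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action across all attached policies.

    Any matching Deny wins immediately; an Allow only counts if no Deny matches;
    with no matching statement at all the result is an implicit deny.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(action_matches(p, action) for p in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def duplicate_actions(policy: dict) -> list:
    """Lint helper: list action strings repeated within one statement."""
    dupes = []
    for stmt in policy["Statement"]:
        seen = set()
        for act in stmt["Action"]:
            if act in seen and act not in dupes:
                dupes.append(act)
            seen.add(act)
    return dupes


if __name__ == "__main__":
    group = [CSS_ADMIN_LIKE, DENY_DELETE]  # both policies attached to one user group
    for act in ("css:cluster:delete", "css:cluster:restart", "css:cluster:list"):
        print(f"{act:25} -> {evaluate(group, act)}")
    print("deny-only policy alone, css:cluster:list ->", evaluate([DENY_DELETE], "css:cluster:list"))
```

Run it as a script to see the Example 2 combination decide `css:cluster:delete` as Deny while every other CSS action stays Allow, and the deny-only policy by itself produce only implicit denies, which is why the page says it must be attached together with an Allow policy.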