Using IAM Identity Policies to Grant Access to CSS
This section describes how to use Identity and Access Management (IAM) to implement identity policy-based permissions authorization for your CSS resources. With IAM, you can:
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user is assigned their own unique credentials for accessing CSS resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust a Huawei Cloud account or a cloud service to perform professional and efficient O&M on your CSS resources.
If your Huawei Cloud account meets your permissions requirements, you can skip this section.
Figure 1 shows the process flow of identity policy-based authorization.
Prerequisites
Before granting permissions, learn about the CSS permissions and select the permissions as required. For details, see Permissions Management. To grant permissions to other services, learn about all system-defined permissions supported by IAM.
Process Flow
- Create an IAM user or a user group on the IAM console.
- Attach a system-defined identity policy to the user or user group, for example the CSSReadOnlyAccess system-defined policy.
- Log in as the IAM user and verify the permissions. In the authorized region, perform the following operations:
  - Choose Service List > Cloud Search Service, then click Create Cluster on the CSS console. If the cluster cannot be created (assuming that the current permissions include only CSSReadOnlyPolicy), the CSSReadOnlyPolicy policy has taken effect.
  - Choose any other service from Service List (again assuming that the current policy contains only CSSReadOnlyPolicy). If a message appears indicating insufficient permissions to access the service, the CSSReadOnlyPolicy policy has taken effect.
Example Custom Identity Policies
You can create custom identity policies to supplement the system-defined policies of CSS. For the actions supported for custom policies, see Cloud Search Service API Reference > Permissions Policies and Supported Actions > Supported Actions.
To create a custom identity policy, choose either visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
- JSON: Edit JSON policies from scratch or based on an existing policy.
For details, see Creating a Custom Identity Policy and Attaching It to a Principal.
The following provides examples of custom CSS identity policies.
- Example 1: Authorize a user to view the cluster list.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Action": ["css:cluster:list"],
      "Effect": "Allow"
    }
  ]
}
```

- Example 2: Deny cluster deletion.

A policy that contains only Deny statements must be used together with other policies for it to take effect. If the permissions assigned to a user contain both "Allow" and "Deny" for the same action, the "Deny" takes precedence over the "Allow".

Use the following method if you need to assign the permissions of the CSSFullAccessPolicy policy to a user but want to prevent that user from deleting clusters. Create a custom policy that denies cluster deletion, and attach both CSSFullAccessPolicy and the deny policy to the group the user belongs to. The user can then perform all CSS operations except deleting clusters. The following is an example of such a deny policy:

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["css:cluster:delete"]
    }
  ]
}
```

- Example 3: Create a custom identity policy containing multiple actions.

A custom identity policy can contain actions of multiple services, provided they are all project-level actions. Example policy containing multiple actions:

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Action": [
        "ecs:cloudServers:resize",
        "ecs:cloudServers:delete",
        "css:cluster:restart",
        "css:*:get*",
        "css:*:list*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
Additionally, CSS supports public network border SCP policies and resource tag policies, allowing tenants to configure policies to disallow public network access. Resource tags and public network access control policies can also be used together.
The following examples describe how to configure public network border SCP policies for CSS.
- Example 1: Disallow the binding of a public IP address when creating a CSS cluster.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["css:cluster:create"],
      "Condition": {
        "Bool": { "css:AssociatePublicIp": ["true"] }
      }
    }
  ]
}
```

- Example 2: Disallow the binding of a public IP address when creating a CSS cluster with the key:value tag.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["css:cluster:create"],
      "Condition": {
        "Bool": { "css:AssociatePublicIp": ["true"] },
        "StringEquals": { "g:RequestTag/key": ["value"] }
      }
    }
  ]
}
```

- Example 3: Allow the binding of a public IP address during cluster creation only for a CSS cluster with the key:value tag.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["css:cluster:create"],
      "Condition": {
        "Bool": { "css:AssociatePublicIp": ["true"] },
        "StringEquals": { "g:RequestTag/key": ["value"] }
      }
    }
  ]
}
```

- Example 4: Disallow the binding of a public IP address to CSS clusters.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "css:publicIPAddress:associates",
        "css:publicKibana:open"
      ]
    }
  ]
}
```

- Example 5: Disallow the binding of a public IP address to a CSS cluster that carries the key:value tag.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "css:publicIPAddress:associates",
        "css:publicKibana:open"
      ],
      "Condition": {
        "StringEquals": { "g:ResourceTag/key": ["value"] }
      }
    }
  ]
}
```

- Example 6: Allow the binding of a public IP address only for a CSS cluster that carries the key:value tag.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "css:publicIPAddress:associates",
        "css:publicKibana:open"
      ],
      "Condition": {
        "StringEquals": { "g:ResourceTag/key": ["value"] }
      }
    }
  ]
}
```
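To make the evaluation rules behind these examples concrete (an explicit Deny overriding Allow, default deny when nothing allows an action, wildcard actions such as css:*:get*, and the Bool and StringEquals conditions), the following is an added, constructed evaluator written for this page; it is not Huawei Cloud or CSS code, it is a simplified model, and the CSSFullAccessPolicy stand-in is an assumption because that policy's content is not shown here.

```python
import fnmatch

# Constructed, simplified evaluator for the Version 5.0 identity-policy shape shown on
# this page (not the real IAM engine). It encodes three rules the page states or relies
# on: an explicit Deny overrides any Allow, an action with no matching Allow is denied
# by default, and a statement applies only when every clause of its Condition matches.
# Action matching uses shell-style globs so patterns such as "css:*:get*" work.

def _condition_matches(cond, ctx):
    """True when every operator/key/value clause in cond matches the request context."""
    for operator, clauses in cond.items():
        for key, values in clauses.items():
            actual = ctx.get(key)
            if actual is None:                      # key absent from request: no match
                return False
            if operator == "Bool":
                if str(actual).lower() not in [v.lower() for v in values]:
                    return False
            elif operator == "StringEquals":
                if actual not in values:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def evaluate(policies, action, ctx=None):
    """Evaluate all policies attached to a principal for one request: 'Allow' or 'Deny'."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"]):
                continue
            if not _condition_matches(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                       # Deny wins over every Allow
            allowed = True
    return "Allow" if allowed else "Deny"           # no matching Allow: default deny

# Assumed stand-in for CSSFullAccessPolicy (its real content is not on this page).
FULL_ACCESS = {"Version": "5.0", "Statement": [{"Effect": "Allow", "Action": ["css:*:*"]}]}
# The page's deny-cluster-deletion policy.
DENY_DELETE = {"Version": "5.0", "Statement": [{"Effect": "Deny", "Action": ["css:cluster:delete"]}]}
# The page's tagged create-cluster example: deny a public IP only for requests tagged key=value.
DENY_PUBLIC_IP_TAGGED = {"Version": "5.0", "Statement": [{"Effect": "Deny", "Action": ["css:cluster:create"],
    "Condition": {"Bool": {"css:AssociatePublicIp": ["true"]},
                  "StringEquals": {"g:RequestTag/key": ["value"]}}}]}
```

Attaching FULL_ACCESS together with DENY_DELETE yields Deny for css:cluster:delete and Allow for css:cluster:restart, which is the behaviour the deny-policy example above describes.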