Updated on 2025-11-24 GMT+08:00

Using IAM Roles or Policies to Grant Access to DAS

Role/Policy-based authorization provided by Identity and Access Management (IAM) can control access to DAS. With IAM, you can:

  • Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to DAS resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust a Huawei Cloud account or a cloud service to perform efficient O&M on your DAS resources.

If your account does not require individual IAM users, skip this section.

Figure 1 shows the process flow of role/policy-based authorization.

Prerequisites

Learn about role/policy-based authorization before granting DAS permissions to user groups. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process of granting DAS permissions
  1. On the IAM console, create a user group and grant it permissions.

    Create a user group on the IAM console, and assign the DAS ReadOnlyAccess policy to the group.

  2. Create a user and add it to the user group.

    On the IAM console, create a user and add it to the user group created in step 1.

  3. Log in as the IAM user and verify permissions.
    In the authorized region, perform the following operations:
    • Choose Service List > Databases > DAS. Then click Buy DB Instance on the DAS console. Assuming the user group has only the DAS ReadOnlyAccess policy, the purchase should fail; if it does, DAS ReadOnlyAccess has taken effect.
    • Choose any other service in the Service List. Assuming the user group has only the DAS ReadOnlyAccess policy, a message should appear indicating insufficient permissions to access that service; if it does, the DAS ReadOnlyAccess policy has taken effect.

Examples of DAS Custom Policies

Custom policies can be created to supplement the system-defined policies of DAS. For details, see Actions Supported by Policy-based Authorization.

You can create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details, see Creating a Custom Policy. The following are examples of common DAS custom policies.

  • Example 1: Allowing a user to log in to a database on DAS
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "das:connections:login"
                ]
            }
        ]
    }
  • Example 2: Denying deletion of a database connection on DAS

    A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    If you grant DAS FullAccess to a user but do not want the user to have the permission to delete database connections, create a custom policy that denies deleting database connections, and attach both policies to the user. The user can then perform all operations on DAS except deleting database connections. The following is an example of a deny policy:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "das:connections:delete"
                ]
            }
        ]
    }
  • Example 3: Creating a custom policy containing multiple actions

    A custom policy can contain the actions of one or multiple services that are of the same type (global- or project-level). The following is an example policy containing multiple actions:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "das:connections:create",
                    "das:connections:login",
                    "das:connections:modify",
                    "das:connections:delete",
                    "das:connections:list",
                    "rds:instance:list",
                    "dds:instance:list"
                ],
                "Effect": "Allow"
            }
        ]
    }
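To show how the "Deny takes precedence over Allow" rule from Example 2 interacts with a multi-action policy like Example 3, here is an added Python evaluator; it is example code, not part of the DAS documentation or the IAM service. It assumes a stand-in for DAS FullAccess written with the wildcard "das:*" (the page does not give that policy's content, and wildcard support is this example's assumption), and it models only Effect/Action matching, not resources or request conditions.

```python
import fnmatch
import json

# Constructed policy documents in the Version 1.1 format shown on this page.
# FULL_ACCESS is an ASSUMED stand-in for the DAS FullAccess system policy;
# the wildcard "das:*" is an assumption of this example, not from the page.
FULL_ACCESS = json.loads('''{
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["das:*"]}]
}''')

# The deny policy from Example 2, with the JSON made valid.
DENY_DELETE = json.loads('''{
    "Version": "1.1",
    "Statement": [{"Effect": "Deny", "Action": ["das:connections:delete"]}]
}''')


def validate_policy(policy):
    """Reject documents missing the Version/Statement/Effect/Action shape used on this page."""
    if policy.get("Version") != "1.1":
        raise ValueError("unsupported Version: %r" % policy.get("Version"))
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny")
        if not isinstance(stmt.get("Action"), list) or not stmt["Action"]:
            raise ValueError("Action must be a non-empty list")


def is_allowed(action, policies):
    """Evaluate one action against every policy attached to a user.

    An explicit Deny on a matching action wins over any Allow; an action
    matched by no statement at all is denied by default.
    """
    matched_allow = False
    for policy in policies:
        validate_policy(policy)
        for stmt in policy["Statement"]:
            if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return False  # explicit deny: stop immediately
                matched_allow = True
    return matched_allow


if __name__ == "__main__":
    attached = [FULL_ACCESS, DENY_DELETE]
    for act in ("das:connections:login", "das:connections:delete", "rds:instance:list"):
        print(act, "->", "allowed" if is_allowed(act, attached) else "denied")
```

Attaching only the deny policy grants nothing, which is why the page says a Deny-only policy must be combined with an Allow policy.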