Updated on 2025-12-15 GMT+08:00

Authorizing IAM Users to Use CodeArts Deploy

This section describes how to use Identity and Access Management (IAM) to manage permissions for your CodeArts Deploy resources on the console. With IAM, you can:

  • Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing CodeArts Deploy resources.
  • Grant only the permissions required for users to perform a specific task.
  • Entrust a Huawei Cloud account or a cloud service to perform efficient O&M on your CodeArts Deploy resources.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

This section describes the policy-based authorization method. Figure 1 shows the authorization process.

Prerequisites

  • Learn about the permissions supported by the CodeArts Deploy console and select them according to your requirements. For details about the system policies supported by the CodeArts Deploy console, see Identity Policy-based Permissions Management.
  • To grant permissions for other services, learn about all system-defined permissions supported by IAM.
  • IAM authentication has been enabled for 5 minutes. To enable it:
    1. Log in to the service homepage, click the username on the top navigation bar, and choose All Account Settings.
    2. In the navigation pane, choose General > Global Settings. On the displayed page, enable IAM authentication.

Process

Figure 1 Process of granting permissions for the CodeArts Deploy console

  1. Create a user or a user group.

    On the IAM console, create a user or user group.

  2. Attach a system-defined policy to a user or user group.

    Assign the permissions defined in the system-defined policy CodeArtsDeployReadOnlyPolicy to the user or group, or attach the policy to it.

  3. Log in and verify permissions.

    Log in to the console as an authorized user and verify the permissions.

    1. Choose Developer Services > CodeArts from the service list. Go to the CodeArts console.
    2. Choose Enterprise Account Authorization. On the displayed page, check the authorized enterprise accounts.
    3. Click Authorize Enterprise Account. In the displayed dialog box, enter characters for testing. If the system prompts that your permissions are insufficient, the CodeArtsDeployReadOnlyPolicy policy has already taken effect.

Custom Policies for the CodeArts Deploy Console

You can create custom policies to supplement the system-defined policies of CodeArts Deploy. For the actions supported for custom policies, see "Identity Policy-based Authorization" in the CodeArts Deploy API Reference.

You can create custom policies in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions for auto-generation. This does not require knowledge of policy syntax.
  • JSON: Create a policy in the JSON format from scratch or based on an existing policy.

For details, see Creating a Custom Policy. The following lists examples of common CodeArts Deploy custom policies.

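  • The current version does not support the RequestedRegion field.
  • The codeartsdeploy:application:create and codeartsdeploy:application:list operations do not support application resource update. In the examples below, the compliant statement has no Resource element, and the non-compliant one restricts Resource to a single application.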

Compliant example:

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codeartsdeploy:application:create",
        "codeartsdeploy:application:list"
      ]
    }
  ]
}

Non-compliant example:

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codeartsdeploy:application:create",
        "codeartsdeploy:application:list"
      ],
      "Resource": [
        "codeartsdeploy:*:*:application:40d0cc8bae254bfaaa32707d540e2dc3"
      ]
    }
  ]
}
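
A pre-submission check for the two restrictions above, as an added example (not Huawei Cloud tooling): it flags a statement that carries a Resource element together with the create or list action, including when a wildcard action covers them, and any condition key named RequestedRegion. The `Condition` layout, the `g:RequestedRegion` key spelling and the region value are assumptions made for the sample input.

```python
import json
from fnmatch import fnmatchcase

# Actions the page says cannot be combined with an application resource.
NO_RESOURCE_ACTIONS = ("codeartsdeploy:application:create",
                       "codeartsdeploy:application:list")

def as_list(value):
    # A policy field may hold a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(policy_text):
    """Return findings for one custom policy given as JSON text."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_text).get("Statement", [])):
        patterns = as_list(stmt.get("Action"))
        # A wildcard such as codeartsdeploy:application:* also covers create/list.
        hit = [a for a in NO_RESOURCE_ACTIONS
               if any(fnmatchcase(a, p) for p in patterns)]
        if hit and "Resource" in stmt:
            findings.append(f"Statement[{i}]: Resource used with {', '.join(hit)}")
        # Assumed layout: "Condition": {operator: {condition_key: values}}
        for keys in stmt.get("Condition", {}).values():
            for key in keys:
                if key.split(":")[-1].lower() == "requestedregion":
                    findings.append(f"Statement[{i}]: unsupported condition key {key}")
    return findings

# The page's non-compliant policy plus a constructed RequestedRegion condition.
NON_COMPLIANT = """{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["codeartsdeploy:application:create", "codeartsdeploy:application:list"],
    "Resource": ["codeartsdeploy:*:*:application:40d0cc8bae254bfaaa32707d540e2dc3"],
    "Condition": {"StringEquals": {"g:RequestedRegion": ["region-placeholder"]}}
  }]
}"""

# The page's compliant policy: same actions, no Resource element.
COMPLIANT = """{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["codeartsdeploy:application:create", "codeartsdeploy:application:list"]
  }]
}"""

if __name__ == "__main__":
    print(lint_policy(NON_COMPLIANT), lint_policy(COMPLIANT))
```
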
  • Example 1: Grant permissions to query application details.
    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "codeartsdeploy:application:get"
                ]
            }
        ]
    }
  • Example 2: Create a policy that denies application deletion.

    A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions. To give a user the CodeArtsDeploy.Application permissions but prevent them from deleting applications, create a custom policy that denies delete access and assign both policies to the user. The user can perform all operations on applications except deletion. The following is an example policy.

    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "codeartsdeploy:application:delete"
                ]
            }
        ]
    }
  • Example 3: Create a custom policy containing multiple actions.

    A custom policy can contain the actions of both the current and other services. The following is an example policy containing multiple actions:

    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cce:cluster:get",
                    "cce:cluster:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "codeartsdeploy:application:get",
                    "codeartsdeploy:application:list"
                ]
            }
        ]
    }
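
The precedence rule from Example 2, as an added example (not Huawei Cloud's evaluation code): a simplified evaluator that looks only at Effect and Action and ignores Resource and Condition. `ALLOW_APPLICATION`, with its wildcard action, is a constructed stand-in for the broader application permissions; `DENY_DELETE` is the Example 2 policy.

```python
from fnmatch import fnmatchcase

def actions_of(statement):
    """Return the statement's Action field as a list of patterns."""
    value = statement.get("Action", [])
    return [value] if isinstance(value, str) else value

def evaluate(policies, action):
    """Decide one action against every policy attached to a user.

    Simplified model: a matching Deny ends evaluation, a matching Allow is
    remembered, and an action that nothing allows is denied by default.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not any(fnmatchcase(action, p) for p in actions_of(stmt)):
                continue
            if stmt.get("Effect") == "Deny":
                return "ExplicitDeny"  # Deny takes precedence over any Allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# Constructed stand-in for the broad application permissions (assumption).
ALLOW_APPLICATION = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": ["codeartsdeploy:application:*"]}]}

# Example 2 from the page.
DENY_DELETE = {"Version": "5.0", "Statement": [
    {"Effect": "Deny", "Action": ["codeartsdeploy:application:delete"]}]}

def effective_permissions(policies, actions):
    """Map each action to its decision under the attached policies."""
    return {a: evaluate(policies, a) for a in actions}

if __name__ == "__main__":
    checks = ["codeartsdeploy:application:get", "codeartsdeploy:application:delete"]
    print(effective_permissions([ALLOW_APPLICATION, DENY_DELETE], checks))
    # With the Deny-only policy alone, nothing is allowed.
    print(effective_permissions([DENY_DELETE], checks))
```
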