Updated on 2025-11-12 GMT+08:00

Using IAM Identity Policies to Grant Access to EIP

Identity and Access Management (IAM) provides system-defined permissions for identity policy-based authorization, which let you control access to EIP. With IAM, you can:
  • Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing EIP resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust a HUAWEI ID or a cloud service to perform efficient O&M on your EIP resources.

If your HUAWEI ID meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of identity policy-based authorization.

Prerequisites

Before granting permissions, learn about all system-defined permissions for EIP. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process for granting EIP permissions
  1. On the IAM console, create an IAM user or create a user group.

    Log in to the IAM console to create an IAM user or user group.

  2. Attach a system-defined identity policy to the user or user group.

    Attach the system-defined identity policy EIPReadOnlyAccessPolicy to the user or user group, which grants it the permissions defined in that policy.

  3. Log in using the IAM user and verify permissions.

    In the authorized region, perform the following operations:

    • Choose Service List > Elastic IP. Then click Buy EIP on the EIP console. If a message appears indicating that you have insufficient permissions to perform the operation, the EIPReadOnlyAccessPolicy policy is in effect.
    • Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the EIPReadOnlyAccessPolicy policy is in effect.

Example Custom Policies

You can create custom identity policies to supplement the system-defined identity policies of EIP. You can add actions in custom identity policies as needed. For details about supported actions, see Permissions Policies and Supported Actions.

To create a custom identity policy, use either the visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. You do not need to know the policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Identity Policy and Attaching It to a Principal.

When creating a custom identity policy, use the Resource element to specify the resources the identity policy applies to and use the Condition element (service-specific condition keys) to control when the identity policy is in effect. For details about the supported resource types and condition keys, see . The following provides example custom identity policies for EIP.

  • Example 1: Grant permissions to assign and release EIPs
    A custom policy can contain actions from one or more services. The following policy contains multiple actions:
    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "eip:publicIps:create"
                ],
                "Resource": [
                    "VPC:*:*:publicip:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "eip:publicIps:delete"
                ],
                "Resource": [
                    "VPC:*:*:publicip:*"
                ]
            }
        ]
    }
  • Example 2: Grant permissions to release a specific EIP

    For operations on resources that have IDs, such as querying details, updating, and deleting, you can restrict permissions to specific resources in a policy. Any operation that is not explicitly granted is rejected by default. The following policy allows users to release only the EIP with a specific ID.

    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "eip:publicIps:delete"
                ],
                "Resource": [
                    "VPC:*:*:publicip:46901873-cfa2-4bfa-b458-225a6e027425"
                ]
            }
        ]
    }
  • Example 3: Grant permissions to release only EIPs that meet specific conditions
    You can also make a grant depend on request conditions in a policy. Any operation that is not explicitly granted is rejected by default. The following policy allows users to release only EIPs that belong to a specific enterprise project.
    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "eip:publicIps:delete"
                ],
                "Resource": [
                    "VPC:*:*:publicip:*"
                ],
                "Condition": {
                    "StringEquals": {
                        "g:EnterpriseProjectId": "a152091c-0b16-4a37-b871-93546ee98de4"
                    }
                }
            }
        ]
    }
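To reason about what Examples 2 and 3 actually permit before attaching them to a principal, the following added Python example (not Huawei Cloud's IAM engine, and not code from this page) simulates the default-deny evaluation the text describes: a request is allowed only if some statement's Action, Resource and Condition all match. It assumes that "*" in Action and Resource patterns matches any characters, that StringEquals compares the context value exactly, and that a condition key absent from the request context fails the comparison; the region and domain ID in the sample resource URNs are constructed placeholders, while the EIP and enterprise project IDs are the ones from the page.

```python
# Simplified local simulation of identity-policy evaluation (added example, not the IAM
# engine): models only the default-deny rule, "*" wildcards, and the StringEquals operator.
import fnmatch


def allow(action, resource, condition=None):
    """Build one Allow statement in the page's "Version": "5.0" layout."""
    stmt = {"Effect": "Allow", "Action": [action], "Resource": [resource]}
    if condition:
        stmt["Condition"] = {"StringEquals": condition}
    return stmt


# Example 2 from the page: release only one specific EIP (EIP ID taken from the page).
POLICY_SPECIFIC_EIP = {"Version": "5.0", "Statement": [
    allow("eip:publicIps:delete", "VPC:*:*:publicip:46901873-cfa2-4bfa-b458-225a6e027425")]}

# Example 3 from the page: release EIPs only inside one enterprise project (ID from the page).
POLICY_PROJECT_SCOPED = {"Version": "5.0", "Statement": [
    allow("eip:publicIps:delete", "VPC:*:*:publicip:*",
          {"g:EnterpriseProjectId": "a152091c-0b16-4a37-b871-93546ee98de4"})]}


def _condition_holds(condition, context):
    # Only StringEquals is modelled, the single operator the page uses. A key missing from
    # the request context fails the comparison (assumption), so the statement does not apply.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Default deny: rejected unless an Allow statement's Action, Resource and Condition
    all match the request. '*' semantics via fnmatch are an assumption."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in stmt["Resource"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed resource URNs: region and domain ID are placeholders, the EIP ID is the page's.
    target = "VPC:cn-north-4:0123456789abcdef:publicip:46901873-cfa2-4bfa-b458-225a6e027425"
    other = "VPC:cn-north-4:0123456789abcdef:publicip:00000000-0000-0000-0000-000000000000"
    print(is_allowed(POLICY_SPECIFIC_EIP, "eip:publicIps:delete", target))  # True
    print(is_allowed(POLICY_SPECIFIC_EIP, "eip:publicIps:delete", other))   # False
```

Running the simulation against a release request for a different EIP, or with an enterprise project ID other than the one in the policy, shows the request falling through to the default deny.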