Help Center/ Enterprise Switch/ User Guide/ Permissions Management/ Using IAM Identity Policies to Grant Access to Enterprise Switch

Updated on 2025-11-13 GMT+08:00

View PDF

Using IAM Identity Policies to Grant Access to Enterprise Switch

System-defined permissions in Identity Policy-based Authorization provided by Identity and Access Management (IAM) let you control access to Enterprise Switch. With IAM, you can:

Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing Enterprise Switch resources.
Grant only the permissions required for users to perform a specific task.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of identity policy-based authorization.

Prerequisites

Before granting permissions, learn about system-defined permissions in Identity Policy-based Authorization for Enterprise Switch. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process for granting Enterprise Switch permissions
Click to enlarge

On the IAM console, create an IAM user or create a user group.
Attach a system-defined identity policy to the user or user group.
Assign the permissions defined in the system-defined identity policy ESWReadOnlyPolicy to the user or group, or attach the system-defined identity policy to it.
Log in as the IAM user and verify permissions.
In the authorized region, perform the following operations:
- Click Service List and choose Enterprise Switch. Then click Buy in the upper right corner. If a message appears indicating that you have insufficient permissions to perform the operation, the ESWReadOnlyPolicy is in effect.
- Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the ESWReadOnlyPolicy policy is in effect.

Example Custom Identity Policies

You can create custom identity policies to supplement system-defined identity policies of Enterprise Switch.

To create a custom identity policy, choose either visual editor or JSON.

Visual editor: Select cloud services, actions, resources, and conditions. This does not require knowledge of policy grammar.
JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Identity Policy and Attaching It to a Principal.

The following provides example custom identity policies for Enterprise Switch.

Example 1: Grant the permissions to create and delete enterprise switches.

{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "esw:instance:create",
                "esw:instance:delete"
            ]
        }
    ]
}

Example 2: Create a custom identity policy containing multiple actions.

A custom identity policy can contain the actions of one or multiple services. The following is a policy with multiple actions:

{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "esw:instance:create",
                "esw:instance:delete"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "esw:connection:create",
                "esw:connection:list"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "vpc:ports:list",
                "vpc:ports:delete"
            ]
        }
    ]
}

Parent topic: Permissions Management

Previous topic: Using IAM Roles or Policies to Grant Access to Enterprise Switch

Next topic: Enterprise Switches