Updated on 2025-11-11 GMT+08:00

Using IAM Roles or Policies to Grant Access to Global Accelerator

System-defined permissions in Role/Policy-based Authorization provided by Identity and Access Management (IAM) let you control access to Global Accelerator. With IAM, you can:

  • Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing Global Accelerator resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Delegate another HUAWEI ID or cloud service to perform professional and efficient O&M on your Global Accelerator resources.

Skip this part if your HUAWEI ID does not require individual IAM users.

Figure 1 shows the process flow of role/policy-based authorization.

Prerequisites

Before granting permissions to user groups, learn about system-defined permissions for Global Accelerator in Role/Policy-based Authorization. To grant permissions for other services, learn about all system-defined policies/roles supported by IAM.

Process Flow

Figure 1 Process of granting Global Accelerator permissions using role/policy-based authorization
  1. On the IAM console, create a user group and grant it permissions (GA ReadOnlyAccess as an example).
  2. Create an IAM user and add it to the created user group.
  3. Log in as the IAM user and verify the permissions.

    In the authorized region, perform the following operations:

    • Click the icon in the upper left corner to display Service List and choose Networking > Global Accelerator. Click Buy Global Accelerator in the upper right corner. If the global accelerator cannot be created, the GA ReadOnlyAccess policy is in effect.
    • Choose another service in Service List. If the system prompts you that you do not have permissions to access the service, the GA ReadOnlyAccess policy is in effect.

Example Custom Policies

Custom policies can be created to supplement the system-defined policies of Global Accelerator. For the actions supported for custom identity policies, see "Role/Policy-Based Authorization" in the Global Accelerator API Reference.

To create a custom policy, choose either visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. You do not need to have knowledge of the policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following lists examples of custom policies for Global Accelerator.

  • Example 1: Grant permissions to update a global accelerator.
    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ga:accelerator:update"
                ]
            }
        ]
    }
  • Example 2: Deny global accelerator deletion.

    A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    Assume that you want to grant the permissions of the GA FullAccess policy to a user but want to prevent them from deleting global accelerators. You can create a custom policy for denying global accelerator deletion, and attach this policy together with the GA FullAccess policy to the user. Because an explicit deny in any policy overrides any allow, the user can perform all operations on global accelerators except deleting them.

    The following is an example deny policy:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "ga:accelerator:delete"
                ]
            }
        ]
    }
  • Example 3: Create a custom policy containing multiple actions.

    A custom policy can contain the actions of one or more services that are of the same type (global or project-level).

    Example policy containing multiple actions:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ga:listener:create",
                    "ga:healthcheck:create",
                    "ga:endpointgroup:create",
                    "ga:endpoint:create"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "eps:enterpriseProjects:enable",
                    "eps:enterpriseProjects:update",
                    "eps:enterpriseProjects:create"
                ]
            }
        ]
    }
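The deny-over-allow rule from Example 2 can be checked offline before attaching policies. The following is an added example, not code from this guide or from IAM itself: it models only Effect and Action (no resources or conditions), treats an unmatched action as denied by default, and uses "ga:*:*" as an assumed stand-in for GA FullAccess, whose real statements are not shown on this page.

```python
from fnmatch import fnmatchcase

# Constructed stand-in for the system-defined GA FullAccess policy.
# Assumption: its real content is not on this page; "ga:*:*" is illustrative.
GA_FULL_ACCESS_STANDIN = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["ga:*:*"]}],
}

# The deny policy from Example 2, as given on this page.
DENY_DELETE = {
    "Version": "1.1",
    "Statement": [{"Effect": "Deny", "Action": ["ga:accelerator:delete"]}],
}


def statements(policies):
    """Yield (effect, action_patterns) for every statement in every policy."""
    for policy in policies:
        for stmt in policy.get("Statement", []):
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            yield stmt.get("Effect"), actions


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one requested action.

    Simplified model (assumption): case-sensitive matching with '*' as the
    only wildcard in use; an action that no statement allows is denied.
    """
    allowed = False
    for effect, patterns in statements(policies):
        if not any(fnmatchcase(action, p) for p in patterns):
            continue
        if effect == "Deny":
            return "Deny"  # explicit deny overrides any allow, in any order
        if effect == "Allow":
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def is_deny_only(policies):
    """True when the set grants nothing, so it must be paired with an allow policy."""
    return not any(effect == "Allow" for effect, _ in statements(policies))


if __name__ == "__main__":
    attached = [GA_FULL_ACCESS_STANDIN, DENY_DELETE]
    for act in ("ga:accelerator:update", "ga:accelerator:delete"):
        print(act, "->", evaluate(attached, act))
```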