Using IAM Roles or Policies to Grant Access to HSS
You can perform role/policy-based authorization using Identity and Access Management (IAM).
- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to HSS resources.
- Grant only the permissions required for users to perform a specific task.
- Entrust an account or cloud service to perform professional and efficient O&M on your HSS resources.
If your Huawei Cloud account does not require individual IAM users, skip this chapter.
This section describes how to perform role/policy-based authorization. Figure 1 shows the process.
Prerequisite
Before assigning permissions to a user group, you need to understand the HSS permissions. For details, see Role/Policy-based Authorization. For the system policies of other services, see System Permissions.
Authorization Process
- Create a user group and grant it permissions.
Create a user group on the IAM console and assign the HSS ReadOnlyAccess policy to the group.
- Create a user and add the user to a user group.
Create a user on the IAM console and add the user to the group created in step 1.
- Log in as the IAM user and verify permissions.
Log in to the HSS console as the created user, and verify that the user only has read permissions for HSS.
- Choose HSS from the service list. On the HSS console, click Buy HSS. If the purchase fails (assuming that only the HSS ReadOnlyAccess permission is granted), the HSS ReadOnlyAccess permission has already taken effect.
- Choose any other service in the service list. If a message appears indicating that you have insufficient permissions to access the service (assuming that only the HSS ReadOnlyAccess permission is granted), the HSS ReadOnlyAccess policy has already taken effect.
Example Custom Policies
Custom policies can be created to supplement the system-defined policies of HSS. For details about the actions supported by custom policies, see Actions Supported by Policy-based Authorization.
To create a custom policy, choose either visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and request conditions. You do not need to have knowledge of the policy syntax.
- JSON: Create a policy in JSON format or edit the JSON strings of an existing policy.
For details, see Creating a Custom Policy. The following lists examples of common HSS custom policies.
- Example 1: Allowing users to query the protected server list
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "hss:hosts:list"
            ]
        }
    ]
}
- Example 2: Denying agent uninstallation
A deny policy must be used together with other policies. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
The following method can be used if you need to assign the permissions of the HSS Administrator policy to a user but also forbid the user from uninstalling the HSS agent (hss:agent:uninstall). Create a custom policy containing the hss:agent:uninstall action, set its Effect to Deny, and assign both this policy and the HSS Administrator policy to the group the user belongs to. The user can then perform all operations on HSS except uninstalling the agent. The following is an example policy that denies agent uninstallation.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "hss:agent:uninstall"
            ]
        }
    ]
}
- Multi-action policies
A custom policy can contain the actions of multiple services that are of the project-level type. The following is a policy with multiple statements:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "hss:hosts:list"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "hss:hosts:switchVersion",
                "hss:hosts:manualDetect",
                "hss:manualDetectStatus:get"
            ]
        }
    ]
}
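The evaluation rule stated for Example 2 (an explicit Deny takes precedence over any Allow, and an action with no matching Allow is refused) is easy to get wrong when several policies are attached to one group. The following added example, which is not part of the original page and not Huawei Cloud's own policy engine, is a small evaluator that applies that rule to the policy documents above. It assumes that the HSS Administrator system policy can be modelled as a wildcard Allow over all hss actions and that `*` in an action string matches any characters; both are modelling assumptions for illustration, not the real content of that system policy.

```python
"""Toy evaluator for the IAM policy semantics described on this page:
an explicit Deny wins over Allow, and an action with no matching Allow
is implicitly denied. The policy documents below are constructed for
illustration (the wildcard stand-in for HSS Administrator is an
assumption, not the system policy's real content).
"""
import fnmatch
import json

# Constructed stand-in for the HSS Administrator system policy (assumption:
# modelled as a single wildcard Allow over every HSS action).
HSS_ADMINISTRATOR = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["hss:*:*"]}],
}

# The two custom policies from the page, as they would be pasted in JSON.
READ_ONLY_LIST_JSON = """
{ "Version": "1.1",
  "Statement": [ { "Effect": "Allow", "Action": [ "hss:hosts:list" ] } ] }
"""
DENY_AGENT_UNINSTALL_JSON = """
{ "Version": "1.1",
  "Statement": [ { "Effect": "Deny", "Action": [ "hss:agent:uninstall" ] } ] }
"""


def validate_policy(policy):
    """Reject documents that do not have the shape used on this page."""
    if policy.get("Version") != "1.1":
        raise ValueError("policy Version must be '1.1'")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("Statement must be a non-empty list")
    for st in statements:
        if st.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be 'Allow' or 'Deny'")
        if not isinstance(st.get("Action"), list) or not st["Action"]:
            raise ValueError("Action must be a non-empty list of strings")
    return policy


def load_policy(text):
    """Parse a JSON policy document and validate it.

    json.loads rejects malformed text such as a trailing comma before ']',
    raising json.JSONDecodeError (a subclass of ValueError).
    """
    return validate_policy(json.loads(text))


def _matches(pattern, action):
    # Assumption: '*' in an action pattern matches any run of characters.
    return fnmatch.fnmatchcase(action, pattern)


def evaluate(policies, action):
    """Return 'Allow' or 'Deny' for one action across all attached policies.

    Any matching Deny statement wins regardless of policy order; if no
    statement matches at all, the result is an implicit Deny.
    """
    allowed = False
    for policy in policies:
        validate_policy(policy)
        for st in policy["Statement"]:
            if any(_matches(p, action) for p in st["Action"]):
                if st["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


def main():
    deny_uninstall = load_policy(DENY_AGENT_UNINSTALL_JSON)
    group = [HSS_ADMINISTRATOR, deny_uninstall]
    for action in ("hss:hosts:list", "hss:agent:uninstall"):
        print(action, "->", evaluate(group, action))


if __name__ == "__main__":
    main()
```

Running the block shows that the group holding both HSS Administrator and the Deny policy can still list hosts but is refused hss:agent:uninstall, and swapping the order of the two policies does not change the outcome. Passing the JSON with a stray trailing comma to load_policy raises a ValueError, which is the quickest way to catch a copy-and-paste mistake before the policy is saved in the console.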