Authorization
Scenario
Some HSS functions depend on other cloud services. To use these functions, you need to assign HSS the permissions for the cloud service resources.
When you log in to the HSS console, HSS automatically requests the permissions to access other cloud service resources in the current region. After you assign the permissions, HSS will automatically create an agency named hss_policy_trust in IAM, which grants HSS the operation permissions on other cloud service resources in your account. For details, see Cloud Service Delegation.
To use HSS in multiple regions, request for cloud resource permissions in each region. To view the delegation records of each region, go to the IAM console, choose Agencies, and click hss_policy_trust.
|
Function |
Required Permission |
Cloud Service Permission |
Usage |
|
|---|---|---|---|---|
|
Permission |
Action |
|||
|
Container audit (image repository audit) |
CTSOperatePolicy |
Query audit events |
cts:trace:list |
Obtain image operation logs (CTS logs of SWR). |
|
Installation and configuration on servers |
VPCOperatePolicy |
Create a port |
vpc:ports:create |
Create network interface cards (NICs) and modify security groups to ensure that the port used for installing the agent is accessible. |
|
Delete a port |
vpc:ports:delete |
|||
|
Create a security group rule |
vpc:securityGroupRules:create |
|||
|
Delete a security group rule |
vpc:securityGroupRules:delete |
|||
|
Query ports or details about a port |
vpc:ports:get |
|||
|
Query networks or details about a network |
vpc:networks:get |
|||
|
Query subnets or details about a subnet |
vpc:subnets:get |
|||
|
VPCEPOperatePolicy |
Create an endpoint |
vpcep:endpoints:create |
Maintain the network channel Between the agent and the HSS cloud protection center (master). |
|
|
Query endpoints |
vpcep:endpoints:list |
|||
|
Delete a VPC endpoint |
vpcep:endpoints:delete |
|||
|
Installation and configuration on containers |
CCEOperatePolicy |
Query Cluster Information |
cce:cluster:get |
Manage the lifecycle of HSS-Daemonset and Configmap in a CCE cluster. |
|
Query Clusters in a Project |
cce:cluster:list |
|||
|
Query Agencies Based on Specified Conditions |
iam:agencies:listAgencies |
|||
Prerequisites
To let an IAM user perform operations, assign the Security Administrator system role or the HSS AgencyOperatePolicy system policy to the user. For details, see Creating a User Group and Granting Permissions.
Assigning Cloud Service Resource Permissions
- Log in to the management console.
- In the upper left corner of the page, select a region, click
, and choose Security & Compliance > HSS.
- In the navigation pane, choose Installation & Configuration > Permissions Management.
- Click Assign. The Assign dialog box is displayed.
Figure 1 Assigning permissions
- Select permissions and click OK.
The Container Audit, Server Install & Config, and Container Install & Config pages cannot work properly if required permissions are not assigned. You can click Assign in the reminder on the top of the pages to assign permissions.
Deleting Cloud Service Resource Permissions
- Log in to the management console.
- In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
- In the navigation pane, choose Installation & Configuration > Permissions Management.
- Locate a permission and click Remove in the Operation column. The Remove Permissions dialog box is displayed.
Alternatively, select multiple permissions and click Remove above the list.
Figure 2 Removing permissions
- Confirm the permission information, enter DELETE in the dialog box, and click OK.
If the permission is no longer displayed in the permission list, it indicates the permission has been removed.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
