Updated on 2025-07-18 GMT+08:00

IAM User Permissions

With IAM, you can configure permission policies to grant IAM users in your account fine-grained MgC permissions, enabling effective permission isolation.

The following table lists the permissions that are required for IAM users to use different MgC functions. For details about how to grant specific permissions to IAM users, see Creating a Custom Policy.

Function

Required Permissions

Configuring a server purchase template

vpc:vpcs:list (Listing VPCs)

vpc:subnets:get (Querying subnets or querying details about a subnet)

vpc:securityGroups:get (Querying security groups or querying details about a security group)

eps:enterpriseProjects:list (Listing enterprise projects)

ecs:availabilityZones:list (Listing AZs)

Manually configuring target server specifications

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

evs:types:get (Querying EVS disk types)

ims:images:list (Listing images)

ims:images:get (Querying details about an image)

Associating source servers with existing target servers

evs:volumes:list (Listing EVS disks)

ecs:cloudServers:list (Querying details about ECSs)

ecs:cloudServers:showServer (Querying details about an ECS)

ims:images:get (Querying details about a specified image)

Importing target resource configurations during the design of server migration plans

obs:bucket:ListBucket (Listing objects in a bucket)

obs:bucket:ListAllMyBuckets (Listing buckets)

Creating a server migration workflow

vpc:vpcs:list (Listing VPCs)

vpc:vpcs:get (Querying VPC details)

vpc:subnets:get (Querying subnets or querying details about a subnet)

vpc:securityGroups:get (Querying security groups or querying details about a security group)

eps:enterpriseProjects:list (Listing enterprise projects)

eps:enterpriseProjects:get (Querying details about an enterprise project)

kms:cmk:list (Listing keys)

kms:cmk:get (Querying key information)

kms:dek:create (Creating a DEK)

kms:dek:decrypt (Decrypting a DEK)

sms:server:migrationServer (Migrating a source server)

sms:server:queryServer (Querying source servers)

smn:topic:list (Listing topics)

Getting server recommendations

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ecs:cloudServers:list (Querying details about ECSs)

ims:images:list (Listing images)

ims:images:get (Querying details about an image)

evs:volumes:list (Listing EVS disks)

evs:types:get (Querying EVS disk types)

Creating a cross-az migration workflow

ecs:availabilityZones:list (Listing AZs)

smn:topic:list (Listing topics)

Configuring product mappings for TCO analysis

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

ims:images:list (Listing images)

evs:types:get (Querying EVS disk types)

Configuring target buckets in an object storage migration plan

obs:bucket:ListAllMyBuckets (Listing buckets)

Creating a storage migration workflow

OMS Administrator (Full permissions for OMS)

smn:topic:list (Listing topics)

smn:topic:updateNotifyPolicy (Granting the permissions to modify notification policies)

smn:topic:update (Granting the permissions to update a topic, including adding subscriptions)

Creating a migration cluster

OMS Administrator (Full permissions for OMS)

nat:natGateways:list (Listing NAT gateways)

vpc:vpcs:list (Listing VPCs)

vpc:subnets:get (Querying subnets or querying details about a subnet)

vpc:publicIps:list (Listing EIPs)

ecs:cloudServerFlavors:get (Querying details about flavors and extended flavor information)

Authorizing an agency

iam:agencies:listAgencies (Querying agencies based on specified conditions)

iam:roles:listRoles (Listing permissions)

iam:quotas:listQuotas (Listing quotas)

iam:permissions:listRolesForAgency (Listing permissions of an agency)

iam:agencies:createAgency (Creating an agency)

iam:permissions:grantRoleToAgency (Granting specified permissions to an agency)

iam:roles:createRole (Creating a custom policy)

iam:roles:updateRole (Modifying a custom policy)

iam:permissions:revokeRoleFromAgency (Revoking permissions from an agency)