Updated on 2025-11-21 GMT+08:00

Using IAM Roles or Policies to Grant Access to ServiceStage

System-defined permissions in Role/Policy-Based Authorization provided by Identity and Access Management (IAM) let you control access to ServiceStage.

  • Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing ServiceStage resources.
  • Grant only the permissions required for users to perform a specific task.
  • Entrust a Huawei Cloud account or a cloud service to perform efficient O&M on your ServiceStage resources.

If your Huawei Cloud account does not require individual IAM users, you may skip over this section.

Figure 1 shows the process flow of role/policy-based authorization.

Prerequisites

Before granting permissions to user groups, learn about system-defined permissions in Role/Policy-based Permissions Management for ServiceStage. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process for granting ServiceStage permissions
  1. On the IAM console, create a user group and grant it permissions (ServiceStage ReadOnlyAccess as an example).

    Create a user group on the IAM console and assign the ServiceStage ReadOnlyAccess permissions to the group.

  2. Create an IAM user and add it to the created user group.

    Create a user on the IAM console and add it to the user group created in step 1.

  3. Log in as the IAM user and verify permissions.

    In the authorized region, perform the following operations:

    1. Choose Service List > ServiceStage > Application Management.
    2. Click Create Application. If a message appears indicating that you have insufficient permissions to perform the operation, the ServiceStage ReadOnlyAccess policy is in effect.

Example Custom Policies

You can create custom policies to supplement the system-defined policies of ServiceStage. For details about actions supported in custom policies, see Actions Supported by Policy-based Authorization.

To create a custom policy, choose either visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following lists examples of common ServiceStage custom policies.

The following example policy prohibits an IAM user from creating and deleting a microservice engine.
{
        "Version": "1.1",
        "Statement": [
                {
                        "Action": [
                                "cse:*:*"
                        ],
                        "Effect": "Allow"
                },
                {
                        "Action": [
                                "cse:engine:create",
                                "cse:engine:delete"
                        ],
                        "Effect": "Deny"
                }
        ]
}

A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
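The precedence rule above can be checked offline before the policy is attached. The following is an added example, not Huawei Cloud code: a simplified model of statement evaluation that assumes segment-wise "*" wildcard matching on actions and ignores Resource and Condition elements. The function names and the action cse:engine:get are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# The custom policy from this page.
POLICY = json.loads("""
{
    "Version": "1.1",
    "Statement": [
        {"Action": ["cse:*:*"], "Effect": "Allow"},
        {"Action": ["cse:engine:create", "cse:engine:delete"], "Effect": "Deny"}
    ]
}
""")

# Only the Deny statement, to model a Deny-only policy used on its own.
DENY_ONLY = {"Version": "1.1", "Statement": [POLICY["Statement"][1]]}


def action_matches(pattern, action):
    """Compare service:resource:operation segment by segment ('*' = wildcard)."""
    p, a = pattern.split(":"), action.split(":")
    return len(p) == len(a) and all(fnmatchcase(x, y) for x, y in zip(a, p))


def evaluate(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one requested action."""
    effects = {
        stmt["Effect"]
        for policy in policies
        for stmt in policy["Statement"]
        for pattern in stmt["Action"]
        if action_matches(pattern, action)
    }
    if "Deny" in effects:       # an explicit Deny overrides any Allow
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"       # no statement matched, so nothing is granted


def audit(policies, actions):
    """Map each requested action to its decision."""
    return {action: evaluate(policies, action) for action in actions}


if __name__ == "__main__":
    # cse:engine:get is a constructed sample action, not taken from the page.
    requested = ["cse:engine:create", "cse:engine:delete", "cse:engine:get"]
    print("page policy:", audit([POLICY], requested))
    print("deny-only  :", audit([DENY_ONLY], requested))
```

The Deny-only run shows why such a policy must be combined with others: it blocks the two engine actions but grants no access to anything else.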

After authorization, you can verify the permissions as the IAM user using the console or REST APIs.

The following uses the custom policy as an example to describe how to log in to the ServiceStage console to verify that a user is not allowed to create microservice engines.

  1. Log in to Huawei Cloud as an IAM user.
    • Tenant name: Name of the Huawei Cloud account used to create the IAM user
    • IAM username and password: Username and password specified when the IAM user was created under the tenant name
  2. On the Cloud Service Engines page, create a microservice engine. If error 403 is returned, the permissions are correct and have taken effect.