Permission Dependencies of the SWR Console

Granting Permissions to Access Dependent Cloud Services

To use basic SWR functions, an IAM user must already have SWR Administrator, SWR FullAccess, SWR OperateAccess, or SWR ReadOnlyAccess permissions. Then, you can add roles or policies for them to use the SWR functions that depend on other cloud services.

To grant an IAM user permission to access dependent cloud services of SWR, you must have the IAM role Security Administrator.

Fine-grained HSS Authorization

1. Log in to the management console.
2. Select a region, click in the upper left corner, and choose Management & Governance > Identity and Access Management.
3. In the navigation pane, choose Permissions > Policies/Roles. Click Create Custom Policy. Set Policy Name to SWR HSS Access and Policy View to JSON. Configure the policy as follows and click OK.

   {
       "Version": "1.1",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "HSS:*:*"
               ]
           }
       ]
   }

4. In the navigation pane, choose User Groups. Select the user group the IAM user belongs to and click Authorize.
5. Select the SWR HSS Access policy. Select All resources and click OK.
6. After the authorization is successful, click Finish. The policy will be in effect after about 15 minutes.

Fine-grained CCE Authorization

1. Log in to the management console.
2. Select a region, click in the upper left corner, and choose Management & Governance > Identity and Access Management.
3. In the navigation pane, choose Permissions > Policies/Roles. Click Create Custom Policy. Set Policy Name to SWR CCE Access. Set Policy View to JSON. Configure the policy as follows and click OK.

   {
       "Version": "1.1",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "cce:cluster:list"
               ]
           }
       ]
   }

4. In the navigation pane, choose User Groups. Select the user group your IAM user belongs to and click Authorize.
5. Select the SWR CCE Access policy. Select All resources and click OK.
6. After the authorization is successful, click Finish. The policy will be in effect after about 15 minutes.
7. Click in the upper left corner. Choose Containers > Cloud Container Engine. In the navigation pane, choose Permissions. Select the cluster to access. In the upper right corner of the page, click Add Permission.
8. Configure the following parameters and click OK.
   • User/User Group: Select the user group the IAM user belongs to.
   • Namespace: Select All namespaces.
   • Permission Type: Select viewer.

9. When a dialog box is displayed indicating the permission is added successfully, click OK. Wait for 3 to 5 seconds for the authorization to take effect.

Fine-grained CCI Authorization

1. Log in to the management console.
2. Select a region, click in the upper left corner, and choose Management & Governance > Identity and Access Management.
3. In the navigation pane, choose Permissions > Policies/Roles. Click Create Custom Policy. Set Policy Name to SWR CCI Access and Policy View to JSON. Configure the policy as follows and click OK.

   {
       "Version": "1.1",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                 "cci:namespace:list",
                 "cci:deployment:list",
                 "cci:namespaceSubResource:list",
                 "cci:deployment:get",
                 "cci:namespaceSubResource:get"
               ]
           }
       ]
   }

4. In the navigation pane, choose User Groups. Select the user group your IAM user belongs to and click Authorize.
5. Select the SWR CCI Access policy. Select All resources and click OK.
6. After the authorization is successful, click Finish. The policy will be in effect after about 15 minutes.