Help Center/ Ubiquitous Cloud Native Service/ User Guide/ Permissions/ UCS Resource Permissions (IAM-based)

Updated on 2025-08-25 GMT+08:00

View PDF

UCS Resource Permissions (IAM-based)

UCS cluster- and fleet-level permissions are assigned based on IAM system-defined policies and custom policies. You can use user groups to assign permissions to IAM users.

Cluster- and fleet-level permissions are configured only for cluster- and fleet-related resources (such as resources for the cluster management, fleet management, add-on management, policy center, configuration management, traffic distribution, container intelligent analysis, and other functions). You must also configure Kubernetes resource permissions to perform operations on Kubernetes resources (such as workloads and Services in a cluster).
When you view a cluster or fleet on the UCS console, the information displayed depends on the Kubernetes resource permissions. If the Kubernetes resource permissions are not configured, you cannot view the resources in the cluster or fleet.

Prerequisites

Before granting permissions to user groups, you need to get familiar with the system-defined policies listed in system-defined permissions for UCS. To grant permissions for other services, learn about all system-defined permissions supported by IAM.
A user with the Security Administrator role (for example, your account) has all IAM permissions except role switching. Only these users can view user groups and their permissions on the Permissions page on the UCS console.

Configuration Description

On the UCS console, when you choose Permissions > Add Permission to create a user or user group, you will be directed to the IAM console to complete the process. After the user or user group is created and its permissions are configured, you can view the information on the Permissions page. This section describes the operations on IAM.

Process Flow

Figure 1 Process for assigning UCS permissions

Create a user group and assign permissions.
On the IAM console, create a user group and grant it UCS permissions (UCS ReadOnlyAccess as an example).

UCS is a global service deployed in all physical regions. When granting permissions, set the authorization scope to All resources.
Create a user and add it to the user group.
Create a user on the IAM console and add it to the user group created in 1.
Log in and verify permissions.
Log in to the console as the created user and verify the permissions. (Assume that the user has only the UCS ReadOnlyAccess permissions.)
- Choose Ubiquitous Cloud Native Service from the service list. In the navigation pane, choose Infrastructure > Fleets. If a message indicating that you do not have the access permissions is displayed when you create a fleet or register a cluster, the UCS ReadOnlyAccess permissions have taken effect.
- Choose another service (such as Elastic Cloud Server) from the service list. If a message indicating insufficient permissions is displayed, the UCS ReadOnlyAccess permissions have taken effect.

System-defined Roles

Roles are a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. Only a limited number of service-level roles are available for authorization. However, roles are not an ideal choice for fine-grained authorization and secure access control.

The preset system role for UCS in IAM is UCS Administrator. When assigning this role to a user group, you must also select other roles and policies on which this role depends, such as Tenant Guest, Server Administrator, ELB Administrator, OBS Administrator, SFS Administrator, APM FullAccess, and SWR Admin. For more information about dependencies, see System-defined Permissions.

System-defined Policies

The system-defined policies preset for UCS in IAM include UCS FullAccess, UCS CommonOperations, UCS CIAOperations, and UCS ReadOnlyAccess.

UCS FullAccess: UCS administrator with full permissions, including creating permission policies and security policies

UCS FullAccess does not have the RBAC permissions of CCE clusters. You need to go to the Permissions page to grant permissions for CCE clusters.
UCS CommonOperations: common operation permissions for UCS. Users with these permissions can create workloads, distribute traffic, and perform other operations.
UCS CIAOperations: administrator permissions for UCS Container Intelligent Analysis
UCS ReadOnlyAccess: read-only permissions for UCS services (except for Container Intelligent Analysis)

You can check the content of a system-defined policy to learn about its supported actions. An action is in the format of {service-name}:{resource-type}:{action}. The wildcard (*) is allowed, indicating all actions.

The following is an example of the UCS FullAccess policy. This policy contains all permissions for UCS, Cloud Container Engine (CCE), and SoftWare Repository for Container (SWR), and operation permissions on some resources of Application Operations Management (AOM), Simple Message Notification (SMN), Domain Name Service (DNS), and other services.

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "ucs:*:*",
                "cce:*:*",
                "swr:*:*",
                "aom:*:get",
                "aom:*:list",
                "smn:*:list",
                "dns:*:get*",
                "dns:*:list*",
                "dns:*:get",
                "dns:*:list",
                "dns:recordset:create",
                "dns:recordset:delete",
                "dns:recordset:update",
                "dns:tag:get",
                "lts:*:get",
                "lts:*:list",
                "apm:*:get",
                "apm:*:list",
                "vpcep:epservices:*",
                "vpcep:connections:*",
                "vpcep:endpoints:*",
                "elb:*:get",
                "elb:*:list",
                "vpc:*:get",
                "vpc:*:list",
                "ief:*:get",
                "ief:*:list",
                "cgs:images:operate",
                "cgs:*:get",
                "cgs:*:list"
            ],
            "Effect": "Allow"
        }
    ]
}

**Table 1** Permissions in a UCS FullAccess policy
Action	Specific Action	Description
ucs::	ucs:ciaInstances:create	Creating a Container Intelligent Analysis instance
	ucs:ciaDetectEngines:update	Updating an inspection configuration
	ucs:permissionsRules:create	Creating a permission policy
	ucs:commodityServiceRegions:create	Creating a region
	ucs:clustergroups:delete	Deleting a cluster group
	ucs:clustergroups:create	Creating a cluster group
	ucs:addonTemplates:create	Creating an add-on template
	ucs:traffic:create	Creating a DNS record set
	ucs:serviceInstances:delete	Deleting a service instance
	ucs:ciaAlertRules:create	Creating an alarm rule
	ucs:clustergroups:update	Updating the description of a cluster group and the clusters or policies associated with it
	ucs:servicePlugins:operate	Operating a system add-on
	ucs:addonTemplates:offline	Bringing an add-on template offline
	ucs:ciaMonitorDashboards:update	Updating a Container Intelligent Analysis dashboard
	ucs:ciaMonitorDashboards:delete	Deleting a Container Intelligent Analysis dashboard
	ucs:serviceSubscriptions:operate	Operating service subscription, including adding, deleting, and modifying services
	ucs:servicePackages:operate	Operating a service package
	ucs:ciaMonitorDashboards:create	Creating a Container Intelligent Analysis dashboard
	ucs:clusters:create	Creating a cluster
	ucs:ciaInstanceEndpoints:delete	Deleting a network access point for a Container Intelligent Analysis instance
	ucs:permissionsTemplates:update	Updating a permission template
	ucs:commodityServiceBuckets:operate	Operating records in the OBS buckets of a commoditized service package
	ucs:permissionsTemplates:create	Creating a permission template
	ucs:addons:create	Creating an add-on instance
	ucs:ciaAlerts:update	Clearing triggered alarm events
	ucs:ciaInstances:update	Updating a Container Intelligent Analysis instance
	ucs:clusters:update	Updating cluster location information or activating a cluster
	ucs:addonTemplatesVersion:offline	Bringing an add-on template offline according to the version
	ucs:serviceRegistry:delete	Deleting a bound repository
	ucs:ciaMonitorClusters:update	Updating the configuration of a monitored cluster
	ucs:serviceRegistry:check	Checking whether a user is an administrator
	ucs:commodityServices:operate	Operating a commoditized service package
	ucs:addons:delete	Deleting an add-on instance
	ucs:ciaEvents:update	Updating an event
	ucs:ciaAlertRules:update	Updating an alarm rule
	ucs:serviceOperators:operate	Operating a service operator
	ucs:serviceRegistry:create	Creating a bound repository
	ucs:ciaAlertRules:delete	Deleting an alarm rule
	ucs:ciaInstances:delete	Deleting a Container Intelligent Analysis instance
	ucs:serviceInstances:update	Updating a service instance
	ucs:permissionsRules:update	Updating a permission policy
	ucs:serviceInstances:create	Creating a service instance
	ucs:permissionsTemplates:delete	Deleting a permission template
	ucs:addons:update	Updating an add-on instance
	ucs:ciaInstanceEndpoints:create	Creating a network access point for a Container Intelligent Analysis instance
	ucs:addonTemplates:delete	Deleting an add-on template
	ucs:clusters:delete	Deleting a cluster
	ucs:permissionsRules:delete	Deleting a permission policy
	ucs:workloads:operate	Creating, deleting, and querying a workload
cce::	-	Performing all operations on CCE
swr::	-	Performing all operations on SWR
aom:*:get	-	Viewing AOM resource details
aom:*:list	-	Listing all AOM resources
smn:*:list	-	Listing all SMN resources
dns::get	-	Viewing details about all DNS resources
dns::list	-	Listing all DNS resources
dns:recordset:create	-	Creating a record set on DNS
dns:recordset:delete	-	Deleting a record set on DNS
dns:recordset:update	-	Updating a record set on DNS
dns:tag:get	-	Querying a resource tag on DNS
lts:*:get	-	Viewing details about all LTS resources
lts:*:list	-	Listing all LTS resources
apm:*:get	-	Viewing details about all APM resources
apm:*:list	-	Listing all APM resources
vpcep:epservices:*	-	Operating all VPC endpoint services on VPCEP
vpcep:connections:*	-	Connecting to all VPC endpoints on VPCEP
vpcep:endpoints:*	-	Operating all VPC endpoints on VPCEP
elb:*:get	-	Viewing details about all ELB resources
elb:*:list	-	Listing all ELB resources
vpc:*:get	-	Viewing details about all VPC resources
vpc:*:list	-	Listing all VPC resources
ief:*:get	-	Viewing details about all Intelligent EdgeFabric (IEF) resources
ief:*:list	-	Listing all IEF resources
cgs:images:operate	-	Synchronizing and scanning images on Container Guard Service (CGS)
cgs:*:get	-	Viewing details about all CGS resources
cgs:*:list	-	Listing all CGS resources
evs:types:get	-	Querying EVS disk types on EVS

**Table 2** Permissions in a UCS ReadOnlyAccess policy
Action	Specific Action	Description
ucs:*:get	ucs:clusters:get	Querying cluster details, cluster access information, or cluster certificate information
	ucs:clustergroups:get	Querying cluster group details
	ucs:workloads:get	Querying workload details
	ucs:permissionsRules:get	Querying permission policy details
	ucs:permissionsTemplates:get	Querying permission template details
	ucs:addonTemplates:get	Querying add-on template details
	ucs:addons:get	Querying add-on instance information
	ucs:serviceSubscriptions:get	Querying details about a subscribed service
	ucs:serviceInstances:get	Querying service instance details
	ucs:servicePlugins:get	Querying system add-on details
	ucs:serviceOperators:get	Querying a service operator
	ucs:servicePackages:get	Querying a service package and its version details
	ucs:serviceRegistry:get	Querying a bound repository
	ucs:commodityServices:get	Querying details about a commoditized service package
	ucs:commodityServiceRegions:get	Querying details about a supported region
ucs:*:list	ucs:clusters:list	Listing all clusters
	ucs:clustergroups:list	Listing all cluster groups
	ucs:workloads:list	Listing all workloads
	ucs:permissionsRules:list	Listing all permission policies
	ucs:permissionsTemplates:list	Listing all permission templates
	ucs:traffic:list	Listing all DNS record sets
	ucs:serviceSubscriptions:list	Listing all subscribed services
	ucs:serviceInstances:list	Listing all service instances
	ucs:servicePlugins:list	Listing all system add-ons
	ucs:serviceOperators:list	Listing all service operators
	ucs:servicePackages:list	Listing all service packages
	ucs:serviceRegistry:list	Listing all bound repositories
	ucs:commodityServices:list	Listing all commoditized service packages
	ucs:commodityServiceRegions:list	Listing supported regions
	ucs:commodityServiceBuckets:list	Listing OBS buckets of commoditized service packages
dns:*:get	-	Viewing details about all DNS resources
dns:*:list	-	Listing all DNS resources
cce:*:get	-	Viewing details about all CCE resources
cce:*:list	-	Listing all CCE resources
ief:*:get	-	Viewing details about all IEF resources
ief:*:list	-	Listing all IEF resources
aom:*:get	-	Viewing AOM resource details
aom:*:list	-	Listing all AOM resources
elb:*:get	-	Viewing ELB resource details
elb:*:list	-	Listing all ELB resources
vpc:*:get	-	Viewing VPC resource details A cluster must run in a VPC. When creating a namespace, create or associate a VPC for the namespace so that all containers in the namespace will run in the VPC.
vpc:*:list	-	Listing all VPC resources
swr:*:get	-	Viewing SWR resource details
swr:*:list	-	Listing all SWR resources
cgs:*:get	-	View details about all CGS resources
cgs:*:list	-	Listing all CGS resources

Least-Privilege Permissions Required by Each UCS Function

Services on Huawei Cloud are interdependent, so UCS depends on other cloud services to implement some functions (such as image repository and domain name resolution). The preceding four system-defined policies are often used together with the roles or policies of other cloud services for refined authorization. When granting permissions to IAM users, the administrator must comply with the principle of least privilege. Table 3 lists the least-privilege permissions required by the Administrator, Operator, and Viewer roles to use each UCS function.

If your Huawei Cloud account is used to log in to the UCS console for the first time, you need to grant permissions to the account. Then, UCS will create an agency named ucs_admin_trust for you in IAM. Do not delete or modify the agency.
If the user group that an IAM user belongs to is not granted any permissions, you cannot access the UCS console. Grant permissions by referring to Table 3.
UCS FullAccess does not have the RBAC permissions of CCE clusters. You need to go to the Permissions page to grant permissions for CCE clusters as described in the following table.

**Table 3** Least-privilege permissions required by each UCS function
Function	Permission Type	Permissions	Least-Privilege Permissions
Fleets	Administrator	Creating and deleting a fleet Registering a Huawei Cloud cluster (CCE standard cluster or CCE Turbo cluster), an on-premises cluster, or an attached cluster Unregistering a cluster Adding a cluster to or removing a cluster from a fleet Adding permissions for a cluster or fleet Enabling cluster federation and performing federation management operations (such as creating a workload and creating a DNS policy)	UCS FullAccess
Fleets	Viewer	Querying the list or details of clusters or fleets	UCS ReadOnlyAccess
Huawei Cloud clusters	Administrator	Read-write permissions on Huawei Cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and Services)	UCS FullAccess + CCE Administrator
	Developer	Read-write permissions on Huawei Cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas	UCS CommonOperations + CCE Administrator
	Viewer	Read-only permissions on Huawei Cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and Services)	UCS ReadOnlyAccess + CCE Administrator
On-premises/Attached clusters	Administrator	Read-write permissions on on-premises/attached clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services)	UCS FullAccess
	Developer	Read-write permissions on on-premises/attached clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas	UCS CommonOperations + UCS RBAC permissions (The list permission for namespaces is required.)
	Viewer	Read-only permissions on on-premises/attached clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services)	UCS ReadOnlyAccess + UCS RBAC permissions (The list permission for namespaces is required.)
Image Repositories	Administrator	All permissions on SWR, including creating organizations, pushing images, viewing the image list or details, and pulling images	SWR Administrator
Permissions	Administrator	Creating and deleting permissions Viewing the permission list or details NOTE: When creating permissions, you need to grant the IAM ReadOnlyAccess permissions (read-only permissions on IAM) to IAM users to obtain the IAM user list.	UCS FullAccess + IAM ReadOnlyAccess
Permissions	Viewer	Viewing the permission list or details	UCS ReadOnlyAccess + IAM ReadOnlyAccess
Policy Center	Administrator	Enabling the Policy Center Creating and disabling a policy instance Viewing the policy list Viewing policy implementation details	UCS FullAccess
Policy Center	Viewer	For fleets and clusters with Policy Center enabled, users with such permissions can view the policy list and policy implementation details.	UCS CommonOperations or UCS ReadOnlyAccess
Traffic Distribution	Administrator	Operations such as creating a traffic policy as well as suspending and deleting a scheduling policy	(Recommended) UCS CommonOperations + DNS Administrator Alternative: UCS FullAccess + DNS Administrator
Traffic Distribution	Viewer	Viewing the traffic policy list or details	UCS ReadOnlyAccess + DNS Administrator
Container Intelligent Analysis	Administrator	Connecting clusters to a fleet or canceling cluster connection Viewing the monitoring data of infrastructures, workloads, and other resources	UCS CIAOperations

Custom Policies

Custom policies can be created as a supplement to the system-defined policies of UCS.

You can create custom policies in either of the following ways:

Visual editor: Select cloud services, actions, resources, and request conditions without the need to know policy syntax.
JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following lists examples of common UCS custom policies.

Examples

Example 1: Creating a cluster

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ucs:clusters:create"
            ]
        }
    ]
}

Example 2: Denying cluster deletion
A policy with only "Deny" permissions must be used with other policies. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

If you want to grant the UCSFullAccess permissions to a user but prevent the user from deleting clusters (ucs:clusters:delete), you can create a custom policy that denies cluster deletion. Then, attach this policy with the UCSFullAccess policy to the user. Since an explicit denial in any policy takes precedence over any allowances, the user will have permissions to perform all operations on clusters except for deleting them. The following is an example policy that denies cluster deletion:
```
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ucs:clusters:delete"
            ]
        }
    ]
}
```

Example 3: Creating a custom policy containing multiple actions

A custom policy can contain the actions of multiple services that are of the global or project-level type. The following is an example policy containing actions of multiple services:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ucs:clustergroups:create",
                "ucs:ciaEvents:update",
                "ucs:addonTemplates:delete"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "obs:bucket:GetBucketInventoryConfiguration",
                "obs:bucket:CreateBucket"
            ]
        }
    ]
}

Parent topic: Permissions

Previous topic: UCS Permissions

Next topic: Kubernetes Resource Permissions in a Cluster (Kubernetes RBAC-based)

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot