Updated on 2025-12-12 GMT+08:00

Using IAM Roles or Policies to Grant Access to WAF

If you need to grant personnel in your enterprise different permissions on your WAF resources, you can use Identity and Access Management (IAM) to control access to WAF. IAM allows you to:

  • Create IAM users under your Huawei Cloud account for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing WAF resources.
  • Grant only the permissions required for users to perform a task.
  • Entrust another Huawei Cloud account or cloud service to perform professional and efficient O&M on your WAF resources.

If your Huawei Cloud account does not require individual IAM users, skip this chapter.

This section describes the role-based authorization method. Figure 1 shows the authorization process.

Prerequisites

Before granting permissions to user groups, learn about system permissions in role-based authorization. For details about all the permissions supported by IAM, see Permissions.

Process Flow

Figure 1 Process for granting permissions
  1. Create a user group and grant permissions.

    Create a user group on the IAM console, and attach the WAF ReadOnlyAccess permission to the group.

  2. Create a user and add the user to a user group.

    Create a user on the IAM console and add the user to the group created in 1.

  3. Log in as an IAM user and verify permissions.

    Log in to the WAF console as the newly created user and verify that the user has only the WAF ReadOnlyAccess permission attached in 1.

    • To confirm that write operations are blocked: Choose Service List > Web Application Firewall. On the WAF console, click Create WAF to apply for a dedicated WAF instance. If the request is rejected for lack of permissions, the WAF ReadOnlyAccess policy is in effect.
    • To confirm that no other permissions were granted: Choose any other service in Service List. If a message appears indicating that you do not have permissions to access that service, the user group carries only the WAF ReadOnlyAccess policy.

WAF Example Custom Policies

If the system-defined policies of WAF cannot meet your needs, you can create custom policies. Add actions in custom policies as needed. For details about supported actions, see Actions Supported by Policy-based Authorization.

You can create custom policies on Huawei Cloud in either of the following ways:

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Edit JSON policies from scratch or based on an existing policy.

For details, see Creating a Custom Policy.

WAF does not support the g:RequestedRegion request condition key. Do not select this condition key when adding a request condition. Otherwise, the custom policy does not take effect.

If the WAF console displays a message indicating that you do not have the permission to perform an operation, check whether the g:RequestedRegion condition key has been added to the request condition. If yes, deselect g:RequestedRegion from the visual editor or delete g:RequestedRegion from the JSON editor.

The following provides examples of custom WAF policies.

  • Example 1: Allowing users to query the protected domain list
    {
            "Version": "1.1",
            "Statement": [
                    {
                            "Effect": "Allow",
                            "Action": [
                                    "waf:instance:list"
                            ]
                    }
            ]
    }
  • Example 2: Denying a user's request to delete web tamper protection rules

    A deny policy must be used together with other policies. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    Use the following method if you need to grant a user the WAF FullAccess policy but forbid that user from deleting web tamper protection rules (waf:antiTamperRule:delete). Create a custom policy whose only action is deleting web tamper protection rules, set its Effect to Deny, and attach both this policy and the WAF FullAccess policy to the group the user belongs to. The user can then perform all WAF operations except deleting web tamper protection rules. The following is a policy that denies web tamper protection rule deletion.

    {
            "Version": "1.1",
            "Statement": [
                    {
                            "Effect": "Deny",
                            "Action": [
                                    "waf:antiTamperRule:delete"
                            ]
                    }
            ]
    }
  • Multi-action policy

    A custom policy can contain actions of multiple services, provided that all of the services are project-level services. The following is an example policy containing actions of multiple services:

    {
            "Version": "1.1",
            "Statement": [
                    {
                            "Effect": "Allow",
                            "Action": [
                                    "waf:instance:get",
                                    "waf:certificate:get"
                            ]
                    },
                   {
                            "Effect": "Allow",
                            "Action": [
                                    "hss:hosts:switchVersion",
                                    "hss:hosts:manualDetect",
                                    "hss:manualDetectStatus:get"
                            ]
                    }
            ]
    }
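
The two rules stated above, that WAF custom policies must not carry the g:RequestedRegion condition key and that an explicit Deny overrides any Allow, are easy to check offline before a policy is attached. The following script is an added example, not Huawei Cloud code: it lints a policy in the JSON shape shown in the examples above and evaluates the effective decision for an action across a set of policies. The Condition layout (operator, then key, then value list) and the modelling of the system-defined WAF FullAccess policy as a wildcard "waf:*:*" are assumptions made for the example; the sample policies are constructed to mirror Example 2 and the g:RequestedRegion caveat.

```python
"""Lint Huawei Cloud IAM custom policies for WAF and evaluate effective permissions.

Added example, not Huawei Cloud code. Assumptions: policies use the
{"Version": "1.1", "Statement": [...]} shape shown on the page, and a Condition
is laid out as {operator: {key: [values]}}.
"""
import fnmatch
import json

# Condition key that WAF does not support; a policy carrying it does not take effect.
UNSUPPORTED_CONDITION_KEYS = {"g:RequestedRegion"}


def lint_policy(policy):
    """Return a list of problems found in a policy dict; an empty list means it passed."""
    problems = []
    if policy.get("Version") != "1.1":
        problems.append(f"Version is {policy.get('Version')!r}, expected '1.1'")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be 'Allow' or 'Deny'")
        actions = stmt.get("Action")
        if not isinstance(actions, list) or not actions:
            problems.append(f"statement {i}: Action must be a non-empty list")
        else:
            for action in actions:
                # Actions on the page take the form service:resource:operation.
                if action.count(":") != 2:
                    problems.append(f"statement {i}: action {action!r} is not service:resource:operation")
        # Assumed layout: Condition -> operator -> {condition key: [values]}.
        for operator, keys in (stmt.get("Condition") or {}).items():
            for key in keys:
                if key in UNSUPPORTED_CONDITION_KEYS:
                    problems.append(
                        f"statement {i}: condition key {key} under {operator} is not supported by WAF; "
                        "remove it or the policy will not take effect"
                    )
    return problems


def lint_policy_json(text):
    """Lint a policy given as JSON text; a syntax error (e.g. a trailing comma) is a problem too."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    return lint_policy(policy)


def is_allowed(policies, action):
    """Decide whether `action` is permitted by the combined policies.

    An explicit Deny anywhere wins over Allow; with no matching Allow the
    result is an implicit deny. Wildcards in actions are matched with fnmatch.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            for pattern in stmt.get("Action", []):
                if fnmatch.fnmatchcase(action, pattern):
                    if stmt.get("Effect") == "Deny":
                        return False
                    allowed = True
    return allowed


# Constructed sample policies mirroring the page's Example 2.
DENY_TAMPER_DELETE = {
    "Version": "1.1",
    "Statement": [{"Effect": "Deny", "Action": ["waf:antiTamperRule:delete"]}],
}
# Stand-in for the system-defined WAF FullAccess policy (assumption: modelled as a wildcard).
WAF_FULL_ACCESS = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["waf:*:*"]}],
}
# Constructed policy that misuses the unsupported condition key.
BAD_REGION_POLICY = {
    "Version": "1.1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["waf:instance:list"],
        "Condition": {"StringEquals": {"g:RequestedRegion": ["cn-north-4"]}},
    }],
}

if __name__ == "__main__":
    print("deny policy:", lint_policy(DENY_TAMPER_DELETE) or "OK")
    print("region policy:", lint_policy(BAD_REGION_POLICY))
    group = [WAF_FULL_ACCESS, DENY_TAMPER_DELETE]
    for act in ("waf:antiTamperRule:delete", "waf:antiTamperRule:get", "waf:instance:list"):
        print(f"{act}: {'allowed' if is_allowed(group, act) else 'denied'}")
```

Run the linter over every custom policy before attaching it to a group; the evaluator is a local model of the Deny-over-Allow rule, useful for reasoning about a group's effective permissions, not a substitute for the verification step of logging in as the IAM user.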