Updated on 2025-11-11 GMT+08:00

Using IAM Roles or Policies to Grant Access to GaussDB

System-defined permissions in Role/Policy-based Authorization provided by Identity and Access Management (IAM) let you control access to GaussDB. With IAM, you can:

  • Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing GaussDB resources.
  • Grant only the permissions required for users to perform a specific task.
  • Entrust a Huawei Cloud account or a cloud service to perform professional and efficient O&M on your GaussDB resources.

If your Huawei Cloud account does not require individual IAM users, skip this section.

Figure 1 shows the process flow of role/policy-based authorization.

Prerequisites

Before granting permissions to user groups, learn about system-defined permissions in Role/Policy-based Permission Management for GaussDB. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process of granting GaussDB permissions

  1. On the IAM console, create a user group and grant it permissions (GaussDB ReadOnlyAccess as an example).
  2. Create an IAM user and add it to the created user group.
  3. Log in as the IAM user and verify permissions.

    Log in to the console by using the created user, and verify that the user only has read permissions for GaussDB.

    • Choose Service List > GaussDB. On the GaussDB console, click Create DB Instance in the upper right corner to create a GaussDB instance. If the instance cannot be created (the user has been assigned only the GaussDB ReadOnlyAccess permission), the GaussDB ReadOnlyAccess permission has taken effect.
    • Choose any other service in the service list. If a message appears indicating that you have insufficient permissions to access the service, the user has been granted only the GaussDB ReadOnlyAccess policy and that policy has taken effect.

Example Custom Policies

Custom policies can be created to supplement the system-defined policies of GaussDB. Add actions in custom policies as needed. For details, see Actions Supported by Policy-based Authorization.

To create a custom policy, choose either visual editor or JSON.
  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following contains examples of common GaussDB custom policies.

  • Example 1: Grant permission to create GaussDB instances.
    {
        "Version": "V2.0-8.103",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "gaussdb:instance:create"
                ]
            }
        ]
    }
  • Example 2: Deny GaussDB instance deletion.

    A policy with only "Deny" permissions must be used in conjunction with other policies. If the policies assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.

    The following method can be used if you need to assign permissions of the GaussDB FullAccess policy to a user but you want to prevent the user from deleting GaussDB DB instances. Create a custom policy for denying GaussDB DB instance deletion, and attach both policies to the group to which the user belongs. Then, the user can perform all operations on GaussDB DB instances except deleting GaussDB DB instances. The following is an example of a deny policy:

    {
        "Version": "V2.0-8.103",
        "Statement": [
            {
                "Action": [
                    "gaussdb:instance:delete"
                ],
                "Effect": "Deny"
            }
        ]
    }
  • Example 3: Create a custom policy containing multiple actions.

    A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level). The following is an example policy containing actions of multiple services:

    {
        "Version": "V2.0-8.103",
        "Statement": [
            {
                "Action": [
                    "gaussdb:instance:create",
                    "gaussdb:instance:delete",
                    "lts:*:list",
                    "tms:*:list",
                    "vpc:*:get"
                ],
                "Effect": "Allow"
            }
        ]
    }

GaussDB Resources

A resource is an object that exists within a service. GaussDB resources include instances and nodes. To select these resources, specify their paths.

Table 1 GaussDB resources and their paths

  Resource | Path
  Instance | gaussdb:<region>:<account-id>:instance:<instance-id>

GaussDB Request Conditions

Request conditions are useful in determining when a custom policy is in effect. A request condition consists of condition keys and operators. Condition keys are either global or service-level and are used in the Condition element of a policy statement. Global condition keys (starting with g:) are available for operations of all services, while service-specific condition keys (starting with a service name such as gaussdb:) are available only for operations of specific services. An operator must be used together with a condition key to form a complete condition statement.

GaussDB has a group of condition keys predefined in IAM. For example, you can use the condition key hw:SourceIp to match requesters by IP address and then allow actions. The following table lists the GaussDB predefined condition keys.

Table 2 GaussDB predefined condition keys

  Condition Key         | Operator | Description
  gaussdb:BackupEnabled | boolean  | Filters access by the tag key that specifies whether to enable the backup policy in the request. Select Default for Qualifier.
  gaussdb:Encrypted     | boolean  | Filters access by the tag key that specifies whether to enable disk encryption in the request. Select Default for Qualifier.
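The following Python script is an added example, not part of this page or of Huawei Cloud IAM, that models how the policies in Examples 1 to 3 combine (explicit Deny overrides Allow, anything not allowed is implicitly denied, "lts:*:list"-style wildcards) and how a predefined condition key such as gaussdb:Encrypted gates a statement. The stand-in for the GaussDB FullAccess system policy ("gaussdb:*:*"), the "Bool" operator used inside "Condition", and the request context values are all constructed assumptions for illustration; only the action names, the Version string and the Table 1 path layout come from the page. The real IAM engine is not modelled beyond those rules.

```python
"""Toy evaluator for GaussDB custom policies (added example, assumptions marked)."""
from fnmatch import fnmatchcase  # glob matching for action patterns like "lts:*:list"

# Constructed stand-in for the GaussDB FullAccess system policy (assumption: it allows every gaussdb action).
FULL_ACCESS = {
    "Version": "V2.0-8.103",
    "Statement": [{"Effect": "Allow", "Action": ["gaussdb:*:*"]}],
}

# Example 2 from the page: a Deny-only policy that must be combined with an Allow policy.
DENY_DELETE = {
    "Version": "V2.0-8.103",
    "Statement": [{"Action": ["gaussdb:instance:delete"], "Effect": "Deny"}],
}

# Example 3 from the page: several services' actions in one statement.
MULTI_SERVICE = {
    "Version": "V2.0-8.103",
    "Statement": [{
        "Action": ["gaussdb:instance:create", "gaussdb:instance:delete",
                   "lts:*:list", "tms:*:list", "vpc:*:get"],
        "Effect": "Allow",
    }],
}

# Constructed: allow instance creation only when the request enables disk encryption.
# The "Bool" operator name is an assumption; Table 2 only states the operator type is boolean.
ENCRYPTED_ONLY = {
    "Version": "V2.0-8.103",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["gaussdb:instance:create"],
        "Condition": {"Bool": {"gaussdb:Encrypted": "true"}},
    }],
}


def condition_holds(condition, context):
    """Return True when every operator/key pair in the Condition matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # key absent from the request: the condition cannot match
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if str(actual) != str(expected):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(policies, action, context=None):
    """Combine all policies attached to a user group into one decision for one action.

    Rules modelled: a matching Deny statement wins over any Allow; an action that no
    statement allows is implicitly denied; statements with a Condition only count when it holds.
    """
    context = context or {}
    decision = "Deny"  # implicit deny until some Allow statement matches
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if not any(fnmatchcase(action, pattern) for pattern in actions):
                continue
            if not condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny takes precedence over every Allow
            decision = "Allow"
    return decision


def parse_instance_path(path):
    """Split a Table 1 instance path gaussdb:<region>:<account-id>:instance:<instance-id>."""
    parts = path.split(":")
    if len(parts) != 5 or parts[0] != "gaussdb" or parts[3] != "instance":
        raise ValueError(f"not a GaussDB instance path: {path}")
    return {"region": parts[1], "account_id": parts[2], "instance_id": parts[4]}


if __name__ == "__main__":
    group = [FULL_ACCESS, DENY_DELETE]  # Example 2: FullAccess plus the Deny policy
    print("delete:", evaluate(group, "gaussdb:instance:delete"))   # Deny
    print("create:", evaluate(group, "gaussdb:instance:create"))   # Allow
    print("Deny-only policy alone:", evaluate([DENY_DELETE], "gaussdb:instance:create"))  # Deny
    print("wildcard:", evaluate([MULTI_SERVICE], "lts:topic:list"))  # Allow
    print("encrypted:", evaluate([ENCRYPTED_ONLY], "gaussdb:instance:create",
                                 {"gaussdb:Encrypted": True}))  # Allow
    print(parse_instance_path("gaussdb:example-region:0123456789abcdef:instance:inst-0001"))
```

Running the script shows the behaviour the page describes for Example 2: with both policies attached, every GaussDB action except deletion is allowed, and attaching the Deny-only policy on its own grants nothing at all, which is why the page says it must be used together with other policies.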