Permissions Management of CBH Instances
If you need to assign different permissions to employees in your enterprise to manage your CBH instances, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your cloud resources.
With IAM, you can create IAM users under your account for your employees, and assign permissions to the users to control their access to specific resource types. For example, you can create IAM users for the software developers and assign specific permissions to allow them to only use CBH instances but not to create, change specifications of, or upgrade CBH instances.
If your account does not need individual IAM users for permissions management, then you may skip over this section.
IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.
CBH Instance Permissions
By default, new IAM users do not have any permissions assigned. You can add a user to one or more groups to allow them to inherit the permissions from the groups to which they are added.
CBH is a project-level service deployed and accessed in specific physical regions. To assign CBH permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing a CBH instance, switch to a region where they have been authorized to use the CBH instance.
You can grant users permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to users responsibilities. Only a limited number of service-level roles for authorization are available. Some roles depend other roles to take effect. When you assign such roles to users, remember to assign the roles they depend on. Roles are not ideal for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant CBH users only the permissions for managing a certain type of resources. For details about the actions supported by CBH, see Permissions and Supported Actions.
Table 1 lists some system-defined roles and policies supported by CBH instances.
|
Role/Policy Name |
Description |
Type |
Dependency |
|---|---|---|---|
|
CBH FullAccess |
All permissions (except the payment permission) on CBH instances |
System-defined policy |
None |
|
CBH ReadOnlyAccess |
Read-only permissions for CBH instances. Users who have read-only permissions granted can only view CBH instances but not configure services. |
System-defined policy |
None |
To use all CBH functions on the CBH console, you need to have the CBH FullAccess role assigned at the enterprise project level and the CBH ReadOnlyAccess role assigned at the IAM project level.
Table 2 lists the common operations for each system-defined policy or role of CBH instances. Select the policies or roles as required.
|
Operation |
CBH FullAccess |
CBH ReadOnlyAccess |
|---|---|---|
|
Creating a CBH instance |
√ |
x |
|
Changing CBH instance specifications (changing specifications) |
√ |
x |
|
Querying the CBH instance list |
√ |
√ |
|
Upgrading the CBH system version |
√ |
x |
|
Querying total ECS quota |
√ |
x |
|
Binding or unbinding an EIP |
√ |
x |
|
Restarting a CBH instance |
√ |
x |
|
Starting a CBH instance |
√ |
x |
|
Stopping a CBH instance |
√ |
x |
|
Querying the AZ of a CBH instance |
√ |
x |
|
Checking whether an IPv6 CBH instance can be created |
√ |
x |
|
Checking network connection between the CBH instance and the license center |
√ |
x |
|
Modifying the network of the CBH instance to ensure that the CBH instance can communicate with the license center |
√ |
x |
Role/Policy Dependencies of the CBH Console
|
Console Function |
Dependency |
Role/Policy Required |
|---|---|---|
|
Creating a bastion host |
Elastic Cloud Server (ECS) Virtual Private Cloud (VPC) |
In addition to CBH FullAccess role, the ECS CommonOperations and VPC FullAccess roles are required for an IAM user to create CBH instances on the console. |
|
Binding or unbinding an EIP |
Elastic IP (EIP) |
In addition to CBH FullAccess role, the VPC FullAccess role is required for an IAM user to bind an EIP to or unbind an EIP from a CBH instance. |
|
Updating the security group for a CBH instance |
Virtual Private Cloud (VPC) |
In addition to CBH FullAccess role, the VPC FullAccess role is required for an IAM user to change the security group for a CBH instance. |
|
Creating a cloud asset agency |
Data Encryption Workshop (DEW) Elastic Cloud Server (ECS) Relational Database Service (RDS) Identity and Access Management (IAM) |
After the CBH FullAccess permission is configured for an IAM user, you need to add related permissions for the user based on Manually Adding Permissions for CBH FullAccess. |
CBH FullAccess Policy Content
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cbh:*:*",
"vpc:subnets:get",
"vpc:publicIps:list",
"vpc:vpcs:list",
"vpc:securityGroups:get",
"vpc:firewallGroups:get",
"vpc:firewallPolicies:get",
"vpc:firewallRules:get",
"vpc:ports:get",
"vpc:publicips:update",
"vpc:securityGroups:create",
"vpc:firewallRules:create",
"vpc:firewallPolicies:addRule"
"ecs:cloudServerFlavors:get",
"evs:types:get"
]
}
]
}
CBH ReadOnlyAccess Policy Content
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cbh:*:list*",
"vpc:publicIps:list",
"vpc:vpcs:list",
"vpc:securityGroups:get",
"vpc:subnets:get"
]
}
]
}
Manually Adding Permissions for CBH FullAccess
When using a bastion host, you need to manually add permissions to create cloud asset agencies and bind or unbind EIPs.
|
Permission |
Description |
|---|---|
|
csms:secretVersion:get |
Grants the permissions to obtain secrets from CSMS. |
|
csms:secret:list |
Grants the permission to obtain the CSMS secret list. |
|
kms:dek:create |
Grants the permission to create keys in KMS. |
|
kms:cmk:list |
Grants the permission to obtain the KMS key list. |
|
ecs:cloudServers:list |
Grants the permission to obtain the ECS list. |
|
rds:instance:list |
Grants the permission to obtain the RDS instance list. |
|
vpc:vpcs:get |
Grants the permission to query VPC details. |
|
vpc:publicIps:get |
Grants the permission to query the EIP of a VPC. |
|
vpc:ports:update |
Grants the permission to bind or unbind an EIP. |
|
iam:agencies:listAgencies |
Grants the permission to obtain the IAM agency list. |
|
iam:permissions:listRolesForAgencyOnProject |
Grants the permission to obtain the IAM agency role list. |
|
iam:agencies:createAgency |
Grants the permission to create an IAM agency. |
|
iam:permissions:revokeRoleFromAgencyOnProject |
Grants the permission to associate the IAM agency with a role. |
|
iam:roles:createRole |
Grants the permission to create an IAM agency role. |
Manually Adding Permissions for CBH ReadOnlyAccess
When using a bastion host instance, you need to manually add the permission to view the instance details.
|
Permission |
Description |
|---|---|
|
vpc:vpcs:get |
Grants permission to query VPC details. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
