Examples of Custom Policies for Networks and ACLs
The actions for custom networks and ACLs are not included in the BMS FullAccess, BMS CommonOperations, or BMS ReadOnlyAccess system policies. To let a user create, view, modify, or delete custom networks or ACLs, you must grant these actions through a custom policy.
This section describes only the JSON text of the policies in different scenarios. For details about authorization, see Creating a User and Granting Permissions.
For details about other service actions involved in the following scenarios, see section "Permissions Policies and Supported Actions" in the API reference of each service.
Scenario 1: Configuring Actions Required By Custom Networks and ACLs
Actions: ecs:servers:list and bms:servers:list
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list"
            ]
        }
    ]
}
If these two actions are not granted, the user cannot open the BMS list page or perform any operation on custom networks or ACLs. Every policy in the scenarios below therefore includes them.
Scenario 2: Creating a Custom Network
The bms:virtualNetworks:create action is used to create a custom network.
In addition, the vpc:vpcs:list action is used to query the VPC list on the network creation page.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:virtualNetworks:create"
            ]
        }
    ]
}
Scenario 3: Querying the Custom Network List
The bms:virtualNetworks:list action is used to query the custom network list.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:virtualNetworks:list"
            ]
        }
    ]
}
Scenario 4: Querying Custom Network Details
The bms:virtualNetworks:get action is used to query custom network details.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:virtualNetworks:list",
                "bms:virtualNetworks:get"
            ]
        }
    ]
}
Scenario 5: Changing the Name of a Custom Network
The bms:virtualNetworks:update action is used to change the name of a custom network.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:virtualNetworks:list",
                "bms:virtualNetworks:get",
                "bms:virtualSubnets:create",
                "bms:virtualNetworks:update"
            ]
        }
    ]
}
Note that this policy also grants bms:virtualSubnets:create, the action for adding a custom subnet (Scenario 7), which this scenario does not call for. If the user only needs to rename networks, omit that action so the policy stays at the minimum set.
Scenario 6: Deleting a Custom Network
The bms:virtualNetworks:delete action is used to delete a custom network.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:virtualNetworks:list",
                "bms:virtualNetworks:get",
                "bms:virtualNetworks:delete"
            ]
        }
    ]
}
Scenario 7: Adding a Custom Subnet
The bms:virtualSubnets:create action is used to add a custom subnet.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:virtualNetworks:list",
                "bms:virtualNetworks:get",
                "bms:virtualSubnets:list",
                "bms:virtualSubnets:create"
            ]
        }
    ]
}
Scenario 8: Querying the Custom Subnet List
The bms:virtualSubnets:list action is used to query the custom subnet list.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:virtualNetworks:list",
                "bms:virtualNetworks:get",
                "bms:virtualSubnets:list"
            ]
        }
    ]
}
In the network ACL workflow, this action is needed only when a custom network ACL is associated with a custom subnet (see Scenario 13).
Scenario 9: Deleting a Custom Subnet
The bms:virtualSubnets:delete action is used to delete a custom subnet.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:virtualNetworks:list",
                "bms:virtualNetworks:get",
                "bms:virtualSubnets:list",
                "bms:virtualSubnets:delete"
            ]
        }
    ]
}
Scenario 10: Creating a Custom Network ACL
The bms:firewallGroups:create action is used to create a custom network ACL.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:firewallGroups:list",
                "bms:firewallGroups:create"
            ]
        }
    ]
}
Scenario 11: Querying the Custom Network ACL List
The bms:firewallGroups:list action is used to query the custom network ACL list.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:firewallGroups:list"
            ]
        }
    ]
}
Scenario 12: Querying Custom Network ACL Details
The bms:firewallGroups:get action is used to query custom network ACL details.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:firewallGroups:list",
                "bms:firewallGroups:get"
            ]
        }
    ]
}
Scenario 13: Modifying a Custom Network ACL
With this permission you can modify the ACL name and description; add, modify, delete, enable, and disable ACL rules; insert rules above or below existing rules; and associate the ACL with a custom subnet (which additionally requires bms:virtualSubnets:list).
The bms:firewallGroups:update action is used to modify a custom network ACL.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:firewallGroups:list",
                "bms:firewallGroups:get",
                "bms:virtualSubnets:list",
                "bms:firewallGroups:update"
            ]
        }
    ]
}
Scenario 14: Deleting a Custom Network ACL
The bms:firewallGroups:delete action is used to delete a custom network ACL.
The policy is as follows:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:servers:list",
                "bms:servers:list",
                "vpc:vpcs:list",
                "bms:firewallGroups:list",
                "bms:firewallGroups:get",
                "bms:firewallGroups:delete"
            ]
        }
    ]
}
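The scenarios above all follow one pattern: the two baseline actions from Scenario 1 plus the smallest set of bms and vpc actions the operation needs. The following Python script is an added example, not Huawei Cloud code or tooling: it parses a Version 1.1 custom policy, resolves its Allow and Deny statements (an explicit Deny is treated here as overriding Allow, and wildcard actions such as bms:*:* are matched with fnmatch), and reports which actions a scenario still lacks and which it grants beyond the minimum. The scenario keys, the REQUIRED table and the sample policies are constructed for the example; the action strings are the ones listed on this page.

```python
import json
from fnmatch import fnmatchcase

# Added example (not Huawei Cloud code): audit a Version 1.1 custom policy against
# the minimum action set a scenario on this page requires.

# Scenario 1: every custom-network/ACL scenario needs these two actions.
BASELINE = {"ecs:servers:list", "bms:servers:list"}

# Minimum action sets copied from the scenarios on this page. The rename entry
# (Scenario 5) is listed without bms:virtualSubnets:create, which renaming does not use.
REQUIRED = {
    "create_network": BASELINE | {"vpc:vpcs:list", "bms:virtualNetworks:create"},
    "rename_network": BASELINE | {"vpc:vpcs:list", "bms:virtualNetworks:list",
                                  "bms:virtualNetworks:get", "bms:virtualNetworks:update"},
    "modify_acl": BASELINE | {"vpc:vpcs:list", "bms:firewallGroups:list", "bms:firewallGroups:get",
                              "bms:virtualSubnets:list", "bms:firewallGroups:update"},
}


def effective_actions(policy):
    """Return the action patterns the policy effectively allows.

    Checks the structure the page relies on (Version 1.1, a Statement list with
    Effect and Action) and lets an explicit Deny override a matching Allow.
    """
    if policy.get("Version") != "1.1":
        raise ValueError("custom policies on this page use Version 1.1")
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):  # tolerate a single action given as a string
            actions = [actions]
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        bucket.update(actions)
    # Drop every allowed entry that some Deny pattern matches (wildcards included).
    return {a for a in allowed if not any(fnmatchcase(a, d) for d in denied)}


def audit(policy, scenario):
    """Compare a policy with the minimum action set of one scenario.

    missing   - required actions no granted pattern covers (the operation is refused)
    excess    - concrete granted actions the scenario does not need
    wildcards - granted patterns containing '*', which over-grant for these scenarios
    """
    required = REQUIRED[scenario]
    granted = effective_actions(policy)
    missing = sorted(a for a in required if not any(fnmatchcase(a, g) for g in granted))
    excess = sorted(g for g in granted if "*" not in g and g not in required)
    wildcards = sorted(g for g in granted if "*" in g)
    return {"missing": missing, "excess": excess, "wildcards": wildcards}


# Constructed inputs: the Scenario 5 policy as printed above, plus two variants.
SCENARIO5_POLICY = json.loads("""
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [
  "ecs:servers:list", "bms:servers:list", "vpc:vpcs:list", "bms:virtualNetworks:list",
  "bms:virtualNetworks:get", "bms:virtualSubnets:create", "bms:virtualNetworks:update" ] } ] }
""")
# Wildcard grant: works, but hands the user every BMS action.
TOO_BROAD = {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": [
    "ecs:servers:list", "bms:servers:list", "vpc:vpcs:list", "bms:*:*"]}]}
# A Deny on the subnet list action silently breaks ACL-to-subnet association.
TOO_NARROW = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED["modify_acl"])},
    {"Effect": "Deny", "Action": ["bms:virtualSubnets:list"]},
]}

if __name__ == "__main__":
    for name, pol, scen in [("scenario5", SCENARIO5_POLICY, "rename_network"),
                            ("too_broad", TOO_BROAD, "rename_network"),
                            ("too_narrow", TOO_NARROW, "modify_acl")]:
        print(name, json.dumps(audit(pol, scen)))
```

Run against the Scenario 5 policy, the audit reports bms:virtualSubnets:create as excess and nothing missing; the wildcard variant passes functionally but is flagged for over-granting, and the Deny variant shows bms:virtualSubnets:list as missing even though it appears in an Allow statement.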