Using IAM Roles or Policies to Grant Access to SMN

System-defined permissions in Role/Policy-based Authorization provided by Identity and Access Management (IAM) let you control access to SMN. With IAM, you can:

Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own identity credentials for accessing SMN resources.
Grant users only the permissions required to perform a given task based on their job responsibilities.
Entrust a Huawei Cloud account or cloud service to perform efficient O&M on your SMN resources.

If your Huawei Cloud account meets your permissions requirements, you can skip this topic.

Figure 1 shows the process of authorization with policies/roles.

Prerequisites

Before granting permissions to user groups, learn about system-defined permissions in Role/Policy-based Permissions Management for SMN. To grant permissions for other services, you have learned about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process for granting the SMN permissions
Click to enlarge

On the IAM console, create a user group and grant it permissions (SMN Administrator as an example).
Create a user group on the IAM console and attach the SMN Administrator policy to the group.
Create an IAM user and add it to the created user group.
Create a user on the IAM console and add the user to the group created in 1.
Log in as the IAM user and verify permissions.
Log in to the SMN console as the created user, switch to the region where the user has been granted the SMN Administrator permissions, and verify that the user only has the SMN Administrator permissions.
- Click Service List and select Simple Message Notification. On the SMN console, choose Topic Management > Topics and click Create Topic in the upper right corner. If the topic is successfully created, the SMN Administrator permissions have already taken effect.
- Choose any other service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the SMN Administrator permissions have already taken effect.

Example SMN Custom Policies

You can create custom policies to supplement the system-defined policies of SMN. For actions supported by custom policies, see Actions Supported by Role/Policy-based Authorization.

To create a custom policy, choose either visual editor or JSON.

Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following lists examples of common SMN custom policies.

Example 1: Grant permissions to create a topic.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "smn:topic:create"
            ]
        }
    ]
}

Example 2: Grant permissions to deny topic deletion.
A policy with only "Deny" permissions must be used with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

The following method can be used if you need to assign permissions of the SMN FullAccess policy to a user but also forbid the user from deleting topics. Create a custom policy for denying topic deletion and attach both policies to the group the user belongs to. Then the user can perform all operations on SMN except deleting topics. The following is an example of a deny policy:
```
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "smn:topic:delete"
            ]
        }
    ]
}
```

Example 3: Create a custom policy containing multiple actions.

A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level). The following is a custom policy containing multiple actions:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "smn:topic:create",
                "smn:tag:create",
                "smn:application:create"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elb:certificates:create",
                "elb:whitelists:create",
                "elb:pools:create",
                "elb:members:create",
                "elb:healthmonitors:create",
                "elb:l7policies:create",
                "elb:listeners:create",
                "elb:loadbalancers:create"
            ]
        }
    ]
}

Parent topic: Using IAM to Grant Permissions to Using SMN

Previous topic: Using IAM to Grant Permissions to Using SMN

Next topic: Using IAM Identity Policies to Grant Access to SMN