Using IAM Identity Policies to Grant Access to DWS
This section applies to IAM 5.0.
If you need to manage the permissions for your DWS resources, you can use IAM. With IAM, you can:
- Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing DWS resources.
- Grant only the permissions required for users to perform specific tasks.
- Entrust a Huawei Cloud account or a cloud service to perform professional and efficient O&M on your DWS resources.
If your Huawei Cloud account alone meets your requirements, you can skip this section. Skipping it does not affect any other DWS function.
This section describes the procedure for granting permissions (see Procedure).
Prerequisites
Before granting permissions, make sure you understand DWS permissions. For details about the system-defined identity policies supported by DWS, see DWS Permissions Management. For details about the permissions of other services, see System-defined Permissions.
Procedure
This section describes how to grant the DWSReadOnlyPolicy system-defined identity policy to a user or user group. If the user cannot create a DWS cluster after logging in to the console (assuming the user has only the DWSReadOnlyPolicy permission), DWSReadOnlyPolicy has taken effect. To allow the user to create a DWS cluster or perform other operations, grant the required DWS identity policies to the user. For details about the policies, see DWS System-defined Identity Policies.
- On the IAM console, create an IAM user or create a user group.
Create a user or user group on the IAM console.
- Attach a system-defined identity policy.
Grant the system-defined identity policy DWSReadOnlyPolicy to a user or user group, or attach the policy to the user or user group.
- Log in as the IAM user and verify permissions.
Log in to the console as an authorized user and verify the permissions.
- Choose Service List > Data Warehouse Service to enter the DWS management console, and click Create DWS Cluster to create a data warehouse cluster. If you cannot create one (assuming you have only the DWSReadOnlyPolicy permission), DWSReadOnlyPolicy has taken effect.
- Choose any other service in Service List. If only the DWSReadOnlyPolicy policy is attached and a message is displayed indicating that you have insufficient permission to access the service, DWSReadOnlyPolicy has taken effect.
Example Custom Policies
You can create custom identity policies to supplement the system-defined identity policies of DWS. For the actions supported for custom identity policies, see Permissions Policies and Supported Actions.
You can create custom policies in either of the following ways:
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Identity Policy and Attaching It to a Principal.
When creating a custom identity policy, use the Resource element to specify the resources the policy applies to and use the Condition element (service-specific condition keys) to control when the policy is in effect. For details about the supported resource types and condition keys, see Supported Actions in ABAC.
The following are examples of DWS custom identity policies:
- Example 1: Granting the permission to obtain the data warehouse cluster list and restart the data warehouse cluster
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dws:cluster:list*",
        "dws:cluster:getCountDown",
        "dws::list*",
        "dws:service:listEps",
        "dws:cluster:restart",
        "tms:predefineTags:list",
        "vpc:securityGroups:get"
      ]
    }
  ]
}
- Example 2: Defining permissions for multiple services in a policy
A custom policy can contain the actions of one or more services. The following is an example policy containing actions of multiple services:
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dws:cluster:list*",
        "dws:cluster:getCountDown",
        "dws::list*",
        "dws:service:listEps",
        "dws:cluster:restart"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*:get*",
        "vpc:*:list*",
        "tms:predefineTags:list"
      ]
    }
  ]
}
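The procedure above verifies a policy by hand (try to create a cluster, expect failure), and the custom policy examples show the JSON shape but not how wildcard actions such as "dws:cluster:list*" are matched. The following Python script is an added example, not Huawei Cloud code and not the IAM service's real evaluation engine: it lints the Version/Statement/Effect/Action structure used on this page and evaluates a simplified model (deny by default, "*" matches any run of characters, explicit Deny overrides Allow) against the Example 1 policy. The action names "dws:cluster:listClusters" and "dws:cluster:create" and the separate Deny policy are hypothetical, used only to exercise wildcard matching and the default deny; the remaining action names are taken from the page.

```python
import fnmatch
import json

# Constructed input: the Example 1 custom identity policy from this page, as a JSON string.
EXAMPLE_1_POLICY_JSON = """
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dws:cluster:list*",
        "dws:cluster:getCountDown",
        "dws::list*",
        "dws:service:listEps",
        "dws:cluster:restart",
        "tms:predefineTags:list",
        "vpc:securityGroups:get"
      ]
    }
  ]
}
"""

# Constructed input (hypothetical policy): an explicit Deny on an action named on the page.
DENY_RESTART_POLICY_JSON = """
{
  "Version": "5.0",
  "Statement": [
    { "Effect": "Deny", "Action": ["dws:cluster:restart"] }
  ]
}
"""

EXAMPLE_1_POLICY = json.loads(EXAMPLE_1_POLICY_JSON)
DENY_RESTART_POLICY = json.loads(DENY_RESTART_POLICY_JSON)


def validate_policy(policy: dict) -> list:
    """Check the Version/Statement/Effect/Action shape used by the examples on this page.

    Returns a list of human-readable problems; an empty list means the shape is acceptable.
    This is a structural lint only, not a substitute for the IAM console's own validation."""
    problems = []
    if policy.get("Version") != "5.0":
        problems.append("Version must be the string '5.0'")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        problems.append("Statement must be a non-empty list")
        return problems
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement {i}: Effect must be 'Allow' or 'Deny'")
        actions = stmt.get("Action")
        if not isinstance(actions, list) or not actions:
            problems.append(f"Statement {i}: Action must be a non-empty list")
            continue
        for action in actions:
            # Actions on this page have the form service:resourceType:operation (three segments).
            if not isinstance(action, str) or action.count(":") != 2:
                problems.append(f"Statement {i}: action {action!r} is not of the form service:resource:operation")
    return problems


def evaluate(policies: list, action: str) -> tuple:
    """Simplified identity-policy evaluation for a single action.

    Assumed rules (the general IAM model, not a description of Huawei Cloud's exact engine):
    deny by default, '*' in a policy action matches any run of characters (including none),
    and an explicit Deny overrides any Allow. Returns (allowed, matched_pattern_or_None)."""
    allowed_by = None
    for policy in policies:
        for stmt in policy["Statement"]:
            for pattern in stmt["Action"]:
                if fnmatch.fnmatchcase(action, pattern):
                    if stmt["Effect"] == "Deny":
                        return (False, pattern)  # explicit Deny wins immediately
                    if allowed_by is None:
                        allowed_by = pattern      # remember the first Allow that matched
    return (allowed_by is not None, allowed_by)


def permission_report(policies: list, actions: list) -> dict:
    """Map each requested action to its evaluation result, for a quick least-privilege review."""
    return {action: evaluate(policies, action) for action in actions}


if __name__ == "__main__":
    print("lint problems:", validate_policy(EXAMPLE_1_POLICY))
    # "dws:cluster:restart" is from the page; the other two action names are hypothetical.
    checks = ["dws:cluster:restart", "dws:cluster:listClusters", "dws:cluster:create"]
    for action, (allowed, via) in permission_report([EXAMPLE_1_POLICY], checks).items():
        print(f"{action}: allowed={allowed} via {via}")
    print("with explicit Deny attached:", evaluate([EXAMPLE_1_POLICY, DENY_RESTART_POLICY], "dws:cluster:restart"))
```

Running the script with only the Example 1 policy allows the restart and any action matching "dws:cluster:list*", and denies the cluster-creation action because nothing in the policy matches it, which is the same outcome the manual check in the procedure above looks for. Attaching the second, Deny-only policy flips the restart result to denied, which is why a permissions review should evaluate every policy attached to the principal rather than one policy in isolation.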