How Do I Configure the Access Permission for Each Function of the UCS Console?
Symptom
The functions of the UCS console are controlled by IAM. When an unauthorized user accesses a page on the UCS console, an error message is displayed, indicating that the user does not have the access permission or permission authentication fails.
Solution
The administrator needs to grant users the permissions for using functions of the UCS console. IAM system policies (including UCS FullAccess, UCS CommonOperations, UCS CIAOperations, and UCS ReadOnlyAccess) are used to define user permissions.
System Role/Policy Name |
Description |
Type |
---|---|---|
UCS FullAccess |
UCS administrator with full permissions, including creating permissions policies and security policies |
System policy |
UCS CommonOperations |
Common UCS user with permissions for operations such as creating workloads and distributing traffic |
System policy |
UCS CIAOperations |
UCS Container Intelligent Analysis (CIA) administrator with full permissions |
System policy |
UCS ReadOnlyAccess |
Read-only permissions on UCS (except for CIA) |
System policy |
Services on Huawei Cloud are interdependent, and UCS depends on other cloud services to implement some functions, such as image repository and domain name resolution. Therefore, the preceding system policies are often used together with roles or policies of other cloud services for refined permission granting. When granting permissions to IAM users, the administrator must comply with the principle of least privilege. Table 2 lists the minimum permissions required by the administrator, operation, and read-only permissions of each UCS function.
For details about how to grant IAM system policies and UCS RBAC permissions to users, see UCS Resource Permissions and Kubernetes Resource Permissions in a Cluster, respectively.
Description |
Permission Type |
Permission |
Minimum Permission |
---|---|---|---|
Fleet |
Admin |
|
UCS FullAccess |
Viewer |
Querying clusters and fleets or their details |
UCS ReadOnlyAccess |
|
Huawei Cloud clusters |
Admin |
Read-write permissions on Huawei Cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services) |
UCS FullAccess + CCE Administrator |
Operation |
Read-write permissions on Huawei Cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas |
UCS CommonOperations + CCE Administrator |
|
Viewer |
Read-only permissions on Huawei Cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services) |
UCS ReadOnlyAccess + CCE Administrator |
|
On-premises/Attached/Multi-cloud clusters |
Admin |
Read-write permissions on on-premises/attached/multi-cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services) |
UCS FullAccess |
Operation |
Read-write permissions on on-premises/attached/multi-cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas |
UCS CommonOperations + UCS RBAC (The list permission for namespaces is required.) |
|
Viewer |
Read-only permissions on on-premises/attached/multi-cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services) |
UCS ReadOnlyAccess + UCS RBAC (The list permission for namespaces is required.) |
|
Image repository |
Admin |
All permissions on SoftWare Repository for Container (SWR), including creating organizations, uploading images, viewing images or details, and downloading images |
SWR Administrator |
Permissions |
Admin |
NOTE:
When creating a permission policy, you need to grant the IAM ReadOnlyAccess permission (read-only permissions on IAM) to IAM users to obtain the IAM user list. |
UCS FullAccess + IAM ReadOnlyAccess |
Viewer |
Viewing permissions or details |
UCS ReadOnlyAccess + IAM ReadOnlyAccess |
|
Policy Center |
Admin |
|
UCS FullAccess |
Viewer |
For fleets and clusters with Policy Center enabled, users with this permission can view policies and policy implementation details. |
UCS CommonOperations or UCS ReadOnlyAccess |
|
Traffic distribution |
Admin |
Operations such as creating a traffic policy, suspending and deleting a scheduling policy |
(Recommended) UCS CommonOperations + DNS Administrator or UCS FullAccess + DNS Administrator |
Viewer |
Viewing traffic policies or details |
UCS ReadOnlyAccess + DNS Administrator |
|
CIA |
Admin |
|
UCS CIAOperations |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot