Help Center/ Container Guard Service/ User Guide/ Managing Permissions/ CGS Permissions and Supported Actions
Updated on 2022-10-08 GMT+08:00

CGS Permissions and Supported Actions

This section describes fine-grained permissions management for your CGS resources. If your Huawei Cloud account does not need individual IAM users, you can skip this section.

By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. Users inherit permissions from their groups and can perform operations on cloud services as allowed by the permissions.

You can grant users permissions by using roles and policies. Roles are a type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. Policies define API-based permissions for operations on specific resources under certain conditions, allowing for more fine-grained, secure access control of cloud resources.

Supported Actions

CGS provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control.

  • Permission: a statement in a policy that allows or denies certain operations.
  • Actions: added to a custom policy to control permissions for specific operations

    Permission

    Action

    Related Action

    Obtain CGS quota statistics.

    cgs:quota:get

    -

    Obtain the yearly/monthly quota list.

    cgs:quota:list

    -

    Subscribe to yearly/monthly CGS quota.

    cgs:quota:operate

    -

    Query system process information.

    cgs:cluster:list

    • cce:addonInstance:*
    • cce:node:list
    • cce:cluster:list

    Enable or disable protection for a container cluster.

    cgs:cluster:operate

    • cce:addonInstance:*

    Query the image list.

    cgs:images:list

    -

    Synchronize and scan images.

    cgs:images:operate

    -

    Query container image information.

    cgs:images:get

    -

    Query configurations.

    cgs:configuration:list

    -

    Modify configurations.

    cgs:configuration:operate

    -

    Query image security information.

    cgs:imageSecure:list

    -

    Handle image security events.

    cgs:imageSecure:operate

    -

    Obtain image scanning results.

    cgs:imageSecure:get

    -

    Obtain the runtime event list.

    cgs:runtimeSecure:list

    -

    Obtain runtime monitoring information.

    cgs:runtimeSecure:get

    -

    Handle runtime monitoring events.

    cgs:runtimeSecure:operate

    -

    Handle security agency authorization for CGS.

    cgs:privilege:operate

    -

    Query CGS authorization.

    cgs:privilege:get

    -