Using IAM Roles or Policies to Grant Access to VPC
- Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing VPC resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust a HUAWEI ID or a cloud service to perform efficient O&M on your VPC resources.
If your HUAWEI ID meets your permissions requirements, you can skip this section.
Figure 1 shows the process of role/policy-based authorization.
Prerequisites
Learn about the system permissions (see Role/Policy-based Permissions Management) supported by VPC and choose permissions based on your requirements.
To grant permissions for other services, learn about all system-defined permissions supported by IAM.
Process Flow
1. On the IAM console, create a user group and grant it permissions.
   Create a user group on the IAM console and assign the VPCReadOnlyAccess permissions to the group.
2. Create an IAM user and add it to the created user group.
   Create a user on the IAM console and add the user to the group created in step 1.
3. Log in as the IAM user and verify permissions.
   In the authorized region, perform the following operations:
   - Choose Service List > Virtual Private Cloud. Then click Create VPC on the VPC console. If a message appears indicating that you have insufficient permissions to perform the operation, the VPCReadOnlyAccess policy is in effect.
   - Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the VPCReadOnlyAccess policy is in effect.
Example Custom Policies
Custom policies can be created to supplement the system-defined policies of VPC. Add actions in custom policies as needed. For details about supported actions, see Supported Actions in RBAC.
To create a custom policy, choose either visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Policy.
The following lists examples of common VPC custom policies.
- Example 1: Allowing users to create and view VPCs
  {
    "Version": "1.1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "vpc:vpcs:create",
          "vpc:vpcs:list"
        ]
      }
    ]
  }
- Example 2: Denying VPC deletion
A policy with only "Deny" permissions must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both Allow and Deny actions, the Deny actions take precedence over the Allow actions.
The following method can be used if you need to assign permissions of the VPCFullAccess policy to a user but also forbid the user from deleting VPCs. Create a custom policy for denying VPC deletion, and assign both policies to the group the user belongs to. Then the user can perform all operations on VPC except deleting VPCs. The following is an example of a deny policy:
  {
    "Version": "1.1",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": [
          "vpc:vpcs:delete"
        ]
      }
    ]
  }
- Example 3: Defining permissions for multiple services in a policy
A custom policy can contain the actions of multiple services that are of the global or project-level type. The following is an example policy containing actions of multiple services:
  {
    "Version": "1.1",
    "Statement": [
      {
        "Action": [
          "vpc:vpcs:create",
          "vpc:vpcs:update"
        ],
        "Effect": "Allow"
      },
      {
        "Action": [
          "ecs:servers:delete"
        ],
        "Effect": "Allow"
      }
    ]
  }
- Example 4: Allowing users to view associated resources
To allow users to view resources associated with a specific resource, you need to assign them permissions to query that resource and its associated resources. The following is an example policy containing actions for allowing users to view the servers, extended network interfaces, and supplementary network interfaces associated with a security group:
  {
    "Version": "1.1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "vpc:ports:get",
          "vpc:securityGroups:get",
          "vpc:subNetworkInterfaces:list"
        ]
      }
    ]
  }
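The examples above rely on two evaluation rules: an explicit Deny wins over any Allow, and an action matched by no statement is denied by default. The following Python script is an added illustration, not code from the Huawei Cloud documentation or the IAM service; it models those two rules over the sample policies and adds a small lint check that catches the kind of defect shown in the original Example 1 (two action names run together inside one string, which would match nothing). The `VPC_FULL_ACCESS` stand-in with a `vpc:*:*` wildcard, the `*` wildcard matching, and the `service:resource:action` naming pattern are assumptions made for this example; the real IAM engine is not being reproduced.

```python
import fnmatch
import json
import re

# Sample policies, constructed for this example. DENY_VPC_DELETE and
# CREATE_AND_LIST follow the page's Example 2 and Example 1; VPC_FULL_ACCESS
# is an assumed stand-in for the system policy using a wildcard action.
VPC_FULL_ACCESS = json.dumps({
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["vpc:*:*"]}],
})
DENY_VPC_DELETE = json.dumps({
    "Version": "1.1",
    "Statement": [{"Effect": "Deny", "Action": ["vpc:vpcs:delete"]}],
})
CREATE_AND_LIST = json.dumps({
    "Version": "1.1",
    "Statement": [{"Effect": "Allow",
                   "Action": ["vpc:vpcs:create", "vpc:vpcs:list"]}],
})
# Defective variant: two action names inside a single string (constructed).
BROKEN_EXAMPLE = json.dumps({
    "Version": "1.1",
    "Statement": [{"Effect": "Allow",
                   "Action": [" vpc:vpcs:create vpc:vpcs:list "]}],
})

# Assumed shape of an action name: service:resource:operation, '*' allowed.
ACTION_RE = re.compile(r"^[A-Za-z0-9*_-]+:[A-Za-z0-9*_-]+:[A-Za-z0-9*_-]+$")


def _matches(pattern: str, action: str) -> bool:
    """Case-insensitive comparison; '*' is treated as a glob (assumption)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _actions(stmt: dict) -> list:
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def evaluate(policies: list, action: str) -> str:
    """Decide one action against all attached policies.

    Returns 'Deny' if any matching statement denies it, 'Allow' if some
    matching statement allows it and none denies it, otherwise 'ImplicitDeny'.
    """
    decision = "ImplicitDeny"
    for raw in policies:
        for stmt in json.loads(raw).get("Statement", []):
            if not any(_matches(p, action) for p in _actions(stmt)):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"          # explicit Deny short-circuits everything
            if stmt.get("Effect") == "Allow":
                decision = "Allow"     # keep scanning in case a Deny follows
    return decision


def lint_policy(raw: str) -> list:
    """Return a list of problems in a policy document; an empty list means clean."""
    problems = []
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if doc.get("Version") != "1.1":
        problems.append('Version must be "1.1"')
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        for a in _actions(stmt):
            if not ACTION_RE.match(a):
                problems.append(f"statement {i}: malformed action {a!r}")
    return problems


if __name__ == "__main__":
    attached = [VPC_FULL_ACCESS, DENY_VPC_DELETE]
    for act in ("vpc:vpcs:create", "vpc:vpcs:delete", "ecs:servers:delete"):
        print(f"{act:20s} -> {evaluate(attached, act)}")
    print("lint:", lint_policy(BROKEN_EXAMPLE))
```

Running the script shows the combination from Example 2 in action: `vpc:vpcs:create` is allowed, `vpc:vpcs:delete` is denied despite the wildcard Allow, and the unrelated `ecs:servers:delete` falls through to the implicit deny. The lint check reports the malformed action string, which is the failure mode worth testing for before attaching a hand-written JSON policy: it does not raise an error, it simply grants nothing.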