Help Center/ Cloud Bastion Host/ Service Overview/ Permissions Management
Updated on 2025-11-21 GMT+08:00
View PDF
Share

Permissions Management

If you need to assign different permissions to employees in your enterprise to access your CBH resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources. If your Huawei Cloud account works good for you and you do not need an IAM account to manage user permissions, then you may skip over this chapter.

IAM is a free service. You only pay for the resources in your account.

With IAM, you can control access to specific Huawei Cloud resources. For example, some developers in your enterprise need to use CBH but you do not want them to have permissions to high-risk operations such as deleting CBH instances. To achieve such purpose, you can use IAM to grant them only the permissions to use CBH, but not delete CBH instances. With IAM, you can control their usage of CBH resources.

IAM supports role/policy-based authorization and identity policy-based authorization.

The following table describes the differences between these two authorization models.

Table 1 Differences between the two types of authorization

Name

Core Relationship

Permission

Authorization Method

Application Scenario

Role/Policy-based Authorization

User-permission-authorization scope
  • System-defined role
  • System-defined policy
  • Custom policies

Assigning roles or policies to principals

To authorize a user, you need to add it to a user group first and then specify the scope of authorization. It provides a limited number of condition keys and cannot meet the requirements of fine-grained permissions control. This method is suitable for small- and medium-sized enterprises.

Identity Policy-based Authorization

User-policy
  • System-defined identity policies
  • Custom identity policies
  • Assigning identity policies to principals
  • Attaching identity policies to principals

You can authorize a user by attaching an identity policy to it. User-specific authorization and a variety of key conditions allow for more fine-grained permissions control. However, this model can be hard to set up. It requires a certain amount of expertise and is suitable for medium- and large-sized enterprises.

Policies/identity policies and actions in the two authorization models are not interoperable. You are advised to use the identity policy-based authorization model. For details about system-defined permissions, see Role/Policy-based Permissions Management and Identity Policy-based Permissions Management.

For more information about IAM, see IAM Service Overview.

Role/Policy-based Permissions Management

CBH supports role/policy-based authorization. New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

CBH is a project-level service deployed and accessed in specific physical regions. When you set Scope to Region-specific projects and select the specified projects (for example, ap-southeast-2) in the specified regions (for example, AP-Bangkok), the users only have permissions for ECSs in the selected projects. If you set Scope to All resources, the users have permissions for ECSs in all region-specific projects. When accessing CBH, the users need to switch to a region where they have been authorized to use the CBH service.

Table 1 lists all CBH system permissions. System-defined policies in role/policy-based authorization are not interoperable with those in identity policy-based authorization.

Table 2 CBH system permissions

System Role/Policy Name

Description

Type

Dependency

CBH FullAccess

All permissions (except the payment permission) on CBH instances

System-defined policy

To use a cloud asset agency and bind or unbind EIPs, you need to configure the following actions:

  • csms:secretVersion:get
  • csms:secret:list
  • kms:dek:create
  • kms:cmk:list
  • ecs:cloudServers:list
  • rds:instance:list
  • vpc:vpcs:get
  • vpc:publicIps:get
  • vpc:ports:update
  • iam:agencies:listAgencies
  • iam:permissions:listRolesForAgencyOnProject
  • iam:agencies:createAgency
  • iam:permissions:revokeRoleFromAgencyOnProject
  • iam:roles:createRole
  • iam:agencies:deleteAgency

CBH ReadOnlyAccess

Read-only permissions for CBH instances. Users who have read-only permissions granted can only view CBH instances but not configure services.

System-defined policy

To view CBH instance details, you need to configure the following actions:

vpc:vpcs:get

Table 3 describes the common operations supported by each system-defined permission of CBH.

Table 3 Common operations for each system-defined policy or role of CBH

Operation

CBH FullAccess

CBH ReadOnlyAccess

Creating a CBH instance

x

Changing CBH instance specifications (changing specifications)

x

Querying the CBH instance list

Upgrading the CBH system version

x

Querying total ECS quota

x

Binding or unbinding an EIP

x

Restarting a CBH instance

x

Starting a CBH instance

x

Stopping a CBH instance

x

Querying the AZ of a CBH instance

x

Checking whether an IPv6 CBH instance can be created

x

Checking network connection between the CBH instance and the license center

x

Modifying the network of the CBH instance to ensure that the CBH instance can communicate with the license center

x

Role/Policy Dependencies of the CBH Console

Table 4 Roles or policies required for operations on the CBH console

Console Function

Dependency

Role/Policy Required

Creating a bastion host

Elastic Cloud Server (ECS)

Virtual Private Cloud (VPC)

In addition to CBH FullAccess role, the ECS CommonOperations and VPC FullAccess roles are required for an IAM user to create CBH instances on the console.

Binding or unbinding an EIP

Elastic IP (EIP)

In addition to CBH FullAccess role, the VPC FullAccess role is required for an IAM user to bind an EIP to or unbind an EIP from a CBH instance.

Updating the security group for a CBH instance

Virtual Private Cloud (VPC)

In addition to CBH FullAccess role, the VPC FullAccess role is required for an IAM user to change the security group for a CBH instance.

Creating a cloud asset agency

Data Encryption Workshop (DEW)

Elastic Cloud Server (ECS)

Relational Database Service (RDS)

Identity and Access Management (IAM)

After the CBH FullAccess permission is configured for an IAM user, you need to add related permissions for the user based on dependencies in Table 2.

Identity Policy-based Permissions Management

CBH supports identity policy-based authorization. Table 5 lists all the system-defined identity policies for CBH. System-defined policies in identity policy-based authorization are not interoperable with those in role/policy-based authorization.

Table 5 System-defined identity policies for CBH

Identity Policy Name

Description

Policy Type

CBHFullAccessPolicy

All permissions for CBH.

System-defined identity policies

CBHReadOnlyPolicy

Read-only permissions for CBH.

System-defined identity policies

CBHServiceLinkedAgencyPolicy

Agency permissions required for CBH to access KMS and credential management services of tenants.

System-defined identity policies

Table 6 describes the common operations supported by system-defined identity policies of CBH.

Table 6 Common operations supported by system-defined policies

Operation

CBHFullAccessPolicy

CBHReadOnlyPolicy

CBHServiceLinkedAgencyPolicy

Creating a CBH instance

x

x

Changing CBH instance specifications (changing specifications)

x

x

Querying the CBH instance list

x

Upgrading the CBH system version

x

x

Querying total ECS quota

x

x

Binding or unbinding an EIP

x

x

Restarting a CBH instance

x

x

Starting a CBH instance

x

x

Stopping a CBH instance

x

x

Querying the AZ of a CBH instance

x

x

Checking whether an IPv6 CBH instance can be created

x

x

Checking network connection between the CBH instance and the license center

x

x

Modifying the network of the CBH instance to ensure that the CBH instance can communicate with the license center

x

x

Identity Policy Dependencies of the CBH Console

Table 7 Identity policy dependencies of the CBH console

Console Function

Dependency

Identity Policy Required

Creating a bastion host

Elastic Cloud Server (ECS)

Virtual Private Cloud (VPC)

In addition to CBHFullAccessPolicy, the ECSCommonOperationsPolicy and VPCFullAccessPolicy are required for an IAM user to create CBH instances on the console.

Binding or unbinding an EIP

Elastic IP (EIP)

In addition to CBHFullAccessPolicy, the VPCFullAccessPolicy is required for an IAM user to bind or unbind an EIP to/from a CBH instance on the console.

Updating the security group for a CBH instance

Virtual Private Cloud (VPC)

In addition to CBHFullAccessPolicy, the VPCFullAccessPolicy is required for an IAM user to update the security group for a CBH instance on the console.

Creating a cloud asset agency

Data Encryption Workshop (DEW)

Elastic Cloud Server (ECS)

Relational Database Service (RDS)

Identity and Access Management (IAM)

In addition to CBHFullAccessPolicy, the CBHServiceLinkedAgencyPolicy is required for an IAM user to use the cloud asset agency function.

Helpful Links