Updated on 2026-04-28 GMT+08:00

Authorization Using an Agency

CCI works closely with multiple cloud services to support computing, storage, networking, and monitoring functions. When you log in to the CCI console for the first time, CCI automatically requests permissions to access those cloud services in the region where you run your applications.

Constraints

Comply with the following constraints when using an agency for CCI to avoid service interruptions:

  • Do not delete the agency automatically created by CCI on the IAM console. CCI uses this agency to access your compute, storage, networking, and monitoring resources.
  • If the agency is deleted, core CCI functions (such as pod startup) stop working immediately, and resource billing becomes abnormal.
  • If the agency is deleted by mistake, you must call the API for creating an agency or trigger re-authorization on the CCI console.

Permission Configuration Requirements

Before using CCI 2.0 (including the console and APIs), you need to create and manage the CCI agency. Based on the principle of least privilege (PoLP), an IAM user must have the IAM operation permissions below when creating or updating an agency, or the operations will fail.

Table 1 Permission configuration requirements

| Permission Type | Action in Custom Policy (Old IAM Console) | Action in Custom Identity Policy (New IAM Console) |
| --- | --- | --- |
| Agency creation | iam:agencies:createAgency | iam:agencies:create |
| Project authorization | iam:permissions:grantRoleToAgencyOnProject | iam:agencies:grantRoleOnProject |

Policy Configuration Example

You can create a custom policy (on the old IAM console) or custom identity policy (on the new IAM console), copy the content below to the JSON view, and grant permissions to the user or user group that manages CCI.

Content of a custom policy (old IAM console):

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:agencies:createAgency",
                "iam:permissions:grantRoleToAgencyOnProject"
            ]
        }
    ]
}

Content of a custom identity policy (new IAM console):

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:agencies:create",
        "iam:agencies:grantRoleOnProject"
      ]
    }
  ]
}
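
The two consoles use different action names for the same permissions, so a policy can look correct while carrying the wrong names for its Version. The following check is an added example, not part of the CCI documentation or tooling: it compares a policy document with the actions Table 1 requires for its Version and lists anything granted beyond them. The function name, the sample policies, the glob treatment of "*" and the Deny-overrides-Allow rule are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Required actions per policy "Version", copied from Table 1 and the two policies above.
REQUIRED = {
    "1.1": {"iam:agencies:createAgency", "iam:permissions:grantRoleToAgencyOnProject"},
    "5.0": {"iam:agencies:create", "iam:agencies:grantRoleOnProject"},
}

def _actions(stmt):
    value = stmt.get("Action", [])
    return [value] if isinstance(value, str) else list(value)

def check_agency_policy(policy_text):
    """Compare one policy document with the actions Table 1 requires for its Version."""
    policy = json.loads(policy_text)
    version = policy.get("Version")
    if version not in REQUIRED:
        raise ValueError(f"unexpected policy Version: {version!r}")
    allow, deny = [], []
    for stmt in policy.get("Statement", []):
        (allow if stmt.get("Effect") == "Allow" else deny).extend(_actions(stmt))
    # Assumption: "*" in an action matches like a glob, and a Deny overrides an Allow.
    def granted(action):
        return (any(fnmatchcase(action, p) for p in allow)
                and not any(fnmatchcase(action, p) for p in deny))
    return {
        "missing": sorted(a for a in REQUIRED[version] if not granted(a)),
        "not_required": sorted(set(allow) - REQUIRED[version]),
    }

# Constructed sample inputs (not from the page).
MIXED_UP = json.dumps({"Version": "5.0", "Statement": [{"Effect": "Allow", "Action": [
    "iam:agencies:createAgency", "iam:permissions:grantRoleToAgencyOnProject"]}]})
WILDCARD = json.dumps({"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": "iam:agencies:*"}]})

if __name__ == "__main__":
    for name, text in (("mixed-up", MIXED_UP), ("wildcard", WILDCARD)):
        print(name, check_agency_policy(text))
```

An empty "missing" list means the user can create and authorize the agency; a non-empty "not_required" list marks grants wider than the two actions this page calls for.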