Updated on 2025-06-30 GMT+08:00

Permission Dependencies of the SWR Console

Some SWR functions depend on other cloud services. You can use IAM to grant permission to access these services.

Before granting an IAM user permission to access dependent cloud services of SWR, ensure that this user already has SWR Administrator, SWR FullAccess, SWR OperateAccess, or SWR ReadOnlyAccess permissions as needed.

Granting Permissions to Access Dependent Cloud Services

To use basic SWR functions, an IAM user must already have SWR Administrator, SWR FullAccess, SWR OperateAccess, or SWR ReadOnlyAccess permissions. Then, you can add roles or policies so that the user can use the SWR functions that depend on other cloud services.

Table 1 Role/Policy dependencies of the SWR console

| Console Function | Dependency | Role/Policy Required |
| --- | --- | --- |
| Image vulnerability scanning | Host Security Service (HSS) | Custom policy: SWR HSS Access |
| Triggers | Cloud Container Engine (CCE); Cloud Container Instance (CCI) | If your applications are deployed in CCE, you need policies to access CCE. For details, see the custom policy SWR CCE Access. If your applications are deployed in CCI, you need policies to access CCI. For details, see the custom policy SWR CCI Access. |

To grant an IAM user permission to access dependent cloud services of SWR, you must have the IAM role Security Administrator.

Fine-grained HSS Authorization

  1. Log in to the management console.
  2. Select a region, click in the upper left corner, and choose Management & Governance > Identity and Access Management.
  3. In the navigation pane, choose Permissions > Policies/Roles. Click Create Custom Policy. Set Policy Name to SWR HSS Access and Policy View to JSON. Configure the policy as follows and click OK.

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "HSS:*:*"
                ]
            }
        ]
    }

  4. In the navigation pane, choose User Groups. Select the user group the IAM user belongs to and click Authorize.
  5. Select the SWR HSS Access policy. Select All resources and click OK.
  6. After the authorization is successful, click Finish. The policy will be in effect after about 15 minutes.

Fine-grained CCE Authorization

  1. Log in to the management console.
  2. Select a region, click in the upper left corner, and choose Management & Governance > Identity and Access Management.
  3. In the navigation pane, choose Permissions > Policies/Roles. Click Create Custom Policy. Set Policy Name to SWR CCE Access. Set Policy View to JSON. Configure the policy as follows and click OK.

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cce:cluster:list"
                ]
            }
        ]
    }

  4. In the navigation pane, choose User Groups. Select the user group your IAM user belongs to and click Authorize.
  5. Select the SWR CCE Access policy. Select All resources and click OK.
  6. After the authorization is successful, click Finish. The policy will be in effect after about 15 minutes.
  7. Click in the upper left corner. Choose Containers > Cloud Container Engine. In the navigation pane, choose Permissions. Select the cluster to access. In the upper right corner of the page, click Add Permission.
  8. Configure the following parameters and click OK.

    • User/User Group: Select the user group the IAM user belongs to.
    • Namespace: Select All namespaces.
    • Permission Type: Select viewer.

  9. When a dialog box is displayed indicating the permission is added successfully, click OK. Wait for 3 to 5 seconds for the authorization to take effect.

Fine-grained CCI Authorization

  1. Log in to the management console.
  2. Select a region, click in the upper left corner, and choose Management & Governance > Identity and Access Management.
  3. In the navigation pane, choose Permissions > Policies/Roles. Click Create Custom Policy. Set Policy Name to SWR CCI Access and Policy View to JSON. Configure the policy as follows and click OK.

    {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cci:namespace:list",
                    "cci:deployment:list",
                    "cci:namespaceSubResource:list",
                    "cci:deployment:get",
                    "cci:namespaceSubResource:get"
                ]
            }
        ]
    }

  4. In the navigation pane, choose User Groups. Select the user group your IAM user belongs to and click Authorize.
  5. Select the SWR CCI Access policy. Select All resources and click OK.
  6. After the authorization is successful, click Finish. The policy will be in effect after about 15 minutes.
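
A least-privilege check to run on the three custom policies above before attaching them to a user group. This is an added example, not part of the SWR documentation: the function names are hypothetical, and it assumes that actions follow the service:resource:operation form seen on this page and that only list/get operations count as read-only.

```python
import json

# The three custom policies from this page, embedded so the check runs offline.
POLICIES = {
    "SWR HSS Access": '{"Version":"1.1","Statement":[{"Effect":"Allow","Action":["HSS:*:*"]}]}',
    "SWR CCE Access": '{"Version":"1.1","Statement":[{"Effect":"Allow","Action":["cce:cluster:list"]}]}',
    "SWR CCI Access": json.dumps({"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": [
        "cci:namespace:list", "cci:deployment:list", "cci:namespaceSubResource:list",
        "cci:deployment:get", "cci:namespaceSubResource:get"]}]}),
}

# Assumption of this example: only list/get operations count as read-only.
READ_ONLY_OPS = {"list", "get"}


def audit_policy(policy_json):
    """Return (action, reason) findings for every Allow action that needs review."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # tolerate a single action given as a string
            actions = [actions]
        for action in actions:
            parts = action.split(":")
            if len(parts) != 3:
                findings.append((action, "not in service:resource:operation form"))
            elif "*" in action:
                findings.append((action, "wildcard: broader than a named operation"))
            elif parts[2] not in READ_ONLY_OPS:
                findings.append((action, "operation is not list/get"))
    return findings


def audit_all(policies):
    """Map each policy name to its findings (an empty list means nothing flagged)."""
    return {name: audit_policy(body) for name, body in policies.items()}


if __name__ == "__main__":
    for name, findings in audit_all(POLICIES).items():
        print(name, "OK" if not findings else findings)
```

Only SWR HSS Access is flagged; the CCE and CCI policies name individual list/get operations.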