Updated on 2025-11-06 GMT+08:00

Controlling Access to Resources Using Tags

Attribute-based Access Control (ABAC) is an authorization strategy that defines permissions based on attributes. Tags are one type of attribute. You can attach tags to IAM resources (including IAM users and trust agencies that can be accessed by other entities) or to other Huawei Cloud resources, and you can define identity policies that use those tags as condition keys. Identity policies written this way need only minimal changes as the number of Huawei Cloud resources you control access to grows. ABAC policies are more flexible than role-based access control (RBAC) policies because RBAC policies require you to list each individual resource. For more information about ABAC and its advantages over RBAC, see ABAC.

This section describes how to create an IAM user with a principal tag, create an identity policy, and attach the policy to the IAM user. The identity policy allows the IAM user to access only the resources with the tag matching the principal tag.

Operations

Assume that you are an experienced IAM administrator familiar with creating and managing IAM users, trust agencies, and identity policies. You want to ensure that your engineers and O&M team members can access only the resources they need. You also need an identity policy that scales as your company grows and more types of members join your company. You use principal tags and resource tags in the identity policy. For the cloud services that support resource tags, see "ABAC (Tag-based Authentication)" in Cloud Services for Using Identity Policies and Trust Agencies.

You can add the following tags to your engineers and O&M team members:

  • employee-type=engineer
  • employee-type=operations

In this section, you will tag each IAM user and each trust agency, write an identity policy, and attach the policy to the IAM user. This identity policy allows the IAM user to create, update, read, and delete accessible resources.

Step 1: Attach a Tag to an IAM User

  1. Log in to the new IAM console as an administrator and choose Users in the navigation pane.
  2. Click employee-user (the name of an IAM user for the engineer team). On the user details page, click the Tags tab.
  3. Click Add Tag in the upper left corner.
  4. In the displayed dialog box, set the tag key to employee-type and the tag value to engineer.

Step 2: Attach a Tag to a Resource

When a trust agency initiates access, it is an IAM principal, and its tag is a principal tag. When a trust agency is accessed by an IAM principal, it is an IAM resource, and its tag is a resource tag. The following uses trust agencies as an example:

  1. Log in to the new IAM console as an administrator and choose Agencies in the navigation pane.
  2. Click the name of the trust agency (engineer-access) that can be accessed by the IAM user employee-user. On the displayed page, click the Tags tab.
  3. Click Add Tag in the upper left corner.
  4. In the displayed dialog box, set the tag key to employee-type and the tag value to engineer. Click OK.
  5. Return to the trust agency list and click the name of the trust agency operations-access that can be accessed by the O&M team (operations). On the displayed page, click the Tags tab.
  6. In the displayed dialog box, set the tag key to employee-type and the tag value to operations. Click OK.

Step 3: Create a Custom Identity Policy

  1. Log in to the new IAM console as an administrator, and choose Identity Policies in the navigation pane.
  2. Click Create Identity Policy in the upper right corner.
  3. Set the identity policy name to engineer-access-policy.
  4. Set Policy View to JSON. Enter the following identity policy, which allows access only when the principal tag matches the tag of the resource being accessed:

    {
      "Version": "5.0",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "iam:agencies:getV5"
        ],
        "Condition": {
          "StringEquals": {
            "g:ResourceTag/employee-type": [
              "${g:PrincipalTag/employee-type}"
            ]
          }
        }
      }]
    }

  5. Click OK. The identity policy is created.

Step 4: Attach the Identity Policy to the Authorization Principal

  1. Log in to the new IAM console as an administrator, and choose Identity Policies in the navigation pane.
  2. Select the identity policy created in step 3 and click Attach above the identity policy list.
  3. Select the IAM user employee-user added in step 1 and click OK.

Step 5: Verify the Result

  1. In addition to the identity policy created in step 3, attach to the IAM user employee-user another identity policy that allows listing all agencies on the IAM console. (If you call APIs to list the agencies, you do not need this additional identity policy.)
  2. View the trust agencies engineer-access and operations-access as the IAM user employee-user of the engineer team.

    • You can view the details about the trust agency engineer-access. This is because the principal tag of employee-user matches the resource tag of engineer-access, which complies with the identity policy.

    • When you view the trust agency operations-access, the system displays a message indicating insufficient permissions. This is because the principal tag of employee-user does not match the resource tag of operations-access.

Follow-up Operations

When new members join the company, there is no need to modify this identity policy. You only need to attach the appropriate tags to the new members and to the resources they are allowed to access.
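To make the matching rule in the Step 3 policy concrete, the following is an added example (not Huawei Cloud code, and not a reimplementation of the IAM engine) that evaluates the policy's StringEquals condition against constructed principal and resource tags. It reproduces the Step 5 results, shows that a newly tagged O&M member (hypothetical ops-user) is covered without any policy change, and models the conservative assumption that a missing resource tag or an unresolvable ${g:PrincipalTag/...} variable never matches, so access falls through to an implicit deny.

```python
import re

# Constructed sample data mirroring the page's scenario; the extra principals and
# agencies are hypothetical and exist only to exercise the edge cases.
PRINCIPALS = {
    "employee-user": {"employee-type": "engineer"},
    "ops-user": {"employee-type": "operations"},   # hypothetical O&M member
    "untagged-user": {},                            # hypothetical user with no principal tag
}
RESOURCES = {
    "engineer-access": {"employee-type": "engineer"},
    "operations-access": {"employee-type": "operations"},
    "untagged-agency": {},                          # hypothetical agency with no resource tag
}
POLICY = {  # the identity policy from Step 3, as a Python dict
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:agencies:getV5"],
        "Condition": {"StringEquals": {
            "g:ResourceTag/employee-type": ["${g:PrincipalTag/employee-type}"]}},
    }],
}
VAR = re.compile(r"\$\{g:PrincipalTag/([^}]+)\}")

def resolve(value, principal_tags):
    """Substitute a ${g:PrincipalTag/key} variable; None if the principal lacks that tag."""
    m = VAR.fullmatch(value)
    return principal_tags.get(m.group(1)) if m else value

def condition_holds(cond, principal_tags, resource_tags):
    """Evaluate a StringEquals block over g:ResourceTag/* keys (other keys are not modelled)."""
    for key, allowed in cond.get("StringEquals", {}).items():
        if not key.startswith("g:ResourceTag/"):
            return False
        actual = resource_tags.get(key[len("g:ResourceTag/"):])
        expected = [resolve(v, principal_tags) for v in allowed]
        # Assumption: a missing resource tag or an unresolvable principal-tag variable
        # never satisfies StringEquals, so this statement does not grant access.
        if actual is None or actual not in expected:
            return False
    return True

def is_allowed(policy, action, principal, resource):
    """True only when an Allow statement matches the action and its condition holds;
    anything else is an implicit deny."""
    return any(s["Effect"] == "Allow" and action in s["Action"]
               and condition_holds(s.get("Condition", {}), PRINCIPALS[principal], RESOURCES[resource])
               for s in policy["Statement"])
```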