Using IAM Identity Policies to Grant Access to CDN

System-defined permissions in identity policy-based authorization provided by Identity and Access Management (IAM) let you control access to CDN. With IAM, you can:

• Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing CDN resources.
• Grant users only the permissions required to perform a given task based on their job responsibilities.
• Entrust a Huawei Cloud account or a cloud service to perform efficient O&M on your CDN resources.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of identity policy-based authorization.

Process Flow

Figure 1 Process of granting CDN permissions using identity policy-based authorization

1. On the IAM console, create an IAM user or create a user group.
2. Attach a system-defined policy (CDNReadOnlyPolicy as an example) to the user or user group.
3. Log in as the IAM user and verify permissions.

   In the authorized region, perform the following operations:

   • Choose Service List > Content Delivery & Edge Computing > Content Delivery Network. In the navigation pane of the CDN console, choose Domains. Then click Add Domain Name. If a message appears indicating that you have insufficient permissions to perform the operation, the CDNReadOnlyPolicy policy is in effect.
   • Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the CDNReadOnlyPolicy policy is in effect.

{
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cdn:configuration:createDomains"
            ]
        }
    ]
}

• Example 2: Grant permission to set an IP address blacklist.

{
        "Version": "5.0",
        "Statement": [
                {
                        "Action": [
                                "cdn:configuration:modifyIpAcl"
                        ],
                        "Effect": "Allow"
                }
        ]
}

• Example 3: Grant permission to deny domain name deletion.

  A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

  Assume that you want to grant the permissions of the CDN Admin policy to a user but want to prevent them from deleting domain names. You can create a custom policy for denying domain name deletion, and attach this policy together with the CDN Admin policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on domain names excepting deleting them.

  Example policy denying domain name deletion:

  {
          "Version": "5.0",
          "Statement": [
                  {
                          "Action": [
                                  "cdn:configuration:deleteDomains"
                          ],
                          "Effect": "Deny"
                  }
          ]
  }

• Example 4: Create a custom policy containing multiple actions.

  A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level).

  Example policy containing multiple actions:

  {
      "Version": "5.0",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "cdn:configuration:enableDomains",
                  "cdn:configuration:createDomains",
              ]
          }
      ]
  }