Help Center/ Elastic Volume Service/ User Guide/ Using IAM to Grant Access to EVS/ Using IAM Roles or Policies to Grant Access to EVS
Updated on 2025-12-23 GMT+08:00

Using IAM Roles or Policies to Grant Access to EVS

System-defined permissions in role/policy-based authorization provided by Identity and Access Management (IAM) let you control access to EVS resources. With IAM, you can:

  • Create IAM users for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing EVS resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust a Huawei Cloud account or a cloud service to perform efficient O&M on your EVS resources.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of role/policy-based authorization.

Prerequisites

Before granting permissions to user groups, learn about system-defined permissions in role/policy-based authorization for EVS. To grant permissions for other services, learn about all system-defined permissions supported by IAM.

Process Flow

Figure 1 Process of granting EVS permissions
  1. On the IAM console, create a user group and grant it permissions (EVS ReadOnlyAccess as an example).

  2. Create an IAM user and add it to the created user group.

  3. Log in as the IAM user and verify permissions.

    In the authorized region, perform the following operations:

    • Choose Service List > Elastic Volume Service. Then click Buy Disk on the EVS console. If a message appears indicating that you have insufficient permissions to perform the operation, the EVS ReadOnlyAccess policy is in effect.
    • Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the EVS ReadOnlyAccess policy is in effect.

Example Custom Policies

You can create custom policies to supplement the system-defined policies of EVS.

To create a custom policy, choose either visual editor or JSON.

  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Policy. The following lists examples of common EVS custom policies.

  • Example 1: Grant permission to create disks.
    {
            "Version": "1.1",
            "Statement": [
                    {
                            "Action": [
                                    "evs:volumes:create",
                                    "evs:volumes:list",
                                    "evs:volumes:get",
                                    "evs:types:get",
                                    "evs:quotas:get",
                                    "ecs:cloudServerFlavors:get",
                                    "ecs:cloudServers:list"
                            ],
                            "Effect": "Allow"
                    }
            ]
    }
  • Example 2: Grant permission to deny disk deletion.

    A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    Assume that you want to grant the permissions of the EVS FullAccess policy to a user but want to prevent them from deleting EVS disks. You can create a custom policy for denying EVS disk deletion, and attach this policy together with the EVS FullAccess policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on EVS disks excepting deleting them.

    Example policy denying disk deletion:

    {
            "Version": "1.1",
            "Statement": [
                    {
                            "Effect": "Deny",
                            "Action": [
                                    "evs:volumes:delete"
                            ]
                    }
            ]
    }
  • Example 3: Create a custom policy containing multiple actions.

    A custom policy can contain the actions of one or multiple services that are of the same type (global or project-level).

    Example policy containing multiple actions:

    { 
            "Version": "1.1", 
            "Statement": [ 
                    { 
                            "Action": [ 
                                    "evs:volumes:create",
                                    "evs:volumes:list",
                                    "evs:volumes:get",
                                    "evs:types:get", 
                                    "evs:quotas:get", 
                                    "evs:volumes:use"
                            ], 
                            "Effect": "Allow" 
                    },
                   { 
                            "Action": [ 
                                    "ecs:cloudServerFlavors:get",
                                    "ecs:cloudServers:list",
                                    "ecs:cloudServers:get",
                                    "ecs:cloudServers:attach", 
                                    "ecs:cloudServers:detachVolume"
                            ], 
                            "Effect": "Allow" 
                    }
            ] 
    }