Updated on 2025-11-07 GMT+08:00

Granting Permission to Generate Temporary Security Credentials

The identity policies attached to the agency or trust agency determine the permissions for the temporary security credentials that are returned by the AssumeAgency API. You can define the identity policies when creating or updating the agency or trust agency.

You can also use session policies as optional parameters for calling the AssumeAgency API to further limit the permissions of the generated temporary security credentials. The permissions of the generated temporary security credentials are the intersection of the trust agency's identity policies and the session policies.

In subsequent API calls, you can use the newly generated temporary security credentials to access resources in the account that owns the agency or trust agency.

Figure 1 Permissions for temporary security credentials

When the temporary security credentials generated by the AssumeAgency API are used to access Huawei Cloud resources, the original permissions of the user who is assuming the agency are not evaluated. The user temporarily gives up its original permissions in favor of the permissions assigned to the agency or trust agency.

You can combine AssumeAgency API operations with different types of policies. The following sections give some examples.

Trust Agency-based Identity Policy

In this example, you call the AssumeAgency API without specifying the optional parameters Policy and Policy_ids. The permissions of the generated temporary security credentials are determined by the identity policies of the trust agency. The following example identity policy grants the trust agency permission to list all objects that are contained in an OBS bucket named productionapp. It also allows the trust agency to get, put, and delete objects in that bucket.

{
	"Version": "5.0",
	"Statement": [{
			"Effect": "Allow",
			"Action": [
				"obs:bucket:listBucket"
			],
			"Resource": [
				"obs:*:*:bucket:productionapp"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"obs:object:getObject",
				"obs:object:putObject",
				"obs:object:deleteObject"
			],
			"Resource": [
				"obs:*:*:bucket:productionapp/*"
			]
		}
	]
}

Session Policy Passed as a Parameter

Suppose that you want to allow a user to assume the same trust agency as in the preceding example, but you want the temporary security credentials to have permission only to get and put objects in the OBS bucket productionapp, and not to delete objects. One way to accomplish this is to create a new trust agency and specify the desired permissions in that trust agency's identity policy. Another way is to call the AssumeAgency API and include session policies in the optional parameter Policy as part of the API operation. The permissions of the generated temporary security credentials are the intersection of the trust agency's identity policies and the session policies. After obtaining the new temporary security credentials, you can pass them to the users that you want to have these permissions.

For example, if the following session policy is passed as a parameter of the AssumeAgency API call, the generated temporary security credentials only have the following permissions:

  • List all objects in the bucket productionapp.
  • Get objects from the bucket productionapp or upload objects to the bucket.

In the following session policy, the obs:object:deleteObject permission has been filtered out, so the generated temporary security credentials are not granted the obs:object:deleteObject permission.

{
	"Version": "5.0",
	"Statement": [{
			"Effect": "Allow",
			"Action": [
				"obs:bucket:listBucket"
			],
			"Resource": [
				"obs:*:*:bucket:productionapp"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"obs:object:getObject",
				"obs:object:putObject"
			],
			"Resource": [
				"obs:*:*:bucket:productionapp/*"
			]
		}
	]
}
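As an added illustration of the intersection rule described in both examples above (this is not code from this page or from Huawei Cloud), the following Python evaluator loads the two policies shown on this page and checks a request against both. The wildcard matcher and the "explicit Deny wins" rule are simplifying assumptions for the illustration, not the service's actual evaluation logic.

```python
import fnmatch

# Constructed for this example: the two policies shown on this page, as the
# evaluator consumes them (identity policy of the trust agency, session policy).
AGENCY_POLICY = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": ["obs:bucket:listBucket"],
     "Resource": ["obs:*:*:bucket:productionapp"]},
    {"Effect": "Allow", "Action": ["obs:object:getObject", "obs:object:putObject",
                                   "obs:object:deleteObject"],
     "Resource": ["obs:*:*:bucket:productionapp/*"]}]}

SESSION_POLICY = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": ["obs:bucket:listBucket"],
     "Resource": ["obs:*:*:bucket:productionapp"]},
    {"Effect": "Allow", "Action": ["obs:object:getObject", "obs:object:putObject"],
     "Resource": ["obs:*:*:bucket:productionapp/*"]}]}


def _matches(patterns, value):
    # Assumption: '*' in an action or resource string matches any run of
    # characters, including the ':' and '/' separators.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def policy_allows(policy, action, resource):
    """Simplified single-policy evaluation: an explicit Deny statement wins,
    otherwise at least one matching Allow statement is required."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allows(agency_policy, session_policy, action, resource):
    """AssumeAgency credentials get the intersection: the request must be
    allowed by the trust agency's identity policy AND by the session policy.
    A session policy can therefore only narrow permissions, never widen them."""
    return (policy_allows(agency_policy, action, resource)
            and policy_allows(session_policy, action, resource))


if __name__ == "__main__":
    obj = "obs:cn-north-4:0123456789:bucket:productionapp/reports/q3.csv"  # constructed
    for act in ("obs:object:getObject", "obs:object:putObject", "obs:object:deleteObject"):
        ok = effective_allows(AGENCY_POLICY, SESSION_POLICY, act, obj)
        print(act, "->", "allowed" if ok else "denied")
```

Running it shows get and put allowed and delete denied, even though the trust agency's own policy would have allowed the delete.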