Using IAM Roles or Policies to Allow Access to SWR
System-defined permissions in role/policy-based authorization provided by Identity and Access Management (IAM) let you control access to your SWR resources. With IAM, you can:
- Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing SWR resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust another Huawei Cloud account or a cloud service to perform O&M on your SWR resources.
If your account does not require individual IAM users for permissions management, you can skip this section.
Figure 1 shows the process flow of role/policy-based authorization.
Prerequisites
Before granting permissions to user groups, learn about system-defined permissions for SWR. For details, see Permissions. To grant permissions for other services, learn about all system-defined permissions.
Process Flow
1. Create a user group and assign permissions to it.
   Create a user group on the IAM console and grant the SWR Admin permissions to the group.
2. Create an IAM user and add it to the user group.
   Create a user on the IAM console and add the user to the group created in step 1.
3. Log in and verify permissions.
   Log in to the management console using the IAM user and switch to the authorized region. If the following operations can be performed, the permissions have been assigned successfully:
   - Choose Service List > SoftWare Repository for Container. The SWR console is displayed.
   - In the navigation pane, choose Organizations. Click Create Organization in the upper right corner and enter an organization name to create an organization.
   - In the navigation pane, choose My Images. Click Upload Through SWR in the upper right corner, select the new organization, and upload a local image file to SWR.
SWR Resources
A resource is an object that exists within a service. SWR resources are organizations (namespace) and image repositories (repo). When creating a policy, you select a resource by specifying its path; the path of an image repository always includes its organization in the form organization/repository.
| Resource | Resource Name | Path |
|---|---|---|
| repo | Image repository | Format: swr:*:*:repo:image repository name. The first * is the region ID and the second * is the domain ID. IAM automatically generates the path prefix swr:*:*:repo:; append the image repository name (organization/repository) to it for a specific repository, or use a wildcard character (*) to match any repository. Examples: swr:*:*:repo:test/nginx* matches every repository in the test organization whose name starts with nginx; swr:*:*:repo:test/nginx matches only the repository named nginx in the test organization. |
| namespace | Organization | Format: swr:*:*:namespace:organization name. The first * is the region ID and the second * is the domain ID. IAM automatically generates the path prefix swr:*:*:namespace:; append the organization name to it for a specific organization, or use a wildcard character (*) to match any organization. Examples: swr:*:*:namespace:test* matches every organization whose name starts with test; swr:*:*:namespace:test matches only the organization named test. |
Example 1: To allow users only to query brief information about image repositories (the swr:repo:getRepo action on any repository in any region), configure a policy as follows:
  {
    "Version": "5.0",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "swr:repo:getRepo"
        ],
        "Resource": [
          "swr:*:*:repo:*"
        ]
      }
    ]
  }
Example 2: To synchronize an image named test from the source organization in the cn-north-4 region to the target organization in the cn-north-7 region, a user needs permission to create auto image synchronization tasks and pull images in the cn-north-4 region, permission to obtain temporary login commands in the cn-north-4 and cn-north-7 regions, and permission to push images in the cn-north-7 region. The synchronized image is written to the repository target/test in cn-north-7, so the push statement names that repository path rather than the whole target organization. The createLoginSecret action is not scoped to a repository, so the last statement carries no Resource element and applies in both regions. Configure a policy as follows:
  {
    "Version": "5.0",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "swr:repo:createAutoSyncRepoJob",
          "swr:repo:download"
        ],
        "Resource": [
          "swr:cn-north-4:*:repo:source/test"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "swr:repo:upload"
        ],
        "Resource": [
          "swr:cn-north-7:*:repo:target/test"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "swr::createLoginSecret"
        ]
      }
    ]
  }
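Both example policies decide a request by matching the requested action and the resource path against each statement, with the region, domain and name segments of the path each playing a different role. The following Python script is an added example, not code from the SWR documentation or from Huawei Cloud: it loads both example policies and evaluates constructed requests against them so you can see exactly which region, organization and repository combinations each one covers, and which it rejects. It assumes that * in an action or in the name segment of a path is a glob wildcard, that a statement without a Resource element applies to every resource, that an explicit Deny overrides any Allow and that anything not explicitly allowed is denied; the domain ID d0123 and all request paths are constructed for the example.

```python
"""Added example: a minimal evaluator for the IAM 5.0-style policies shown on
this page. It is not part of the SWR documentation or of any Huawei Cloud SDK.

Assumptions (not stated on the page): '*' in an action or in the name segment
of a resource path is a glob wildcard, a statement with no "Resource" element
applies to every resource, an explicit Deny overrides any Allow, and anything
not explicitly allowed is denied.
"""
import json
import re
from typing import Optional

# Example 1 from the page: read-only access to repository metadata.
POLICY_READ_ONLY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["swr:repo:getRepo"],
      "Resource": ["swr:*:*:repo:*"]
    }
  ]
}
""")

# Example 2 from the page: cross-region sync of source/test into target/test.
POLICY_SYNC = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["swr:repo:createAutoSyncRepoJob", "swr:repo:download"],
      "Resource": ["swr:cn-north-4:*:repo:source/test"]
    },
    {
      "Effect": "Allow",
      "Action": ["swr:repo:upload"],
      "Resource": ["swr:cn-north-7:*:repo:target/test"]
    },
    {
      "Effect": "Allow",
      "Action": ["swr::createLoginSecret"]
    }
  ]
}
""")


def _glob(pattern: str, value: str) -> bool:
    """Match one action or name segment where '*' means any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def path_matches(pattern: str, resource: str) -> bool:
    """Match a policy resource path against a concrete resource path.

    Both take the form swr:<regionid>:<domainid>:<type>:<name>. The first four
    segments must be equal, or '*' in the pattern; the name segment is matched
    as a glob, so test/nginx* covers every repository in organization test
    whose name starts with nginx but never prod/nginx.
    """
    p = pattern.split(":", 4)
    r = resource.split(":", 4)
    if len(p) != 5 or len(r) != 5:
        return False
    for pat_seg, res_seg in zip(p[:4], r[:4]):
        if pat_seg != "*" and pat_seg != res_seg:
            return False
    return _glob(p[4], r[4])


def is_allowed(policy: dict, action: str, resource: Optional[str] = None) -> bool:
    """Decide one request: Deny wins over Allow, and no matching Allow means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action) for a in stmt.get("Action", [])):
            continue
        resources = stmt.get("Resource")
        if resources is not None:
            # A statement with a Resource list only applies when the request names
            # a resource that one of its paths matches.
            if resource is None or not any(path_matches(pat, resource) for pat in resources):
                continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed requests; d0123 stands in for a real domain ID.
    checks = [
        (POLICY_READ_ONLY, "swr:repo:getRepo", "swr:cn-north-4:d0123:repo:test/nginx"),
        (POLICY_READ_ONLY, "swr:repo:upload", "swr:cn-north-4:d0123:repo:test/nginx"),
        (POLICY_SYNC, "swr:repo:download", "swr:cn-north-4:d0123:repo:source/test"),
        (POLICY_SYNC, "swr:repo:download", "swr:cn-north-7:d0123:repo:source/test"),
        (POLICY_SYNC, "swr:repo:upload", "swr:cn-north-7:d0123:repo:target/test"),
        (POLICY_SYNC, "swr::createLoginSecret", None),
    ]
    for policy, action, resource in checks:
        print(f"{action:32} {str(resource):45} -> {is_allowed(policy, action, resource)}")
```

Running the script shows the effect of each path segment: the read-only policy permits getRepo on any repository in any region but nothing else, and the sync policy permits download on source/test only in cn-north-4 and upload on target/test only in cn-north-7, while createLoginSecret, having no Resource list, is allowed wherever it is requested.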