Using IAM Identity Policies to Grant Access to VPC Endpoint
System-defined permissions in identity policy-based authorization provided by IAM let you control access to your VPC Endpoint resources. With IAM, you can:
- Create IAM users or user groups for employees based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing VPC Endpoint resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust a HUAWEI ID or a cloud service to perform efficient O&M on your VPC Endpoint resources.
If your HUAWEI ID meets your permissions requirements, you can skip this section.
Figure 1 shows the process flow of identity policy-based authorization.
Prerequisites
Before granting permissions, you have learned about VPC Endpoint permissions. Before granting permissions, learn about system-defined permissions in Identity Policy-based Authorization. To grant permissions for other services, you have learned about all system-defined permissions supported by IAM.
Process Flow
- On the IAM console, create an IAM user or create a user group.
Log in to the IAM console to create an IAM user or user group.
- Attach a system-defined policy to the user or user group.
Attach the VPCEPReadOnlyPolicy identity policy to the IAM user or user group.
- Log in as the IAM user and verify permissions.
In the authorized region, perform the following operations:
- On the Service List page, click VPC Endpoint. Then click Buy VPC Endpoint in the upper right corner. If a message appears indicating that you have insufficient permissions to perform the operation, the VPCEPReadOnlyPolicy policy is in effect.
- Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the VPCEPReadOnlyPolicy policy is in effect.
Example Custom Identity Policies
You can create custom identity policies to supplement system-defined identity policies of VPC Endpoint. Add actions in custom identity policies as needed. For details about supported actions, see "Actions Supported by Identity Policy-based Authorization" in the VPC Endpoint API Reference.
To create a custom identity policy, choose either visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and conditions. This does not require knowledge of policy grammar.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Identity Policy and Attaching It to a Principal.
When creating a custom Identity policy, use the Resource element to specify the resources the identity policy applies to and use the Condition element (service-specific condition keys) to control when the identity policy is in effect. For details about supported resource types and condition keys, see "Actions Supported by Identity Policy-based Authorization" in the VPC Endpoint API Reference.
The following are examples of custom identity policies of VPC Endpoint.
- Example 1: Grant permissions to create and delete a VPC endpoint.
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "vpcep:endpoints:delete", "vpcep:endpoints:create" ] } ] } - Example 2: Create a custom identity policy that contains multiple actions.
A custom policy can contain the actions of one or multiple services. The following is a custom policy containing multiple actions:
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "vpcep:endpoints:delete" ] }, { "Effect": "Allow", "Action": [ "vpcep:endpointServices:create", "vpcep:endpointServices:delete" ] }, { "Effect": "Allow", "Action": [ "vpc:peerings:accept", "vpc:vpcs:create" ] } ] }
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
