Using IAM Roles or Policies to Grant Access to GeminiDB DynamoDB-Compatible API
- Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing DRS resources.
- Grant only the permissions required for users to perform a specific task.
- Entrust a Huawei Cloud account or cloud service to perform efficient O&M on your GeminiDB resources.
If you do not need to create an IAM user, skip this section.
Figure 1 shows the process of role-based authorization.
Prerequisites
Before granting permissions to user groups, learn about system-defined permissions in Role/Policy-based Authorization for GeminiDB. For other services, see System-defined Permissions.
Process Flow
- Create a user group and grant permissions to it.
Create a user group on the IAM console and grant the GeminiDB ReadOnlyAccess permission to GeminiDB.
- Create an IAM user and add it to the group.
Create a user on the IAM console and add it to the user group created in 1.
- Log in as an IAM user and verify permissions.
Log in by following Logging In to Huawei Cloud as an IAM User, select the authorized region, and verify permissions.
- Choose GeminiDB from the service list. On the GeminiDB console, click Buy DB Instance in the upper right corner to create a GeminiDB instance. If the GeminiDB instance cannot be created (assuming that the current permission contains only GeminiDB ReadOnlyAccess), the GeminiDB ReadOnlyAccess policy is in effect.
- Choose any other service from the service list. If a message appears indicating that you have insufficient permissions to access the service, the GeminiDB ReadOnlyAccess policy has already taken effect.
Example Custom Policies
If the system-defined GeminiDB permissions do not meet your requirements, you can create custom policies. For details about the actions that can be added to a custom policy, see Actions Supported by Policy-based Authorization.
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Policy. The following lists examples of common GeminiDB custom policies.
- Example 1: Allowing users to create GeminiDB instances
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "nosql:instance:create" ] } ] } - Example 2: Denying GeminiDB instance deletion
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
If you grant the GeminiDB FullAccess system policy to a user but do not want the user to delete GeminiDB instances, you can create a custom policy to deny GeminiDB instance deletion. Then, grant both the GeminiDB FullAccess policy and the custom policy to the user. The following is an example of a deny policy:
{ "Version": "1.1", "Statement": [ { "Effect": "Deny" "Action": [ "nosql:instance:delete" ], } ] } - Example 3: Defining permissions for multiple services in a policy
A custom policy can contain actions of multiple services that are of the global- or project-level type. The following is an example policy containing actions of multiple services:
{ "Version": "1.1", "Statement": [ { "Action": [ "nosql:instance:create", "nosql:instance:rename", "nosql:instance:delete", "vpc:publicIps:list", "vpc:publicIps:update" ], "Effect": "Allow" } ] }
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
