Using IAM to Grant Access to HSS Creating a User and Granting Permissions HSS Custom Policies HSS Actions
If your Huawei Cloud account does not need individual IAM users, then you may skip over this section. By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign policies or roles to these groups.
Parent Topic: Using IAM to Grant Access to HSS
"Action": [ "hss:hosts:switchVersion", "hss:hosts:manualDetect", "hss:manualDetectStatus:get" ] } ] } Parent Topic: Using IAM
Identity Authentication and Access Control Identity and Access Management (IAM) provides refined permissions management for HSS resources. You can: Create IAM users for employees based on the organizational structure of your enterprise.
IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see What Is IAM? HSS Permissions By default, new IAM users do not have permissions assigned.
For example, to obtain an IAM token in the CN-Hong Kong region, obtain the endpoint of IAM (iam.ap-southeast-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
Related Services You can use SMN to receive alarm notifications, IAM service to manage user permissions, and Cloud Trace Service (CTS) to audit user behaviors.
On the Permissions tab, click Authorize User Group to go to the User Groups page on the IAM console. Associate the enterprise project with a user group and assign permissions to the group. For details, see Creating a User Group and Assigning Permissions in the IAM help.
Query Clusters in a Project cce:cluster:list Query Agencies Based on Specified Conditions iam:agencies:listAgencies Prerequisites To let an IAM user perform operations, assign the Security Administrator system role or the HSS AgencyOperatePolicy system policy to the user.
For details about how to grant permissions, see Assigning Permissions to an IAM User. Parent topic: Others
protected: CCE cluster: container tunnel network model, cloud native network 2.0 model, and VPC network model Other Kubernetes clusters: container tunnel network model In a CCE cluster, to operate resource objects, you need to obtain either of the following operation permissions: IAM
If you perform operations as an IAM user, ensure that the IAM user has been assigned the HSS FullAccess permission. For details, see Creating a User and Granting Permissions.
Constraints The following permissions are required for IAM users to stop a scan: HSS permission: batch image scan (hss:images:set) or container asset management (hss:containers:set) For details, see Using IAM to Grant Access to HSS.
For example, if status code 201 is returned for calling the API used to create an IAM user, the request is successful. Response Header A response header corresponds to a request header, for example, Content-Type.
In a CCE cluster, to operate and protect resource objects, you need to obtain either of the following operation permissions: IAM permissions: Tenant Administrator or CCE Administrator. Namespace permissions (authorized by Kubernetes RBAC): O&M permissions.
When using a token for authentication, cache it to prevent frequently calling the IAM API used to obtain a user token. A token specifies temporary permissions in a computer system.
For security purposes, create IAM users and grant them permissions for routine management. User A user is created using a domain to use cloud services. Each user has its own identity credentials (password and access keys).
Preparations If you perform operations as an IAM user, ensure that the IAM user has been assigned the HSS FullAccess permission. For details, see Creating a User and Granting Permissions.