If your IAM account does not have VPC operation permissions, log in to the IAM console using a Huawei Cloud account and grant the permissions to your IAM account.
Creating a User and Granting VPN Permissions
Use the Identity and Access Management (IAM) service to implement fine-grained permissions control over your VPN resources. With IAM, you can: Create IAM users for employees based on your enterprise's organizational structure.
Check whether your account is an IAM user account. If it is, perform operations on the IAM console as the Huawei Cloud account user to grant your IAM user account the VPC operation permissions. Ensure that your account has the VPC Administrator, Tenant Guest, and VPN Administrator permissions.
IAM or enterprise projects on which actions take effect. Policies that contain actions supporting both IAM and enterprise projects can be used and take effect in both IAM and Enterprise Management.
The VPN gateways and connections created by a Huawei Cloud account are invisible to IAM user accounts. A message will be displayed indicating that the system is busy if you create a VPN gateway or connection using an IAM user account.
For example, to obtain a token of IAM in the CN North-Beijing4 region, obtain the endpoint of IAM (iam.cn-north-4.myhuaweicloud.com) in this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
For more information about IAM, see IAM Service Overview.
VPN Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups.
Instead, you are advised to create Identity and Access Management (IAM) users and grant routine management permissions to the users.
User
You can use your account to create IAM users for routine management of specific cloud services.
VPN Quota

| Permission | API | Action | Dependencies | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Querying VPN quotas | GET /v5/{project_id}/vpn/quotas | vpn:quota:list | - | √ | × |
VPN Connection Monitor

| Permission | API | Action | Dependencies | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a VPN connection monitor | POST /v5/{project_id}/connection-monitors | vpn:connectionMonitors:create | - | √ | x |
| Querying the VPN connection monitor list | GET /v5/{project_id}/connection-monitors |
Customer Gateway

| Permission | API | Action | Dependencies | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a customer gateway | POST /v5/{project_id}/customer-gateways | vpn:customerGateways:create | - | √ | x |
| Querying details about a customer gateway | GET /v5/{project_id}/customer-gateways/{customer_gateway_id
Access Policy

| Permission | API | Action | Dependencies | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a VPN access policy | POST /v5/{project_id}/p2c-vpn-gateways/vpn-servers/{vpn_server_id}/access-policies | vpn:p2cVpnGateway:createAccessPolicy | - | √ | x |
| Querying the VPN access policy list | GET /v5/{project_id
VPN Tag

| Permission | API | Action | Dependencies | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a resource tag | POST /v5/{project_id}/{resource_type}/{resource_id}/tags/create | vpn:resourceInstanceTags:create | - | √ | x |
| Deleting tags of a resource | POST /v5/{project_id}/{resource_type}/{resource_id}/tags
Cloud Eye Identity and Access Management (IAM) Allows you to assign different permissions to different users. It enables fine-grained control over your VPN resources.
VPN Gateway

| Permission | API | Action | Dependencies | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Subscribing to a yearly/monthly P2C VPN gateway | POST /v5/{project_id}/p2c-vpn-gateways/subscribe/{order_id} | vpn:p2cVpnGateway:subscribe | vpn:p2cVpnGateway:listAvailabilityZones vpc:vpcs:list vpc:subnets:get
The API for obtaining the project ID is GET https://{IAM endpoint}/v3/projects. For details about API authentication, see Authentication. The following is an example response.
Server

| Permission | API | Action | Dependencies | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a P2C VPN server | POST /v5/{project_id}/p2c-vpn-gateways/{p2c_vgw_id}/vpn-servers | vpn:p2cVpnGateway:createServer | scm:cert:get scm:cert:list scm:cert:download vpc:publicIps:get vpc:routeTables:update vpc
VPN Connection

| Permission | API | Action | Dependencies | IAM Project | Enterprise Project |
|---|---|---|---|---|---|
| Creating a VPN connection | POST /v5/{project_id}/vpn-connection | vpn:vpnConnections:create | ces:metricData:list ces:currentRegionSupportedMetrics:list vpc:vpcs:list vpc:vpcs:get vpc:subnets:get vpc:subnets
If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.