Elastic Volume Service

EVS CTIAM

2025-03-26 06:50:55

Identity and Access Management (IAM) is a basic service that supports user permission management and can help you securely control access and operation permissions of your cloud services and resources.

Introduction to IAM

The main functions provided by IAM include: fine-grained permission management, secure access, batch management of user permissions through user groups, delegation of resource management to other accounts, etc.

Identity Management

Access Control: Identities in IAM include IAM users and IAM user groups.

IAM users have a specific login password and access key, while IAM user groups are used to classify IAM users with the same responsibilities. Both IAM users and IAM user groups can be assigned a set of permission policies. When resources need to be used collaboratively, avoid directly sharing eSurfing Cloud account passwords and related information. Reduce the visibility of different IAM sub-user information and grant permissions to IAM sub-users and IAM user groups as needed. Even if confidential information is inadvertently leaked, it will not jeopardize all resources under the eSurfing Cloud account.

Permission management

Identity and Access Management (IAM) describes authorization content through permission policies. Permission policies contain fixed basic elements such as Action and Effect. For more information, see Step 2: Creating Custom Policy. After adding a set of permission policies to IAM users and IAM user groups in global authorization or enterprise project authorization, they will have the right to access specified resources.

Permission policies are divided into system policies and custom policies:

System policy: A preset system policy. You can use it but not modify it. EVS-related system policies include:

EVS Admin: Administrator permission of EVS, including all control permissions of the EVS (excluding order permissions);

EVS Viewer: Viewer permission of EVS, including permissions on the EVS list page and details page;

Custom policy: The permission policy you create and maintain as needed. For the operation and example of custom policies, see Step 2: Creating Custom Policy.

Permission Table of EVS APIs

The following shows the permission triplet of EVS and its effective range:

Note:

eSurfing Cloud supports permission authorization for user groups/sub-users at the resource pool or global level, or for user groups at the resource group level in enterprise projects. Interfaces or resources without enterprise project attributes can only be authorized at the resource pool or global level. The authorization at the resource pool or global level takes precedence over the resource group level in enterprise projects.

| Console Interface | Permission Triplet | Configuration Support: IAM (Resource Pool/Global) | Configuration Support: Enterprise Project (Resource Group) |
|---|---|---|---|
| Create EVS | evs:volumes:create | | |
| Get the EVS list | evs:volumes:list | | |
| Get EVS details | evs:volumes:get | | |
| | ecs:cloudServers:list | | |
| Renew EVS | evs:volumes:create | | |
| Scale up EVS | evs:volumes:extend | | |
| Unsubscribe from EVS | evs:volumes:delete | | |
| Mount EVS (bind) | evs:volumes:attach | | |
| | ecs:cloudServers:list | | |
| | ecs:cloudServers:get | | |
| Unmount EVS (unbind) | evs:volumes:detach | | |
| | ecs:cloudServers:list | | |
| | ecs:cloudServers:get | | |
| Modify EVS type | evs:volumes:extend | | |
| Create Snapshot | evs:snapshot:create | | × |
| Set automatic snapshot policy | evs:snapshot:create | | × |
| | evs:volumes:create | | |
| Modifying EVS Name | evs:volumes:put | | × |
| Switch to periodical mode | evs:switchPeriod:create | | |
| Switch to pay-as-you-go upon expiration | evs:switchRequired:create | | |

For operations that support IAM configuration but not enterprise project configuration, such as Creating Snapshot, Setting Automatic Snapshot Policy, and Modifying EVS Name, if IAM permission is not configured, the IAM permission will not be granted by default, and the operation will be blocked. In this case, you can add IAM permission to the operation in IAM to avoid the restriction. For details, see FAQs - Permission Management.

Controlling Access to Resources Through IAM Users

In collaborative resource usage scenarios, you can create multiple IAM users and grant them different permissions according to their duties, so that multiple IAM sub-users manage different resources separately. This improves management efficiency and reduces the risk of information leakage. This topic describes how to create IAM sub-users and grant specific permission policies to control access to EVS resources.

Operation Steps

Step 1: Create an IAM Sub-user

For more information, see Identity and Access Management (IAM).

Step 2: Create a Custom Policy

eSurfing Cloud provides system policies for accessing EVS resources. For more information, see Permission Management. If system policies cannot meet your needs, you can also create custom policies. For more information, see Identity and Access Management (IAM).

Policies include custom policies that users can define and system policies predefined in the platform.

The fine-grained authorization policy structure consists of a policy version number (Version) and a list of policy statements (Statement).

- Policy Version Number: Version, indicating the version number of the policy structure. Currently, it is version 1.1.

- Policy Statement: Statement. The basic elements are Effect and Action.

- Effect: either Allow or Deny.

- Action: Action rights on resources. A statement can list one or multiple action rights.

a) Example 1 of script configuration policy: Configuring EVS viewer rights for IAM sub-users.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "evs:volumes:list",
                "evs:volumes:get"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

b) Example 2 of script configuration policy: Configuring all action rights on EVS and ECS for IAM sub-users. (* indicates all values)

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "evs:*:*",
                "ecs:*:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Step 3: Authorize Custom Policy

Grant IAM users access to resources in the range of the custom policy. For more information, see Identity and Access Management (IAM).

Step 4: Authorize System Policy

You can also directly authorize IAM sub-users using eSurfing Cloud's preset system policies.
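
Before authorizing a custom policy, it helps to see which console operations it really enables. The following is an added example, not eSurfing Cloud code: it checks a policy in the format above against the permission table on this page and reports the operations it enables and any wildcard actions. The matching rules (one "*" per segment, Deny wins over Allow, every listed triplet is needed) are assumptions, and Resource scoping is not modelled.

```python
import json

# Console operation -> triplets from the permission table above (assumed: all are needed).
REQUIRED = {
    "Create EVS": ["evs:volumes:create"],
    "Get the EVS list": ["evs:volumes:list"],
    "Get EVS details": ["evs:volumes:get", "ecs:cloudServers:list"],
    "Renew EVS": ["evs:volumes:create"],
    "Scale up EVS": ["evs:volumes:extend"],
    "Unsubscribe from EVS": ["evs:volumes:delete"],
    "Mount EVS (bind)": ["evs:volumes:attach", "ecs:cloudServers:list", "ecs:cloudServers:get"],
    "Unmount EVS (unbind)": ["evs:volumes:detach", "ecs:cloudServers:list", "ecs:cloudServers:get"],
    "Modify EVS type": ["evs:volumes:extend"],
    "Create Snapshot": ["evs:snapshot:create"],
    "Set automatic snapshot policy": ["evs:snapshot:create", "evs:volumes:create"],
    "Modifying EVS Name": ["evs:volumes:put"],
    "Switch to periodical mode": ["evs:switchPeriod:create"],
    "Switch to pay-as-you-go upon expiration": ["evs:switchRequired:create"],
}

def matches(pattern, triplet):
    # Assumption: "*" stands for one whole colon-separated segment.
    p, t = pattern.split(":"), triplet.split(":")
    return len(p) == len(t) and all(a in ("*", b) for a, b in zip(p, t))

def is_allowed(policy, triplet):
    # Assumption: an explicit Deny wins over Allow; no matching statement means denied.
    allowed = False
    for st in policy["Statement"]:
        if any(matches(a, triplet) for a in st["Action"]):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def audit(policy_json):
    """Return (console operations the policy enables, wildcard Allow actions)."""
    policy = json.loads(policy_json)
    enabled = sorted(op for op, need in REQUIRED.items()
                     if all(is_allowed(policy, t) for t in need))
    wildcards = sorted({a for st in policy["Statement"] if st["Effect"] == "Allow"
                        for a in st["Action"] if "*" in a})
    return enabled, wildcards

# Constructed sample: a policy meant to let a sub-user list and scale up disks.
SAMPLE = '{"Version":"1.1","Statement":[{"Effect":"Allow","Action":["evs:volumes:list","evs:volumes:extend"],"Resource":["*"]}]}'

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For the sample policy the result includes "Modify EVS type" as well as "Scale up EVS", because both operations share evs:volumes:extend in the permission table.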

