Permissions Management
If you need to assign different permissions to employees in your company to access your GaussDB resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you securely manage access to your resources.
If your account does not need individual IAM users for permissions management, you can skip this section.
With IAM, you can use your account to create IAM users for your employees, and assign specific permissions to different users to control their access to specific resource types. For example, you can grant software developers in your company permissions to use GaussDB resources but not the permissions needed to delete them or perform any high-risk operations.
GaussDB Permissions
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach permission policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services.
GaussDB is a project-level service deployed in specific physical regions. To assign GaussDB permissions to a user group, specify the scope as region-specific projects and select the project (eu-de) for the permissions to take effect. If All projects is selected, the permissions will be granted to the user group in all region-specific projects. When accessing GaussDB, the users need to switch to the authorized region.
You can use roles and policies to manage user permissions.
Roles: A coarse-grained way of granting permissions related to users' responsibilities. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you may need to assign additional roles because of the dependencies between role-based permissions. Roles are not ideal for fine-grained authorization or least-privilege access.
Policies: A finer-grained system. Policies let you define the permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible, policy-based authorization on a principle of least privilege (PoLP) basis. For example, you can grant IAM users only the permissions needed to manage a certain type of GaussDB resource. Most policies define permissions based on APIs.
Table 1 lists all the system-defined policies supported by GaussDB.
Policy Name | Description | Category |
---|---|---|
GaussDB FullAccess | Full permissions for GaussDB | System-defined policy |
GaussDB ReadOnlyAccess | Read-only permissions for GaussDB | System-defined policy |
Table 2 lists the common operations supported by each system policy of GaussDB. Choose appropriate system policies based on this table.
Operation | GaussDB FullAccess | GaussDB ReadOnlyAccess |
---|---|---|
Creating a GaussDB instance | Y | x |
Deleting a GaussDB instance | Y | x |
Querying GaussDB instances | Y | Y |
Table 3 lists the actions required for each common GaussDB operation, together with the actions of other services that some operations depend on.
Operation | Action | Remarks |
---|---|---|
Creating a DB instance | gaussdb:instance:create, gaussdb:param:list | To select a VPC, subnet, and security group, also configure vpc:vpcs:list, vpc:vpcs:get, vpc:subnets:get, and vpc:securityGroups:get. To create an encrypted instance, configure kms:cmk:get and kms:cmk:list for the project. To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Changing vCPUs and memory of an instance | gaussdb:instance:modifySpec | To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Adding nodes | gaussdb:instance:modifySpec | To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Scaling up storage | gaussdb:instance:modifySpec | To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Rebooting a DB instance | gaussdb:instance:restart | To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Deleting a DB instance | gaussdb:instance:delete | To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Querying instances | gaussdb:instance:list | N/A |
Querying instance details | gaussdb:instance:list | To display VPC, subnet, and security group information in the instance list, configure vpc:*:get and vpc:*:list. To display the disk usage, configure ces:*:list. |
Changing a DB instance password | gaussdb:instance:modify | To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Changing a DB instance name | gaussdb:instance:modify | N/A |
Binding or unbinding an EIP | gaussdb:instance:modify | To display EIPs on the console, configure vpc:publicIps:get and vpc:publicIps:list. To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Creating a parameter template | gaussdb:param:create, gaussdb:param:list | N/A |
Modifying a parameter template | gaussdb:param:modify | N/A |
Obtaining parameter templates | gaussdb:param:list | N/A |
Applying a parameter template | gaussdb:param:apply | To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Deleting a parameter template | gaussdb:param:delete | N/A |
Creating a manual backup | gaussdb:backup:create | To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Obtaining backups | gaussdb:backup:list | N/A |
Modifying the backup policy | gaussdb:instance:modifyBackupPolicy | N/A |
Deleting a manual backup | gaussdb:backup:delete | To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Restoring data to a new DB instance | gaussdb:instance:create | To select a VPC, subnet, and security group, also configure vpc:vpcs:list, vpc:vpcs:get, vpc:subnets:get, and vpc:securityGroups:get. To report event monitoring of a failed operation, configure ces:alarmsOnOff:put and ces:alarms:create. |
Querying project tags | gaussdb:tag:list | N/A |
Adding or deleting project tags in batches | gaussdb:instance:dealTag | N/A |
Modifying quotas | gaussdb:quota:modify | N/A |
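The following Python script is an added example (not code from the page or from the GaussDB/IAM product) that turns the operation-to-action table above into a least-privilege check, along the lines of the developer scenario in the introduction: a user who may create, query, reboot and back up instances but may not delete anything. It transcribes a subset of the table's actions, derives the minimal action set for a job role, assembles a custom policy document, and then audits any policy (including wildcard grants such as gaussdb:*:*) for missing actions and for high-risk deletion actions it grants. The policy document shape (Version "1.1" with Statement/Effect/Action entries) is the IAM custom-policy format as assumed here, and the wildcard and Deny-overrides-Allow semantics are the script's own simplified model, not a statement of how the service evaluates policies.

```python
"""Least-privilege helper for GaussDB IAM actions (added example, not vendor code)."""
import json
from fnmatch import fnmatchcase

# Actions each operation needs, transcribed from the page's table (subset).
OPERATION_ACTIONS = {
    "Creating a DB instance": ["gaussdb:instance:create", "gaussdb:param:list"],
    "Deleting a DB instance": ["gaussdb:instance:delete"],
    "Querying instances": ["gaussdb:instance:list"],
    "Rebooting a DB instance": ["gaussdb:instance:restart"],
    "Creating a manual backup": ["gaussdb:backup:create"],
    "Obtaining backups": ["gaussdb:backup:list"],
    "Deleting a manual backup": ["gaussdb:backup:delete"],
}

# Optional dependency actions named in the table's Remarks column, keyed by feature.
DEPENDENCY_ACTIONS = {
    "vpc selection": ["vpc:vpcs:list", "vpc:vpcs:get", "vpc:subnets:get", "vpc:securityGroups:get"],
    "encrypted instance": ["kms:cmk:get", "kms:cmk:list"],
    "failure event monitoring": ["ces:alarmsOnOff:put", "ces:alarms:create"],
}

# Deletion actions from the table; the page treats deleting resources as high-risk.
HIGH_RISK_ACTIONS = {"gaussdb:instance:delete", "gaussdb:backup:delete", "gaussdb:param:delete"}


def required_actions(operations, features=()):
    """Minimal sorted action set for the given operations plus optional dependency features."""
    actions = set()
    for op in operations:
        actions.update(OPERATION_ACTIONS[op])
    for feature in features:
        actions.update(DEPENDENCY_ACTIONS[feature])
    return sorted(actions)


def build_policy(actions):
    """Custom policy document with a single Allow statement (assumed Version 1.1 shape)."""
    return {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": sorted(actions)}]}


def policy_grants(policy, action):
    """True if some Allow statement matches the action (with '*' wildcards) and no Deny does.

    Simplified evaluation model used for this example: explicit Deny wins over Allow.
    """
    allowed = denied = False
    for stmt in policy["Statement"]:
        if any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                denied = True
            elif stmt["Effect"] == "Allow":
                allowed = True
    return allowed and not denied


def audit_policy(policy, operations, features=()):
    """Compare a policy against a role's needs.

    Returns (missing, excess_high_risk): actions the role needs but the policy lacks,
    and high-risk deletion actions the policy grants although the role does not need them.
    """
    needed = set(required_actions(operations, features))
    missing = sorted(a for a in needed if not policy_grants(policy, a))
    excess = sorted(a for a in HIGH_RISK_ACTIONS - needed if policy_grants(policy, a))
    return missing, excess


if __name__ == "__main__":
    # Developer role from the introduction: use instances, never delete them.
    dev_ops = ["Creating a DB instance", "Querying instances", "Rebooting a DB instance",
               "Creating a manual backup", "Obtaining backups"]
    dev_policy = build_policy(required_actions(dev_ops, ["vpc selection"]))
    print(json.dumps(dev_policy, indent=2))
    print("tailored policy audit:", audit_policy(dev_policy, dev_ops, ["vpc selection"]))

    # A blanket wildcard grant covers the same work but also every deletion action.
    wildcard = {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": ["gaussdb:*:*"]}]}
    print("wildcard policy audit:", audit_policy(wildcard, dev_ops, ["vpc selection"]))
```

The audit's second return value is the practical signal: a policy that passes the "missing" check but lists deletion actions the role never needs is over-broad and should be tightened, either by enumerating actions as build_policy does or by adding a Deny statement for the high-risk actions.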