Permission
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
RFS is a project-level service deployed in specific physical regions. To assign RFS permissions to a user group, set the scope to region-specific projects and select the projects in which the permissions take effect. If All projects is selected, the permissions take effect for the user group in every region-specific project. When accessing RFS, users must switch to a region in which they have been authorized to use the service.
You can grant permissions by using roles and policies.
Roles: A coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides a limited number of service-level roles. Open Telekom Cloud services depend on each other, so when you grant permissions using roles you may also need to attach the roles that the target role depends on. Roles are not suited to fine-grained authorization or least-privilege access.
Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access.
Item | Description | Type |
---|---|---|
RF FullAccess | All permissions for RFS. | System-defined policy |
RF DeployByExecutionPlanOperations | Create, apply, and read permissions for execution plans and read permissions for stacks. | System-defined policy |
RF ReadOnlyAccess | Read-only permissions for RFS. | System-defined policy |
Table 2 lists the common operations supported by each system-defined policy of RFS. Select policies according to this table.
Operation | RF FullAccess | RF DeployByExecutionPlanOperations | RF ReadOnlyAccess |
---|---|---|---|
Create a template | Y | x | x |
Create a template version | Y | x | x |
Delete a template | Y | x | x |
Delete a template version | Y | x | x |
List templates | Y | Y | Y |
List template versions | Y | Y | Y |
Show template metadata | Y | x | Y |
Show template version content | Y | Y | Y |
Show template version metadata | Y | x | Y |
Update template metadata | Y | x | x |
Parse template variables | Y | Y | Y |
Apply execution plan | Y | Y | x |
Create execution plan | Y | Y | x |
Delete execution plan | Y | x | x |
Get execution plan | Y | Y | Y |
Get execution plan metadata | Y | Y | Y |
List execution plans | Y | Y | Y |
Create stack | Y | x | x |
Delete stack | Y | x | x |
Deploy stack | Y | x | x |
Continue to deploy stack | Y | x | x |
Continue to rollback stack | Y | x | x |
Get stack metadata | Y | Y | Y |
Get stack template | Y | Y | Y |
List stack events | Y | Y | Y |
List stack outputs | Y | Y | Y |
List stack resources | Y | Y | Y |
List stacks | Y | Y | Y |
Update stack | Y | x | x |
If predefined permissions cannot meet your requirements, you can create custom policies. Custom policies allow you to perform fine-grained access control flexibly. For details about how to create a custom policy, see Creating a Custom Policy. For details about RFS example custom policies, see Custom Policies.
The following table lists fine-grained actions and dependencies for RFS.
System-defined Permission | Description | Dependencies | Scenario |
---|---|---|---|
rf:privateTemplate:create | Grant permissions to create a template | None | Create a template |
rf:privateTemplate:createVersion | Grant permissions to create a template version | | Create a template version |
rf:privateTemplate:delete | Grant permissions to delete a template | | Delete a template |
rf:privateTemplate:deleteVersion | Grant permissions to delete a template version | | Delete a template version |
rf:privateTemplate:list | Grant permissions to list templates | None | List templates |
rf:privateTemplate:listVersions | Grant permissions to list template versions | | List template versions |
rf:privateTemplate:showMetadata | Grant permissions to show template metadata | | Show template properties such as template name, ID and description |
rf:privateTemplate:showVersionContent | Grant permissions to show template version content | | Show template version content |
rf:privateTemplate:showVersionMetadata | Grant permissions to show template version metadata | | Show template version properties such as template version ID and description |
rf:privateTemplate:updateMetadata | Grant permissions to update template metadata | | Update template properties such as template description |
rf:template:parseTemplateVariables | Grant permissions to parse template variables | None | Parse and return all variable blocks in the template |
rf:stack:applyExecutionPlan | Grant permissions to apply an execution plan | | Deploy a stack by applying an execution plan |
rf:stack:createExecutionPlan | Grant permissions to create an execution plan | Required to locate the desired stack; required for creating an execution plan from a private template; required for configuring template variables; required for template resource encryption | Create an execution plan |
rf:stack:deleteExecutionPlan | Grant permissions to delete an execution plan | | Delete an execution plan |
rf:stack:getExecutionPlan | Grant permissions to get an execution plan | | Get an execution plan, which provides a preview of stack changes such as the operations to be performed on resources |
rf:stack:getExecutionPlanMetadata | Grant permissions to get execution plan metadata | | Get execution plan properties such as execution plan name, ID and description |
rf:stack:listExecutionPlans | Grant permissions to list execution plans | | List execution plans |
rf:stack:createStack | Grant permissions to create a stack | Required for creating a stack from a private template; required for configuring template variables; required for template resource encryption; required for configuring an agency; required for stack creation using direct deployment; required for stack creation using an execution plan | Create a stack |
rf:stack:deleteStack | Grant permissions to delete a stack | | Delete a stack |
rf:stack:deployStack | Grant permissions to deploy a stack | Required to locate the desired stack; required for directly deploying a private template; required for configuring template variables; required for template resource encryption | Deploy a stack directly |
rf:stack:continueDeployStack | Grant permissions to continue to deploy a stack | Required for template resource encryption | Retry a failed stack deployment |
rf:stack:continueRollbackStack | Grant permissions to continue to roll back a stack. Currently this functionality is only available at the API level. | None | Retry a failed stack rollback |
rf:stack:getStackMetadata | Grant permissions to get stack metadata | | Get stack properties such as stack ID, name and description |
rf:stack:getStackTemplate | Grant permissions to get a stack template | | Get stack template |
rf:stack:listStackEvents | Grant permissions to list stack events | | List stack events |
rf:stack:listStackOutputs | Grant permissions to list stack outputs | | List stack outputs |
rf:stack:listStackResources | Grant permissions to list stack resources | | List stack resources |
rf:stack:listStacks | Grant permissions to list stacks | None | List stacks |
rf:stack:updateStack | Grant permissions to update a stack | Required for configuring an agency | Update stack properties such as description, auto-rollback and deletion protection |
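As an added example (not part of this page or of RFS itself), the following Python snippet composes a least-privilege custom policy from the fine-grained actions listed above and checks which Table 2 operations it permits: deployment through execution plans is allowed, every delete action is explicitly denied. The IAM policy JSON shape (Version 1.1 / Statement / Effect / Action), the deny-overrides-allow evaluation and the `*` wildcard in action names are assumptions about IAM behaviour that this page does not specify.

```python
import fnmatch
import json

# Operation -> fine-grained action, taken from the permissions table on this page.
OPERATION_ACTIONS = {
    "List templates": "rf:privateTemplate:list",
    "Show template version content": "rf:privateTemplate:showVersionContent",
    "Parse template variables": "rf:template:parseTemplateVariables",
    "Create execution plan": "rf:stack:createExecutionPlan",
    "Get execution plan": "rf:stack:getExecutionPlan",
    "Apply execution plan": "rf:stack:applyExecutionPlan",
    "Delete execution plan": "rf:stack:deleteExecutionPlan",
    "List stacks": "rf:stack:listStacks",
    "Get stack metadata": "rf:stack:getStackMetadata",
    "Delete stack": "rf:stack:deleteStack",
}

# Constructed custom policy (assumed IAM JSON shape): deploy via execution plans,
# read what is needed to do so, and explicitly deny every delete action.
DEPLOY_ONLY_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": [
            "rf:privateTemplate:list",
            "rf:privateTemplate:showVersionContent",
            "rf:template:parseTemplateVariables",
            "rf:stack:createExecutionPlan",
            "rf:stack:getExecutionPlan",
            "rf:stack:applyExecutionPlan",
            "rf:stack:listStacks",
            "rf:stack:getStackMetadata",
        ]},
        {"Effect": "Deny", "Action": ["rf:stack:delete*", "rf:privateTemplate:delete*"]},
    ],
}


def is_allowed(policy, action):
    """Assumed evaluation: an explicit Deny wins; no matching statement means denied."""
    decision = False
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def allowed_operations(policy):
    """Return the Table 2 operations (from OPERATION_ACTIONS) that the policy permits."""
    return sorted(op for op, act in OPERATION_ACTIONS.items() if is_allowed(policy, act))


if __name__ == "__main__":
    print(json.dumps(DEPLOY_ONLY_POLICY, indent=2))
    print(allowed_operations(DEPLOY_ONLY_POLICY))
```

Cloud-service permissions for the resources in the Terraform template (and kms:dek:crypto when encryption is enabled) are granted separately, as the note below explains; this policy only covers the rf: actions.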
Note
If an agency is configured for the stack, make sure that the agency has all permissions required for stack deployment.
If no agency is configured for the stack, make sure that the user has all permissions required for stack deployment.
These permissions can be:
Cloud-service-specific permissions, depending on the resources and operations described in the Terraform template.
The kms:dek:crypto permission, if resource encryption is enabled in the Terraform template.