Ao criar uma AK/SK para o Huawei Cloud na opção de IAM e um usuário não administrador, utilize os 2 JSONs abaixo. O primeiro precisa ser criado com o escopo nos projetos e o segundo com escopo global. O bucket deve ser o que está configurado para receber os arquivos de custos.
{
"Version": "1.1",
"Statement": [
{
"Action": [
"ims:images:get",
"ims:quotas:get",
"ims:images:list"
],
"Effect": "Allow"
},
{
"Action": [
"vpc:*:get",
"vpc:*:list"
],
"Effect": "Allow"
},
{
"Action": [
"CES:*:*",
"ecs:servers:stop",
"ecs:servers:start",
"ecs:cloudServers:put",
"ecs:cloudServerFlavors:get",
"ecs:cloudServers:reboot",
"ecs:diskConfigs:use",
"ecs:networks:list",
"ecs:servers:getMetadata",
"ecs:servers:update",
"ecs:cloudServers:start",
"ecs:servers:reboot",
"ecs:cloudServers:get",
"ecs:serverInterfaces:get",
"ecs:cloudServerFpgaImages:getRelations",
"ecs:servers:list",
"ecs:cloudServers:getAutoRecovery",
"ecs:serverKeypairs:get",
"ecs:quotas:get",
"ecs:cloudServerQuotas:get",
"ecs:servers:setTags",
"ecs:servers:resize",
"ecs:flavors:get",
"ecs:cloudServers:list",
"ecs:serverVolumeAttachments:get",
"ecs:cloudServerFpgaImages:list",
"ecs:cloudServers:stop",
"ecs:serverKeypairs:list",
"ecs:serverVolumes:use",
"ecs:servers:getTags",
"ecs:serverVolumeAttachments:list",
"ecs:servers:listMetadata",
"ecs:servers:get",
"ecs:cloudServers:resize",
"ecs:availabilityZones:list",
"ecs:securityGroups:use"
],
"Effect": "Allow"
},
{
"Action": [
"cbr:vaults:listExternalVaults",
"cbr:vaults:listProjectTags",
"cbr:policies:get",
"cbr:tasks:get",
"cbr:vaults:getProtectables",
"cbr:vaults:get",
"cbr:backups:checkAgent",
"cbr:member:list",
"cbr:backups:list",
"cbr:backups:queryReplicationCapability",
"cbr:vaults:getTags",
"cbr:member:get",
"cbr:vaults:list",
"cbr:vaults:listResourceInstances",
"cbr:tasks:list",
"cbr:backups:listStorageUsage",
"cbr:backups:get",
"cbr:policies:list",
"cbr:vaults:listProtectables"
],
"Effect": "Allow"
},
{
"Action": [
"evs:volumeTags:create",
"evs:backupTags:delete",
"evs:sharedBackups:getById",
"evs:transfers:list",
"evs:volumeTags:delete",
"evs:types:get",
"evs:volumeTags:update",
"evs:snapshots:list",
"evs:backupTags:get",
"evs:backupTags:create",
"evs:sharedBackups:count",
"evs:volumeTags:list",
"evs:backups:export",
"evs:volumes:list",
"evs:snapshots:delete",
"evs:snapshots:create",
"evs:volumeTags:getById",
"evs:volumes:update",
"evs:transfers:get",
"evs:sharedBackups:list",
"evs:backupTags:getById",
"evs:backups:get",
"evs:backupTags:list",
"evs:snapshots:update",
"evs:recycle_policy:get",
"evs:quotas:get",
"evs:volumeTags:get",
"evs:backups:delete",
"evs:volumes:get",
"evs:snapshots:get",
"evs:backups:list",
"evs:backupTags:update",
"evs:volumes:delete",
"evs:backups:create"
],
"Effect": "Allow"
}
]
}Segue a segunda policy ‘global’:
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"obs:object:GetObject",
"obs:bucket:GetBucketLocation",
"obs:bucket:GetLifecycleConfiguration",
"obs:bucket:GetBucketWebsite",
"obs:bucket:GetBucketLogging",
"obs:bucket:HeadBucket",
"obs:bucket:GetBucketQuota",
"obs:object:GetObjectVersionAcl",
"obs:bucket:GetDirectColdAccessConfiguration",
"obs:bucket:GetBucketAcl",
"obs:bucket:GetBucketVersioning",
"obs:bucket:GetBucketInventoryConfiguration",
"obs:bucket:GetBucketStoragePolicy",
"obs:bucket:GetEncryptionConfiguration",
"obs:bucket:ListBucketMultipartUploads",
"obs:bucket:GetBucketTagging",
"obs:bucket:GetBucketCustomDomainConfiguration",
"obs:object:ListMultipartUploadParts",
"obs:bucket:ListBucketVersions",
"obs:bucket:ListBucket",
"obs:bucket:GetBucketCORS",
"obs:object:GetObjectVersion",
"obs:object:GetObjectAcl",
"obs:bucket:GetBucketNotification",
"obs:bucket:GetReplicationConfiguration",
"obs:bucket:GetBucketPolicy",
"obs:bucket:GetBucketStorage"
],
"Resource": [
"OBS:*:*:object:*",
"OBS:*:*:bucket:Nome_Do_Bucket"
]
},
{
"Effect": "Allow",
"Action": [
"obs:bucket:ListAllMyBuckets"
]
},
{
"Effect": "Allow",
"Action": [
"iam:quotas:listQuotas",
"iam:identityProviders:getMapping",
"iam:mfa:getVirtualMFADevice",
"iam:permissions:listRolesForAgencyOnDomain",
"iam:identityProviders:getIDPMetadata",
"iam:identityProviders:getIdentityProvider",
"iam:permissions:listRolesForGroupOnDomain",
"iam:permissions:listRolesForUserOnEnterpriseProject",
"iam:permissions:checkRoleForGroupOnDomain",
"iam:users:listUsersForGroup",
"iam:permissions:listRolesForAgency",
"iam:permissions:checkRoleForAgencyOnProject",
"iam:permissions:listRolesForGroupOnProject",
"iam:roles:listRoles",
"iam:permissions:listRoleAssignments",
"iam:roles:getRole",
"iam:groups:listGroupsForUser",
"iam:identityProviders:getProtocol",
"iam:identityProviders:listIdentityProviders",
"iam:users:listUserLoginProtects",
"iam:projects:listProjects",
"iam:permissions:listGroupsOnEnterpriseProject",
"iam:permissions:checkRoleForAgency",
"iam:tokens:assume",
"iam:groups:listGroups",
"iam:permissions:listRolesForUserOnProject",
"iam:mfa:listVirtualMFADevices",
"iam:securitypolicies:getPasswordPolicy",
"iam:permissions:listRolesForAgencyOnProject",
"iam:identityProviders:listMappings",
"iam:securitypolicies:getProtectPolicy",
"iam:permissions:checkRoleForAgencyOnDomain",
"iam:users:getUserLoginProtect",
"iam:users:listUsers",
"iam:permissions:listRolesForGroup",
"iam:users:listUsersForProject",
"iam:permissions:checkRoleForGroup",
"iam:credentials:getCredential",
"iam:quotas:listQuotasForProject",
"iam:users:getUser",
"iam:agencies:listAgencies",
"iam:credentials:listCredentials",
"iam:agencies:getAgency",
"iam:securitypolicies:getLoginPolicy",
"iam:permissions:listRolesForGroupOnEnterpriseProject",
"iam:permissions:listUsersForEnterpriseProject",
"iam:identityProviders:listProtocols",
"iam:securitypolicies:getConsoleAclPolicy",
"iam:identityProviders:getOpenIDConnectConfig",
"iam:projects:listProjectsForUser",
"iam:groups:getGroup"
]
}
]
}
