Identity and Access Management (IAM) is a user identity management and resource access control service provided by JD Cloud. IAM Policy is a user-based authorization policy. By setting IAM Policy, you can centrally manage your users (such as employees, systems, or applications), and control the permission of users on which resources users can access under your name. For example, you can restrict your users to having read permission to only one Bucket. The sub-account is subordinate to the primary account, and these accounts cannot have any actual resources. All resources belong to the primary account.
Employees at different posts in an enterprise need to have the minimum access permission of the cloud resources of the enterprise.
Scenario: An enterprise has a lot of JD Cloud resources, including VPC instances, CDN instances, OSS bucket, objects, etc. The enterprise has a lot of employees at the same time, including development personnel, test personnel, operation and maintenance personnel, etc. Some development personnel need the read and write permissions on the cloud resources of the developed machine related to their projects. Test personnel need the read and write permissions on the cloud resources of the test machine of their projects. The operation and maintenance personnel are responsible for the purchase and daily operation of machines. In case of any change to the employees, responsibilities or projects of the enterprise, the corresponding permissions shall be modified and the minimum permission management shall be carried out.
Different enterprises need the sharing of cloud resources due to business cooperation.
Scenario: An enterprise needs to share its cloud resources with other enterprises due to business cooperation, or an enterprise with a lot of cloud resources hopes to be dedicated to product research and development, and intends to authorize the operation and maintenance of cloud resources to another operation enterprise. Upon the termination of the cooperation, the enterprise will recover the corresponding management permission.
Access Management Policy Syntax The policy comprises several elements, and is used to describe the specific authorization information. Core elements are principal, action, resource, condition and effect. To know more, please view IAM Policy-based Permission Control.
IAM Policy Example
The example description is as follows: The sub-account user1 under the primary account ID 1234567890098 is allowed to have the permission for the read and write object prefixed with test/object under OSS bucketA and bucketB, and the JCQ administrator permission.
{ "Statement": [{ "Action": [ "oss:PutObject", "oss:GetObject" ], "Effect": "Allow", "Resource": [ "jrn:oss:::bucketA/test/*", "jrn:oss:::bucketB/test/*" ] }, { "Action": [ "jcq:*" ], "Effect": "Allow", "Resource": [ "*" ] }], "Version": "3" }