Creating an IAM User
If you are an administrator and have purchased multiple resources on HUAWEI CLOUD, such as Elastic Cloud Servers (ECSs), Elastic Volume Service (EVS) disks, and Bare Metal Servers (BMSs), you can create IAM users for your employees or applications and grant them permissions required to perform operations on specific resources. You do not need to share the password of your account.
By default, new IAM users do not have permissions. You can assign permissions to new users, or add them to one or more groups and grant permissions to those groups (see Assigning Permissions to a User Group) so that the users inherit the permissions of the groups. The users can then perform specific operations on cloud services as specified by the permissions.
The default user group admin has all permissions required to use all of the cloud resources. Users in this group can perform operations on all the resources, including but not limited to creating user groups and users, modifying permissions, and managing resources.
If you delete a user and create a new user with the same name, you need to grant the required permissions to the new user again.
Procedure
- Log in to the IAM console as an administrator.
- On the IAM console, choose Users from the navigation pane, and click Create User in the upper right corner.
- Specify the user information on the Create User page. To create more users, click Add User. You can add a maximum of 10 users at a time.
  - You cannot bind the mobile number and email address associated with your account or an IAM user in your account to another IAM user.
  - Users who have access to the management console can log in to HUAWEI CLOUD using their username, email address, or mobile number.
  - If the mobile number of an IAM user has been bound to an account or another user, bind an email address or virtual MFA device to the user for identity verification.
  - If a user forgets their password, they can reset it through email address or mobile number verification. If no email address or mobile number has been bound to the user, they need to request the administrator to reset their password.
- Select an access type.
  - Programmatic access: Select this option to allow the user to access cloud services using development tools, such as APIs, CLI, and SDKs. You can generate an access key or set a password for the user.
  - Management console access: Select this option to allow the user to access cloud services using the management console. You can set or generate a password for the user or request the user to set a password at first login.
  - If an IAM user accesses cloud services only by using the management console, specify the access type as Management console access and the credential type as Password.
  - If the user accesses cloud services only through programmatic calls, specify the access type as Programmatic access and the credential type as Access key.
  - If the user needs to use a password as the credential for programmatic access to certain APIs, specify the access type as Programmatic access and the credential type as Password.
  - If the user needs to perform access key verification when using certain services in the console, specify the access type as "Programmatic access + Management console access" and the credential type as "Access Key + Password". For example, the user needs to perform access key verification when creating a data migration job in the Cloud Data Migration (CDM) console.
Table 1 Setting the credential type and login protection

| Credential Type and Login Protection | Description |
| --- | --- |
| Access key | After you create the user, you can download the access key (AK/SK) generated for the user. Each user can have a maximum of two access keys. |
| Password: Set now | Set a password for the user and determine whether to require the user to reset the password at first login. If you are the user, select this option and set a password for login. You do not need to select Require password reset at first login. |
| Password: Automatically generated | The system automatically generates a login password for the user. After the user is created, you can download the EXCEL password file and provide the password to the user. The user can then use this password for login. This option is available only when you create a single user. |
| Password: Set by user | A one-time login URL will be emailed to the user. The user can click on the link to log in to the console and set a password. If you are an administrator setting the password for the user, select this option and enter an email address and a mobile number. The user can then set a password by clicking on the one-time login URL sent over email. The login URL is valid for seven days. |
- Configure login protection. This parameter is available only when you have selected Management console access for Access Type.
  - Enable (Recommend): If login protection is enabled, the user will need to enter a verification code in addition to the username and password during login. Enable this function for account security.
    You can choose from SMS-, email-, and virtual MFA–based login verification.
  - Disable: If login protection is disabled, you can enable it for the user by following the instructions provided in Login Protection.
- (Optional) Click Next and add the user to one or more user groups.
  - The user will inherit the permissions assigned to the user groups to which the user belongs.
  - You can also create new groups and add the user to these groups.
  - If the user will be an administrator, add the user to the default group admin.
  - You can add a user to a maximum of 10 user groups.
- Click Create.
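Before clicking Create, a planned batch of users can be checked against the pairings and limits in this procedure. The script below is an added example, not HUAWEI CLOUD code: it flags access types or credentials a user does not need, console access without login protection, and unplanned membership of the admin group. The field names, usage labels, the `administrator` flag and the sample plan are all constructed for illustration.

```python
# Added example. Field names, usage labels and PLAN are constructed for
# illustration; they are not HUAWEI CLOUD API fields.
MAX_KEYS, MAX_GROUPS = 2, 10  # per-user limits stated on this page

# Access type and credential type the page pairs with each usage pattern.
EXPECTED = {
    "console_only": ({"console"}, {"password"}),
    "programmatic_only": ({"programmatic"}, {"access_key"}),
    "programmatic_password_api": ({"programmatic"}, {"password"}),
    "console_with_ak_check": ({"programmatic", "console"},
                              {"access_key", "password"}),
}

def audit_user(u):
    """Return findings for one planned user, in a fixed order."""
    findings = []
    access, creds = set(u["access"]), set(u["credentials"])
    want_access, want_creds = EXPECTED[u["usage"]]
    for label, have, want in (("access type", access, want_access),
                              ("credential", creds, want_creds)):
        findings += [f"unneeded {label}: {x}" for x in sorted(have - want)]
        findings += [f"missing {label}: {x}" for x in sorted(want - have)]
    if "console" in access and not u.get("login_protection", False):
        findings.append("console access without login protection")
    # "administrator" is a hypothetical flag set by whoever approved the plan.
    if "admin" in u["groups"] and not u.get("administrator", False):
        findings.append("in group admin but not a designated administrator")
    if len(u["groups"]) > MAX_GROUPS:
        findings.append(f"more than {MAX_GROUPS} user groups")
    if u.get("access_keys", 0) > MAX_KEYS:
        findings.append(f"more than {MAX_KEYS} access keys")
    return findings

def audit(plan):
    return {u["name"]: audit_user(u) for u in plan}

PLAN = [  # constructed sample users
    {"name": "ci-deployer", "usage": "programmatic_only",
     "access": ["programmatic", "console"],
     "credentials": ["access_key", "password"],
     "login_protection": False, "groups": ["deployers"], "access_keys": 1},
    {"name": "alice", "usage": "console_only", "access": ["console"],
     "credentials": ["password"], "login_protection": True,
     "groups": ["readonly"]},
    {"name": "bob", "usage": "console_only", "access": ["console"],
     "credentials": ["password"], "login_protection": True,
     "groups": ["admin"]},
]

if __name__ == "__main__":
    for name, findings in audit(PLAN).items():
        print(name, findings or "OK")
```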