Function Overview

OBS 2.0 Supported

With IAM, you can authorize IAM users to manage specific resources in your account. For example, you can authorize Charlie to manage Virtual Private Cloud (VPC) resources in project B and authorize James to view VPC data in this project.

An IAM user is created using a HUAWEI CLOUD account. Each IAM user has their own identity credentials (password and access keys) and uses cloud resources based on assigned permissions. IAM users do not own resources and cannot make payments.

User groups are used to assign permissions to IAM users. By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach policies or roles to these groups. The user then inherits permissions from the groups to which the user belongs, and can perform specific operations on cloud services.

You can create custom policies to supplement system-defined policies and implement more refined access control. Specifically, you can allow or deny a user's operations on a resource type under certain conditions.

Projects group and isolate resources (including compute, storage, and network resources) across physical regions. A default project is provided for each HUAWEI CLOUD region, and subprojects can be created under a default project. IAM users can be granted permissions to access all resources in a specific project.
For more refined access control, create subprojects under a project and purchase resources in the subprojects. IAM users can then be assigned permissions to access only specific resources in the subprojects.

IAM enables you to delegate resource access to another account or a specific cloud service.
Account delegation: You can delegate another HUAWEI CLOUD account to implement O&M on your resources based on assigned permissions. For example, assume that account A wants to delegate account B to manage its resources.
Cloud service delegation: HUAWEI CLOUD services interwork with each other, and some cloud services are dependent on other services. You can delegate a cloud service to access other services and perform resource O&M. Take a Graph Engine Service (GES) agency as an example. The agency allows GES to call cloud services on your behalf, for example, to bind your EIP to the primary load balancer when a failover occurs.
All regions

You can configure the login authentication and password policies and an access control list (ACL) to improve the security of user information and system data.

MFA authentication provides an additional layer of protection on top of the username and password. If you enable MFA authentication, users need to enter the username and password as well as a verification code before they can log in to the console.
MFA authentication can also be enabled to verify a user's identity before the user is allowed to perform critical operations. When a user attempts to perform a critical operation, the user needs to enter a verification code to proceed.
All regions

HUAWEI CLOUD provides the identity provider function to implement federated identity authentication based on SAML. This function allows users in your own identity authentication system to access resources in your HUAWEI CLOUD account through single sign-on (SSO).
HUAWEI CLOUD supports two types of federated identity authentication:
- Web SSO: Browsers are used as the communication media. This authentication type enables common users to access HUAWEI CLOUD using browsers.
- API calling: Development tools (such as OpenStack Client and Shibboleth ECP Client) are used as the communication media. This authentication type enables enterprise users and common users to access HUAWEI CLOUD by calling APIs.

IAM operations are recorded by Cloud Trace Service (CTS), which is a log audit service provided by HUAWEI CLOUD. CTS collects, stores, and queries records of operations on IAM resources, facilitating security analysis, compliance auditing, resource tracking, and fault locating.
To view the key operations on IAM, such as creating or deleting a user, enable the CTS service.
All regions

To establish secure access to your HUAWEI CLOUD resources, follow these recommendations for the IAM service.
All regions

IAM provides Representational State Transfer (REST) APIs, which you can call using HTTPS requests.
All regions