Updated on 2025-07-03 GMT+08:00

Before You Start

Overview

Welcome to Identity and Access Management (IAM). IAM provides identity authentication, permissions management, and access control. With IAM, you can create and manage users and grant them permissions to allow or deny their access to cloud resources.

IAM supports console access and programmatic access (API access). This document describes how to use APIs to perform operations on IAM, such as creating users and user groups, and obtaining tokens. If you intend to access IAM through APIs, ensure that you are familiar with IAM concepts. For details, see Service Overview.

API Calling

Endpoints

An endpoint is the request address for calling an API. Endpoints vary depending on services and regions. For the endpoint of each service, see Regions and Endpoints.

Table 1 lists IAM endpoints. IAM is a global service, and all of its data is stored in the Global service project. All IAM APIs can be called using the endpoint of the global service. To facilitate access from region-specific services through APIs or the CLI, IAM also provides some APIs in regions other than the Global region. You can call these APIs using the endpoint of the region closest to you (see Notes and Constraints).

Table 1 IAM endpoints

| Region Name | Region ID | Endpoint |
|---|---|---|
| Global | global | iam.myhuaweicloud.com |
| CN North-Beijing1 | cn-north-1 | iam.cn-north-1.myhuaweicloud.com |
| CN North-Beijing2 | cn-north-2 | iam.cn-north-2.myhuaweicloud.com |
| CN North-Beijing4 | cn-north-4 | iam.cn-north-4.myhuaweicloud.com |
| CN East-Shanghai1 | cn-east-3 | iam.cn-east-3.myhuaweicloud.com |
| CN East-Shanghai2 | cn-east-2 | iam.cn-east-2.myhuaweicloud.com |
| CN South-Guangzhou | cn-south-1 | iam.cn-south-1.myhuaweicloud.com |
| CN South-Shenzhen | cn-south-2 | iam.cn-south-2.myhuaweicloud.com |
| CN Southwest-Guiyang1 | cn-southwest-2 | iam.cn-southwest-2.myhuaweicloud.com |
| CN-Hong Kong | ap-southeast-1 | iam.ap-southeast-1.myhuaweicloud.com |
| AP-Bangkok | ap-southeast-2 | iam.ap-southeast-2.myhuaweicloud.com |
| AP-Singapore | ap-southeast-3 | iam.ap-southeast-3.myhuaweicloud.com |
| AP-Jakarta | ap-southeast-4 | iam.ap-southeast-4.myhuaweicloud.com |
| AF-Johannesburg | af-south-1 | iam.af-south-1.myhuaweicloud.com |
| LA-Santiago | la-south-2 | iam.la-south-2.myhuaweicloud.com |
| EU-Dublin | eu-west-101 | iam.myhuaweicloud.eu |
| EU-Paris | eu-west-0 | iam.eu-west-0.myhuaweicloud.com |
| TR-Istanbul | tr-west-1 | iam.tr-west-1.myhuaweicloud.com |
| ME-Abu Dhabi-OP5 | ae-ad-1 | iam.ae-ad-1.myhuaweicloud.com |
| AP-Kuala Lumpur-OP6 | my-kualalumpur-1 | iam.my-kualalumpur-1.myhuaweicloud.com |
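
Added example (not part of the original documentation): a Python check that a configured IAM URL points at one of the Table 1 endpoints before a client sends credentials to it. The names check_iam_url and IAM_ENDPOINTS, the HTTPS-only rule and the port restriction are assumptions of this example.

```python
from urllib.parse import urlsplit

# Region IDs from Table 1 whose endpoint is iam.<region-id>.myhuaweicloud.com.
_PATTERN_REGIONS = (
    "cn-north-1 cn-north-2 cn-north-4 cn-east-3 cn-east-2 cn-south-1 "
    "cn-south-2 cn-southwest-2 ap-southeast-1 ap-southeast-2 ap-southeast-3 "
    "ap-southeast-4 af-south-1 la-south-2 eu-west-0 tr-west-1 ae-ad-1 "
    "my-kualalumpur-1"
).split()

# Two Table 1 rows do not follow that pattern and are listed explicitly.
IAM_ENDPOINTS = {
    "global": "iam.myhuaweicloud.com",
    "eu-west-101": "iam.myhuaweicloud.eu",
}
IAM_ENDPOINTS.update({r: f"iam.{r}.myhuaweicloud.com" for r in _PATTERN_REGIONS})
_HOST_TO_REGION = {host: region for region, host in IAM_ENDPOINTS.items()}


def check_iam_url(url):
    """Return the Table 1 region ID that url belongs to, or raise ValueError.

    Assumptions of this example (not stated on the page): only https on the
    default port is accepted, and userinfo in the URL is always rejected.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("IAM endpoint must use https")
    if parts.username is not None or parts.password is not None:
        # "https://iam.myhuaweicloud.com@other.host/" connects to other.host.
        raise ValueError("userinfo is not allowed in an IAM endpoint URL")
    if parts.port not in (None, 443):  # .port itself raises ValueError if malformed
        raise ValueError("unexpected port in IAM endpoint URL")
    # Exact match only: a suffix or substring test would accept lookalike hosts.
    host = parts.hostname or ""
    region = _HOST_TO_REGION.get(host)
    if region is None:
        raise ValueError(f"{host!r} is not a documented IAM endpoint")
    return region
```

For instance, iam.eu-west-101.myhuaweicloud.com is rejected because Table 1 lists iam.myhuaweicloud.eu for EU-Dublin, so the regional naming pattern cannot be assumed for every region ID.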

URI Parameters

The following table lists a few API parameters and their names displayed on the console.

Table 2 URI parameter description

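| API Parameter | Name Displayed on the Console | How to Obtain on the Console |
|---|---|---|
| domain | Account | Obtaining Account, IAM User, and Project Information |
| domain_id or tenant_id | Account ID | Obtaining Account, IAM User, and Project Information |
| domain_name | Account name | Obtaining Account, IAM User, and Project Information |
| user | IAM user | Obtaining Account, IAM User, and Project Information |
| user_id | IAM user ID | Obtaining Account, IAM User, and Project Information |
| user_name | IAM user name | Obtaining Account, IAM User, and Project Information |
| group | User group | Obtaining User Group Information |
| group_id | User group ID | Obtaining User Group Information |
| group_name | User group name | Obtaining User Group Information |
| project | Project | Obtaining Account, IAM User, and Project Information |
| project_id | Project ID | Obtaining Account, IAM User, and Project Information |
| project_name | Project Name | Obtaining Account, IAM User, and Project Information |
| agency | Agency | Obtaining Agency Information |
| agency_id | Agency ID | Obtaining Agency Information |
| agency_name | Agency Name | Obtaining Agency Information |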

Basic Concepts

Common concepts used when you call APIs are described as follows:

  • Account

    An account is created upon successful registration with Huawei Cloud. The account has full access permissions for all of its cloud services and resources. It can be used to reset user passwords and grant user permissions. The account is a payment entity and should not be used directly to perform routine management. For security purposes, create IAM users and grant them permissions for routine management.

  • IAM user

    An IAM user is created by an account to use cloud services. Each IAM user has its own identity credentials (password or access keys).

    An IAM user can view the account ID and IAM user ID on the My Credentials page of the console. The account name, username, and password will be required for API authentication.

  • Region

    Regions are divided based on geographical location and network latency. Public services, such as Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Object Storage Service (OBS), Virtual Private Cloud (VPC), Elastic IP (EIP), and Image Management Service (IMS), are shared within the same region. Regions are classified into universal regions and dedicated regions. A universal region provides universal cloud services for common tenants. A dedicated region provides specific services for specific tenants.

  • AZ

    An availability zone (AZ) comprises one or more physical data centers equipped with independent ventilation, fire, water, and electricity facilities. Compute, network, storage, and other resources in an AZ are logically divided into multiple clusters. AZs within a region are interconnected by optical fibers for high-availability networking.

  • Project

    Projects group and isolate resources (including compute, storage, and network resources) across physical regions. A default project is provided for each Huawei Cloud region, and subprojects can be created under each default project. Users can be granted permissions to access all resources in a specific project. If you need more refined access control, you can create subprojects under a default project and purchase resources in subprojects. Then you can grant users the permissions required to access only the resources in specific subprojects.

    Figure 1 Project isolating model

  • Enterprise Project

    Enterprise projects allow you to group and manage resources across regions. Resources in enterprise projects are logically isolated from each other. An enterprise project can contain resources of multiple regions, and you can easily add resources to or remove resources from enterprise projects.

    For details about how to obtain enterprise project IDs and features, see the Enterprise Management User Guide.