- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- Logging In to Huawei Cloud
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- Custom Identity Broker
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
- Best Practices
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- Getting Started
-
API
- Token Management
-
Access Key Management
- Obtaining Temporary Access Keys and Security Tokens of an Agency
- Obtaining Temporary Access Keys and Security Tokens of an IAM User
- Obtaining Temporary Access Keys and Security Tokens of a Federated User
- Creating a Permanent Access Key
- Querying Permanent Access Keys
- Querying a Permanent Access Key
- Modifying a Permanent Access Key
- Deleting a Permanent Access Key
- Region Management
- Project Management
- Account Management
-
IAM User Management
- Listing IAM Users
- Querying IAM User Details (Recommended)
- Querying IAM User Details
- Querying the User Groups Which an IAM User Belongs to
- Querying the IAM Users in a Group
- Creating an IAM User (Recommended)
- Creating an IAM User
- Changing the Login Password
- Modifying IAM User Information (By an IAM User) (Recommended)
- Modifying IAM User Information (By the Administrator) (Recommended)
- Modifying IAM User Information (By the Administrator)
- Deleting an IAM User
- User Group Management
-
Permissions Management
- Listing Permissions
- Querying Permission Details
- Querying Permissions Assignment Records
- Querying Permissions of a User Group for a Global Service Project
- Querying Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for a Global Service Project
- Granting Permissions to a User Group for a Region-specific Project
- Checking Whether a User Group Has Specified Permissions for a Global Service Project
- Checking Whether a User Group Has Specified Permissions for a Region-specific Project
- Querying All Permissions of a User Group
- Checking Whether a User Group Has Specified Permissions for All Projects
- Removing Specified Permissions of a User Group in All Projects
- Removing Permissions of a User Group for a Global Service Project
- Removing the Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for All Projects
- Custom Policy Management
-
Agency Management
- Listing Agencies
- Querying Agency Details
- Creating an Agency
- Modifying an Agency
- Deleting an Agency
- Querying Permissions of an Agency for a Global Service Project
- Querying Permissions of an Agency for a Region-specific Project
- Granting Permissions to an Agency for a Global Service Project
- Granting Permissions to an Agency for a Region-specific Project
- Checking Whether an Agency Has Specified Permissions for a Global Service Project
- Checking Whether an Agency Has Specified Permissions for a Region-specific Project
- Removing Permissions of an Agency for a Global Service Project
- Removing Permissions of an Agency for a Region-specific Project
- Querying All Permissions of an Agency
- Granting Specified Permissions to an Agency for All Projects
- Checking Whether an Agency Has Specified Permissions
- Removing Specified Permissions of an Agency in All Projects
-
Enterprise Project Management
- Querying User Groups Associated with an Enterprise Project
- Querying the Permissions of a User Group Associated with an Enterprise Project
- Granting Permissions to a User Group Associated with an Enterprise Project
- Removing Permissions of a User Group Associated with an Enterprise Project
- Querying the Enterprise Projects Associated with a User Group
- Querying the Enterprise Projects Directly Associated with an IAM User
- Querying Users Directly Associated with an Enterprise Project
- Querying Permissions of a User Directly Associated with an Enterprise Project
- Granting Permissions to a User Associated with an Enterprise Project
- Removing Permissions of a User Directly Associated with an Enterprise Project
- Granting Permissions to Agencies Associated with Specified Enterprise Projects
- Removing Permissions of Agencies Associated with Specified Enterprise Projects
-
Security Settings
- Modifying the Operation Protection Policy
- Querying the Operation Protection Policy
- Modifying the Password Policy
- Querying the Password Policy of an Account
- Modifying the Login Authentication Policy
- Querying the Login Authentication Policy
- Modifying the ACL for Console Access
- Querying the ACL for Console Access
- Modifying the ACL for API Access
- Querying the ACL for API Access
- Listing MFA Device Information of IAM Users
- Querying the MFA Device Information of an IAM User
- Listing Login Protection Configurations of IAM Users
- Querying the Login Protection Configuration of an IAM User
- Modifying the Login Protection Configuration of an IAM User
- Binding a Virtual MFA Device
- Unbinding a Virtual MFA Device
- Creating a Virtual MFA Device
- Deleting a Virtual MFA Device
-
Federated Identity Authentication Management
- Obtaining a Token Through Federated Identity Authentication
-
Identity Providers
- Listing Identity Providers
- Querying Identity Provider Details
- Creating an Identity Provider
- Modifying a SAML Identity Provider
- Deleting a SAML Identity Provider
- Creating an OpenID Connect Identity Provider Configuration
- Modifying an OpenID Connect Identity Provider
- Querying an OpenID Connect Identity Provider
- Mappings
- Protocols
- Metadata
- Token
- Listing Accounts Accessible to Federated Users
- Listing Projects Accessible to Federated Users
- Custom Identity Brokers
- Version Information Management
- Services and Endpoints
- Out-of-Date APIs
- Permissions and Actions
- Appendix
- Change History
- SDK Reference
-
FAQs
-
User Groups and Permissions Management
- Why Can't I Find Permissions for a Cloud Service?
- How Do I Grant Cloud Service Permissions in the EU-Dublin Region to IAM Users?
- Why Have Permissions Granted to a User Not Been Applied?
- What Should I Do If an IAM User Does Not Have the Required Permissions to Access the IAM Console?
- How Can I Grant an IAM User Permissions to Place Orders But Disallow Order Payment?
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Why Is My Account Locked?
- Why Doesn't My API Access Control Policy Take Effect?
- Why Do I Still Need to Perform MFA During Login After Unbinding the Virtual MFA Device?
-
Passwords and Credentials
- What Should I Do If I Forgot My Password?
- How Do I Change My Password?
- How Do I Obtain an Access Key (AK/SK)?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and Security Token)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain Access Keys (AK/SK Pairs) for the EU-Dublin Region?
- Project Management
- Agency Management
- Account Management
- Others
-
User Groups and Permissions Management
- Videos
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions
- Projects
- Agencies
- Account Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
-
FAQs
- User Groups and Permissions Management
- IAM User Management
-
Security Settings
- How Do I Enable Login Authentication?
- How Do I Disable Login Authentication?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
-
Passwords and Credentials
- How Do I Reset My Password?
- How Do I Change My Password?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and SecurityToken)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain an Access Key (AK/SK) in the ME-Abu Dhabi-OP5 Region?
- Project Management
- Agency Management
- Others
- Change History
- API Reference (ME-Abu Dhabi Region)
-
User Guide (Paris Regions)
- Service Overview
- Getting Started
-
User Guide
- IAM Users
- User Groups and Authorization
- Permissions
- Account Settings
- Projects
- Agencies
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Auditing
-
FAQs
- How Do I Enable Login Authentication?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain MFA Verification Codes?
- How Do I Unbind a Virtual MFA Device?
- Why Does IAM User Login Fail?
- How Do I Control IAM User Access to the Console?
- Differences Between IAM and Enterprise Management
- What Are the Differences Between IAM Projects and Enterprise Projects?
- How Can I Obtain Permissions to Create an Agency?
- What Can I Do If Text Box Prompt Information Does Not Disappear?
- How Do I Disable Password Association and Saving on Google Chrome?
- How Do I Grant Cloud Service Permissions in the EU-Paris Region to IAM Users?
- How Do I Obtain an Access Key (AK/SK) in the EU-Paris Region?
- Change History
- API Reference (Paris Regions)
-
User Guide (Kuala Lumpur Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
-
FAQs
- User Groups and Permissions Management
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Why Is My Account Locked?
- Why Do I Still Need to Perform MFA During Login After Unbinding the Virtual MFA Device?
-
Passwords and Credentials
- What Should I Do If I Forgot My Password?
- How Do I Change My Password?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and Security Token)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain an Access Key (AK/SK) in the AP-Kuala Lumpur-OP6 Region?
- Project Management
- Agency Management
- Others
- Change History
-
API Reference (Kuala Lumpur Region)
- Before You Start
- API Overview
- Calling APIs
-
APIs
- Token Management
- Access Key Management
- Region Management
-
Project Management
- Querying Project Information Based on the Specified Criteria
- Querying a User Project List
- Querying the List of Projects Accessible to Users
- Creating a Project
- Modifying Project Data
- Querying Information About a Specified Project
- Setting the Status of a Specified Project
- Querying Information and Status of a Specified Project
- Querying the Quotas of a Project
- Tenant Management
-
User Management
- Querying a User List
- Querying User Details
- Querying User Details (Recommended)
- Querying the User Group to Which a User Belongs
- Querying Users in a User Group
- Creating a User
- Changing a Password
- Modifying User Information
- Modifying User Information (Including Email Address and Mobile Number)
- Modifying User Information (Including Email Address and Mobile Number)
- Deleting a User
- Deleting a User from a User Group
- Querying MFA Device Information of Users
- Querying the MFA Device Information of a User
- Querying Login Protection Configurations of Users
- Querying the Login Protection Configuration of a User
- Creating a Virtual MFA Device
- Deleting a Virtual MFA Device
- Binding a Virtual MFA Device
- Unbinding a Virtual MFA Device
- Modifying the Login Protection Configuration of a User
- User Group Management
-
Permission Management
- Querying a Role List
- Querying Role Details
- Querying Permissions of a User Group Under a Domain
- Querying Permissions of a User Group Corresponding to a Project
- Granting Permissions to a User Group of a Domain
- Granting Permissions to a User Group Corresponding to a Project
- Deleting Permissions of a User Group Corresponding to a Project
- Deleting Permissions of a User Group of a Domain
- Querying Whether a User Group Under a Domain Has Specific Permissions
- Querying Whether a User Group Corresponding to a Project Has Specific Permissions
- Granting Permissions to a User Group for All Projects
- Removing Specified Permissions of a User Group in All Projects
- Checking Whether a User Group Has Specified Permissions for All Projects
- Querying All Permissions of a User Group
- Custom Policy Management
-
Agency Management
- Creating an Agency
- Querying an Agency List Based on the Specified Conditions
- Obtaining Details of a Specified Agency
- Modifying an Agency
- Deleting an Agency
- Granting Permissions to an Agency for a Project
- Checking Whether an Agency Has the Specified Permissions on a Project
- Querying the List of Permissions of an Agency on a Project
- Deleting Permissions of an Agency on a Project
- Granting Permissions to an Agency on a Domain
- Checking Whether an Agency Has the Specified Permissions on a Domain
- Querying the List of Permissions of an Agency on a Domain
- Deleting Permissions of an Agency on a Domain
- Querying All Permissions of an Agency
- Granting Specified Permissions to an Agency for All Projects
- Checking Whether an Agency Has Specified Permissions
- Removing Specified Permissions of an Agency in All Projects
-
Security Settings
- Querying the Operation Protection Policy
- Modifying the Operation Protection Policy
- Querying the Password Policy
- Modifying the Password Policy
- Querying the Login Authentication Policy
- Modifying the Login Authentication Policy
- Querying the ACL for Console Access
- Modifying the ACL for Console Access
- Querying the ACL for API Access
- Modifying the ACL for API Access
- Federated Identity Authentication Management
- Version Information Management
- Services and Endpoints
- Permissions Policies and Supported Actions
- Appendix
- Change History
-
User Guide (Ankara Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Quotas
-
FAQs
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Passwords and Credentials
- Agency Management
- Others
- Change History
- API Reference (Ankara Region)
-
User Guide (ME-Abu Dhabi Region)
- General Reference
Show all
Function Overview
-
OBS 2.0支持
-
With IAM, you can authorize IAM users to manage specific resources in your account. For example, you can authorize Charlie to manage Virtual Private Cloud (VPC) resources in project B and authorize James to view VPC data in this project.
-
OBS 2.0支持
-
With IAM, you can authorize IAM users to manage specific resources in your account. For example, you can authorize Charlie to manage Virtual Private Cloud (VPC) resources in project B and authorize James to view VPC data in this project.
-
-
-
OBS 2.0支持
-
An IAM user is created using a HUAWEI CLOUD account. Each IAM user has their own identity credentials (password and access keys) and uses cloud resources based on assigned permissions. IAM users do not own resources and cannot make payments.
-
OBS 2.0支持
-
An IAM user is created using a HUAWEI CLOUD account. Each IAM user has their own identity credentials (password and access keys) and uses cloud resources based on assigned permissions. IAM users do not own resources and cannot make payments.
-
-
-
OBS 2.0支持
-
User groups are used to assign permissions to IAM users. By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach policies or roles to these groups. The user then inherits permissions from the groups to which the user belongs, and can perform specific operations on cloud services.
-
OBS 2.0支持
-
User groups are used to assign permissions to IAM users. By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach policies or roles to these groups. The user then inherits permissions from the groups to which the user belongs, and can perform specific operations on cloud services.
-
-
-
OBS 2.0支持
-
You can create custom policies to supplement system-defined policies and implement more refined access control. Specifically, you can allow or deny a user's operations on a resource type under certain conditions.
-
OBS 2.0支持
-
You can create custom policies to supplement system-defined policies and implement more refined access control. Specifically, you can allow or deny a user's operations on a resource type under certain conditions.
-
-
-
OBS 2.0支持
-
Projects group and isolate resources (including compute, storage, and network resources) across physical regions. A default project is provided for each HUAWEI CLOUD region, and subprojects can be created under a default project. IAM users can be granted permissions to access all resources in a specific project.
For more refined access control, create subprojects under a project and purchase resources in the subprojects. IAM users can then be assigned permissions to access only specific resources in the subprojects.
-
OBS 2.0支持
-
Projects group and isolate resources (including compute, storage, and network resources) across physical regions. A default project is provided for each HUAWEI CLOUD region, and subprojects can be created under a default project. IAM users can be granted permissions to access all resources in a specific project.
For more refined access control, create subprojects under a project and purchase resources in the subprojects. IAM users can then be assigned permissions to access only specific resources in the subprojects.
-
-
-
OBS 2.0支持
-
IAM enables you to delegate resource access to another account or a specific cloud service.
Account delegation: You can delegate another HUAWEI CLOUD account to implement O&M on your resources based on assigned permissions. For example, assume that account A wants to delegate account B to manage its resources.
Cloud service delegation: HUAWEI CLOUD services interwork with each other, and some cloud services are dependent on other services. You can delegate a cloud service to access other services and perform resource O&M. Take a Graph Engine Service (GES) agency as an example. The agency allows GES to call cloud services on your behalf, for example, to bind your EIP to the primary load balancer when a failover occurs.
All regions
-
OBS 2.0支持
-
IAM enables you to delegate resource access to another account or a specific cloud service.
Account delegation: You can delegate another HUAWEI CLOUD account to implement O&M on your resources based on assigned permissions. For example, assume that account A wants to delegate account B to manage its resources.
Cloud service delegation: HUAWEI CLOUD services interwork with each other, and some cloud services are dependent on other services. You can delegate a cloud service to access other services and perform resource O&M. Take a Graph Engine Service (GES) agency as an example. The agency allows GES to call cloud services on your behalf, for example, to bind your EIP to the primary load balancer when a failover occurs.
All regions
-
-
-
OBS 2.0支持
-
You can configure the login authentication and password policies and access control list (ACL) to improve security of user information and system data.
-
OBS 2.0支持
-
You can configure the login authentication and password policies and access control list (ACL) to improve security of user information and system data.
-
-
-
OBS 2.0支持
-
MFA authentication provides an additional layer of protection on top of the username and password. If you enable MFA authentication, users need to enter the username and password as well as a verification code before they can log in to the console.
MFA authentication can also be enabled to verify a user's identity before the user is allowed to perform critical operations. When a user attempts to perform a critical operation, the user needs to enter a verification code to proceed.
-
OBS 2.0支持
-
MFA authentication provides an additional layer of protection on top of the username and password. If you enable MFA authentication, users need to enter the username and password as well as a verification code before they can log in to the console.
MFA authentication can also be enabled to verify a user's identity before the user is allowed to perform critical operations. When a user attempts to perform a critical operation, the user needs to enter a verification code to proceed.
-
-
-
OBS 2.0支持
-
HUAWEI CLOUD provides the identity provider function to implement federated identity authentication based on SAML. This function allows users in your own identity authentication system to access resources in your HUAWEI CLOUD account through single sign-on (SSO).
HUAWEI CLOUD supports two types of federated identity authentication:
- Web SSO: Browsers are used as the communication media. This authentication type enables common users to access HUAWEI CLOUD using browsers.
- API calling: Development tools (such as OpenStack Client and ShibbolethECP Client) are used as the communication media. This authentication type enables enterprise users and common users to access HUAWEI CLOUD by calling APIs.
-
OBS 2.0支持
-
HUAWEI CLOUD provides the identity provider function to implement federated identity authentication based on SAML. This function allows users in your own identity authentication system to access resources in your HUAWEI CLOUD account through single sign-on (SSO).
HUAWEI CLOUD supports two types of federated identity authentication:
- Web SSO: Browsers are used as the communication media. This authentication type enables common users to access HUAWEI CLOUD using browsers.
- API calling: Development tools (such as OpenStack Client and ShibbolethECP Client) are used as the communication media. This authentication type enables enterprise users and common users to access HUAWEI CLOUD by calling APIs.
-
-
-
OBS 2.0支持
-
IAM operations are recorded by Cloud Trace Service (CTS), which is a log audit service provided by HUAWEI CLOUD. CTS collects, stores, and queries records of operations on IAM resources, facilitating security analysis, compliance auditing, resource tracking, and fault locating.
To view the key operations on IAM, such as creating or deleting a user, enable the CTS service.
-
OBS 2.0支持
-
IAM operations are recorded by Cloud Trace Service (CTS), which is a log audit service provided by HUAWEI CLOUD. CTS collects, stores, and queries records of operations on IAM resources, facilitating security analysis, compliance auditing, resource tracking, and fault locating.
To view the key operations on IAM, such as creating or deleting a user, enable the CTS service.
-
-
-
OBS 2.0支持
-
To establish secure access to your HUAWEI CLOUD resources, follow these recommendations for the IAM service.
All regions
-
OBS 2.0支持
-
To establish secure access to your HUAWEI CLOUD resources, follow these recommendations for the IAM service.
All regions
-
-
-
OBS 2.0支持
-
IAM provides Representational State Transfer (REST) APIs, which you can call using HTTPS requests.
All regions
-
OBS 2.0支持
-
IAM provides Representational State Transfer (REST) APIs, which you can call using HTTPS requests.
All regions
-
-
-
OBS 2.0支持
-
IAM provides a user management mechanism that is suitable for enterprises, and enables you to assign permissions for different resources and operations to enterprise members. With the SDKs, you can easily call IAM APIs to create upper-layer applications on HUAWEI CLOUD.
Currently, Java, Python, .NET, and Go SDKs are available.
All regions
-
OBS 2.0支持
-
IAM provides a user management mechanism that is suitable for enterprises, and enables you to assign permissions for different resources and operations to enterprise members. With the SDKs, you can easily call IAM APIs to create upper-layer applications on HUAWEI CLOUD.
Currently, Java, Python, .NET, and Go SDKs are available.
All regions
-
-
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot