Updated on 2024-10-17 GMT+08:00

Authentication and Access Control

Identity and Access Management (IAM) provides free permissions management for secure access to your Huawei Cloud services and resources. The IAM administrator can grant users access to IEF resources through identity authentication (login credentials) and authorization (permission to operate specific resources).

Identity Authentication

If you want to use Huawei Cloud services and resources, you must sign up as an IAM user.

Account

An account is created after you successfully register with Huawei Cloud, and you can use it to purchase Huawei Cloud resources. The account has full access permissions for your cloud resources and can be used to make payments for them. You can use the account to reset user passwords, assign permissions, and receive and pay all bills generated by your IAM users for their usage of resources.

You cannot modify or delete your account in IAM, but you can do so in My Account.

IAM user

An IAM user is created by an account. Each IAM user has their own identity credentials (password and access keys) and uses cloud resources based on assigned permissions. IAM users cannot make payments themselves. You can use your account to pay for the resources they use.

User group

An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. IAM users added to a user group automatically obtain the permissions assigned to the group. If a user is added to multiple user groups, the user inherits the permissions from all these groups.

IAM roles

IAM roles are IAM users with special permissions, but they are not tied to a specific account. You can switch between different roles as needed.

Access Control

You can access IEF through the IEF console, APIs, or SDK. Regardless of the access method, requests are sent through the REST APIs provided by IEF.

IEF REST APIs support both authenticated and anonymous requests. Anonymous requests are typically used for public access, such as accessing hosted static websites. In most cases, requests for IEF resources must be authenticated. An authenticated request must include a signature. The signature is calculated from the requester's access keys (an AK/SK pair), which serve as the encryption factor, together with specific information included in the request body. AK/SK authentication uses AK/SK-based encryption to authenticate the request sender. For details about access keys and how to obtain them, see Authentication.
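The signing idea described above, as an added example that is not taken from this page or from the IEF SDK: a simplified HMAC-SHA256 request signature keyed with the SK, and the server-side check that rejects a modified body or a wrong key. The canonical layout, the function names, the host, the path, the header names and the sample keys are all assumptions constructed for illustration; the real algorithm is the one documented under Authentication.

```python
import hashlib
import hmac

# Constructed sample credentials, not real keys.
AK = "EXAMPLEACCESSKEYID"            # identifies the requester, sent in the clear
SK = b"example-secret-access-key"    # shared secret, never sent with the request


def canonical_request(method, path, query, headers, body):
    """Build a deterministic byte string from the request parts to protect."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(lowered)
    header_lines = "".join(f"{n}:{lowered[n]}\n" for n in names)
    body_hash = hashlib.sha256(body).hexdigest()
    parts = [method.upper(), path, query, header_lines, ";".join(names), body_hash]
    return "\n".join(parts).encode()


def sign(sk, method, path, query, headers, body):
    """Client side: hex HMAC-SHA256 of the canonical request, keyed with the SK."""
    canon = canonical_request(method, path, query, headers, body)
    return hmac.new(sk, canon, hashlib.sha256).hexdigest()


def verify(sk, signature, method, path, query, headers, body):
    """Server side: recompute with the stored SK and compare in constant time."""
    expected = sign(sk, method, path, query, headers, body)
    return hmac.compare_digest(expected, signature)


def demo():
    """Return (valid request, tampered body, wrong key) verification results."""
    # Constructed request; host, path and header names are hypothetical.
    headers = {"Host": "ief.example.com", "X-Date": "20241017T000000Z"}
    body = b'{"name": "edge-node-1"}'
    args = ("POST", "/example/resource", "", headers)
    sig = sign(SK, *args, body)
    ok = verify(SK, sig, *args, body)
    tampered = verify(SK, sig, *args, b'{"name": "edge-node-2"}')
    wrong_key = verify(b"some-other-secret", sig, *args, body)
    return ok, tampered, wrong_key


if __name__ == "__main__":
    print(demo())
```

Only the AK and the signature travel with the request; the SK stays on the client and in the service's key store, which is why a leaked SK must be rotated immediately.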