Creating an IAM User and Logging In

Scenarios

The account created in the previous section can be used to create an IAM user and add the IAM user to the developer user group. The IAM user has their own username and password. They can log in to Huawei Cloud and use resources based on assigned permissions.

Procedure

Step 1: Create an IAM User

1. Choose Users from the navigation pane, and click Create User.

   Set mandatory IAM user parameters by referring to the following table. Retain the default settings for other parameters.

2. Specify the user details and access type.
   1. Enter a username.
      Figure 1 Setting user details
      
      

      IAM users can log in to Huawei Cloud using their usernames, email addresses, or mobile numbers.

      Table 1 User details

      Parameter	Example	Description
      Username	Alice	(Mandatory) Username used by an IAM user to log in to Huawei Cloud. Use only letters, digits, spaces, hyphens (-), underscores (_), and periods (.). Do not start with a digit or space.
      Email Address	Skip	Email address of the IAM user that can be used as a login credential. IAM users can bind an email address after they are created. This parameter is mandatory if you select Set by user for Credential Type.
      Mobile Number	Skip	(Optional) Mobile phone number of the IAM user that can be used as a login credential. IAM users can bind a mobile number after they are created.

   2. Specify the access type.
      Figure 2 Specifying the access type
      

      Table 2 Access types

      Access Type	Example	Description
      Programmatic access	Select it.	This type allows access to cloud services using development tools, such as APIs, CLI, and SDKs, and requires an access key or password.
      Management console access	Select it.	This type allows access to cloud services by using the management console and requires a password. If you select this parameter, Password must be selected for Credential Type.

   3. Configure the credential type.
      Figure 3 Credential types

      

      Table 3 Credential types

      Credential Type		Example	Description
      Access key		Select it.	An access key comprises an AK and SK, and is used as a long-term identity credential to sign your requests for Huawei Cloud APIs. After users are created, you can download the access keys (AK/SK) generated for these users.
      Password	Set now	-	You need to set a password for the user and determine whether to require the user to reset the password at first login. If you will use the IAM user by yourself, you are advised to select this option, set a password, and deselect Require password reset at first login.
      	Automatically generated	-	The system automatically generates a login password for the user. After the user is created, download the EXCEL password file and provide the password for the user. The user can then use this password for login. The password file must be downloaded upon the user creation. If you cancel the download, the password file cannot be obtained again. You can change the password of an IAM user by referring to Changing the Password of an IAM User. This option is available only when you create a single user.
      	Set by user	Select it.	A one-time login URL will be emailed to the user. The user can click the link to log in to the console and set a password. If you do not use the IAM user, select this option and enter the email address and mobile number of the IAM user. The user can then set a password by clicking the one-time login URL sent over email. The login URL is valid for seven days.
      USB Key		Deselect it.	A USB key is a device that stores user credentials. You can use a USB key, rather than a password to verify your identity. This option is more secure, as there is no password to be leaked. Once selected, the USB key is the only way for the IAM user to log in. The password will be invalidated and can no longer be used.

   4. Enable or disable login protection. This function is available only when Access Type is Management console access. In this example, select Enable.
      • Login protection enabled: IAM users need to enter verification codes in addition to their usernames and passwords during console login. For the best possible security, this two-factor identity authentication is recommended.
        You can choose from SMS-, email-, and virtual MFA–based login verification.

        Figure 4 Enable
        
      • Login protection disabled: If you need to enable it after user creation, see Modifying IAM User Information.
        Figure 5 Login protection disabled
        
   5. Enable or disable API login protection. This function is available when only login protection is enabled and the verification mode is set to virtual MFA.
      • API login protection enabled: Both a password and a virtual MFA device are required to obtain an IAM user token. To obtain an IAM user token using both a password and a virtual MFA device, see Obtaining a User Token Through Password and Virtual MFA Authentication.
      • API login protection disabled: You can enable API login protection after user creation. Locate the target user, and click Security Settings in the Operation column. In the displayed tab, click next to Verification Method of the Login Protection function, enable this function, and select Virtual MFA device.

3. Click Next and add the user to the developer user group.
   Figure 6 Adding the user to the user group
   

4. Click Create. The created IAM user is displayed in the user list.
5. In the displayed Download Password dialog box, click OK to download the initial password of the IAM user. Then, provide the account name, IAM username, and the IAM user's initial password for corresponding employees.
   Figure 7 Downloading the password
   

Step 2: Log In to the Console as an IAM User

After an IAM user is created, employees can log in to Huawei Cloud as the IAM user. If an IAM user fails to log in, they can contact the administrator to reset their password.