Updated on 2025-04-28 GMT+08:00

Creating an IAM User and Logging In

Scenarios

The account created in the previous section can be used to create an IAM user and add the IAM user to the developer user group. The IAM user has their own username and password. They can log in to Huawei Cloud and use resources based on assigned permissions.

Procedure

| Step | Description |
| --- | --- |
| Step 1: Create an IAM User | Create an IAM user and add it to the user group to obtain permissions. |
| Step 2: Log In to the Console as an IAM User | Log in to the management console as an IAM user and use resources within the permissions scope. |

Step 1: Create an IAM User

  1. Choose Users from the navigation pane, and click Create User.

    Set mandatory IAM user parameters by referring to the following table. Retain the default settings for other parameters.

  2. Specify the user details and access type.

    1. Enter a username.
      Figure 1 Setting user details

      IAM users can log in to Huawei Cloud using their usernames, email addresses, or mobile numbers.

      Table 1 User details

      | Parameter | Example | Description |
      | --- | --- | --- |
      | Username | Alice | (Mandatory) Username used by an IAM user to log in to Huawei Cloud. Use only letters, digits, spaces, hyphens (-), underscores (_), and periods (.). Do not start with a digit or space. |
      | Email Address | Skip | Email address of the IAM user that can be used as a login credential. IAM users can bind an email address after they are created. This parameter is mandatory if you select Set by user for Credential Type. |
      | Mobile Number | Skip | (Optional) Mobile phone number of the IAM user that can be used as a login credential. IAM users can bind a mobile number after they are created. |

    2. Specify the access type.
      Figure 2 Specifying the access type
      Table 2 Access types

      | Access Type | Example | Description |
      | --- | --- | --- |
      | Programmatic access | Select it. | This type allows access to cloud services using development tools, such as APIs, CLI, and SDKs, and requires an access key or password. |
      | Management console access | Select it. | This type allows access to cloud services by using the management console and requires a password. If you select this parameter, Password must be selected for Credential Type. |

    3. Configure the credential type.
      Figure 3 Credential types

      Table 3 Credential types

      | Credential Type | Example | Description |
      | --- | --- | --- |
      | Access key | Select it. | An access key comprises an AK and SK, and is used as a long-term identity credential to sign your requests for Huawei Cloud APIs. After users are created, you can download the access keys (AK/SK) generated for these users. |
      | Password: Set now | - | You need to set a password for the user and determine whether to require the user to reset the password at first login. If you will use the IAM user yourself, you are advised to select this option, set a password, and deselect Require password reset at first login. |
      | Password: Automatically generated | - | The system automatically generates a login password for the user. After the user is created, download the Excel password file and provide the password to the user. The user can then use this password for login. The password file must be downloaded when the user is created. If you cancel the download, the password file cannot be obtained again. You can change the password of an IAM user by referring to Changing the Password of an IAM User. This option is available only when you create a single user. |
      | Password: Set by user | Select it. | A one-time login URL will be emailed to the user. The user can click the link to log in to the console and set a password. If you will not use the IAM user yourself, select this option and enter the email address and mobile number of the IAM user. The user can then set a password by clicking the one-time login URL sent over email. The login URL is valid for seven days. |
      | USB Key | Deselect it. | A USB key is a device that stores user credentials. You can use a USB key, rather than a password, to verify your identity. This option is more secure, as there is no password to be leaked. Once selected, the USB key is the only way for the IAM user to log in. The password will be invalidated and can no longer be used. |

    4. Enable or disable login protection. This function is available only when Access Type is Management console access. In this example, select Enable.
      • Login protection enabled: IAM users need to enter verification codes in addition to their usernames and passwords during console login. For the best possible security, this two-factor identity authentication is recommended.
        You can choose from SMS-, email-, and virtual MFA–based login verification.
        Figure 4 Enable
      • Login protection disabled: If you need to enable it after user creation, see Modifying IAM User Information.
        Figure 5 Login protection disabled
    5. Enable or disable API login protection. This function is available only when login protection is enabled and the verification mode is set to virtual MFA.
      • API login protection enabled: Both a password and a virtual MFA device are required to obtain an IAM user token. To obtain an IAM user token using both a password and a virtual MFA device, see Obtaining a User Token Through Password and Virtual MFA Authentication.
      • API login protection disabled: You can enable API login protection after user creation. Locate the target user, and click Security Settings in the Operation column. In the displayed tab, click next to Verification Method of the Login Protection function, enable this function, and select Virtual MFA device.

  3. Click Next and add the user to the developer user group.

    Figure 6 Adding the user to the user group

  4. Click Create. The created IAM user is displayed in the user list.
  5. In the displayed Download Password dialog box, click OK to download the initial password of the IAM user. Then, provide the account name, IAM username, and the IAM user's initial password to the corresponding employees.

    Figure 7 Downloading the password
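
The dependencies between the settings in Step 1 (username rules, access type, credential type, login protection, and API login protection) can be checked before a user is created. The following is an added example, not Huawei Cloud code: the dictionary keys, the value names such as "vmfa", and the restriction of usernames to ASCII letters are assumptions made for illustration, and the sample requests are constructed.

```python
import re

# Table 1 rule: letters, digits, spaces, hyphens, underscores and periods only;
# must not start with a digit or space. ASCII letters are an assumption.
USERNAME_RE = re.compile(r"^[A-Za-z_.-][A-Za-z0-9 _.-]*$")

def check_user_request(req):
    """Return (severity, message) findings for one constructed request dict.

    Keys (all hypothetical): username, email, access_types, password_mode,
    login_protection, api_login_protection.
    """
    findings = []
    access = set(req.get("access_types", ()))
    mode = req.get("password_mode")           # "set_now", "auto", "set_by_user" or None
    protection = req.get("login_protection")  # "sms", "email", "vmfa" or None

    if not USERNAME_RE.match(req.get("username", "")):
        findings.append(("error", "username breaks the Table 1 character rules"))
    if "console" in access and mode is None:
        findings.append(("error", "console access needs the Password credential type"))
    if mode == "set_by_user" and not req.get("email"):
        findings.append(("error", "Set by user needs an email address for the one-time URL"))
    if protection and "console" not in access:
        findings.append(("error", "login protection applies only to console access"))
    if req.get("api_login_protection") and protection != "vmfa":
        findings.append(("error", "API login protection needs virtual MFA login protection"))
    if "console" in access and not protection:
        findings.append(("warn", "console access without login protection (no second factor)"))
    return findings

# Constructed sample requests, not real accounts.
SAMPLES = [
    {"username": "Alice", "access_types": ["programmatic", "console"],
     "password_mode": "set_now", "login_protection": "vmfa",
     "api_login_protection": True},
    {"username": "1bob", "access_types": ["console"],
     "password_mode": "set_by_user", "login_protection": None,
     "api_login_protection": True},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["username"], check_user_request(sample) or "OK")
```
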

Step 2: Log In to the Console as an IAM User

After an IAM user is created, employees can log in to Huawei Cloud as the IAM user. If an IAM user fails to log in, they can contact the administrator to reset their password.

  1. Click IAM User on the login page, and then enter your Tenant name or Huawei Cloud account name, IAM username or email address, and IAM user password.

    Figure 8 Logging in as an IAM user
    Table 4 Login parameters

    | Parameter | Example | Description |
    | --- | --- | --- |
    | Tenant name or Huawei Cloud account name | Company-A | Account used to create the IAM user, for example, Company-A. |
    | IAM username or email address | Alice | IAM username or email address entered during the user creation. You can obtain the IAM username and IAM user's initial password from the administrator. |
    | IAM user password | ******** | Password of the IAM user, rather than the account. Enter the downloaded password. |

  2. Click Log In to log in to Huawei Cloud as IAM user Alice.
  3. Verify the permissions of IAM user Alice.

    1. Switch to CN-Hong Kong.
    2. Choose Elastic Cloud Server from the service list to go to the ECS console. If the IAM user can perform all operations such as creating and managing ECSs, the ECS FullAccess permissions have been configured successfully.
    3. Choose Object Storage Service from the service list. If the IAM user can view the bucket list and query bucket locations on the OBS console but cannot create OBS buckets, the OBS OperateAccess permissions have been configured successfully.
    4. If the IAM user chooses any service other than ECS and OBS, and the system displays a message indicating insufficient permissions, the permissions have been configured successfully.
    5. Switch to a region other than CN-Hong Kong. If the IAM user can only access the OBS homepage (cannot access ECS and other services), the permissions have been successfully assigned to the region-specific project.