Help Center/ Cloud Trace Service/ User Guide/ Trace References/ Relationship Between IAM Identities and Operators
Updated on 2025-07-11 GMT+08:00

Relationship Between IAM Identities and Operators

Huawei Cloud IAM provides the following types of identities: IAM users, IAM agencies, cloud service agencies, IAM Identity Center users, and federated users.

The operator information reported to CTS audit logs varies depending on the operators identity. The following describes the format specifications of the username (user.name field) and identity ID (principal_id field) of different operators:

Operator Identity

Identity Type (type)

Operator Name Format (user.name)

Identity ID Format (principal_id)

IAM user

User

<user-name>

<user-id>

IAM agency

AssumedAgency

<domain-name>/<agency-name>

<agency-id>:<agency-session-name>

Cloud service agency

AssumedAgency

<domain-name>/<agency-name>

<agency-id>:<agency-session-name>

IAM Identity Center

AssumedAgency

<domain-name>/<agency-name>

<agency-id>:<agency-session-name>

Federated user

ExternalUser

<idp_id>/<user-session-name>

<idp_id>:<user-session-name>

The Operator column of the trace list displays usernames of operators.

This section provides examples of operator information in the trace list when different user identities are used to perform operations on resources.

IAM User

If the operator is an IAM user, the user field in the audit log is as follows:

{
    "access_key_id": "HSTAZ***YE2GA",
    "account_id": "7e0d78c85***d0b9b7cba",
    "user_name": "IAMUserA",
    "domain": {
        "name": "IAMDomainB",
        "id": "7e0d78c85***d0b9b7cba"
    },
    "name": "IAMUserA",
    "principal_is_root_user": "true",
    "id": "f36972ced***d619f1214",
    "principal_urn": "iam::7e0d78c85***d0b9b7cba:user:IAMUserA",
    "type": "User",
    "principal_id": "f36972ced***d619f1214"
}

The user field records the information about the operator, which is IAMUserA (value of the name field) in this example. Note the following fields.

Field

Description

user_name

Username of the operator. To obtain it, hover over the username in the upper right corner of the console, select My Credentials from the drop-down menu, and locate the name on the right of IAM Username. In this example, it is IAMUserA.

name

id

User ID of the operator. To obtain it, hover over the username in the upper right corner of the console, select My Credentials from the drop-down menu, and locate the name on the right of IAM User ID. In this example, it is f36972ced***d619f1214.

principal_id

Identity ID of the operator. The format is user-id. In this example, the value is f36972ced***d619f1214.

principal_urn

URN of the operator. The format is iam::<account-id>:user:<user-name>. In this example, the value is iam::7e0d78c85***d0b9b7cba:user:IAMUserA.

domain.name

Account name of the operator. To obtain it, hover over the username in the upper right corner of the console, select My Credentials from the drop-down menu, and locate the name on the right of Account Name. In this example, it is IAMUserB.

domain.id

Account ID of the operator. To obtain it, hover over the username in the upper right corner of the console, select My Credentials from the drop-down menu, and locate the name on the right of Account ID. In this example, it is 7e0d78c85***d0b9b7cba.

account_id

IAM Agency

If the operator is an IAM agency, the user field in the audit log is as follows:

{
    "access_key_id": "HSTAB***6DEEB",
    "invoked_by": [
      "service.console"
    ],
    "account_id": "302893da***5a7453e5733",
    "domain": {
      "name": "hc_beta_***",
      "id": "302893da***5a7453e5733"
    },
    "name": "hc_beta_***/agencyname",
    "session_context": {
      "attributes": {
        "created_at": "1724744585642",
        "mfa_authenticated": "false"
      },
      "assumed_by": {
        "principal_id": "3cd5b27548***a58b5801d9d"
      }
    },
    "principal_urn": "sts::302893da***5a7453e5733:assumed-agency:agencyname/null",
    "type": "AssumedAgency",
    "principal_id": "40c79f4571***8bc54784b61:null"
}

The user field records the information about the operator, which is hc_beta_***/agencyname (value of the name field) in this example. Note the following fields.

Field

Description

name

Username of the operator. The format is <domain-name>/<agency-name>.

principal_id

Identity ID of the operator. The format is <agency-id>:<agency-session-name>. In this example, the value is 40c79f4571***8bc54784b61:null.

principal_urn

URN of the operator. For an IAM agency, the format is sts::<account-id>:assumed-agency:<agency-name>/<agency-session-name>. In this example, the value is sts::302893da***5a7453e5733:assumed-agency:agencyname/null.

session_context.assumed_by.principal_id

ID of the delegated account in IAM. For details, see Switching Roles (by a Delegated Party).

Cloud Service Agency

If the operator is a cloud service agency, the user field in the audit log is as follows:

{
    "access_key_id": "HSTAR***LG6FC",
    "account_id": "302893da***53e5733",
    "domain": {
      "name": "hc_beta_***",
      "id": ""302893da***53e5733""
    },
    "name": "hc_beta_***/ServiceLinkedAgencyForCloudTraceService",
    "session_context": {
      "attributes": {
        "created_at": "1724744380046",
        "mfa_authenticated": "false"
      },
      "assumed_by": {
        "service_principal": "service.CTS"
      }
    },
    "principal_urn": "sts::302893da***53e5733:assumed-agency:ServiceLinkedAgencyForCloudTraceService/302893da***53e5733",
    "type": "AssumedAgency",
    "principal_id": "4bc820d3***b786c83:302893da***53e5733"
}

The user field records the information about the operator, which is hc_beta_***/ServiceLinkedAgencyForCloudTraceService (value of the name field) in this example. Note the following fields.

Field

Description

name

Username of the operator. The format is <domain-name>/<agency-name>. In this example, it is hc_beta_***/ServiceLinkedAgencyForCloudTraceService.

principal_id

Identity ID of the operator. The format is <agency-id>:<agency-session-name>. In this example, the value is 4bc820d3***b786c83:302893da***53e5733.

principal_urn

URN of the operator. The format is sts::<account-id>:assumed-agency:<agency-name>/<agency-session-name>. In this example, the value is sts::302893da***53e5733:assumed-agency:ServiceLinkedAgencyForCloudTraceService/302893da***53e5733.

session_context.assumed_by.service_principal

Name of the delegated cloud service. The format is service.<service-name>.

IAM Identity Center User

If the operator is a user created in IAM Identity Center, the user field in the audit log is as follows:

{
    "access_key_id": "HSTA9***CKG7E",
    "invoked_by": [
      "service.console"
    ],
    "account_id": "302893da***53e5733",
    "domain": {
      "name": "hc_beta_***",
      "id": "302893da***53e5733"
    },
    "name": "hc_beta_***/SysReservedV3_evs-FullAccess-***",
    "session_context": {
      "attributes": {
        "created_at": "1724744395079",
        "mfa_authenticated": "false"
      },
      "assumed_by": {
        "service_principal": "service.IdentityCenter"
      }
    },
    "principal_urn": "sts::302893da***53e5733:assumed-agency:SysReservedV3_evs-FullAccess-***/IdentityCenterUsername",
    "type": "AssumedAgency",
    "principal_id": "dbc60d8***ef5fd807:***"
}

The user field records the information about the operator, which is hc_beta_***/SysReservedV3_evs-FullAccess-*** (value of the name field) in this example. Note the following fields.

Field

Description

name

Username of the operator. For a service-linked agency, the format is <domain-name>/<agency-name>. In this example, the value is hc_beta_***/SysReservedV3_evs-FullAccess-***.

principal_id

Identity ID of the operator. The format is <agency-id>:<agency-session-name>. In this example, the value is dbc60d8***ef5fd807:***.

principal_urn

URN of the operator. The format is sts::<account-id>:assumed-agency:<agency-name>/<agency-session-name>. In this example, the value is sts::302893da***53e5733:assumed-agency:SysReservedV3_evs-FullAccess-***/IdentityCenterUsername.

session_context.assumed_by.service_principal

Name of the entrusted cloud service. The value is fixed at service.IdentityCenter.

Federated User

If the operator is a federated user, the user field in the audit log is as follows:

{
    "access_key_id": "HSTAX***3IBZB",
    "account_id": "797c8fc3c***2dc6bf70bd",
    "domain": {
      "name": "***",
      "id": "797c8fc3c***2dc6bf70bd"
    },
    "name": "provider_name/UserA",
    "session_context": {
      "federation_data": {
        "identity_provider": "provider_name",
        "protocol": "SAML",
        "group_Ids": [
          "fedf7a460***46451be85"
        ]
      }
    },
    "principal_urn": "sts::797c8fc3c***2dc6bf70bd:external-user:provider_name/UserA",
    "type": "ExternalUser",
    "principal_id": "provider_name:UserA"
}

The user field records the information about the operator, which is provider_name/UserA (value of the name field) in this example. Note the following fields.

Field

Description

name

Username of the operator. The format is <idp_id>/<user-session-name>. In this example, the value is provider_name/UserA.

principal_id

Identity ID of the operator. The format is <idp_id>:<user-session-name>. In this example, the value is provider_name:UserA.

principal_urn

URN of the operator. The format is sts::<account-id>:external-user:<idp_id>/<user-session-name>. In this example, the value is sts::797c8fc3c***2dc6bf70bd:external-user:provider_name/UserA.

idp_id indicates the name of the IAM identity provider. To obtain its value, log in to the IAM console and view the identity provider name on the Identity Providers page.