- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- Logging In to Huawei Cloud
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- Custom Identity Broker
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
- Best Practices
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- Getting Started
-
API
- Token Management
-
Access Key Management
- Obtaining Temporary Access Keys and Security Tokens of an Agency
- Obtaining Temporary Access Keys and Security Tokens of an IAM User
- Obtaining Temporary Access Keys and Security Tokens of a Federated User
- Creating a Permanent Access Key
- Querying Permanent Access Keys
- Querying a Permanent Access Key
- Modifying a Permanent Access Key
- Deleting a Permanent Access Key
- Region Management
- Project Management
- Account Management
-
IAM User Management
- Listing IAM Users
- Querying IAM User Details (Recommended)
- Querying IAM User Details
- Querying the User Groups Which an IAM User Belongs to
- Querying the IAM Users in a Group
- Creating an IAM User (Recommended)
- Creating an IAM User
- Changing the Login Password
- Modifying IAM User Information (By an IAM User) (Recommended)
- Modifying IAM User Information (By the Administrator) (Recommended)
- Modifying IAM User Information (By the Administrator)
- Deleting an IAM User
- User Group Management
-
Permissions Management
- Listing Permissions
- Querying Permission Details
- Querying Permissions Assignment Records
- Querying Permissions of a User Group for a Global Service Project
- Querying Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for a Global Service Project
- Granting Permissions to a User Group for a Region-specific Project
- Checking Whether a User Group Has Specified Permissions for a Global Service Project
- Checking Whether a User Group Has Specified Permissions for a Region-specific Project
- Querying All Permissions of a User Group
- Checking Whether a User Group Has Specified Permissions for All Projects
- Removing Specified Permissions of a User Group in All Projects
- Removing Permissions of a User Group for a Global Service Project
- Removing the Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for All Projects
- Custom Policy Management
-
Agency Management
- Listing Agencies
- Querying Agency Details
- Creating an Agency
- Modifying an Agency
- Deleting an Agency
- Querying Permissions of an Agency for a Global Service Project
- Querying Permissions of an Agency for a Region-specific Project
- Granting Permissions to an Agency for a Global Service Project
- Granting Permissions to an Agency for a Region-specific Project
- Checking Whether an Agency Has Specified Permissions for a Global Service Project
- Checking Whether an Agency Has Specified Permissions for a Region-specific Project
- Removing Permissions of an Agency for a Global Service Project
- Removing Permissions of an Agency for a Region-specific Project
- Querying All Permissions of an Agency
- Granting Specified Permissions to an Agency for All Projects
- Checking Whether an Agency Has Specified Permissions
- Removing Specified Permissions of an Agency in All Projects
-
Enterprise Project Management
- Querying User Groups Associated with an Enterprise Project
- Querying the Permissions of a User Group Associated with an Enterprise Project
- Granting Permissions to a User Group Associated with an Enterprise Project
- Removing Permissions of a User Group Associated with an Enterprise Project
- Querying the Enterprise Projects Associated with a User Group
- Querying the Enterprise Projects Directly Associated with an IAM User
- Querying Users Directly Associated with an Enterprise Project
- Querying Permissions of a User Directly Associated with an Enterprise Project
- Granting Permissions to a User Associated with an Enterprise Project
- Removing Permissions of a User Directly Associated with an Enterprise Project
- Granting Permissions to Agencies Associated with Specified Enterprise Projects
- Removing Permissions of Agencies Associated with Specified Enterprise Projects
-
Security Settings
- Modifying the Operation Protection Policy
- Querying the Operation Protection Policy
- Modifying the Password Policy
- Querying the Password Policy of an Account
- Modifying the Login Authentication Policy
- Querying the Login Authentication Policy
- Modifying the ACL for Console Access
- Querying the ACL for Console Access
- Modifying the ACL for API Access
- Querying the ACL for API Access
- Listing MFA Device Information of IAM Users
- Querying the MFA Device Information of an IAM User
- Listing Login Protection Configurations of IAM Users
- Querying the Login Protection Configuration of an IAM User
- Modifying the Login Protection Configuration of an IAM User
- Binding a Virtual MFA Device
- Unbinding a Virtual MFA Device
- Creating a Virtual MFA Device
- Deleting a Virtual MFA Device
-
Federated Identity Authentication Management
- Obtaining a Token Through Federated Identity Authentication
-
Identity Providers
- Listing Identity Providers
- Querying Identity Provider Details
- Creating an Identity Provider
- Modifying a SAML Identity Provider
- Deleting a SAML Identity Provider
- Creating an OpenID Connect Identity Provider Configuration
- Modifying an OpenID Connect Identity Provider
- Querying an OpenID Connect Identity Provider
- Mappings
- Protocols
- Metadata
- Token
- Listing Accounts Accessible to Federated Users
- Listing Projects Accessible to Federated Users
- Custom Identity Brokers
- Version Information Management
- Services and Endpoints
- Out-of-Date APIs
- Permissions and Actions
- Appendix
- Change History
- SDK Reference
-
FAQs
-
User Groups and Permissions Management
- Why Can't I Find Permissions for a Cloud Service?
- How Do I Grant Cloud Service Permissions in the EU-Dublin Region to IAM Users?
- Why Have Permissions Granted to a User Not Been Applied?
- What Should I Do If an IAM User Does Not Have the Required Permissions to Access the IAM Console?
- How Can I Grant an IAM User Permissions to Place Orders But Disallow Order Payment?
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Why Is My Account Locked?
- Why Doesn't My API Access Control Policy Take Effect?
- Why Do I Still Need to Perform MFA During Login After Unbinding the Virtual MFA Device?
-
Passwords and Credentials
- What Should I Do If I Forgot My Password?
- How Do I Change My Password?
- How Do I Obtain an Access Key (AK/SK)?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and Security Token)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain Access Keys (AK/SK Pairs) for the EU-Dublin Region?
- Project Management
- Agency Management
- Account Management
- Others
-
User Groups and Permissions Management
- Videos
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions
- Projects
- Agencies
- Account Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
-
FAQs
- User Groups and Permissions Management
- IAM User Management
-
Security Settings
- How Do I Enable Login Authentication?
- How Do I Disable Login Authentication?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
-
Passwords and Credentials
- How Do I Reset My Password?
- How Do I Change My Password?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and SecurityToken)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain an Access Key (AK/SK) in the ME-Abu Dhabi-OP5 Region?
- Project Management
- Agency Management
- Others
- Change History
- API Reference (ME-Abu Dhabi Region)
-
User Guide (Paris Regions)
- Service Overview
- Getting Started
-
User Guide
- IAM Users
- User Groups and Authorization
- Permissions
- Account Settings
- Projects
- Agencies
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Auditing
-
FAQs
- How Do I Enable Login Authentication?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain MFA Verification Codes?
- How Do I Unbind a Virtual MFA Device?
- Why Does IAM User Login Fail?
- How Do I Control IAM User Access to the Console?
- Differences Between IAM and Enterprise Management
- What Are the Differences Between IAM Projects and Enterprise Projects?
- How Can I Obtain Permissions to Create an Agency?
- What Can I Do If Text Box Prompt Information Does Not Disappear?
- How Do I Disable Password Association and Saving on Google Chrome?
- How Do I Grant Cloud Service Permissions in the EU-Paris Region to IAM Users?
- How Do I Obtain an Access Key (AK/SK) in the EU-Paris Region?
- Change History
- API Reference (Paris Regions)
-
User Guide (Kuala Lumpur Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
-
FAQs
- User Groups and Permissions Management
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Why Is My Account Locked?
- Why Do I Still Need to Perform MFA During Login After Unbinding the Virtual MFA Device?
-
Passwords and Credentials
- What Should I Do If I Forgot My Password?
- How Do I Change My Password?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and Security Token)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain an Access Key (AK/SK) in the AP-Kuala Lumpur-OP6 Region?
- Project Management
- Agency Management
- Others
- Change History
-
API Reference (Kuala Lumpur Region)
- Before You Start
- API Overview
- Calling APIs
-
APIs
- Token Management
- Access Key Management
- Region Management
-
Project Management
- Querying Project Information Based on the Specified Criteria
- Querying a User Project List
- Querying the List of Projects Accessible to Users
- Creating a Project
- Modifying Project Data
- Querying Information About a Specified Project
- Setting the Status of a Specified Project
- Querying Information and Status of a Specified Project
- Querying the Quotas of a Project
- Tenant Management
-
User Management
- Querying a User List
- Querying User Details
- Querying User Details (Recommended)
- Querying the User Group to Which a User Belongs
- Querying Users in a User Group
- Creating a User
- Changing a Password
- Modifying User Information
- Modifying User Information (Including Email Address and Mobile Number)
- Modifying User Information (Including Email Address and Mobile Number)
- Deleting a User
- Deleting a User from a User Group
- Querying MFA Device Information of Users
- Querying the MFA Device Information of a User
- Querying Login Protection Configurations of Users
- Querying the Login Protection Configuration of a User
- Creating a Virtual MFA Device
- Deleting a Virtual MFA Device
- Binding a Virtual MFA Device
- Unbinding a Virtual MFA Device
- Modifying the Login Protection Configuration of a User
- User Group Management
-
Permission Management
- Querying a Role List
- Querying Role Details
- Querying Permissions of a User Group Under a Domain
- Querying Permissions of a User Group Corresponding to a Project
- Granting Permissions to a User Group of a Domain
- Granting Permissions to a User Group Corresponding to a Project
- Deleting Permissions of a User Group Corresponding to a Project
- Deleting Permissions of a User Group of a Domain
- Querying Whether a User Group Under a Domain Has Specific Permissions
- Querying Whether a User Group Corresponding to a Project Has Specific Permissions
- Granting Permissions to a User Group for All Projects
- Removing Specified Permissions of a User Group in All Projects
- Checking Whether a User Group Has Specified Permissions for All Projects
- Querying All Permissions of a User Group
- Custom Policy Management
-
Agency Management
- Creating an Agency
- Querying an Agency List Based on the Specified Conditions
- Obtaining Details of a Specified Agency
- Modifying an Agency
- Deleting an Agency
- Granting Permissions to an Agency for a Project
- Checking Whether an Agency Has the Specified Permissions on a Project
- Querying the List of Permissions of an Agency on a Project
- Deleting Permissions of an Agency on a Project
- Granting Permissions to an Agency on a Domain
- Checking Whether an Agency Has the Specified Permissions on a Domain
- Querying the List of Permissions of an Agency on a Domain
- Deleting Permissions of an Agency on a Domain
- Querying All Permissions of an Agency
- Granting Specified Permissions to an Agency for All Projects
- Checking Whether an Agency Has Specified Permissions
- Removing Specified Permissions of an Agency in All Projects
-
Security Settings
- Querying the Operation Protection Policy
- Modifying the Operation Protection Policy
- Querying the Password Policy
- Modifying the Password Policy
- Querying the Login Authentication Policy
- Modifying the Login Authentication Policy
- Querying the ACL for Console Access
- Modifying the ACL for Console Access
- Querying the ACL for API Access
- Modifying the ACL for API Access
- Federated Identity Authentication Management
- Version Information Management
- Services and Endpoints
- Permissions Policies and Supported Actions
- Appendix
- Change History
-
User Guide (Ankara Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Quotas
-
FAQs
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Passwords and Credentials
- Agency Management
- Others
- Change History
- API Reference (Ankara Region)
-
User Guide (ME-Abu Dhabi Region)
- General Reference
Show all
Copied.
Creating an IAM User
If you are an administrator and have purchased multiple resources on Huawei Cloud, such as Elastic Cloud Servers (ECSs), Elastic Volume Service (EVS) disks, and Bare Metal Servers (BMSs), you can create IAM users and grant them permissions required to perform operations on specific resources. This way, you do not need to share the password of your account.
New IAM users do not have any permissions assigned by default. You can assign permissions to new users, or add them to one or more groups and grant permissions to these groups by referring to Assigning Permissions to a User Group so that the users can inherit the permissions of the groups. The users then can perform specific operations on cloud services as specified by the permissions.
The default user group admin has all permissions required to use all of the cloud resources. Users in this group can perform operations on all the resources, including but not limited to creating user groups and users, modifying permissions, and managing resources.
If you delete a user and then create a new user with the same name, you need to grant the required permissions to the new user again.
Procedure
- Log in to the IAM console as the administrator.
- Choose Users from the left navigation pane and click Create User in the upper right corner.
Figure 1 Creating an IAM user
- Specify the user information on the Create User page. To create more users, click Add User. You can add a maximum of 10 users at a time.
Table 1 User details Parameter
Description
Username
This parameter is user-defined and cannot be the same as that of any other account or any IAM user in the account.
Email Address
This parameter is user-defined and cannot be the same as that of any other account or any IAM user in the account. It can be used to authenticate the IAM user and reset the password.
Mobile Number
This parameter is user-defined and cannot be the same as that of any other account or any IAM user in the account. It can be used to authenticate the IAM user and reset the password.
External Identity ID
Identity of an enterprise user in IAM user SSO.
This parameter must be specified if you want to configure virtual user SSO via SAML for an IAM user. The value contains a maximum of 128 characters.
NOTE:
- IAM users can log in to Huawei Cloud using the username, email address, or mobile number.
- If users forget their passwords, they can reset the passwords through email address or mobile number verification. If no email addresses or mobile numbers have been bound to users, users need to request the administrator to reset their passwords.
- Specify Access Type.
Figure 2 Selecting access types
Table 2 Access types Access Type
Description
Programmatic access
An access key or password is generated for the IAM user. This type allows access to cloud services using development tools, such as APIs, CLI, and SDKs.
Management console access
A password is generated for the IAM user. This type allows access to cloud services using the management console. A password is mandatory for login.
NOTE:
- If the user accesses cloud services only by using the management console, select Management console access for Access Type and Password for Credential Type.
- If the user accesses cloud services only through programmatic access, select Programmatic access for Access Type and Access key for Credential Type
- If the user needs to use a password as the credential for programmatic access to certain APIs, select Programmatic access for Access Type and Password for Credential Type.
- If the user needs to perform access key verification when using certain services in the console, select Programmatic access and Management console access for Access Type, and select Access key and Password for Credential Type. For example, the user needs to perform access key verification before creating a data migration job in the Cloud Data Migration (CDM) console.
- Specify Credential Type.
Figure 3 Selecting credential types
Table 3 Credential types Credential Type
Description
Access key
After creating the user, you can download the access key (AK/SK) generated for the user.
Each user can have a maximum of two access keys.
Password
Set now
Set a password for the user and determine whether to require the user to reset the password at the first login.
If you will use the IAM user by yourself, you are advised to select this option, enter a password, and deselect Require password reset at first login.
Automatically generated
The system automatically generates a login password for the user. After the user is created, you can download the EXCEL password file and provide the password to the user. The user can then use this password for login.
The password file must be downloaded upon the user creation. If you cancel the download, the password file cannot be obtained again. You can reset the user password by referring to Changing the Password of an IAM User.
This option is available only when you create an individual user.
Set by user
A one-time login URL will be emailed to the user. The user can click on the link to log in to the console and set a password.
If you do not use the IAM user by yourself, select this option and enter the email address and mobile number of the IAM user. The user can then set a password by clicking on the one-time login URL sent over email. The login URL is valid for seven days.
USB Key
A USB key is a device that stores user credentials. You can use a USB key, rather than a password to verify your identity. This option is more secure, as there is no password to be leaked.
Once selected, the USB key is the only way for the IAM user to log in. The password will be invalidated and can no longer be used.
Table 4 Recommended configurations Management Console Access
Programmatic Access
Credential Type
Recommended Access Type
Recommended Credential Type
Select
Deselect
There are no special requirements.
Management console access
Password
Deselect
Select
There are no special requirements.
Programmatic access
Access key
Deselect
Select
A password is required as a credential for programmatic access (required by some APIs).
Programmatic access
Password
Select
Select
The access key (entered by the IAM user) needs to be verified on the console.
For example, the user needs to perform access key verification before creating a data migration job in the Cloud Data Migration (CDM) console.
Programmatic access and management console access
Password and access key
- Configure login protection. This parameter is available only when you have selected Management console access for Access Type.
Figure 4 Enabling login protection
- Enable (Recommend for account security): The user needs to enter a verification code in addition to the username and password for login.
You can choose SMS-, email-, or virtual MFA–based login verification.
- Disable: The user does not need to enter a verification code for login. If you want to enable login protection after the user is created, see Login Protection.
- Enable (Recommend for account security): The user needs to enter a verification code in addition to the username and password for login.
- Click Next. Select the user groups to add the user. The user will inherit the permissions assigned to the user groups.
Figure 5 Adding the user to a user group
NOTE:
- You can also create a new group and add the user to that group.
- If you want the user to be an administrator, add the user to the default group admin.
- You can add a user to a maximum of 10 user groups.
- Click Create.
Related Operations
- IAM users created without being added to any groups do not have any permissions. The administrator can assign permissions to these IAM users on the IAM console. IAM users can also assign permissions to themselves. Then the users can use cloud resources based on the assigned permissions. For details, see Assigning Permissions to an IAM User.
- Accounts and IAM users use different methods to log in. For details about IAM user login, see Logging In as an IAM User.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot