Updated on 2025-11-07 GMT+08:00

Creating an IAM User

If you are an administrator and have purchased multiple resources on Huawei Cloud, such as Elastic Cloud Servers (ECSs), Elastic Volume Service (EVS) disks, and Bare Metal Servers (BMSs), you can create IAM users and grant them only permissions required to perform operations on specific resources. You do not need to share the password of your account.

New IAM users do not have any permissions assigned by default. The administrator needs to attach identity policies to the user, or add the user to one or more groups and assign permissions to these groups (see Assigning Permissions to a User Group). Users in a group inherit all permissions of the group. The users can then perform specified operations on cloud resources based on the permissions they have been assigned.

The default user group admin has all permissions required to use all of the cloud resources. IAM users in this group can perform operations on all the resources, including but not limited to creating user groups and users, modifying permissions, and managing resources.

IAM usernames are case insensitive and must be unique. Creating users with the same username but different letter cases is not allowed. If you delete an IAM user and then create a new one with the same name, the new user does not have any permissions. You need to grant the required permissions to the new user.

Procedure

  1. Log in to the new IAM console as an administrator.
  2. On the IAM console, choose Users from the navigation pane, and click Create User in the upper right corner.

    Figure 1 Creating an IAM user

  3. Specify the username on the Create User page. The username can only contain uppercase letters, lowercase letters, spaces, digits, hyphens (-), underscores (_), and periods (.). It cannot start with a digit or space.

    Figure 2 Specifying a username

  4. Determine whether to enable Management Console Access. If you need to allow console access, you are advised to create a user on the IAM Identity Center console.

    • Enable: This user can log in to the management console to access cloud services. It can also create access keys and use development tools such as APIs, CLI, and SDKs to access cloud services.
    • Disable: The user cannot set a password or use a password to log in to the management console. It can only create access keys and use development tools such as APIs, CLI, and SDKs to access cloud services.

  5. If you enable Management Console Access and choose to create an IAM user, you need to select a password type.

    • Custom: Set a password for the user and specify whether to require the user to reset the password upon first login.
    • Automatically generated: The system automatically generates a login password for the user. After the user is created, you can download the password file and send it to the user. The user can then use this password for login.
      Figure 3 Password settings

  6. (Optional) Select a permission configuration method. You can select User group or Identity policy.

    • User group: Add a user to one or more groups, and the user will inherit permissions from these groups. If you need to grant the same permissions to multiple users, this method is recommended.
      Select the user groups and add the user to these user groups.
      • You can also create a new group and add the user to that group.
      • To grant administrator permissions to a user, add the user to the admin group.
      • You can add a user to a maximum of 10 user groups.
    • Identity policy: Attach one or more identity policies to a user, and the user will have the permissions defined in the identity policies.

      Select the identity policies and attach them directly to the user.

      • You can click Create to create a custom identity policy. After the policy is created, select it and attach it to the user.
      • By default, you can attach up to 10 identity policies to a user. To attach up to 20 identity policies to a user, submit a service ticket to request a quota increase.

  7. Click Create User.

    If Automatically generated is selected for Password Setting in step 5, you can download the password file on this page.

    • You can download the password file only once on this page. If you do not download the password file after the user is successfully created, you can only obtain a password by resetting it.
    Figure 4 Users created successfully
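
The naming rules and limits in this procedure can be checked before a user is created, for example in a provisioning script. The following is an added example, not Huawei Cloud code: `preflight`, the request dictionary keys, and the finding codes are hypothetical, treating letters as ASCII-only is an assumption, and it calls no Huawei Cloud API.

```python
import re

# Step 3 character set. Treating "letters" as ASCII-only is an assumption.
ALLOWED = re.compile(r"[A-Za-z0-9 _.\-]+")
MAX_GROUPS = 10        # step 6: at most 10 user groups per user
DEFAULT_POLICIES = 10  # step 6: default quota; 20 needs a service ticket


def preflight(request, existing_usernames, policy_quota=DEFAULT_POLICIES):
    """Check a hypothetical create-user request; return (severity, code) pairs."""
    findings = []
    name = request.get("username", "")
    groups = request.get("groups", [])
    policies = request.get("identity_policies", [])

    if not ALLOWED.fullmatch(name):
        findings.append(("error", "bad_characters"))
    if name and (name[0].isdigit() or name[0] == " "):
        findings.append(("error", "bad_first_character"))
    # Usernames are case insensitive, so compare case-folded forms.
    if name.casefold() in {u.casefold() for u in existing_usernames}:
        findings.append(("error", "name_collision"))
    if len(groups) > MAX_GROUPS:
        findings.append(("error", "too_many_groups"))
    if len(policies) > policy_quota:
        findings.append(("error", "too_many_policies"))
    # The admin group carries every permission; surface it for review.
    if "admin" in groups:
        findings.append(("warn", "admin_group"))
    # No group and no policy means the new user can do nothing yet.
    if not groups and not policies:
        findings.append(("warn", "no_permissions"))
    return findings


if __name__ == "__main__":
    # Constructed sample data, not taken from a real account.
    existing = ["alice.DEV", "build-bot"]
    samples = [
        {"username": "ALICE.dev", "groups": ["readers"]},
        {"username": "1ops", "groups": ["admin"]},
        {"username": "ci_runner", "identity_policies": ["ReadOnlyExample"]},
    ]
    for req in samples:
        print(req["username"], preflight(req, existing))
```
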

(Recommended) Creating Users on the IAM Identity Center Console

Using IAM users is not the best choice for managing access in Huawei Cloud. You should avoid relying on IAM users in most use cases.

  • IAM users are designed for individual accounts. As an organization grows, it becomes increasingly challenging to manage the permissions and security of a large number of IAM users.
  • IAM users also lack centralized visibility and audit capabilities, making security and regulatory compliance more challenging.

A better solution is to use IAM Identity Center users. This solution has the following advantages:

  • Simplified access

    Users can access multiple Huawei Cloud accounts and applications using SSO, avoiding switches between multiple usernames and passwords.

  • Integration with enterprise identity sources

    IAM Identity Center can integrate with enterprise identity sources such as Active Directory and Okta, simplifying user synchronization and management.

  • Flexible identity source selection

    You can use the default identity source, or connect to an external identity source using IAM Identity Center to meet your business requirements.

  • Reduced management costs

    Synchronizing users from external identity sources via the SCIM protocol reduces the workload of manually creating users and updating user attributes.

Follow-Up Operations

  • IAM users created without being added to any groups or assigned any policies do not have permissions. The administrator can assign permissions to these users on the IAM console. The IAM users can then use cloud resources as specified by their permissions. For details, see Assigning Permissions to an IAM User.
  • IAM users and HUAWEI IDs/Huawei Cloud Accounts use different methods to log in. For details about IAM user login, see Logging In as an IAM User.