Cloud Services for Using Identity Policies and Trust Agencies
The table below shows cloud services that support identity policies, trust agencies, and IAM functions. The table headings are explained in the following list.
- Cloud Service: The name and abbreviation of a cloud service. You can search for a cloud service name or abbreviation to view its information.
- Service Principal: The service principal identifier of a cloud service. It is used to control the trusted cloud service principal in the trust policy of a trust agency. In a FAS request, the list of involved service principals is specified in the g:CalledVia global condition key. If a cloud service does not have a service principal, it is represented by a hyphen (-).
- Action: You can specify actions in an identity policy. If a cloud service does not support actions, on the new IAM console, you can only select all actions in the visual editor of a custom identity policy. In the JSON view, you must use "Cloud service:*:*" to specify the action element. For details about actions supported by each cloud service, see Actions Supported by Identity Policy-based Authorization.
- Resource-level Permissions: You can use URNs to specify individual resources in an identity policy. If the cloud service does not support this function, you can only select All resources in the visual editor of the custom identity policy on the new IAM console. By default, the "Resource" element is not added in the JSON view. For details about resource types supported by each cloud service, see Actions Supported by Identity Policy-based Authorization.
- Resource-based Policy: You can attach resource-based policies to a resource within a cloud service. For example, trust policies and OBS bucket policies are resource-based policies.
- ABAC (Tag-based Authentication): To control access based on tags, you can provide tag information in the condition element of a policy using the following condition keys: g:ResourceTag/tag-key, g:RequestTag/tag-key, and g:TagKeys. If a service supports all three condition keys for every resource type, then the value is Supported for the service. If a service supports all three condition keys for only some resource types, then the value is Partially supported. If a service does not support all three condition keys for any resource type, then the value is Not supported.
- Temporary Security Credentials: You can call an API to obtain temporary security credentials through an IAM agency or trust agency. If a cloud service supports this function, you can access it with temporary security credentials obtained either by switching the trust agency on the new IAM console or by calling the API for obtaining temporary security credentials through an IAM agency or trust agency.
- Cloud Service Trust Agency: You can create a trust agency and select a Cloud service as the trust principal. The agency is called a cloud service trust agency. The cloud service can perform operations within the permission scope on your behalf.
- Service-linked Agency: A special type of cloud service agency that grants cloud services the permissions to access some resources of other cloud services on your behalf. For details about service-linked agencies supported by cloud services, see System-defined identity policies.
- Requested Region: Whether a cloud service supports the "g:RequestedRegion" condition key. If the target cloud service is a region-level service, you can use this condition key to limit the region ID in an identity policy.
Table 1 Cloud services for using identity policies and trust agencies

| Cloud Service | Service Principal | Action | Resource-Level Permissions | Resource-based Policy | ABAC (Tag-based Authentication) | Temporary Security Credentials | Cloud Service Trust Agency | Service-linked Agency | Requested Region |
|---|---|---|---|---|---|---|---|---|---|
| Advanced Anti-DDoS (AAD) | service.AAD | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Not supported |
| IAM Access Analyzer | service.AccessAnalyzer | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Not supported |
| My Account | - | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| CNAD Basic (Anti-DDoS) | - | Supported | Supported | Not supported | Not supported | Supported | Not supported | Not supported | Supported |
| Application Operations Management (AOM) | service.AOM | Supported | Supported | Not supported | Supported | Supported | Not supported | Supported | Supported |
| API Gateway (APIG) | service.APIG | Supported | Supported | Not supported | Supported | Supported | Not supported | Not supported | Supported |
| Application Performance Management (APM) | service.APM | Supported | Supported | Not supported | Supported | Supported | Not supported | Not supported | Not supported |
| Auto Scaling (AS) | service.AS | Supported | Supported | Not supported | Not supported | Supported | Not supported | Supported | Supported |
| Billing Center | service.BILLING | Supported | Not supported | Not supported | Not supported | Supported | Supported | Not supported | Not supported |
| Bare Metal Server (BMS) | - | Supported | Supported | Not supported | Supported | Supported | Not supported | Not supported | Supported |
| Enterprise Center | - | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| Cloud Application Engine (CAE) | service.CAE | Supported | Supported | Not supported | Not supported | Supported | Not supported | Not supported | Supported |
| Cloud Bastion Host (CBH) | service.CBH | Supported | Supported | Not supported | Supported | Supported | Not supported | Supported | Supported |
| Cloud Backup and Recovery (CBR) | service.CBR | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |
| Cloud Connect | service.CC | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Not supported |
| Cloud Container Engine (CCE) | service.CCE | Supported | Supported | Not supported | Supported | Supported | Not supported | Not supported | Supported |
| Content Delivery Network (CDN) | service.CDN | Supported | Supported | Not supported | Supported | Supported | Supported | Not supported | Not supported |
| Cloud Eye | service.CES | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |
| Cloud Firewall (CFW) | service.CFW | Supported | Supported | Not supported | Partially supported | Supported | Supported | Supported | Supported |
| CodeArts Wiki | service.CloudWiki | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| Cloud Native Anti-DDoS Advanced (CNAD) | service.CNAD | Supported | Supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| Cloud Operations Center (COC) | service.COC | Supported | Supported | Not supported | Not supported | Supported | Supported | Supported | Not supported |
| CodeArts | service.CODEARTS | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| CodeArts Board | service.CodeArtsBoard | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| CodeArts Check | service.CodeArtsCheck | Supported | Supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| CodeArts Governance | service.CodeArtsGovernance | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| CodeArts IDE Online | service.CodeArtsIDEOnline | Supported | Supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| CodeArts Inspector | service.CodeArtsInspector | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| CodeArts Modeling | service.CodeArtsModeling | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| CodeArts PerfTest | service.codeartsperftest | Supported | Supported | Not supported | Partially supported | Supported | Supported | Not supported | Not supported |
| CodeArts Pipeline | service.CodeArtsPipeline | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| Cost Center | - | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| Cloud Service Engine (CSE) | service.CSE | Supported | Supported | Not supported | Supported | Supported | Not supported | Supported | Supported |
| Cloud Secret Management Service (CSMS) | service.CSMS | Supported | Supported | Not supported | Supported | Supported | Supported | Supported | Supported |
| Cloud Search Service (CSS) | service.CSS | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Cloud Trace Service (CTS) | service.CTS | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |
| DataArts Studio | service.DataArtsStudio | Supported | Supported | Not supported | Supported | Supported | Not supported | Not supported | Supported |
| Database Security Service (DBSS) | service.DBSS | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |
| Direct Connect | service.DCAAS | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Distributed Cache Service (DCS) | service.DCS | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |
| Distributed Database Middleware (DDM) | service.DDM | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Document Database Service (DDS) | service.DDS | Supported | Supported | Not supported | Not supported | Supported | Not supported | Supported | Supported |
| Dedicated Hardware Security Module (DHSM) | service.DHSM | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Data Lake Insight (DLI) | service.DLI | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Distributed Message Service (DMS) | service.DMS | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |
| Domain Name Service (DNS) | service.DNS | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Not supported |
| Data Replication Service (DRS) | service.DRS | Supported | Supported | Not supported | Supported | Supported | Not supported | Supported | Supported |
| Data Security Center (DSC) | service.DSC | Supported | Supported | Not supported | Not supported | Supported | Supported | Supported | Supported |
| GaussDB(DWS) | service.DWS | Supported | Supported | Not supported | Supported | Supported | Not supported | Not supported | Supported |
| Elastic Cloud Server (ECS) | - | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Elastic IP (EIP) | service.EIP | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Elastic Load Balance (ELB) | service.ELB | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |
| Enterprise Project Management Service (EPS) | service.EPS | Supported | Supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| Enterprise Router | service.ER | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Elastic Volume Service (EVS) | service.EVS | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| FunctionGraph | service.FunctionGraph | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |
| Global Accelerator | service.GA | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Not supported |
| GaussDB | service.GaussDB | Supported | Supported | Not supported | Supported | Supported | Not supported | Supported | Supported |
| GaussDB(for MySQL) | service.GaussDBforMySQL | Supported | Supported | Not supported | Supported | Supported | Not supported | Supported | Supported |
| Host Security Service (HSS) | service.HSS | Supported | Supported | Not supported | Not supported | Supported | Not supported | Supported | Not supported |
| Identity and Access Management (IAM) | service.IAM | Supported | Supported | Supported | Partially supported | Supported | Not supported | Not supported | Not supported |
| IAM Identity Center | service.IdentityCenter | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Not supported |
| Image Management Service (IMS) | service.IMS | Supported | Supported | Not supported | Supported | Supported | Not supported | Not supported | Supported |
| IoT Device Access (IoTDA) | service.IoTDA | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Key Management Service (KMS) | service.KMS | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| KooDrive | service.KooDrive | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| Key Pair Service (KPS) | service.KPS | Supported | Supported | Not supported | Not supported | Supported | Not supported | Not supported | Supported |
| Key-Value Storage Service (KVS) | service.KVS | Supported | Supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| LTS | service.LTS | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |
| KooGallery | service.Marketplace | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| Message Center | - | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| MapReduce Service (MRS) | service.MRS | Supported | Supported | Not supported | Supported | Supported | Not supported | Not supported | Supported |
| NAT Gateway | service.NAT | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Object Storage Service (OBS) | service.OBS | Supported | Supported | Supported | Supported | Supported | Supported | Not supported | Supported |
| Object Storage Migration Service (OMS) | service.OMS | Supported | Supported | Not supported | Not supported | Supported | Not supported | Not supported | Supported |
| Organizations | service.Organizations | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Not supported |
| Private Certificate Authority (PCA) | service.PCA | Supported | Supported | Not supported | Supported | Supported | Not supported | Supported | Not supported |
| Resource Access Manager (RAM) | service.RAM | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Not supported |
| Relational Database Service (RDS) | service.RDS | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |
| Resource Formation Service (RFS) | service.RF, service.RFStackSets, service.RFStackSetsOrgMember | Supported | Supported | Not supported | Not supported | Supported | Supported | Supported | Supported |
| Resource Governance Center (RGC) | service.RGC | Supported | Not supported | Not supported | Not supported | Supported | Supported | Supported | Not supported |
| Config | service.RMSMultiAccountSetup, service.RMSConforms, service.RMSRemediation | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Not supported |
| SSL Certificate Manager (SCM) | service.SCM | Supported | Supported | Not supported | Supported | Supported | Not supported | Not supported | Not supported |
| SecMaster | service.SecMaster | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| ServiceStage | service.ServiceStage | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Scalable File Service Turbo (SFS Turbo) | service.SFSTurbo | Supported | Supported | Not supported | Supported | Supported | Not supported | Not supported | Supported |
| Simple Message Notification (SMN) | service.SMN | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Server Migration Service (SMS) | service.SMS | Supported | Supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| Security Token Service (STS) | - | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Not supported |
| Software Repository for Container (SWR) | service.swr | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| Tag Management Service (TMS) | service.TMS | Supported | Not supported | Not supported | Not supported | Supported | Not supported | Not supported | Not supported |
| Virtual Private Cloud (VPC) | service.VPC | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Not supported | Supported |
| VPC Endpoint (VPCEP) | service.VPCEP | Supported | Supported | Not supported | Supported | Supported | Not supported | Not supported | Supported |
| Web Application Firewall (WAF) | service.WAF | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |
| Workspace | service.Workspace | Supported | Supported | Not supported | Partially supported | Supported | Not supported | Supported | Supported |

RFS and Config each have multiple principals.
RFS:
- You can use service.RF to assume a cloud service agency and create, update, or delete resources based on the cloud service defined in the template for FAS access.
- You can use service.RFStackSets to assume a cloud service agency and query OU and member account information in Organizations. The administrator can obtain temporary credentials of the trust agencies assumed by member accounts in IAM.
- You can use service.RFStackSetsOrgMember to assume a cloud service agency and create trust agencies for member accounts and add policies to the trust agencies in IAM for RFS management.
Config:
- You can use service.RMSMultiAccountSetup to create a service-linked agency in IAM for creating or updating organization conformance rules and packages for FAS access. You can also use this principal to assume a cloud service agency and send resource change notifications through SMN or dump resource snapshots to OBS.
- You can use service.RMSConforms to create a service-linked agency in IAM for creating or updating conformance packages for FAS access.
- You can use service.RMSRemediation to create a service-linked agency in IAM for creating or updating remediation configurations for FAS access.