Updated on 2024-09-05 GMT+08:00

Entrustment Description

IEF works closely with multiple cloud services to use image, storage, data, and monitoring functions. When you log in to the IEF console for the first time, IEF automatically requests permissions to access those cloud services in the region where you run your applications. Specifically:

  • Application Operations Management (AOM)

    IEF can collect performance metrics and logs (optional) of edge nodes and application containers through AOM, helping you monitor the performance of edge nodes and applications in real time and quickly identify risks.

  • Software Repository for Container (SWR)

    IEF can manage and download self-defined container images through SWR, helping you deploy containerized applications on edge nodes.

  • Object Storage Service (OBS)

    IEF can access created edge functions through OBS, helping you deploy and run functions on edge nodes and devices.

  • Data Ingestion Service (DIS)

    IEF can send data of edge nodes and devices to your DIS streams.

After you agree to the entrustment, IEF automatically creates an agency in IAM to delegate other resource operation permissions in your account to Huawei Cloud IEF. For details, see Account Delegation.

The agencies automatically created in IAM are:

ief_admin_trust

The ief_admin_trust agency has the Tenant Administrator permissions. Tenant Administrator has the administrator permissions on all cloud services except IAM. The permissions are used to call the cloud services that IEF depends on. The delegation takes effect only in the current region.

To use IEF in multiple regions, request for cloud resource permissions in each region. You can go to the IAM console, choose Agencies, and click ief_admin_trust to view the authorization records in each region.

IEF may fail to run as expected if the Tenant Administrator permissions are not assigned. So, do not delete or modify the ief_admin_trust agency when using IEF.

ief_edge_trust

The ief_edge_trust agency does not contain the Tenant Administrator system role. It only has the operation permissions of cloud service resources required by IEF and is used by edge nodes to report monitoring, alarms, and logs.

If the permissions of the ief_edge_trust agency are different from those expected by IEF, the console displays a message indicating that the permissions have changed and a re-authorization is required.

You may need to modify the permissions of the ief_edge_trust agency in the following scenarios:

  • The permissions on which IEF components depend may change with versions. For example, if a new component depends on new permissions, IEF will update the expected permission list and you need to grant the required permissions to ief_edge_trust.
  • When you manually modify the permissions of the ief_edge_trust agency, the permissions of the agency are different from those expected by IEF. In this case, a message is displayed, asking you to re-authorize the agency. If a re-authorization, the permissions you previously modified may become invalid.