Updated on 2023-03-07 GMT+08:00

Creating an IAM User

If you are an administrator and have created multiple resources on the cloud platform, such as Elastic Cloud Servers (ECSs), Elastic Volume Service (EVS) disks, and Bare Metal Servers (BMSs), you can create IAM users grant them permissions required to perform operations on specific resources. You do not need to share the password of your account.

By default, new IAM users do not have permissions. You can assign permissions to new users, or add them to one or more groups and grant permissions to these groups by referring to Assigning Permissions to a User Group so that the users can inherit the permissions of the groups. The users then can perform specific operations on cloud services as specified by the permissions.

The default user group admin has all permissions required to use all of the cloud resources. Users in this group can perform operations on all the resources, including but not limited to creating user groups and users, modifying permissions, and managing resources.

If you delete a user and create a new user with the same name, you need to grant the required permissions to the new user again.

Procedure

  1. Log in to the IAM console as an administrator.
  2. On the IAM console, choose Users from the navigation pane, and click Create User in the upper right corner.
  3. Specify the user information on the Create User page. To create more users, click Add User. You can add a maximum of 10 users at a time.

    Table 1 User details

    Parameter

    Description

    Username

    This parameter is user-defined and cannot be the same as that of any other account or any IAM user in the account.

    Email Address

    This parameter is user-defined and cannot be the same as that of any other account or any IAM user in the account. It can be used to authenticate the IAM user and reset the password.

    Mobile Number

    This parameter is user-defined. It can be used to authenticate the IAM user and reset the password.

    External Identity ID

    If you want to configure SAML-based Federated Identity Authentication for an IAM user, External Identity ID of a maximum of 128 characters is mandatory.

  4. Specify Access Type.

    Table 2 Access types

    Access Type

    Description

    Programmatic access

    Allows users to access cloud services using development tools such as APIs, CLI, and SDKs.

    Management console access

    Allows users to access cloud services through the management console. A password is mandatory for login.

  5. Specify Credential Type.

    Table 3 Recommended configurations

    Management console access

    Programmatic access

    Credential type

    Recommended Access Type

    Recommended Credential Type

    ×

    There is no special requirement.

    Management console access

    Password

    ×

    There is no special requirement.

    Programmatic access

    Access key

    ×

    A password is required as a credential for programmatic access (required by some APIs).

    Programmatic access

    Password

    ×

    The access key (entered by the IAM user) needs to be verified on the console.

    For example, the user needs to perform access key verification before creating a data migration job in the Cloud Data Migration (CDM) console.

    Programmatic access and management console access

    Password and key

  6. Configure login protection. This parameter is available only when you have selected Management console access for Access Type.

    • Enable (Recommend): The user needs to enter a verification code in addition to the username and password during login. Enable this function for account security.

      You can choose from SMS-, email-, and virtual MFA–based login verification.

    • Disable: The user does not need to enter a verification code for login. If you want to enable login protection after the user is created, see Login Protection.

  7. Click Next. Select the user group to which the user is to be added, and add the user to the user group. The user will have the permissions assigned to the user group.

    • You can also create a new group and add the user to that group.
    • If the user will be an administrator, add the user to the default group admin.
    • You can add a user to a maximum of 10 user groups.

  8. Click Create.

    • If you have selected Access key for Credential Type in 5, you can download the access key on the Finish page.
    • If you have selected Password > Automatically generated for Credential Type in 4, you can download the password file on the Finish page.
      Figure 1 Users created successfully