Basic Concepts
This chapter describes the basic concepts used in the IAM service.
Account
An account is created after you successfully sign up for Huawei Cloud. Your account owns your Huawei Cloud resources and pays for the use of these resources. The account root user has full access permissions for your cloud services and resources. You can use the account root user to perform operations such as resetting the login password and assigning permissions to IAM users. We charge your account for the resources used by the IAM users in the account.
You cannot modify your account in IAM, but you can do so in My Account. You can also delete your account in My Account.
An account is identified by an account name and an account ID. In IAM or other cloud service documents, "domain name" and "domain ID" refer to the same things. The account name equals the domain name, and the account ID equals the domain ID.
IAM User
You can use your account to create IAM users and assign permissions for specific resources. Each IAM user has their own identity credentials (password and access keys) and uses cloud resources based on the permissions assigned by administrators. IAM users cannot make payments themselves. You can use your account to pay their bills.
If an IAM user forgets their password, the user can reset the password by referring to What Should I Do If I Forgot My Password?
Account Root User
When you create an account, an account root user with the same name as the account is created by default.
Conceptually, the account root user is also an IAM user and has the same capabilities as an IAM user.
However, there are some use constraints on the account root user.
Constraint 1: The account root user has default authorizations.
The account root user has default full access to all resources in the account and can assign permissions to IAM users.
Constraint 2: The permissions of the account root user cannot be changed.
You cannot grant permissions to or revoke permissions from the account root user, or add the user to or remove it from a user group.
Constraint 3: The account root user cannot be deleted.
- We strongly recommend that you do not use the account root user for your daily tasks.
- You need to protect the account root user credentials from being leaked.
Relationship Between an Account and Its IAM Users
Conceptual models
- Account: An account is the entity that owns and pays for used resources. An account does not directly use resources.
- IAM user: IAM users are entities that use resources in an account.
Usage habits
- Account root user: An account root user is an IAM user with the same name as the account. It is created by default when an account is created. There are some restrictions on account root users.
- IAM user: An IAM user is manually created after an account is created. IAM users can be modified and deleted.
User Group
An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users in batches, making it easier to manage the permissions for those users. IAM users added to a user group automatically obtain the permissions assigned to the group. If a user is added to multiple user groups, the user inherits the permissions from all these groups.
There is a default user group admin. It has all the permissions required to use all cloud services and resources. IAM users in this group can perform operations on all resources, including but not limited to creating user groups and users, assigning permissions, and managing resources.
Trust Agency
A trust agency is an IAM identity with specific permissions that you can create in your account. Like IAM users, trust agencies can be bound to identity policies. Identity policies determine what an identity can and cannot do on Huawei Cloud. However, a trust agency is not attached to only one user. Instead, it can be used by anyone who needs it. Unlike IAM users, trust agencies do not have long-term credentials (such as passwords or permanent access keys) associated with them. When you switch to a trust agency, the trust agency provides temporary security credentials for your assumed-trust agency session. A trust relationship can be established between your account and another account or a cloud service.
- Account delegation: You can delegate a third-party account to implement O&M on your resources based on assigned permissions.
- Cloud service delegation: You can create a trust agency to delegate a cloud service to perform O&M on your resources.
Among them, a special type of cloud service trust agency is called a service-linked agency, which is created by the cloud service on your behalf. You can manage the permissions of a cloud service trust agency, but not a service-linked agency. Service-linked agencies are managed by cloud services. For more information, see Trust Agencies Overview.
On the Agencies page of the new IAM console, both agencies and trust agencies are displayed. For details about the differences between them, see the Trust Policy section. In the new IAM documentation, there are agencies and trust agencies. Both allow you to delegate resource management to others. In IAM documentation, we use the word "agencies" to refer to the non-trust agencies in IAM.
IAM Identity
IAM identities are IAM resources that you can attach identity policies to. They include IAM users, user groups, agencies, and trust agencies.
IAM Principal
A principal is an entity that can request operations on resources. It includes IAM users, agencies, and trust agencies. A principal must be authenticated when accessing APIs. A principal is also a resource, so the principal URN must comply with the resource URN format.
Identity Policy
- System-defined identity policies define the common actions on cloud services. These policies cannot be modified and can only be used to assign permissions to user groups. If you cannot find system-defined identity policies for a specific cloud service in IAM when you are trying to assign permissions to users, user groups, or trust agencies, it means the cloud service does not support IAM so far. In this case, you can submit a service ticket to request the identity policies to be predefined in IAM.
- You can also create custom identity policies using the actions supported by cloud services and attach the policies to users, user groups, agencies, and trust agencies. You can create custom identity policies in the visual editor or in JSON view.
Figure 3 shows the structure of an identity policy. An identity policy consists of a version and one or more statements (used for different permissions control). The version of an identity policy is 5.0. In a statement, Sid indicates the statement ID, and Effect can be Allow or Deny, which respectively indicate that the action is allowed or denied. The Action/NotAction is in the format of {service name}:{resource type}:{action name}. A resource URN is in the format of {service name}:{region id}:{account id}:{resource type}:{resource name}. Condition supports six types of condition operators: String, Number, Date, Bool, IP Address, and Null. Identity policies also provide more than 40 global condition keys for more flexible and secure access control. For details about the elements in an identity policy, see JSON Element Reference.
The following example describes the structure of an identity policy.
{
"Version": "5.0",
"Statement": [{
"Effect": "Deny",
"Action": [
"kms:cmk:decryptData"
],
"Resource": [
"*"
],
"Condition": {
"StringNotEquals": {
"g:ResourceAccount": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
}]
}
This example identity policy ensures that users can use the KMS keys of only the specified users to decrypt data. For details about identity policies, see Syntax of an Identity Policy. For more examples, see Example Custom Identity Policies. IAM identity policies define more standard and fine-grained actions and support more global condition keys, while policies only support eight global condition keys. If you need to use policy-based authorization, see Permissions Management.
Authorization
Authorization is the process of granting permissions to IAM identities (users, user groups, agencies, and trust agencies) so that the principals (users, agencies, and trust agencies) can access resources on Huawei Cloud. Authorization defines the relationship between IAM identities and permissions. When authorizing IAM identities, the security administrator can directly attach system-defined or custom identity policies to users, user groups, agencies, and trust agencies. Different from the role/policy-based authorization model, there is no need to specify the authorization scope. You can directly attach identity policies to IAM identities.
{
"Version": "5.0",
"Statement": [{
"Effect": "Allow",
"Action": ["ecs:*:*"],
"Resource": ["*"],
"Condition": {
"StringEquals": {
"g:RequestedRegion": "cn-north-4"
}
}
}]
}
If you want to control the authorization scope as you do with identity policy-based authorization, you can use the g:RequestedRegion condition key. For example, if the preceding identity policy is directly attached to IAM users, IAM users are only allowed to access ECS resources in the cn-north-4 region. If you need to use role/policy-based authorization, see Permissions Management. Due to compatibility issues, system-defined and custom identity policies can be attached to agencies on the new IAM console, but system-defined roles and policies as well as custom policies cannot be attached to trust agencies on the old IAM console. You are advised not to use the agencies and identity policies together or trust agencies and roles/policies together.
Credentials
Credentials confirm the principal of a user when the user accesses Huawei Cloud through the console or APIs. Credentials include passwords, access keys, and temporary security credentials. You can manage the credentials of principals (IAM users, agencies, and trust agencies) in IAM.
|
Credentials |
Principal |
Security |
Reference |
|---|---|---|---|
|
Username and password |
IAM user |
You can configure the character type and minimum length of a user password as required. You can also configure the password validity period policy and minimum password validity period policy. |
|
|
Access key |
IAM user |
Huawei Cloud uses AK together with SK to sign requests cryptographically, ensuring that the requests are secret, complete, and correct. |
|
|
Temporary security credential |
Agency or trust agency |
In addition to the access key feature, a temporary access key has a validity period that can be customized. If the validity period expires, the temporary access key becomes invalid and you have to obtain a new one. |
MFA
Multi-factor authentication (MFA) adds an extra layer of protection on top of your username and password. After MFA authentication is enabled, you need to enter verification codes after your username and password are authenticated. MFA devices, together with your username and password, ensure the security of your account and resources.
URN
A uniform resource name (URN) that is used to uniquely identify a cloud service resource.
A URN is in the following format: <service-name>:<region>:<account-id>:<type-name>:<resource-path>
- service-name: the abbreviation of a cloud service name, for example, ecs.
- region: the region where the resource is located, for example, cn-north-1. If the resource is a global service resource, leave this field blank or use an asterisk (*) to replace it.
- account-id: the ID of the account. The value system indicates public system resources, such as system-defined identity policies.
- type-name: the resource type that supported by the target cloud service. For details, see the resource type description of each service in Identity Policy–based Authorization.
- resource-path: the resource path. For details, see the resource type description of each service in Identity Policy–based Authorization.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
