How IAM Works
IAM provides the infrastructure for authentication and authorization of your account.
When a user logs in to the console or uses an application to call an API, IAM matches the credentials to an IAM principal (such as an IAM user or a trust agency), authenticates that principal, and then checks whether it is permitted to access Huawei Cloud. IAM allows or denies access in response to each request. For example, when you first log in to Huawei Cloud and open the console home page, you are not yet accessing any cloud service. When you select a cloud service, an authorization request for that service is sent to IAM. IAM verifies that your identity is on the list of authorized users, evaluates any policies in effect, and returns the final decision. Once authorized, you can perform operations in your account, such as creating ECS instances, creating IAM users, and deleting OBS buckets. The following figure shows the IAM authentication and authorization process:
Identity Authentication
When a principal logs in to Huawei Cloud using credentials, IAM authenticates the principal before allowing it to send requests to Huawei Cloud. Every type of user must be authenticated:
- Root user: Your authentication credentials are the HUAWEI ID/Huawei Cloud account name and password you specified.
- IAM user: Your authentication credentials are your account name, IAM username, and password.
- Federated user: Your identity provider authenticates you and passes your credentials to Huawei Cloud. You do not need to log in to Huawei Cloud. Both IAM Identity Center (external identity source) and the old IAM console support identity federation.
- IAM Identity Center user (local identity source): Users created in IAM Identity Center log in through the IAM Identity Center user portal and provide their username and password.
You are advised to enable MFA for all users to enhance account security. For more information about MFA, see Multi-Factor Authentication.
Components of a Request
When a principal tries to access the Huawei Cloud console, API, or CLI, the principal sends a request to Huawei Cloud. The request contains the following information:
- Action: the action that the principal wants to perform
- Resource: the Huawei Cloud resource upon which the principal requests to perform an operation
- Principal: the entity (such as an IAM user, a trust agency, or an application) that sends the request
- Environment data: information about the IP address, time, and user agent in the request
- Resource data: data related to the requested resource, such as the tags of an IAM user or trust agency
Huawei Cloud collects this request information into the request context. IAM evaluates the request context to authorize the request.
Authorization and Permission Policy Basics
Authorization determines whether a principal has the permissions required to complete its request. During authorization, IAM uses the values in the request context to decide whether to allow or deny the request. Several types of policies can affect this decision. You can use an IAM identity policy to grant your IAM users permissions to access Huawei Cloud resources in your account. You can use a resource-based policy to grant permissions across accounts. For cross-account access, the resource-based policy in the other account must allow you to access its resources, and the IAM principal that you use to make the request must be allowed by the identity policy.
IAM checks each policy that applies to the request context. Evaluation is deny-first: if any applicable policy explicitly denies the requested action, IAM denies the entire request and stops evaluating. If no policy explicitly allows the request, it is denied by default. An applicable policy must allow every part of your request for IAM to authorize it. The evaluation logic for a request within a single account follows these basic rules:
- By default, all requests are denied. (Generally, requests made using the account root user to access resources in the account are always allowed.)
- An explicit allow in any policy (identity-based or resource-based) overrides this default.
- A service control policy (SCP) or a session policy can override that allow. If one or more of these policy types exists, each of them must also allow the request; otherwise, the request is implicitly denied. For more information about SCPs, see SCP Introduction in the Organizations User Guide.
- An explicit deny in any policy overrides any allows in any policy.
For more information, see Request Context.
After authentication, IAM determines whether to allow the request based on the policies attached to the IAM identity. Each Huawei Cloud service defines the actions it supports and the operations that can be performed on its resources, such as creating, viewing, editing, and deleting resources. For example, IAM defines dozens of actions for user resources, including the following basic actions:
- Action for creating a user: iam:users:createUserV5
- Action for viewing a user: iam:users:getUserV5
- Action for editing a user: iam:users:updateUserV5
- Action for deleting a user: iam:users:deleteUserV5
In addition, you can specify conditions in your policy so that access is allowed only when the request meets those conditions. For example, you might want a policy statement to take effect only after a specific date, or to control access based on a specific value that appears in an API request. For details, see Global Condition Keys.
After IAM allows a request, the principal can use resources in your account. Resources are objects in Huawei Cloud services, such as ECS instances, IAM users, and OBS buckets. If the principal requests an action on a resource that is not covered by the policy, the service denies the request. For example, if you have permission to create IAM users but request to create IAM user groups, the request fails because you do not have permission to create IAM user groups. For details about the actions, resources, and condition keys supported by each service, see Identity Policy–based Authorization.
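As an added example that is not part of this documentation or Huawei Cloud's own implementation, the following Python evaluator applies the four single-account rules above (default deny, explicit allow, SCP must also allow, explicit deny wins) to constructed identity and SCP policies built from the iam:users:* actions listed, including a date condition on one statement. The policy document shape, the DateGreaterThan operator and the CurrentTime condition key are assumptions, not Huawei Cloud's real policy syntax.

```python
from datetime import datetime
from fnmatch import fnmatchcase
# Constructed policies, not real Huawei Cloud policy documents. The statement shape,
# the "DateGreaterThan" operator and the "CurrentTime" condition key are assumptions.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": ["*"], "Action": [
        "iam:users:createUserV5", "iam:users:updateUserV5", "iam:users:deleteUserV5"]},
    {"Effect": "Allow", "Resource": ["*"], "Action": ["iam:users:getUserV5"],
     "Condition": {"DateGreaterThan": {"CurrentTime": "2025-01-01T00:00:00+00:00"}}},
    {"Effect": "Deny", "Resource": ["*"], "Action": ["iam:users:deleteUserV5"]},
]}
SCP = {"Statement": [{"Effect": "Allow", "Resource": ["*"], "Action": [
    "iam:users:createUserV5", "iam:users:getUserV5", "iam:users:deleteUserV5"]}]}

def _applies(stmt, action, resource, ctx):
    """A statement applies when action and resource match and its condition holds."""
    if not any(fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    if not any(fnmatchcase(resource, r) for r in stmt.get("Resource", ["*"])):
        return False
    after = stmt.get("Condition", {}).get("DateGreaterThan", {}).get("CurrentTime")
    return after is None or ctx["time"] > datetime.fromisoformat(after)

def _verdict(statements, action, resource, ctx):
    """One policy's verdict: 'Deny', 'Allow', or None when no statement applies."""
    effects = {s["Effect"] for s in statements if _applies(s, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def evaluate(identity_policies, scps, action, resource, ctx):
    """Single-account decision following the four rules on this page."""
    ident = _verdict([s for p in identity_policies for s in p["Statement"]], action, resource, ctx)
    scp_verdicts = [_verdict(p["Statement"], action, resource, ctx) for p in scps]
    if ident == "Deny" or "Deny" in scp_verdicts:
        return "Deny"      # rule 4: an explicit deny anywhere overrides every allow
    if ident != "Allow":
        return "Deny"      # rule 1: nothing allowed it, so the default deny stands
    if any(v != "Allow" for v in scp_verdicts):
        return "Deny"      # rule 3: an SCP exists but does not allow it (implicit deny)
    return "Allow"         # rule 2: an explicit allow that nothing overrides

def check(action, when="2025-06-01T00:00:00+00:00"):
    """Evaluate one action against the constructed policies at a given request time."""
    return evaluate([IDENTITY_POLICY], [SCP], action, "*", {"time": datetime.fromisoformat(when)})

if __name__ == "__main__":
    for act in ("createUserV5", "getUserV5", "updateUserV5", "deleteUserV5"):
        print(f"iam:users:{act}: {check('iam:users:' + act)}")
    print("getUserV5 before 2025-01-01:", check("iam:users:getUserV5", "2024-06-01T00:00:00+00:00"))
```

Note that updateUserV5 is denied only because an SCP is present that does not list it; with no SCP at all, the identity policy's allow stands.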