Functions
IAM provides a variety of functions for you to secure access to your resources.
Refined Permissions Management
IAM User Management
You can use your account to create IAM users and assign permissions for specific resources. Each IAM user has their own identity credentials (password and access keys) and uses cloud resources based on the assigned permissions. IAM users do not own resources.
User Group Management
An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users. This makes it easier to manage the permissions for those users. IAM users added to a user group automatically inherit the permissions from the group. If a user is added to multiple user groups, the user inherits the permissions from all these groups. To change the permissions of a user, you can remove the user from the original groups or add the user to other groups.
There is a default user group admin. It has all the permissions required to use all of the cloud resources. IAM users in this group can perform operations on all resources, including but not limited to creating user groups and users, assigning permissions, and managing resources.
Custom Policies
You can create custom policies to supplement system-defined policies and implement more refined access control. Specifically, you can allow or deny a user's operations on a resource type under certain conditions.
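As an added illustration (not code from Huawei Cloud or from this page), the following Python models how the rules above combine when a user belongs to several groups: an applicable Deny wins over any Allow, a conditional Allow only counts when its condition holds, and a request that no statement permits is denied. The policy layout follows the custom policy JSON format (Version 1.1, Statement with Effect/Action/Condition); the action names, the g:MFAPresent condition key, and all users and groups are constructed sample data.

```python
import fnmatch

# Constructed sample data. Policy documents follow the custom policy JSON layout;
# the action names and the g:MFAPresent condition key are assumed for illustration.
POLICIES = {
    "ECSReadOnly": {"Version": "1.1", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*:get*", "ecs:*:list*"]}]},
    "ECSOperator": {"Version": "1.1", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:cloudServers:start",
                                       "ecs:cloudServers:stop"]},
        # Critical operation: allowed only when the caller has passed MFA.
        {"Effect": "Allow", "Action": ["ecs:cloudServers:delete"],
         "Condition": {"Bool": {"g:MFAPresent": "true"}}}]},
    "NoDelete": {"Version": "1.1", "Statement": [
        {"Effect": "Deny", "Action": ["ecs:cloudServers:delete"]}]},
}
GROUPS = {"viewers": ["ECSReadOnly"], "ops": ["ECSOperator"],
          "frozen": ["NoDelete"]}                 # group -> attached policies
USER_GROUPS = {"bob": ["viewers"], "alice": ["viewers", "ops"],
               "carol": ["ops", "frozen"]}        # user -> group memberships


def condition_met(cond, ctx):
    """All operator/key pairs must hold; a key missing from ctx never matches."""
    for operator, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if operator == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def evaluate(user, action, ctx=None):
    """Decision across all of the user's groups: applicable Deny wins, then Allow."""
    ctx = ctx or {}
    allowed = False
    for group in USER_GROUPS.get(user, []):
        for policy in GROUPS.get(group, []):
            for st in POLICIES[policy]["Statement"]:
                if not any(fnmatch.fnmatchcase(action, p) for p in st["Action"]):
                    continue
                if not condition_met(st.get("Condition", {}), ctx):
                    continue
                if st["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"   # nothing applicable: implicit deny
```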
Project Management
A region corresponds to a project. Default projects are defined to group and physically isolate compute, storage, and network resources across regions. You can grant users permissions in a default project to access all resources in the region associated with the project. If you need more refined access control, you can create subprojects under a default project and purchase resources in subprojects. Then you can assign required permissions for users to access only resources in specific subprojects.
Agency Management
IAM enables you to delegate resource access to another account or a specific cloud service.
- Account agency: You can delegate another account to implement O&M on your resources based on assigned permissions. The following is an example to show how to delegate resource access to another account. In this example, account A is the delegating party and account B is the delegated party.
Figure 5 (Account A) Creating an agency
- Cloud service agency: Huawei Cloud services interwork with each other, and some cloud services are dependent on other services. You can create an agency to delegate a cloud service to access other services and implement O&M. The following takes a Graph Engine Service (GES) agency as an example. The agency allows GES to use other cloud services, for example, to bind your EIP to the primary load balancer if a failover occurs.
Figure 6 Cloud service agency
Account Security Settings
Login authentication, password policies, and access control lists (ACLs) improve the security of user information and system data.
Multi-Factor Authentication
Multi-factor authentication (MFA) is a popular method that adds an additional layer of authentication on top of the username and password. If MFA is enabled, you need to enter the username and password (first factor) as well as a verification code (second factor) when performing certain operations. These factors together keep your account and resources secure.
MFA can also be enabled to verify a user's identity before the user is allowed to perform critical operations. When a user attempts to perform a critical operation, the user needs to enter a verification code to proceed.
Federated Identity Authentication
Huawei Cloud provides identity federation based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise management system to access Huawei Cloud through single sign-on (SSO).
Audit
Cloud Trace Service (CTS) records operations performed on cloud resources in your account. The operation logs can be used to perform security analysis, track resource changes, perform compliance audits, and locate faults.
It is recommended that the administrator enable CTS to record key IAM operations, such as creating and deleting users.
Best Practices for Using IAM
To establish secure access to your Huawei Cloud resources, follow the best practices for the IAM service. For details, see Best Practices for Using IAM.
APIs
IAM provides Representational State Transfer (REST) APIs, which you can call using HTTPS requests. For details, see Making an API Request.
SDKs
IAM provides a user management mechanism that is suitable for enterprises, and enables you to assign permissions for different resources and operations to enterprise members. With the SDKs, you can easily call IAM APIs to create upper-layer applications on Huawei Cloud. Currently, Java, Python, .NET, and Go SDKs are available.
Secure Access
Instead of sharing your password with others, you can create IAM users for employees or applications in your organization. Then, you generate identity credentials for them to securely access specific resources based on assigned permissions.
Eventual Consistency
IAM may not apply your operations immediately, such as creating users and user groups and assigning permissions. It takes time to replicate data across different servers in Huawei Cloud's data centers around the world. Do not perform any other operations until IAM has applied the operations you just made.