Updated on 2025-07-21 GMT+08:00

Notes and Constraints

This section describes notes and constraints on using IAM.

Quotas

You can log in to the console and view your default quotas by referring to How Do I View My Quotas? You can submit a service ticket to increase your quotas if needed.

Table 1 Quotas

| Category | Item | Quota | Adjustable |
|---|---|---|---|
| User | IAM users | 50 | Yes |
| User | Characters allowed in a username | 64 | No |
| User | Groups that a user can be added to | 10 | No |
| User | AK/SK pairs that a user can create | 2 | No |
| User | Virtual MFA devices that can be associated with a user | 1 | No |
| User | Permissions (including system-defined permissions and custom policies) that can be assigned to a user for enterprise projects | 500 | Yes |
| User group | User groups | 20 | Yes |
| User group | Characters allowed in a user group name | 128 | No |
| User group | Users that can be added to a user group | IAM users in an account | No |
| User group | Permissions (including system-defined permissions and custom policies) that can be assigned to a user group for IAM projects | 200 | Yes |
| User group | Permissions (including system-defined permissions and custom policies) that can be assigned to a user group for enterprise projects | 500 | Yes |
| Project | Subprojects in each region | 10 | Yes |
| Policy | Characters allowed in a policy name | 128 | No |
| Custom policy | Custom policies | 200 | Yes |
| Custom policy | Characters per policy | 6,144 | No |
| Custom policy | Statements per policy | Unlimited | No |
| Custom policy | Actions per statement | Unlimited | No |
| Custom policy | Resources per statement | Unlimited | No |
| Custom policy | Conditions per statement | Unlimited | No |
| Agency | Agencies | 50 | Yes |
| Agency | Characters allowed in an agency name | 64 | No |
| Agency | Permissions (including system-defined permissions and custom policies) that can be assigned to an agency | 200 | Yes |
| Identity provider | Identity providers | 10 | Yes |
| Identity provider | Characters allowed in an identity provider name | 64 | No |
| Identity provider | Mapping rules of all identity providers in an account | 10 | Yes |
| Identity provider | User groups associated with a federated virtual user | 100 | No |
| Identity provider | Characters allowed in a federated virtual user name | 255 | No |

For every quota marked "Yes" under Adjustable, submit a service ticket to request a quota increase.

Naming Rules

Table 2 Naming rules

| Item | Maximum length | Allowed characters |
|---|---|---|
| Username | 64 | Letters (case-sensitive), digits, spaces, hyphens (-), underscores (_), and periods (.). A username cannot start with a digit or a space. |
| User group name | 128 | Letters (case-sensitive), digits, spaces, hyphens (-), and underscores (_). |
| Name of a custom policy | 128 | Letters (case-sensitive), digits, spaces, and the special characters - _ . , |
| Project name | 53 | Letters (case-sensitive), digits, hyphens (-), and underscores (_). |
| Agency name | 64 | No character restriction is stated; only the length limit applies. |
| Identity provider name | 64 | Letters (case-sensitive), digits, hyphens (-), and underscores (_). |

Operation Constraints

Table 3 Operation constraints

Creating IAM users

  IAM users that can be created at a time
    • A maximum of 10 users can be created at a time.

  IAM username
    • A new username must be different from all existing IAM usernames.

  Mobile number and email address
    • A mobile number or an email address can be bound to only one account or IAM user.

  IAM user password
    • An IAM user password cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A, or 54321a.

Creating custom policies

  Policy content
    • Actions, condition keys, and resource types are all case-insensitive.
    • If a custom policy contains actions of multiple services, all of them must be global services or all of them must be project-level services. If you need permissions for both global and project-level services, create two custom policies.

Creating agencies

  Delegated account
    • The delegated account can only be an account, not an IAM user or a federated user.

Configuring security settings

  Critical operations
    • An IAM user or account can bind only one device for 2-step verification, which can be a mobile number, an email address, or a virtual MFA device.
    • Before binding a virtual MFA device, ensure that you have installed an MFA application on your device.
    • Login protection applies only to console access for IAM users. It is not applied to programmatic access.
    • If your Huawei Cloud account has been upgraded to a HUAWEI ID, login protection cannot be enabled in security settings. To enable login protection, go to Huawei account center, choose Account & security, locate Two-step verification in the Security verification area, and click ENABLE.
    • The verification is valid for 15 minutes; you do not need to be verified again when performing critical operations within the validity period.

  Login authentication policy
    • The account lockout policy applies to both Huawei Cloud accounts and IAM users.
    • Once locked, accounts or IAM users cannot unlock themselves. The next login is available only after the lock time expires.
    • The account disabling policy applies only to IAM users. It is not applied to accounts.
    • The USB key certificate expiration policy applies to both accounts and IAM users.

  Password policy
    • If your Huawei Cloud account has been upgraded to a HUAWEI ID, the password policy is not applied to your account (HUAWEI ID).
    • Only the administrator can configure the password policy. IAM users can only view the policy settings and cannot modify them. If an IAM user needs to modify the settings, the user can ask the administrator to do so or to grant the required permissions.
    • The password composition & reuse policy applies to both Huawei Cloud accounts and IAM users.
    • The password expiration policy is disabled by default.
    • After the password expires, the newly set password must be different from the old password.
    • The minimum password age policy is disabled by default. It applies to both accounts and IAM users.

  ACL
    • A maximum of 200 access control entries can be added.
    • If an IAM user or a federated user accesses Huawei Cloud through a proxy server, set the allowed IP addresses, address ranges, or CIDR blocks based on the proxy IP address. If an IAM user or a federated user accesses Huawei Cloud through a public network, set them based on the public IP address.
    • Only IPv4 addresses are supported.
    • Console access (recommended): The ACL policy applies only to console access for IAM users and federated users (SP-initiated). It is not applied to accounts.
    • API access: The ACL policy applies only to API access through API gateways for IAM users and federated users. Modifications to the settings take effect two hours later.
    • If IP Address Ranges, CIDR Blocks, and VPC Endpoints are all set, access from any of them is allowed.

Creating projects
    • If Enterprise Project is enabled, IAM projects cannot be created.
    • Resources cannot be transferred across IAM projects.

Deleting projects
    • Preset projects cannot be deleted.
    • Before deleting a project, submit a service ticket for technical consultation.

Accessing Huawei Cloud as a federated user

  Federated user login modes
    IAM supports two types of identity federation:
    • Web SSO: Browsers are used as the communication media. This authentication type enables common users to access Huawei Cloud using browsers.
    • API calling: Development tools (such as OpenStackClient and Shibboleth ECP Client) are used as the communication media. This authentication type enables enterprise users and common users to access Huawei Cloud by calling APIs.

  Critical operation protection
    • Federated users do not need to perform 2-step verification when performing critical operations, even if login protection or operation protection is enabled.

  Permanent access key (AK/SK)
    • Federated users cannot create access keys with unlimited validity, but they can obtain temporary access credentials (access keys and security tokens) using user or agency tokens. For details, see Obtaining Temporary Access Keys and Security Tokens of an IAM User.
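An added illustration, not code from the Huawei Cloud documentation, of two checks from Table 3: the password-versus-username rule under "Creating IAM users", and an ACL entry validator that enforces the IPv4-only rule and the 200-entry limit and then tests whether a given source address (for users behind a proxy, the proxy's egress address) would be allowed. The "start-end" range syntax and all function names are my assumptions; the console's own entry format is not specified on this page.

```python
import ipaddress

MAX_ACL_ENTRIES = 200  # Table 3, "ACL": at most 200 access control entries

def password_conflicts_with_username(username: str, password: str) -> bool:
    """True if the password is the username or the username spelled backwards,
    compared case-insensitively (the A12345 / 54321a example in Table 3)."""
    u = username.casefold()
    return password.casefold() in (u, u[::-1])

def parse_acl_entry(entry: str):
    """One IPv4 address, 'start-end' range (assumed syntax) or CIDR block; IPv6 raises."""
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4:
            raise ValueError(f"only IPv4 is supported: {entry}")
        return ("cidr", net)
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != 4 or hi.version != 4 or lo > hi:
            raise ValueError(f"invalid IPv4 range: {entry}")
        return ("range", (lo, hi))
    addr = ipaddress.ip_address(entry)
    if addr.version != 4:
        raise ValueError(f"only IPv4 is supported: {entry}")
    return ("address", addr)

def validate_acl(entries):
    """Split entries into (accepted, rejected); rejected holds (entry, reason) pairs."""
    accepted, rejected = [], []
    for i, raw in enumerate(entries):
        if i >= MAX_ACL_ENTRIES:
            rejected.append((raw, "exceeds 200-entry limit"))
            continue
        try:
            accepted.append(parse_acl_entry(raw))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return accepted, rejected

def acl_allows(entries, source_ip: str) -> bool:
    """Would a login from source_ip pass? For users behind a proxy, test with
    the proxy's egress address, as Table 3 says the ACL must be based on it."""
    ip = ipaddress.ip_address(source_ip)
    if ip.version != 4:
        return False  # IPv4-only ACL: IPv6 clients never match an entry
    accepted, _ = validate_acl(entries)
    return any((k == "cidr" and ip in v) or (k == "range" and v[0] <= ip <= v[1])
               or (k == "address" and ip == v) for k, v in accepted)
```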