Updated on 2023-11-23 GMT+08:00

Before You Start

Intended Audience

The Identity and Access Management (IAM) service is intended for administrators, including:

  • Account administrator (with full permissions for all services, including IAM)
  • IAM users added to the admin group (with full permissions for all services, including IAM)
  • IAM users assigned the Security Administrator role (with permissions to access IAM)

If you want to view, audit, and track the records of key operations performed on IAM, enable Cloud Trace Service (CTS). For details, see Enabling CTS.

Accessing the IAM Console

  1. Log in to Huawei Cloud and click Console in the upper right corner.

    Figure 1 Accessing the console

  2. On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.

Account

An account is created after you successfully register with Huawei Cloud. Your account has full access permissions for your resources and makes payments for the use of these resources. You cannot modify or delete your account in IAM, but you can do so in My Account.

After you log in to your account, you will see a user marked Enterprise administrator on the Users page of the IAM console.

Figure 2 IAM user corresponding to the account

IAM User

As the administrator, you can create users in IAM and assign them permissions for specific resources. As shown in the following figure, James is an IAM user created by the administrator. IAM users log in to Huawei Cloud with the account name, their own username, and their password, and then use resources according to the permissions assigned to them. IAM users do not own resources and cannot make payments; the account pays for the resources they use.

Figure 3 IAM user created by the administrator

Relationship Between an Account and Its IAM Users

An account and its IAM users share a parent-child relationship. The account owns the resources and makes payments for the resources used by IAM users. It has full permissions for these resources.

IAM users are created by the account administrator, and only have the permissions granted by the administrator. The administrator can modify or revoke the IAM users' permissions at any time. Fees generated by IAM users' use of resources are paid by the account.

Figure 4 Relationship between an account and its IAM users

User Group

You can use user groups to assign permissions to IAM users. After an IAM user is added to a user group, the user has the permissions of the group and can perform the operations on cloud services that those permissions allow. If a user is added to multiple user groups, the user inherits the permissions of all these groups combined; an operation is permitted if any one of the groups grants it.

The default user group admin has all permissions required to use all cloud resources. Users in this group can perform operations on all resources, including but not limited to creating user groups and users, modifying permissions, and managing resources. Because a member of this group can grant any permission to any user (including themselves), keep its membership as small as possible and audit changes to it with CTS.

Figure 5 User group

Permission

IAM provides common permissions for different services, such as administrator and read-only permissions. New IAM users have no permissions by default. The administrator must add them to one or more groups and attach permission policies or roles to these groups so that the IAM users inherit permissions from the groups. An IAM user cannot grant permissions to itself unless it has already been given permission to manage IAM (for example, through the Security Administrator role or membership in the admin group), which is why such grants should be reserved for administrators. Once permissions are inherited, the IAM users can perform the corresponding operations on cloud services.

  • Roles: a coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. Only a limited number of roles are available, and some roles depend on other roles, which you must assign as well. Roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: a fine-grained authorization mechanism that defines the permissions required to perform specific operations on specific cloud resources under specified conditions. Policies allow flexible authorization on a principle of least privilege (PoLP) basis. For example, you can grant Elastic Cloud Server (ECS) users only the permissions required to manage a certain type of ECS resource, rather than all ECS permissions.
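The following is an added example, not code from Huawei Cloud or this documentation. It is a simplified model of how the permissions of several user groups combine for one IAM user (the User Group section above) and how a fine-grained policy restricts what that user may do (the Policies item above). The policy documents follow the Version 1.1 Statement/Effect/Action/Resource layout of Huawei Cloud fine-grained policies; the exact action and resource strings, the user, group and policy names, and the evaluation rule (default deny, any matching Allow grants, an explicit Deny always wins) are assumptions of this model, not a description of the service's real authorization engine.

```python
"""Simplified model of IAM user-group permission evaluation (added example).

Assumptions: policy documents use the Version 1.1 Statement layout; an
operation is denied by default, allowed if any statement from any of the
user's groups allows it, and denied if any statement explicitly denies it.
All names and identifiers below are constructed for illustration.
"""
import fnmatch

# Constructed fine-grained policy documents (hypothetical names).
POLICIES = {
    "ECSReadOnly": {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ecs:cloudServers:list", "ecs:cloudServers:get"],
                "Resource": ["ecs:*:*:instance:*"],
            }
        ],
    },
    "ECSOperator": {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ecs:cloudServers:*"],
                "Resource": ["ecs:*:*:instance:*"],
            },
            {
                # Explicit Deny: nobody in this group may delete a prod-* server.
                "Effect": "Deny",
                "Action": ["ecs:cloudServers:delete"],
                "Resource": ["ecs:*:*:instance:prod-*"],
            },
        ],
    },
    "OBSReadOnly": {
        "Version": "1.1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["obs:bucket:ListAllMyBuckets", "obs:object:GetObject"],
                "Resource": ["obs:*:*:bucket:*", "obs:*:*:object:*/*"],
            }
        ],
    },
}

# Constructed group -> policy and user -> group assignments (hypothetical).
GROUP_POLICIES = {
    "ecs-viewers": ["ECSReadOnly"],
    "ecs-operators": ["ECSOperator"],
    "obs-readers": ["OBSReadOnly"],
}
USER_GROUPS = {
    "James": ["ecs-viewers"],                                   # ECS read-only
    "Amy": ["ecs-viewers", "ecs-operators", "obs-readers"],     # several groups
    "NewUser": [],                                              # no groups yet
}


def _matches(patterns, value):
    """True if value matches any glob-style pattern (e.g. 'ecs:cloudServers:*')."""
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in patterns)


def effective_statements(user):
    """All statements the user inherits from every group it belongs to."""
    statements = []
    for group in USER_GROUPS.get(user, []):
        for policy_name in GROUP_POLICIES.get(group, []):
            statements.extend(POLICIES[policy_name]["Statement"])
    return statements


def is_allowed(user, action, resource):
    """Default deny; any matching Allow grants; any matching Deny overrides."""
    allowed = False
    for statement in effective_statements(user):
        if _matches(statement["Action"], action) and _matches(
            statement.get("Resource", ["*"]), resource
        ):
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def explain(user, action, resource):
    """Human-readable verdict, mirroring the 'no permissions' console message."""
    verdict = "allowed" if is_allowed(user, action, resource) else "denied (no permissions)"
    return f"{user}: {action} on {resource} -> {verdict}"


if __name__ == "__main__":
    dev = "ecs:cn-north-4:0a1b2c3d:instance:dev-web01"
    prod = "ecs:cn-north-4:0a1b2c3d:instance:prod-web01"
    obj = "obs:cn-north-4:0a1b2c3d:object:logs/app.log"
    print(explain("James", "ecs:cloudServers:list", dev))
    print(explain("James", "obs:object:GetObject", obj))
    print(explain("Amy", "obs:object:GetObject", obj))
    print(explain("Amy", "ecs:cloudServers:delete", dev))
    print(explain("Amy", "ecs:cloudServers:delete", prod))
    print(explain("NewUser", "ecs:cloudServers:list", dev))
```

Running the block shows the three behaviours the text describes: James, who is only in an ECS read-only group, is denied on OBS; Amy, who is in three groups, inherits the union of their permissions; and the explicit Deny in ECSOperator stops Amy from deleting a prod-* server even though the same policy allows every other ECS operation. The deny statement is the least-privilege lever a role cannot give you, because a role grants the whole service at once.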

When an IAM user who has been granted only ECS permissions tries to access another service, a message similar to the following is displayed.

Figure 6 No permissions