How Do I Log In to COC as a Non-Common IAM User? You can log in to COC as a common IAM user, IAM federated user (including IAM user in SSO mode and virtual user in SSO mode), and IAM Identity Center user.
Granting COC Permissions Based on Roles This section describes how to use IAM to implement fine-grained permissions control for your COC resources. With IAM, you can: Create IAM users for employees based on your enterprise's organizational structure.
Granting COC Permissions Based on Policies To manage permissions on COC, access IAM to: Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing COC resources.
For example, to obtain an IAM token in the CN-Hong Kong region, obtain the endpoint of IAM (iam.ap-southeast-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
IAM provides identity authentication, permissions management, and access control, helping you to securely access your Huawei Cloud resources. If your HUAWEI ID does not require IAM for permissions management, you can skip this section. IAM can be used on Huawei Cloud for free.
IAM or enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects, enterprise projects, or both.
Table 1 User types and their sources on the O&M Engineer Management page
User Type: User Data Source
Common IAM user: synchronized from IAM
IAM federated user (IAM user SSO): synchronized from IAM
IAM federated user (virtual user SSO): manually added on the O&M engineer page
IAM Identity
and custom identity policies: "iam:policies:createV5", "iam:policies:listV5", "iam:groups:attachPolicyV5", "iam:groups:detachPolicyV5", "iam:policies:deleteV5", "iam:policies:listVersionsV5", "iam:policies:createVersionV5", "iam:policies:deleteVersionV5" Precautions By default,
Figure 1 Enabling COC and obtaining required permissions
Table 1 Permissions in ServiceAgencyForCOC
Permission: IAM ReadOnlyAccess; Description: read-only permissions for IAM; Project [Region]: Global service [Global]; Application Scenario: used to read personnel information under an IAM
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management.
User: An IAM user is created by an account in IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
Currently, COC supports IAM login, IAM federated user login (including IAM user SSO and virtual user SSO), and login via IAM Identity Center. Login via IAM agencies is not supported.
"password": "********", // IAM user password
"domain": {
"name": "domainname" // Name of the account to which the IAM user belongs
}
}
}
},
"scope": {
For details, see IAM User Authorization. Select an authorization scope scheme and specify enterprise project resources. Wait until the authorization is complete. Figure 4 Successful authorization
Access Control You can use IAM to securely control access to your COC resources. For more information about IAM and COC permissions management, see Permissions Management.
FAQs About Basic Configurations How Do I Log In to COC as a Non-Common IAM User?
The API used to obtain a project ID is GET https://{Endpoint}/v3/projects, where {Endpoint} indicates the IAM endpoint. You can obtain the IAM endpoint from Regions and Endpoints. For details about API authentication, see Authentication. The following is an example response.
Creating a policy: Access the IAM console and create a policy on the Policies page.
If you go to the Secure Score area on the Overview page by creating an IAM 3.0 delegation and switching roles, and the policy's authorization scope is set to global service resources, you must also grant the delegation the SecMaster ReadOnlyAccess (All resources) authorization.
Figure 12 Creating an Identity Policy for a Tenant Agency
In the navigation pane of the new IAM console, choose Agencies.
Agency: name of the agency in IAM.
Project ID: ID of the project to which the target object belongs.
Location concurrency: This parameter is optional.