When there are both IAM projects and enterprise projects, IAM preferentially matches the IAM project policies.
This error message indicates that the IAM user does not have programmatic access permissions.
Solution
Contact the account administrator and log in to the IAM console. Locate the IAM user to be modified and click the username.
Table 1 IAM and RBAC authorization

| Authorization | Description |
| --- | --- |
| IAM authorization | IAM authorization for user groups is primarily concerned with managing access to cloud platform resources. Policies are used to control the permissions of each user group on specific resources. |
Authorization Information
Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.
service, the temporary IAM access key in a cluster expires.
Use the mounted OpenID Connect ID token file in programs in the pod to access IAM and obtain a temporary IAM token. Access the cloud service using the IAM token in programs in the pod.
Introduction
You can use Identity and Access Management (IAM) for fine-grained permissions management of your CCE clusters. If your account does not need individual IAM users, you can skip this section. With IAM, you can control access to specific Huawei Cloud resources.
By integrating IAM permissions with Kubernetes cluster permissions, you can use IAM to oversee Kubernetes resource access for various users.
Use the OIDC token to access IAM from the pod and obtain a temporary IAM token. Use the IAM token to access other cloud service resources from the pod.
Step 1: Obtain the Signature Public Key of the CCE Cluster
Use kubectl to access the target cluster.
For example, to obtain an IAM token in the CN-Hong Kong region, obtain the endpoint of IAM (iam.ap-southeast-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
To learn more about how IAM is different from Organizations for access control, see What Are the Differences in Access Control Between IAM and Organizations? This section describes the elements used by IAM custom identity policies and Organizations SCPs.
IAM authentication is not required for running kubectl commands. Therefore, you can run kubectl commands without configuring cluster management (IAM) permissions. However, you need to obtain the kubectl configuration file (kubeconfig) with the namespace permissions.
Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only.
If an IAM user is required to grant cluster namespace permissions to other users or user groups, the user must have the IAM read-only permission.