For details, see Step 2: Create IAM Users and Log In. Access Control: Permissions control. You can use IAM to assign different permissions to different employees in your enterprise to access your instance resources. For details about DRS permissions, see Permissions Management.
Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management. Policies that only contain actions for IAM projects can be used and only take effect for IAM.
With IAM, you can: Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to DRS resources. Grant only the permissions required for users to perform a specific task.
For example, to obtain the IAM token in the CN North-Beijing1 region, obtain the endpoint of IAM (iam.cn-north-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
IAM can be used free of charge. You pay only for the resources in your Huawei Cloud account. For more information about IAM, see IAM Service Overview. DRS Permissions: By default, new IAM users do not have permissions assigned.
Task Creation Process. Process of Creating a Migration Task (Figure 1: Process of creating a real-time migration task). Obtaining a User Token: Call an IAM API to obtain a user token. Creating Tasks in Batches: Create a migration task.
Inherit permissions from user groups: Add the IAM user to certain groups with the DRS FullAccess permission to make the user inherit their permissions. Select permissions: Directly assign the DRS FullAccess permission to the IAM user.
Creating an agency: iam:agencies:createAgency
Querying the agency list: iam:agencies:listAgencies
Assigning permissions to an agency: iam:permissions:grantRoleToAgency, iam:permissions:grantRoleToAgencyOnProject and iam:permissions:grantRoleToAgencyOnDomain
Querying agency permissions
To better isolate and manage permissions, you are advised to configure an independent IAM administrator and grant them the permission to manage IAM policies. The IAM administrator can create different user groups based on your service requirements.
IAM User: An IAM user is created using an account to use cloud services. Each IAM user has its own identity credentials (password and access keys). The account name, username, and password will be required for API authentication.
Supported network types during migration to GaussDB on the current cloud: VPC, VPN, Direct Connect, Public network. IAM: Identity and Access Management (IAM) manages permissions for DRS. Only users with the DRS administrator permissions can use DRS.
Management Use the Identity and Access Management (IAM) service to manage DRS permissions.
The API used to obtain a project ID is GET https://{endpoint}/v3/projects/, where {endpoint} indicates the IAM endpoint. You can obtain the IAM endpoint from Regions and Endpoints. For details about API authentication, see Authentication. The following is an example response.
Fine-Grained Authorization: DRS uses Identity and Access Management (IAM) to implement fine-grained permission management.
Procedure: Call an IAM API to obtain a user token by referring to Authentication. Obtain the ID of the task to be queried by referring to Obtaining a Task ID.
It is a response to the IAM API for obtaining a user token. After a request is processed, the value of X-Subject-Token in the header is the token value.
X-Language | No | String | Request language type. The default value is en-us.
The IAM username for creating required subscription tasks.
setUserId(String userId): Specifies the user ID. You can obtain the user ID from My Credential on the management console.
setPassword(String password): Specifies the user password.
X-Auth-Token | Yes | String | User token obtained from IAM. It is a response to the API for obtaining a user token. This API is the only one that does not require authentication. After a request is processed, the value of X-Subject-Token in the header is the token value.
When using a token for authentication, cache it to prevent frequently calling the IAM API used to obtain a user token. A token specifies temporary permissions in a computer system.