If your Huawei Cloud account does not need individual IAM users for permission management, you may skip this section. IAM is a free service. You only pay for the resources in your account. For more information about IAM, see What Is IAM?
With IAM, you can: Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing the resources.
What Should I Do If a Table Cannot Be Created After I Switch to an IAM Identity Center User? Symptom A user created in IAM Identity Center was configured with the v3 system policy LakeFormation FullAccess.
Identity Authentication and Access Control: Identity Authentication. IAM users of the current tenant access LakeFormation through the console. LakeFormation authenticates the IAM token carried in each HTTPS request the console sends, and uses it to identify the tenant and the IAM user making the request.
Policies that contain actions only for IAM projects can be used and applied to IAM only. Parent topic: Permissions and Supported Actions
Coarse-grained IAM permissions are broad permissions on various operations.
IAM actions listed in the policy fragment: "iam:agencies:getAgency", "iam:users:listUsers", "iam:permissions:listRolesForAgency", "iam:groups:listGroups", "iam:permissions:listRolesForAgencyOnProject", "iam:roles:getRole"
For details about how to create an IAM user, see Creating an IAM User and Granting the LakeFormation Permissions to Users. Parent topic: LakeFormation Data Permission Management
Custom User Information Obtaining Class The AuthenticationManager class is used to obtain the information of the user who accesses LakeFormation, which may be an IAM user or a local LDAP user.
Custom Authentication Information Obtaining Class The IdentityGenerator class is used to obtain IAM authentication information (token, permanent AK/SK, and temporary AK/SK and securityToken) for accessing LakeFormation.
For example, to obtain an IAM token in the CN-Hong Kong region, send a POST request to the IAM endpoint of that region (iam.ap-southeast-1.myhuaweicloud.com) with the resource path of the user-token API (/v3/auth/tokens), that is, POST https://iam.ap-southeast-1.myhuaweicloud.com/v3/auth/tokens.
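The request described above, written out as an added example (this is not Huawei Cloud's SDK code). It builds the password-authentication body for POST /v3/auth/tokens against the CN-Hong Kong endpoint from the page, and shows where the token actually comes back: in the X-Subject-Token response header, with only expiry and scope in the JSON body. The domain, user, password and project-scope values, the `fetch_token` helper, and the sample response used for the offline run are assumptions constructed for the example.

```python
"""Obtain an IAM user token for LakeFormation access (added example)."""
import json
import urllib.request

IAM_ENDPOINT = "iam.ap-southeast-1.myhuaweicloud.com"   # CN-Hong Kong endpoint (from the page)
TOKEN_PATH = "/v3/auth/tokens"                          # user-token API resource path (from the page)


def build_token_request(domain_name, user_name, password, project_name="ap-southeast-1"):
    """Return (url, body) for a password-authenticated, project-scoped token request.

    Assumption: the caller wants a token scoped to one region's project; a
    domain-scoped request replaces the "scope" block with {"domain": {...}}.
    """
    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": user_name,
                        "password": password,
                        "domain": {"name": domain_name},   # the account (tenant) the IAM user belongs to
                    }
                },
            },
            "scope": {"project": {"name": project_name}},
        }
    }
    return f"https://{IAM_ENDPOINT}{TOKEN_PATH}", body


def extract_token(headers, body_text):
    """Pull the token out of the response.

    The token is NOT in the JSON body: it is the X-Subject-Token header.
    The body only tells you when it expires and what it is scoped to.
    """
    token = None
    for name, value in headers.items():          # header names are case-insensitive
        if name.lower() == "x-subject-token":
            token = value
    if token is None:
        raise ValueError("no X-Subject-Token header in response; authentication failed?")
    expires_at = json.loads(body_text)["token"]["expires_at"]
    return token, expires_at


def fetch_token(domain_name, user_name, password, project_name="ap-southeast-1"):
    """Perform the real request (needs network; hypothetical helper, not part of the page)."""
    url, body = build_token_request(domain_name, user_name, password, project_name)
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_token(dict(resp.headers), resp.read().decode("utf-8"))


# Constructed sample response so the parsing step can be exercised offline.
SAMPLE_TOKEN = "MIIDconstructedSampleTokenValue"
SAMPLE_HEADERS = {"Content-Type": "application/json", "X-Subject-Token": SAMPLE_TOKEN}
SAMPLE_BODY = json.dumps({
    "token": {
        "expires_at": "2025-01-01T00:00:00.000000Z",
        "project": {"name": "ap-southeast-1"},
        "user": {"name": "alice"},
    }
})

if __name__ == "__main__":
    url, body = build_token_request("example-account", "alice", "not-a-real-password")
    print(url, json.dumps(body["auth"]["identity"]["methods"]))
    token, expires = extract_token(SAMPLE_HEADERS, SAMPLE_BODY)
    print("token length:", len(token), "expires at:", expires)   # never print the token itself
```

Treat the returned token exactly like the password that produced it: pass it only in the X-Auth-Token header over HTTPS, never log it, and re-request a token when `expires_at` passes rather than caching it indefinitely.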
Dependent IAM actions (continued from the preceding row): agencies:listAgencies, iam:permissions:listRolesForAgency, iam:permissions:listRolesForAgencyOnProject, iam:roles:listRoles, iam:agencies:createAgency, iam:agencies:updateAgency, iam:permissions:grantRoleToAgencyOnProject
API: DELETE /v2/agency. Action: lakeformation::dropAgency. Dependent IAM action: iam:agencies:deleteAgency
Procedure Create a user on the IAM console and add the user to a user group with LakeFormation operation permissions. For details, see Creating an IAM User. The username can contain only letters, digits, and underscores (_). Parent topic: Metadata Management
Table 1 Relationships with other services
Identity and Access Management (IAM): IAM authenticates IAM users or agencies and controls some access.
Cloud Trace Service (CTS): CTS records LakeFormation operations for query, auditing, or backtracking.
Select User Group: Select the user group to be authorized, for example, IAM user group. You can create one on the IAM console in advance. Role: Select the role to be authorized.
After cloud service authorization, LakeFormation will create an agency named lakeformation_admin_trust in Identity and Access Management (IAM). Do not delete the agency when using LakeFormation.
Authorization type:
IAM: IAM user or user group
LOCAL: LakeFormation local user
AGENTTENANT: IAM agency
Authorization Object: name or path of the authorized resource. If the authorization type is set to Resources, the format is Catalog.[Database].[Table].
Custom authentication information retrieval class: used to obtain IAM authentication credentials for accessing LakeFormation. Custom user information retrieval class: used to obtain the identity of the user currently accessing LakeFormation.
Principal type enumeration values: IAM (cloud user), SAML (SAML-based federation), LDAP (ID user), LOCAL (local user), AGENTTENANT (agency), OTHER (others).
principal_name: String. Entity name; the value can contain 1 to 49 characters.
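An added example (not LakeFormation's own code) that ties together the two data formats above: the Catalog.[Database].[Table] authorization-object path and the principal type/name fields. It parses and validates a resource path, validates a principal against the enumeration and the 1 to 49 character limit, and assembles a grant record. The `covers` check assumes that a grant at a higher level (catalog or database) applies to everything beneath it; that hierarchical reading of the bracketed optional segments is an assumption of the example, not something the page states. The sample catalog, database, table and principal names are constructed.

```python
"""Parse LakeFormation-style authorization objects and principals (added example)."""

# Principal types from the page's enumeration.
PRINCIPAL_TYPES = {"IAM", "SAML", "LDAP", "LOCAL", "AGENTTENANT", "OTHER"}
# Resource hierarchy implied by the Catalog.[Database].[Table] format.
LEVELS = ("catalog", "database", "table")


def parse_authorization_object(path):
    """Split 'Catalog[.Database[.Table]]' into its levels.

    Rejects empty segments ('hive..orders') and paths deeper than a table,
    so a malformed string cannot silently become a broader or narrower grant.
    """
    parts = path.split(".")
    if not 1 <= len(parts) <= len(LEVELS) or any(p == "" for p in parts):
        raise ValueError(f"bad authorization object {path!r}: expected Catalog[.Database[.Table]]")
    return dict(zip(LEVELS, parts))


def validate_principal(principal_type, principal_name):
    """Check the principal against the page's enumeration and length rule."""
    if principal_type not in PRINCIPAL_TYPES:
        raise ValueError(f"unknown principal type {principal_type!r}; expected one of {sorted(PRINCIPAL_TYPES)}")
    if not 1 <= len(principal_name) <= 49:
        raise ValueError("principal_name must be 1 to 49 characters")
    return {"principal_type": principal_type, "principal_name": principal_name}


def build_grant(principal_type, principal_name, path):
    """Assemble one validated grant record (field names are the example's own)."""
    grant = validate_principal(principal_type, principal_name)
    grant["resource"] = parse_authorization_object(path)
    return grant


def covers(grant_path, resource_path):
    """True if a grant on grant_path reaches resource_path.

    Assumption: grants are hierarchical, so 'hive.sales' covers 'hive.sales.orders'
    but 'hive.sales.orders' does not cover 'hive.sales'.
    """
    granted = parse_authorization_object(grant_path)
    wanted = parse_authorization_object(resource_path)
    return all(wanted.get(level) == value for level, value in granted.items())


if __name__ == "__main__":
    # Constructed sample: an agency principal granted at database level.
    grant = build_grant("AGENTTENANT", "lakeformation_admin_trust", "hive.sales")
    print(grant)
    for target in ("hive.sales.orders", "hive.hr.employees"):
        print(target, "covered" if covers("hive.sales", target) else "not covered")
```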
Permission Management LakeFormation Permission Overview IAM Permissions LakeFormation Permissions