Application identity federation is built to allow tenant applications to use SAML and OIDC to securely exchange external tokens with Huawei Cloud IAM tokens. All IAM users are disabled.
"iam:agencies:list*", "iam:agencies:createAgency", "iam:agencies:createServiceLinkedAgencyV5", "coc:agency:get", "coc:agency:create", "iam:permissions:grantRoleToAgency",
You can use your account to create IAM users, and assign permissions to the IAM users to control their access to specific resources. IAM permissions define which actions on your cloud resources are allowed or denied.
In the condition keys of KMS key policies, you can use the SHA384 hash value of IAM agency as PCR3. This ensures that only QingTian Enclaves running on instances with the correct IAM agency can perform specific KMS actions on KMS keys.
Procedure: 1. Log in to the IAM console. 2. On the IAM console, choose Agencies from the left navigation pane and click Create Agency on the displayed page. 3. Configure the agency parameters: Agency Name (enter an agency name) and Agency Type (select Cloud service).
IAM PDP supports multiple types of access control policies, including VPCEP policies, IAM identity policies, and cloud service resource policies. IAM access control policies support a variety of condition attributes.
Creating a User and Granting ECS Permissions Use IAM to implement fine-grained permissions control over your ECSs. With IAM, you can: Create IAM users for personnel based on your enterprise's organizational structure.
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User An IAM user is created by an account in IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
The following is an example of a deny policy: { "Version": "1.1", "Statement": [ { "Effect": "Deny", "Action": [ "ecs:cloudServers:delete" ] } ] }
username "password": "$ADMIN_PASS", //IAM user password.
Prerequisites If you need to perform operations as an IAM user, ensure that the IAM user has been granted the required permissions.
IAM is a global service. You can create an IAM user using the endpoint of IAM in any region.
IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources. With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific resources.
Create a custom policy policyTest using the account and attach the policy to an IAM user. Log in to the IAM console using the account.
Using an IAM agency for an instance You can configure an IAM agency when creating an ECS. An IAM agency for an instance is a virtual identity created by an IAM administrator. It represents the IAM identity for ECSs to access cloud service resources.
The following shows part of the response body for the API used to create an IAM user. { "user": { "id": "c131886aec...
IAM projects/Enterprise projects: Authorization scope of custom policies, which can be IAM projects, enterprise projects, or both.
The data security administrator sets PCR0 and PCR8 as condition keys of the IAM access control policies (controlling the kms-decrypt API). On the IAM console, use an account with administrator permissions to create a custom identity policy.