Granting UCS Permissions to IAM Users
Application Scenarios: UCS permissions management offers fine-grained control over permissions using IAM and Kubernetes RBAC. It also supports IAM-based fine-grained permission control and IAM token-based authentication.
Why Can't an IAM User Obtain Cluster or Fleet Information After Logging In to UCS?
Symptom: After an IAM user logs in to the UCS console and goes to the Fleets page, information about the created fleet and registered clusters cannot be obtained.
ReadOnlyAccess permissions (read-only permissions on IAM) to IAM users to obtain the IAM user list.
The following figure shows the permissions management flow of a new IAM user.
For example, to obtain an IAM token in the CN-Hong Kong region, obtain the endpoint of IAM (iam.ap-southeast-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
Authentication and Access: UCS provides refined permission management based on the role-based access control (RBAC) capability of IAM and Kubernetes. Permission control can be implemented per UCS service resource and per Kubernetes resource in a cluster.
API to obtain the IAM token.
  verbs:
  - list
  - get
Replace <user-id> with the IAM user ID and <group-id> with the IAM user group ID.
Figure 4: Choosing general settings. Click Service Endpoints, click Create Service Endpoint, and select IAM user from the drop-down list.
Figure 5: Configuring a service endpoint. Configure IAM information for the service endpoint. For details, see Table 1.
The following shows part of the response body for the API used to create an IAM user. { "user": { "id": "c131886aec...
UCS.00010012 (400) "IAM agency quota insufficient, please expand agency quota": IAM agency quota exceeded.
UCS.00010013 (400) "fail to get iam pdp authorize result": Failed to obtain the PDP authentication result.
UCS.00010014 (403) "iam pdp authentication denied": PDP authentication rejected.
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management.
User: An IAM user is created by an account in IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
Ensure that the IAM domain name resolution and the IAM service connectivity are normal.
Administrator: Performing IAM Authorization. The administrator with the Tenant Administrator role performs IAM authorization for each functional team by creating four user groups, granting the UCS FullAccess, UCS CommonOperations, UCS CIAOperations, and UCS ReadOnlyAccess permissions
UCS.00010012 (400) "IAM agency quota insufficient, please expand agency quota": IAM agency quota exceeded. Submit a service ticket to increase the agency quota.
UCS.00010013 (400) "fail to get iam pdp authorize result": Failed to obtain the PDP authentication result.
  # domain ID
  IAM_DOMAIN_ID:
  # IAM service address
  IAM_ENDPOINT: