Examples of Using QingTian Enclave
In this chapter, we will show how to use QingTian Enclave instances together with KMS (a sub-service of DEW), IAM, and OBS.
Workflow
Creating a QingTian Enclave Image
Launching a QingTian Enclave Instance
For details about the relationship between IAM identities and operators and the operator username format, see Relationship Between IAM Identities and Operators.
AZ Management
Permission | API | Action | Dependencies | IAM Project | Enterprise Project | Authorization by Instance | Authorization by Tag
Querying AZs (native OpenStack API) (discarded) | GET /v2.1/{project_id}/os-availability-zone | ecs:availabilityZones:list | - | Supported | Not supported | Not supported |
Network Management
Permission | API | Action | Dependencies | IAM Project | Enterprise Project | Authorization by Instance | Authorization by Tag
Querying networks (native OpenStack API) (discarded) | GET /v2.1/{project_id}/os-networks | ecs:networks:list | vpc:networks:get | Supported | Not supported | Not
KMS can ingest attestation documents from QingTian Enclave instances and validate the measurements they contain against those specified in IAM policies, to determine whether a given QingTian Enclave instance may access KMS APIs.
IAM Permission Agency: IAM agency assumed by COC to execute the scheduled task.
Target Instance: The instance where the scheduled task is to be executed. An instance is selected by default.
ECS Management Through Console
Permission | API | Action | Dependencies | IAM Project | Enterprise Project | Authorization by Instance | Authorization by Tag
Obtaining the address for logging in to the console using VNC | POST /v2.1/{project_id}/servers/{server_id}/remote-consoles | ecs:servers:createConsole
To do so, perform the following operations:
1. On the User Groups page of the IAM console, locate the target user group and click Authorize in the Operation column.
2. Select policies or roles from the list.
3. Click Next and select Region-specific projects.
The user token (no special permission requirements) of an IAM user is required if the user is requesting to verify their own token. This example uses an IAM user token, so X-Auth-Token is the same as the token to be verified.
X-Subject-Token: the token to be verified.
Private key pair: A private key pair created by an IAM user on the management console can be used only by that user. If multiple IAM users need to use the same key pair, upgrade it to an account key pair. For details, see Upgrading a Private Key Pair to an Account Key Pair.
Image Management
Permission | API | Action | Dependencies | IAM Project | Enterprise Project | Authorization by Instance | Authorization by Tag
Creating an image (native OpenStack API) (discarded) | POST /v2.1/{project_id}/servers/{server_id}/action | ecs:servers:createImage | ecs:servers:list evs:volumes
When you or the IAM users under your account perform critical operations, for example, deleting ECS resources, you are required to enter a verification code based on the selected verification method.
Authorizing Redeployment for Instances Not Using Local Disks
Authorizing Redeployment for Instances Using Local Disks
Prerequisites
If you need to perform operations as an IAM user, ensure that the IAM user has been granted the required permissions.
Specifications Query
Permission | API | Action | Dependencies | IAM Project | Enterprise Project | Authorization by Instance | Authorization by Tag
Querying details about flavors and extended flavor information | GET /v1/{project_id}/cloudservers/flavors | ecs:cloudServerFlavors:get | - | Supported | Supported
Tenant Quota Management
Permission | API | Action | Dependencies | IAM Project | Enterprise Project | Authorization by Instance | Authorization by Tag
Querying quotas of a tenant | GET /v1/{project_id}/cloudservers/limits | ecs:cloudServerQuotas:get | - | Supported | Supported | Not supported | Not supported
IAM administrators can use preset IAM authorization policies or guardrail policies to enforce attestation-based conditional access control on KMS APIs. In addition, QingTian Enclave is a developer-friendly platform in terms of usability and application compatibility.
The ECS recycle bin is enabled per IAM project. If multi-project management is used, you need to enable the recycle bin for each project.
Prerequisites
To enable the ECS recycle bin, you need to enable the EVS recycle bin first. For details, see Enabling the Recycle Bin.
Batch Operations
Permission | API | Action | Dependencies | IAM Project | Enterprise Project | Authorization by Instance | Authorization by Tag
Stopping ECSs in a batch | POST /v1/{project_id}/cloudservers/action | ecs:cloudServers:stop | - | Supported | Supported | Supported | Supported
Restarting ECSs in a
SSH Key Management
Permission | API | Action | Dependencies | IAM Project | Enterprise Project | Authorization by Instance | Authorization by Tag
Creating and importing an SSH key pair (native OpenStack API) (discarded) | POST /v2.1/{project_id}/os-keypairs | ecs:serverKeypairs:create | - | Supported | Not