Procedure Log in to the IAM console. On the IAM console, choose Agencies from the left navigation pane and click Create Agency on the displayed page. Configure agency parameters. Agency Name: Enter an agency name. Agency Type: Select Cloud service.
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User An IAM user is created by an account in IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
For details about the relationship between IAM identities and operators and the operator username format, see Relationship Between IAM Identities and Operators.
Examples of Using QingTian Enclave QingTian Enclave can work with KMS (a sub-service of DEW), IAM, and OBS to support a wide range of scenarios, including some roles and basic workflows.
KMS can ingest attestation documents from QingTian Enclave instances and validate the measurements in the attestation documents against those specified in the IAM policies to determine whether QingTian Enclave instances can access KMS APIs.
AZ Management Permission API Action Dependencies IAM Project Enterprise Project Authorization by Instance Authorization by Tag Querying AZs (native OpenStack API) (discarded) GET /v2.1/{project_id}/os-availability-zone ecs:availabilityZones:list - Supported Not supported Not supported
users, see Using IAM Roles or Policies to Grant Access to ECS.
Network Management Permission API Action Dependencies IAM Project Enterprise Project Authorization by Instance Authorization by Tag Querying networks (native OpenStack API) (discarded) GET /v2.1/{project_id}/os-networks ecs:networks:list vpc:networks:get Supported Not supported Not
IAM Permission Agency IAM agency assumed by COC to execute the scheduled task. Target Instance The instance where the scheduled task is to be executed. An instance is selected by default.
Prerequisites If you need to perform operations as an IAM user, ensure that the IAM user has been granted the required permissions.
The user token (no special permission requirements) of an IAM user is required if the user is requesting to verify their own token. This example uses the IAM user, and the X-Auth-Token is the same as the token to be verified. X-Subject-Token: Token to be verified.
Private key pair A private key pair created by an IAM user on the management console can be used only by the user. If multiple IAM users need to use the same key pair, upgrade it to an account key pair. For details, see Upgrading a Private Key Pair to an Account Key Pair.
Authorization Each account has all of the permissions required to call all APIs, but IAM users must have the required permissions specifically assigned. If you are using role/policy-based authorization, see the required permissions in Permissions and Supported Actions.
To do so, perform the following operations: On the User Groups page of the IAM console, locate the target user group and click Authorize in the Operation column. Select policies or roles from the list. Click Next and select Region-specific projects.
ECS Management Through Console Permission API Action Dependencies IAM Project Enterprise Project Authorization by Instance Authorization by Tag Obtaining the address for logging in to the console using VNC POST /v2.1/{project_id}/servers/{server_id}/remote-consoles ecs:servers:createConsole
Image Management Permission API Action Dependencies IAM Project Enterprise Project Authorization by Instance Authorization by Tag Creating an image (native OpenStack API) (discarded) POST /v2.1/{project_id}/servers/{server_id}/action ecs:servers:createImage ecs:servers:list evs:volumes
When you or the IAM users under your account perform critical operations, for example, deleting ECS resources, you are required to enter a verification code based on the selected verification method.
In the left navigation pane of the IAM console, choose Security Settings. On the Security Settings page, choose Critical Operations > Operation Protection > Change. Figure 1 Modifying operation protection settings On the Operation Protection page, select Disable and click OK.
Specifications Query Permission API Action Dependencies IAM Project Enterprise Project Authorization by Instance Authorization by Tag Querying details about flavors and extended flavor information GET /v1/{project_id}/cloudservers/flavors ecs:cloudServerFlavors:get - Supported Supported
Tenant Quota Management Permission API Action Dependencies IAM Project Enterprise Project Authorization by Instance Authorization by Tag Querying quotas of a tenant GET /v1/{project_id}/cloudservers/limits ecs:cloudServerQuotas:get - Supported Supported Not supported Not supported