Administrators of the IAM Admin user group can grant cluster management permissions (such as CCE Administrator and CCE FullAccess) to IAM users or grant namespace permissions on a cluster on the CCE console.
Based on the principle of least privilege (POLP), an IAM user must have at least the following IAM operation permissions when creating or updating an agency:
  iam:agencies:createAgency: for creating an agency
  iam:permissions:revokeRoleFromAgencyOnProject: for removing permissions of
Operations Performed by IAM Users
IAM users can only revoke their own credentials. To revoke a credential, perform the following operations: Log in to the CCE console and click the cluster name to access the cluster console. Choose Overview in the navigation pane.
Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only.
Only the users with the IAM permissions can download the cluster certificate. Note that information leakage may occur during certificate transmission.
kind: User
name: 0c97ac3cb280f4d91fa7c0096739e1f8 # User ID of the user-example
apiGroup: rbac.authorization.k8s.io
The subjects section binds a Role with an IAM user so that the IAM user can obtain the permissions defined in the Role, as shown in the following figure.
Therefore, you can log in to the IAM console, create a user group named cce-sre-b4 and assign CCE FullAccess to William for his region.
Permission Configuring kubeconfig for Fine-Grained Management on Cluster Resources Configuring Namespace-level Permissions for an IAM User Performing RBAC Authentication on a Namespace Using kubectl Commands
For details about the relationship between IAM identities and operators and the operator username format, see Relationship Between IAM Identities and Operators.
Log in to the IAM console. In the navigation pane, choose Permissions > Policies/Roles. Then click Create Custom Policy. Configure parameters for the policy. Policy Name: Set it to CCE Subscribe Operator. Policy View: Select JSON.
Why Can't an IAM User Make API Calls? What Is an OBS Global Access Key and How Do I Check Whether a Global Access Key Is Used in a Cluster?
Permissions Before Optimization
Table 1 cia_admin_trust permissions
  Granted To: CCE
  Policy/Role: IAM ReadOnlyAccess
  Description: IAM users need to be able to access Monitoring Center and Alarm Center.
To use a bucket or objects with SSE-KMS server-side encryption enabled, the requester must have the following IAM permissions: kms:cmk:get, kms:cmk:list, kms:cmk:create, kms:dek:create, and kms:dek:crypto.
If you need to create multiple IAM users, configure the permissions of the IAM users and namespaces properly. For details about how to configure cluster permissions, see Cluster Permissions (IAM-based).
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management.
User
An IAM user is created using an account to use cloud services. Each IAM user has their own identity credentials (password and access keys).
Custom agencies do not support IAM 5.0 trust agencies.
Prerequisites
You need to create a custom agency of the cloud service type on the Agencies page of the IAM console and authorize it to CCE. For details, see Creating an Agency and Assigning Permissions.