Creating an IAM User and Granting Organizations Permissions This section describes how a management account creates an IAM user and grants organization administrator permissions to the user.
startIdentityCenter Grants permission to enable IAM Identity Center. write - - IdentityCenter:instance:deleteIdentityCenter Grants permission to disable IAM Identity Center. write - - IdentityCenter:instance:list Grants permission to query the IAM Identity Center instance list. list
For details about the condition keys defined by IAM Access Analyzer, see Conditions. The following table lists the actions that you can define in SCP statements for IAM Access Analyzer.
What Are the Differences in Access Control Between IAM and Organizations? They grant permissions to different entities. IAM policies define permissions for IAM users, IAM user groups, and IAM agencies in an account.
}/info iam:users:update - GET /v3/users iam:users:list - POST /v3/users iam:users:create - GET /v3/users/{user_id} iam:users:get - DELETE /v3/users/{user_id} iam:users:delete - PATCH /v3/users/{user_id} iam:users:update - GET /v3/users/{user_id}/groups iam:users:listGroups - GET /
Obtaining Account, IAM User, Group, Project, Region, and Agency Information Obtaining Account, IAM User, and Project Information Using the console On the Huawei Cloud homepage, click Console in the upper right corner.
Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only.
Regions for Using SCPs SCPs are available in the following regions: Regions for using SCPs also support the use of IAM identity policies.
Service Name Reference Document 1 Simple Message Notification (SMN) Simple Message Notification (SMN) 2 Log Tank Service (LTS) Log Tank Service (LTS) 3 Identity and Access Management (IAM) Identity and Access Management (IAM) 4 Security Token Service (STS) Security Token Service (
principal is an IAM root user.
IAM provides identity authentication, permissions management, and access control, helping you securely access Huawei Cloud resources. With IAM, you can create IAM users and assign permissions enabling them to control their access to specific resources.
Service control policies (SCPs) in Organizations use a similar syntax to that used by Identity and Access Management (IAM) policies. They both use the JSON syntax. For details, see SCP Syntax.
Accessing Account Resources Via IAM Identity Center You can associate an account with users and permission sets in IAM Identity Center, and log in to the IAM Identity Center console via the user portal URL to access the resources in the account in the given organization.
Management & Governance Simple Message Notification (SMN) Log Tank Service (LTS) Identity and Access Management (IAM) Security Token Service (STS) Resource Formation Service (RFS) IAM Identity Center Organizations Resource Access Manager (RAM) Enterprise Project Management Service
Actions Organization Management Permission API Action IAM Project Enterprise Project Creating an organization POST /v1/organizations organizations:organizations:create iam:agencies:createServiceLinkedAgency Not supported Not supported Getting organization information GET /v1/organizations
Preventing IAM Users and Agencies from Making Certain Changes Preventing IAM Users and Agencies from Making Specified Changes, with an Exception for Specified Accounts Preventing Member Accounts from Leaving an Organization The following SCP prevents member accounts from leaving
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User An IAM user is created by an account in IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
listAgencies iam:permissions:listRolesForAgency iam:permissions:listRolesForAgencyOnProject POST /v1.0/{project_id}/clusters/{cluster_id}/node/offline css:cluster:shrinkNodes iam:agencies:listAgencies iam:permissions:listRolesForAgency iam:permissions:listRolesForAgencyOnProject POST
There is no change to the permissions assigned to the management account and its IAM users. Impact on Member Accounts Each member account will become a standalone account.
Permissions Management Creating an IAM User and Granting Organizations Permissions Creating Custom Policies