This error message indicates that the IAM user does not have programmatic access permissions.
Solution: Contact the account administrator and log in to the IAM console. Locate the IAM user to be modified and click the username.
Table 1 IAM and RBAC authorization
Authorization: IAM authorization
Description: IAM authorization for user groups is primarily concerned with managing access to cloud platform resources. Policies are used to control the permissions of each user group on specific resources.
IAM users with IAM ReadOnlyAccess, CCE FullAccess, or CCE ReadOnlyAccess assigned can directly access the data in Overview.
service, the temporary IAM access key in a cluster expires.
Use the mounted OpenID Connect ID token file in programs in the pod to access IAM and obtain a temporary IAM token. Access the cloud service using the IAM token in programs in the pod.
Possible cause: Your account is not granted the required IAM permissions.
Solution: Log in to the IAM management console using a Huawei Cloud account or an account with IAM permissions. Based on the error message, add the permissions required by the CCE console to your account.
When there are both IAM projects and enterprise projects, IAM preferentially matches the IAM project policies.
As a result, all IAM users within your account will use the same key to mount OBS buckets, and they will have identical permissions on the buckets. However, this setting does not allow you to set different permissions for individual IAM users.
However, IAM users created by your accounts do not have the permissions. You need to manually assign the permissions to IAM users. For details, see Permissions Overview.
Creating an IAM User and User Group
Log in to the IAM console and create an IAM user named user-example and a user group named cce-role-group.
By integrating IAM permissions with Kubernetes cluster permissions, you can use IAM to oversee Kubernetes resource access for various users.
For example, to obtain an IAM token in the CN-Hong Kong region, obtain the endpoint of IAM (iam.ap-southeast-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
Operations Performed by IAM Users
IAM users can only revoke their own credentials. To revoke a credential, perform the following operations: Log in to the CCE console and click the cluster name to access the cluster console. Choose Overview in the navigation pane.
Administrators of the IAM Admin user group can grant cluster management permissions (such as CCE Administrator and CCE FullAccess) to IAM users or grant namespace permissions on a cluster on the CCE console.
IAM authentication is not required for running kubectl commands. Therefore, you can run kubectl commands without configuring cluster management (IAM) permissions. However, you need to obtain the kubectl configuration file (kubeconfig) with the namespace permissions.
Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only.
If an IAM user is required to grant cluster namespace permissions to other users or user groups, the user must have the IAM read-only permission.