检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
How Do I Grant Some CDN Permissions to IAM Users? You can use IAM to implement fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.
The account administrator grants only the permissions of an enterprise project to the IAM user, so the IAM user cannot obtain the domain ID of the account, and the following error message is displayed when the IAM user calls an API.
Create a user group on the IAM console, and assign the CDN DomainReadOnlyAccess policy to the group. Create an IAM user and add it to the user group. Create a user on the IAM console and add the user to the group created in 1. Log in as the IAM user and verify permissions.
Possible causes: Your IAM agency quota has been used up. On the Agencies page of the IAM console, check whether the agency quota has been used up. If yes, delete unnecessary agencies or submit a service ticket to increase the quota. You are an IAM user.
Table 3 Dependency policies and roles Console Function Dependent Services Roles or Policies Required OBS authorization Identity and Access Management (IAM) Creating an agency: iam:agencies:createAgency Listing agencies: iam:agencies:listAgencies Querying agency details: iam:agencies
For example, to obtain an IAM token in the ALL region, obtain the endpoint of IAM (iam.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
Perform the following steps: If you are using CDN as an IAM user with insufficient permissions, view each permission on Permissions Management and ask the account administrator to assign the required permissions to you by referring to Creating a User and Granting CDN Permissions.
IAM or enterprise projects: Type of projects for which an action will take effect. Policies that contain actions supporting both IAM and enterprise projects can be assigned to user groups and take effect in both IAM and Enterprise Management.
Perform the following operations to rectify the fault: If you log in as an IAM user, check whether you have the permissions required to perform cache purge and prefetch. If you do not have the required permissions, apply for them from your account administrator.
Associated Cloud Service Permission IAM iam:roles:listRoles iam:roles:createRole iam:agencies:listAgencies iam:agencies:createAgency iam:permissions:grantRoleToAgencyOnDomain CDN cdn:configuration:modifyChargeMode CDN ReadOnlyAccess SCM scm:cert:list After creating an agency, IAM
IAM users can enable OBS authorization only when they have the following permissions: IAM permissions iam:agencies:listAgencies iam:agencies:createAgency iam:permissions:grantRoleToAgencyOnProject CDN permissions cdn:configuration:modifyChargeMode CDN ReadOnlyAccess Procedure Log
Object Storage Service (OBS) Accelerating Delivery of OBS Resources IAM provides: User and permission management IAM user and user group management Fine-grained policy management Agency management Allow CDN to access your OBS private buckets on the IAM console.
For security purposes, create IAM users and grant them permissions for routine management. IAM user An IAM user is created using an account to use cloud services. Each IAM user has its own identity credentials (password and access keys).
API Permissions Domain Name Operations Permission Action API IAM Project Enterprise Project Querying domain names cdn:configuration:queryDomains GET /v1.0/cdn/domains √ √ Creating a domain name cdn:configuration:createDomains POST /v1.0/cdn/domains √ √ Disabling domain names cdn:configuration
Why Is the Error Message Indicating Failed to Obtain the Domain ID Displayed When an IAM User Calls an API After the Enterprise Project Function Is Enabled? Can CDN Share an Acceleration Domain Name with Live?
The token can be obtained by calling the IAM API used to obtain a user token. The value of **X-Subject-Token** in the response header is the user token.
The token can be obtained by calling the IAM API used to obtain a user token. The value of **X-Subject-Token** in the response header is the user token.
The token can be obtained by calling the IAM API used to obtain a user token. The value of **X-Subject-Token** in the response header is the user token.
The token can be obtained by calling the IAM API used to obtain a user token. The value of **X-Subject-Token** in the response header is the user token.
The token can be obtained by calling the IAM API used to obtain a user token. The value of **X-Subject-Token** in the response header is the user token.
