Rotating IAM Secrets Using FunctionGraph Scenario This section describes how to rotate IAM secrets through KMS using a FunctionGraph template. Constraints Only IAM member accounts can be rotated. IAM master accounts cannot be rotated.
Error information: httpcode=401,code=APIGW.0301,Msg=Incorrect IAM authentication information: current ip:xx.xx.xx.xx refused Possible Causes Access control is configured in IAM. By default, IAM allows access from any IP address.
With IAM, you can: Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access DEW resources. Grant users only the permissions required to perform a task.
Rotating IAM Secrets Using FunctionGraph Use the function workflow template and CSMS to rotate IAM secrets.
To let multiple IAM users use the same key pair, you can create a key pair (by using PuTTYgen or other tools) and import it as an IAM user resource. For details, see Importing a Key Pair. Upgrade a private key pair to an account key pair.
In this case, when the permission takes effect depends on the time when IAM broadcasts the permission change to the gateway. Parent topic: About DEW
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User An IAM user is created by an account in IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
How It Works You can configure an agency for elastic cloud server (ECS) on Identity and Access Management (IAM) to obtain the temporary access key (AK), thereby protecting the AK and secret key (SK).
Replace the italic fields in bold with the actual values. accountid: ID of the account to which the IAM user belongs. username: IAM username to be created. email: email address of the IAM user. **********: password of the IAM user.
Centralized secret management and control IAM identity and permission management ensure only authorized users can retrieve and modify secrets. CTS monitors access to secrets. These services prevent unauthorized access to and breach of sensitive information.
Therefore, users need to ensure that the account has the following IAM permissions: iam:permissions:grantRoleToAgencyOnProject, iam:agencies:listAgencies, iam:roles:listRoles, iam:agencies:createAgency, iam:permissions:checkRoleForAgencyOnProject and iam:roles:createRole.
Access Control DEW uses Identity and Access Management (IAM) to implement refined access control. By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups.
On the displayed API Credentials page, obtain the IAM user ID. After the grant is created, the IAM user can use the specified keys. Account Account ID: To obtain the account ID, hover the cursor over the username in the upper right corner, and choose My Credentials.
IAM projects or enterprise project: Scope of users a permission is granted to. Policies that contain actions supporting both IAM and enterprise projects can be assigned to user groups and take effect in both IAM and Enterprise Management.
Key Pair Management Permission API Action Dependent Permission IAM Project Enterprise Project Creating and importing an SSH key pair (native OpenStack API) POST /v2.1/{project_id}/os-keypairs ecs:serverKeypairs:create - √ x Querying an SSH key pair (native OpenStack API) GET /v2.1
For details about IAM, see IAM Service Overview. DEW Permissions By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups.
An account key pair can be used by multiple IAM users under the account. Private key pair: Only the IAM user who creates the private key pair on the console can use it. If multiple IAM users need to use the same key pair, upgrade it to an account key pair.
Rotating Secrets Overview Single-User Secret Rotation Dual-User Secret Rotation Rotating IAM Secrets Using FunctionGraph Parent topic: Cloud Secret Management Service