Rotating IAM Secrets Using FunctionGraph
Scenario: This section describes how to rotate IAM secrets through KMS using a FunctionGraph template.
Constraints: Only IAM member accounts can be rotated. IAM master accounts cannot be rotated.
With IAM, you can: Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access DEW resources. Grant users only the permissions required to perform a task.
For example, to obtain an IAM token in region CN-Hong Kong, obtain the IAM endpoint for that region (iam.cn-ap-southeast-1.myhuaweicloud.com) and the resource path (/v3/auth/tokens) from the URI of the API used to obtain a user token; the request URL is the endpoint followed by the resource path.
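The token request assembled from an endpoint and the /v3/auth/tokens resource path, as an added example that is not code from the Huawei Cloud documentation. It builds the password-authenticated, project-scoped request body, reads the token from the X-Subject-Token response header, and recognises the 401 APIGW.0301 "current ip ... refused" rejection that IAM access control produces. The credentials, the sample responses and the error-body field names error_code/error_msg are assumptions made for this example.

```python
import json
import re
import urllib.error
import urllib.request

# Constructed placeholders for this example; not real credentials or a real account.
ENDPOINT = "iam.cn-ap-southeast-1.myhuaweicloud.com"   # IAM endpoint named on the page
RESOURCE_PATH = "/v3/auth/tokens"                       # resource path named on the page


def build_token_request(endpoint, domain_name, user_name, password, project_name):
    """Return (url, body) for a password-authenticated, project-scoped token request.

    domain_name is the account name, user_name the IAM user name and project_name
    the region project; account name, username and password are all required.
    """
    url = f"https://{endpoint}{RESOURCE_PATH}"
    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": user_name,
                        "password": password,
                        "domain": {"name": domain_name},
                    }
                },
            },
            "scope": {"project": {"name": project_name}},
        }
    }
    return url, body


_REFUSED_RE = re.compile(r"current ip:\s*(\S+)\s+refused")


def parse_token_response(status, headers, body_text):
    """Classify an IAM token response.

    Returns ("ok", token) on 201 (the token is in the X-Subject-Token header, not
    the body), ("refused", ip) for the 401 APIGW.0301 IP access-control rejection,
    or ("error", message) for anything else.  The error-body field names
    error_code/error_msg are assumed.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 201:
        token = hdrs.get("x-subject-token")
        return ("ok", token) if token else ("error", "201 without X-Subject-Token")
    try:
        err = json.loads(body_text) if body_text else {}
    except ValueError:
        err = {}
    code = err.get("error_code", "")
    msg = err.get("error_msg", body_text or "")
    if status == 401 and code == "APIGW.0301":
        m = _REFUSED_RE.search(msg)
        if m:
            return ("refused", m.group(1))
    return ("error", f"httpcode={status},code={code},Msg={msg}")


def request_token(endpoint, domain_name, user_name, password, project_name):
    """Send the request over the network and classify the reply (not run offline)."""
    url, body = build_token_request(endpoint, domain_name, user_name, password, project_name)
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, dict(resp.headers), resp.read().decode())
    except urllib.error.HTTPError as e:
        return parse_token_response(e.code, dict(e.headers), e.read().decode())


# Constructed sample replies shaped like the responses described on the page.
SAMPLE_OK_HEADERS = {"X-Subject-Token": "MIIDkgYJKoZIhvcNAQcCoIID...constructed"}
SAMPLE_401_BODY = json.dumps({
    "error_code": "APIGW.0301",
    "error_msg": "Incorrect IAM authentication information: current ip:203.0.113.7 refused",
})

if __name__ == "__main__":
    print(parse_token_response(201, SAMPLE_OK_HEADERS, ""))
    print(parse_token_response(401, {}, SAMPLE_401_BODY))
```

A "refused" result means the caller's source IP is outside the IAM access-control list, not that the password is wrong; retrying with other credentials from the same address will fail the same way.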
IAM projects or enterprise projects: the scope in which a granted permission takes effect. Policies that contain actions supporting both IAM and enterprise projects can be assigned to user groups and take effect in both IAM and Enterprise Management.
User ID: Enter the IAM user ID. To obtain it, click the username in the upper right corner of the console and choose My Credentials, then choose API Credentials from the navigation pane and copy the value of IAM User ID.
To let multiple IAM users use the same key pair, you can create a key pair (by using PuTTYgen or another tool) and import it for each IAM user. For details, see Importing a Key Pair. Alternatively, upgrade a private key pair to an account key pair.
Error information: httpcode=401,code=APIGW.0301,Msg=Incorrect IAM authentication information: current ip:xx.xx.xx.xx refused. Possible cause: an access control (ACL) policy is configured in IAM and the caller's source IP address is not in the allowed range. By default, IAM allows access from any IP address, so this error only occurs when such a policy has been set.
For details about IAM, see IAM Service Overview. DEW Permissions By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups.
Access Control: DEW uses Identity and Access Management (IAM) to implement fine-grained access control. By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups.
User An IAM user is created by an account in IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys). The account name, username, and password will be required for API authentication.
Rotating Secrets
- Overview
- Rotating a Secret for a User
- Rotating a Secret for Two Users
- Rotating IAM Secrets Using FunctionGraph
Parent topic: Cloud Secret Management Service
If multiple IAM users need to use the same key pair, use another tool (such as PuTTYgen) to create a key pair and import it for each of the IAM users separately. Prerequisites The public and private key files of the key pair to be imported are ready.
Centralized secret management and control IAM identity and permission management ensure only authorized users can retrieve and modify secrets. CTS monitors access to secrets. These services prevent unauthorized access to and breach of sensitive information.
Key Pair Management
Permission | API | Action | Dependent Permission | IAM Project | Enterprise Project
Creating and importing an SSH key pair (native OpenStack API) | POST /v2.1/{project_id}/os-keypairs | ecs:serverKeypairs:create | - | √ | x
Querying an SSH key pair (native OpenStack API) | GET /v2.1
All resources: IAM users will be able to use all resources, including those in enterprise projects, region-specific projects, and global services under your account based on assigned permissions.
NOTE: Use this ID as the value of Path if you are creating a custom policy in IAM and have selected Specify resource path for KeyId. Status Status of a CMK, which can be one of the following: Enabled The CMK is enabled. Disabled The CMK is disabled.
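A custom policy built from an explicit action list and, optionally, pinned to one CMK by its KeyId resource path, as an added example that is not the documentation's or IAM's own code. It refuses wildcard actions (the point of a custom policy is to grant only what a task needs) and includes a small evaluator that applies the Deny-overrides-Allow rule with resource matching, written for this example rather than taken from the IAM engine. The action name kms:cmk:get, the key ID and the KMS:*:*:KeyId:<id> path layout are assumptions; ecs:serverKeypairs:create is the action from the table above.

```python
import fnmatch


def build_custom_policy(actions, resource_path=None):
    """Build a custom policy document with a single Allow statement.

    Wildcard actions are rejected so the policy lists exactly the actions a
    task needs.  resource_path, if given, pins the statement to one resource
    (for a CMK, the KeyId path entered as Path in the console).
    """
    if not actions:
        raise ValueError("at least one action is required")
    if any("*" in a for a in actions):
        raise ValueError("wildcard actions defeat least privilege; list actions explicitly")
    statement = {"Effect": "Allow", "Action": sorted(set(actions))}
    if resource_path:
        statement["Resource"] = [resource_path]
    return {"Version": "1.1", "Statement": [statement]}


def kms_key_path(key_id):
    """Resource path for one CMK.  The KMS:*:*:KeyId:<id> layout is assumed here."""
    return f"KMS:*:*:KeyId:{key_id}"


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource=None):
    """Simplified evaluation of one action against a policy.

    An explicit Deny wins over any Allow; a statement carrying a Resource list
    applies only when the requested resource matches one of its entries.
    """
    allowed = False
    for st in policy["Statement"]:
        if not _matches(st["Action"], action):
            continue
        res = st.get("Resource")
        if res and (resource is None or not _matches(res, resource)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed key ID for the scoped example; not a real CMK.
EXAMPLE_KEY_ID = "0d0466b0-e727-4d9c-b35d-constructed"

if __name__ == "__main__":
    import json
    print(json.dumps(build_custom_policy(["ecs:serverKeypairs:create"]), indent=2))
    print(json.dumps(build_custom_policy(["kms:cmk:get"], kms_key_path(EXAMPLE_KEY_ID)), indent=2))
```

When a statement is pinned to one KeyId, a request naming any other key, or naming no key at all, falls outside the statement and is not allowed by it; that is the behaviour the Specify resource path option is meant to give.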
Restrictions The KMS Administrator right must be granted to the user in the region of RDS by using Identity and Access Management (IAM). For details about how to assign permissions to user groups, see "How Do I Manage User Groups and Grant Permissions to Them?"
{Endpoint} is the IAM endpoint and can be obtained from Regions and Endpoints. For details about API authentication, see Authentication.
Identity and Access Management (IAM) provides the permission management function for DEW.
Key pairs created by an IAM user on the management console can be used only by the user. If multiple IAM users need to use the same key pair, you can create an account key pair.