If your Huawei Cloud account does not need individual IAM users for permission management, you can skip this section. IAM is a free service; you pay only for the resources in your account. For more information about IAM, see What Is IAM?
Dependent IAM permissions (fragment of the permissions table):
agencies:listAgencies
iam:permissions:listRolesForAgency
iam:permissions:listRolesForAgencyOnProject
iam:roles:listRoles
iam:agencies:createAgency
iam:agencies:updateAgency
iam:permissions:grantRoleToAgencyOnProject
API: DELETE /v2/agency; action: lakeformation::dropAgency; dependent permission: iam:agencies:deleteAgency
Table 1 Relationships with other services
Identity and Access Management (IAM): authenticates IAM users and agencies and controls part of the access to LakeFormation.
Cloud Trace Service (CTS): records LakeFormation operations for query, auditing, or backtracking.
Custom User Information Obtaining Class: the AuthenticationManager class obtains the identity of the user accessing LakeFormation, which may be an IAM user or a local LDAP user.
Custom Authentication Information Obtaining Class: the IdentityGenerator class obtains the IAM credentials used to access LakeFormation, which may be a token, a permanent AK/SK, or a temporary AK/SK together with its securityToken.
Enumeration values: IAM, SAML, LDAP, LOCAL, AGENTTENANT, OTHER
IAM: cloud user
SAML: SAML-based federation
LDAP: LDAP user
LOCAL: local user
AGENTTENANT: agency
OTHER: others
principal_name (String): entity name. The value can contain 1 to 49 characters.
After cloud service authorization, LakeFormation creates an agency named lakeformation_admin_trust in Identity and Access Management (IAM). LakeFormation relies on this agency to act in your account, so do not delete it while LakeFormation is in use.
Identity Authentication and Access Control
Identity Authentication: IAM users of the current tenant access LakeFormation through the console. LakeFormation validates the IAM token carried in the HTTPS requests that the console sends, and uses it to identify the tenant and the IAM user.
For example, to obtain an IAM token in the CN-Hong Kong region, send the request to the IAM endpoint of that region (iam.ap-southeast-1.myhuaweicloud.com) using the resource path of the token-obtaining API (/v3/auth/tokens) in the URI.
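The request described above, as an added example (not Huawei Cloud's own sample code): it assembles the URL from the regional endpoint and resource path, builds a project-scoped password-authentication body, and reads the token from the response. The body layout and the X-Subject-Token response header are those of the public IAM v3 API; the domain, user name, password and project name are placeholders, and the project name ap-southeast-1 for CN-Hong Kong is an assumption taken from the endpoint name.

```python
"""Obtain an IAM token from the regional IAM endpoint.

Added example, not Huawei Cloud's own code. Assumes the IAM v3 password
authentication body and the X-Subject-Token response header; all
credentials below are placeholders.
"""
import json
import urllib.request

IAM_ENDPOINT = "iam.ap-southeast-1.myhuaweicloud.com"  # CN-Hong Kong, from the page
TOKEN_PATH = "/v3/auth/tokens"


def build_token_request(domain_name, user_name, password, project_name,
                        endpoint=IAM_ENDPOINT):
    """Return (url, headers, body) for a project-scoped password login.

    The body is returned as a dict so callers can inspect it before sending.
    """
    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": user_name,
                        "password": password,
                        "domain": {"name": domain_name},
                    }
                },
            },
            # Scope the token to one project (region) so it cannot be used
            # against resources in other projects of the account.
            "scope": {"project": {"name": project_name}},
        }
    }
    url = "https://" + endpoint + TOKEN_PATH
    headers = {"Content-Type": "application/json;charset=utf8"}
    return url, headers, body


def extract_token(status, headers):
    """Pull the token out of the response; it lives in a header, not the body."""
    if status != 201:
        raise RuntimeError("IAM returned HTTP %d" % status)
    token = headers.get("X-Subject-Token") or headers.get("x-subject-token")
    if not token:
        raise RuntimeError("response has no X-Subject-Token header")
    return token


def fetch_token(domain_name, user_name, password, project_name):
    """Perform the network call (not exercised offline)."""
    url, headers, body = build_token_request(domain_name, user_name,
                                             password, project_name)
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_token(resp.status, resp.headers)


if __name__ == "__main__":
    # Placeholder credentials; replace with real ones to run against IAM.
    print(fetch_token("example-domain", "example-user", "example-password",
                      "ap-southeast-1"))
```

The returned token is sent in the X-Auth-Token header of subsequent API requests. It is a bearer credential: treat it like a password, keep it out of logs, and prefer project-scoped tokens over domain-scoped ones for routine access.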
Coarse-grained IAM permissions (roles) grant a broad set of operations on a service at once; fine-grained permissions (policies) allow or deny individual actions on specific resources.
Creating a User and Assigning Permissions
This chapter describes how to use Identity and Access Management (IAM) to implement fine-grained permission control for your LakeFormation instances. With IAM, you can:
Create IAM users for employees based on your enterprise's organizational structure.
The options are IAM (cloud user), SAML (SAML-based federation), LDAP (LDAP user), LOCAL (local user), AGENTTENANT (agency), and OTHER (others). The response body of phase 1 does not contain this parameter.
Policies that contain only actions for IAM projects can be used and applied in IAM only.
If the migration type is set to DLF, the mapping and migration policy is as follows:
RAM user: mapped to an IAM user. If the corresponding IAM user does not exist, the permission policy is not migrated.
IAM User: select the IAM user to grant permissions to.
Agency: select an agency.
Granted To Resources: authorizes resources in LakeFormation instances.
Paths: authorizes paths in the OBS service.
USER: Huawei Cloud IAM user
GROUP: Huawei Cloud IAM user group
ROLE: LakeFormation role
Authorization Objects: metadata objects managed in LakeFormation, including data resources such as catalogs, databases, and tables.
IAM users and user groups can also be associated with fine-grained permission policies of LakeFormation for authorization. For details, see Creating a Custom Policy.
IAM indicates that the entity comes from IAM (a user or user group), LOCAL indicates that the entity comes from LakeFormation itself, and AGENTTENANT indicates that the entity is an IAM agency.
Authorization Object: name or path of the authorized resource.