检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
Policy IAM supports both system-defined and custom policies. System-defined Policies System-defined policies cover various common actions of a cloud service. System-defined policies can be used to assign permissions to user groups, but they cannot be modified.
With IAM, you can: Create IAM users for your employees within your Huawei Cloud account based on your company's organizational structure. This allows each employee to have their own security credentials and access to GES resources.
Making a Management Plane API Request This section describes the structure of a REST API request on the management plane of GES, and uses the IAM API for obtaining a user token as an example to demonstrate how to call an API.
IAM or enterprise projects: Type of projects for which an action will take effect. Policies that contain actions supporting both IAM and enterprise projects can be assigned to user groups and take effect in both IAM and Enterprise Management.
IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview. GES Permissions By default, new IAM users do not have permissions assigned.
Figure 3 Importing IAM users In the Import IAM User dialog box, enter the ID and username of the IAM user to be added and click OK. The system will add the IAM user to GES so that the IAM user can be selected in the user group.
Related Services IAM Identity and Access Management (IAM) authenticates access to GES on Huawei Cloud. VPC GES uses Virtual Private Cloud (VPC) to provide clusters with network topologies to isolate clusters and control access.
Due to the limitations of IAM 1.0, which only had RBAC authorization, the agency permissions for these two scenarios were relatively large. In reality, GES did not require such extensive permissions.
iam:roles:createRole, iam:permissions:grantRoleToAgencyOnDomain, iam:agencies:getAgency, iam:agencies:createAgency, iam:roles:updateRole, iam:permissions:grantRoleToAgency, and iam:permissions:grantRoleToAgencyOnProject.
policy GES Operation Dependent IAM Permission Importing IAM users iam:users:listUsers (custom policy), IAM ReadOnlyAccess (system policy), or Server Administrator role Creating or editing a user group iam:users:listUsers (custom policy), IAM ReadOnlyAccess (system policy), or Server
If the IAM user is not found due to insufficient permissions, manually import the IAM user by referring to User Details. Figure 2 Creating a user group Click Save in the lower right corner. The user group is created. The created user group is displayed on the User Groups page.
Domain name IAM account used to log in to the management console userName No. Mandatory for password-based authentication. Username IAM username used to log in to the management console password No. Mandatory for password-based authentication.
The IAM page is displayed. Choose Agencies in the left navigation pane. Then, delete any unnecessary agencies to ensure that GES has a sufficient quota for you to create an agency.
Configuring fine-grained permissions for the graph requires IAM user viewing permissions and GES Manager or higher permissions. If there is no IAM user viewing permission, refer to User Details to import IAM users.
GES uses the following infrastructure resources: IAM VPC OBS For details about how to view and increase quotas, see Quotas.
Instead, create IAM users and grant them permissions for routine management. User A user is created in IAM to use cloud services. Each user has its own identity credentials (password and access keys).
Figure 1 shows the response header fields for the IAM API used to obtain a user token. The x-subject-token header field is the desired user token. This token can then be used to authenticate the calling of other APIs.
Figure 5 Clicking Download Obtaining Token-based Authentication Information Query the IAM endpoint by referring to Regions and Endpoints.
Figure 5 Clicking Download Obtaining Token-based Authentication Information Query the IAM endpoint by referring to Regions and Endpoints.
When using a token for authentication, cache it to prevent frequently calling the IAM API used to obtain a user token. To obtain the token, the GES scope must be project (cannot be domain).