Granting Permissions to Use the RFS Frontend Based on IAM Policies To simplify selection, the frontend page lists agencies authorized to RFS. However, if the current user lacks permission to read the IAM agency information, it will not be displayed.
Procedure Log in to the IAM console. On the IAM console, choose Agencies from the navigation pane on the left, and click Create Agency in the upper right corner. Figure 1 Creating an agency Enter an agency name. Set Cloud Service to RFS.
Stack set permission models Self-managed permissions: When using this permissions model, create IAM roles required by stack sets for deployment across accounts and Huawei Cloud regions.
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User An IAM user is created by an account in IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
{Endpoint} is the IAM endpoint and can be obtained from Regions and Endpoints. For details on API calling authentication, see Authentication. The following is an example response.
list", "iam:agencies:listV5" ] } ] } Parent topic: Granting Permissions to Use the RFS Frontend Based on IAM Policies
For details about the differences between IAM and enterprise projects, see What Are the Differences Between IAM and Enterprise Management?
Example: variable "iam_user_password" { type = string description = "The password for iam user to log in."
Identity authentication on the console RFS is interconnected with Identity and Access Management (IAM) to manage tenant identity authentication and access using IAM permissions.
The frontend requires only the "iam:agencies:list" and "iam:agencies:listV5" IAM action permissions. The IAMReadOnlyPolicy in step 3 may include unnecessary permissions.
With IAM, you can: Use your Huawei Cloud account to create IAM users or groups for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for using RFS.
With IAM, you can: Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for using RFS. Grant only the permissions required for users to perform a specific task.
For example, to obtain an IAM token in the CN North-Beijing4 region, obtain the endpoint of IAM (iam.cn-north-4.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
Creating a Stack Set Note: If the error shown in the following figure is displayed, grant permissions to the user by referring to Granting Permissions to Use the RFS Frontend Based on IAM Policies. 1.
* SERVICE_MANAGED: Based on the Organization service, RFS will automatically create all IAM agencies required when deploying organization member accounts.
Creating a Stack Note: If the error shown in the following figure is displayed, grant permissions to the user by referring to Granting Permissions to Use the RFS Frontend Based on IAM Policies.
Use fine-grained authorization to add iam:tokens:assume and required operation permissions to the agency.
It manages system and service resources (all physical or logical entities that can be located and described, such as databases, VPCs, pipelines, and IAM roles).