Creating a User and Granting Permissions This section describes how to use IAM to implement fine-grained permissions control for your TMS resources. With IAM, you can: Create IAM users for employees based on your organizational structure.
IAM is a global service. You can create an IAM user using the endpoint of IAM in any region.
You can use IAM to control access to your TMS resources. IAM permissions define which actions on your cloud resources are allowed or denied.
Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list.
If your Huawei Cloud account does not require IAM for permissions management, you can skip this section. IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see IAM Service Overview.
The token obtained from IAM is valid for only 24 hours. If you want to use a token for authentication, you can cache it to avoid frequently calling the IAM API.
With IAM, you can: Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to TMS resources. Grant only the permissions required for users to perform a task.
The following is part of the response body for the API used to create an IAM user. { "user": { "id": "c131886aec...
user name "password": "********", // IAM user password "domain": { "name": "domainname" // Name of the account to which the IAM user belongs } } } },
To ensure account security, create Identity and Access Management (IAM) users and grant them permissions for routine management. User An IAM user is created by an account in IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
For details about all system-defined permissions of services supported by IAM, see System-defined Permissions. For more information about the fine-grained permissions of each service, see the corresponding documentation of that service.
TMS API Actions
Table 1 API actions
Permission | API | Action | IAM Project | Enterprise Project
Querying predefined tags | GET /v1.0/predefine_tags | tms:predefineTags:list | Supported | Not supported
Creating predefined tags | POST /v1.0/predefine_tags/action | tms:predefineTags:create | Supported | Not
{Endpoint} is the IAM endpoint and can be obtained from Regions and Endpoints. For details about API authentication, see Authentication. The following is an example response.
If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions. Assume that you want to grant the permissions of the TMS FullAccess to a user but want to prevent them from deleting predefined tags.
When calling the Identity and Access Management (IAM) API to obtain a user token, set the scope field to domain. The value of X-Subject-Token in the response header is the user token.