Admin: ucs-group-2-admin; Viewer: ucs-group-2-readonly. Step 1: Authorizing the IAM Administrator. Log in to the IAM console as the IAM administrator. In the navigation pane, choose User Groups. In the upper right corner, click Create User Group.
ReadOnlyAccess permission (read-only permissions on IAM) to IAM users to obtain the IAM user list.
Figure 1 Granting permissions Log in to the IAM console as the administrator and grant the UCS system policy permission to the user group of the IAM user. Select the system policy to be granted based on the operation scope.
For example, to obtain an IAM token in the CN-Hong Kong region, obtain the endpoint of IAM (iam.ap-southeast-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
In the first and third phases, UCS resource permissions are granted following the IAM system policies on the IAM console.
Authentication and Access: UCS provides refined permission management based on the role-based access control (RBAC) capability of IAM and Kubernetes. Permission control can be implemented for UCS service resources and for Kubernetes resources in a cluster.
API to obtain the IAM token.
verbs: - list - get Replace <user-id> with the IAM user ID and <group-id> with the IAM user group ID.
Figure 4 Choosing general settings Click Service Endpoints, click Create Service Endpoint, and select IAM user from the drop-down list. Figure 5 Configuring a service endpoint Configure IAM information for the service endpoint. For details, see Table 1.
UCS.00010012 400 IAM agency quota insufficient, please expand agency quota IAM agency quota exceeded. UCS.00010013 400 fail to get iam pdp authorize result Failed to obtain the PDP authentication result. UCS.00010014 403 iam pdp authentication denied PDP authentication rejected.
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User An IAM user is created by an account in IAM to use cloud services. Each IAM user has its own identity credentials (password and access keys).
Administrator: IAM Authorization Tenant Administrator performs IAM authorization for each functional team by creating four user groups, granting the UCS FullAccess, UCS CommonOperations, UCS CIAOperations, and UCS ReadOnlyAccess permissions to these user groups, and adding users to
Ensure that the IAM domain name resolution and the IAM service connectivity are normal.
Permission Configuration Granting UCS Permissions to IAM Users
Permissions UCS Permissions UCS Resource Permissions (IAM Authorization) Kubernetes Resource Permissions in a Cluster (RBAC Authorization) Kubernetes Resource Objects Example: Designing and Configuring Permissions for Users in a Company
Log in to the IAM console using your AWS account ID or account alias, and your IAM username and password. To obtain an AWS account ID, contact the administrator of your AWS account.