
Identity and Access Management

User Guide

Issue 18

Date 2021-03-27

HUAWEI TECHNOLOGIES CO., LTD.

Page 2: User Guide...By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach policies or roles to these groups. The user then

Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 18 (2021-03-27) Copyright © Huawei Technologies Co., Ltd. i

Page 3: User Guide...By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach policies or roles to these groups. The user then

Contents

1 Before You Start (p. 1)
2 Logging In to HUAWEI CLOUD (p. 6)
3 IAM Users (p. 13)
3.1 Creating an IAM User (p. 13)
3.2 Assigning Permissions to an IAM User (p. 16)
3.3 Logging In as an IAM User (p. 16)
3.4 Viewing or Modifying IAM User Information (p. 18)
3.5 Deleting an IAM User (p. 19)
3.6 Changing the Login Password of an IAM User (p. 19)
3.7 Managing Access Keys for an IAM User (p. 20)
4 User Groups and Authorization (p. 22)
4.1 Creating a User Group and Assigning Permissions (p. 22)
4.2 Adding Users to or Removing Users from a User Group (p. 28)
4.3 Viewing or Modifying User Group Information (p. 29)
4.4 Canceling Permissions of a User Group (p. 31)
4.5 Assigning Dependency Roles (p. 31)
5 Permissions (p. 33)
5.1 Basic Concepts (p. 33)
5.2 Roles (p. 34)
5.3 Policies (p. 36)
5.4 Change to the System-Defined Policy Names (p. 41)
5.5 Custom Policies (p. 45)
5.5.1 Creating a Custom Policy (p. 46)
5.5.2 Modifying or Deleting a Custom Policy (p. 52)
5.5.3 Custom Policy Use Cases (p. 53)
5.5.4 Cloud Services Supported by IAM (p. 55)
6 Projects (p. 57)
7 Agencies (p. 60)
7.1 Account Delegation (p. 60)
7.1.1 Delegating Resource Access to Another Account (p. 60)
7.1.2 Creating an Agency (by a Delegating Party) (p. 61)
7.1.3 (Optional) Assigning Permissions to an IAM User (by a Delegated Party) (p. 63)
7.1.4 Switching Roles (by a Delegated Party) (p. 65)
7.2 Cloud Service Delegation (p. 66)
8 Security Settings (p. 69)
8.1 Security Settings Overview (p. 69)
8.2 Basic Information (p. 71)
8.3 Critical Operation Protection (p. 72)
8.4 Login Authentication Policy (p. 80)
8.5 Password Policy (p. 81)
8.6 ACL (p. 82)
9 Identity Providers (p. 84)
9.1 Introduction (p. 84)
9.2 SAML-based Federated Identity Authentication (p. 86)
9.2.1 Configuration of SAML-based Federated Identity Authentication (p. 86)
9.2.2 Step 1: Create an Identity Provider (p. 89)
9.2.3 Step 2: Configure Identity Conversion Rules (p. 93)
9.2.4 Step 3: Configure Login Link in the Enterprise Management System (p. 97)
9.3 OpenID Connect–based Federated Identity Authentication (p. 98)
9.3.1 Configuration of OpenID Connect–based Federated Identity Authentication (p. 98)
9.3.2 Step 1: Create an Identity Provider (p. 99)
9.3.3 Step 2: Configure Identity Conversion Rules (p. 103)
9.3.4 Step 3: Configure Login Link in the Enterprise Management System (p. 106)
9.4 Syntax of Identity Conversion Rules (p. 107)
10 Custom Identity Broker (p. 114)
10.1 Enabling Custom Identity Broker Access (p. 114)
10.2 Creating a FederationProxyUrl Using an Agency (p. 117)
10.3 Creating a FederationProxyUrl Using a Token (p. 119)
11 MFA Authentication and Virtual MFA Device (p. 122)
11.1 MFA Authentication (p. 122)
11.2 Virtual MFA Device (p. 123)
12 Viewing IAM Operation Records (p. 126)
12.1 Enabling CTS (p. 126)
12.2 Viewing IAM Audit Logs (p. 129)
13 Change History (p. 131)


1 Before You Start

Intended Audience

The Identity and Access Management (IAM) service is intended for administrators, including:

● Account administrator (with full permissions for all services, including IAM)
● IAM users added to the admin group (with full permissions for all services, including IAM)
● IAM users assigned the Security Administrator role (with permissions to access IAM)

If you want to view, audit, and track the records of key operations performed on IAM, enable Cloud Trace Service (CTS). For details, see Enabling CTS.

Accessing the IAM Console

Step 1 Log in to HUAWEI CLOUD and click Console in the upper right corner.

Step 2 On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.


----End

Account

An account is created after you successfully register with HUAWEI CLOUD. Your account has full access permissions for your cloud services and resources and makes payments for the use of these resources. You cannot modify or delete your account in IAM, but you can do so in My Account.

After you log in to your account, you will see a user marked Enterprise administrator on the Users page of the IAM console.

IAM User

You and other administrators can create IAM users in IAM and assign permissions for specific resources. As shown in the following figure, James is an IAM user created by an administrator. IAM users can log in to HUAWEI CLOUD using their account name, username, and password, and then use resources based on assigned permissions. IAM users do not own resources and cannot make payments.

Relationship Between an Account and IAM Users

An account and its IAM users share a parent-child relationship. The account owns the resources and makes payments for the resources used by IAM users. It has full permissions for these resources. IAM users are created by an administrator, and only have the permissions granted by the administrator. The administrator can modify or cancel the IAM users' permissions at any time.


User Group

You can use user groups to assign permissions to IAM users. By default, new IAM users do not have permissions. To assign permissions to new users, add them to one or more groups, and grant permissions to these groups. The users then inherit permissions from the groups to which the users belong, and can perform specific operations on cloud services.

The default user group admin has all permissions required to use all of the cloud resources. Users in this group can perform operations on all the resources, including but not limited to creating user groups and users, assigning permissions, and managing resources.


Figure 1-1 Process of creating a user group and user

Permission

IAM provides common permissions of different services, such as administrator and read-only permissions, which you can assign to users. By default, new IAM users do not have permissions. To assign permissions to new users, add them to one or more groups, and assign permissions policies or roles to these groups. The users then inherit permissions from the groups to which the users belong, and can perform specific operations on cloud services.

● Roles: A type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. There are only a limited number of roles for granting permissions to users. When using roles to grant permissions, you also need to assign dependency roles. Roles are not an ideal choice for fine-grained authorization and secure access control.

● Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control. For example, you can grant Elastic Cloud Server (ECS) users only the permissions required for managing a certain type of ECS resources.

When an IAM user granted only ECS permissions accesses other services, a message similar to the following will be displayed.
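The account, IAM user, user group and policy relationship described above, worked through as an added example that is not part of this guide or of Huawei's implementation: the policy structure, the action names and the user-ID scheme are constructed for the illustration.

```python
# Constructed model of the permission model this guide describes: the account
# has full access, IAM users start with nothing, user groups carry policies or
# roles, and users inherit the union of the policies of the groups they belong
# to. Policy format and action names are assumptions made for this example.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Policy:
    """A named set of allowed action patterns (shell-style wildcards).
    A fine-grained policy lists specific actions; a coarse role is modelled
    the same way with a service-level pattern such as "ecs:*"."""
    name: str
    allowed: tuple


@dataclass
class UserGroup:
    name: str
    policies: list = field(default_factory=list)
    members: set = field(default_factory=set)   # unique user IDs, not names


class Account:
    """The account owns the resources and has full permissions on them."""

    def __init__(self, name):
        self.name = name
        self.users = {}          # username -> unique user ID
        self._next_id = 1
        # The default admin group has all permissions for all resources.
        self.groups = {"admin": UserGroup("admin", [Policy("FullAccess", ("*",))])}

    def create_user(self, username):
        user_id = f"{username}-{self._next_id}"   # constructed ID scheme
        self._next_id += 1
        self.users[username] = user_id
        return user_id

    def delete_user(self, username):
        user_id = self.users.pop(username)
        for group in self.groups.values():
            group.members.discard(user_id)

    def create_group(self, name, policies=()):
        self.groups[name] = UserGroup(name, list(policies))

    def add_user_to_group(self, username, group):
        self.groups[group].members.add(self.users[username])

    def is_allowed(self, principal, action):
        """Evaluate one action for the account itself or for an IAM user."""
        if principal == self.name:
            return True                      # the account has full access
        user_id = self.users.get(principal)
        if user_id is None:
            return False
        # Effective permissions: union of the policies of every group the user is in.
        for group in self.groups.values():
            if user_id in group.members:
                for policy in group.policies:
                    if any(fnmatchcase(action, pat) for pat in policy.allowed):
                        return True
        return False                         # deny by default


def demo():
    """Walk through the guide's scenario and return the outcomes."""
    acct = Account("company-a")
    acct.create_user("James")
    result = {"new_user_denied": not acct.is_allowed("James", "ecs:servers:list")}

    # A fine-grained policy: only list/read actions on ECS resources.
    acct.create_group("ecs-viewers", [Policy("ECSReadOnly", ("ecs:*:list", "ecs:*:get"))])
    acct.add_user_to_group("James", "ecs-viewers")
    result["ecs_list_allowed"] = acct.is_allowed("James", "ecs:servers:list")
    result["ecs_create_denied"] = not acct.is_allowed("James", "ecs:servers:create")
    # An ECS-only user touching another service is refused.
    result["other_service_denied"] = not acct.is_allowed("James", "evs:volumes:list")

    # Deleting a user and creating a new one with the same name does not
    # bring the old group memberships back; permissions must be granted again.
    acct.delete_user("James")
    acct.create_user("James")
    result["recreated_user_denied"] = not acct.is_allowed("James", "ecs:servers:list")

    # Members of the default admin group, like the account, can do everything.
    acct.create_user("Alice")
    acct.add_user_to_group("Alice", "admin")
    result["admin_allowed"] = acct.is_allowed("Alice", "iam:users:create")
    result["account_allowed"] = acct.is_allowed("company-a", "iam:users:create")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```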


2 Logging In to HUAWEI CLOUD

You can log in to HUAWEI CLOUD using any of the accounts shown in Figure 2-1.

● HUAWEI CLOUD account: Created after you successfully register with HUAWEI CLOUD. Your account has full access permissions for your cloud resources and makes payments for the use of these resources. To log in to HUAWEI CLOUD using an account, do as follows:
  – Logging In Using a HUAWEI ID: A HUAWEI ID is a unified identity that you can use to access all Huawei services.
  – Logging In Using Other Accounts: When logging in using a Huawei official website account or Huawei enterprise partner account for the first time, associate these accounts with an existing or a new HUAWEI CLOUD account. At the next login, you can directly log in using the Huawei official website account or Huawei enterprise partner account. Alternatively, you can use the HUAWEI CLOUD account to log in.
  – Logging In Using a HUAWEI CLOUD Account: Use your HUAWEI CLOUD account to log in. If this is the first time you use HUAWEI CLOUD, you need to register an account.

● IAM user: Created using your HUAWEI CLOUD account to use cloud services. You can grant IAM users permissions for specific resources.
  – Logging In as an IAM User: Your account and IAM users share a parent-child relationship. IAM users are created by an administrator to use specific cloud services.

Figure 2-1 Logging in to HUAWEI CLOUD using different accounts


Logging In Using a HUAWEI ID

A HUAWEI ID is a unified identity that you can use to access all Huawei services. When logging in to the HUAWEI CLOUD console using a HUAWEI ID, you can enter a mobile number, email address, login ID, or HUAWEI CLOUD account name.

NOTE

Currently, HUAWEI CLOUD accounts registered at the HUAWEI CLOUD international website cannot be upgraded to HUAWEI IDs. To log in to HUAWEI CLOUD, enter your HUAWEI CLOUD account and password on the HUAWEI ID login page.

To log in using a HUAWEI ID, do as follows:

Step 1 On the login page, enter your mobile number, email address, login ID, or HUAWEI CLOUD account name, enter the password, and then click LOG IN.

Figure 2-2 Logging in using a HUAWEI ID

NOTE

● You can enter a HUAWEI CLOUD account or a HUAWEI ID that has been used to enable HUAWEI CLOUD services.

● If you enter a HUAWEI ID whose mobile number or email address has been used to enable HUAWEI CLOUD services, go to step 2.

● If you enter a HUAWEI ID whose mobile number or email address has not been used to enable HUAWEI CLOUD services, go to step 3.

Step 2 Select the account you want to use for login.

If the mobile number or email address you entered has been used to register a HUAWEI ID and HUAWEI CLOUD account, select an account for login.


● Select the HUAWEI ID and click OK. Then, go to step 3.
● Select the HUAWEI CLOUD account and click OK. The login is successful.

Step 3 Click Obtain code, enter the verification code, and click OK.

If you have already associated both a mobile number and email address with your HUAWEI ID, you can choose mobile number or email address verification.

Step 4 In the Trust this browser? dialog box, click Trust.

Step 5 Confirm the authorization information and click Authorize and log in.

Step 6 (Optional) If the mobile number or email address you entered has been used to register HUAWEI CLOUD accounts, select an account, and associate it with your HUAWEI ID.

NOTE

After you associate a HUAWEI CLOUD account with your HUAWEI ID, you can use the HUAWEI ID to access HUAWEI CLOUD, HUAWEI Developers, Vmall, and other Huawei services.

● Associating a HUAWEI CLOUD account with your HUAWEI ID

a. Select a HUAWEI CLOUD account and click Next.
b. Enter the password of the HUAWEI CLOUD account and click Next.
c. Confirm the HUAWEI ID information and click OK.
d. Click OK. The HUAWEI CLOUD homepage is displayed.

NOTE

▪ After you perform the preceding steps, your HUAWEI CLOUD account is associated with your HUAWEI ID and becomes invalid. You need to use the HUAWEI ID for the next login.

▪ If the upgrade fails, see "What Can I Do If the Upgrade to a HUAWEI ID Fails?" in the IAM FAQs.

● Enabling HUAWEI CLOUD services

Click Skip This Step and Enable HUAWEI CLOUD Services, and go to step 7.

Step 7 Read the agreements carefully. If you agree with them, click Enable. The Complete Information page is displayed.

Then you can log in to HUAWEI CLOUD.

----End

Logging In Using Other Accounts

If you already have a Huawei official website account or Huawei enterprise partner account, you can use them to log in to HUAWEI CLOUD and do not need to register a new account.

The following procedure describes how to use an account of the Huawei official website to log in to HUAWEI CLOUD.

Step 1 On the login page, click Huawei Official Website, as shown in Figure 2-3.


Figure 2-3 Logging in using a Huawei official website account

Step 2 Log in using your Huawei official website account.

● If this is the first login, you will be requested to bind your Huawei official website account to an existing or a new HUAWEI CLOUD account. To create a new HUAWEI CLOUD account, enter the account name, mobile number, and verification code. Click Create and Bind.

● If this is not the first login, you can directly log in using your Huawei official website account.

Step 3 Alternatively, use the HUAWEI CLOUD account name or mobile number set in step 2 to log in to the HUAWEI CLOUD console. You can change your password in My Account.

----End

Logging In Using a HUAWEI CLOUD Account

If you have a HUAWEI CLOUD account, you can use it to log in to HUAWEI CLOUD. The account owns resources you purchase, makes payments for the use of these resources, and has full access permissions for them. You can use the account to reset user passwords and assign permissions. When using the account to log in to the HUAWEI CLOUD console, you can choose account/email login or mobile number login.

NOTE

If your HUAWEI CLOUD account has been upgraded to a HUAWEI ID, use the HUAWEI ID to log in. For details, see Logging In Using a HUAWEI ID.

To log in using a HUAWEI CLOUD account, do as follows:


Step 1 On the login page, click HUAWEI CLOUD Account, as shown in Figure 2-4.

Figure 2-4 Logging in using a HUAWEI CLOUD account

Step 2 Enter your account information and click Log In.

● Account name or email: The account name or the email address associated with the account.

NOTE

Account names are case-insensitive.

● Password: The login password of the account. If you have forgotten your login password, reset it on the login page.

● Mobile number: If you have forgotten the account name, click Mobile Number Login, and enter the associated mobile number and the login password to log in.

----End

Logging In as an IAM User

IAM users can be created using your HUAWEI CLOUD account or by an administrator. Each IAM user has their own identity credentials (password and access keys) and uses cloud resources based on assigned permissions. IAM users do not own resources and cannot make payments.

An account and its IAM users share a parent-child relationship.


Figure 2-5 Account and IAM users

To log in as an IAM user, do as follows:

Step 1 Click IAM User on the login page, and then enter your account name, IAM username/email address, and password.

Figure 2-6 Logging in as an IAM user

● Tenant name or HUAWEI CLOUD account name: The name of the account that was used to create the IAM user, that is, the HUAWEI CLOUD account. You can obtain the account name from the administrator.

● IAM user name or email address: The username or email address of the IAM user. You can obtain the username and password from the administrator.

● IAM user password: The password of the IAM user (not the password of the account).

Step 2 Click Log In.

----End


3 IAM Users

Creating an IAM User

Assigning Permissions to an IAM User

Logging In as an IAM User

Viewing or Modifying IAM User Information

Deleting an IAM User

Changing the Login Password of an IAM User

Managing Access Keys for an IAM User

3.1 Creating an IAM User

If you are an administrator, you can use IAM to implement fine-grained access control on HUAWEI CLOUD services, such as ECS, Elastic Volume Service (EVS), and Bare Metal Server (BMS), and their resources. You can create IAM users and grant them permissions required to perform operations on specific resources. Each IAM user has their own credentials for logging in to HUAWEI CLOUD.

By default, new IAM users do not have permissions. To assign permissions to new users, add them to one or more groups, and grant permissions to these groups. The users then inherit permissions from the groups to which the users belong, and can perform specific operations on cloud services.

NOTE

If you delete a user and create a new user with the same name, you need to grant the required permissions to the new user.

The default user group admin has all permissions required to use all of the cloud resources. Users in this group can perform operations on all the resources, including but not limited to creating user groups and users, modifying permissions, and managing resources.


Procedure

Step 1 Log in to the IAM console using a HUAWEI CLOUD account.

Step 2 On the IAM console, choose Users from the navigation pane, and click Create User in the upper right corner.

Step 3 Specify the user information on the Create User page. To create more users, click Add User. You can add a maximum of 10 users at a time.

NOTE

● You cannot bind the mobile number and email address associated with your account to IAM users.

● Users who have access to the management console can log in to HUAWEI CLOUD using the username, email address, or mobile number.

● If users forget their password, they can reset it through email address or mobile number verification. If no email address or mobile number has been bound to users, they need to request the administrator to reset their password.

Step 4 Select an access type and click Next.

● Programmatic access: Select this option to allow the user to access HUAWEI CLOUD services using development tools, such as APIs, CLI, and SDKs. You can generate an access key or set a password for the user.

● Management console access: Select this option to allow the user to access HUAWEI CLOUD services using the management console. You can set or generate a password for the user or request the user to set a password at first login.

NOTE

– If an IAM user accesses HUAWEI CLOUD services only by using the management console, specify the access type as Management console access and the credential type as Password.

– If the user accesses HUAWEI CLOUD services only through programmatic calls, specify the access type as Programmatic access and the credential type as Access key.

– If the user needs to use a password as the credential for programmatic access to certain APIs, specify the access type as Programmatic access and the credential type as Password.

– If the user needs to perform access key verification when using certain services in the console, specify the access type as "Programmatic access + Management console access" and the credential type as "Access Key + Password". For example, the user needs to perform access key verification when creating a data migration job in the Cloud Data Migration (CDM) console.

Table 3-1 Setting the credential type and login protection

● Access key: After you create the user, you can download the access key (AK/SK) generated for the user. Each user can have a maximum of two access keys.

● Password
  – Set now: Select this option if you are the user. Then, set a password for login. You can choose whether to reset your password at first login.
  – Automatically generated: The system automatically generates a login password for the user. After the user is created, you can download the EXCEL password file and provide the password to the user. This option is available only when you create a single user.
  – Set by user: If you are the administrator setting the password for the user, select this option and enter an email address and a mobile number. The user can then set a password by clicking the one-time login URL sent over email.

● Login protection
  – Enable (Recommended): If login protection is enabled, the user will need to enter a verification code in addition to the username and password during login. Enable this function for account security. You can choose from SMS-, email-, and virtual MFA-based login verification.
  – Disable: If login protection is disabled, you can enable it later by following the instructions provided in Modifying IAM User Information.

Step 5 (Optional) Click Next and add the user to one or more user groups.

● The user will inherit the permissions assigned to the user groups to which the user belongs.

● You can also create new groups as required.

NOTE

● If a user will be an administrator, add the user to the default group admin.

● You can add a user to multiple user groups.

Step 6 Click Next.

● If you have specified the access type as Programmatic access in step 4, you can download the access key on the Finish page.

● If you have specified the credential type as "Password > Automatically generated" in step 4, you can download the password file on the Finish page.

Hand the downloaded access key or password file to the user over a protected channel and delete your own copy afterwards. The secret access key does not expire on its own, so a copy left in a download folder or mailbox is a long-lived credential.


Figure 3-1 Users created successfully

----End

3.2 Assigning Permissions to an IAM User

An IAM user obtains permissions from the user groups to which the user belongs. After you attach policies or roles to the group and add the user to the group, the user inherits the permissions defined by the policies or roles.

● If you do not add an IAM user to any group, the user will not have permissions for accessing any cloud services. For details on how to assign permissions to an IAM user, see Creating a User Group and Assigning Permissions and Adding Users to or Removing Users from a User Group.

● If you add an IAM user to the default group admin, the user becomes an administrator and has full permissions to perform all operations on all cloud services.

● For the permissions of all cloud services, see System Permissions.

● If you add a user to multiple user groups, the user inherits the permissions assigned to all of those groups. If the groups carry conflicting permissions for the same service, the more restrictive result applies: an explicit Deny in one group's policy takes precedence over an Allow granted through another group (see the Effect parameter under Roles).

3.3 Logging In as an IAM User

You can log in to HUAWEI CLOUD as an IAM user by clicking IAM User on the login page or by using the IAM user login link.

Method 1: Logging In by Clicking IAM User

Step 1 Click IAM User on the login page, and then enter your account name, IAM username/email address, and password.


Figure 3-2 Logging in as an IAM user

● Tenant name or HUAWEI CLOUD account name: The name of the account that was used to create the IAM user, that is, the HUAWEI CLOUD account. You can obtain the account name from the administrator.

● IAM user name or email address: The username or email address of the IAM user. You can obtain the username and password from the administrator.

● IAM user password: The password of the IAM user (not the password of the account).

Step 2 Click Log In.

NOTE

● If you have not been added to any group, you do not have permissions for accessing any cloud services. In this case, contact the administrator and request the required permissions (see Creating a User Group and Assigning Permissions and Adding Users to or Removing Users from a User Group).

● If you have been added to the default group admin, you have administrator permissions and you can perform all operations on all cloud services.

----End

Method 2: Logging In Using the IAM User Login Link

You can use the link that you obtain from the administrator to log in. When you visit the link, the system displays the login page and automatically populates the account name. You only need to enter your username and password.

Step 1 Obtain the IAM user login link from the administrator. The administrator can obtain this link on the Users page of the IAM console.

Step 2 Paste the link into the address bar of a browser, press Enter, enter the IAM user name/email address and password, and click Log In.

----End


3.4 Viewing or Modifying IAM User Information

As an administrator, you can modify the basic information about an IAM user and change the security settings of the user and the groups to which the user belongs. To view or modify user information, click Security Settings in the row containing the IAM user.

Viewing or Modifying Basic Information

You can view the basic information, including the name, ID, creation time, status, access type, and description of each IAM user. The username, user ID, and creation time cannot be modified.

● Status: New IAM users are enabled by default. You can set Status to Disabled to disable the IAM user. The IAM user is no longer able to log in to HUAWEI CLOUD through the management console or programmatic access.

● Access Type: Change the access type of the IAM user.

NOTE

● Pay attention to the following when you set the access type of an IAM user:
  – If the user accesses HUAWEI CLOUD services only by using the management console, specify the access type as Management console access and the credential type as Password.
  – If the user accesses HUAWEI CLOUD services only through programmatic calls, specify the access type as Programmatic access and the credential type as Access key.
  – If the user needs to use a password as the credential for programmatic access to certain APIs, specify the access type as Programmatic access and the credential type as Password.
  – If the user needs to perform access key verification when using certain services in the console, specify the access type as "Programmatic access + Management console access" and the credential type as "Access Key + Password". For example, the user needs to perform access key verification when creating a data migration job in the Cloud Data Migration (CDM) console.

● If the access type of the user is Programmatic access or "Programmatic access + Management console access", deselecting Programmatic access will restrict the user's access to HUAWEI CLOUD. Exercise caution when performing this operation.

● Description: Modify the description of the IAM user.

Changing User Groups

An IAM user inherits permissions from the groups to which the user belongs. To change the permissions of an IAM user, you need to change the groups to which the user belongs. For details, see Modifying User Group Permissions.

Your HUAWEI CLOUD account belongs to the default group admin, which cannot be changed.

● Click Add to User Groups, and select one or more groups to add the user to. The user then inherits the permissions of these groups.


● To cancel the permissions of the user in a user group, click the delete icon on the right of the group, and click OK.

Modifying Security Settings

● MFA Authentication: You can change the multi-factor authentication (MFA) settings of an IAM user on the Security Settings page. If you want to change the MFA settings of your HUAWEI CLOUD account, go to the Critical Operations page.
  – Change the mobile number or email address of the user.
  – Bind a virtual MFA device to the user, or remove or unbind the MFA device from the user. For more information about MFA authentication and virtual MFA devices, see MFA Authentication and Virtual MFA Device.

● Login Credentials: You can change the login password of the IAM user. For more information, see Changing the Login Password of an IAM User.

● Login Protection: You can change the login verification method of the IAM user. Three verification methods are available: virtual MFA device, SMS, and email. This option is disabled by default. If you enable this option, the user will need to enter a verification code in addition to the username and password when logging in to the console.

● Access Keys: You can manage access keys of the IAM user. For more information, see Managing Access Keys for an IAM User.

3.5 Deleting an IAM User

CAUTION

If an IAM user is deleted, all data of the user will be deleted and cannot be recovered. Exercise caution when performing this operation. If you want to remove an IAM user from a user group, see Adding Users to or Removing Users from a User Group. If you only need to stop a user from logging in, for example while an incident is being investigated, set the user's Status to Disabled instead (see Viewing or Modifying IAM User Information): disabling is reversible and keeps the user's access keys and group memberships available for review.

Procedure

Step 1 Log in to the IAM console. In the navigation pane, choose Users.

Step 2 Click Delete in the row containing the IAM user you want to delete, and click Yes.

----End

3.6 Changing the Login Password of an IAM User

As an administrator, you can reset the password of an IAM user if the user has forgotten the password and no email address or mobile number has been bound to the user.

To reset the login password of an IAM user, click Security Settings in the row containing the user, and select a password type.


NOTE

● The Security Settings tab page is only used for resetting the password of an IAM user.

● If IAM users remember their passwords, they can change the passwords on the Basic Information tab page by referring to Basic Information. If you want to change the password of your account, see How Do I Change My Password?

● Set by user: The user clicks the one-time login URL received by email and sets a new password.

● Automatically generated: Download the password file and provide the automatically generated password to the user.

● Set now: Set a new password for the user and provide the password to the user.

3.7 Managing Access Keys for an IAM User

An access key comprises an access key ID (AK) and secret access key (SK) pair that is used when HUAWEI CLOUD is accessed using development tools, including APIs, CLI, and SDKs. Access keys cannot be used to log in to the console. The AK is a unique identifier that is sent with each request; the SK is used to compute a cryptographic signature over the request and must never be sent or shared. The signature lets the service verify who sent the request and that it was not altered in transit. It does not encrypt the request, so treat the SK like a password and make API calls only over HTTPS.

As an administrator, you can manage access keys for IAM users who do not have permissions to log in to the console, if the users have forgotten their access keys.

Click Security Settings in the row containing the IAM user, and then create or delete access keys.

NOTE

● If a user is authorized to use the console, the user can manage access keys on the My Credentials page.

● Access keys are identity credentials used to call APIs. The account administrator and IAM users can only use their own access keys to call APIs.

● Creating an access key

a. Click Create Access Key.

NOTE

Access keys have unlimited validity, and each user can have a maximum of two access keys. For security purposes, change the access keys of IAM users periodically: create the second key, move every consumer of the old key to the new one, disable the old key, and delete it only after confirming that nothing still uses it. Because each user can hold two keys at once, this rotation can be done without an outage.

b. Enter the verification code.


c. Click OK. The access key is automatically generated. Download the access key and provide it to the user.

● Deleting an access key

a. In the access key list, click Delete in the row containing the access key to be deleted.

b. Enter the verification code.

c. Click Yes.

● Enabling/Disabling an access key

New access keys are enabled by default. To disable an access key, perform the following steps:

a. In the access key list, click Disable in the row containing the access key you want to disable.

b. Enter the verification code, and click Yes.

The method of enabling an access key is similar to that of disabling an access key.
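The following is an added example, not code from this guide or from HUAWEI CLOUD's SDKs. It shows why the AK and the SK play different roles in the access-key mechanism described in this section: the client sends the AK and an HMAC-SHA256 signature computed with the SK, the service recomputes the signature from the SK it holds for that AK, and a disabled key, a stale timestamp or a tampered request is rejected. The canonical-request layout, the header names, the key store and the request data are constructed for illustration and are not HUAWEI CLOUD's actual signing algorithm or API.

```python
"""Added example (not HUAWEI CLOUD's own SDK or signing code): a simplified
AK/SK request-signing exchange.  The canonical-request layout, header names
and key store below are constructed for illustration."""
import calendar
import hashlib
import hmac
import time

# Constructed key store as the service side would hold it: AK -> SK and status.
# The status field models the Enable/Disable switch in the access key list.
KEY_STORE = {
    "AKEXAMPLE01": {"sk": "constructed-secret-key-do-not-reuse", "status": "enabled"},
    "AKEXAMPLE02": {"sk": "another-constructed-secret", "status": "disabled"},
}

TS_FORMAT = "%Y%m%dT%H%M%SZ"
MAX_SKEW_S = 900  # reject requests whose timestamp is more than 15 min from the service clock


def parse_timestamp(ts):
    """Parse the request timestamp (UTC) into seconds since the epoch; ValueError if malformed."""
    return calendar.timegm(time.strptime(ts, TS_FORMAT))


def canonical_request(method, path, timestamp, body):
    """Bind the signature to method, path, time and a hash of the body so that changing
    any of them invalidates it.  The body is hashed, not encrypted: the signature gives
    integrity and authenticity, not secrecy."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash])


def sign_request(ak, sk, method, path, body, timestamp=None):
    """Client side: build the headers to send.  Only the AK travels with the request;
    the SK keys the HMAC and never leaves the client."""
    timestamp = timestamp or time.strftime(TS_FORMAT, time.gmtime())
    digest = hmac.new(sk.encode(), canonical_request(method, path, timestamp, body).encode(),
                      hashlib.sha256).hexdigest()
    return {"ak": ak, "timestamp": timestamp, "signature": digest}


def verify_request(headers, method, path, body, now=None):
    """Service side: look up the SK by AK, check key status and timestamp freshness,
    recompute the HMAC and compare it in constant time.  Returns (accepted, reason)."""
    record = KEY_STORE.get(headers.get("ak"))
    if record is None:
        return False, "unknown access key"
    if record["status"] != "enabled":
        return False, "access key disabled"
    try:
        sent = parse_timestamp(headers.get("timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = time.time() if now is None else now
    if abs(now - sent) > MAX_SKEW_S:
        return False, "timestamp outside allowed skew"
    expected = hmac.new(record["sk"].encode(),
                        canonical_request(method, path, headers["timestamp"], body).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("signature", "")):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Run the exchange with a fixed timestamp so the outcome is reproducible."""
    ts = "20210327T120000Z"
    now = parse_timestamp(ts) + 5  # the service clock is 5 s ahead of the client
    body = b'{"name": "constructed-migration-job"}'
    hdrs = sign_request("AKEXAMPLE01", KEY_STORE["AKEXAMPLE01"]["sk"], "POST", "/v1/jobs", body, ts)
    results = {
        "valid": verify_request(hdrs, "POST", "/v1/jobs", body, now),
        "tampered_body": verify_request(hdrs, "POST", "/v1/jobs", b'{"name": "other-job"}', now),
        "wrong_path": verify_request(hdrs, "POST", "/v1/jobs/99", body, now),
        "replayed_late": verify_request(hdrs, "POST", "/v1/jobs", body, now + 3600),
        # the SK must not appear anywhere in what is sent
        "sk_in_headers": any(KEY_STORE["AKEXAMPLE01"]["sk"] in v for v in hdrs.values()),
    }
    hdrs2 = sign_request("AKEXAMPLE02", KEY_STORE["AKEXAMPLE02"]["sk"], "POST", "/v1/jobs", body, ts)
    results["disabled_key"] = verify_request(hdrs2, "POST", "/v1/jobs", body, now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two points the exchange makes concrete: the headers carry the AK and a signature but never the SK, which is why a leaked AK alone is useless but a leaked SK is a full credential; and the request body is only hashed, so it is still readable on the wire, which is why the transport has to be HTTPS.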


4 User Groups and Authorization

Creating a User Group and Assigning Permissions

Adding Users to or Removing Users from a User Group

Viewing or Modifying User Group Information

Canceling Permissions of a User Group

Assigning Dependency Roles

4.1 Creating a User Group and Assigning Permissions

As an administrator, you can create user groups, and grant them permissions by attaching policies or roles. Users you add to the user groups inherit permissions of the policies or roles. IAM provides administrator permissions and read-only permissions for each cloud service, which you can assign to user groups. Users in the groups can then use cloud services based on the assigned permissions. For details about the permissions of all cloud services, see System Permissions.

Prerequisites

Before creating a user group, complete the following operations:

● Understand the basic concepts of permissions.

● Plan the permissions required for the user group. Table 4-1 shows the permissions of IAM. For the permissions of other services, see System Permissions.

● Check whether the roles you will attach to the user group have dependencies. For more information, see Assigning Dependency Roles.


Table 4-1 System-defined roles and policies of IAM

● IAM ReadOnlyAccess (scope: Global): Read-only permissions for IAM.

● Security Administrator (scope: Global): Administrator permissions for IAM, including but not limited to the following:
  – Creating, modifying, and deleting IAM users
  – Creating, modifying, and deleting user groups, and granting them permissions
  – Creating, modifying, and deleting custom policies
  – Creating and modifying projects
  – Creating, modifying, and deleting agencies
  – Creating, modifying, and deleting identity providers
  – Configuring account security settings
  Users who are granted only these permissions can use the IAM service but cannot switch roles.

● Agent Operator (scope: Global): Permissions required for switching to a delegating account to manage its resources. Users who are granted only these permissions cannot use the IAM service.

Creating a User Group

Step 1 Log in to HUAWEI CLOUD and click Console in the upper right corner.

Step 2 On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.

Step 3 On the IAM console, choose User Groups from the navigation pane, and click Create User Group in the upper right corner.

Step 4 Enter a user group name, for example, Developers.


Step 5 Click OK.

----End

Assigning Permissions to a User Group

To assign permissions to a user group, do as follows:

Step 1 In the user group list, choose Manage Permissions in the row containing the Developers group.

Step 2 On the Permissions tab page, click Assign Permissions.

Step 3 Specify the scope. If you select Region-specific projects, select one or more projects in the drop-down list.

● Global service project: Services deployed without specifying physical regions are called global services, such as Object Storage Service (OBS), Content Delivery Network (CDN), and Tag Management Service (TMS). Permissions for these services must be assigned in the global service project.

● Region-specific projects: Services deployed in specific regions are called project-level services. Permissions for these services need to be assigned in region-specific projects and take effect only for the corresponding regions.
  – All projects: Permissions take effect for both the global service project and region-specific projects, including projects created later.
  – Region-specific projects: Permissions take effect for the region-specific projects you select.

Because All projects also covers projects created later, a grant with that scope silently extends to every region the account enables in future. Name the projects explicitly unless the group genuinely needs account-wide reach.


Step 4 Select policies or roles and click OK.

NOTE

If the permissions you select have dependencies, the system automatically selects all the dependency permissions. Click View Selected or expand the details area to view the dependency permissions.

----End

Table 4-2 lists the common permissions. For the complete list of service-specific permissions, see System Permissions.

NOTE

● If you add a user to multiple groups, the user will inherit all the permissions that have been assigned to the groups.

● For more information about permissions management, see Assigning Dependency Roles and Custom Policy Use Cases.

Table 4-2 Common permissions

General administration
● FullAccess: Full permissions for services supporting policy-based access control. Scope: Global.

Resource management
● Tenant Administrator: Administrator permissions for all services except IAM. Scope: All regions.

Viewing resources
● Tenant Guest: Read-only permissions for all resources. Scope: All regions.

IAM user management
● Security Administrator: Administrator permissions for IAM. Scope: Global.

Accounting management
● BSS Administrator: Administrator permissions for Billing Center, including managing invoices, orders, contracts, and renewals, and viewing bills. Scope: Specific regions.
  NOTE: This role depends on the BSS Administrator role to take effect.

Computing O&M
● ECS FullAccess: Administrator permissions for ECS. Scope: Specific regions.
● CCE FullAccess: Administrator permissions for Cloud Container Engine (CCE). Scope: Specific regions.
● CCI FullAccess: Administrator permissions for Cloud Container Instance (CCI). Scope: Specific regions.
● BMS FullAccess: Administrator permissions for Bare Metal Server (BMS). Scope: Specific regions.
● IMS FullAccess: Administrator permissions for Image Management Service (IMS). Scope: Specific regions.
● AutoScaling FullAccess: Administrator permissions for Auto Scaling (AS). Scope: Specific regions.

Network O&M
● VPC FullAccess: Administrator permissions for Virtual Private Cloud (VPC). Scope: Specific regions.
● ELB FullAccess: Administrator permissions for Elastic Load Balance (ELB). Scope: Specific regions.

Database O&M
● RDS FullAccess: Administrator permissions for Relational Database Service (RDS). Scope: Specific regions.
● DDS FullAccess: Administrator permissions for Document Database Service (DDS). Scope: Specific regions.
● DDM FullAccess: Administrator permissions for Distributed Database Middleware (DDM). Scope: Specific regions.

Security O&M
● Anti-DDoS Administrator: Administrator permissions for Anti-DDoS. Scope: Specific regions.
● CAD Administrator: Administrator permissions for Advanced Anti-DDoS (AAD). Scope: Specific regions.
● WAF Administrator: Administrator permissions for Web Application Firewall (WAF). Scope: Specific regions.
● VSS Administrator: Administrator permissions for Vulnerability Scan Service (VSS). Scope: Specific regions.
● CGS Administrator: Administrator permissions for Container Guard Service (CGS). Scope: Specific regions.
● KMS Administrator: Administrator permissions for Key Management Service (KMS), which has been renamed Data Encryption Workshop (DEW). Scope: Specific regions.
● DBSS System Administrator: Administrator permissions for Database Security Service (DBSS). Scope: Specific regions.
● SES Administrator: Administrator permissions for Security Expert Service (SES). Scope: Specific regions.
● SC Administrator: Administrator permissions for SSL Certificate Manager (SCM). Scope: Specific regions.

4.2 Adding Users to or Removing Users from a User Group

A user inherits permissions from the groups to which the user belongs. To change the permissions of a user, add the user to a new group or remove the user from an existing group.

Adding Users to a User Group

Step 1 In the user group list, click Manage User in the row containing the Developers group.

Step 2 In the Manage User dialog box, select the usernames to be added.

Step 3 Click OK.

----End


Removing Users from a User Group

Step 1 In the user group list, click Manage User in the row containing the Developers group.

Step 2 In the Selected Users area, click the X mark on the right of the usernames to be removed and click OK.

Figure 4-1 Removing users from a user group

----End

4.3 Viewing or Modifying User Group Information

Viewing User Group Information

In the user group list, click the expand icon next to a user group to view its basic information, assigned permissions, and managed users.


Modifying User Group Permissions

You can assign new permissions to or cancel the existing permissions of a user group in the policy view or project view.

● Changing the authorization scope in the policy view

a. Choose User Groups in the navigation pane, and click Manage Permissions in the row containing the user group you want to modify. On the Permissions tab page, select Policy View.

b. Click Change Project on the right of a policy or role.

Figure 4-2 Changing projects

c. On the Change Project page, select or deselect desired projects.

d. Click OK.

● Modifying permissions for certain projects in the project view

a. Choose User Groups in the navigation pane, and click Manage Permissions on the right of a user group. On the Permissions tab page, select Project View.

b. Click Modify Permissions on the right of a project.

c. Select or deselect desired policies or roles, and click OK.

Modifying User Group Name and Description

In the user group list, click Modify in the row containing the user group whose name and description you want to modify, and modify the name and description.

NOTE

If the user group name has been configured in the identity conversion rules of an identity provider, modifying the user group name will cause the identity conversion rules to fail. Exercise caution when performing this operation.

Managing Users

1. In the user group list, click Manage User in the row containing the user group you want to modify.

2. In the Available Users area, select users you want to add to the user group.

3. In the Selected Users area, remove users from the user group.

NOTE

For the default group admin, you can only manage its users and cannot modify its description or permissions.


4.4 Canceling Permissions of a User Group

To cancel certain permissions of a user group, do as follows:

Step 1 Log in to the IAM console. In the navigation pane, choose User Groups.

Step 2 Click the name of the user group to go to the group details page.

Step 3 On the Permissions tab page, select Policy View, and then click Remove in the row containing the permission you want to remove, as shown in Figure 4-3.

Figure 4-3 Canceling permissions

Step 4 In the displayed Remove Policy/Role dialog box, click Yes.

----End

4.5 Assigning Dependency Roles

HUAWEI CLOUD services interwork with each other. Roles of some services take effect only if they are assigned along with roles of other services.

Procedure

Step 1 Search for the role that you want to attach to a user group.

Step 2 Click the expand icon next to the role to view the content.

For example, the VBS Administrator role contains the Depends parameter which specifies the dependency roles. When you assign the VBS Administrator role to a user group, you also need to assign the Server Administrator and Tenant Guest roles to the group in the same project.

Step 3 Search for and select Server Administrator and Tenant Guest and assign them to the user group for the same project as VBS Administrator.


Step 4 Click OK.

----End


5 Permissions

Basic Concepts

Roles

Policies

Change to the System-Defined Policy Names

Custom Policies

5.1 Basic Concepts

Permission

By default, new IAM users do not have permissions. To assign permissions to new users, add them to one or more groups, and assign permissions policies or roles to these groups. The users then inherit permissions from the groups to which the users belong, and can perform specific operations on cloud services.

Permission Type

You can grant users permissions by using roles and policies.

● Roles: A type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. There are only a limited number of roles for granting permissions to users. When using roles to grant permissions, you also need to assign dependency roles. Roles are not an ideal choice for fine-grained authorization and secure access control.

● Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and secure access control. For example, you can grant ECS users only the permissions required for managing a certain type of ECS resources. IAM supports both system-defined and custom policies.


System-Defined PolicyA system-defined policy defines the common actions of a cloud service. System-defined policies can be used to assign permissions to user groups, and cannot bemodified. For details about the system-defined policies of all cloud services,see System Permissions.

If you need to assign permissions for a specific service to a user group or agencyon the IAM console but cannot find corresponding policies, it indicates that theservice does not support permissions management through IAM. Please submit aservice ticket and request that permissions for the service be made available inIAM.

Custom Policy

You can create custom policies using the actions supported by cloud services and use custom policies to supplement system-defined policies for more refined access control. You can create custom policies in the visual editor or in JSON view.

5.2 Roles

Roles are a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. There are only a limited number of roles for granting permissions to users.

HUAWEI CLOUD services interwork with each other. Roles of some services take effect only if they are assigned along with roles of other services. For more information, see Assigning Dependency Roles.

Role Content

When assigning permissions, select a role and click the icon next to it to view the details of the role. This section uses the SDRS Administrator role as an example to describe the syntax.

{
    "Version": "1.0",
    "Statement": [
        {
            "Action": [
                "SDRS:*:*"
            ],
            "Effect": "Allow"
        }
    ],
    "Depends": [
        {
            "catalog": "BASE",
            "display_name": "Tenant Guest"
        },
        {
            "catalog": "BASE",
            "display_name": "Server Administrator"
        }
    ]
}

Parameter Description

Table 5-1 Parameter description

Parameter | Meaning | Value
Version | Role version | 1.0: Role
Statement: Action | Operations to be performed on the service | Format: Service name:Resource type:Operation. SDRS:*:*: Permissions for performing all operations on all resource types in Storage Disaster Recovery Service (SDRS).
Statement: Effect | Determines whether to allow or deny the operation defined in the action. | Allow or Deny. NOTE: If the roles used to grant a user permissions contain both Allow and Deny for the same action, the Deny takes precedence.
Depends: catalog | Name of the service to which a dependency role belongs | Service name. Example: BASE
Depends: display_name | Name of the dependency role | Role name. NOTE: When you assign the SDRS Administrator role to a user group, you also need to assign the Tenant Guest and Server Administrator roles to the group for the same project. For more information about dependencies, see System Permissions.
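The note on Depends above means that assigning SDRS Administrator alone leaves a group short of two roles. As an added example (not HUAWEI CLOUD code and not part of this guide), the following resolves a role's dependency roles transitively from a catalog of role definitions in the Role Content format shown above. Only the SDRS Administrator entry mirrors the guide; the other catalog entries, including the dependency given to Server Administrator, are constructed for illustration, and the function names are assumptions.

```python
"""Resolve the dependency roles that must be assigned together with a role."""
from __future__ import annotations

from typing import Any

# Constructed role catalog in the "Role Content" format. "SDRS Administrator" mirrors the
# guide's example; the "Depends" entry given to "Server Administrator" is invented only to
# show transitive resolution and is not taken from HUAWEI CLOUD documentation.
ROLE_CATALOG: dict[str, dict[str, Any]] = {
    "SDRS Administrator": {
        "Version": "1.0",
        "Statement": [{"Action": ["SDRS:*:*"], "Effect": "Allow"}],
        "Depends": [
            {"catalog": "BASE", "display_name": "Tenant Guest"},
            {"catalog": "BASE", "display_name": "Server Administrator"},
        ],
    },
    "Server Administrator": {  # statements omitted; dependency constructed for the example
        "Version": "1.0",
        "Statement": [],
        "Depends": [{"catalog": "BASE", "display_name": "Tenant Guest"}],
    },
    "Tenant Guest": {"Version": "1.0", "Statement": [], "Depends": []},
}


def required_roles(role_name: str, catalog: dict[str, dict[str, Any]]) -> list[str]:
    """Return the role followed by every dependency role, resolved transitively.

    Breadth-first and cycle-safe, so mutually dependent roles cannot loop forever.
    A role missing from the catalog is kept in the result but contributes no dependencies.
    """
    ordered: list[str] = []
    queue = [role_name]
    while queue:
        name = queue.pop(0)
        if name in ordered:
            continue
        ordered.append(name)
        for dep in catalog.get(name, {}).get("Depends", []):
            queue.append(dep["display_name"])
    return ordered


def missing_dependencies(assigned: list[str], catalog: dict[str, dict[str, Any]]) -> list[str]:
    """Dependency roles absent from a group's role assignment for one project.

    Table 5-1 requires dependency roles to be assigned for the same project, so run this
    per project rather than over a group's assignments across the whole account.
    """
    needed: set[str] = set()
    for role in assigned:
        needed.update(required_roles(role, catalog))
    return sorted(needed - set(assigned))


if __name__ == "__main__":
    print(required_roles("SDRS Administrator", ROLE_CATALOG))
    print(missing_dependencies(["SDRS Administrator"], ROLE_CATALOG))
```

The catalog can be built from the role JSON the console shows for each role; the check is cheap enough to run whenever a group's roles are changed.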


5.3 Policies

You can view all system-defined policies and custom policies by choosing Permissions in the navigation pane.

Policy Content

When you assign permissions to a user group, you can click the icon on the left of a policy name to view its details. This section uses the IAM ReadOnlyAccess policy as an example.

Scope: The projects for which the policy attached to the user group will take effect.

● Global service project: You can assign permissions for global services (such as OBS, CDN, and TMS) in the global service project. Users authorized to use these services can access them without switching regions.

● Region-specific projects: You can assign permissions for project-level services (such as ECS, CCE, and DCS) in specific physical regions. Users authorized to use these services need to switch to a region where they have been authorized to use the services.

● Global service project and region-specific projects: Services such as SCM can be accessed in all regions. Permissions for these services can be assigned for either the global service project or region-specific projects.

Policy Structure

A policy consists of a version and statements. Each policy can have multiple statements.


Figure 5-1 Policy structure

Policy Syntax

The following uses a custom policy for OBS as an example to describe the syntax.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:bucket:ListAllMybuckets",
                "obs:bucket:HeadBucket",
                "obs:bucket:ListBucket",
                "obs:bucket:GetBucketLocation"
            ],
            "Condition": {
                "StringEndWithIfExists": {
                    "g:UserName": [
                        "specialCharactor"
                    ]
                },
                "Bool": {
                    "g:MFAPresent": [
                        "true"
                    ]
                }
            },
            "Resource": [
                "obs:*:*:bucket:*"
            ]
        }
    ]
}


Table 5-2 Parameter description

Parameter | Meaning | Value
Version | Policy version | 1.1: Policy
Statement: Action | Operations to be performed on the service | Format: Service name:Resource type:Operation. An asterisk (*) means all operations on all resource types based on its position in the action. Example: obs:bucket:ListAllMybuckets: Permissions for listing all OBS buckets.
Statement: Effect | Determines whether to allow or deny the operation defined in the action. | Allow or Deny. NOTE: If the policies used to grant a user permissions contain both Allow and Deny for the same action, the Deny takes precedence.
Statement: Resource | Resources on which the policy takes effect. | Format: Service name:Region:Account ID:Resource type:Resource path. An asterisk (*) means all based on its position in the resource path. Examples: obs:*:*:bucket:*: All OBS buckets. obs:*:*:object:my-bucket/my-object/*: All objects in the my-object directory of the my-bucket bucket.
Statement: Condition | Conditions determine when a policy takes effect. A condition consists of a condition key and operator. Condition keys (see the documentation of the relevant cloud service) are either global or service-level and are used in the Condition element of a policy statement. Global condition keys (starting with g:) are available for operations of all services, whereas service-level condition keys (starting with a service abbreviation name such as obs:) are available only for operations of the corresponding service. An operator is used together with a condition key to form a complete condition statement. | Format: Condition operator:{Condition key:[Value 1, Value 2]}. Example: "StringEndWithIfExists": {"g:UserName": ["specialCharactor"]}: The statement is valid for users whose names end with specialCharactor.

The following table lists all global condition keys.


Table 5-3 Global condition keys

Global Condition Key | Type | Description
g:CurrentTime | Time | Time when an authentication request is received. The time is expressed in the format defined by ISO 8601, for example, 2012-11-11T23:59:59Z.
g:DomainName | String | HUAWEI CLOUD account name
g:MFAPresent | Boolean | Indicates whether to obtain a token through MFA authentication.
g:MFAAge | Number | Validity period of a token obtained through MFA authentication. This condition must be used together with g:MFAPresent.
g:ProjectName | String | Project name
g:ServiceName | String | Service name
g:UserId | String | IAM user ID
g:UserName | String | IAM user name

Authentication Process

When a user initiates an access request, the system authenticates the request based on the actions in the policies that have been attached to the group to which the user belongs. The following diagram shows the authentication process.


Figure 5-2 Authentication process

1. A user initiates an access request.

2. The system looks for a Deny among the applicable actions of the policies from which the user gets permissions. If the system finds an applicable Deny, it returns a decision of Deny, and the authentication ends.

3. If no Deny is found applicable, the system looks for an Allow that would apply to the request. If the system finds an applicable Allow, it returns a decision of Allow, and the authentication ends.

4. If no Allow is found applicable, the system returns a decision of Deny, and the authentication ends.
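The four steps above, implemented as an added example (not code from this guide or from HUAWEI CLOUD IAM): a small deny-overrides evaluator for Version 1.1 policies that uses the action, resource and condition syntax of Table 5-2 and the g:UserName and g:MFAPresent keys of Table 5-3. The three sample policies, the placeholder region and account values, and the function names are constructed here. Two rules are assumptions, since the guide does not state them: every operator in a Condition must hold for the statement to apply, and an operator with the IfExists suffix accepts a missing condition key.

```python
"""Deny-overrides policy evaluation (Figure 5-2) with action/resource wildcards and conditions."""
from __future__ import annotations

import fnmatch
from typing import Any

# Constructed sample policies in the Version 1.1 syntax of Table 5-2 (not real account policies).
SAMPLE_POLICIES: list[dict[str, Any]] = [
    {   # everyone in the group may list and inspect buckets
        "Version": "1.1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["obs:bucket:ListAllMybuckets", "obs:bucket:HeadBucket",
                       "obs:bucket:ListBucket", "obs:bucket:GetBucketLocation"],
            "Resource": ["obs:*:*:bucket:*"],
        }],
    },
    {   # but users named TestUser* must not see buckets named TestBucket*
        "Version": "1.1",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["obs:bucket:ListAllMybuckets", "obs:bucket:HeadBucket",
                       "obs:bucket:ListBucket", "obs:bucket:GetBucketLocation"],
            "Resource": ["obs:*:*:bucket:TestBucket*"],
            "Condition": {"StringStartWith": {"g:UserName": ["TestUser"]}},
        }],
    },
    {   # TestUser* may delete objects under my-bucket/my-object/, but only with an MFA token
        "Version": "1.1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["obs:object:DeleteObject"],
            "Resource": ["obs:*:*:object:my-bucket/my-object/*"],
            "Condition": {"StringStartWith": {"g:UserName": ["TestUser"]},
                          "Bool": {"g:MFAPresent": ["true"]}},
        }],
    },
]

def _match(pattern: str, value: str, segments: int, keep_case_last: bool) -> bool:
    """Match colon-separated patterns segment by segment; '*' in a segment matches anything.
    Names compare case-insensitively (the guide writes SDRS:*:* and obs:*:*); a resource
    path keeps its case because bucket and object names are case-sensitive."""
    p_parts = pattern.split(":", segments - 1)
    v_parts = value.split(":", segments - 1)
    if len(p_parts) != segments or len(v_parts) != segments:
        return False
    for i, (p, v) in enumerate(zip(p_parts, v_parts)):
        if not (keep_case_last and i == segments - 1):
            p, v = p.lower(), v.lower()
        if not fnmatch.fnmatchcase(v, p):
            return False
    return True

def _condition_holds(operator: str, expected: list[str], actual: str | None) -> bool:
    """Evaluate one operator; the ...IfExists suffix (assumption) makes a missing key acceptable."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if actual is None:
        return if_exists
    if base == "StringEquals":
        return actual in expected
    if base == "StringStartWith":
        return any(actual.startswith(e) for e in expected)
    if base == "StringEndWith":
        return any(actual.endswith(e) for e in expected)
    if base == "Bool":
        return any(actual.lower() == e.lower() for e in expected)
    raise ValueError(f"unsupported condition operator: {operator}")

def statement_applies(stmt: dict[str, Any], request: dict[str, Any]) -> bool:
    """True when an action pattern, a resource pattern (if any) and every condition match."""
    if not any(_match(a, request["action"], 3, False) for a in stmt.get("Action", [])):
        return False
    resources = stmt.get("Resource")
    if resources and not any(_match(r, request["resource"], 5, True) for r in resources):
        return False
    # Assumption: all operators must hold (AND); the value list under one key is an OR.
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            actual = request.get(key)
            if not _condition_holds(operator, expected, None if actual is None else str(actual)):
                return False
    return True

def authorize(policies: list[dict[str, Any]], request: dict[str, Any]) -> str:
    """Steps 2-4 above: an applicable Deny wins, then an applicable Allow, otherwise Deny."""
    effects = {s["Effect"] for p in policies for s in p["Statement"] if statement_applies(s, request)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"

if __name__ == "__main__":
    bucket = "obs:cn-north-1:0123456789abcdef:bucket:TestBucket01"  # placeholder region/account
    for user in ("TestUser01", "alice"):
        req = {"action": "obs:bucket:ListBucket", "resource": bucket, "g:UserName": user}
        print(user, authorize(SAMPLE_POLICIES, req))
```

A resource has five colon-separated segments, so the path is everything after the fourth colon and keeps its case, while service, resource type and operation names match case-insensitively. A request that carries no g:MFAPresent key makes the delete statement inapplicable rather than raising an error, so the decision falls through to the Deny of step 4; a statement without a Resource element (as in a role) applies to any resource.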

5.4 Change to the System-Defined Policy Names

All the system-defined policies (previously called "fine-grained policies") have been renamed and the new names are effective from Feb 6, 2020 22:30:00 GMT+08:00. This change does not affect services.


Table 5-4 Existing and new system-defined policy names

Service | Existing | New
AOM | AOM Admin | AOM FullAccess
AOM | AOM Viewer | AOM ReadOnlyAccess
APM | APM Admin | APM FullAccess
APM | APM Viewer | APM ReadOnlyAccess
Auto Scaling | AutoScaling Admin | AutoScaling FullAccess
Auto Scaling | AutoScaling Viewer | AutoScaling ReadOnlyAccess
BMS | BMS Admin | BMS FullAccess
BMS | BMS User | BMS CommonOperations
BMS | BMS Viewer | BMS ReadOnlyAccess
BSS | EnterpriseProject_BSS_Administrator | EnterpriseProject BSS FullAccess
CBR | CBR Admin | CBR FullAccess
CBR | CBR User | CBR BackupsAndVaultsFullAccess
CBR | CBR Viewer | CBR ReadOnlyAccess
CCE | CCE Admin | CCE FullAccess
CCE | CCE Viewer | CCE ReadOnlyAccess
CCI | CCI Admin | CCI FullAccess
CCI | CCI Viewer | CCI ReadOnlyAccess
CDM | CDM Admin | CDM FullAccess
CDM | CDM Operator | CDM FullAccessExceptUpdateEIP
CDM | CDM Viewer | CDM ReadOnlyAccess
CDM | CDM User | CDM CommonOperations
CDN | CDN Domain Configuration Operator | CDN DomainConfigureAccess
CDN | CDN Domain Viewer | CDN DomainReadOnlyAccess
CDN | CDN Logs Viewer | CDN LogsReadOnlyAccess
CDN | CDN Refresh And Preheat Operator | CDN RefreshAndPreheatAccess
CDN | CDN Statistics Viewer | CDN StatisticsReadOnlyAccess
CES | CES Admin | CES FullAccess
CES | CES Viewer | CES ReadOnlyAccess
CS | CS Admin | CS FullAccess
CS | CS Viewer | CS ReadOnlyAccess
CS | CS User | CS CommonOperations
CSE | CSE Admin | CSE FullAccess
CSE | CSE Viewer | CSE ReadOnlyAccess
DCS | DCS Admin | DCS FullAccess
DCS | DCS Viewer | DCS ReadOnlyAccess
DCS | DCS User | DCS UseAccess
DDM | DDM Admin | DDM FullAccess
DDM | DDM Viewer | DDM ReadOnlyAccess
DDM | DDM User | DDM CommonOperations
DDS | DDS Admin | DDS FullAccess
DDS | DDS DBA | DDS ManageAccess
DDS | DDS Viewer | DDS ReadOnlyAccess
DLF | DLF Admin | DLF FullAccess
DLF | DLF Developer | DLF Development
DLF | DLF Operator | DLF OperationAndMaintenanceAccess
DLF | DLF Viewer | DLF ReadOnlyAccess
DMS | DMS Admin | DMS FullAccess
DMS | DMS Viewer | DMS ReadOnlyAccess
DMS | DMS User | DMS UseAccess
DNS | DNS Admin | DNS FullAccess
DNS | DNS Viewer | DNS ReadOnlyAccess
DSS | DSS Admin | DSS FullAccess
DSS | DSS Viewer | DSS ReadOnlyAccess
DWS | DWS Admin | DWS FullAccess
DWS | DWS Viewer | DWS ReadOnlyAccess
ECS | ECS Admin | ECS FullAccess
ECS | ECS Viewer | ECS ReadOnlyAccess
ECS | ECS User | ECS CommonOperations
ELB | ELB Admin | ELB FullAccess
ELB | ELB Viewer | ELB ReadOnlyAccess
EPS | EPS Admin | EPS FullAccess
EPS | EPS Viewer | EPS ReadOnlyAccess
EVS | EVS Admin | EVS FullAccess
EVS | EVS Viewer | EVS ReadOnlyAccess
GES | GES Admin | GES FullAccess
GES | GES Viewer | GES ReadOnlyAccess
GES | GES User | GES Development
ICITY | iCity Admin | iCity FullAccess
ICITY | iCity Viewer | iCity ReadOnlyAccess
IMS | IMS Admin | IMS FullAccess
IMS | IMS Viewer | IMS ReadOnlyAccess
Image Recognition | Image Recognition User | Image Recognition FullAccess
KMS | DEW Keypair Admin | DEW KeypairFullAccess
KMS | DEW Keypair Viewer | DEW KeypairReadOnlyAccess
KMS | KMS CMK Admin | KMS CMKFullAccess
LTS | LTS Admin | LTS FullAccess
LTS | LTS Viewer | LTS ReadOnlyAccess
MRS | MRS Admin | MRS FullAccess
MRS | MRS Viewer | MRS ReadOnlyAccess
MRS | MRS User | MRS CommonOperations
ModelArts | ModelArts Admin | ModelArts FullAccess
ModelArts | ModelArts User | ModelArts CommonOperations
Moderation | Moderation User | Moderation FullAccess
NAT | NAT Admin | NAT FullAccess
NAT | NAT Viewer | NAT ReadOnlyAccess
OBS | OBS Operator | OBS OperateAccess
OBS | OBS Viewer | OBS ReadOnlyAccess
RDS | RDS Admin | RDS FullAccess
RDS | RDS DBA | RDS ManageAccess
RDS | RDS Viewer | RDS ReadOnlyAccess
RES | RES Admin | RES FullAccess
RES | RES Viewer | RES ReadOnlyAccess
ROMA Connect | ROMA Admin | ROMA FullAccess
ROMA Connect | ROMA Viewer | ROMA ReadOnlyAccess
SCM | SCM Admin | SCM FullAccess
SCM | SCM Viewer | SCM ReadOnlyAccess
SFS | SFS Admin | SFS FullAccess
SFS | SFS Viewer | SFS ReadOnlyAccess
SFS Turbo | SFS Turbo Administrator | SFS Turbo FullAccess
SFS Turbo | SFS Turbo Viewer | SFS Turbo ReadOnlyAccess
ServiceStage | ServiceStage Admin | ServiceStage FullAccess
ServiceStage | ServiceStage Developer | ServiceStage Development
ServiceStage | ServiceStage Viewer | ServiceStage ReadOnlyAccess
VPC | VPC Admin | VPC FullAccess
VPC | VPC Viewer | VPC ReadOnlyAccess

5.5 Custom Policies


5.5.1 Creating a Custom Policy

You can create custom policies to supplement system-defined policies and implement more refined access control.

You can create custom policies in either of the following ways:

● Visual editor: Select a cloud service, specify actions and resources, and add request conditions. You do not need to have knowledge of JSON syntax.

● JSON: Create a policy in the JSON format from scratch or based on an existing policy.

Creating a Custom Policy in the Visual Editor

Step 1 Log in to HUAWEI CLOUD and click Console in the upper right corner.

Step 2 On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.

Step 3 On the IAM console, choose Permissions from the navigation pane, and click Create Custom Policy in the upper right corner.

Step 4 Enter a policy name.

Step 5 Select a scope based on the type of services related to this policy. For more information about service types, see System Permissions.

● Global services: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as Global services. Custom policies of this scope must be attached to user groups for the global service project.

● Project-level services: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as Project-level services. Custom policies of this scope must be attached to user groups for specific projects except the global service project.


For example, when creating a custom policy containing the action evs:volumes:create for EVS, specify the scope as Project-level services.

NOTE

A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as Global services and Project-level services.

Step 6 Select Visual editor.

Step 7 Set the policy content.

1. Select Allow or Deny.

2. Select a cloud service.

NOTE

Only one cloud service can be selected for each permission block. To configure permissions for multiple cloud services, click Add Permissions, or switch to the JSON view (see Creating a Custom Policy in JSON View).

3. Select actions.

4. (Optional) Select all resources, or select specific resources by specifying their paths.

Cloud services that support authorization for specific resources include: Object Storage Service (OBS), Intelligent EdgeFabric (IEF), Data Lake Insight (DLI), Graph Engine Service (GES), FunctionGraph, Distributed Message Service (DMS), IoT Device Access (IoTDA), Data Encryption Workshop (DEW), Autonomous Driving Cloud Service (Huawei Octopus), and Data Warehouse Service (DWS). For details, see Cloud Services Supported by IAM.


Table 5-5 Resource type

Parameter | Description
Specific | Permissions for specific resources. For example, to define permissions for buckets whose names start with TestBucket, specify the bucket resource path as OBS:*:*:bucket:TestBucket*.
NOTE
– Specifying bucket resources
Format: OBS:*:*:bucket:Bucket name
For bucket resources, IAM automatically generates the prefix of the resource path: obs:*:*:bucket:. For the path of a specific bucket, add the bucket name to the end. You can also use an asterisk * to indicate any bucket. For example, obs:*:*:bucket:* indicates any OBS bucket.
– Specifying object resources
Format: OBS:*:*:object:Bucket name/Object name
For object resources, IAM automatically generates the prefix of the resource path: obs:*:*:object:. For the path of a specific object, add the bucket name/object name to the end of the resource path. You can also use an asterisk * to indicate any object in a bucket. For example, obs:*:*:object:my-bucket/my-object/* indicates any object in the my-object directory of the my-bucket bucket.
All | Permissions for all resources.

5. (Optional) Add request conditions by specifying condition keys, operators, and values.

Table 5-6 Condition parameters

Name | Description
Condition Key | A key in the Condition element of a statement. There are global and service-level condition keys. Global condition keys (starting with g:) are available for operations of all services, whereas service-level condition keys (starting with a service abbreviation name such as obs:) are available only for operations of the corresponding service. For details, see the user guide of the corresponding cloud service, for example, OBS Request Conditions.
Operator | Used together with a condition key to form a complete condition statement.
Value | Used together with a condition key and an operator that requires a keyword, to form a complete condition statement.


Figure 5-3 Adding a request condition

Table 5-7 Global condition keys

Global Condition Key | Type | Description
g:CurrentTime | Time | Time when an authentication request is received. The time is expressed in the format defined by ISO 8601, for example, 2012-11-11T23:59:59Z.
g:DomainName | String | HUAWEI CLOUD account name
g:MFAPresent | Boolean | Indicates whether to obtain a token through MFA authentication.
g:MFAAge | Number | Validity period of a token obtained through MFA authentication. This condition must be used together with g:MFAPresent.
g:ProjectName | String | Project name
g:ServiceName | String | Service name
g:UserId | String | IAM user ID
g:UserName | String | IAM user name

Step 8 (Optional) Switch to the JSON view and modify the policy content in the JSON format.

NOTE

If the policy content is incorrect after modification, check and modify the content, or click Reset to cancel the modifications.

Step 9 (Optional) To add another permission block for the policy, click Add Permissions. Alternatively, click the plus (+) icon on the right of an existing permission block to clone its permissions.


Step 10 (Optional) Enter a brief description for the policy.

Step 11 Click OK.

Step 12 Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.

NOTE

You can attach custom policies to a user group in the same way as you attach system-defined policies. For details, see Creating a User Group and Assigning Permissions.

----End

Creating a Custom Policy in JSON View

Step 1 Log in to HUAWEI CLOUD and click Console in the upper right corner.

Step 2 On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.

Step 3 On the IAM console, choose Permissions from the navigation pane, and click Create Custom Policy in the upper right corner.

Step 4 Enter a policy name.


Step 5 Select a scope based on the type of services related to this policy. For more information about service types, see System Permissions.

● Global services: Select this option if the services to which the policy is related must be deployed in the Global region. When creating custom policies for globally deployed services, specify the scope as Global services. Custom policies of this scope must be attached to user groups for the global service project.

● Project-level services: Select this option if the services to which the policy is related must be deployed in specific regions. When creating custom policies for regionally deployed services, specify the scope as Project-level services. Custom policies of this scope must be attached to user groups for specific projects except the global service project.

For example, when creating a custom policy containing the action evs:volumes:create for EVS, specify the scope as Project-level services.

NOTE

A custom policy can contain actions of multiple services that are globally accessible or accessible through region-specific projects. To define permissions required to access both global and project-level services, create two custom policies and specify the scope as Global services and Project-level services.

Step 6 Select JSON.

Step 7 (Optional) Click Select Existing Policy/Role, and select a policy to use it as a template, for example, VPC FullAccess.

Step 8 Click OK.

Step 9 Modify the statement in the template.

● Effect: Set it to Allow or Deny.

● Action: Enter the actions listed in the API actions table (see Figure 5-4) of the EVS service, for example, evs:volumes:create.

Figure 5-4 API actions


NOTE

– The version of each custom policy is fixed at 1.1.

– For details about the API actions supported by each service, see System Permissions.

Step 10 (Optional) Enter a brief description for the policy.

Step 11 Click OK. If the policy list is displayed, the policy is created successfully. If a message indicating incorrect policy content is displayed, modify the policy.

Step 12 Attach the policy to a user group. Users in the group then inherit the permissions defined in the policy.

NOTE

You can attach custom policies to a user group in the same way as you attach system-defined policies. For details, see Creating a User Group and Assigning Permissions.

----End

5.5.2 Modifying or Deleting a Custom Policy

Custom policies can be modified or deleted.

Modifying a Custom Policy

● Modifying the policy content

a. In the navigation pane of the IAM console, choose Permissions.
b. In the row containing the custom policy you want to modify, click Modify.
c. Modify the policy content by following the procedure in Creating a Custom Policy in the Visual Editor.

● Modifying the policy name and content

a. In the navigation pane of the IAM console, choose Permissions.
b. Click the name of the custom policy to go to the policy details page.
c. Modify the policy name and description.
d. Click Modify Policy Content and then modify the content by following the procedure in Creating a Custom Policy in the Visual Editor.
e. Click OK to save the modifications.

Deleting a Custom Policy

NOTE

Only custom policies that are not attached to any user groups or agencies can be deleted. If a custom policy has been attached to certain user groups or agencies, detach the policy and then delete it.

1. In the navigation pane of the IAM console, choose Permissions. Then select Custom policy from the filter criteria drop-down list.

2. In the row containing the custom policy you want to delete, click Delete.

3. Click Yes.


5.5.3 Custom Policy Use Cases

Using a Custom Policy Along with Full-Permission System-Defined Policies

Use the following method to assign permissions of the FullAccess policy to a user but also forbid the user from accessing the Billing Center. Create a custom policy for denying access to Billing Center, and attach the two policies to the group to which the user belongs. Then, the user will be able to perform all operations on all services except Billing Center.

Example policy denying access to Billing Center:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "bss:*:*"
            ]
        }
    ]
}

NOTE

● Action: Operations to be performed. Each action must be defined in the format Service name:Resource type:Operation.

For example, bss:*:* refers to permissions for performing all operations on all resource types at the Billing Center.

● Effect: Determines whether to deny or allow the operation.

Using a Custom Policy Along with a System-Defined Policy

● Use the following method to assign permissions of the ECS FullAccess policy to a user but also forbid the user from deleting ECSs. Create a custom policy containing the ecs:cloudServers:delete action, for denying ECS deletion, and attach both policies to the group to which the user belongs. Then, the user will be able to perform all operations on ECS except deleting ECSs.

Example policy denying ECS deletion:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ecs:cloudServers:delete"
            ]
        }
    ]
}

● Use the following method to assign permissions of the OBS ReadOnlyAccess policy to all IAM users but also forbid certain users from performing operations on specific resources, for example, forbidding users whose names start with TestUser from viewing buckets whose names start with TestBucket. Create a custom policy for denying the operation, and attach both policies to the groups to which the users belong. Then, the users will be able to view only buckets whose names do not start with TestBucket.


Example policy forbidding users whose names start with TestUser from viewing buckets whose names start with TestBucket:

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "obs:bucket:ListAllMybuckets",
                "obs:bucket:HeadBucket",
                "obs:bucket:ListBucket",
                "obs:bucket:GetBucketLocation"
            ],
            "Resource": [
                "obs:*:*:bucket:TestBucket*"
            ],
            "Condition": {
                "StringStartWith": {
                    "g:UserName": [
                        "TestUser"
                    ]
                }
            }
        }
    ]
}

NOTE

Currently, only certain cloud services (such as OBS) support resource-based authorization. For services that do not support this function, you cannot create custom policies containing resource types.

Using Only a Custom Policy

To grant a user permissions for accessing specific services, you can create a custom policy and attach only the custom policy to the group to which the user belongs.

● The following is an example policy that allows access only to ECS, EVS, VPC, ELB, and Application Operations Management (AOM).

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:*:*",
                "evs:*:*",
                "vpc:*:*",
                "elb:*:*",
                "aom:*:*"
            ]
        }
    ]
}

● The following is an example policy that allows only IAM users whose names start with TestUser to delete all objects in the my-object directory of the my-bucket bucket.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:object:DeleteObject"
            ],
            "Resource": [
                "obs:*:*:object:my-bucket/my-object/*"
            ],
            "Condition": {
                "StringStartWith": {
                    "g:UserName": [
                        "TestUser"
                    ]
                }
            }
        }
    ]
}

● The following is an example policy that allows access to all services except ECS, EVS, VPC, ELB, and AOM.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "*:*:*"
            ]
        },
        {
            "Action": [
                "ecs:*:*",
                "evs:*:*",
                "elb:*:*",
                "aom:*:*",
                "apm:*:*"
            ],
            "Effect": "Deny"
        }
    ]
}
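Step 11 of the JSON-view procedure in 5.5.1 only reports that the policy content is incorrect. As an added example (not the console's own check and not HUAWEI CLOUD code), the following checks a custom policy against the structure described in Table 5-2 before it is pasted in: the fixed version 1.1, an Allow or Deny effect, the three-segment action format, the five-segment resource format, and that a Resource element names a service and resource type listed in Table 5-8 (only OBS is encoded here). A JSON syntax error, such as a comma missing between two members, is reported as a single problem. The sample policy and the broken text are constructed, and the function names are assumptions.

```python
"""Structural checks for a custom policy before it is pasted into the JSON view."""
from __future__ import annotations

import json
from typing import Any

# Resource types from Table 5-8 for services that support resource-level authorization.
# Only OBS is encoded; this constructed table deliberately omits the other listed services.
RESOURCE_TYPES: dict[str, set[str]] = {"obs": {"bucket", "object"}}

ACTION_FORMAT = "Service name:Resource type:Operation"
RESOURCE_FORMAT = "Service name:Region:Account ID:Resource type:Resource path"


def validate_policy(policy: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the policy passes every check."""
    problems: list[str] = []
    if policy.get("Version") != "1.1":
        problems.append('Version must be "1.1" for a custom policy')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        actions = stmt.get("Action")
        if not isinstance(actions, list) or not actions:
            problems.append(f"{where}: Action must be a non-empty list")
            actions = []
        services: set[str] = set()  # services named by well-formed actions
        for action in actions:
            parts = str(action).split(":")
            if len(parts) != 3 or not all(parts):
                problems.append(f"{where}: action {action!r} is not {ACTION_FORMAT}")
            else:
                services.add(parts[0].lower())
        for resource in stmt.get("Resource", []):
            parts = str(resource).split(":", 4)  # the path may itself contain colons
            if len(parts) != 5 or not all(parts):
                problems.append(f"{where}: resource {resource!r} is not {RESOURCE_FORMAT}")
                continue
            service, rtype = parts[0].lower(), parts[3]
            if service not in RESOURCE_TYPES:
                problems.append(f"{where}: {service} does not support resource-level authorization")
            elif rtype not in RESOURCE_TYPES[service]:
                problems.append(f"{where}: {service} has no resource type {rtype!r}")
            if service not in services and "*" not in services:
                problems.append(f"{where}: resource service {service!r} is not used by any action")
        condition = stmt.get("Condition", {})
        if not isinstance(condition, dict):
            problems.append(f"{where}: Condition must be an object")
            continue
        for operator, keys in condition.items():
            if not isinstance(keys, dict) or not all(isinstance(v, list) for v in keys.values()):
                problems.append(f"{where}: Condition {operator!r} must map condition keys to value lists")
    return problems


def validate_policy_text(text: str) -> list[str]:
    """Validate raw JSON; a syntax error (a missing comma, say) is reported as one problem."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    return validate_policy(policy)


# Constructed inputs: a well-formed deny policy, and text with the comma after "Effect" missing.
SAMPLE_VALID: dict[str, Any] = {
    "Version": "1.1",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["obs:bucket:ListBucket", "obs:bucket:HeadBucket"],
        "Resource": ["obs:*:*:bucket:TestBucket*"],
        "Condition": {"StringStartWith": {"g:UserName": ["TestUser"]}},
    }],
}
SAMPLE_BROKEN_TEXT = '{"Version": "1.1", "Statement": [{"Effect": "Allow" "Action": ["ecs:*:*"]}]}'

if __name__ == "__main__":
    print(validate_policy(SAMPLE_VALID))
    print(validate_policy_text(SAMPLE_BROKEN_TEXT))
```

Running the check before pasting a policy into the JSON view gives a line and column for a syntax error instead of the console's generic message, and catches a Resource element attached to a service that does not support resource-level authorization, which the note above says cannot be expressed in a custom policy.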

5.5.4 Cloud Services Supported by IAM

If you want to grant an IAM user permissions for specific resources, create a custom policy that contains permissions for the resources, and assign the policy to the user. The user then only has the permissions for the specified resources. For example, to grant an IAM user permissions for buckets whose names start with TestBucket, create a custom policy, specify the resource path as OBS:*:*:bucket:TestBucket*, and assign the policy to the user.

The following table lists the cloud services that support resource-level authorization and the supported resource types.

Table 5-8 Cloud services that support resource-level authorization and the supported resource types

Service | Resource Type | Resource Name
Object Storage Service (OBS) | bucket | Bucket
Object Storage Service (OBS) | object | Object
Intelligent EdgeFabric (IEF) | product | Product
Intelligent EdgeFabric (IEF) | node | Edge node
Intelligent EdgeFabric (IEF) | group | Edge node group
Intelligent EdgeFabric (IEF) | deployment | Deployment
Intelligent EdgeFabric (IEF) | batchjob | Batch job
Intelligent EdgeFabric (IEF) | application | Application template
Intelligent EdgeFabric (IEF) | appVersion | Application template version
Intelligent EdgeFabric (IEF) | IEFInstance | IEF instance
Data Lake Insight (DLI) | queue | DLI queue
Data Lake Insight (DLI) | database | DLI database
Data Lake Insight (DLI) | table | DLI table
Data Lake Insight (DLI) | column | DLI column
Data Lake Insight (DLI) | datasourceauth | DLI security authentication information
Data Lake Insight (DLI) | jobs | DLI job
Graph Engine Service (GES) | graphName | GES graph name
Graph Engine Service (GES) | backupName | GES backup name
Graph Engine Service (GES) | metadataName | GES metadata name
FunctionGraph | function | Function
FunctionGraph | trigger | Trigger
Distributed Message Service (DMS) | rabbitmq | RabbitMQ instance
Distributed Message Service (DMS) | kafka | Kafka instance
IoT Device Access (IoTDA) | app | Resource space ID
Data Encryption Workshop (DEW) | KeyId | Key ID
Autonomous Driving Cloud Service (Huawei Octopus) | dataset | Dataset
Autonomous Driving Cloud Service (Huawei Octopus) | replay | Replay
Data Warehouse Service (DWS) | cluster | Cluster


6 Projects

You can use projects to group and isolate resources (including compute, storage, and network resources) across physical regions. A default project is provided for each region, and you can create subprojects under each default project. You can grant permissions to users for accessing resources in specific projects.

For more refined access control, create subprojects under a project and purchase resources in the subprojects. IAM users can then be assigned permissions to access only specific resources in the subprojects.

IAM projects are different from enterprise projects. For more information, see Differences Between IAM Projects and Enterprise Projects.

Figure 6-1 Project isolation

NOTE

Resources cannot be transferred across IAM projects.

Creating a Project

Step 1 On the IAM console, choose Projects from the navigation pane, and click Create Project.


Step 2 Select a region in which you want to create a subproject.

Step 3 Enter a project name.

NOTE

● The project name will be in the format Name of the default project for the selected region_Custom project name. The names of default projects cannot be modified.

● The project name can only contain letters, digits, hyphens (-), and underscores (_). The total length of the project name cannot exceed 64 characters.

Step 4 (Optional) Enter a description for the project.

Step 5 Click OK.

----End

Granting a User Group Permissions for a Project

You can assign permissions based on projects. For more refined permissions control, you can grant a user group access to resources in a specific subproject.

Step 1 In the user group list, click Manage Permissions in the row containing the user group.


Step 2 On the Permissions tab page, click Assign Permissions.

Step 3 Specify the authorization scope. If you select Region-specific projects, select one or more projects in the drop-down list.

Step 4 Select policies or roles and click OK.

NOTE

For more information about permissions assignment, see Creating a User Group and Assigning Permissions.

----End

Switching Regions or Projects

Step 1 Log in to HUAWEI CLOUD and click Console in the upper right corner.

Step 2 Switch to a region or project in which you have been authorized to access cloud services.

----End


7 Agencies

Account Delegation

Cloud Service Delegation

7.1 Account Delegation

7.1.1 Delegating Resource Access to Another Account

The agency function enables you to delegate another HUAWEI CLOUD account to implement O&M on your resources based on assigned permissions.

NOTE

You can delegate resource access only to HUAWEI CLOUD accounts. The accounts can then delegate access to IAM users under them.

The following is the procedure for delegating access to resources in one account to another account. Account A is the delegating party and account B is the delegated party.

Step 1 Account A creates an agency in IAM to delegate resource access to account B.


Step 2 (Optional) Account B assigns permissions to an IAM user to manage specific resources for account A.

1. Create a user group, and grant it permissions required to manage account A's resources.

2. Create a user and add the user to the user group.

Step 3 Account B or the authorized user manages account A's resources.

1. Log in to HUAWEI CLOUD and switch the role to account A.
2. Switch to region A and manage account A's resources in this region.

----End

7.1.2 Creating an Agency (by a Delegating Party)

By creating an agency, you can share your resources with another account, or delegate an individual or team to manage your resources. You do not need to share your security credentials (the password and access keys) with the delegated party. Instead, the delegated party logs in with its own account credentials, switches the role to your account, and manages your resources.

Prerequisites

Before creating an agency, complete the following operations:

● Understand the basic concepts of permissions.
● Determine the system permissions to be assigned to the agency, and check whether the permissions have dependencies. For more details, see Assigning Dependency Roles.


Procedure

Step 1 Log in to HUAWEI CLOUD and click Console in the upper right corner.

Step 2 On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.

Step 3 On the IAM console, choose Agencies from the navigation pane, and click Create Agency in the upper right corner.

Step 4 Enter an agency name.

Figure 7-1 Setting the agency name

Step 5 Specify the agency type as Account, and enter the name of a HUAWEI CLOUD account.

NOTE

● Account: Share resources with another account or delegate an individual or team to manage your resources. You can specify the delegated account only as a HUAWEI CLOUD account, and you cannot specify it as a federated user or IAM user.

● Cloud service: Delegate a specific service to access other services. For more information, see Cloud Service Delegation.

Step 6 Set the validity period and enter a description for the agency.

Step 7 Click Next.

Step 8 Set the authorization scope, and select the permissions you want to grant to the agency.

NOTE

● Assigning permissions to an agency is similar to assigning permissions to a user group. The two operations differ only in the number of available permissions. For details about how to assign permissions to a user group, see Assigning Permissions to a User Group.

● For the service-specific permissions, see System Permissions.


Step 9 Click OK.

NOTE

After creating an agency, provide your account name, agency name, agency ID, and agency permissions to the delegated party. The delegated party can then switch the role to your account and manage specific resources.

----End

Related Operations

● Modifying an agency
To modify the permissions, validity period, and description of an agency, click Modify in the row containing the agency.

● Deleting an agency
To delete an agency, click Delete in the row containing the agency and click Yes.

NOTE

After you delete an agency, all permissions granted to the delegated account will be cancelled.

7.1.3 (Optional) Assigning Permissions to an IAM User (by a Delegated Party)

When a trust relationship is established between another account and your account, you become a delegated party. By default, only your account and the members of the admin group can manage resources for the delegating party. To authorize IAM users to manage these resources, assign permissions to the users.

You can authorize an IAM user to manage resources for all delegating parties. To authorize a user to manage resources for one specific delegating party only, create fine-grained policies and use them to grant the user specific permissions.

Prerequisites

● A trust relationship has been established between another account and your account.
● You have obtained the name of the delegating account and the name and ID of the created agency.

Procedure

Step 1 Create a custom policy.

NOTE

This step is used to create a policy containing permissions required to manage resources for a specific agency. If you want to authorize an IAM user to manage resources for all agencies, go to Step 2.

1. On the Permissions page, click Create Custom Policy.
2. Enter a policy name.


3. Select Global services for Scope.
4. Select JSON for Policy View.
5. In the Policy Content area, enter the following content:

{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "iam:agencies:assume"
      ],
      "Resource": {
        "uri": [
          "/iam/agencies/b36b1258b5dc41a4aa8255508xxx..."
        ]
      },
      "Effect": "Allow"
    }
  ]
}

NOTE

– Replace b36b1258b5dc41a4aa8255508xxx... with the agency ID obtained from a delegating party. Do not make any other changes.

– For more information about permissions, see Permissions.

6. Click OK.

Step 2 Create a user group and grant permissions to it.

1. On the User Groups page, click Create User Group.
2. Enter a user group name.
3. Click OK.
4. In the row containing the user group, click Manage Permissions.
5. On the Permissions tab page, click Assign Permissions.
6. Select the policy created in Step 1 or the Agent Operator role.

NOTE

– Custom policy: Allows a user to manage resources only for a specific agency.

– Agent Operator role: Allows a user to manage resources for all agencies.

7. Click OK.

Step 3 Create an IAM user and add the user to the user group.

1. On the Users page, click Create User.
2. On the Create User page, enter a username and email address.
3. For the access type, select Management console access and Set by user.
4. Enable login protection and click Next.
5. Select the user group created in Step 2 and click Next.

NOTE

After the permissions assignment is complete, the IAM user can switch to the account of the delegating party and manage specific resources under the account.

----End


7.1.4 Switching Roles (by a Delegated Party)

When an account establishes a trust relationship between itself and your account, you become a delegated party. You and all the users you have authorized can switch to the delegating account and manage resources under the account based on assigned permissions.

Prerequisites

● A trust relationship has been established between another account and your account.
● You have obtained the name of the delegating account and the agency name.

Procedure

Step 1 Log in to the HUAWEI CLOUD console using your account or log in as the IAM user created in Step 3.

NOTE

The IAM user created in Step 3 can switch roles to manage resources for the delegating party.

Step 2 Hover the mouse pointer over the username in the upper right corner and choose Switch Role.

Step 3 On the Switch Role page, enter the account name of the delegating party.

NOTE

If an agency other than the agencies created by the delegating party is displayed, it indicates that you do not have access permissions. Select the correct agency in the Agency Name drop-down list.

Step 4 Click OK to switch to the delegating account.

----End

Follow-Up Procedure

To return to your own account, hover the mouse pointer over the username in the upper right corner, choose Switch Role, and select your account.


7.2 Cloud Service Delegation

HUAWEI CLOUD services interwork with each other, and some cloud services are dependent on other services. To delegate a cloud service to access other services and perform resource O&M, create an agency for the service.

HUAWEI CLOUD provides two methods to create a cloud service agency:

1. Creating a cloud service agency on the IAM console
Take a Graph Engine Service (GES) agency as an example. The agency allows GES to call cloud services, for example, to bind your EIP to the primary load balancer when a failover occurs.

2. Automatically creating a cloud service agency to use certain resources
The following takes Scalable File Service (SFS) as an example to describe the procedure for automatically creating a cloud service agency:

a. Go to the SFS console.
b. On the Create File System page, enable static data encryption.
c. A dialog box is displayed requesting you to confirm the creation of an SFS agency. After you click OK, the system automatically creates an SFS agency with KMS Administrator permissions for the current project. With the agency, SFS can obtain KMS keys for encrypting or decrypting file systems.

d. You can view the agency in the agency list on the IAM console.

Creating a Cloud Service Agency on the IAM Console

Step 1 Log in to HUAWEI CLOUD and click Console in the upper right corner.

Step 2 On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.


Step 3 On the IAM console, choose Agencies from the navigation pane, and click Create Agency.

Step 4 Enter an agency name.

Figure 7-2 Setting the agency name

Step 5 Select the Cloud service agency type, and then select a service.

Step 6 Select a validity period.

Step 7 (Optional) Enter a description for the agency. For example, granting KMS Administrator permissions to GES.

Step 8 Select the Tenant Administrator role for the global service project and other region-specific projects, such as CN North-Beijing1.

Step 9 Click OK.

----End

Related Operations

● Modifying an agency
To change the permissions of a cloud service agency, click Modify in the row containing the agency.


NOTE

● You can change the cloud service, validity period, description, and permissions of cloud service agencies, but you cannot change the agency name and type.

● Changing the permissions may affect the usage of certain functions of cloud services. Exercise caution when performing this operation.

● Deleting an agency
To delete an agency, click Delete in the row containing the agency and click Yes.


8 Security Settings

Security Settings Overview

Basic Information

Critical Operation Protection

Login Authentication Policy

Password Policy

ACL

8.1 Security Settings Overview

You can configure the basic information, critical operation authentication, login authentication policy, password policy, and access control list (ACL) on the Security Settings page. For details, see Basic Information, Critical Operation Protection, Login Authentication Policy, Password Policy, and ACL.

Intended Audience

Table 8-1 lists the intended audience of different functions provided on the Security Settings page and their access permissions for the functions.

Table 8-1 Intended audience

Function | Intended Audience
Basic Information | IAM users: Full access; Account: To change the basic information, see Basic Information.
Critical Operations | Administrator: Full access; IAM users: No access
Login Authentication Policy | Administrator: Full access; IAM users: Read-only access
Password Policy | Administrator: Full access; IAM users: Read-only access
ACL | Administrator: Full access; IAM users: No access

Accessing the Security Settings Page

● You and all IAM users created using your account can access the Security Settings page from the management console.

a. Log in to HUAWEI CLOUD and click Console in the upper right corner.

b. On the management console, hover the mouse pointer over the username in the upper right corner, and choose Security Settings from the drop-down list.

● As the administrator, you can also access the Security Settings page from the IAM console.

a. Log in to HUAWEI CLOUD and click Console in the upper right corner.

b. On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.


c. On the IAM console, choose Security Settings from the navigation pane.

8.2 Basic Information

IAM users can manage basic information on the Basic Information page. As the account administrator, you can change your login password, mobile number, and email address by referring to Basic Information.

NOTE

● Each mobile number and email address can only be bound to one user.

● Each user can bind only one mobile phone, email address, and virtual MFA device.

Changing the Login Password, Mobile Number, and Email Address

The methods for changing the login password, mobile number, and email address are similar. To change the login password, do as follows:

Step 1 Go to the Security Settings page.

Step 2 Click the Basic Information tab, and click Change next to Login Password.

Step 3 Select email address or mobile number verification, and enter the verification code.

NOTE

The two verification modes are available only if you have bound an email address and a mobile number.

Step 4 Enter the old password and new password, and enter the new password again.

NOTE

● The password cannot be the username or the username spelled backwards. For example, if the username is A12345, the password cannot be A12345, a12345, 54321A, or 54321a.

● To prevent password cracking, the administrator can configure the password policy to define password requirements, such as minimum password length. For details, see Password Policy.

Step 5 Click OK.


NOTE

You can associate only one mobile number, email address, and virtual MFA device with your user account.

----End

8.3 Critical Operation Protection

Only the administrator can configure critical operation protection, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.

NOTE

Federated users do not need to verify their identity when performing critical operations.

Virtual MFA Device

An MFA device generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP) standard. MFA devices can be hardware- or software-based. Currently, HUAWEI CLOUD supports software-based virtual MFA devices, which are application programs running on smart devices such as mobile phones.

The following procedure details how to bind a virtual MFA device. To learn how to unbind or remove a virtual MFA device, see Virtual MFA Device.

NOTE

● Before binding a virtual MFA device, ensure that you have installed an MFA application (such as an authenticator app) on your mobile device.

● The method for binding a virtual MFA device varies depending on whether your HUAWEI CLOUD account has been upgraded to a HUAWEI ID.

● HUAWEI CLOUD account

Step 1 Go to the Security Settings page.

Step 2 Click the Critical Operations tab, and click Bind next to Virtual MFA Device.

Step 3 Set up the MFA application by scanning the QR code or manually entering the secret key.

● Scanning the QR code
Open the MFA application on your mobile phone, and use the application to scan the QR code displayed on the Bind Virtual MFA Device page. Your account is then added to the application.

● Manually entering the secret key
Open the MFA application on your mobile phone, click the plus sign (+) in the application, and choose to manually enter the secret key. As the administrator, enter your account name and secret key. If you are an IAM user, enter your username and secret key.


NOTE

The manual entry function is time-based. Ensure that automatic time setup has been enabled on your mobile phone.

Step 4 View the verification code on the MFA application. The code is automatically updated every 30 seconds.

Step 5 On the Bind Virtual MFA Device page, enter two consecutive verification codes and click OK.

----End
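The virtual MFA device described above produces TOTP codes, and the binding step asks for two consecutive codes. The following Python is an added illustration of that mechanism (not HUAWEI CLOUD's code): RFC 6238 TOTP with the 6-digit, 30-second parameters stated in the text, plus a two-consecutive-code check like the one in Step 5. The secret in the demo is the RFC 6238 reference secret, not a real key, and the one-step clock-skew allowance is an assumption about the verifier.

```python
"""RFC 6238 TOTP with the parameters given above: HMAC-SHA1, 6 digits, 30-second
step. Added illustration, not HUAWEI CLOUD's implementation. The secret used in
the demo is the RFC 6238 reference secret, not a real key; allowing one step of
clock skew in the verifier is an assumption.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """The code the MFA app shows at unix_time; it changes every `step` seconds."""
    return hotp(secret, unix_time // step)


def decode_manual_secret(key: str) -> bytes:
    """The manually entered secret key is Base32; tolerate spaces, lower case
    and missing '=' padding as a user would type it."""
    key = key.replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


def verify_two_consecutive(secret: bytes, first: str, second: str,
                           unix_time: int, skew_steps: int = 1) -> bool:
    """Binding check as in Step 5: the two codes must belong to consecutive
    time steps close to the server's clock. A phone whose clock is off by more
    than skew_steps * STEP_SECONDS fails here, which is why the note above
    asks for automatic time setup on the phone."""
    now_step = unix_time // STEP_SECONDS
    for first_step in range(now_step - skew_steps - 1, now_step + skew_steps + 1):
        if (hmac.compare_digest(hotp(secret, first_step), first)
                and hmac.compare_digest(hotp(secret, first_step + 1), second)):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference secret ("12345678901234567890"), Base32-encoded as an
    # authenticator app would accept it; not a real key.
    seed = decode_manual_secret("GEZDGNBVGY3TQOJQ GEZDGNBVGY3TQOJQ")
    print(totp(seed, 59))                        # 287082 (RFC 6238 test vector)
    print(verify_two_consecutive(seed, totp(seed, 1111111109),
                                 totp(seed, 1111111111), 1111111111))  # True
```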

● HUAWEI ID

Step 1 Go to the Security Settings page.

Step 2 Click the Critical Operations tab, and click Bind next to Virtual MFA Device.

Step 3 On the Account & security page of the HUAWEI ID Account center, associate an authenticator with your HUAWEI ID as instructed.

----End

Login Protection

After login protection is enabled, you and IAM users created using your account will need to enter a verification code in addition to the username and password during login. Enable this function for account security.

NOTE

● For the HUAWEI CLOUD account, only the account administrator can enable login protection for it. For IAM users, both the account administrator and other administrators can enable this feature for the users.

● If your HUAWEI CLOUD account has already been upgraded to a HUAWEI ID, you cannot enable login protection for the HUAWEI ID.

● Enabling Login Protection for Your HUAWEI CLOUD Account
To enable login protection for your account, click the Critical Operations tab on the Security Settings page, click Enable next to Login Protection, select a verification method, enter the verification code, and click OK.

● Enabling Login Protection for an IAM User
To enable login protection for an IAM user, go to the Users page, click Security Settings in the row that contains the IAM user, click next to Verification Method, and select a verification method from SMS, email, or virtual MFA device.

NOTE

After you enable login protection, IAM users need to perform identity verification when they access HUAWEI CLOUD using the management console. The setting does not apply if IAM users use programmatic access.

Operation Protection

● Enabling operation protection


To enable operation protection, click the Critical Operations tab on the Security Settings page, click Enable next to Operation Protection, select Enable, and click OK.
After operation protection is enabled, you and IAM users created using your account need to enter a verification code when performing a critical operation, such as deleting an ECS resource. This function is disabled by default. For security purposes, enable this function.

NOTE

If your HUAWEI CLOUD account has already been upgraded to a HUAWEI ID, the login protection setting does not take effect for the HUAWEI ID.

● Disabling operation protection
To disable operation protection, click the Critical Operations tab on the Security Settings page, click Change next to Operation Protection, and select Disable. In the Identity Verification dialog box, choose a verification method, enter the verification code, and click OK.

NOTE

● Each cloud service has its own critical operations.

● When IAM users created using your account perform a critical operation, they will be prompted to choose a verification method from email, SMS, and virtual MFA device.
– If a user is only associated with a mobile number, only SMS verification will be available.
– If a user is only associated with an email address, only email verification will be available.
– If a user is not associated with an email address, mobile number, or virtual MFA device, the user will need to associate an email address, mobile number, or virtual MFA device with their account before the user can perform any critical operations.

● Email or SMS verification codes may not be received due to communication errors. You are advised to use a virtual MFA device.

● You can change the mobile number or email address in My Account and change the virtual MFA device on the Security Settings page of the IAM console.

● If operation protection is enabled, IAM users need to enter a verification code when performing a critical operation. The verification code is sent to the mobile number or email address bound to the IAM users.

Access Key Management

● Enabling access key management
To enable access key management, click the Critical Operations tab on the Security Settings page, click next to Access Key Management.
After access key management is enabled, only IAM users who have the required permissions can create, enable, disable, or delete their own access keys. For details about how to grant permissions to IAM users, see Assigning Permissions to an IAM User. This function is disabled by default. For security purposes, enable this function.

● Disabling access key management
To disable access key management, click the Critical Operations tab on the Security Settings page, click next to Access Key Management.
After access key management is disabled, all IAM users can create, enable, disable, or delete their own access keys.


Critical Operations

The following tables list the critical operations of each cloud service that require identity verification.

Table 8-2 Critical operations of cloud services

Service Type | Service | Critical Operation
Compute | Elastic Cloud Server (ECS) | Stopping, restarting, or deleting an ECS; Resetting the password for logging in to an ECS; Detaching a disk; Unbinding an EIP
Compute | Bare Metal Server (BMS) | Stopping or restarting a BMS; Resetting the BMS password; Detaching a disk; Unbinding an EIP
Compute | Auto Scaling (AS) | Deleting an AS group
Compute | Cloud Container Engine (CCE) | Deleting a cluster
Storage | Object Storage Service (OBS) | Deleting a bucket; Creating, editing, or deleting a bucket policy; Configuring an object policy; Creating, editing, or deleting a bucket ACL; Configuring access logging; Modifying URL validation; Creating or editing a bucket inventory
Storage | Elastic Volume Service (EVS) | Deleting an EVS disk
Storage | Content Delivery Network (CDN) | Configuring the service termination policy
Network | Domain Name Service (DNS) | Modifying, suspending, or deleting a domain name; Modifying, disabling, or deleting a record set; Modifying or deleting a PTR record; Deleting a custom line
Network | Virtual Private Cloud (VPC) | Unbinding an EIP; Deleting a VPC peering connection; Security group operations: deleting an inbound or outbound rule, modifying an inbound or outbound rule, deleting inbound or outbound rules
Network | Elastic Load Balance (ELB) | Classic load balancers: deleting a load balancer, deleting a listener, deleting a certificate, disabling a load balancer; Shared load balancers: deleting a load balancer, deleting a listener, deleting a certificate, removing a backend server, unbinding an EIP, unbinding a public or private IPv4 address, unbinding an IPv6 address, removing from IPv6 shared bandwidth
Network | Elastic IP (EIP) | Deleting a shared bandwidth; Releasing or unbinding an EIP; Releasing or unbinding EIPs
Network | Virtual Private Network (VPN) | Deleting a VPN connection; Unsubscribing from a yearly/monthly VPN gateway
Network | Direct Connect | Deleting a virtual interface
Security | SSL Certificate Manager (SCM) | Deleting a certificate; Revoking a certificate
Management & Deployment | Identity and Access Management (IAM) | Disabling operation protection; Disabling login protection; Changing the mobile number; Changing the email address; Changing the login password; Changing the login authentication method
Management & Deployment | Cloud Trace Service (CTS) | Disabling a system tracker
Management & Deployment | Log Tank Service (LTS) | Deleting a log stream or log group; Uninstalling the ICAgent
Application | Distributed Cache Service (DCS) | Resetting the password of a DCS instance; Deleting a DCS instance; Clearing DCS instance data
Dedicated Cloud | Dedicated Distributed Storage Service (DSS) | Deleting a disk
Database | Relational Database Service (RDS) |

● Resetting the administrator password● Rebooting, deleting, or restoring DB

instances● Deleting a database backup● Restoring the current DB instance from a

backup file● Restoring an existing DB instance from a

backup file● Restoring the current DB instance to a

point in time● Restoring an existing DB instance to a point

in time● Restoring a table to a specified point in

time● Switching between primary and standby DB

instances● Changing the database port● Deleting a database account● Deleting a database● Resetting the password of a database

account● Changing a floating IP address● Unbinding an EIP● Enabling or disabling one-click alarm

reporting

Identity and Access ManagementUser Guide 8 Security Settings

Issue 18 (2021-03-27) Copyright © Huawei Technologies Co., Ltd. 77

Page 82: User Guide...By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach policies or roles to these groups. The user then

ServiceType

Service Critical Operation

DocumentDatabase Service(DDS)

● Resetting the password● Restarting or deleting a DB instance● Restarting a node● Switching the primary and secondary nodes

of a replica set● Deleting a security group rule● Enabling IP addresses of shard and config

nodes● Restoring the current DB instance from a

backup● Restoring an existing DB instance from a

backup● Changing a yearly/monthly instance to pay-

per-use● Enabling or disabling one-click alarm

reporting

EnterpriseIntelligence

Data WarehouseService (DWS)

● Scaling out or resizing a cluster● Restarting a cluster● Repairing a node● Resetting the password

Identity and Access ManagementUser Guide 8 Security Settings

Issue 18 (2021-03-27) Copyright © Huawei Technologies Co., Ltd. 78

Page 83: User Guide...By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach policies or roles to these groups. The user then

ServiceType

Service Critical Operation

MapReduceService (MRS)

● Clusters– Deleting a cluster– Changing a pay-per-use cluster to

yearly/monthly billing– Stopping all components– Synchronizing cluster configurations

● Nodes– Stopping all roles– Isolating a host– Canceling isolation of a host

● Components– Disabling a service– Restarting a service– Performing a rolling service restart– Stopping a role instance– Restarting a role instance– Performing a rolling instance restart– Recommissioning a role instance– Decommissioning a role instance– Saving service configurations

● Patches– Installing a patch– Uninstalling a patch– Rolling back a patch

CloudCommunications

Message&SMS ● Deleting a signature● Deleting a template● Obtaining an app_secret● Binding a mobile number or email address

to a HUAWEI CLOUD account● Configuring an IP address whitelist● Renewing a package

DevCloud ProjectMan ● Deleting a project● Deleting a project member● Modifying member information● Modifying or deleting permissions● Modifying basic project information● Deleting a work item


8.4 Login Authentication Policy

The Login Authentication Policy tab of the Security Settings page provides the Session Timeout, Account Lockout, Account Disabling, Recent Login Information, and Custom Information settings.

Only the administrator can configure the login authentication policy; IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or to grant the required permissions.

NOTE

If your HUAWEI CLOUD account has already been upgraded to a HUAWEI ID, the login authentication policy does not take effect for the HUAWEI ID.

Session Timeout

Set the session timeout that applies if you, or the users created using your account, do not perform any operations within a specific period.

The timeout ranges from 15 minutes to 24 hours, and the default timeout is 1 hour.

Account Lockout

Set a duration to lock users out if a specified number of unsuccessful login attempts is reached within a certain period.

You can set the time for resetting the account lockout counter, the maximum number of unsuccessful login attempts, and the account lockout duration.

● Time for resetting the account lockout counter: The value ranges from 15 to 60 minutes, and the default value is 15 minutes.
● Maximum number of unsuccessful login attempts: The value ranges from 3 to 10, and the default value is 5.
● Lockout duration: The value ranges from 15 to 30 minutes, and the default value is 15 minutes.
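The three lockout settings above combine into one state machine per user: a counting window that starts at the first failed attempt and resets after the counter-reset time, a lock that is applied once the maximum number of failures is reached within that window, and a lock that expires after the lockout duration. The following Python model is added here as an illustration; it is not code from HUAWEI CLOUD or from this guide. It uses the documented defaults and value ranges; the in-memory dictionary standing in for the user store and the use of epoch seconds for timestamps are assumptions of the example.

```python
"""Account lockout evaluation mirroring the Login Authentication Policy.

Added example, not HUAWEI CLOUD code. The three knobs are the policy
settings (counter reset window, maximum failed attempts, lockout duration).
Timestamps are seconds since the epoch; the in-memory dictionary is an
assumed stand-in for the store a real authentication service would use.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Value ranges from the policy description; the defaults are the documented ones.
RESET_COUNTER_MINUTES = 15   # allowed 15-60
MAX_FAILED_ATTEMPTS = 5      # allowed 3-10
LOCKOUT_MINUTES = 15         # allowed 15-30


@dataclass
class LoginState:
    failures: int = 0
    first_failure_at: Optional[float] = None  # start of the current counting window
    locked_until: Optional[float] = None      # None while the account is not locked


class LockoutPolicy:
    def __init__(self, reset_minutes=RESET_COUNTER_MINUTES,
                 max_attempts=MAX_FAILED_ATTEMPTS, lockout_minutes=LOCKOUT_MINUTES):
        # Reject values outside the ranges the policy tab accepts.
        if not 15 <= reset_minutes <= 60:
            raise ValueError("counter reset time must be 15-60 minutes")
        if not 3 <= max_attempts <= 10:
            raise ValueError("maximum unsuccessful attempts must be 3-10")
        if not 15 <= lockout_minutes <= 30:
            raise ValueError("lockout duration must be 15-30 minutes")
        self.reset_window = reset_minutes * 60
        self.max_attempts = max_attempts
        self.lockout = lockout_minutes * 60
        self.users: Dict[str, LoginState] = {}

    def _state(self, user):
        return self.users.setdefault(user, LoginState())

    def is_locked(self, user, now):
        """True while a lock is in force; an expired lock is cleared on the way out."""
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        self.users[user] = LoginState()   # lock expired: start with a clean counter
        return False

    def record_failure(self, user, now):
        """Register a failed login. Returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        st = self._state(user)
        # The counter resets once the reset window since the first failure has elapsed.
        if st.first_failure_at is None or now - st.first_failure_at >= self.reset_window:
            st.failures, st.first_failure_at = 0, now
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout
            return True
        return False

    def record_success(self, user, now):
        """A correct password is ignored while locked; otherwise it clears the counter."""
        if self.is_locked(user, now):
            return False
        self.users[user] = LoginState()
        return True
```

Note that a correct password submitted during the lockout is rejected without clearing the lock, which is what makes the control effective against online guessing: an attacker who hits the right password on the sixth try still has to wait.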

Account Disabling

Set a validity period after which IAM users are disabled if they have not accessed HUAWEI CLOUD through the console or APIs within that period.

This option is disabled by default. The validity period ranges from 1 to 240 days.

If you enable this option, the setting takes effect only for IAM users created using your account. If an IAM user is disabled, the user can request the administrator to enable the account again.


Recent Login Information

Configure whether IAM displays your previous login information after you log in. If the login information displayed on the Login Verification page is not yours, change your password immediately.

This option is disabled by default and can be enabled by the administrator.

Custom Information

Set custom information that is displayed upon successful login, for example, the word Welcome.

This option is disabled by default and can be enabled by the administrator.

You and all the IAM users created using your account see the same message upon successful login.

8.5 Password Policy

The Password Policy tab of the Security Settings page provides the Password Composition & Reuse, Password Expiration, and Minimum Password Age settings.

Only the administrator can configure the password policy; IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or to grant the required permissions.

You can configure the password policy to ensure that IAM users create strong passwords and rotate them periodically. In the password policy, you can define password requirements, such as the minimum password length, whether consecutive identical characters are allowed in a password, and whether previously used passwords may be reused.

NOTE

If your HUAWEI CLOUD account has already been upgraded to a HUAWEI ID, the password policy does not take effect for the ID.

Password Composition & Reuse

● Set the minimum number of character types that a password must contain, from 2 to 4 of the following: uppercase letters, lowercase letters, digits, and special characters. By default, the password must contain at least 2 of these character types.
● Set the minimum number of characters that a password must contain. The value ranges from 6 to 32, and the default value is 6.
● (Optional) Enable the Restrict consecutive identical characters option and set the maximum number of times a character may appear consecutively in a password. For example, the value 1 means that consecutive identical characters are not allowed.
● (Optional) Enable the Disallow previously used passwords option and set the number of previously used passwords that may not be reused. For example, the value 3 means that, when setting a new password, the user cannot reuse any of their last three passwords.

Password Expiration

Set a validity period for passwords so that users change their passwords periodically. Users are prompted to change their passwords 15 days before expiration. Expired passwords cannot be used to log in to HUAWEI CLOUD.

This option is disabled by default. If you enable it, you can set a validity period from 1 to 180 days.

NOTE

The change takes effect only for passwords created after you set the validity period. Passwords created before you set the validity period remain valid for their original validity period.

Minimum Password Age

To prevent password loss through frequent password changes, you can set a minimum period that must elapse before users are allowed to change their password again.

This option is disabled by default. If you enable it, you can set a period from 0 to 1440 minutes.
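The composition, reuse, and minimum-age rules above are simple to state but easy to get subtly wrong when implemented, for example by comparing a new password against stored plaintext history or by forgetting that a space counts as a special character. The following Python checker is an added example, not code from HUAWEI CLOUD or from this guide. It applies the documented settings and value ranges, keeps the password history as salted PBKDF2 digests (an assumption; the guide does not describe how IAM stores history), and treats any non-alphanumeric character as a special character.

```python
"""Password policy checker mirroring the Password Policy tab.

Added example, not HUAWEI CLOUD code. It enforces the number of character
types, the minimum length, the consecutive-identical-characters limit, the
previously-used-passwords history and the minimum password age. History is
kept as salted PBKDF2 digests (an assumption of this example).
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class PasswordPolicy:
    min_char_types: int = 2                  # 2-4, default 2
    min_length: int = 6                      # 6-32, default 6
    max_consecutive: Optional[int] = None    # None = option disabled; 1 = no repeats at all
    history_size: Optional[int] = None       # None = option disabled; 3 = last three rejected
    min_age_minutes: Optional[int] = None    # None = option disabled; 0-1440

    def __post_init__(self):
        if not 2 <= self.min_char_types <= 4:
            raise ValueError("character types must be 2-4")
        if not 6 <= self.min_length <= 32:
            raise ValueError("minimum length must be 6-32")
        if self.min_age_minutes is not None and not 0 <= self.min_age_minutes <= 1440:
            raise ValueError("minimum password age must be 0-1440 minutes")


def char_types(pw: str) -> int:
    """Count which of the four classes (upper, lower, digit, special) appear."""
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
    count = sum(any(c in cls for c in pw) for cls in classes)
    if any(not c.isalnum() for c in pw):   # anything else, including space, is 'special'
        count += 1
    return count


def longest_run(pw: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def remember_password(pw: str) -> Tuple[bytes, bytes]:
    """Record to store in the history list: (salt, digest)."""
    salt = os.urandom(16)
    return salt, _digest(pw, salt)


def check_password(policy: PasswordPolicy, new_pw: str,
                   history: Iterable[Tuple[bytes, bytes]] = (),
                   last_changed: Optional[float] = None,
                   now: Optional[float] = None) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable.

    history: (salt, digest) pairs of earlier passwords, newest first.
    last_changed / now: minutes since the epoch, used for the minimum-age rule.
    """
    problems = []
    if len(new_pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if char_types(new_pw) < policy.min_char_types:
        problems.append(f"fewer than {policy.min_char_types} character types")
    if policy.max_consecutive is not None and longest_run(new_pw) > policy.max_consecutive:
        problems.append(f"more than {policy.max_consecutive} consecutive identical characters")
    if policy.history_size:
        for salt, digest in list(history)[:policy.history_size]:
            if hmac.compare_digest(_digest(new_pw, salt), digest):
                problems.append(f"matches one of the last {policy.history_size} passwords")
                break
    if (policy.min_age_minutes is not None and last_changed is not None
            and now is not None and now - last_changed < policy.min_age_minutes):
        problems.append(f"changed less than {policy.min_age_minutes} minutes ago")
    return problems
```

The history comparison derives a digest of the candidate password with each stored salt and compares in constant time, so the checker never needs the old passwords themselves; a compromised history table yields only salted digests.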

8.6 ACL

The ACL tab of the Security Settings page provides the IP Address Ranges, IPv4 CIDR Blocks, and VPC Endpoints settings for allowing user access only from specified IP address ranges, IPv4 CIDR blocks, or VPC endpoints.


Only the administrator can configure the ACL; IAM users cannot. If an IAM user needs to configure the ACL, the user can request the administrator to perform the configuration or to grant the required permissions.

Access type:
● Console Access: The ACL takes effect only for IAM users who are created using your account and have permissions to access the console.
● API Access: The ACL takes effect only for IAM users and controls their API access through API Gateway. The ACL takes effect 2 hours after you complete the configuration.

NOTE

You can configure a maximum of 200 access control items.

IP Address Ranges

Specify IP address ranges between 0.0.0.0 and 255.255.255.255 from which access to HUAWEI CLOUD is allowed. The default value is 0.0.0.0–255.255.255.255. If this parameter is left blank or the default value is used, your IAM users can access the HUAWEI CLOUD console from anywhere.

IPv4 CIDR Blocks

Specify IPv4 CIDR blocks from which access to HUAWEI CLOUD is allowed, for example, 10.10.10.10/32.

VPC Endpoints

Specify VPC endpoints, such as 0ccad098-b8f4-495a-9b10-613e2a5exxxx, from which API-based access to HUAWEI CLOUD is allowed.

NOTE

● If IP Address Ranges, IPv4 CIDR Blocks, and VPC Endpoints are all set, users who meet the configured conditions are allowed to access HUAWEI CLOUD.
● To restore IP Address Ranges to the default setting (0.0.0.0–255.255.255.255) and clear the settings in IPv4 CIDR Blocks and VPC Endpoints, click Restore Defaults.
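As an added illustration (not code from HUAWEI CLOUD or from this guide), the following Python class evaluates a requester against the three ACL settings. It assumes that an IP address range is written as an inclusive start-end pair, that an empty configuration or the default 0.0.0.0–255.255.255.255 range allows every address when no CIDR block is configured either, that a requester matching any configured entry is allowed (the guide does not spell out how the three lists combine), and that VPC endpoint IDs are compared exactly. The addresses and the endpoint ID in the sample ACL are constructed.

```python
"""Source-address evaluation mirroring the ACL tab settings.

Added example, not HUAWEI CLOUD code. Assumptions: ranges are inclusive
'start-end' strings; an empty configuration or the default range allows any
address; the lists are ORed; VPC endpoint IDs are matched exactly. The
sample ACL at the bottom is constructed for the example.
"""
import ipaddress
from typing import Iterable, Optional, Tuple

DEFAULT_RANGE = "0.0.0.0-255.255.255.255"
MAX_ITEMS = 200   # console limit stated in the guide


def parse_range(text: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Parse 'a.b.c.d-w.x.y.z' (an en dash is accepted too) into an inclusive pair."""
    start_s, end_s = text.replace("\u2013", "-").split("-", 1)
    start, end = ipaddress.IPv4Address(start_s.strip()), ipaddress.IPv4Address(end_s.strip())
    if end < start:
        raise ValueError(f"range end precedes start: {text}")
    return start, end


class AccessAcl:
    def __init__(self, ip_ranges: Iterable[str] = (), cidr_blocks: Iterable[str] = (),
                 vpc_endpoints: Iterable[str] = ()):
        ip_ranges, cidr_blocks, vpc_endpoints = list(ip_ranges), list(cidr_blocks), list(vpc_endpoints)
        if len(ip_ranges) + len(cidr_blocks) + len(vpc_endpoints) > MAX_ITEMS:
            raise ValueError(f"at most {MAX_ITEMS} access control items are allowed")
        self.ranges = [parse_range(r) for r in ip_ranges]
        # strict=False so that a host address such as 10.10.10.10/32 is accepted as written
        self.cidrs = [ipaddress.IPv4Network(c, strict=False) for c in cidr_blocks]
        self.endpoints = set(vpc_endpoints)

    def allows_ip(self, addr: str) -> bool:
        """Access from an IP address: any range or CIDR match allows it.
        With neither ranges nor CIDR blocks configured, every address is allowed."""
        ip = ipaddress.IPv4Address(addr)
        if not self.ranges and not self.cidrs:
            return True
        if any(lo <= ip <= hi for lo, hi in self.ranges):
            return True
        return any(ip in net for net in self.cidrs)

    def allows_endpoint(self, endpoint_id: str) -> bool:
        """API access through a VPC endpoint: the endpoint ID must be listed."""
        return endpoint_id in self.endpoints

    def allows(self, addr: Optional[str] = None, endpoint_id: Optional[str] = None) -> bool:
        if addr is not None and self.allows_ip(addr):
            return True
        return endpoint_id is not None and self.allows_endpoint(endpoint_id)


# Constructed sample: an office range, one bastion host and one VPC endpoint.
SAMPLE_ACL = AccessAcl(
    ip_ranges=["192.0.2.10-192.0.2.20"],
    cidr_blocks=["10.10.10.10/32"],
    vpc_endpoints=["vpcep-example-0001"],
)
```

When reviewing an ACL, test it with the addresses that must be rejected as well as those that must pass; a range typed with the endpoints reversed is rejected by parse_range, but a range that is merely too wide is not something a parser can catch.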


9 Identity Providers

Introduction

SAML-based Federated Identity Authentication

OpenID Connect–based Federated Identity Authentication

Syntax of Identity Conversion Rules

9.1 Introduction

HUAWEI CLOUD provides the identity provider function to implement federated identity authentication based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your own identity authentication system to access resources in your HUAWEI CLOUD account through single sign-on (SSO).

HUAWEI CLOUD supports two types of federated identity authentication:

● WebSSO: Browsers are used as the communication medium. This authentication type enables common users to access HUAWEI CLOUD using browsers.

● API calling: Development tools (such as OpenStack Client and Shibboleth ECP Client) are used as the communication medium. This authentication type enables enterprise users and common users to access HUAWEI CLOUD by calling APIs.

This chapter describes how to access HUAWEI CLOUD through WebSSO login. For details about how to access HUAWEI CLOUD by calling APIs, see Federated Identity Authentication Management.

Basic Concepts

● Identity Provider (IdP)

An identity provider collects and stores user identity information, such as usernames and passwords, and authenticates users during login. For federated identity authentication between an enterprise and HUAWEI CLOUD, the identity authentication system of the enterprise is the identity provider. Common third-party identity providers include Microsoft Active Directory Federation Services (AD FS) and Shibboleth.


● Service Provider (SP)

A service provider establishes a trust relationship with an identity provider and uses the user information provided by the identity provider to provide services. For federated identity authentication between an enterprise and HUAWEI CLOUD, HUAWEI CLOUD is the service provider.

● Federated identity authentication

Federated identity authentication is a process in which a trust relationship is established between an enterprise identity provider and a service provider to implement SSO.

● SSO

SSO is an access type that allows a user to access a trusted service provider system after logging in to the enterprise identity provider system. For example, after a trust relationship is established between an identity provider and HUAWEI CLOUD, users in the identity provider system can use their existing accounts and passwords to access HUAWEI CLOUD through the login link in the identity provider system.

● SAML 2.0

SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about an end user between an identity provider and a service provider. It is an open standard ratified by the Organization for the Advancement of Structured Information Standards (OASIS) and is used by many identity providers. For more information about this standard, see SAML 2.0 Technical Overview. HUAWEI CLOUD implements federated identity authentication in compliance with SAML 2.0. To successfully federate existing users to HUAWEI CLOUD, ensure that your identity provider is compatible with this protocol.

● OpenID Connect

OpenID Connect is a simple identity layer on top of the Open Authorization 2.0 (OAuth 2.0) protocol. HUAWEI CLOUD implements federated identity authentication in compliance with OpenID Connect 1.0. To successfully federate existing users to HUAWEI CLOUD, ensure that your identity provider is compatible with this protocol. For more information about OpenID Connect, see Welcome to OpenID Connect.

● OAuth 2.0

OAuth 2.0 is an open authorization protocol. The authorization framework of this protocol allows third-party applications to obtain access permissions.

Advantages of Federated Identity Authentication

● Easy user management

As an administrator, you only need to create users in the enterprise management system. The users can use their own accounts to access both the enterprise management system and HUAWEI CLOUD (see Figure 9-1).

● Simplified operations

To access the enterprise management system and HUAWEI CLOUD, users in the enterprise only need to log in to the enterprise management system (see Figure 9-1).


Figure 9-1 Advantages of federated identity authentication

Precautions

● To implement federated identity authentication, ensure that your identity provider server and HUAWEI CLOUD use the same time zone (Greenwich Mean Time, GMT) and keep their clocks synchronized. SAML assertions carry a validity window, so clock skew between the two systems causes logins to fail.

● Federated users are virtual identities that your identity provider maps to HUAWEI CLOUD. The identity information of federated users is stored in the identity provider system, so their access to HUAWEI CLOUD has the following restrictions:
– Federated users do not need to complete verification when performing critical operations. The critical operation protection settings on HUAWEI CLOUD do not apply to federated users.
– Federated users cannot create access keys with unlimited validity, but they can obtain temporary access credentials using user or agency tokens (see Obtaining a Temporary Access Key and SecurityToken). If a federated user needs an access key with unlimited validity, the user can ask the account administrator or an IAM user to create one. An access key carries the permissions of the IAM user who owns it, so it is recommended that an IAM user in the same user group as the federated user create the key; the federated user then does not gain more permissions than they were granted.

9.2 SAML-based Federated Identity Authentication

9.2.1 Configuration of SAML-based Federated Identity Authentication

This section describes the process and configuration of SAML-based federated identity authentication between an enterprise identity provider and HUAWEI CLOUD.


CAUTION

Ensure that your identity provider system supports SAML 2.0.

Configuring Federated Identity Authentication

To implement federated identity authentication between an identity provider and HUAWEI CLOUD, complete the following configuration:

1. Establish a trust relationship and create an identity provider: Exchange the metadata files of the identity provider and HUAWEI CLOUD (see Figure 9-2).

Figure 9-2 Metadata file exchange model

2. Configure identity conversion rules: Map the users, user groups, and permissions in the identity provider system to HUAWEI CLOUD (see Figure 9-3).

Figure 9-3 User identity conversion model


3. Configure a login link: Configure a login link (see Figure 9-4) in the enterprise management system to allow users to access HUAWEI CLOUD through SSO.

Figure 9-4 SSO login model

Process of Federated Identity Authentication

Figure 9-5 shows the interaction between an identity provider and HUAWEI CLOUD after a user initiates an SSO request.

Figure 9-5 Process of federated identity authentication

NOTE

To inspect the requests and assertions exchanged during login, you are advised to use the Google Chrome browser and install the SAML Message Decoder plug-in.

As shown in Figure 9-5, the process of federated identity authentication is as follows:

1. A user uses a browser to open the login link obtained from IAM, and the browser sends an SSO request to HUAWEI CLOUD.


2. HUAWEI CLOUD looks up the metadata file based on the login link and sends a SAML request to the browser.

3. The browser forwards the SAML request to the enterprise identity provider.

4. The user enters their username and password on the login page displayed by the identity provider system. After the identity provider authenticates the user, it constructs a SAML assertion containing the user information and sends the assertion to the browser as a SAML response.

5. The browser forwards the SAML response to HUAWEI CLOUD.

6. HUAWEI CLOUD parses the assertion in the SAML response, identifies the user group the user is mapped to according to the configured identity conversion rules, and issues a token to the user.

7. If the login is successful, the user accesses HUAWEI CLOUD.

NOTE

The assertion must carry a signature; otherwise, the login fails. HUAWEI CLOUD verifies the signature with the signing certificate configured in the identity provider metadata.

9.2.2 Step 1: Create an Identity Provider

To establish a trust relationship between an enterprise identity provider and HUAWEI CLOUD, upload the metadata file of HUAWEI CLOUD to the identity provider, and then create an identity provider and upload the metadata file of the identity provider on the IAM console.

Prerequisites

As an enterprise administrator, you have registered an account on HUAWEI CLOUD, created user groups, and granted them permissions in IAM. For details, see Creating a User Group and Assigning Permissions.

NOTE

The user groups created in IAM will be used to assign permissions to identity provider users mapped to HUAWEI CLOUD.

Establishing a Trust Relationship Between the Identity Provider and HUAWEI CLOUD

The metadata file of HUAWEI CLOUD needs to be configured on the identity provider to establish a trust relationship between the two systems.

Step 1 Download the metadata file of HUAWEI CLOUD.

Download the metadata file at https://auth-intl.huaweicloud.com/authui/saml/metadata.xml (Google Chrome is recommended), and save the file as SP-metadata.xml.

Step 2 Upload the metadata file to the identity provider server. For details about how to upload the metadata file, see the documentation of your identity provider.

Step 3 Obtain the metadata file of the enterprise identity provider. For details about how to obtain the metadata file, see the documentation of your identity provider.

----End


Creating an Identity Provider on HUAWEI CLOUD

Create an identity provider and configure the metadata file in IAM.

Step 1 Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.

Step 2 Specify the name, protocol, status, and description of the identity provider.

NOTE

The identity provider name must be unique under your account.

Step 3 Click OK.

----End

Configuring the Metadata File for the Enterprise Identity Provider

Configure the metadata of the enterprise identity provider on HUAWEI CLOUD. You can upload a metadata file or edit the metadata manually in IAM. For a metadata file larger than 500 KB, configure the metadata manually. If the metadata changes, upload the latest metadata file or edit the existing metadata so that federated users can continue to log in to HUAWEI CLOUD.

NOTE

For details about how to obtain the metadata file, see the documentation of the enterprise identity provider.

● Upload a metadata file.

a. Click Modify in the row containing the identity provider.
b. Click Select File and select the metadata file you have obtained.

Figure 9-6 Uploading a metadata file

c. Click Upload. The metadata extracted from the uploaded file is displayed. Click OK.
   ▪ If the uploaded metadata file contains multiple identity providers, select the identity provider you want to use from the Entity ID drop-down list.
   ▪ If a message is displayed indicating that no entity ID is specified or that the signing certificate has expired, check the metadata file and upload it again, or configure the metadata manually.
d. Click OK.

● Manually configure metadata.

a. Click Manually configure.


b. In the Configure Metadata dialog box, set the metadata parameters, such as the entity ID, signing certificate, and SingleSignOnService.

Parameter | Mandatory | Description

Entity ID | Yes | The unique identifier of an identity provider. Enter the value of entityID displayed in the identity provider metadata file. If the metadata file contains multiple identity providers, choose the one you want to use.

Protocol | Yes | The SAML protocol is used for federated identity authentication between an enterprise identity provider and service provider.

NameIdFormat | No | Enter the value of NameIdFormat displayed in the metadata file. This parameter indicates the username and ID format used for communication between the identity provider and federated users.

Signing Certificate | Yes | Enter the value of <X509Certificate> displayed in the metadata file. A signing certificate is a public key certificate used for signature verification. For security purposes, use a certificate whose public key is no less than 2048 bits. The signing certificate is used during federated identity authentication to ensure that assertions are authentic and have not been tampered with.

SingleSignOnService | Yes | Enter the value of SingleSignOnService displayed in the metadata file. This parameter defines how SAML requests are sent during the SSO process. The SingleSignOnService parameter in the metadata file must support HTTP Redirect or HTTP POST.

SingleLogoutService | No | Enter the value of SingleLogoutService displayed in the metadata file. This parameter indicates the address to which federated users are redirected after logging out of their sessions. The SingleLogoutService parameter in the metadata file must support HTTP Redirect or HTTP POST.


The following example shows the metadata file of an enterprise identity provider and the metadata information that needs to be entered during manual configuration.

Figure 9-7 Metadata file of an enterprise identity provider

Figure 9-8 Manually configuring metadata

c. Click OK.

● Click OK to save the settings.
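To tie the manual-configuration parameters above to what a metadata file actually contains, and to the note in 9.2.1 that an unsigned assertion is rejected, the following Python script is added here as an illustration; it is not code from HUAWEI CLOUD or from this guide. It pulls the entity ID, NameIDFormat, signing certificate, SingleSignOnService, and SingleLogoutService out of an identity provider metadata document, applies the checks the console reports (no entity ID, a certificate value that is not valid base64, an SSO endpoint that supports neither HTTP Redirect nor HTTP POST), and tests whether a SAML response carries a Signature element. The metadata document and the certificate value are constructed placeholders, so the script does not check the key size or expiry (that needs an X.509 parser), and it checks only for the presence of a signature, not its validity (that needs an XML-DSig library).

```python
"""Read the Configure Metadata parameters from SAML 2.0 IdP metadata and
check a SAML response for a signature.

Added example, not HUAWEI CLOUD code. The metadata below is a constructed
sample with a placeholder certificate string; key size and expiry are not
checked, and signature presence is checked but not verified.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUPPORTED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def _endpoints(idp, tag):
    """(Binding, Location) pairs for the endpoint element, supported bindings only."""
    return [(e.get("Binding"), e.get("Location"))
            for e in idp.findall(f"md:{tag}", NS) if e.get("Binding") in SUPPORTED_BINDINGS]


def idp_config_from_metadata(xml_text, entity_id=None):
    """Return the fields the Configure Metadata dialog asks for.

    entity_id selects one EntityDescriptor when the file holds several (the
    Entity ID drop-down). Raises ValueError for a missing entity ID, a signing
    certificate that is not valid base64, or no SSO endpoint using
    HTTP-Redirect or HTTP-POST.
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        descriptors = [root]
    else:                                   # EntitiesDescriptor wrapping several IdPs
        descriptors = root.findall("md:EntityDescriptor", NS)
    if entity_id is not None:
        descriptors = [d for d in descriptors if d.get("entityID") == entity_id]
    if len(descriptors) != 1:
        raise ValueError("metadata must resolve to exactly one EntityDescriptor")
    desc = descriptors[0]
    eid = desc.get("entityID")
    if not eid:
        raise ValueError("no entity ID is specified")
    idp = desc.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            value = "".join((c.text or "").split())
            try:
                base64.b64decode(value, validate=True)
            except binascii.Error:
                raise ValueError("signing certificate is not valid base64") from None
            certs.append(value)
    if not certs:
        raise ValueError("no signing certificate in metadata")
    sso = _endpoints(idp, "SingleSignOnService")
    if not sso:
        raise ValueError("SingleSignOnService must support HTTP-Redirect or HTTP-POST")
    name_id = idp.find("md:NameIDFormat", NS)
    return {
        "entity_id": eid,
        "protocol": "SAML",
        "name_id_format": name_id.text.strip() if name_id is not None and name_id.text else None,
        "signing_certificates": certs,
        "single_sign_on_service": sso,
        "single_logout_service": _endpoints(idp, "SingleLogoutService"),
    }


def assertion_is_signed(response_xml):
    """True if the Response or any Assertion in it carries a ds:Signature (presence only)."""
    root = ET.fromstring(response_xml)
    if root.find("ds:Signature", NS) is not None:
        return True
    return any(a.find("ds:Signature", NS) is not None
               for a in root.findall("saml:Assertion", NS))


# Constructed sample metadata; the certificate is a placeholder, not a real key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBfakecertificateplaceholderAAAAAA</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run idp_config_from_metadata on the real file you obtained from the identity provider before entering values in the dialog; the entries it returns are the ones to copy, and the errors it raises correspond to the messages the console shows when an upload is rejected.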


Logging In as a Federated User

Step 1 Click the login link displayed on the identity provider details page to check whether the login page of the identity provider server is displayed.

1. On the Identity Providers page, click View in the Operation column of the identity provider. Copy the login link displayed on the identity provider details page and open it in a browser.

2. If the login page is not displayed, check the metadata file and the configuration of the identity provider server.

Step 2 Enter the username and password of a user that was created in the enterprise management system.
● If the login is successful, add the login link to the enterprise's official website.
● If the login fails, check the username and password.

NOTE

Federated users only have read permissions for HUAWEI CLOUD by default. To assign permissions to federated users, configure identity conversion rules for the identity provider. For more information, see Step 2: Configure Identity Conversion Rules.

----End

Related Operations

● Viewing identity provider information: In the identity provider list, click View in the row containing the identity provider, and view its basic information, metadata, and identity conversion rules.

NOTE

To modify the configurations of an identity provider, click Modify at the bottom of the details page.

● Modifying an identity provider: In the identity provider list, click Modify in the row containing the identity provider, and then change its status and modify the description, metadata, and identity conversion rules.

● Deleting an identity provider: In the identity provider list, click Delete in the row containing the identity provider, and click Yes.

Follow-Up Procedure

● In the Identity Conversion Rules area, configure identity conversion rules to map identity provider users to IAM user groups and grant the users permissions. For details, see Step 2: Configure Identity Conversion Rules.

● Configure the enterprise management system to allow users to access HUAWEI CLOUD through SSO. For details, see Step 3: Configure Login Link in the Enterprise Management System.

9.2.3 Step 2: Configure Identity Conversion Rules

Federated users are named FederationUser by default on HUAWEI CLOUD. These users can only log in to HUAWEI CLOUD and have no other permissions. You can configure identity conversion rules on the IAM console to achieve the following:


● Display federated users with different names on HUAWEI CLOUD.

● Grant federated users permissions to use HUAWEI CLOUD resources by mapping these users to IAM user groups. Ensure that you have created the required user groups. For details, see Creating a User Group and Assigning Permissions.

NOTE

● Modifications to identity conversion rules will take effect only after the federated users log in again.

● To modify the permissions of a federated user, modify the permissions of the user group to which the user belongs. Then restart the identity provider system for the modifications to take effect.

Prerequisites

An identity provider has been created in HUAWEI CLOUD, and the login link of the identity provider is accessible. (For details about how to create and verify an identity provider, see Step 1: Create an Identity Provider.)

Procedure

If you configure identity conversion rules by clicking Create Rule, IAM converts the rule parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in the JSON format. For details, see Syntax of Identity Conversion Rules.

● Creating a Rule

a. Choose Identity Providers from the navigation pane.

b. In the identity provider list, click Modify in the row containing the identity provider.

c. In the Identity Conversion Rules area, click Create Rule. Then, configure the rule in the Create Rule dialog box.

Figure 9-9 Clicking Create Rule


Figure 9-10 Creating a rule

Table 9-1 Parameter description

Parameter: Username
Description: Username of federated users to be displayed on HUAWEI CLOUD
Remarks: To distinguish federated users from HUAWEI CLOUD users, it is recommended that you set the username to "FederationUser-IdP_XXX". IdP indicates an identity provider name, for example, AD FS and Shibboleth. XXX indicates a custom name. You can also set the federated username to a simple expression, for example, FederationUser-IdP_{email}. After the rule is created successfully, {email} is automatically replaced with the email address of each federated user. The rule takes effect only if a returned assertion contains an email address.
NOTICE: Each federated username must be unique under the account. Identical usernames under one or more identity providers of the same account will be identified as the same federated user in HUAWEI CLOUD.

Parameter: User Group
Description: User groups to which the federated users will belong in HUAWEI CLOUD
Remarks: The federated users will inherit permissions from the groups to which they belong.


Parameter: Rule Conditions
Description: Conditions that a federated user must meet to obtain permissions from the selected user groups
Remarks: Federated users who do not meet these conditions cannot access HUAWEI CLOUD. You can create a maximum of 10 conditions for an identity conversion rule. The Attribute and Value parameters are used for the enterprise identity provider to transfer user information to HUAWEI CLOUD through SAML assertions. The Condition parameter can be set to empty, any_one_of, or not_any_of. For details about these parameters, see Syntax of Identity Conversion Rules.
NOTE
● An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
● An identity provider can have multiple identity conversion rules. If a federated user does not meet any of the rules, the user will not be allowed to access HUAWEI CLOUD.

For example, set an identity conversion rule for enterprise administrators.

▪ Username: FederationUser-IdP_admin_{email}

▪ User group: admin

▪ Rule condition: _NAMEID_ (attribute), any_one_of (condition), and ID1;ID2;ID3 (value). Only users with ID1, ID2, or ID3 inherit permissions from the admin user group.

d. In the Create Rule dialog box, click OK.

e. On the Modify Identity Provider page, click OK.

● Editing a Rule

a. Log in to HUAWEI CLOUD as an administrator, and go to the IAM console. Then, choose Identity Providers from the navigation pane.

b. In the identity provider list, click Modify in the row containing the identity provider.

c. In the Identity Conversion Rules area, click Edit Rule. Then configure the rule in the Edit Rule dialog box.

d. Edit the identity conversion rule in the JSON format. For details, see Syntax of Identity Conversion Rules.

e. Click Validate to verify the syntax of the rule.

f. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.


If a message indicating that the JSON file is incomplete is displayed, modify the statement or click Cancel to cancel the modifications.

Verifying Federated User Permissions

After configuring identity conversion rules, verify the permissions of federated users.

Step 1 Log in to HUAWEI CLOUD as a federated user, such as user ID1.

On the Identity Providers page of the IAM console, click View in the row containing the identity provider. Copy the login link displayed on the identity provider details page, open the link using a browser, and then enter the username and password.

Step 2 Check that the federated user has the permissions assigned to the user group to which the user belongs.

For example, an identity conversion rule has defined full permissions for all cloud services for federated user ID1 in the admin user group. On the management console, select any cloud service, and check if you can access the service.

----End

Related Operations

Viewing identity conversion rules: Click View Rule on the Modify Identity Provider page. The identity conversion rules are displayed in the JSON format. For details about the JSON format, see Syntax of Identity Conversion Rules.

9.2.4 Step 3: Configure Login Link in the Enterprise Management System

Configure the login link of the identity provider in the enterprise management system so that enterprise users can use this link to access HUAWEI CLOUD.

Prerequisites

● An identity provider has been created in HUAWEI CLOUD, and the login link of the identity provider is accessible. (For details about how to create and verify an identity provider, see Step 1: Create an Identity Provider.)

● A HUAWEI CLOUD login link has already been configured in the enterprise management system.

Procedure

Step 1 Log in to the IAM console, and choose Identity Providers from the navigation pane.

Step 2 Click View in the row containing the identity provider.

Step 3 Click Copy next to the login link.

Step 4 Add the following statement to the page file of the enterprise management system:


<a href="<Login link>"> Login </a>

Step 5 Log in to the enterprise management system, and then click the configured HUAWEI CLOUD login link to access HUAWEI CLOUD.

----End

9.3 OpenID Connect-based Federated Identity Authentication

9.3.1 Configuration of OpenID Connect-based Federated Identity Authentication

This section describes the process and configuration of OpenID Connect-based federated identity authentication between an enterprise identity provider and HUAWEI CLOUD.

Configuring Federated Identity Authentication

To implement federated identity authentication between an identity provider and HUAWEI CLOUD, complete the following configuration:

1. Establish a trust relationship and create an identity provider: Create OAuth 2.0 credentials in the enterprise identity provider, and create an identity provider in HUAWEI CLOUD.

2. Configure identity conversion rules: Map the users, user groups, and permissions in the identity provider to HUAWEI CLOUD.

3. Configure a login link: Configure a login link in the enterprise management system to allow users to access HUAWEI CLOUD through SSO.

Process of Federated Identity Authentication

Figure 9-11 shows the interaction between an identity provider and HUAWEI CLOUD after a user initiates an SSO request.


Figure 9-11 Process of federated identity authentication

The process of federated identity authentication is as follows:

1. A user uses a browser to open the login link obtained from IAM, and then the browser sends an SSO request to HUAWEI CLOUD.

2. HUAWEI CLOUD searches for identity provider configurations based on the login link, and sends an OpenID Connect authorization request to the browser.

3. The browser forwards the authorization request to the enterprise identity provider.

4. The user enters their username and password on the login page displayed in the identity provider system. After the identity provider authenticates the user's identity, it constructs an ID token containing the user information, and sends the ID token to the browser as an OpenID Connect authorization response.

5. The browser responds and forwards the authorization response to HUAWEI CLOUD.

6. HUAWEI CLOUD parses the ID token in the authorization response, and issues a token to the user after identifying the group to which the user is mapped, according to the configured identity conversion rules.

7. If the login is successful, the user accesses HUAWEI CLOUD successfully.

9.3.2 Step 1: Create an Identity Provider

To establish a trust relationship between an enterprise identity provider and HUAWEI CLOUD, create an identity provider and configure authorization information on the IAM console, and set the user redirect URLs and create OAuth 2.0 credentials in the enterprise identity provider.


Prerequisites

As an enterprise administrator, you have registered an account on HUAWEI CLOUD and created user groups and granted them permissions in IAM. For details, see Creating a User Group and Assigning Permissions.

NOTE

The user groups created in IAM will be used to assign permissions to identity provider users mapped to HUAWEI CLOUD.

Creating OAuth 2.0 Credentials in the Enterprise Identity Provider

Step 1 Set redirect URLs https://auth.huaweicloud.com/authui/oidc/redirect and https://auth.huaweicloud.com/authui/oidc/post in the enterprise identity provider so that users can be redirected to the OpenID Connect identity provider in HUAWEI CLOUD.

Step 2 Obtain OAuth 2.0 credentials of the enterprise identity provider.

NOTE

The configurations vary depending on the identity provider. For details about the required configurations, see the documentation provided by your identity provider.

----End

Creating an Identity Provider on HUAWEI CLOUD

Create an identity provider and configure authorization information in IAM.

Step 1 Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.

Step 2 Enter an identity provider name, select OpenID Connect and Enabled, and click OK.

NOTE

The identity provider name must be unique under your account.

----End

Configuring Authorization Information in HUAWEI CLOUD

Step 1 Click Modify in the Operation column of the row containing the identity provider you want to modify.

Step 2 Select an access type.


Table 9-2 Access type description

Access Type: Programmatic access and management console access
Description:
● Programmatic access: Federated users can use development tools (including APIs, CLI, and SDKs) that support key authentication to access HUAWEI CLOUD.
● Management console access: Federated users can log in to the HUAWEI CLOUD console by using their own usernames and passwords.
Select this access type if you want to access HUAWEI CLOUD using SSO.

Access Type: Programmatic access
Description: Federated users can only use development tools (including APIs, CLIs, and SDKs) that support key authentication to access HUAWEI CLOUD.

Step 3 Specify the configuration information.

Table 9-3 Configuration information

Parameter: Identity Provider URL
Description: URL of the OpenID Connect identity provider. Specify this parameter as the value of issuer in the Openid-configuration.
NOTE: Openid-configuration indicates a URL defined in OpenID Connect, containing configurations of an enterprise identity provider. The URL format is https://{base URL}/.well-known/openid-configuration, where base URL is defined by the enterprise identity provider. For example, the Openid-configuration of Google is https://accounts.google.com/.well-known/openid-configuration.

Parameter: Client ID
Description: ID of a client registered with the OpenID Connect identity provider. The client ID is an OAuth 2.0 credential created in the enterprise identity provider.

Parameter: Authorization Endpoint
Description: Authorization endpoint of the OpenID Connect identity provider. Specify this parameter as the value of authorization_endpoint in the Openid-configuration. This field is required only if the access type is set to programmatic access and management console access.


Parameter: Scopes
Description: Scopes of authorization requests. openid is selected by default. This field is required only if the access type is set to programmatic access and management console access. Enumerated values:
● openid
● email
● profile

Parameter: Response Type
Description: Response type of authorization requests. The default value is id_token. This field is required only if the access type is set to programmatic access and management console access.

Parameter: Response Mode
Description: Response mode of authorization requests. The options include form_post and fragment. form_post is recommended.
● form_post: If this mode is selected, set the redirect URL to https://auth.huaweicloud.com/authui/oidc/post in the enterprise identity provider.
● fragment: If this mode is selected, set the redirect URL to https://auth.huaweicloud.com/authui/oidc/redirect in the enterprise identity provider.
This field is required only if the access type is set to programmatic access and management console access.

Parameter: Signing Key
Description: Public key used to sign the ID token of the OpenID Connect identity provider. For account security purposes, change the signing key periodically.

Step 4 Click OK.

----End
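Added example (not code from the guide or from Huawei): a Python check that derives the Table 9-3 values from a provider's Openid-configuration document, confirms the document's issuer matches the base URL it was fetched from, and confirms the provider advertises what HUAWEI CLOUD will request (response type id_token, the chosen response mode, the chosen scopes) before you type the values into the Modify Identity Provider page. The discovery document, the https://idp.example.com base URL and the client ID are constructed placeholders.

```python
import json
from typing import Dict, List, Sequence

# Redirect URLs given in the guide for each response mode (Table 9-3).
REDIRECT_URLS = {
    "form_post": "https://auth.huaweicloud.com/authui/oidc/post",
    "fragment": "https://auth.huaweicloud.com/authui/oidc/redirect",
}
CONSOLE_ACCESS = "Programmatic access and management console access"

# Constructed discovery document for a hypothetical IdP (not a real provider).
EXAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "scopes_supported": ["openid", "email", "profile"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(base_url: str) -> str:
    """Openid-configuration URL for an IdP base URL (OpenID Connect Discovery)."""
    return base_url.rstrip("/") + "/.well-known/openid-configuration"


def build_idp_config(discovery_json: str, expected_base_url: str, client_id: str,
                     access_type: str = CONSOLE_ACCESS,
                     scopes: Sequence[str] = ("openid",),
                     response_mode: str = "form_post") -> Dict[str, object]:
    """Derive the Table 9-3 values from a discovery document and sanity-check them.

    Returns the parameters to enter on the Modify Identity Provider page plus an
    "errors" list; an empty list means the document supports what HUAWEI CLOUD
    will request (id_token via the chosen response mode, the chosen scopes).
    """
    doc = json.loads(discovery_json)
    errors: List[str] = []
    issuer = str(doc.get("issuer", ""))

    # Discovery requires issuer == the URL the document was fetched from (minus
    # the well-known suffix); a mismatch means ID tokens carry an unexpected iss.
    if issuer.rstrip("/") != expected_base_url.rstrip("/"):
        errors.append(f"issuer {issuer!r} does not match {expected_base_url!r}")
    if not issuer.startswith("https://"):
        errors.append("issuer must be an https URL")

    config: Dict[str, object] = {
        "Identity Provider URL": issuer,
        "Client ID": client_id,
        "Access Type": access_type,
        "Signing Key source (jwks_uri)": doc.get("jwks_uri"),
    }
    if access_type != CONSOLE_ACCESS:
        config["errors"] = errors  # programmatic-only: remaining fields not required
        return config

    auth_endpoint = doc.get("authorization_endpoint")
    if not auth_endpoint:
        errors.append("discovery document has no authorization_endpoint")
    if "openid" not in scopes:
        errors.append("scopes must include openid")
    supported_scopes = doc.get("scopes_supported")
    if supported_scopes:
        for scope in scopes:
            if scope not in supported_scopes:
                errors.append(f"scope {scope!r} not advertised by the provider")
    if "id_token" not in doc.get("response_types_supported", []):
        errors.append("provider does not support response_type=id_token")
    # Default from the Discovery spec when response_modes_supported is omitted.
    modes = doc.get("response_modes_supported", ["query", "fragment"])
    if response_mode not in REDIRECT_URLS:
        errors.append(f"response mode {response_mode!r} is not form_post or fragment")
    elif response_mode not in modes:
        errors.append(f"provider does not advertise response_mode={response_mode}")

    config.update({
        "Authorization Endpoint": auth_endpoint,
        "Scopes": list(scopes),
        "Response Type": "id_token",
        "Response Mode": response_mode,
        "Redirect URL to register in the IdP": REDIRECT_URLS.get(response_mode),
        "errors": errors,
    })
    return config


if __name__ == "__main__":
    result = build_idp_config(EXAMPLE_DISCOVERY, "https://idp.example.com", "client-123")
    for key, value in result.items():
        print(f"{key}: {value}")
```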

Logging In as a Federated User

Step 1 Click the login link displayed on the identity provider details page to check if the login page of the identity provider server is displayed.

1. On the Identity Providers page, click Modify in the Operation column of the identity provider.

2. Copy the login link displayed on the Modify Identity Provider page and visit the link using a browser.

3. If the identity provider login page is not displayed, check the configurations of the identity provider and the identity provider server.

Step 2 Enter the username and password of a user that was created in the enterprise management system.


● If the login is successful, add the login link to the enterprise's official website.

● If the login fails, check the username and password.

NOTE

Federated users only have read permissions for HUAWEI CLOUD by default. To assign permissions to federated users, configure identity conversion rules for the identity provider. For more information, see Step 2: Configure Identity Conversion Rules.

----End

Related Operations

● Viewing identity provider information: In the identity provider list, click View in the row containing the identity provider, and view its basic information, metadata, and identity conversion rules.

NOTE

To modify the configurations of an identity provider, click Modify at the bottom of the details page.

● Modifying an identity provider: In the identity provider list, click Modify in the row containing the identity provider, and then change its status and modify the description, metadata, and identity conversion rules.

● Deleting an identity provider: In the identity provider list, click Delete in the row containing the identity provider, and click Yes.

Follow-Up Procedure

● Configure identity conversion rules to map identity provider users to IAM user groups and grant the users permissions. For details, see Step 2: Configure Identity Conversion Rules.

● Configure the enterprise management system to allow users to access HUAWEI CLOUD through SSO. For details, see Step 3: Configure Login Link in the Enterprise Management System.

9.3.3 Step 2: Configure Identity Conversion Rules

Federated users are named FederationUser by default on HUAWEI CLOUD. These users can only log in to HUAWEI CLOUD and they do not have any other permissions. You can configure identity conversion rules on the IAM console to achieve the following:

● Display federated users with different names on HUAWEI CLOUD.

● Grant federated users permissions to use HUAWEI CLOUD resources by mapping these users to IAM user groups. Ensure that you have created the required user groups. For details, see Creating a User Group and Assigning Permissions.

NOTE

● Modifications to identity conversion rules will take effect only after the federated users log in again.

● To modify the permissions of a federated user, modify the permissions of the user group to which the user belongs. Then restart the identity provider system for the modifications to take effect.


Prerequisites

An identity provider has been created in HUAWEI CLOUD, and the login link of the identity provider is accessible. (For details about how to create and verify an identity provider, see Step 1: Create an Identity Provider.)

Procedure

If you configure identity conversion rules by clicking Create Rule, IAM converts the rule parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in the JSON format. For details, see Syntax of Identity Conversion Rules.

● Creating a Rule

a. Choose Identity Providers from the navigation pane.

b. In the identity provider list, click Modify in the row containing the identity provider.

c. In the Identity Conversion Rules area, click Create Rule. Then, configure the rule in the Create Rule dialog box.

Figure 9-12 Create Rule

Figure 9-13 Setting the rule parameters


Table 9-4 Parameter description

Parameter: Username
Description: Username of federated users to be displayed on HUAWEI CLOUD
Remarks: To distinguish federated users from HUAWEI CLOUD users, it is recommended that you set the username to "FederationUser-IdP_XXX". IdP indicates an identity provider name, for example, AD FS and Shibboleth. XXX indicates a custom name. You can also set the federated username to a simple expression, for example, FederationUser-IdP_{email}. After the rule is created successfully, {email} is automatically replaced with the email address of each federated user.
NOTICE: Each federated username must be unique under the account. Identical usernames under one or more identity providers of the same account will be identified as the same federated user in HUAWEI CLOUD.

Parameter: User Group
Description: User groups to which the federated users will belong in HUAWEI CLOUD
Remarks: The federated user will inherit permissions from the groups to which they belong.

Parameter: Rule Conditions
Description: Conditions that a federated user must meet to obtain permissions from the selected user groups
Remarks: Federated users who do not meet these conditions cannot access HUAWEI CLOUD. You can create a maximum of 10 conditions for an identity conversion rule.
NOTE
● An identity conversion rule can have multiple conditions. It takes effect only if all of the conditions are met.
● An identity provider can have multiple identity conversion rules. If a federated user does not meet any of the rules, the user will not be allowed to access HUAWEI CLOUD.

For example, set an identity conversion rule for enterprise administrators.

▪ Username: FederationUser-IdP_admin_{email}

▪ User group: admin

▪ Rule condition: _NAMEID_ (attribute), any_one_of (condition), and ID1;ID2;ID3 (value). Only users with ID1, ID2, or ID3 inherit permissions from the admin user group.


d. In the Create Rule dialog box, click OK.

e. On the Modify Identity Provider page, click OK.

● Editing a Rule

a. Log in to HUAWEI CLOUD as an administrator, and go to the IAM console. Then, choose Identity Providers from the navigation pane.

b. In the identity provider list, click Modify in the row containing the identity provider.

c. In the Identity Conversion Rules area, click Edit Rule. Then configure the rule in the Edit Rule dialog box.

d. Edit the identity conversion rule in the JSON format. For details, see Syntax of Identity Conversion Rules.

e. Click Validate to verify the syntax of the rule.

f. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.

If a message indicating that the JSON file is incomplete is displayed, modify the statement or click Cancel to cancel the modifications.

Verifying Federated User Permissions

After configuring identity conversion rules, verify the permissions of federated users.

Step 1 Log in to HUAWEI CLOUD as a federated user, such as user ID1.

On the Identity Providers page of the IAM console, click View in the row containing the identity provider. Copy the login link displayed on the identity provider details page, open the link using a browser, and then enter the username and password.

Step 2 Check that the federated user has the permissions assigned to the user group to which the user belongs.

For example, an identity conversion rule has defined full permissions for all cloud services for federated user ID1 in the admin user group. On the management console, select any cloud service, and check if you can access the service.

----End

Related Operations

Viewing identity conversion rules: Click View Rule on the Modify Identity Provider page. The identity conversion rules are displayed in the JSON format. For details about the JSON format, see Syntax of Identity Conversion Rules.

9.3.4 Step 3: Configure Login Link in the Enterprise Management System

Configure the login link of the identity provider in the enterprise management system so that enterprise users can use this link to access HUAWEI CLOUD.


Prerequisites

● An identity provider has been created in HUAWEI CLOUD, and the login link of the identity provider is accessible. (For details about how to create and verify an identity provider, see Step 1: Create an Identity Provider.)

● A HUAWEI CLOUD login link has already been configured in the enterprise management system.

Procedure

Step 1 Log in to the IAM console, and choose Identity Providers from the navigation pane.

Step 2 Click View in the row containing the identity provider.

Step 3 Click Copy next to the login link.

Step 4 Add the following statement to the page file of the enterprise management system:

<a href="<Login link>"> Login </a>

Step 5 Log in to the enterprise management system, and then click the configured HUAWEI CLOUD login link to access HUAWEI CLOUD.

----End

9.4 Syntax of Identity Conversion Rules

An identity conversion rule is a JSON object which can be modified. The following is an example JSON object:

[
    {
        "local": [
            {
                "<user> or <group> or <groups>"
            }
        ],
        "remote": [
            {
                "<condition>"
            }
        ]
    }
]

Parameter description:

● local: Identity information of a federated user mapped to HUAWEI CLOUD. The value of this field can contain placeholders, such as {0...n}. The attributes {0} and {1} represent the first and second remote attributes of the user information, respectively.

● remote: Information about a federated user in the identity provider system. This field is an expression consisting of assertion attributes and operators. The value of this field is determined by the assertion.

– condition: Conditions for the identity conversion rule to take effect. The following three types of conditions are supported:


▪ empty: The rule is matched to all claims containing the attribute type. This condition does not need to be specified.

▪ any_one_of: The rule is matched only if any of the specified strings appear in the attribute type. The condition result is Boolean, not the argument that is passed as input.

▪ not_any_of: The rule is not matched if any of the specified strings appear in the attribute type. The condition result is Boolean, not the argument that is passed as input.

Examples of the empty Condition

The empty condition returns character strings to replace the local attributes {0..n}.

● In the following example, the username of a federated user will be "the value of the first remote attribute+space+the value of the second remote attribute" in HUAWEI CLOUD, that is, FirstName LastName. The group to which the user belongs is the value of the third remote attribute Group. This attribute has only one value.

[
    {
        "local": [
            {
                "user": {
                    "name": "{0} {1}"
                }
            },
            {
                "group": {
                    "name": "{2}"
                }
            }
        ],
        "remote": [
            {
                "type": "FirstName"
            },
            {
                "type": "LastName"
            },
            {
                "type": "Group"
            }
        ]
    }
]

If the following assertion (simplified for easy understanding) is received, the username of the federated user will be John Smith in HUAWEI CLOUD and the user will only belong to the admin group.

{FirstName: John} {LastName: Smith} {Group: admin}

● If a federated user will belong to multiple user groups in HUAWEI CLOUD, the identity conversion rule can be configured as follows. In the following example, the username of a federated user will be "the value of the first remote attribute+space+the value of the second remote attribute" in HUAWEI CLOUD, that is, FirstName LastName. The groups to which the user belongs are the value of the third remote attribute Groups.


[
    {
        "local": [
            {
                "user": {
                    "name": "{0} {1}"
                }
            },
            {
                "groups": "{2}"
            }
        ],
        "remote": [
            {
                "type": "FirstName"
            },
            {
                "type": "LastName"
            },
            {
                "type": "Groups"
            }
        ]
    }
]

If the following assertion is received, the username of the federated user will be John Smith in HUAWEI CLOUD and the user will belong to the admin and manager groups.

{FirstName: John} {LastName: Smith} {Groups: [admin, manager]}

Examples of the "any one of" and "not any of" Conditions

Unlike the empty condition, the any one of and not any of conditions return Boolean values. These values will not be used to replace the local attributes. In the following example, only {0} will be replaced by the returned value of the first empty condition in the remote block. The value of group is fixed as admin.

● The username of the federated user in HUAWEI CLOUD is the value of the first remote attribute, that is, UserName. The federated user belongs to the admin group. This rule takes effect only for users who are members of the idp_admin group in the identity provider system.

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                }
            },
            {
                "group": {
                    "name": "admin"
                }
            }
        ],
        "remote": [
            {
                "type": "UserName"
            },
            {
                "type": "Groups",
                "any_one_of": [
                    "idp_admin"
                ]
            }
        ]
    }
]

● If a federated user will belong to multiple user groups in HUAWEI CLOUD, the identity conversion rule can be configured as follows. The username of the federated user in HUAWEI CLOUD is the value of the first remote attribute, that is, UserName. The federated user belongs to the admin and manager groups. This rule takes effect only for users who are members of the idp_admin group in the identity provider system.

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                }
            },
            {
                "groups": "[\"admin\",\"manager\"]"
            }
        ],
        "remote": [
            {
                "type": "UserName"
            },
            {
                "type": "Groups",
                "any_one_of": [
                    "idp_admin"
                ]
            }
        ]
    }
]

– The following assertion indicates that the federated user John Smith is a member of the idp_admin group. Therefore, the user can access HUAWEI CLOUD.

{UserName: John Smith} {Groups: [idp_user, idp_admin, idp_agency]}

– The following assertion indicates that the federated user John Smith is not a member of the idp_admin group. Therefore, the rule does not take effect for the user and the user cannot access HUAWEI CLOUD.

{UserName: John Smith} {Groups: [idp_user, idp_agency]}

Example Condition Containing a Regular Expression

You can add "regex": true to a condition so that the values listed in any_one_of or not_any_of are evaluated as regular expressions instead of being compared as literal strings.

The following rule is intended for users whose username ends with @mail.com. The username of each applicable federated user is UserName in HUAWEI CLOUD and the user belongs to the admin group. Note that a regular expression is matched against the values of the attribute named in the condition's type: as written below, the condition is evaluated against the Groups attribute, so it takes effect when one of the user's group names ends with @mail.com. To apply the pattern to the username instead, set the type of that condition to UserName.

[
    {
        "local": [
            { "user": { "name": "{0}" } },
            { "group": { "name": "admin" } }
        ],
        "remote": [
            { "type": "UserName" },
            { "type": "Groups", "any_one_of": [ ".*@mail.com$" ], "regex": true }
        ]
    }
]

Examples of Combined Conditions

Multiple conditions in one rule are combined using the logical operator AND: the rule takes effect only if every condition holds.

This rule takes effect only for federated users who belong to neither the idp_user nor the idp_agent user group in the identity provider system. The username of each applicable federated user is UserName in HUAWEI CLOUD and the user belongs to the admin group.

[
    {
        "local": [
            { "user": { "name": "{0}" } },
            { "group": { "name": "admin" } }
        ],
        "remote": [
            { "type": "UserName" },
            { "type": "Groups", "not_any_of": [ "idp_user" ] },
            { "type": "Groups", "not_any_of": [ "idp_agent" ] }
        ]
    }
]

The preceding rule is equivalent to the following:

[
    {
        "local": [
            { "user": { "name": "{0}" } },
            { "group": { "name": "admin" } }
        ],
        "remote": [
            { "type": "UserName" },
            { "type": "Groups", "not_any_of": [ "idp_user", "idp_agent" ] }
        ]
    }
]

Examples of Combined Rules

If multiple rules are configured, usernames and user groups are matched differently.

The name of the federated user is taken from the first rule that takes effect and sets a username, and the user belongs to the union of the groups set by all rules that take effect. A federated user can log in only if at least one effective rule yields a username. For clarity, username rules and user group rules can be configured as separate rules.

In the following example, the first rule sets the username (UserName in HUAWEI CLOUD) for every user whose assertion carries a UserName attribute, and the second rule adds the admin group for users who are members of the idp_admin group in the identity provider system.

[
    {
        "local": [
            { "user": { "name": "{0}" } }
        ],
        "remote": [
            { "type": "UserName" }
        ]
    },
    {
        "local": [
            { "group": { "name": "admin" } }
        ],
        "remote": [
            { "type": "Groups", "any_one_of": [ "idp_admin" ] }
        ]
    }
]

The following assertion indicates that user John Smith is a member of the idp_admin group in the identity provider system and therefore meets both rules. The username of this user will be John Smith in HUAWEI CLOUD, and the user will belong to the admin group.

{UserName: John Smith} {Groups: [idp_user, idp_admin, idp_agency]}
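The following Python script is an added example, not code from the guide or from IAM itself. It evaluates identity conversion rules against an assertion the way the preceding sections describe them: empty conditions feed the {n} placeholders, any_one_of and not_any_of only gate the rule, "regex": true switches those lists to regular-expression matching, the conditions of one rule are ANDed, and across rules the username comes from the first effective rule while groups are the union over all effective rules. The rules and assertions embedded in it are the ones from the examples above, re-typed as Python literals. Three details are assumptions of this example rather than statements from the guide: placeholders are numbered over empty conditions only, regular expressions are applied with re.search, and a multi-valued attribute fills a placeholder with a JSON list so that "groups": "{n}" can be used.

```python
"""Evaluate IAM identity conversion rules against an assertion (added example).

Semantics implemented, as the guide describes them:
  - an empty condition ({"type": "X"}) always holds and supplies the value for
    the next {n} placeholder;
  - any_one_of / not_any_of return booleans and only decide whether the rule
    takes effect; "regex": true matches their values as regular expressions;
  - all conditions of one rule are ANDed;
  - across rules, the username comes from the first effective rule that sets
    one and the groups are the union over all effective rules; no username
    means the user cannot log in.
Assumptions of this example: placeholders are numbered over empty conditions
only, regex values are matched with re.search, and a multi-valued attribute
fills a placeholder with a JSON list so that "groups": "{n}" works.
"""
import json
import re

_PLACEHOLDER = re.compile(r"\{(\d+)\}")


def _attribute_values(assertion, attr):
    """Assertion attributes may be single values or lists; always return a list."""
    value = assertion.get(attr)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _condition_holds(condition, values):
    """Boolean conditions gate the rule; an empty condition always holds."""
    use_regex = bool(condition.get("regex", False))

    def hit(pattern, value):
        return re.search(pattern, value) is not None if use_regex else pattern == value

    if "any_one_of" in condition:
        return any(hit(p, v) for p in condition["any_one_of"] for v in values)
    if "not_any_of" in condition:
        return not any(hit(p, v) for p in condition["not_any_of"] for v in values)
    return True


def evaluate_rule(rule, assertion):
    """Return (username or None, [groups]) if the rule takes effect, else None."""
    direct = []  # values feeding {0}, {1}, ... in order of the empty conditions
    for condition in rule["remote"]:
        values = _attribute_values(assertion, condition["type"])
        if not _condition_holds(condition, values):
            return None
        if "any_one_of" not in condition and "not_any_of" not in condition:
            if not values:
                return None  # nothing to substitute: the rule cannot apply
            direct.append(values[0] if len(values) == 1 else json.dumps(values))

    def fill(template):
        return _PLACEHOLDER.sub(lambda m: direct[int(m.group(1))], template)

    username, groups = None, []
    for item in rule["local"]:
        if "user" in item:
            username = fill(item["user"]["name"])
        if "group" in item:
            groups.append(fill(item["group"]["name"]))
        if "groups" in item:  # JSON-encoded list of group names
            groups.extend(json.loads(fill(item["groups"])))
    return username, groups


def map_federated_user(rules, assertion):
    """Combine all rules; None means no rule produced a username (login denied)."""
    username, groups = None, []
    for rule in rules:
        outcome = evaluate_rule(rule, assertion)
        if outcome is None:
            continue
        name, rule_groups = outcome
        if username is None and name:
            username = name
        for group in rule_groups:
            if group not in groups:
                groups.append(group)
    return None if username is None else {"name": username, "groups": groups}


# Rules from the examples above, re-typed as Python literals.
RULE_GATED = [{"local": [{"user": {"name": "{0}"}}, {"group": {"name": "admin"}}],
               "remote": [{"type": "UserName"},
                          {"type": "Groups", "any_one_of": ["idp_admin"]}]}]
RULE_MULTI_GROUP = [{"local": [{"user": {"name": "{0}"}},
                               {"groups": "[\"admin\",\"manager\"]"}],
                     "remote": [{"type": "UserName"},
                                {"type": "Groups", "any_one_of": ["idp_admin"]}]}]
RULE_NOT_ANY = [{"local": [{"user": {"name": "{0}"}}, {"group": {"name": "admin"}}],
                 "remote": [{"type": "UserName"},
                            {"type": "Groups", "not_any_of": ["idp_user", "idp_agent"]}]}]
RULES_SPLIT = [{"local": [{"user": {"name": "{0}"}}], "remote": [{"type": "UserName"}]},
               {"local": [{"group": {"name": "admin"}}],
                "remote": [{"type": "Groups", "any_one_of": ["idp_admin"]}]}]

# Assertions from the examples above (constructed test input).
ADMIN_USER = {"UserName": "John Smith", "Groups": ["idp_user", "idp_admin", "idp_agency"]}
PLAIN_USER = {"UserName": "John Smith", "Groups": ["idp_user", "idp_agency"]}

if __name__ == "__main__":
    for label, rules in (("gated", RULE_GATED), ("split", RULES_SPLIT)):
        for who in (ADMIN_USER, PLAIN_USER):
            print(label, who["Groups"], "->", map_federated_user(rules, who))
```

Run as a script, it prints the outcome of the single gated rule and of the split rules for both assertions. Note what the split layout does under the semantics above: PLAIN_USER, who is not in idp_admin, still obtains a username from the first rule and can therefore log in, only without any group and hence without permissions. If login itself is meant to depend on idp_admin membership, keep the any_one_of condition in the same rule as the username, as in RULE_GATED.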

Identity and Access ManagementUser Guide 9 Identity Providers

Issue 18 (2021-03-27) Copyright © Huawei Technologies Co., Ltd. 113


10 Custom Identity Broker

Enabling Custom Identity Broker Access

Creating a FederationProxyUrl Using an Agency

Creating a FederationProxyUrl Using a Token

10.1 Enabling Custom Identity Broker Access

If the identity authentication system of your enterprise is not compatible with SAML or OpenID Connect, you can create a custom identity broker to perform a similar function. You write and run code that creates a login URL. Users in your enterprise can then use the URL to log in to HUAWEI CLOUD after being authenticated by your enterprise identity authentication system.

NOTE

Custom identity brokers are suitable for organizations whose identity authentication systems are not compatible with SAML or OpenID Connect. If your identity authentication system supports SAML or OpenID Connect, configure federated identity authentication instead so that your enterprise users access HUAWEI CLOUD through SSO.

Prerequisites

● Your enterprise already has an identity authentication system.

● The administrator of your enterprise has registered an account (e.g. DomainA) on HUAWEI CLOUD and created a user group (e.g. GroupC) with Agent Operator permissions under the account. (For details, see Creating a User Group and Assigning Permissions.)

Procedure

Step 1 Use the DomainA account to create an IAM user (e.g. UserB) and add the user to GroupC by following the instructions in Adding Users to a User Group.

NOTE

Ensure that the IAM user can programmatically access HUAWEI CLOUD services. For details about how to change the access type, see Viewing or Modifying IAM User Information.


Step 2 Configure the access key (recommended) or username and password of UserB in the configuration file of your enterprise management system so that it can obtain a user token for calling APIs. For account security, encrypt the password and access key before you store them, and restrict read access to the configuration file to the broker process: anyone who obtains these credentials can perform the same token exchange as the broker.

Step 3 In the navigation pane of the IAM console, choose Agencies. Then, click Create Agency in the upper right corner.

Step 4 Set agency parameters.

For example, set the agency name to testagency, agency type to Account, anddelegated account to DomainA. Set the validity period, assign permissions, andclick OK.

Step 5 In the enterprise management system, create a user group named testagency (same as the name of the agency created in Step 4), add local users to the group, and grant the users permissions to log in to HUAWEI CLOUD through a custom identity broker. For details, see the documentation of the enterprise management system.

Step 6 (Users) Access the identity broker through an agency as a user. You can obtain theagency from the security administrator or the root user. If you have any questions,contact the enterprise administrator.

NOTE

The identity broker agencies must exist in HUAWEI CLOUD and have the same names as the user groups created in the enterprise management system.

Step 7 (Custom identity broker) Use the token of UserB to call the API POST /v3.0/OS-CREDENTIAL/securitytokens to obtain a temporary access key and securityToken. For details, see Obtaining a Temporary Access Key and SecurityToken Through an Agency.

Step 8 (Custom identity broker) Use the temporary access key and securityToken together with the global domain name iam.myhuaweicloud.com to call the API POST /v3.0/OS-AUTH/securitytoken/logintokens and obtain a loginToken. The value of X-Subject-LoginToken in the response header is the loginToken. For details, see Obtaining a LoginToken.


NOTE

● To call the API POST /v3.0/OS-AUTH/securitytoken/logintokens and obtain a loginToken, use the global domain name (iam.myhuaweicloud.com) of IAM.

● LoginTokens are issued to users to log in through custom identity brokers. Each loginToken contains identity and session information and is valid for 10 minutes by default. LoginTokens are required for authentication when users log in to a service console using the FederationProxyUrl.

● You can set the validity period of the loginToken using the API POST /v3.0/OS-AUTH/securitytoken/logintokens. The validity period ranges from 10 minutes to 12 hours. If the value you have specified is greater than the remaining validity period of the temporary securityToken, the remaining validity period of the temporary securityToken is used.

Step 9 (Custom identity broker) Create a FederationProxyUrl and return it to the browser through the Location header. The FederationProxyUrl has the following format:

https://auth.huaweicloud.com/authui/federation/login?idp_login_url={enterprise_system_loginURL}&service={console_service_region_url}&logintoken={logintoken}

Example:

https://auth.huaweicloud.com/authui/federation/login?idp_login_url=https%3A%2F%2Fexample.com&service=https%3a%2f%2fconsole.huaweicloud.com%2fapm%2f%3fregion%3dcn-north-4%23%2fapm%2fatps%2ftopology&logintoken=******

Table 10-1 Parameter description

Parameter       Description
idp_login_url   Login URL of the enterprise management system; the browser is sent here if the loginToken fails authentication
service         Access address of the HUAWEI CLOUD service console to open after successful authentication
logintoken      LoginToken obtained by the custom identity broker in Step 8

Create a FederationProxyUrl by referring to the examples provided in Creating a FederationProxyUrl Using an Agency.

NOTE

The FederationProxyUrl carries the loginToken obtained from IAM for identity authentication. Each query parameter value (idp_login_url, service, and logintoken) must be percent-encoded, as in the example above.

Step 10 If the loginToken is authenticated successfully, the federated user is automatically redirected to the HUAWEI CLOUD console page given in service.

If the loginToken fails to be authenticated, the browser is sent to the enterprise management system login page given in idp_login_url.

----End
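The following Python script is an added example, not code from the guide or from the HUAWEI CLOUD SDK. It covers the parts of Steps 8 to 10 that the broker itself has to get right and that the SDK calls do not do for it: keeping the requested loginToken lifetime within the documented range (10 minutes to 12 hours) and below what is left on the temporary securityToken, percent-encoding every query value of the FederationProxyUrl, and refusing a service value that does not point at a HUAWEI CLOUD console host, since the broker would otherwise redirect an authenticated user to any URL an attacker managed to inject into that parameter. The allowlist of console hosts and the ISO-8601 format assumed for the securityToken's expires_at field are assumptions of this example.

```python
"""Assemble and check a FederationProxyUrl (added example, not the guide's code).

Covers the parts of Steps 8 to 10 that the broker itself has to get right:
  - the loginToken lifetime it asks IAM for must stay within 600 to 43200 s and
    must not exceed the remaining lifetime of the temporary securityToken;
  - every query value in the URL must be percent-encoded;
  - the `service` target must be a HUAWEI CLOUD console address, otherwise the
    broker becomes an open redirect for anyone who can influence that value.
Assumptions: the console allowlist below, and that credential.expires_at is an
ISO-8601 UTC timestamp (as returned together with the securityToken).
"""
from datetime import datetime
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTH_URL = "https://auth.huaweicloud.com/authui/federation/login"
LOGIN_TOKEN_MIN_SECONDS = 10 * 60        # 10 minutes (the default)
LOGIN_TOKEN_MAX_SECONDS = 12 * 60 * 60   # 12 hours
# Assumed allowlist: console hosts a FederationProxyUrl may send the browser to.
ALLOWED_SERVICE_HOSTS = {"console.huaweicloud.com"}


def parse_expires_at(value):
    """Parse a securityToken expiry such as "2021-03-27T10:04:11.000000Z" (assumed format)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def clamp_login_token_duration(requested_seconds, security_token_expires_at, now):
    """Lifetime to request for the loginToken: inside IAM's range, and never longer
    than what is left on the securityToken (IAM would shorten it anyway, so the
    broker should not promise the user a longer session than it will get)."""
    remaining = int((security_token_expires_at - now).total_seconds())
    if remaining <= 0:
        raise ValueError("securityToken has already expired; obtain a new one")
    wanted = max(LOGIN_TOKEN_MIN_SECONDS, min(requested_seconds, LOGIN_TOKEN_MAX_SECONDS))
    return min(wanted, remaining)


def is_allowed_service(service_url):
    """Only absolute https URLs on an allowlisted console host may be redirect targets."""
    parts = urlsplit(service_url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_SERVICE_HOSTS


def build_federation_proxy_url(idp_login_url, service_url, login_token):
    """Assemble the URL from Table 10-1 with every value percent-encoded."""
    idp = urlsplit(idp_login_url)
    if idp.scheme != "https" or not idp.netloc:
        raise ValueError("idp_login_url must be an absolute https URL")
    if not is_allowed_service(service_url):
        raise ValueError("service is not an allowlisted HUAWEI CLOUD console URL")
    if not login_token:
        raise ValueError("loginToken is empty")
    query = urlencode(
        {"idp_login_url": idp_login_url, "service": service_url, "logintoken": login_token},
        safe="", quote_via=quote)  # safe="" also encodes "/", like Java's URLEncoder
    return f"{AUTH_URL}?{query}"


def parse_federation_proxy_url(url):
    """Decode the three parameters back out of a FederationProxyUrl (round-trip check)."""
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != AUTH_URL:
        raise ValueError("not a FederationProxyUrl")
    params = parse_qs(parts.query, strict_parsing=True)
    return {key: values[0] for key, values in params.items()}


if __name__ == "__main__":
    now = parse_expires_at("2021-03-27T12:00:00Z")            # constructed clock
    expires = parse_expires_at("2021-03-27T12:30:00.000000Z")  # constructed securityToken expiry
    print(clamp_login_token_duration(3600, expires, now))      # 1800: limited by the securityToken
    url = build_federation_proxy_url("https://example.com/",
                                     "https://console.huaweicloud.com/iam/?region=cn-north-4",
                                     "<loginToken from X-Subject-LoginToken>")
    print(url)
    print(parse_federation_proxy_url(url))
```

In a broker, the value returned by build_federation_proxy_url goes into the Location header of the response and should stay out of access logs, because it carries the loginToken.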


10.2 Creating a FederationProxyUrl Using an Agency

This section provides example code used to programmatically create a FederationProxyUrl using an agency for logging in to HUAWEI CLOUD services.

Example Code Using Java

The following code shows how to create a FederationProxyUrl that gives federated users direct access to the HUAWEI CLOUD console.

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;
import com.huaweicloud.sdk.core.exception.ClientRequestException;
import com.huaweicloud.sdk.core.exception.ServerResponseException;
import com.huaweicloud.sdk.core.http.HttpConfig;
import com.huaweicloud.sdk.iam.v3.IamClient;
import com.huaweicloud.sdk.iam.v3.model.*;

// Use the global domain name to obtain a loginToken.
String endpoint = "https://iam.myhuaweicloud.com";

// Configure client attributes. Leave TLS certificate verification enabled: this client
// sends UserB's long-term credentials and receives temporary ones, so a broker that
// ignores certificate errors exposes both to anyone who can intercept the connection.
// The proxy settings are placeholders; omit them if no outbound proxy is used.
HttpConfig config = HttpConfig.getDefaultHttpConfig()
        .withIgnoreSSLVerification(false)
        .withProxyHost("proxy.huawei.com")
        .withProxyPort(8080);

// Use the domain ID (account ID), AK, and SK of UserB to initialize the IAM client.
// For details about how to create UserB, see section "Enabling Custom Identity Broker Access".
// Load the three values from your secret store; the string literals below are placeholders.
IamClient iamClient = IamClient.newBuilder()
        .withCredential(new GlobalCredentials()
                .withDomainId("domainId")
                .withAk("ak")
                .withSk("sk"))
        .withEndpoint(endpoint)
        .withHttpConfig(config)
        .build();

/*
 * CreateTemporaryAccessKeyByAgency
 * Call the API used to obtain a temporary access key and securityToken with an agency.
 * The default validity period of the access key and securityToken is 900 seconds (15 minutes);
 * the value ranges from 15 minutes to 24 hours. In this example it is set to 3600 seconds (1 hour).
 * When you obtain a loginToken with a specified validity period, ensure that it is not greater
 * than the remaining validity period of the securityToken.
 * In production code, catch ClientRequestException and ServerResponseException around the SDK calls.
 */
IdentityAssumerole identityAssumerole = new IdentityAssumerole()
        .withAgencyName("testagency")
        .withDomainId("0525e2c87exxxxxxx")
        .withSessionUser(new AssumeroleSessionuser().withName("ExternalUser"))
        .withDurationSeconds(3600);
AgencyAuth agencyAuth = new AgencyAuth().withIdentity(new AgencyAuthIdentity()
        .withAssumeRole(identityAssumerole)
        .withMethods(Collections.singletonList(AgencyAuthIdentity.MethodsEnum.fromValue("assume_role"))));
CreateTemporaryAccessKeyByAgencyRequestBody createTemporaryAccessKeyByAgencyRequestBody =
        new CreateTemporaryAccessKeyByAgencyRequestBody().withAuth(agencyAuth);
CreateTemporaryAccessKeyByAgencyResponse createTemporaryAccessKeyByAgencyResponse =
        iamClient.createTemporaryAccessKeyByAgency(new CreateTemporaryAccessKeyByAgencyRequest()
                .withBody(createTemporaryAccessKeyByAgencyRequestBody));
Credential credential = createTemporaryAccessKeyByAgencyResponse.getCredential();

/*
 * CreateLoginToken
 * Obtain a loginToken. LoginTokens are issued to users to log in through custom identity brokers;
 * each one contains the identity and session information of a user. To log in to a cloud service
 * console using a custom identity broker URL, call this API to obtain a loginToken for authentication.
 * The default validity period of a loginToken is 600 seconds (10 minutes); the value ranges from
 * 10 minutes to 12 hours. In this example it is set to 1800 seconds (half an hour).
 * Ensure that the validity period of the loginToken is not greater than the remaining validity
 * period of the securityToken.
 */
CreateLoginTokenRequestBody createLoginTokenRequestBody = new CreateLoginTokenRequestBody()
        .withAuth(new LoginTokenAuth().withSecuritytoken(new LoginTokenSecurityToken()
                .withAccess(credential.getAccess())
                .withId(credential.getSecuritytoken())
                .withSecret(credential.getSecret())
                .withDurationSeconds(1800)));
CreateLoginTokenResponse createLoginTokenResponse =
        iamClient.createLoginToken(new CreateLoginTokenRequest().withBody(createLoginTokenRequestBody));
String loginToken = createLoginTokenResponse.getXSubjectLoginToken();

// Custom identity broker login URL of HUAWEI CLOUD.
String authURL = "https://auth.huaweicloud.com/authui/federation/login";
// Login URL of the enterprise management system.
String enterpriseSystemLoginURL = "https://example.com/";
// HUAWEI CLOUD service address you want to access.
String targetConsoleURL = "https://console.huaweicloud.com/iam/?region=cn-north-4";

// Create the FederationProxyUrl and return it to the browser through the Location header.
// Every query value is percent-encoded. URLEncoder.encode(String, Charset) (Java 10+) avoids the
// checked UnsupportedEncodingException thrown by the overload that takes a charset name.
String federationProxyUrl = authURL
        + "?idp_login_url=" + URLEncoder.encode(enterpriseSystemLoginURL, StandardCharsets.UTF_8)
        + "&service=" + URLEncoder.encode(targetConsoleURL, StandardCharsets.UTF_8)
        + "&logintoken=" + URLEncoder.encode(loginToken, StandardCharsets.UTF_8);

Example Code Using Python

The following code shows how to create a FederationProxyUrl that gives federated users direct access to the HUAWEI CLOUD console.

from urllib.parse import quote

from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkcore.http.http_config import HttpConfig
from huaweicloudsdkiam.v3 import *

# Use the global domain name to obtain a loginToken.
endpoint = "https://iam.myhuaweicloud.com"

# Configure client attributes. Leave TLS certificate verification enabled: this client
# sends UserB's long-term credentials and receives temporary ones, so a broker that
# ignores certificate errors exposes both to anyone who can intercept the connection.
# The proxy settings are placeholders; omit them if no outbound proxy is used.
config = HttpConfig.get_default_config()
config.ignore_ssl_verification = False
config.proxy_protocol = "https"
config.proxy_host = "proxy.huawei.com"
config.proxy_port = 8080

# Domain ID (account ID), AK, and SK of UserB. Load them from your secret store;
# the values below are placeholders. For details about how to create UserB, see
# section "Enabling Custom Identity Broker Access".
ak = "<ak>"
sk = "<sk>"
domain_id = "<domain_id>"
credentials = GlobalCredentials(ak, sk, domain_id)

# Initialize the IAM client.
client = IamClient.new_builder() \
    .with_http_config(config) \
    .with_credentials(credentials) \
    .with_endpoint(endpoint) \
    .build()

# CreateTemporaryAccessKeyByAgency
# Call the API used to obtain a temporary access key and securityToken with an agency.
# The default validity period of the access key and securityToken is 900 seconds (15 minutes);
# the value ranges from 15 minutes to 24 hours. In this example it is set to 3600 seconds (1 hour).
# When you obtain a loginToken with a specified validity period, ensure that it is not greater
# than the remaining validity period of the securityToken.
assume_role_session_user = AssumeroleSessionuser(name="ExternalUser")
identity_assume_role = IdentityAssumerole(agency_name="testagency",
                                          domain_id="0525e2c87exxxxxxx",
                                          session_user=assume_role_session_user,
                                          duration_seconds=3600)
identity_methods = ["assume_role"]
body = CreateTemporaryAccessKeyByAgencyRequestBody(
    AgencyAuth(AgencyAuthIdentity(methods=identity_methods, assume_role=identity_assume_role)))
request = CreateTemporaryAccessKeyByAgencyRequest(body)
create_temporary_access_key_by_agency_response = client.create_temporary_access_key_by_agency(request)
credential = create_temporary_access_key_by_agency_response.credential

# CreateLoginToken
# Obtain a loginToken.
# The default validity period of a loginToken is 600 seconds (10 minutes); the value ranges from
# 10 minutes to 12 hours. In this example it is set to 1800 seconds (half an hour).
# Ensure that the validity period of the loginToken is not greater than the remaining validity
# period of the securityToken.
login_token_security_token = LoginTokenSecurityToken(access=credential.access,
                                                     secret=credential.secret,
                                                     id=credential.securitytoken,
                                                     duration_seconds=1800)
body = CreateLoginTokenRequestBody(LoginTokenAuth(login_token_security_token))
request = CreateLoginTokenRequest(body)
create_login_token_response = client.create_login_token(request)
login_token = create_login_token_response.x_subject_login_token

# Custom identity broker login URL of HUAWEI CLOUD.
auth_URL = "https://auth.huaweicloud.com/authui/federation/login"
# Login URL of the enterprise management system.
enterprise_system_login_URL = "https://example.com/"
# HUAWEI CLOUD service address you want to access.
target_console_URL = "https://console.huaweicloud.com/iam/?region=cn-north-4"

# Create the FederationProxyUrl and return it to the browser through the Location header.
# safe="" percent-encodes "/" as well, matching the output of Java's URLEncoder.
federation_proxy_url = (auth_URL
                        + "?idp_login_url=" + quote(enterprise_system_login_URL, safe="")
                        + "&service=" + quote(target_console_URL, safe="")
                        + "&logintoken=" + quote(login_token, safe=""))
# Printed here for the example only; the URL carries the loginToken, so keep it out of logs.
print(federation_proxy_url)

10.3 Creating a FederationProxyUrl Using a Token

This section provides example code used to programmatically create a FederationProxyUrl using a token for logging in to HUAWEI CLOUD services.

Example Code Using Java

The following code shows how to create a FederationProxyUrl that gives federated users direct access to the HUAWEI CLOUD console.

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import com.huaweicloud.sdk.core.auth.GlobalCredentials;
import com.huaweicloud.sdk.core.http.HttpConfig;
import com.huaweicloud.sdk.core.exception.*;
import com.huaweicloud.sdk.iam.v3.IamClient;
import com.huaweicloud.sdk.iam.v3.model.*;

// Use the global domain name to obtain a loginToken.
String endpoint = "https://iam.myhuaweicloud.com";

// Configure client attributes. Leave TLS certificate verification enabled: this client
// sends UserB's long-term credentials and receives temporary ones, so a broker that
// ignores certificate errors exposes both to anyone who can intercept the connection.
// The proxy settings are placeholders; omit them if no outbound proxy is used.
HttpConfig config = HttpConfig.getDefaultHttpConfig()
        .withIgnoreSSLVerification(false)
        .withProxyHost("proxy.huawei.com")
        .withProxyPort(8080);

// Use the domain ID (account ID), AK, and SK of UserB to initialize the IAM client.
// For details about how to create UserB, see section "Enabling Custom Identity Broker Access".
// domainId, ak, and sk are loaded from your secret store, never hard-coded.
IamClient iamClient = IamClient.newBuilder()
        .withCredential(new GlobalCredentials()
                .withDomainId(domainId)
                .withAk(ak)
                .withSk(sk))
        .withEndpoint(endpoint)
        .withHttpConfig(config)
        .build();

/*
 * CreateTemporaryAccessKeyByToken
 * Call the API used to obtain a temporary access key and securityToken with a token.
 * The default validity period of the access key and securityToken is 900 seconds (15 minutes);
 * the value ranges from 15 minutes to 24 hours. In this example it is set to 3600 seconds (1 hour).
 * When you obtain a loginToken with a specified validity period, ensure that it is not greater
 * than the remaining validity period of the securityToken.
 * In production code, catch ClientRequestException and ServerResponseException around the SDK calls.
 */
TokenAuthIdentity tokenAuthIdentity = new TokenAuthIdentity()
        .withMethods(Collections.singletonList(TokenAuthIdentity.MethodsEnum.fromValue("token")))
        .withToken(new IdentityToken().withDurationSeconds(3600));
CreateTemporaryAccessKeyByTokenRequestBody createTemporaryAccessKeyByTokenRequestBody =
        new CreateTemporaryAccessKeyByTokenRequestBody().withAuth(new TokenAuth().withIdentity(tokenAuthIdentity));
CreateTemporaryAccessKeyByTokenResponse createTemporaryAccessKeyByTokenResponse =
        iamClient.createTemporaryAccessKeyByToken(new CreateTemporaryAccessKeyByTokenRequest()
                .withBody(createTemporaryAccessKeyByTokenRequestBody));
Credential credential = createTemporaryAccessKeyByTokenResponse.getCredential();

/*
 * CreateLoginToken
 * Obtain a loginToken. LoginTokens are issued to users to log in through custom identity brokers;
 * each one contains the identity and session information of a user. To log in to a cloud service
 * console using a custom identity broker URL, call this API to obtain a loginToken for authentication.
 * The default validity period of a loginToken is 600 seconds (10 minutes); the value ranges from
 * 10 minutes to 12 hours. In this example it is set to 1800 seconds (half an hour).
 * Ensure that the validity period of the loginToken is not greater than the remaining validity
 * period of the securityToken.
 */
CreateLoginTokenRequestBody createLoginTokenRequestBody = new CreateLoginTokenRequestBody()
        .withAuth(new LoginTokenAuth().withSecuritytoken(new LoginTokenSecurityToken()
                .withAccess(credential.getAccess())
                .withId(credential.getSecuritytoken())
                .withSecret(credential.getSecret())
                .withDurationSeconds(1800)));
CreateLoginTokenResponse createLoginTokenResponse =
        iamClient.createLoginToken(new CreateLoginTokenRequest().withBody(createLoginTokenRequestBody));
String loginToken = createLoginTokenResponse.getXSubjectLoginToken();

// Custom identity broker login URL of HUAWEI CLOUD.
String authURL = "https://auth.huaweicloud.com/authui/federation/login";
// Login URL of the enterprise management system.
String enterpriseSystemLoginURL = "https://example.com/";
// HUAWEI CLOUD service address you want to access.
String targetConsoleURL = "https://console.huaweicloud.com/iam/?region=cn-north-4";

// Create the FederationProxyUrl and return it to the browser through the Location header.
// Every query value is percent-encoded. URLEncoder.encode(String, Charset) (Java 10+) avoids the
// checked UnsupportedEncodingException thrown by the overload that takes a charset name.
String federationProxyUrl = authURL
        + "?idp_login_url=" + URLEncoder.encode(enterpriseSystemLoginURL, StandardCharsets.UTF_8)
        + "&service=" + URLEncoder.encode(targetConsoleURL, StandardCharsets.UTF_8)
        + "&logintoken=" + URLEncoder.encode(loginToken, StandardCharsets.UTF_8);

Example Code Using Python

The following code shows how to create a FederationProxyUrl that gives federated users direct access to the HUAWEI CLOUD console.

from urllib.parse import quote

from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkcore.http.http_config import HttpConfig
from huaweicloudsdkiam.v3 import *

# Use the global domain name to obtain a loginToken.
endpoint = "https://iam.myhuaweicloud.com"

# Configure client attributes. Leave TLS certificate verification enabled: this client
# sends UserB's long-term credentials and receives temporary ones, so a broker that
# ignores certificate errors exposes both to anyone who can intercept the connection.
# The proxy settings are placeholders; omit them if no outbound proxy is used.
config = HttpConfig.get_default_config()
config.ignore_ssl_verification = False
config.proxy_protocol = "https"
config.proxy_host = "proxy.huawei.com"
config.proxy_port = 8080

# Domain ID (account ID), AK, and SK of UserB. Load them from your secret store;
# the values below are placeholders. For details about how to create UserB, see
# section "Enabling Custom Identity Broker Access".
ak = "<ak>"
sk = "<sk>"
domain_id = "<domain_id>"
credentials = GlobalCredentials(ak, sk, domain_id)

# Initialize the IAM client.
client = IamClient.new_builder() \
    .with_http_config(config) \
    .with_credentials(credentials) \
    .with_endpoint(endpoint) \
    .build()

# CreateTemporaryAccessKeyByToken
# Call the API used to obtain a temporary access key and securityToken with a token.
# The default validity period of the access key and securityToken is 900 seconds (15 minutes);
# the value ranges from 15 minutes to 24 hours. In this example it is set to 3600 seconds (1 hour).
# When you obtain a loginToken with a specified validity period, ensure that it is not greater
# than the remaining validity period of the securityToken.
identity_methods = ["token"]
identity_token = IdentityToken(duration_seconds=3600)
body = CreateTemporaryAccessKeyByTokenRequestBody(
    TokenAuth(TokenAuthIdentity(methods=identity_methods, token=identity_token)))
request = CreateTemporaryAccessKeyByTokenRequest(body)
create_temporary_access_key_by_token_response = client.create_temporary_access_key_by_token(request)
credential = create_temporary_access_key_by_token_response.credential

# CreateLoginToken
# Obtain a loginToken. LoginTokens are issued to users to log in through custom identity brokers;
# each one contains the identity and session information of a user. To log in to a cloud service
# console using a custom identity broker URL, call this API to obtain a loginToken for authentication.
# The default validity period of a loginToken is 600 seconds (10 minutes); the value ranges from
# 10 minutes to 12 hours. In this example it is set to 1800 seconds (half an hour).
# Ensure that the validity period of the loginToken is not greater than the remaining validity
# period of the securityToken.
login_token_security_token = LoginTokenSecurityToken(access=credential.access,
                                                     secret=credential.secret,
                                                     id=credential.securitytoken,
                                                     duration_seconds=1800)
body = CreateLoginTokenRequestBody(LoginTokenAuth(login_token_security_token))
request = CreateLoginTokenRequest(body)
create_login_token_response = client.create_login_token(request)
login_token = create_login_token_response.x_subject_login_token

# Custom identity broker login URL of HUAWEI CLOUD.
auth_URL = "https://auth.huaweicloud.com/authui/federation/login"
# Login URL of the enterprise management system.
enterprise_system_login_URL = "https://example.com/"
# HUAWEI CLOUD service address you want to access.
target_console_URL = "https://console.huaweicloud.com/iam/?region=cn-north-4"

# Create the FederationProxyUrl and return it to the browser through the Location header.
# safe="" percent-encodes "/" as well, matching the output of Java's URLEncoder.
federation_proxy_url = (auth_URL
                        + "?idp_login_url=" + quote(enterprise_system_login_URL, safe="")
                        + "&service=" + quote(target_console_URL, safe="")
                        + "&logintoken=" + quote(login_token, safe=""))
# Printed here for the example only; the URL carries the loginToken, so keep it out of logs.
print(federation_proxy_url)


11 MFA Authentication and Virtual MFA Device

MFA Authentication

Virtual MFA Device

11.1 MFA Authentication

What Is MFA Authentication?

MFA authentication provides an additional layer of protection on top of the username and password. If you enable MFA authentication, users need to enter the username and password as well as a verification code before they can log in to the console.

MFA authentication can also be enabled to verify a user's identity before the useris allowed to perform critical operations.

MFA Authentication Methods

MFA authentication can be performed through SMS, email, or a virtual MFA device.

Application Scenarios

MFA authentication is suitable for login protection and critical operation protection.

● Login protection: When an IAM user logs in to the console, the user needs to enter a verification code in addition to the username and password. As an administrator, you can enable this function for an IAM user on the user details page.

● Operation protection: When an IAM user attempts to perform a critical operation, such as deleting an ECS resource, the user needs to enter a verification code to proceed. As an administrator, you can enable this function on the Security Settings > Operation Protection page.


For more information about login protection and critical operation protection,see Critical Operation Protection.

11.2 Virtual MFA Device

This section describes how to bind and unbind a virtual MFA device. If the bound virtual MFA device of an IAM user is deleted or the mobile phone on which it runs is unavailable, you can remove the virtual MFA device for the IAM user.

What Is a Virtual MFA Device?

An MFA device generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP) standard. MFA devices can be hardware- or software-based. Currently, HUAWEI CLOUD supports software-based virtual MFA devices, which are application programs running on smart devices such as mobile phones.

Binding a Virtual MFA Device

Before binding a virtual MFA device, ensure that you have installed an MFA application (such as an authenticator app) on your mobile device.

Step 1 Go to the Security Settings page.

Step 2 Click the Critical Operations tab, and click Bind next to Virtual MFA Device.

Step 3 Set up the MFA application by scanning the QR code or manually entering the secret key.

● Scanning the QR code

Open the MFA application on your mobile phone, and use the application to scan the QR code displayed on the Bind Virtual MFA Device page. Your account is then added to the application.

● Manually entering the secret key

Open the MFA application on your mobile phone, click the plus sign + in the application, and choose to manually enter the secret key. As the administrator, enter your account name and secret key. If you are an IAM user, enter your username and secret key.

NOTE

Codes generated from a manually entered key are time-based, like those from a scanned QR code: the MFA application and HUAWEI CLOUD must agree on the current time, so ensure that automatic time setup has been enabled on your mobile phone.

Step 4 View the verification code in the MFA application. The code is automatically updated every 30 seconds.

Step 5 On the Bind Virtual MFA Device page, enter two consecutive verification codes and click OK.

----End

Obtaining MFA Verification Codes

If virtual MFA-based login protection or critical operation protection is enabled, you need to enter an MFA verification code when you log in to the console or perform a critical operation.

Open the MFA application on your smart device, view the verification code displayed next to your account, and then enter the code on the console.

Unbinding a Virtual MFA Device

You can unbind the virtual MFA device yourself as long as the mobile phone used to bind it is available and the virtual MFA device is still installed on that phone, because unbinding requires a current verification code.

● IAM user: If your mobile phone is unavailable or the virtual MFA device has been removed from your phone, request the administrator to remove the virtual MFA device.

● Account administrator: If your mobile phone is unavailable or the virtual MFA device has been removed from your phone, contact customer service to remove the virtual MFA device.

Step 1 Log in to HUAWEI CLOUD and click Console in the upper right corner.

Step 2 On the management console, hover the mouse pointer over the username in the upper right corner, and choose Security Settings from the drop-down list.

Step 3 Click the Critical Operations tab, and click Unbind next to Virtual MFA Device.

Step 4 On the Unbind Virtual MFA Device page, enter a verification code generated by the MFA application.

Step 5 Click OK.

----End

Removing the Virtual MFA Device

As the account administrator, if your mobile phone is unavailable or the virtual MFA device has been removed from your phone, contact customer service to remove the virtual MFA device.

If the mobile phone of an IAM user is unavailable or the virtual MFA device has been removed from the user's phone, you, as an administrator, can remove the virtual MFA device by performing the following procedure. Unlike unbinding, removal does not ask for a verification code, so treat it as a privileged reset and confirm the user's request through another channel before removing the device.

Step 1 Log in to HUAWEI CLOUD and click Console in the upper right corner.

Step 2 On the management console, hover the mouse pointer over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.

Step 3 On the Users page, click Security Settings in the row containing the user for whom you want to remove the bound virtual MFA device.

Step 4 On the Security Settings tab page, click Remove next to Virtual MFA Device.

Step 5 Click Yes.

----End

12 Viewing IAM Operation Records

Enabling CTS

Viewing IAM Audit Logs

12.1 Enabling CTS

Cloud Trace Service (CTS) records operations performed on cloud resources in your account. The operation logs can be used for security analysis, resource change tracking, compliance auditing, and fault location.

It is recommended that you enable CTS to record key IAM operations, such as creating and deleting users.

Procedure

Step 1 On the management console, choose Service List > Cloud Trace Service.

Step 2 On the CTS console, click Enable the service on the Trace List page to enable CTS.

Step 3 View the records of IAM operations, such as creating users and user groups. Table 12-1 lists the IAM operations that CTS can record.

Table 12-1 IAM operations

Operation                                                   Resource Type               Trace Name
Obtaining a token                                           token                       createTokenByPwd
Obtaining a token                                           token                       createTokenByAssumeRole
Obtaining a token                                           token                       createTokenByToken
Obtaining a token                                           token                       createTokenByHwRenewToken
Login                                                       user                        login
Logout                                                      user                        logout
Changing the password                                       user                        changePassword
Creating a user                                             user                        createUser
Modifying user information                                  user                        updateUser
Deleting a user                                             user                        deleteUser
Adding users to a user group                                userGroup                   addUserToGroup and updateUser
Removing users from a user group                            userGroup                   removeUserFromGroup and updateUser
Changing the email address                                  user                        modifyUserEmail
Changing the mobile number                                  user                        modifyUserMobile
Creating an access key (AK/SK)                              user                        addCredential
Deleting an access key (AK/SK)                              user                        deleteCredential
Disabling or enabling an access key (AK/SK)                 user                        changeCredentialStatus
Modifying an access key (AK/SK)                             user                        updateCredential
Changing the password of a user (by the administrator)      user                        modifyUserPassword
Setting a password for a user (by the administrator)        user                        setPasswordByAdmin
Creating a user group                                       userGroup                   createUserGroup
Modifying a user group                                      userGroup                   updateUserGroup
Deleting a user group                                       userGroup                   deleteUserGroup
Creating a project                                          project                     createProject
Modifying a project                                         project                     updateProject
Creating an agency                                          agency                      createAgency
Modifying an agency                                         agency                      updateAgency
Deleting an agency                                          agency                      deleteAgency
Registering an identity provider                            identityProvider            createIdentityProvider
Modifying an identity provider                              identityProvider            updateIdentityProvider
Deleting an identity provider                               identityProvider            deleteIdentityProvider
Updating an identity conversion rule                        identityProvider            updateMetaConfigure
Updating the identity provider metadata                     identityProvider            updateMetaConfigure and uploadMetadataFile
Updating the login authentication policy                    domain                      updateSecurityPolicies
Modifying the password policy                               domain                      updatePasswordPolicies
Modifying the ACL                                           domain                      updateACLPolicies
Obtaining an unscoped token in enhanced client or proxy     unscopedOS-FederationToken  createUnscopedOS-FederationToken
(ECP) mode

----End
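Added example, not from the Huawei guide: a small triage script over exported CTS records that turns the trace names in Table 12-1 into detection logic. Two rules are shown: every credential, password, policy, agency or identity-provider change becomes an alert, and a run of failed console logins from one source address followed by a successful login from the same address is flagged. The record layout (one JSON object per line with trace_name, service_type, trace_status, time in epoch milliseconds, user.name, source_ip and resource_name), the idea that a failed console login appears as a login trace whose trace_status is not "normal", and the choice of which operations count as high-risk are my assumptions; the sample records are constructed, not real CTS output.

```python
import json
from collections import defaultdict

# Trace names copied from Table 12-1. Which of them count as high-risk, and
# the one-line descriptions, are my own triage choices, not from the guide.
HIGH_RISK = {
    "createUser": "user created",
    "deleteUser": "user deleted",
    "setPasswordByAdmin": "administrator set a user's password",
    "modifyUserPassword": "administrator changed a user's password",
    "addUserToGroup": "user added to a group (permission grant)",
    "addCredential": "access key (AK/SK) created",
    "updateCredential": "access key (AK/SK) modified",
    "changeCredentialStatus": "access key (AK/SK) enabled or disabled",
    "createAgency": "agency created",
    "updateAgency": "agency modified",
    "createIdentityProvider": "identity provider registered",
    "updateIdentityProvider": "identity provider modified",
    "updateMetaConfigure": "identity conversion rule or metadata changed",
    "uploadMetadataFile": "identity provider metadata uploaded",
    "updateSecurityPolicies": "login authentication policy changed",
    "updatePasswordPolicies": "password policy changed",
    "updateACLPolicies": "ACL changed",
}

# Constructed sample records (assumed CTS field names; not real output).
# Three failed logins from one address, a success from the same address,
# then an access key created for another user and an ACL change.
SAMPLE_TRACES = """
{"service_type":"IAM","trace_name":"login","trace_status":"warning","time":1616832000000,"user":{"name":"ops-alice"},"source_ip":"198.51.100.7","resource_name":"ops-alice"}
{"service_type":"IAM","trace_name":"login","trace_status":"warning","time":1616832030000,"user":{"name":"ops-alice"},"source_ip":"198.51.100.7","resource_name":"ops-alice"}
{"service_type":"IAM","trace_name":"login","trace_status":"warning","time":1616832060000,"user":{"name":"ops-alice"},"source_ip":"198.51.100.7","resource_name":"ops-alice"}
{"service_type":"IAM","trace_name":"login","trace_status":"normal","time":1616832090000,"user":{"name":"ops-alice"},"source_ip":"198.51.100.7","resource_name":"ops-alice"}
{"service_type":"IAM","trace_name":"addCredential","trace_status":"normal","time":1616832150000,"user":{"name":"ops-alice"},"source_ip":"198.51.100.7","resource_name":"svc-deploy"}
{"service_type":"IAM","trace_name":"updateACLPolicies","trace_status":"normal","time":1616832200000,"user":{"name":"ops-alice"},"source_ip":"198.51.100.7","resource_name":"example-domain"}
{"service_type":"IAM","trace_name":"createUserGroup","trace_status":"normal","time":1616832260000,"user":{"name":"ops-alice"},"source_ip":"198.51.100.7","resource_name":"readers"}
{"service_type":"IAM","trace_name":"login","trace_status":"normal","time":1616832300000,"user":{"name":"dev-bob"},"source_ip":"203.0.113.9","resource_name":"dev-bob"}
{"service_type":"ECS","trace_name":"createServer","trace_status":"normal","time":1616832400000,"user":{"name":"dev-bob"},"source_ip":"203.0.113.9","resource_name":"web-1"}
""".strip().splitlines()


def parse_iam_traces(lines):
    """Parse JSON-lines records, keep only IAM traces, oldest first."""
    traces = [json.loads(line) for line in lines if line.strip()]
    iam = [t for t in traces if t.get("service_type") == "IAM"]
    return sorted(iam, key=lambda t: t["time"])


def high_risk_changes(traces):
    """Rule 1: every high-risk IAM change becomes an alert."""
    return [
        {
            "rule": "iam-high-risk-change",
            "time": t["time"],
            "actor": t["user"]["name"],
            "source_ip": t.get("source_ip"),
            "trace": t["trace_name"],
            "target": t.get("resource_name"),
            "what": HIGH_RISK[t["trace_name"]],
        }
        for t in traces
        if t["trace_name"] in HIGH_RISK
    ]


def password_guessing(traces, threshold=3, window_ms=10 * 60 * 1000):
    """Rule 2: `threshold` or more failed logins from one source IP within
    `window_ms`, followed by a successful login from that IP.
    Assumption: a failed login is a login trace whose trace_status != "normal"."""
    failures = defaultdict(list)
    alerts = []
    for t in traces:
        if t["trace_name"] != "login":
            continue
        ip = t.get("source_ip")
        if t.get("trace_status") != "normal":
            failures[ip].append(t["time"])
            continue
        recent = [ts for ts in failures[ip] if t["time"] - ts <= window_ms]
        if len(recent) >= threshold:
            alerts.append({
                "rule": "login-after-failures",
                "time": t["time"],
                "actor": t["user"]["name"],
                "source_ip": ip,
                "failures": len(recent),
            })
        failures[ip].clear()
    return alerts


def triage(lines=SAMPLE_TRACES):
    """Run both rules over a batch of exported records."""
    traces = parse_iam_traces(lines)
    return high_risk_changes(traces) + password_guessing(traces)


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

Because IAM is a global service, the records to feed this script come from the AP-Hong-Kong project on the CTS console, and because CTS keeps only the last 7 days, the export has to be scheduled rather than done once. The group of addUserToGroup and the updateUser trace that accompanies it (Table 12-1) is why updateUser is deliberately not on the high-risk list: it fires for routine profile edits as well.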

12.2 Viewing IAM Audit Logs

After CTS is enabled, it records key operations performed on IAM and other supported services. CTS retains operation records for the last 7 days only, so forward or export records that you need to keep for longer.

Procedure

Step 1 On the IAM console, perform an operation, such as creating a user named CTS-Test.

Step 2 Log in to the CTS console and view the operation records of IAM.

NOTE

IAM is a global service, and operations on IAM are recorded by CTS under the AP-Hong-Kong project by default. On the CTS console, switch to the AP-Hong-Kong region and then view the IAM operation records; a trace query scoped to any other region shows no IAM traces.

Step 3 Click the expand icon next to a trace to view its basic information.

Step 4 Click View Trace on the right of a trace to view the trace structure.

----End

13 Change History

Table 13-1 Change history

Released On   Description

2021-03-27    This issue is the eighteenth official release, which incorporates the following change: Updated Logging In to HUAWEI CLOUD based on the new feature of HUAWEI ID login.

2021-03-24    This issue is the seventeenth official release, which incorporates the following change: Added section Cloud Services Supported by IAM.

2020-12-30    This issue is the sixteenth official release, which incorporates the following changes: Updated the document based on changes in the login page, security settings function, and UI strings.

2020-11-26    This issue is the fifteenth official release, which incorporates the following change: Modified section Security Settings based on console changes.

2020-11-05    This issue is the fourteenth official release, which incorporates the following changes:
              ● Adjusted the structure of Identity Providers.
              ● Added section Configuration of OpenID Connect–based Federated Identity Authentication.

2020-10-26    This issue is the thirteenth official release, which incorporates the following change: Updated the screenshots of the login page based on the change to the login method.

2020-09-11    This issue is the twelfth official release, which incorporates the following change: Modified section IAM Users based on console changes.

2020-08-18    This issue is the eleventh official release, which incorporates the following change: Added section Logging In to HUAWEI CLOUD.

2020-04-20    This issue is the tenth official release, which incorporates the following changes: Added descriptions about removing users in Adding Users to or Removing Users from a User Group. Added section Canceling Permissions of a User Group.

2020-03-30    This issue is the ninth official release, which incorporates the following change: Deleted descriptions of open beta testing for policy-based access control. This function is now in commercial use.

2020-02-10    This issue is the eighth official release, which incorporates the following changes: Added section Change to the System-Defined Policy Names. Modified section Creating a User Group and Assigning Permissions based on policy name changes.

2020-01-20    This issue is the seventh official release, which incorporates the following changes: Modified the following sections based on console changes: User Groups and Authorization, and Permissions.

2019-11-20    This issue is the sixth official release, which incorporates the following changes: Added VPC Endpoints in ACL. Added Enabling/Disabling an access key in Managing Access Keys for an IAM User.

2019-10-15    This issue is the fifth official release, which incorporates the following changes: Added section Modifying or Deleting a Custom Policy. Added descriptions about creating custom policies in the visual editor in Creating a Custom Policy. Added descriptions about the syntax for policies used to assign resource- and condition-level permissions in Policies and Custom Policy Use Cases.

2019-09-29    This issue is the fourth official release, which incorporates the following change: Added section Custom Identity Broker.

2019-06-11    This issue is the third official release, which incorporates the following change: Optimized chapters Before You Start, IAM Users, User Groups and Authorization, Permissions, Projects, Security Settings, and Viewing IAM Operation Records.

2018-02-13    This issue is the second official release, which incorporates the following change: Added a table that describes agency types in Agencies.

2017-12-30    This issue is the first official release.