Identity and Access Management (IAM) is a set of rights management systems provided by Volcano Engine for customers to control the access rights of different identities to cloud resources.
For example, in an enterprise, the enterprise uses the master account to purchase cloud resources and assigns access to cloud resources to different IAM identities on demand. Organizations can allow employees to log into the console using IAM identities to access cloud resources, or use credentials generated by IAM users or role-plays for enterprise workloads to programmatically request access to Cloud as a Service.

Multi-identity management #

The main account has full access to the cloud resources under the account. In complex access scenarios on the cloud, sharing the main account credentials is not only inconvenient to use, but also poses security risks. With access control, you can create users, roles, and other identity applications in different scenarios without having to fully trust the main account.

Permission management #

An identity created through access control does not have access to cloud resources by default. Access control provides predefined permission spots for each cloud offering, and you can assign permissions to identities based on your actual needs. You can also customize permissions in Policy Management to meet the need for granular permission control.

Login access or API access with SSO #

Access control provides login access, API access and single sign-on SSO (Single Sign On) three access methods.

1. Login access: Access control allows you to set a login password for IAM users, allowing users to log in to the Volcano Engine console with a password to access cloud resources.

2. API access: Access control allows you to generate an access key for IAM users, who can use the key to invoke the product's OpenAPI to access cloud resources.

3. SSO access: Access control allows you to configure and manage an enterprise Identity Provider (Identity Provider), implementing a user SSO or role SSO.

Security control #

Volcano Engine access control provides multi-factor authentication capability (MFA) on the basis of security configuration such as valid period of user login password and limit of number of password attempts. You can require IAM users to perform additional one-time password (OTP) authentication based on virtual MFA devices in addition to password authentication when logging in. In the future, Volcano Engine will also provide more security configuration capabilities to help you further enhance the security of your account.

Temporary Token Service #

In addition to providing long-term access keys, access control provides a temporary security token service (STS). With STS, you can generate temporary security credentials with limited privileges to access cloud resources. For example, an enterprise developed an app based on Volcano Engine Cloud as a Service, which allows enterprises to access cloud resources by sending temporary security credentials to mobile apps through STS services, thus avoiding the security risks caused by long-term key storage in users' mobile end devices.

Others #

Volcano Engine Access Control will provide more access management capabilities in the future to help individuals and businesses manage access to cloud resources securely and efficiently.