You need to enable JavaScript to run this app.
IAM

IAM

  • Documentation
    • IAMOverviewBasic concept
Copy page
Download PDF
Overview
Basic concept
Copy page
Download PDF
Basic concept

IAM Identity

User

A user is an identity for access control, created by an account or a user with permissions. After a user is granted permissions (Policy), they can log into the console or use the Access Key to invoke the API to access cloud resources. For more user information and related operations, see User Management .

  • IAM users, also known as sub-accounts, are created by the Volcano Engine account (main account) or by an IAM user with administrative privileges.
  • After the IAM user is successfully created, it belongs to the Volcano Engine account (main account), not an independent Volcano Engine account.
  • IAM users must be authorized to access resources under the Volcano Engine account (main account) within the scope of their privileges.
  • IAM users do not own any service resources, cannot independently measure and charge, and can only be authorized by the Volcano Engine account (main account) to manage various resources under their name. The managed resources belong to the main account (paid by the main account), and there is no independent billing.

User Group

A user group is a collection of users. When a user group is associated with a policy, all users in the same user group will have the corresponding policy permissions. The same user can exist in multiple user groups and have the permissions of multiple user groups simultaneously. For more information about user groups and related operations, see User Group Management .

Role

A role is a virtual identity in access control. Roles cannot directly access Cloud as a Service. They need to configure a trust relationship to trust other identities. The trusted identity obtains temporary security credentials through an AssumeRole, and then accesses cloud resources. For more roles and related operations, see Role Management .

The trusted identity of a role supports several types:

  • User: It can be a real user or a back-end service. After the user is authorized by the role, they can use temporary credentials to access Cloud as a Service resources to ensure the security of the access.
  • Account: Roles can be credited to the current account or to other accounts.
  • Cloud as a Service (Service): Refers to Cloud as a Service on Volcano Engine. After the role is credited to the service, the service will be able to access cloud resources as an account identity.
  • Identity Provider (IdP): A customer-owned identity service. Customers can establish a trust relationship between their own IdP and Volcano Engine IAM through federated login capabilities, enabling single sign-on to the Volcano Engine console.

warning

An IAM role is both an identity and a resource. When a role acts as an identity, an associated permissions policy is required to express the access permissions that the role has (in relation to the temporary credential permissions generated by the role play). When a role acts as a resource, an associated trust policy is required to express the identity by which the role can be accessed (i.e., the identity by which the role can be played).

Policy

A policy is a set of permissions described by a grammatical structure. In the policy, the scope of operation, resource scope, and permission effective conditions can be defined. IAM users, user groups, or roles need to be granted permissions through associated policies.

The newly created IAM user, user group or role does not have any permissions by default, and requires the main account as its authorization policy. After authorization, the IAM user, user group or role can manage and access the cloud resources under the main account. In order to ensure the data security of resources, the principle of least privilege should be followed when authorizing, and the corresponding IAM user, user group or role should be granted just enough permissions.

  • Policy Type: IAM supports **system preset policies **and **custom policies **.

  • Strategy Sentence: IAM policies have a fixed syntax, allowing you to create richer and more diverse IAM policies on demand. For more information, see IAM policy syntax .

  • scope of policy

When adding an IAM policy to an IAM identity, you need to select the scope in which the IAM policy takes effect. The following two permission scopes are currently supported:

  • Global permissions :
  • When the IAM policy takes effect with global permissions, the designated IAM policy takes effect for all items in the account (including future new items).
  • If you need to give all resource permissions under the IAM identity account, the effective scope of the IAM policy can use "Global Permissions".
  • Project Permissions :
  • When the IAM policy takes effect on project permissions, the specified IAM policy takes effect only on resources within the scope of the specified project, and is invalid for resources not within the scope of the specified project.
  • If you need to precisely control the access scope of your IAM identity, the scope of the IAM policy can use "Project Permissions".

Single sign-on (SSO)

Single sign-on is also known as federated sign-on. Volcano Engine supports SSO based on SAML 2.0, providing two SSO methods: user SSO and role SSO. Customers can use IAM's SSO capabilities to enable single sign-on to the Volcano Engine console through their own IdP.

Last updated: 2025.06.23 19:21:32