Role Management

Role introduction

A role (Role) is a virtual identity in the IAM system that is used to grant a set of access permissions in an account to different identity entities. A trusted identity entity can assume the role to access cloud resources in the account.

Roles can trust the following identities:

  • **Other accounts (Account)**: After a role trusts another account, identities in that account can assume the role to access this account's resources. This is mainly used for cross-account authorization.
  • **This account (Account)**: A role can trust the current account, which is usually used to exchange for temporary credentials for API calls. The flow of assuming a role to call an API is as follows:

Note: The root account cannot assume a role directly. Create an IAM sub-user and grant it the STSAssumeRoleAccess policy; that sub-user assumes the role to obtain temporary security credentials for accessing cloud resources.

  • **Cloud service (Service)**: In some cases one cloud service depends on the resource permissions of another cloud service. The dependent account then grants resource permissions to that cloud service through a role for cross-service access.

To simplify cross-service authorization, the console may show a cross-service authorization page when you use some products. Click the authorization button to complete the authorization; once it succeeds, the system automatically creates a service-linked role under your account.

  • **Identity Provider (IdP)**: Used for federated SSO login with an enterprise identity provider; see the Identity Provider Management section.

To create a role in the console, follow the process below:

Create role

Through the console

On the "Role Management" page, click the New Role button, select the trusted identity type (Account or Cloud service), enter the account ID or select the cloud service, and complete the role creation.

Create a new role through the API

Refer to the API documentation for creating roles.

Common usage

| Scenario | Solution | Principle |
| --- | --- | --- |
| Cross-service authorization | Service role | Access to cloud resources is granted to a cloud service through a role whose trusted entity type is Cloud service. |
| Client-side access | Role assumption | On the server side, a long-term API key (AK/SK) assumes a role of a trusted account in exchange for temporary security credentials, which are then delivered to the client for access. |
| Calling APIs from ECS | Instance role (the trusted service is ECS) | The role trusts ECS, so ECS can exchange it for the account's temporary security credentials and inject them into the ECS instance's metadata. |
| Calling APIs from a container service | IRSA | The role trusts the container service's built-in identity provider, so the container service can exchange it for the account's temporary security credentials and inject them into cluster pods. |
| Single sign-on | Identity provider SSO | The role trusts the enterprise's identity provider, so that after the enterprise side completes identity authentication it can exchange for the account's temporary security credentials to access Volcano Engine. |
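The client-side access row above and the role-assumption note earlier describe the same pattern: the sub-user's long-term AK/SK stays on the server and only short-lived credentials reach the client. The broker below is an added illustration, not Volcano Engine's SDK or documented API; the STS AssumeRole call is represented by an injected callable (`assume_role_fn`), the role name and session name are placeholders, and `make_fake_sts` is a constructed stand-in so the code runs offline.

```python
# Added example: a minimal credential broker for the client-side access pattern.
# The long-term key never leaves the server; the client only receives temporary
# credentials, which are cached and refreshed shortly before they expire.
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expires_at: float  # epoch seconds


class RoleCredentialBroker:
    """Assume a role of a trusted account and hand out the resulting temporary
    credentials, refreshing them when they are within `refresh_margin_s` of expiry."""

    def __init__(self, assume_role_fn, role_name, session_name,
                 refresh_margin_s=300, clock=time.time):
        self._assume_role = assume_role_fn  # assumption: wraps the STS AssumeRole call
        self._role_name = role_name          # placeholder role identifier
        self._session_name = session_name
        self._margin = refresh_margin_s
        self._clock = clock
        self._cached = None
        self.refresh_count = 0               # how many times STS was actually called

    def credentials_for_client(self) -> TemporaryCredentials:
        now = self._clock()
        if self._cached is None or self._cached.expires_at - now <= self._margin:
            self._cached = self._assume_role(self._role_name, self._session_name)
            self.refresh_count += 1
        return self._cached


def make_fake_sts(clock=time.time, ttl_s=3600):
    """Constructed stand-in for STS: issues credentials bound to the role and
    session name with a fixed lifetime. Replace with the real SDK call in use."""
    counter = {"n": 0}

    def assume_role(role_name, session_name):
        counter["n"] += 1
        return TemporaryCredentials(
            access_key_id=f"TEMPKEY-{session_name}-{counter['n']}",
            secret_access_key="constructed-secret",
            session_token=f"token-for-{role_name}",
            expires_at=clock() + ttl_s,
        )
    return assume_role
```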
Last updated: 2025.06.23 19:21:29