Last updated: 2021-10-29 17:57:41
You need to register a Kingsoft Cloud account when you use Kingsoft Cloud services for the first time. The account is the owner of your Kingsoft Cloud resources, and your resource usage is measured and billed based on the account. The account has full access to the resources that it owns and the cloud services that it activates, and enables you to reset user passwords and assign user permissions.
Resources are accessible only to the Kingsoft Cloud account by default. Other users can access the resources only after being explicitly authorized by the Kingsoft Cloud account. The Kingsoft Cloud account is comparable to the root user or administrator of an operating system, so it is also known as the root account or primary account.
Three identities are provided in IAM: IAM user, IAM group, and IAM role. The IAM user and IAM group are entity identities, and the IAM role is a virtual identity. You can attach a set of policies to an identity.
An IAM user is an entity identity of IAM that has a fixed ID and credential. It represents a person or an application.
An IAM group is an entity identity of IAM. You can create IAM groups to group and authorize IAM users with the same responsibilities, to better manage the IAM users and their permissions.
An IAM role is a virtual identity. IAM roles, entity users such as IAM users and IAM groups, and textbook roles have the following differences:
Based on trusted entities, IAM supports the following three types of roles:
An entity is the initiator of an operation. Currently, Kingsoft Cloud supports two types of entities: account and IAM user.
An AccessKey is the identity credential for calling Kingsoft Cloud APIs. It consists of an AccessKeyID and a SecretAccessKey, and it cannot be used for logging in to the Kingsoft Cloud console. The AccessKeyID is used to identify a user, and the SecretAccessKey is the key used to verify the user.
Permissions indicate whether a user is allowed to perform a specific operation on a resource. Permissions include Allow and Deny.
Policies are a set of permissions defined based on the policy syntax and structure, which can accurately describe the authorized resource set, operation set, and authorization conditions.
IAM supports the following two types of policies:
Authorization is the operation of granting permissions necessary for specific work to the corresponding identity (IAM user, IAM group, or IAM role). After obtaining the permissions, the identity can access the corresponding cloud service and perform required operations.
Multi-factor authentication (MFA) is a simple and effective best practice that adds an extra layer of protection on top of your username and password, providing enhanced security for your account. After MFA is enabled, you need to enter the following information when you log in to Kingsoft Cloud:
A resource is an object entity that you can operate or use, such as a KEC instance or an Elastic IP (EIP).
To make it easier to describe a resource in IAM policy documents, a KRN is used to uniquely identify each Kingsoft Cloud resource, which is in the format of