All Documents
Current Document

Content is empty

If you don't find the content you expect, please try another search term



Last updated:2021-10-29 17:57:41


You need to register a Kingsoft Cloud account when you use Kingsoft Cloud services for the first time. The account is the owner of your Kingsoft Cloud resources, and your resource usage is measured and billed based on the account. The account has full access to the resources that it owns and the cloud services that it activates, and enables you to reset user passwords and assign user permissions.

Resources are accessible only to the Kingsoft Cloud account by default. Other users can access the resources only after being explicitly authorized by the Kingsoft Cloud account. The Kingsoft Cloud account is the root user or administrator of an operating system. Therefore, the Kingsoft Cloud account is also known as the root account or primary account.


Three identities are provided in IAM: IAM user, IAM group, and IAM role. The IAM user and IAM group are entity identities, and the IAM role is a virtual identity. You can attach a set of policies to an identity.

IAM user

An IAM user is an entity identity of IAM that has a fixed ID and credential. It represents a person or an application.

  • You can create multiple IAM users under one Kingsoft Cloud account to represent employees, systems, or applications of your Enterprise.
  • IAM users do not own resources, do not receive individual bills, and cannot make payments. Fees that are incurred by IAM users are paid by the corresponding Kingsoft Cloud accounts.
  • IAM users belong to and are visible only to their Kingsoft Cloud accounts.
  • IAM users must be authorized by their Kingsoft Cloud accounts before they can log in to the Kingsoft Cloud console or call API operations to access the resources under their Kingsoft Cloud accounts.

IAM group

An IAM group is an entity identity of IAM. You can create IAM groups to group and authorize IAM users with the same responsibilities, to better manage the IAM users and their permissions.

  • If the responsibilities of an IAM user change, you can move it to the IAM group with the corresponding responsibilities, without affecting other IAM users.
  • If the permissions of an IAM group change, you can modify the policy attached to the group. The modifications to the policy apply to all IAM users in the group.

IAM role

An IAM role is a virtual identity. IAM roles, entity users such as IAM users and IAM groups, and textbook roles have the following differences:

  • Entity users, such as IAM users, have specific login passwords or AccessKeys.
  • Textbook roles or conventional roles are a set of permissions, similar to policies in IAM. If a user assumes such a role, the user is granted a set of permissions and can access the authorized resources.
  • IAM roles are identities to which a set of policies are attached. However, IAM roles do not have login passwords or AccessKeys. After a trusted entity user assumes an IAM role, the entity user obtains the security token of the IAM role, with which the entity user can access authorized resources as the role.

Based on trusted entities, IAM supports the following three types of roles:

  • Account: role assumed by Kingsoft Cloud accounts and their IAM users. The IAM users who assume this type of role can belong to their own Kingsoft Cloud accounts or other Kingsoft Cloud accounts. This type of role is used for cross-account access and temporary authorization.
  • Service: role assumed by Kingsoft Cloud services. This type of role is used to authorize cross-service access.
  • Identity provider (IdP): role assumed by users of a trusted IdP. This type of role is used for single sign-on (SSO) between a trusted IdP and Kingsoft Cloud.


An entity is the initiator of an operation. Currently, Kingsoft Cloud supports two types of entities: account and IAM user.


An AccessKey is the identity credential for calling Kingsoft Cloud APIs, which consists of an AccessKeyID and a SecretAccessKey. It cannot be used for logging in to the Kingsoft Cloud console. The AccessKeyID is used to identify a user, and the SecretAccessKey is used to verify the key of the user.


Permissions indicate whether a user is allowed to perform a specific operation on a resource. Permissions include Allow and Deny.


Policies are a set of permissions defined based on the policy syntax and structure, which can accurately describe the authorized resource set, operation set, and authorization conditions.

IAM supports the following two types of policies:

  • System policies: Kingsoft Cloud creates and updates system policies. You can only use the policies but not modify them.
  • Custom policies: You can create, update, and delete the policies.


Authorization is the operation of granting permissions necessary for specific work to the corresponding identity (IAM user, IAM group, or IAM role). After obtaining the permissions, the identity can access the corresponding cloud service and perform required operations.

Multi-factor authentication (MFA)

MFA is a simple and effective best practice that adds an extra layer of protection in addition to your username and password. It provides enhanced security for your account. After MFA is enabled, you need to enter the following information when you log in to Kingsoft Cloud:

  1. Level 1 security factor: username and password
  2. Level 2 security factor: verification code generated by the MFA device


A resource is an object entity that you can operate or use, such as a KEC instance or an Elastic IP (EIP).

Kingsoft Resource Name (KRN)

To make it easier to describe a resource in IAM policy documents, a KRN is used to uniquely identify each Kingsoft Cloud resource, which is in the format of krn:ksc::::/.

On this page
Pure ModeNormal Mode

Pure Mode

Click to preview the document content in full screen