What is Identity and Access Management?

Last updated: 2020-07-19 00:07:27


  • Account (Kingsoft Cloud account or member account)

An account, or Kingsoft Cloud account, is the owner of Kingsoft Cloud resources. Resource usage is measured and billed at the account level. You must register an account before you can use the services provided by Kingsoft Cloud. In general, the username of an account is the identifier used for logging in to Kingsoft Cloud.

An account is the owner of the cloud computing resources under its name. It has the full control of these resources and can purchase, renew, unsubscribe from, and upgrade these resources. It is the owner of the orders and bills for these resources. An account can access and manage any cloud computing resources that it owns.

  • IAM user

An Identity and Access Management (IAM) user is an authorization entity under an account. It is also a type of resource that belongs to the account. An IAM user does not own any cloud computing resources. Resource usage is not measured or billed at the IAM user level. An IAM user can manage the resources of an account after authorization from the account. The resources that an IAM user manages belong to the account and are paid for by the account. An IAM user does not have independent bills.

After an IAM user is authorized by an account, the IAM user can obtain a password or an AccessKey, with which the IAM user can log in to the Kingsoft Cloud console and call APIs to manage the resources of the account.

  • Role

A role is a type of virtual user or shadow user. It is an IAM user type. This type of virtual user has a defined identity and can be assigned a set of permissions through a policy, but it does not have a password or an AccessKey. The difference between a role and an IAM user lies mainly in how it is used. A role needs to be granted to a Kingsoft Cloud account, which can be your own account or another account. The account can then authorize one of its entities (IAM users) to assume this role. The entity then obtains a temporary security token for the role, with which it can access authorized resources as the role. For the duration of that session, the original permissions of the entity are hidden.

A role is mainly used to satisfy the needs of identity federation. For example, you can use a role together with your local company accounts to achieve single sign-on (SSO). You can also allow another Kingsoft Cloud account, its IAM users, or other Kingsoft Cloud services to manage your resources through a role.

  • Resource

A resource is an object entity that you can operate or use, such as a Kingsoft Cloud Elastic Compute (KEC) instance or an Elastic IP (EIP) instance. To make it easier to describe a resource in IAM policy documents, we use a Kingsoft Resource Name (KRN) to uniquely identify each Kingsoft Cloud resource.

  • Action

An action is an operation that you perform when you manage or use cloud computing resources. Actions can be categorized into management actions and data actions. A management action is an operation that you perform when you maintain a resource or manage the lifecycle of a resource, such as creating a KEC instance, restarting a KEC instance, or creating a Kingsoft Cloud Standard Storage Service (KS3) bucket. A data action is an operation that you perform when you use a resource, such as installing software on a KEC instance or uploading or downloading an object in a KS3 bucket.

You can control the permissions related to management actions for all Kingsoft Cloud services in IAM. For data actions, only storage services, such as KS3, support permission control in IAM. For more information about which actions you can control in IAM for each service, see the API document for the service.

Product design logic

IAM supports the creation and management of multiple user identities under one Kingsoft Cloud account, as well as assigning different policies to different users. In this way, different users can manage different cloud computing resources under one account.

A user identity refers to a person, system, or application that can manage Kingsoft Cloud resources through the Kingsoft Cloud console or APIs. IAM currently supports only one type of identity, the IAM user. An IAM user has a defined identity and can own AccessKeys. An IAM user normally corresponds to a person or an application.

IAM allows you to create and manage multiple policies under one Kingsoft Cloud account. A policy is a set of permissions. A Kingsoft Cloud account can attach one or more policies to an IAM user. The policy language of IAM can express fine-grained permissions. You can use a policy to assign permissions related to an API action or a resource.
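The following Python model ties together the concepts above: an account owns resources identified by KRN, an IAM user carries the policies attached to it, a policy is a set of action/resource permissions, and assuming a role yields a session that carries only the role's permissions (the caller's own permissions are hidden, as described in the Role section). This is an added example and not Kingsoft Cloud's own code or policy engine; the statement layout, the action names (`kec:RebootInstance`, `ks3:GetObject`, etc.), the KRN string format and the account IDs are all assumed for illustration, and the real policy language and KRN format are defined in the Kingsoft Cloud policy documentation.

```python
"""Toy model of account, IAM user, policy, role and KRN-based authorization.
Policy/KRN syntax, action names and account IDs below are assumed for
illustration; they are not the real Kingsoft Cloud formats."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Statement:
    effect: str        # "Allow" or "Deny"
    actions: tuple     # action patterns such as "kec:RebootInstance" or "kec:*"
    resources: tuple   # KRN patterns (assumed layout, see sample data below)


@dataclass(frozen=True)
class Policy:
    name: str
    statements: tuple


@dataclass
class IamUser:
    name: str
    account_id: str                    # the account that owns and pays for this user
    policies: list = field(default_factory=list)


@dataclass
class Role:
    name: str
    policies: tuple
    trusted_accounts: frozenset        # accounts the role has been granted to


@dataclass(frozen=True)
class Session:
    principal: str
    policies: tuple                    # the only permissions this session has


def is_allowed(policies, action, resource_krn):
    """Default deny: permitted only if some Allow statement matches both the
    action and the resource and no matching Deny statement exists."""
    allowed = False
    for policy in policies:
        for st in policy.statements:
            if not any(fnmatchcase(action, a) for a in st.actions):
                continue
            if not any(fnmatchcase(resource_krn, r) for r in st.resources):
                continue
            if st.effect == "Deny":
                return False           # an explicit Deny is final
            allowed = True
    return allowed


def user_session(user):
    """Logging in with a password or AccessKey gives the user's own permissions."""
    return Session(principal=user.name, policies=tuple(user.policies))


def assume_role(user, role):
    """A role can be assumed only from an account it was granted to; the
    resulting session carries the role's policies and nothing of the user's."""
    if user.account_id not in role.trusted_accounts:
        raise PermissionError(f"role {role.name} is not granted to account {user.account_id}")
    return Session(principal=f"{user.name}/{role.name}", policies=role.policies)


def check(session, action, resource_krn):
    return is_allowed(session.policies, action, resource_krn)


# Constructed sample data: placeholder account IDs and an assumed KRN layout.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
KEC_INSTANCE = f"krn:ksc:kec:cn-beijing-6:{ACCOUNT_A}:instance/i-example"
KS3_OBJECT = "krn:ksc:ks3:::logs-bucket/2020/07/app.log"   # KS3 supports data-action control

KEC_OPERATOR = Policy("KecOperator", (
    Statement("Allow", ("kec:*",), (f"krn:ksc:kec:*:{ACCOUNT_A}:instance/*",)),
    Statement("Deny", ("kec:DeleteInstance",), ("*",)),     # Deny overrides the wildcard Allow
))
KS3_LOG_READER = Policy("Ks3LogReader", (
    Statement("Allow", ("ks3:GetObject",), ("krn:ksc:ks3:::logs-bucket/*",)),
))

alice = IamUser("alice", ACCOUNT_A, [KEC_OPERATOR])
bob = IamUser("bob", ACCOUNT_B)                             # no policies, other account
log_reader = Role("LogReader", (KS3_LOG_READER,), frozenset({ACCOUNT_A}))


def demo():
    own = user_session(alice)
    as_role = assume_role(alice, log_reader)
    try:
        assume_role(bob, log_reader)
        bob_can_assume = True
    except PermissionError:
        bob_can_assume = False
    return {
        "alice_reboot": check(own, "kec:RebootInstance", KEC_INSTANCE),    # True
        "alice_delete": check(own, "kec:DeleteInstance", KEC_INSTANCE),    # False: explicit Deny
        "alice_read_log": check(own, "ks3:GetObject", KS3_OBJECT),         # False: no Allow
        "role_read_log": check(as_role, "ks3:GetObject", KS3_OBJECT),      # True
        "role_reboot": check(as_role, "kec:RebootInstance", KEC_INSTANCE), # False: own perms hidden
        "bob_can_assume": bob_can_assume,                                   # False: account B not trusted
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points carry over from the text: the evaluation is default-deny (an IAM user starts with no permissions and gains only what attached policies grant), and a role session is built from the role's policies alone, so a user who assumes a narrowly scoped role cannot use that session to reach resources its own policies would have allowed.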

