Last updated: 2020-07-19 00:07:27

Manage and use cloud computing resources within a company (Account + IAM user)

Company Alice purchased various cloud computing resources, such as KEC instances, RDS instances, SLB instances, and KS3 storage, on Kingsoft Cloud. The employees from its different departments need to use these resources. As employees have different job responsibilities, the permissions that they require are also different.
To lower information security risks, Alice does not want to share its Kingsoft Cloud account and password with every employee who needs access, because doing so is equivalent to granting all permissions. Instead, Alice wants to give each employee a subaccount with the minimum permissions necessary for their work. The permissions of a subaccount can be flexibly assigned and revoked. A subaccount can also be disabled or deleted at any time by the company.
A subaccount can manage resources only after it has been authorized. Subaccounts are not billed individually. Alice bears all costs and expenses.
The Account + IAM user model is suitable for this scenario. It not only satisfies the need for permission management, but also eliminates the risks of sharing a Kingsoft Cloud account.

Use resources and manage permissions between companies (Cross-account + Role)

Different companies sometimes need to share cloud computing resources. For example, company Blue purchased various resources on Kingsoft Cloud and then delegates the operation and maintenance of these resources to company Carry. Carry can then assign the permissions on different resources of Blue to one or more of its employees. Carry can also control these permissions at a fine-grained level. If the contract between Blue and Carry comes to an end, Blue can revoke the permissions assigned to Carry.

The procedure is as follows:

  1. Blue creates role D, adds Carry’s Kingsoft Cloud account as a trusted account, and attaches relevant policies to role D.

  2. Carry creates IAM user Q and assigns Q the permission to assume and switch between roles.

  3. Q assumes role D to obtain the permissions to manage resources as defined by the policies attached to role D.
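
The three steps above, as an added example that is not part of the original page and does not use Kingsoft Cloud's API or policy syntax: a small Python model showing that both sides must authorize the role switch and that Blue's revocation cuts off access. The class names, the function names and the permission strings `kec:read` and `rds:read` are hypothetical, constructed for illustration.

```python
# Simplified model of cross-account role assumption (illustrative only;
# not Kingsoft Cloud's API or policy syntax). All names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Role:
    owner_account: str
    name: str
    trusted_accounts: set = field(default_factory=set)  # step 1: trusted accounts
    policies: set = field(default_factory=set)          # step 1: attached policies

@dataclass
class IamUser:
    account: str
    name: str
    enabled: bool = True
    assumable_roles: set = field(default_factory=set)   # step 2: (owner, role) pairs

def assume_role(user: IamUser, role: Role) -> frozenset:
    """Return the permissions the user gains, or raise PermissionError."""
    if not user.enabled:
        raise PermissionError("IAM user is disabled")
    # Resource owner's side: the role must trust the caller's account.
    if user.account not in role.trusted_accounts:
        raise PermissionError("role does not trust the caller's account")
    # Caller's side: the account must have let this user assume the role.
    if (role.owner_account, role.name) not in user.assumable_roles:
        raise PermissionError("user is not allowed to assume this role")
    # Step 3: the permissions obtained are those attached to the role.
    return frozenset(role.policies)

def can_assume(user: IamUser, role: Role) -> bool:
    try:
        assume_role(user, role)
        return True
    except PermissionError:
        return False

def demo() -> dict:
    role_d = Role("blue", "D", {"carry"}, {"kec:read", "rds:read"})  # constructed
    q = IamUser("carry", "Q", assumable_roles={("blue", "D")})
    r = IamUser("carry", "R")  # same account as Q, but no assume permission
    results = {"q": can_assume(q, role_d), "r": can_assume(r, role_d),
               "perms": assume_role(q, role_d)}
    role_d.trusted_accounts.discard("carry")  # contract ends: Blue revokes trust
    results["q_after_revoke"] = can_assume(q, role_d)
    return results
```
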
