Manage roles

Last updated: 2020-07-19 00:07:27

Create a role

Generally, you need to set the following information when you create a role in the Kingsoft Cloud console:

• Trusted entity type

• Role information

• Carrier information

Procedure:

  1. Log in to the Kingsoft Cloud console (new version).
  2. Choose Products and Services > Monitor and Management > IAM. In the left navigation pane, click Roles.
  3. On the Roles page, click Create Role and then follow the instructions.

When you set carrier information for a role, if the role is intended to be used by IAM users under your Kingsoft Cloud account, select Current Ksyun Account. In this case, you do not need to manually enter the account ID.

If the role is intended to be used by IAM users under another Kingsoft Cloud account, select Other Ksyun Account and enter the ID of the account, as shown in the following figure.

Note:
1. Only IAM users can assume a role. A Kingsoft Cloud account cannot assume a role.
2. If you select **Ksyun Account** as the trusted entity type, then when you set carrier information, enter the ID of the Kingsoft Cloud account that owns the IAM users who will assume the role.


View role information

You can view the information about a role under your Kingsoft Cloud account. The procedure is as follows:

  1. Log in to the Kingsoft Cloud console (new version) with your Kingsoft Cloud account or as an authorized IAM user.
  2. Choose Products and Services > Monitor and Management > IAM. In the left navigation pane, click Roles. The Roles page appears.
  3. On the Roles page, find the target role and click Details in the Actions column. The Role details page appears, as shown in the following figure.


The Role details page consists of the Role information section and the following tabs: Role carrier and Permissions. You can click a tab to view the detailed information.

View granted roles

You can view the roles that are granted to the current Kingsoft Cloud account. The procedure is as follows:

  1. Log in to the Kingsoft Cloud console (new version) with your Kingsoft Cloud account or as an authorized IAM user.
  2. Choose Products and Services > Monitor and Management > IAM. In the left navigation pane, click Roles. The Roles page appears.
  3. On the Roles page, click the Credited role tab. The roles that are granted to the current Kingsoft Cloud account appear, as shown in the following figure.


Add a trusted account and attach policies to a role

A Kingsoft Cloud account or an authorized IAM user can add a trusted account and attach policies to a role. The procedure is as follows:

  1. Log in to the Kingsoft Cloud console (new version) with your Kingsoft Cloud account or as an authorized IAM user.

  2. Choose Products and Services > Monitor and Management > IAM. In the left navigation pane, click Roles. The Roles page appears.

  3. On the Roles page, find the target role and click Details in the Actions column to go to the Role details page. On the Role carrier tab, you can view the trusted Kingsoft Cloud accounts of the current role. You can add and delete trusted accounts on this tab.


  4. On the Roles page, find the target role and click Details in the Actions column to go to the Role details page. Click the Permissions tab and attach policies to or detach policies from the role.


Assume a role

Only IAM users can assume a role. In accordance with recommended security practices, IAM does not allow a trusted Kingsoft Cloud account itself to assume a role.

Therefore, a trusted Kingsoft Cloud account must create an IAM user, assign the AssumeRole permission to the IAM user, and assume the role as the IAM user.

Procedure:

• Create an IAM user. Set a login password or create an AccessKey for the IAM user.

• Assign the AssumeRole permission to the IAM user. To do so, you can attach the system policy STSAssumeRoleAccess to the IAM user.

(1) The IAM user can assume a role to call APIs of Kingsoft Cloud services.

After the IAM user is assigned the AssumeRole permission, the IAM user can use its AccessKey to call the AssumeRole operation of Security Token Service (STS) to obtain a temporary security token for a certain role. For more information about how to call the AssumeRole operation, see the STS API reference.

(2) The IAM user can assume a role to use the Kingsoft Cloud console.

The overall procedure for using a role is as follows:

  1. Company A creates role a and adds company B’s Kingsoft Cloud account as a trusted account of role a.

(1) Find role a and click Add User in the Actions column.


(2) Add company B’s Kingsoft Cloud account as a trusted account.


  2. Company B creates IAM user b and attaches the STSAssumeRoleAccess policy to IAM user b.


  3. IAM user b moves the pointer over the username in the top navigation bar of the Kingsoft Cloud console and selects Identity switching to assume role a and access resources of company A.

Note: Only IAM users can assume a role. A Kingsoft Cloud account cannot assume a role.
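The rules in this section combine into a two-sided check that is useful for access reviews: the role must list the caller's account as a trusted account, and the caller must be an IAM user holding STSAssumeRoleAccess. The following is an added example, not Kingsoft Cloud code; the inventory structures, account IDs and names are constructed, and it assumes that a role set up with Current Ksyun Account lists its own account as a carrier.

```python
from dataclasses import dataclass, field

STS_POLICY = "STSAssumeRoleAccess"  # system policy named on this page

@dataclass
class Principal:
    account_id: str
    name: str
    is_iam_user: bool  # False = the Kingsoft Cloud account itself
    policies: set = field(default_factory=set)

@dataclass
class Role:
    owner_account: str
    name: str
    trusted_accounts: set  # account IDs shown on the Role carrier tab

def can_assume(p, role):
    """Return (allowed, reason) for one principal/role pair."""
    if not p.is_iam_user:
        return False, "account identity cannot assume roles"
    if p.account_id not in role.trusted_accounts:
        return False, "account not in role carrier list"
    if STS_POLICY not in p.policies:
        return False, f"missing {STS_POLICY}"
    kind = "same-account" if p.account_id == role.owner_account else "cross-account"
    return True, kind

def access_review(principals, roles):
    """List every (role, principal, kind) pair that can actually be assumed."""
    rows = []
    for r in roles:
        for p in principals:
            ok, kind = can_assume(p, r)
            if ok:
                rows.append((r.name, f"{p.account_id}/{p.name}", kind))
    return sorted(rows)

# Constructed sample inventory (hypothetical IDs and names).
ROLES = [Role("1000000001", "role-a", {"1000000001", "2000000002"})]
PRINCIPALS = [
    Principal("2000000002", "root", False, {STS_POLICY}),
    Principal("2000000002", "user-b", True, {STS_POLICY}),
    Principal("2000000002", "user-c", True, set()),
    Principal("1000000001", "ops", True, {STS_POLICY}),
    Principal("3000000003", "outsider", True, {STS_POLICY}),
]

if __name__ == "__main__":
    for row in access_review(PRINCIPALS, ROLES):
        print(*row)
```

Rows marked cross-account are the ones to reconcile against the trusted accounts you intended to add on the Role carrier tab.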
