Last updated: 2020-07-19 00:07:27
Generally, you need to set the following information when you create a role in the Kingsoft Cloud console:
• Trusted entity type
• Role information
• Carrier information
Procedure: Log in to the Kingsoft Cloud console (new version). Choose Products and Services > Monitor and Management > IAM. In the left navigation pane, click Roles. On the Roles page, click Create Role and then follow the instructions.
When you set carrier information for a role, if the role is intended to be used by IAM users under your Kingsoft Cloud account, select Current Ksyun Account. In this case, you do not need to manually enter the account ID.
If the role is intended to be used by IAM users under another Kingsoft Cloud account, select Other Ksyun Account and enter the ID of the account, as shown in the following figure.
Note: 1. Only IAM users can assume a role. A Kingsoft Cloud account cannot assume a role. 2. If you select **Ksyun Account** as the trusted entity type, then when you set carrier information, enter the ID of the Kingsoft Cloud account that owns the IAM users who will assume the role.
You can view the information about a role under your Kingsoft Cloud account. The procedure is as follows:
The Role details page consists of the Role information section and the following tabs: Role carrier and Permissions. You can click a tab to view the detailed information.
You can view the roles that are granted to the current Kingsoft Cloud account. The procedure is as follows:
A Kingsoft Cloud account or an authorized IAM user can add a trusted account and attach policies to a role. The procedure is as follows:
Log in to the Kingsoft Cloud console (new version) with your Kingsoft Cloud account or as an authorized IAM user.
Choose Products and Services > Monitor and Management > IAM. In the left navigation pane, click Roles. The Roles page appears.
On the Roles page, find the target role and click Details in the Actions column to go to the Role details page. On the Role carrier tab, you can view the trusted Kingsoft Cloud accounts of the current role. You can add and delete trusted accounts on this tab.
Only IAM users can assume a role. In accordance with recommended security practices, IAM does not allow a trusted Kingsoft Cloud account itself to assume a role.
Therefore, a trusted Kingsoft Cloud account must create an IAM user, assign the AssumeRole permission to the IAM user, and assume the role as the IAM user.
• Create an IAM user. Set a login password or create an AccessKey for the IAM user.
• Assign the AssumeRole permission to the IAM user. To do so, you can attach the system policy STSAssumeRoleAccess to the IAM user.
(1) The IAM user can assume a role to call APIs of Kingsoft Cloud services.
After the IAM user is assigned the AssumeRole permission, the IAM user can use its AccessKey to call the AssumeRole operation of Security Token Service (STS) to obtain a temporary security token for a certain role. For more information about how to call the AssumeRole operation, see the STS API reference.
(2) The IAM user can assume a role to use the Kingsoft Cloud console.
The overall procedure for using a role is as follows:
(1) Find role a and click Add User in the Actions column.
(2) Add company B’s Kingsoft Cloud account as a trusted account.
Note: Only IAM users can assume a role. A Kingsoft Cloud account cannot assume a role.
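The rules above (only IAM users can assume a role, the user's account must be a trusted carrier of the role, and the user needs the AssumeRole permission) can be checked against an inventory of roles and users to list every path by which a role can currently be assumed, including cross-account paths such as the company B case. The following is an added example, not Kingsoft Cloud code: the inventory layout, account IDs and user names are constructed placeholders, and it treats the STSAssumeRoleAccess system policy as the only source of the AssumeRole permission.

```python
from dataclasses import dataclass

ASSUME_POLICY = "STSAssumeRoleAccess"  # system policy named on this page

@dataclass(frozen=True)
class Principal:
    account_id: str                  # owning Kingsoft Cloud account (placeholder IDs)
    name: str
    is_iam_user: bool                # False = the Kingsoft Cloud account itself
    policies: frozenset = frozenset()

@dataclass(frozen=True)
class Role:
    owner_account: str
    name: str
    trusted_accounts: frozenset      # entries on the "Role carrier" tab

def can_assume(p, role):
    """Return (allowed, reason) following the three rules stated on this page."""
    if not p.is_iam_user:
        return False, "account itself cannot assume a role"
    if p.account_id not in role.trusted_accounts:
        return False, "account is not a trusted carrier of the role"
    if ASSUME_POLICY not in p.policies:
        return False, "IAM user lacks the AssumeRole permission"
    scope = "same-account" if p.account_id == role.owner_account else "cross-account"
    return True, scope

def audit(principals, roles):
    """List every (user, role, scope) path that is currently assumable."""
    paths = []
    for role in roles:
        for p in principals:
            allowed, scope = can_assume(p, role)
            if allowed:
                paths.append((f"{p.account_id}/{p.name}", role.name, scope))
    return sorted(paths)

# Constructed sample inventory: account 1000 owns role-a and trusts account 2000.
ROLES = [Role("1000", "role-a", frozenset({"1000", "2000"}))]
PRINCIPALS = [
    Principal("2000", "account-2000", False, frozenset({ASSUME_POLICY})),
    Principal("2000", "bob", True, frozenset({ASSUME_POLICY})),
    Principal("2000", "carol", True),
    Principal("1000", "alice", True, frozenset({ASSUME_POLICY})),
    Principal("3000", "dave", True, frozenset({ASSUME_POLICY})),
]

if __name__ == "__main__":
    for path in audit(PRINCIPALS, ROLES):
        print(path)
```

Cross-account paths in the output are the ones to review first, since every IAM user with the AssumeRole permission in a trusted account can obtain the role's permissions.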