Last updated: 2021-10-29 17:57:25
This topic describes how to use the Security Token Service (STS) token of an Identity and Access Management (IAM) role to authorize applications to access Kingsoft Cloud services.
Enterprise A has purchased Kingsoft Cloud Elastic Compute (KEC) instances and plans to deploy its applications on the KEC instances. The enterprise needs to allow the applications to use AccessKeys to call the operations of other Kingsoft Cloud services.
The following methods can be used:
However, the following problems may occur if the preceding methods are used:
With the access control feature of IAM, the enterprise can create an IAM role for each KEC instance and attach required policies to the IAM role. The applications can use the STS token of the specified IAM role to call the operations of Kingsoft Cloud services.
Select Kingsoft Cloud Service as the trusted entity and KEC as the trusted service. This way, KEC can assume the IAM role to access Kingsoft Cloud resources.
If the permissions of the STS token are insufficient, the enterprise can attach the required policies to the IAM role. After the policies are attached, the permissions immediately take effect, and the enterprise does not need to restart the specific KEC instance.
Log in to the KEC console.
Only IAM users with required policies attached can configure IAM roles for KEC instances. For example, the required policy can be the system policy KECAdminFullAccess, which provides the full permissions on KEC instances.
In the list of KEC instances, perform the following operations as needed:
In the Assign/Remove IAM Role dialog box, select Bind as the operation type and select an IAM role. If no IAM roles are available, go to the IAM console and create an IAM role whose trusted entity is Kingsoft Cloud Service.
Alternatively, when the enterprise creates a KEC instance, it can set the IAM Role of Instance parameter in the Advanced Options section on the System Configuration page to an existing IAM role or create a new IAM role for the instance.
Sample request
curl http://global.cloudinit.sdns.ksyun.com:8775/latest/iam
Sample response
{
<SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
<Expiration>2017-07-15T23:28:33.359Z</Expiration>
<AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
<SecurityToken>V1xxxxxxxxxxxx</SecurityToken>
<IamRoleName>XXXXX</IamRoleName>
}
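An added example (not part of the original page or Kingsoft Cloud's own code) of how an application on the instance might consume this response: it extracts the fields, refreshes the temporary credentials before the Expiration time, and masks the secret values before anything is logged. It assumes the response is the tag-delimited text shown above and uses a five-minute refresh margin; the function names are hypothetical.

```python
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Endpoint taken from the sample request on this page.
METADATA_URL = "http://global.cloudinit.sdns.ksyun.com:8775/latest/iam"
FIELDS = ("AccessKeyId", "SecretAccessKey", "SecurityToken", "Expiration", "IamRoleName")

# Constructed sample input: a copy of the sample response shown on this page.
SAMPLE = """{
<SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
<Expiration>2017-07-15T23:28:33.359Z</Expiration>
<AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
<SecurityToken>V1xxxxxxxxxxxx</SecurityToken>
<IamRoleName>XXXXX</IamRoleName>
}"""

def fetch(url=METADATA_URL, timeout=2):
    """Read the raw credential document; only reachable from inside a KEC instance."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def parse_credentials(body):
    """Extract the tag-delimited fields (assumed format); fail closed if one is missing."""
    creds = {}
    for name in FIELDS:
        m = re.search(r"<{0}>\s*(.*?)\s*</{0}>".format(name), body, re.S)
        if not m or not m.group(1):
            raise ValueError("metadata response is missing " + name)
        creds[name] = m.group(1)
    # Expiration is UTC ("Z" suffix) with optional fractional seconds.
    stamp = creds["Expiration"].rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in stamp else "%Y-%m-%dT%H:%M:%S"
    creds["Expiration"] = datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)
    return creds

def needs_refresh(creds, now=None, margin=timedelta(minutes=5)):
    """True when the token has expired or will expire within the safety margin."""
    now = now or datetime.now(timezone.utc)
    return creds["Expiration"] - now <= margin

def redacted(creds):
    """Log-safe view: keeps identifiers, masks the secret key and the token."""
    safe = dict(creds, SecretAccessKey="***", SecurityToken="***")
    safe["Expiration"] = creds["Expiration"].isoformat()
    return safe

if __name__ == "__main__":
    print(redacted(parse_credentials(SAMPLE)))
```

In a running application, call `fetch()` again whenever `needs_refresh()` returns true and keep the parsed values in memory only, not in configuration files or logs.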
(2) Windows operating system