Use IAM for authorizing applications to access Kingsoft Cloud resources

Last updated:2021-10-29 17:57:25

This topic describes how to use the Security Token Service (STS) token of an Identity and Access Management (IAM) role to authorize applications to access Kingsoft Cloud services.


Enterprise A has purchased Kingsoft Cloud Elastic Compute (KEC) instances and plans to deploy its applications on the KEC instances. The enterprise needs to allow the applications to use AccessKeys to call the operations of other Kingsoft Cloud services.

The following methods can be used:

  • Include the AccessKeys in the application code.
  • Save the AccessKeys in the configuration files of the applications.

However, the following problems may occur if the preceding methods are used:

  • AccessKey disclosure: If the AccessKeys are stored in the KEC instances in plaintext, the AccessKeys may be disclosed after the snapshots and images are shared, or KEC instances are created by using the images.
  • O&M complexity: The AccessKeys are stored in KEC instances. If the AccessKeys change due to periodic rotations or user identity changes, the enterprise must update and redeploy all instances and images, which increases the complexity of instance and image management.


With the access control feature of IAM, the enterprise can create an IAM role for each KEC instance and attach required policies to the IAM role. The applications can use the STS token of the specified IAM role to call the operations of Kingsoft Cloud services.


Step 1: Create an IAM role and attach required policies

  1. Use the Kingsoft Cloud account to create an IAM role.

Select Kingsoft Cloud Service as the trusted entity and KEC as the trusted service. This way, KEC can assume the IAM role to access Kingsoft Cloud resources.

  1. Attach required policies to the IAM role. For more information, see Grant permissions to an IAM role.

If the permissions of the STS token are insufficient, the enterprise can attach the required policies to the IAM role. After the policies are attached, the permissions immediately take effect, and the enterprise does not need to restart the specific KEC instance.

Step 2: Assign an IAM role to the KEC instance

  1. Log in to the KEC console.

Only IAM users with required policies attached can configure IAM roles for KEC instances. For example, the required policy can be the system policy KECAdminFullAccess, which provides the full permissions on KEC instances.

  1. In the left navigation pane, click Instance.

  2. In the list of KEC instances, perform the following operations as needed:

    • Assign or remove the IAM role for one instance: Find the target instance and choose More > Instance Settings > Assign/Remove IAM Role in the Operation column.
    • Assign or remove the IAM role for multiple instances: Select the target instances and choose More > Assign/Remove IAM Role. Only the same IAM role can be assigned to the instances.
  3. In the Assign/Remove IAM Role dialog box, select Bind as the operation type and select an IAM role. If no IAM roles are available, go to the IAM console and create an IAM role, of which the trusted entity is Kingsoft Cloud Service.

  4. Click OK.

Alternatively, when the enterprise creates a KEC instance, it can set the IAM Role of Instance parameter in the Advanced Options section on the System Configuration page to an existing IAM role or create a new IAM role for the instance.

Step 3: Obtain the STS token by accessing the instance metadata URL within the instance

  1. Start the KEC instance. Then, KEC calls the STS AssumeRole operation to obtain the STS token of the IAM role.
  2. STS returns the token to KEC.
  3. KEC includes the token in the metadata of the KEC instance and passes the metadata to the applications that are deployed on the KEC instance.
    (1) Linux operating system
    Applications can query the metadata of the KEC instance to obtain the STS token and expiration time.
Sample request
Sample response

(2) Windows operating system

  • If the Windows operating system supports PowerShell and cURL commands, the method for obtaining the STS token and expiration time is the same as that for the Linux operating system.
  • If the Windows operating system does not support PowerShell and cURL commands, install other debugging tools for HTTP requests, such as Postman and Chrome plug-ins, and access to obtain the STS token and expiration time.
  1. The applications call Kingsoft Cloud operations by using the STS token.

Did you find the above information helpful?

Mostly Unhelpful
A little helpful
Very helpful

What might be the problems?

Unclear or awkward
Redundant or clumsy
Lack of context for the complex system or functionality

More suggestions


Please give us your feedback.


Thank you for your feedback.