
Manage roles

Last updated: 2021-10-29 17:57:34

An Identity and Access Management (IAM) role is a virtual IAM identity with attached permission policies that determine what the identity can and cannot do. A role differs from an IAM user in two ways:

  • A role is not bound to one specific person. It must be assumed by an entity (an account, an IAM user, a Kingsoft Cloud service, or a federated identity provider user) that is trusted to do so.
  • A role has no standard long-term credential such as a password or an AccessKey. When an entity assumes a role, the role issues a temporary security credential that is valid only for that role session and expires afterwards.

Terms

  • IAM role: An identity to which a set of policies is attached. Unlike an IAM user, an IAM role has no login password and no AccessKey. After a trusted entity user assumes an IAM role, the entity user obtains the Security Token Service (STS) token of the role and can use it to access the authorized resources as the role.
  • Role KRN: The globally unique resource identifier of the role. Role KRNs follow the KRN naming conventions of Kingsoft Cloud, for example krn:ksc:iam::200**52:role/rolename. After you create a role, you can click the role name and find its KRN on the Role details page.
  • Trusted entity: An entity user that is allowed to assume the role. You must specify a trusted entity when you create a role, and only a trusted entity can assume it. A trusted entity can be a Kingsoft Cloud account, a Kingsoft Cloud service, or an identity provider (IdP).
  • Policy: A set of permissions. One or more policies can be attached to a role. A role without policies can exist, but it cannot access any Kingsoft Cloud resources.
  • Role assuming: The way an entity user obtains the STS token of a role. The entity user calls the AssumeRole operation of the STS API to obtain the STS token, then uses that token to call the API operations of Kingsoft Cloud services. The token is temporary; once it expires, the entity user must call AssumeRole again.
  • Identity switching: The way an entity user switches from the login identity to a role identity in the IAM console. After logging in to the IAM console, the entity user can switch to any role that the entity user is allowed to assume, manage Kingsoft Cloud resources as that role, and switch back to the login identity when the management operations are completed.
  • Role token: The temporary AccessKey issued for a role session. Because a role has no AccessKey of its own, an entity user who wants to use a role must assume it to obtain a role token, and then use that token to call the API operations of Kingsoft Cloud services.

Role types

  • Account: A role assumed by Kingsoft Cloud accounts and their IAM users. The IAM users who assume this type of role can belong to the account that owns the role or to another Kingsoft Cloud account. Scenario: cross-account access and temporary authorization.
  • Service: A role assumed by Kingsoft Cloud services. Scenario: authorizing one service to access resources of another service on your behalf.
  • IdP: A role assumed by users of an identity provider. Scenario: single sign-on (SSO) between an IdP and Kingsoft Cloud.
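The following added example models the role-assumption flow described under the Terms above and the cross-account scenario of the Account role type: the trusted entity check, the temporary role token with an expiry, and permission policies that are evaluated for the role rather than for the caller. It is illustrative Python written for this page, not Kingsoft Cloud's STS API or SDK; the account IDs, the user KRN format, the action names and the resource KRN are constructed and hypothetical.

```python
"""Toy model of IAM role assumption (illustration only, not Kingsoft Cloud code)."""
import fnmatch
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    krn: str
    trusted_entities: frozenset   # who may assume the role (the trust relationship)
    policies: tuple               # allowed (action_pattern, resource_pattern) pairs


@dataclass(frozen=True)
class RoleToken:
    """Temporary credential returned by AssumeRole; the role itself has no AccessKey."""
    access_key: str
    secret_key: str
    session_token: str
    expiration: float             # Unix time after which the token is rejected
    role_krn: str


class FakeClock:
    """Injectable clock so token expiry can be exercised without sleeping."""
    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


class Sts:
    """Minimal STS: issues role tokens and authorizes requests that carry them."""

    def __init__(self, roles, clock=time.time):
        self.roles = {r.krn: r for r in roles}
        self.sessions = {}        # session_token -> RoleToken
        self.clock = clock

    def assume_role(self, caller, role_krn, duration_seconds=3600):
        """AssumeRole: only a trusted entity of the role receives a token."""
        role = self.roles.get(role_krn)
        if role is None or caller not in role.trusted_entities:
            # One error for "no such role" and "not trusted", so callers
            # cannot probe which role KRNs exist in another account.
            raise PermissionError(f"{caller} may not assume {role_krn}")
        token = RoleToken(
            access_key="AKTMP" + secrets.token_hex(8),
            secret_key=secrets.token_urlsafe(32),
            session_token=secrets.token_urlsafe(32),
            expiration=self.clock() + duration_seconds,
            role_krn=role_krn,
        )
        self.sessions[token.session_token] = token
        return token

    def authorize(self, session_token, action, resource):
        """Evaluate a request made with a role token against the role's policies."""
        token = self.sessions.get(session_token)
        if token is None:
            return False, "unknown session token"
        if self.clock() >= token.expiration:
            self.sessions.pop(session_token, None)     # expired session is discarded
            return False, "role token expired; call AssumeRole again"
        role = self.roles[token.role_krn]
        for action_pat, resource_pat in role.policies:
            if fnmatch.fnmatchcase(action, action_pat) and fnmatch.fnmatchcase(resource, resource_pat):
                return True, f"allowed by a policy attached to {role.krn}"
        return False, "no policy attached to the role allows this action"


# Constructed sample data (hypothetical account IDs and KRN formats).
ROLE_KRN = "krn:ksc:iam::100000000001:role/ReportReader"         # owned by account ...0001
TRUSTED_USER = "krn:ksc:iam::100000000002:user/alice"            # IAM user in account ...0002
OTHER_USER = "krn:ksc:iam::100000000002:user/bob"                 # not in the trust list
REPORT = "krn:ksc:ks3:::reports/2021/q3.csv"                      # hypothetical resource KRN


def build_demo(clock=time.time):
    """Cross-account setup: account ...0001 trusts one user of account ...0002."""
    role = Role(
        krn=ROLE_KRN,
        trusted_entities=frozenset({TRUSTED_USER}),
        policies=(("ks3:Get*", "krn:ksc:ks3:::reports/*"),),      # read-only, one prefix
    )
    return Sts([role], clock=clock)


def can_assume(sts, caller, role_krn):
    """True if AssumeRole succeeds for this caller."""
    try:
        sts.assume_role(caller, role_krn)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    clock = FakeClock(1_700_000_000.0)
    sts = build_demo(clock)
    token = sts.assume_role(TRUSTED_USER, ROLE_KRN, duration_seconds=900)
    print(sts.authorize(token.session_token, "ks3:GetObject", REPORT))
    print(sts.authorize(token.session_token, "ks3:DeleteObject", REPORT))
    print(can_assume(sts, OTHER_USER, ROLE_KRN))
    clock.now += 901                                             # token lifetime passed
    print(sts.authorize(token.session_token, "ks3:GetObject", REPORT))
```

Two details carry over to the real service: the caller's own permissions play no part once the role token is in use (the request is evaluated as the role), and an expired token is not refreshed, so any long-running job has to call AssumeRole again before the token lifetime runs out.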