Use role

This topic describes how an IAM user uses the Kingsoft Cloud console and API to assume an IAM role whose trusted entity is a Kingsoft Cloud account.

Only IAM users can assume a role. A Kingsoft Cloud account cannot assume a role.

Prerequisites

1. You have created an IAM user. For more information, see Create an IAM user.
2. You have created an AccessKey for the IAM user. For more information, see Create an AccessKey for an IAM user.
3. You have granted permissions to the IAM user.
   • You have attached the STSAssumeRoleAccess system policy to the IAM user. This policy specifies the permission to call the AssumeRole STS API operation.
   • For more information about how to grant permissions, see Grant permissions to an IAM user.

Assume an IAM role in the Kingsoft Cloud console

After you log in to the Kingsoft Cloud console as an IAM user by using SSO, you can assume an IAM role by switching your login identity to the role.

1. Log in to the Kingsoft Cloud console as an IAM user.
2. Move the pointer over the username in the upper-right corner.
3. In the shortcut menu that appears, click Identity switching.
4. On the Switch Role page, set Username and Role name.
5. Click Confirm.

• After the switching is complete, your login identity changes to the IAM role, and you have the permissions that are granted to the IAM role.
• The smaller value of the maximum session duration of the IAM role and login session validity period of the IAM user is used as the login session validity period of the IAM role.

Assume an IAM role by calling an API operation

An authorized IAM user can use an AccessKey to call the AssumeRole API operation to obtain the STS token of an IAM role.