          Create Role

          You can grant an IAM role permission to access Baidu AI Cloud resources. With an IAM role, you can grant specific access permissions to IAM users under your own account, or establish a trust relationship with other cloud accounts so that IAM users of those accounts can use the role you created to access your cloud resources. For example, you can allow a third-party cloud account to access data stored in a bucket of your object storage (BOS).

          Once the trust relationship is established, the users, services or applications of the trusted accounts can call the _AssumeRole_ API of the Baidu AI Cloud Security Token Service (STS) to assume the role. This operation provides the trusted users or services with temporary security credentials to access your cloud resources.
          For the concepts behind IAM roles, please refer to Related Concepts.

          This section describes how to create a role using the console.

          Prerequisite

          Before using the console to create a role, you need to:
          1. Have an activated Baidu AI Cloud account. For how to register and activate a cloud account, please refer to Registration.
          2. Have the system administrator permission of the account.

          Operation Steps

          Follow these steps to create a role in the console:
          1. Log in to the Baidu AI Cloud Console, move the mouse over the user avatar at the top right corner, and select Identity and Access Management.
          2. Select Role Management in the navigation bar on the left, and click the Create a New Role button.
          3. Fill in the basic information, such as the role name and description. The role name must be unique within the account and is not case sensitive: TESTROLE and testrole are regarded as the same role.
          4. Select the Role Carrier. Current Cloud Account means the role is created by the current cloud account and only supports access by IAM users or services under the current cloud account. Other Cloud Account means the role is created by other cloud accounts; in this case you need to fill in the Account ID of the other cloud account (you can find the ID under User Center > User ID). A role can trust at most 10 other cloud accounts at the same time.
          5. Authorize the role. Select an appropriate system policy or Custom Policy in Policy Management to grant to the role. If the existing policies do not meet your requirements, you can add a Custom Policy; please refer to Permission Policy. You can also skip this step and authorize the role later.
          6. Click Completion.

          The steps above complete the creation of a new role under a Baidu AI Cloud account.

          Note: Completing the above steps is only the first half of the required configuration. You must also grant the policy permission _STSAssumeRoleAccess_ to all users in the trusted accounts. For the detailed operation, please refer to Use the Role.
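
          The checks implied by steps 3 to 5 can be run over a list of planned roles before anyone opens the console. The following is an added example, not Baidu AI Cloud code: the dict layout, the `review_roles` function, the policy name and the account IDs are all hypothetical and constructed for illustration.

```python
# Added example: pre-creation review of planned IAM role definitions.
# The dict layout (name / carrier / trusted_accounts / policies) is a
# hypothetical planning format, not a Baidu AI Cloud API schema.
MAX_TRUSTED_ACCOUNTS = 10  # per-role limit stated in step 4


def review_roles(existing_names, planned):
    """Return a list of (role_name, finding) tuples for the planned roles."""
    findings = []
    # Role names are not case sensitive, so compare on a folded form.
    seen = {n.casefold(): n for n in existing_names}
    for role in planned:
        name = role["name"]
        key = name.casefold()
        if key in seen:
            findings.append((name, f"name collides with '{seen[key]}'"))
        else:
            seen[key] = name
        accounts = set(role.get("trusted_accounts", []))
        if role["carrier"] == "other":
            if not accounts:
                findings.append((name, "Other Cloud Account without an account ID"))
            elif len(accounts) > MAX_TRUSTED_ACCOUNTS:
                findings.append(
                    (name, f"trusts {len(accounts)} accounts, limit is {MAX_TRUSTED_ACCOUNTS}"))
        elif accounts:
            findings.append((name, "Current Cloud Account role lists external account IDs"))
        if not role.get("policies"):
            findings.append((name, "no policy attached (step 5 skipped)"))
    return findings


# Constructed sample data: names, policy and account IDs are placeholders.
EXISTING = ["TESTROLE"]
PLANNED = [
    {"name": "testrole", "carrier": "current", "policies": ["ExamplePolicy"]},
    {"name": "partner-read", "carrier": "other",
     "trusted_accounts": [f"example-account-{i:02d}" for i in range(11)],
     "policies": ["ExamplePolicy"]},
    {"name": "vendor-audit", "carrier": "other",
     "trusted_accounts": [], "policies": []},
]

if __name__ == "__main__":
    for role_name, finding in review_roles(EXISTING, PLANNED):
        print(f"{role_name}: {finding}")
```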
