Concepts
Before using the IAM service, it is important to understand its core concepts so that IAM functions can be applied flexibly and effectively to your enterprise's requirements. IAM focuses on two things, identity management and access control for cloud accounts, and the concepts below are organized around those two functions.
Identity system
Account
The smallest unit of resource isolation and billing on Baidu AI Cloud, and the collection and owner of a customer's cloud resources. An account is created automatically when the customer registers on the Baidu AI Cloud console and serves as an independent space for subsequent resource management, billing, and so on.
Primary user
The super administrator user created automatically by the system when the customer's cloud account is created. Because the primary user holds every permission in the cloud account, it is strongly recommended not to use it directly for routine account management. Instead, use the primary user to create administrator IAM users and perform subsequent resource management and operations through those users.
IAM user
A type of user under the IAM identity framework used to share or collaborate on the primary user's cloud resources. Usernames must be unique within the account. An IAM user may represent a person, a service, or an application; it can sign in to the console with a username and password or access cloud resources programmatically through the APIs.
Message contact
A special type of user in the IAM identity system that only receives messages and has no access to cloud account resources. Primary users typically use message contacts to deliver specific AI Cloud notifications to enterprise or team members. Every IAM user is also a message contact by default.
Group
A collection of IAM users or message contacts that share the same job function. A policy attached to a group applies to every user in it, and an IAM user can belong to several groups at once. New employees can be added to the appropriate groups to inherit all the relevant permissions at once, and employees who transfer can be removed from their former groups to revoke permissions they no longer need.
Role
An IAM role is a virtual identity that, like a user identity, can have permissions on resources attached to it. Unlike a user, a role has no long-term credentials of its own; it must be assumed by a trusted entity (such as an IAM user) before it can be used.
Federated identity
An enterprise that already operates its own identity system can act as the identity provider (IdP), with Baidu AI Cloud as the service provider (SP), so that staff sign in once with their corporate identity. Federated identities are typically combined with roles to access cloud resources within the account.
User credentials
Security credentials associated with a user and used to verify its identity. IAM user credentials currently fall into three types:
- User password: used to sign in to the console; it only needs to be set if the user requires console login
- AccessKey: credentials for programmatic access, used to sign API calls or SDK requests so that the server can verify them
- Token: in temporary authorization scenarios, STS issues a temporary token to a user who assumes a role
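What "signature verification" with an AccessKey means in practice, as an added example that is not from the original page or from Baidu's SDKs: the client derives a signing key from the secret key and an authorization prefix, signs a canonical form of the request with HMAC-SHA256, and sends only the AccessKey ID and the signature; the server looks up the secret by AccessKey ID, recomputes the signature, checks the validity window and compares in constant time. The layout follows the bce-auth-v1 scheme as I understand it from Baidu's public authentication documentation, but the exact canonicalization rules are an assumption to confirm against the official docs, and the keys, request, headers and the `lookup_secret` callback are constructed for illustration.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

# Constructed example credentials for illustration only (not real keys).
ACCESS_KEY_ID = "0123456789abcdef0123456789abcdef"
SECRET_ACCESS_KEY = "fedcba9876543210fedcba9876543210"
TIMESTAMP = "2024-01-01T00:00:00Z"          # UTC, the form the scheme uses
# Constructed request: headers and query parameters of a hypothetical BCC list call.
HEADERS = {"Host": "bcc.bj.baidubce.com", "x-bce-date": TIMESTAMP}
PARAMS = {"maxKeys": 10, "marker": ""}
SIGNED = ["host", "x-bce-date"]


def _encode(value, keep_slash=False):
    # RFC 3986 percent-encoding; only the URI path keeps "/" unencoded.
    return urllib.parse.quote(value, safe="-_.~" + ("/" if keep_slash else ""))


def canonical_query(params):
    # Sorted "key=value" pairs; an "authorization" parameter is never signed.
    pairs = sorted(f"{_encode(k)}={_encode(str(v))}"
                   for k, v in params.items() if k.lower() != "authorization")
    return "&".join(pairs)


def canonical_headers(headers, signed):
    # Lower-cased names, trimmed values, sorted by name, one per line.
    lowered = {k.lower(): v for k, v in headers.items()}
    return "\n".join(f"{_encode(n)}:{_encode(lowered[n].strip())}"
                     for n in sorted(h.lower() for h in signed))


def sign_request(ak, sk, method, path, params, headers, signed, timestamp, expires=1800):
    """Client side: build the Authorization header value."""
    prefix = f"bce-auth-v1/{ak}/{timestamp}/{expires}"
    # The secret key only ever feeds this HMAC; it is never transmitted.
    signing_key = hmac.new(sk.encode(), prefix.encode(), hashlib.sha256).hexdigest()
    canonical = "\n".join([method.upper(), _encode(path, keep_slash=True),
                           canonical_query(params), canonical_headers(headers, signed)])
    signature = hmac.new(signing_key.encode(), canonical.encode(), hashlib.sha256).hexdigest()
    signed_names = ";".join(sorted(h.lower() for h in signed))
    return f"{prefix}/{signed_names}/{signature}"


def verify_request(authorization, lookup_secret, method, path, params, headers, now_epoch):
    """Server side: recompute the signature from the stored secret and compare."""
    parts = authorization.split("/")
    if len(parts) != 6 or parts[0] != "bce-auth-v1":
        return False
    _, ak, timestamp, expires, signed_names, _sig = parts
    sk = lookup_secret(ak)                    # hypothetical credential-store lookup
    if sk is None:
        return False
    try:
        issued = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc).timestamp()
        window = int(expires)
        # Reject requests outside the validity window before doing any crypto.
        if now_epoch < issued or now_epoch - issued > window:
            return False
        expected = sign_request(ak, sk, method, path, params, headers,
                                signed_names.split(";"), timestamp, window)
    except (ValueError, KeyError):            # malformed timestamp/expiry or missing header
        return False
    return hmac.compare_digest(expected, authorization)   # constant-time comparison


def demo():
    """Sign the constructed request, then verify it and two tampered variants."""
    auth = sign_request(ACCESS_KEY_ID, SECRET_ACCESS_KEY, "GET", "/v2/instance",
                        PARAMS, HEADERS, SIGNED, TIMESTAMP)
    lookup = lambda ak: SECRET_ACCESS_KEY if ak == ACCESS_KEY_ID else None
    now = 1704067200 + 600                    # 2024-01-01T00:10:00Z, inside the window
    return {
        "authorization": auth,
        "valid": verify_request(auth, lookup, "GET", "/v2/instance", PARAMS, HEADERS, now),
        "method_tampered": verify_request(auth, lookup, "DELETE", "/v2/instance", PARAMS, HEADERS, now),
        "expired": verify_request(auth, lookup, "GET", "/v2/instance", PARAMS, HEADERS, now + 3600),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the two server-side checks that matter most: the secret is fetched by AccessKey ID and never leaves the server, and the expiry window bounds how long a captured Authorization header can be replayed.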
Access control
Permission
Allows or denies a user to perform specific operations on certain resources. For example: resource control, such as creating or deleting a BCC server; resource operation and maintenance, such as stopping or rebooting a BCC server, which does not change the resource's lifecycle; and read-only, such as viewing a resource.
Policy
A collection of permissions that defines which operations a user may perform on which resources within the cloud account.
ACL
The description of a policy. Each policy is associated with one ACL, written in JSON, that spells out the permitted or denied operations.
Resource
An abstract object entity exposed by a cloud service for users to interact with, such as a BCC instance or a BOS bucket.
Policy and identity
Policies can be attached to users, groups, or roles. An identity is governed by the policies attached to it directly and, for users, by those attached to the groups it belongs to; this is how access control over cloud resources is enforced.
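How a policy's ACL is evaluated and how attachments to a user and to its groups combine, as an added example that is not from the page or from Baidu's IAM service. The three constructed ACL documents use the JSON shape I understand the IAM console to use (entries with service, region, resource, permission and effect under accessControlList); the field names, the wildcard matching, and the combination rule used here (an explicit Deny overrides any Allow, and anything not allowed is denied) are assumptions for illustration, not a statement of the service's documented semantics, and the users, groups and attachments are hypothetical.

```python
import fnmatch
import json

# Constructed ACL documents (illustrative; field names assumed from the IAM console).
BCC_READONLY = json.loads("""{
  "accessControlList": [
    {"service": "bce:bcc", "region": "*", "resource": ["*"],
     "permission": ["READ"], "effect": "Allow"}
  ]
}""")

BCC_OPS_BJ = json.loads("""{
  "accessControlList": [
    {"service": "bce:bcc", "region": "bj", "resource": ["*"],
     "permission": ["OPERATE"], "effect": "Allow"}
  ]
}""")

PROTECT_PROD = json.loads("""{
  "accessControlList": [
    {"service": "bce:bcc", "region": "*", "resource": ["i-prod-*"],
     "permission": ["*"], "effect": "Deny"}
  ]
}""")

# Hypothetical attachments: policies attached directly to users, policies attached
# to groups, and group membership.
USER_POLICIES = {"alice": [BCC_OPS_BJ]}
GROUP_POLICIES = {"viewers": [BCC_READONLY], "guardrails": [PROTECT_PROD]}
GROUP_MEMBERS = {"viewers": {"alice", "bob"}, "guardrails": {"alice", "bob"}}


def effective_policies(user):
    """Policies attached to the user plus those attached to every group it is in."""
    policies = list(USER_POLICIES.get(user, []))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            policies.extend(GROUP_POLICIES.get(group, []))
    return policies


def entry_matches(entry, service, region, resource, permission):
    """Case-sensitive glob match of one ACL entry against a concrete request."""
    return (fnmatch.fnmatchcase(service, entry["service"])
            and fnmatch.fnmatchcase(region, entry["region"])
            and any(fnmatch.fnmatchcase(resource, r) for r in entry["resource"])
            and any(fnmatch.fnmatchcase(permission, p) for p in entry["permission"]))


def evaluate(policies, service, region, resource, permission):
    """Assumed combination rule: default deny, Allow if any entry allows,
    explicit Deny wins regardless of where in the policy set it appears."""
    decision = "Deny"
    for policy in policies:
        for entry in policy["accessControlList"]:
            if entry_matches(entry, service, region, resource, permission):
                if entry["effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def can(user, service, region, resource, permission):
    return evaluate(effective_policies(user), service, region, resource, permission) == "Allow"


if __name__ == "__main__":
    for user, region, res, perm in [("alice", "bj", "i-dev-1", "OPERATE"),
                                    ("alice", "gz", "i-dev-1", "OPERATE"),
                                    ("alice", "bj", "i-prod-1", "READ"),
                                    ("bob", "bj", "i-dev-1", "READ")]:
        print(user, region, res, perm, "->", can(user, "bce:bcc", region, res, perm))
```

The guardrails group shows why groups are useful for more than convenience: a Deny policy attached once to a group applies to every member, so removing a user's direct OPERATE policy is not needed to keep them away from the i-prod-* instances.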
