IAM, Baidu AI Cloud's identity and access management service, provides centralized permission management for cloud platform products. A cloud service must integrate with IAM before permissions inside that product can be controlled. This document lists the cloud products integrated with IAM, the permission granularity each supports, and the relevant documentation. IAM currently provides two kinds of service to cloud products:
- Identity and Access Management (IAM): authentication and authorization of the primary account and the IAM users it creates.
- Security Token Service (STS): temporary credentials issued by IAM for products and services, so that long-lived AccessKeys need not be handed out.
Platform module permissions
Platform policies are the general, cross-product policies of Baidu AI Cloud, covering system-level administration, operations and maintenance (O&M), read-only access, finance, tickets, certificate management, and others. Platform policies are part of IAM's system policies.
| Permission name | Policy description | Related documents |
| --- | --- | --- |
| System administrator permissions | Full permission to manage all Baidu AI Cloud resources | - |
| System operation and maintenance (O&M) permissions | O&M-level access across all product lines that support access authentication | - |
| System read-only permissions | Read-only access across all product lines that support access authentication | - |
| Financial permissions | Permission to view, pay for, and cancel orders | - |
| Certificate management | Certificate read-only and O&M permissions | [Certificate management](Reference/Certificate management/Identity and access management.md) |
| Ticket system administrator (TicketFullControlPolicy) | Account-wide: create, view, reply to, and delete all tickets under the account. IAM-user scope: create tickets, and view, reply to, and delete the tickets opened by the currently signed-in IAM user. | - |
| IAM system administrator (IAMFullControlAccessPolicy) | Full permission to manage multi-user access control | - |
| IAM read-only permission (IAMReadAccessPolicy) | Read-only access to multi-user access control, including downloading access reports | - |
| AK management permission (IAMManageAccessKeyPolicy) | Create, delete, and otherwise manage IAM users' AccessKeys. This policy is attached automatically when "Programmatic Access" is checked while creating an IAM user, so review it when auditing who can mint long-lived credentials. | - |
| BCT management permission | Full permission over BCT, including managing BCT records, downloading BCT logs, and managing traces | - |
| BCT read-only permission | Read-only access to BCT, including viewing BCT records, downloading BCT logs, and viewing traces | - |
Description of IAM-integrated product services
This section describes the product services integrated with IAM and STS. The fields of the table below are defined as follows:
- Product name: the Chinese name and English abbreviation of the Baidu AI Cloud product or service.
- Permission granularity: service-level or resource-level. A service-level policy authorizes an entire cloud product; a resource-level policy authorizes individual instances (for example, one specific BCC server), which is what least-privilege grants require.
- System-supported operational permissions: the system policies the product supports at service-level granularity.
- Security Token Service (STS): ✅ means the product accepts STS temporary credentials; - means it does not.
- Tag authorization: permissions and resources can be filtered for authorization by selected tags. ✅ means supported; - means not supported.
- Related documentation: a hyperlink means the product has its own permission documentation; - means none is currently available.