diff --git a/docs/iam/api-ref/ALL_META.TXT.json b/docs/iam/api-ref/ALL_META.TXT.json index 5cb71bd6d..b947b34b4 100644 --- a/docs/iam/api-ref/ALL_META.TXT.json +++ b/docs/iam/api-ref/ALL_META.TXT.json @@ -217,7 +217,7 @@ "node_id":"en-us_topic_0064274720.xml", "product_code":"iam", "code":"11", - "des":"This API is used to obtain an agency token. For example, after a trust relationship is established between A (delegating party) and B (delegated party), the delegated par", + "des":"This API is used to obtain an agency token. For example, after a trust relationship is established between account A (delegating party) and account B (delegated party), t", "doc_type":"api", "kw":"Obtaining an Agency Token,Token Management,API Reference", "search_title":"", diff --git a/docs/iam/api-ref/CLASS.TXT.json b/docs/iam/api-ref/CLASS.TXT.json index 93ce3efc9..41bbf3c1d 100644 --- a/docs/iam/api-ref/CLASS.TXT.json +++ b/docs/iam/api-ref/CLASS.TXT.json @@ -90,7 +90,7 @@ "code":"10" }, { - "desc":"This API is used to obtain an agency token. For example, after a trust relationship is established between A (delegating party) and B (delegated party), the delegated par", + "desc":"This API is used to obtain an agency token. For example, after a trust relationship is established between account A (delegating party) and account B (delegated party), t", "product_code":"iam", "title":"Obtaining an Agency Token", "uri":"en-us_topic_0064274720.html", diff --git a/docs/iam/api-ref/en-us_topic_0000001362626928.html b/docs/iam/api-ref/en-us_topic_0000001362626928.html index 591bf9791..a9942b7f7 100644 --- a/docs/iam/api-ref/en-us_topic_0000001362626928.html +++ b/docs/iam/api-ref/en-us_topic_0000001362626928.html @@ -45,7 +45,7 @@

String

-

Account ID. For details about how to obtain the account ID, see Obtaining User, Account, User Group, Project, and Agency Information.

+

Domain ID. For details about how to obtain the domain ID (account ID), see Obtaining User, Account, User Group, Project, and Agency Information.

role_id

@@ -119,7 +119,7 @@

String

-

Account ID. For details about how to obtain the account ID, see Obtaining User, Account, User Group, Project, and Agency Information.

+

Domain ID. For details about how to obtain the domain ID (account ID), see Obtaining User, Account, User Group, Project, and Agency Information.

scope.enterprise_projects_id

diff --git a/docs/iam/api-ref/en-us_topic_0057845561.html b/docs/iam/api-ref/en-us_topic_0057845561.html index 84b1a867c..a19155ea7 100644 --- a/docs/iam/api-ref/en-us_topic_0057845561.html +++ b/docs/iam/api-ref/en-us_topic_0057845561.html @@ -153,9 +153,9 @@
  • Description for the user format
    - - diff --git a/docs/iam/api-ref/en-us_topic_0057845564.html b/docs/iam/api-ref/en-us_topic_0057845564.html index 2319b831b..6f42cfd72 100644 --- a/docs/iam/api-ref/en-us_topic_0057845564.html +++ b/docs/iam/api-ref/en-us_topic_0057845564.html @@ -8,7 +8,13 @@ - + + +

    Parameter

    Mandatory

    +

    Mandatory

    Type

    +

    Type

    Description

    2024-11-25

    +

    2024-12-17

    +

    This release incorporates the following change:

    +

    Deleted the constraints on the number of policies, actions, condition keys, and resources in Custom Policy Management.

    +

    2024-11-25

    This release incorporates the following change:

    Updated content in API Overview.

    @@ -144,7 +150,7 @@

    2019-01-09

    This release incorporates the following changes:

    - +

    2018-10-08

    diff --git a/docs/iam/api-ref/en-us_topic_0057845567.html b/docs/iam/api-ref/en-us_topic_0057845567.html index 75a64ebb0..b029b9ab3 100644 --- a/docs/iam/api-ref/en-us_topic_0057845567.html +++ b/docs/iam/api-ref/en-us_topic_0057845567.html @@ -76,9 +76,9 @@
  • mappings parameter description
    - - @@ -131,7 +131,7 @@ } ]

    local: indicates the information about a federated user in the cloud system.

    -
    • user: indicates the name of a federated user in the cloud system. {0} indicates the first attribute of the user information in remote.
    • group: indicates the user group to which a federated user belongs in the cloud system.
    +
    • user: indicates the name of a federated user in the cloud system. {0} indicates the first attribute of the user information in remote.
    • group: indicates the user group to which a federated user belongs in the cloud system.

    remote: indicates the information about a federated user in the IdP. This expression is a combination of assertion attributes and operators. The value of remote is determined based on the assertion.

    • "type": "UserName" indicates an attribute in an IdP assertion.
    • "type": "orgPersonType" indicates an attribute in an IdP assertion.
    • not_any_of: The rule is not matched if any of the specified strings appear in the attribute type. The condition result is Boolean, not the argument that is passed as input.
    diff --git a/docs/iam/api-ref/en-us_topic_0057845581.html b/docs/iam/api-ref/en-us_topic_0057845581.html index 84cb6a5ef..888596295 100644 --- a/docs/iam/api-ref/en-us_topic_0057845581.html +++ b/docs/iam/api-ref/en-us_topic_0057845581.html @@ -177,7 +177,7 @@

    Parameter

    Mandatory

    +

    Mandatory

    Type

    +

    Type

    Description
  • identity_providers.links parameter description -
    - @@ -368,14 +368,14 @@ - - @@ -396,7 +396,7 @@ - diff --git a/docs/iam/api-ref/en-us_topic_0057845597.html b/docs/iam/api-ref/en-us_topic_0057845597.html index 7087500b8..3810fefc3 100644 --- a/docs/iam/api-ref/en-us_topic_0057845597.html +++ b/docs/iam/api-ref/en-us_topic_0057845597.html @@ -53,7 +53,7 @@

    Request Parameters

    • Parameters in the request header

    Parameter

    +
    diff --git a/docs/iam/api-ref/en-us_topic_0057845582.html b/docs/iam/api-ref/en-us_topic_0057845582.html index b1151c1e1..472841099 100644 --- a/docs/iam/api-ref/en-us_topic_0057845582.html +++ b/docs/iam/api-ref/en-us_topic_0057845582.html @@ -12,7 +12,7 @@
  • Region

    A region contains a physical data center, which is completely isolated to improve fault tolerance and stability. The region that is selected during resource creation cannot be changed after the resource is created. Regions are classified into universal regions and dedicated regions. A universal region provides universal cloud services for common tenants. A dedicated region provides specific services for specific tenants.

  • AZ

    An AZ is a physical location where resources use independent power supplies and networks. A region contains one or more AZs that are physically isolated but interconnected through internal networks. Because AZs are isolated from each other, any fault that occurs in an AZ will not affect other AZs.

  • Project

    Projects group and isolate resources (including compute, storage, and network resources) across physical regions. A default project is provided for each region, and subprojects can be created under each default project. Users can be granted permissions to access all resources in a specific project. For more refined access control, create subprojects under a project and create resources in the subprojects. Users can then be assigned permissions to access only specific resources in the subprojects.

    -
    Figure 1 Project isolating model
    +
    Figure 1 Project isolation model
    • diff --git a/docs/iam/api-ref/en-us_topic_0057845583.html b/docs/iam/api-ref/en-us_topic_0057845583.html index 4e5c67fce..11e4d6a53 100644 --- a/docs/iam/api-ref/en-us_topic_0057845583.html +++ b/docs/iam/api-ref/en-us_topic_0057845583.html @@ -342,7 +342,7 @@

    Parameter

    Type
    -
  • Example response
    The following is a sample request for obtaining a token for user A. The login password of the user is ********** and the domain name is domain A. The scope of the token is domain.
    Token information stored in the response header:
+
  • Example response
    The following is a sample request for obtaining a token for user A. The login password of the user is ********** and the domain name is domain A. The scope of the token is domain.
    Token information stored in the response header:
 X-Subject-Token:MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALBglghkgBZQMEAgEwgXXXXX...
 
 Token information stored in the response body:
diff --git a/docs/iam/api-ref/en-us_topic_0057845590.html b/docs/iam/api-ref/en-us_topic_0057845590.html
index 040e387de..ea7336e07 100644
--- a/docs/iam/api-ref/en-us_topic_0057845590.html
+++ b/docs/iam/api-ref/en-us_topic_0057845590.html
@@ -111,7 +111,7 @@
             }
         ]

    local: indicates the information about a federated user in the cloud system.

    -
    • user: indicates the name of a federated user in the cloud system. {0} indicates the first attribute of the user information in remote.
    • group: indicates the user group to which a federated user belongs in the cloud system.
    +
    • user: indicates the name of a federated user in the cloud system. {0} indicates the first attribute of the user information in remote.
    • group: indicates the user group to which a federated user belongs in the cloud system.

    remote: indicates the information about a federated user in the IdP. This expression is a combination of assertion attributes and operators. The value of remote is determined based on the assertion.

    • "type": "UserName" indicates an attribute in an IdP assertion.
    • "type": "orgPersonType" indicates an attribute in an IdP assertion.
    • not_any_of: The rule is not matched if any of the specified strings appear in the attribute type. The condition result is Boolean, not the argument that is passed as input.
    diff --git a/docs/iam/api-ref/en-us_topic_0057845591.html b/docs/iam/api-ref/en-us_topic_0057845591.html index 14c3ea26a..aba29f104 100644 --- a/docs/iam/api-ref/en-us_topic_0057845591.html +++ b/docs/iam/api-ref/en-us_topic_0057845591.html @@ -350,7 +350,7 @@

    • Array of strings

    Specific operation permission on a resource. A maximum of 100 actions are allowed.

    +

    Specific operation permission on a resource.

    NOTE:
    • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
    • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.
    • For a custom agency policy, this parameter should be set to "Action": ["iam:agencies:assume"].

    Object

    Conditions for the permission to take effect. A maximum of 10 conditions are allowed.

    +

    Conditions for the permission to take effect.

    Resource

    Array of strings

    Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters.

    +

    Cloud resource.

    NOTE:
    • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
    • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.
    • In the case of a custom policy for agencies, the type of this parameter is object, and the value should be set to "Resource": {"uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]}.

    Array of strings

    Condition key. The condition key must correspond to the specified operator. A maximum of 10 condition keys are allowed.

    +

    Condition key. A key is a valid attribute that corresponds to an operator.

    The parameter type is custom character string array.
    - diff --git a/docs/iam/api-ref/en-us_topic_0057845606.html b/docs/iam/api-ref/en-us_topic_0057845606.html index 00ebfdf2d..820e1c62f 100644 --- a/docs/iam/api-ref/en-us_topic_0057845606.html +++ b/docs/iam/api-ref/en-us_topic_0057845606.html @@ -31,13 +31,13 @@

    Request Parameters

    • Parameters in the request header -

    Parameter

    Mandatory

    +

    Mandatory

    Type

    Parameter

    +
    - - - diff --git a/docs/iam/api-ref/en-us_topic_0057845612.html b/docs/iam/api-ref/en-us_topic_0057845612.html index 837a36f32..e066352be 100644 --- a/docs/iam/api-ref/en-us_topic_0057845612.html +++ b/docs/iam/api-ref/en-us_topic_0057845612.html @@ -63,9 +63,9 @@

    Parameter

    Mandatory

    +

    Mandatory

    Type

    +

    Type

    Description

    +

    Description
  • Parameters in the request body -
    Table 1 Parameters in the request body

    Parameter

    +
    - @@ -86,9 +86,9 @@
    Table 1 Parameters in the request body

    Parameter

    Mandatory

    +

    Mandatory

    Type

    -
    Table 2 identity_provider

    Parameter

    +
    - @@ -122,7 +122,7 @@

    Response Parameters

    • Parameters in the response body -
    Table 2 identity_provider

    Parameter

    Mandatory

    +

    Mandatory

    Type
    Table 3 Parameters in the response body

    Parameter

    +
    @@ -141,7 +141,7 @@
    Table 3 Parameters in the response body

    Parameter

    Type

    -
    Table 4 identity_provider

    Parameter

    +
    @@ -195,7 +195,7 @@
    Table 4 identity_provider

    Parameter

    Type

    -
    Table 5 identity_provider.links

    Parameter

    +
    diff --git a/docs/iam/api-ref/en-us_topic_0057845623.html b/docs/iam/api-ref/en-us_topic_0057845623.html index 6986123db..fcfc79f77 100644 --- a/docs/iam/api-ref/en-us_topic_0057845623.html +++ b/docs/iam/api-ref/en-us_topic_0057845623.html @@ -52,7 +52,7 @@

    Request Parameters

    • Parameters in the request header
    Table 5 identity_provider.links

    Parameter

    Type

    - diff --git a/docs/iam/api-ref/en-us_topic_0057845625.html b/docs/iam/api-ref/en-us_topic_0057845625.html index 6a1112e7b..b25d42e4b 100644 --- a/docs/iam/api-ref/en-us_topic_0057845625.html +++ b/docs/iam/api-ref/en-us_topic_0057845625.html @@ -77,7 +77,7 @@ diff --git a/docs/iam/api-ref/en-us_topic_0057845637.html b/docs/iam/api-ref/en-us_topic_0057845637.html index 3a4768989..67a7915ba 100644 --- a/docs/iam/api-ref/en-us_topic_0057845637.html +++ b/docs/iam/api-ref/en-us_topic_0057845637.html @@ -63,9 +63,9 @@

    Parameter

    Mandatory

    +

    Mandatory

    Type

    Integer

    Number of data records on each page.

    -

    Value range: [1,5000]

    +

    Value range: 1–5000
    - - @@ -179,7 +179,7 @@ POST https://sample.domain.com/v3/users
    Table 2 user

    Parameter

    Mandatory

    +

    Mandatory

    Type

    +

    Type

    Description

  • Description for the user format -

    Parameter

    +
    diff --git a/docs/iam/api-ref/en-us_topic_0057845638.html b/docs/iam/api-ref/en-us_topic_0057845638.html index 42abe908c..6a298c8d1 100644 --- a/docs/iam/api-ref/en-us_topic_0057845638.html +++ b/docs/iam/api-ref/en-us_topic_0057845638.html @@ -51,7 +51,7 @@ @@ -130,9 +130,9 @@
  • Description for the user format

    • Parameter

    Mandatory

    Password expiration time. The format is password_expires_at=operator:timestamp.

    Example:

    password_expires_at=lt:2016-12-08T22:02:00Z
    -
    • The value of operator can be lt, lte, gt, gte, eq, or neq.
      • lt: The expiration time is earlier than timestamp.
      • lte: The expiration time is earlier than or equal to timestamp.
      • gt: The expiration time is later than timestamp.
      • gte: The expiration time is equal to or later than timestamp.
      • eq: The expiration time is equal to timestamp.
      • neq: The expiration time is not equal to timestamp.
      +
      • The value of operator can be lt, lte, gt, gte, eq, or neq.
        • lt: The expiration time is earlier than timestamp.
        • lte: The expiration time is earlier than or equal to timestamp.
        • gt: The expiration time is later than timestamp.
        • gte: The expiration time is equal to or later than timestamp.
        • eq: The expiration time is equal to timestamp.
        • neq: The expiration time is not equal to timestamp.
      • The timestamp format is YYYY-MM-DDTHH:mm:ssZ.
    - - diff --git a/docs/iam/api-ref/en-us_topic_0057845645.html b/docs/iam/api-ref/en-us_topic_0057845645.html index d55b1cf60..db0ba78cf 100644 --- a/docs/iam/api-ref/en-us_topic_0057845645.html +++ b/docs/iam/api-ref/en-us_topic_0057845645.html @@ -124,7 +124,7 @@ } ]

    local: indicates the information about a federated user in the cloud system.

    -
    • user: indicates the name of a federated user in the cloud system. {0} indicates the first attribute of the user information in remote.
    • group: indicates the user group to which a federated user belongs in the cloud system.
    +
    • user: indicates the name of a federated user in the cloud system. {0} indicates the first attribute of the user information in remote.
    • group: indicates the user group to which a federated user belongs in the cloud system.

    remote: indicates the information about a federated user in the IdP. This expression is a combination of assertion attributes and operators. The value of remote is determined based on the assertion.

    • "type": "UserName" indicates an attribute in an IdP assertion.
    • "type": "orgPersonType" indicates an attribute in an IdP assertion.
    • not_any_of: The rule is not matched if any of the specified strings appear in the attribute type. The condition result is Boolean, not the argument that is passed as input.
    diff --git a/docs/iam/api-ref/en-us_topic_0057845652.html b/docs/iam/api-ref/en-us_topic_0057845652.html index 3b5747fd8..b90d90949 100644 --- a/docs/iam/api-ref/en-us_topic_0057845652.html +++ b/docs/iam/api-ref/en-us_topic_0057845652.html @@ -90,9 +90,9 @@
  • Description for the user format

    • Parameter

    Mandatory

    +

    Mandatory

    Type

    +

    Type

    Description
    - - diff --git a/docs/iam/api-ref/en-us_topic_0064274720.html b/docs/iam/api-ref/en-us_topic_0064274720.html index c919a78d5..ed00d95ee 100644 --- a/docs/iam/api-ref/en-us_topic_0064274720.html +++ b/docs/iam/api-ref/en-us_topic_0064274720.html @@ -1,7 +1,7 @@

    Obtaining an Agency Token

    -

    Function

    This API is used to obtain an agency token. For example, after a trust relationship is established between A (delegating party) and B (delegated party), the delegated party B can use this API to obtain an agency token to manage A's resources that B is delegated to manage. However, B cannot use this agency token to manage its own resources. To do so, B needs to obtain a user token by referring to Obtaining a User Token.

    +

    Function

    This API is used to obtain an agency token. For example, after a trust relationship is established between account A (delegating party) and account B (delegated party), the delegated party B can use this API to obtain an agency token to manage A's resources that B is delegated to manage. However, B cannot use this agency token to manage its own resources. To do so, B needs to obtain a token by referring to Obtaining a User Token.

    The validity period of a token is 24 hours. Cache the token to prevent frequent API calling. Ensure that the token is valid while you use it. Using a token that will soon expire may cause API calling failures. Obtaining a new token does not affect the validity of the existing token.

    diff --git a/docs/iam/api-ref/en-us_topic_0079467614.html b/docs/iam/api-ref/en-us_topic_0079467614.html index b75952fc1..ffa509d11 100644 --- a/docs/iam/api-ref/en-us_topic_0079467614.html +++ b/docs/iam/api-ref/en-us_topic_0079467614.html @@ -49,7 +49,7 @@

    Request Parameters

    • Parameters in the request header -

    Parameter

    Mandatory

    +

    Mandatory

    Type

    +

    Type

    Description

    Parameter

    +
    @@ -85,7 +85,7 @@

    Response Parameters

    • Parameters in the response body -

    Parameter

    Mandatory

    Parameter

    +
    @@ -108,7 +108,7 @@

    Parameter

    Mandatory

  • Description for the agency format -

    Parameter

    +
    diff --git a/docs/iam/api-ref/en-us_topic_0079467615.html b/docs/iam/api-ref/en-us_topic_0079467615.html index 6f95923d2..6f71c3ce0 100644 --- a/docs/iam/api-ref/en-us_topic_0079467615.html +++ b/docs/iam/api-ref/en-us_topic_0079467615.html @@ -31,7 +31,7 @@

    Request Parameters

    • Parameters in the request header -

    Parameter

    Mandatory

    Parameter

    +
    @@ -67,7 +67,7 @@

    Response Parameters

    • Parameters in the response body -

    Parameter

    Mandatory

    Parameter

    +
    @@ -90,7 +90,7 @@

    Parameter

    Mandatory

  • Description for the agency format -

    Parameter

    +
    diff --git a/docs/iam/api-ref/en-us_topic_0079467617.html b/docs/iam/api-ref/en-us_topic_0079467617.html index 47ac8db37..65a9dd4e5 100644 --- a/docs/iam/api-ref/en-us_topic_0079467617.html +++ b/docs/iam/api-ref/en-us_topic_0079467617.html @@ -113,11 +113,11 @@

    Response Parameters

    • Parameters in the response body

    Parameter

    Mandatory

    - - - @@ -136,11 +136,11 @@
  • Description for the agency format

    • Parameter

    Mandatory

    +

    Mandatory

    Type

    +

    Type

    Description

    +

    Description
    - - - @@ -244,7 +244,7 @@

    Status Codes

    Parameter

    Mandatory

    +

    Mandatory

    Type

    +

    Type

    Description

    +

    Description
    - diff --git a/docs/iam/api-ref/en-us_topic_0079467622.html b/docs/iam/api-ref/en-us_topic_0079467622.html index 68b2ca88a..86b55e94d 100644 --- a/docs/iam/api-ref/en-us_topic_0079467622.html +++ b/docs/iam/api-ref/en-us_topic_0079467622.html @@ -51,11 +51,11 @@

    Request Parameters

    • Parameters in the request header

    Status Code

    Description

    +

    Description
    - - - @@ -96,7 +96,7 @@

    Status Codes

    Parameter

    Mandatory

    +

    Mandatory

    Type

    +

    Type

    Description

    +

    Description
    - diff --git a/docs/iam/api-ref/en-us_topic_0079467623.html b/docs/iam/api-ref/en-us_topic_0079467623.html index 9b343f3ca..7f0d25508 100644 --- a/docs/iam/api-ref/en-us_topic_0079467623.html +++ b/docs/iam/api-ref/en-us_topic_0079467623.html @@ -31,7 +31,7 @@

    Request Parameters

    • Parameters in the request header -

    Status Code

    Description

    +

    Description

    Parameter

    +
    @@ -111,7 +111,7 @@

    Response Parameters

    • Parameters in the response body -

    Parameter

    Mandatory

    Parameter

    +
    @@ -134,7 +134,7 @@

    Parameter

    Mandatory

  • Description for the agency format -

    Parameter

    +
    diff --git a/docs/iam/api-ref/en-us_topic_0079467625.html b/docs/iam/api-ref/en-us_topic_0079467625.html index fb20cfe67..be81ff9a3 100644 --- a/docs/iam/api-ref/en-us_topic_0079467625.html +++ b/docs/iam/api-ref/en-us_topic_0079467625.html @@ -33,13 +33,13 @@

    Request Parameters

    • Parameters in the request header -

    Parameter

    Mandatory

    Parameter

    +
    - - @@ -78,9 +78,9 @@

    Status Codes

    -

    Parameter

    Mandatory

    Type

    +

    Type

    Description

    +

    Description

    Status Code

    +
    - diff --git a/docs/iam/api-ref/en-us_topic_0079467627.html b/docs/iam/api-ref/en-us_topic_0079467627.html index 4ca498e55..040f02ca2 100644 --- a/docs/iam/api-ref/en-us_topic_0079467627.html +++ b/docs/iam/api-ref/en-us_topic_0079467627.html @@ -51,11 +51,11 @@

    Request Parameters

    • Parameters in the request header

    Status Code

    Description

    +

    Description
    - - - @@ -96,7 +96,7 @@

    Status Codes

    Parameter

    Mandatory

    +

    Mandatory

    Type

    +

    Type

    Description

    +

    Description
    - diff --git a/docs/iam/api-ref/en-us_topic_0079578163.html b/docs/iam/api-ref/en-us_topic_0079578163.html index 1a6ce194c..68b7a8e9f 100644 --- a/docs/iam/api-ref/en-us_topic_0079578163.html +++ b/docs/iam/api-ref/en-us_topic_0079578163.html @@ -93,10 +93,10 @@ } -

    Status Codes

    -

    Status Code

    Description

    +

    Description

    Status Code

    +

    Status Codes

    +
    - diff --git a/docs/iam/api-ref/en-us_topic_0079578165.html b/docs/iam/api-ref/en-us_topic_0079578165.html index 74db030e9..389b40f58 100644 --- a/docs/iam/api-ref/en-us_topic_0079578165.html +++ b/docs/iam/api-ref/en-us_topic_0079578165.html @@ -51,11 +51,11 @@

    Request Parameters

    • Parameters in the request header

    Status Code

    Description

    +

    Description
    - - - @@ -96,7 +96,7 @@

    Status Codes

    Parameter

    Mandatory

    +

    Mandatory

    Type

    +

    Type

    Description

    +

    Description
    - diff --git a/docs/iam/api-ref/iam_02_0001.html b/docs/iam/api-ref/iam_02_0001.html index b15993807..af0af87bb 100644 --- a/docs/iam/api-ref/iam_02_0001.html +++ b/docs/iam/api-ref/iam_02_0001.html @@ -8,7 +8,7 @@

    Description

    1. The client calls the API (federated token obtained in the SP-initiated mode) provided by the cloud system.
    2. The cloud system searches for the metadata file based on the user and IdP information in the URL and sends the SAML request to the client.
    3. The client encapsulates the SAML request and forwards the SAML request to the IdP.
    4. A user enters a username and password on the IdP server for identity authentication.
    5. After the user passes the authentication, IdP constructs an assertion carrying the user identity information and sends the SAML response. The response passes through the client.
    6. The client encapsulates the SAML response and forwards the SAML response to the cloud platform.
    7. The cloud platform verifies and authenticates the assertion, and generates a temporary access credential according to the identity conversion rule configured by users in the identity provider.
    8. Users can access cloud resources according to their permissions.

    OpenStackClient

    You must have permissions of user root to install the unified command-line client. To perform the following operations, you only need to have the permissions of a common user.

    -

    The API calling operation must be performed in a secure network environment (in a VPN or a cloud server of a domain). Otherwise, this operation may be under the man-in-the-middle (MITM) attack.

    +

    The API calling operation must be performed in a secure network environment (in a VPN or a cloud server of a domain). Otherwise, this operation may be under man-in-the-middle (MITM) attacks.

    1. Create an environment variable file under the installation directory of OpenStackClient. Modify the environment variable file in a text editor. Add parameters, such as the username, password, region, SAML protocol version, and the IP address and port number of IAM, to the file. Table 1 describes the parameters.

      For example:

      @@ -121,7 +121,7 @@ Using auth plugin: v3samlpassword

      AttributeFilterPolicy id indicates the name of the downloaded metadata file of the SP system.

      value indicates the EntityID in the metadata file of the SP system.

      -

    2. Configure the endpoint address of the enterprise IdP in the ecp.py script.

      # mapping from user friendly names or tags to IdP ECP enpoints
+
    3. Configure the endpoint address of the enterprise IdP in the ecp.py script.

      # mapping from user friendly names or tags to IdP ECP endpoints
 IDP_ENDPOINTS = {
     "idp1": "https://idp.example.com/idp/profile/SAML2/SOAP/ECP"
 }
      diff --git a/docs/iam/api-ref/iam_02_0005.html b/docs/iam/api-ref/iam_02_0005.html index 6f099b052..6e4fbe10d 100644 --- a/docs/iam/api-ref/iam_02_0005.html +++ b/docs/iam/api-ref/iam_02_0005.html @@ -182,7 +182,7 @@
    - diff --git a/docs/iam/api-ref/iam_02_0011.html b/docs/iam/api-ref/iam_02_0011.html index 5fee4c6c2..df8ad26d0 100644 --- a/docs/iam/api-ref/iam_02_0011.html +++ b/docs/iam/api-ref/iam_02_0011.html @@ -150,7 +150,7 @@ - - @@ -302,7 +302,7 @@ - @@ -318,14 +318,14 @@ - - @@ -366,7 +366,7 @@ - diff --git a/docs/iam/api-ref/iam_02_0012.html b/docs/iam/api-ref/iam_02_0012.html index 9c9cc80ce..0ce94fc79 100644 --- a/docs/iam/api-ref/iam_02_0012.html +++ b/docs/iam/api-ref/iam_02_0012.html @@ -227,7 +227,7 @@ - @@ -246,7 +246,7 @@ - @@ -264,14 +264,14 @@ - - @@ -312,7 +312,7 @@ - diff --git a/docs/iam/api-ref/iam_02_0013.html b/docs/iam/api-ref/iam_02_0013.html index 34ede21ca..2da4ed989 100644 --- a/docs/iam/api-ref/iam_02_0013.html +++ b/docs/iam/api-ref/iam_02_0013.html @@ -150,7 +150,7 @@ - @@ -173,7 +173,7 @@ - @@ -195,7 +195,7 @@ - - @@ -387,7 +387,7 @@ - @@ -406,7 +406,7 @@ - @@ -424,7 +424,7 @@ - - diff --git a/docs/iam/api-ref/iam_02_0014.html b/docs/iam/api-ref/iam_02_0014.html index 66188b98f..6e043fcf7 100644 --- a/docs/iam/api-ref/iam_02_0014.html +++ b/docs/iam/api-ref/iam_02_0014.html @@ -174,7 +174,7 @@ - @@ -197,7 +197,7 @@ - @@ -219,7 +219,7 @@ - - @@ -277,7 +277,7 @@ - @@ -449,7 +449,7 @@ - @@ -468,7 +468,7 @@ - @@ -486,14 +486,14 @@ - - @@ -534,7 +534,7 @@ - diff --git a/docs/iam/api-ref/iam_02_0023.html b/docs/iam/api-ref/iam_02_0023.html index 882212581..a704c9c6c 100644 --- a/docs/iam/api-ref/iam_02_0023.html +++ b/docs/iam/api-ref/iam_02_0023.html @@ -91,7 +91,7 @@ - - - - - @@ -184,42 +184,42 @@ - - - - - - - - - - - - diff --git a/docs/iam/api-ref/iam_02_0026.html b/docs/iam/api-ref/iam_02_0026.html index ca77264ec..c19f40ec6 100644 --- a/docs/iam/api-ref/iam_02_0026.html +++ b/docs/iam/api-ref/iam_02_0026.html @@ -21,7 +21,7 @@ - @@ -84,7 +84,7 @@ - - @@ -315,7 +315,7 @@ - - diff --git a/docs/iam/api-ref/iam_11_0016.html b/docs/iam/api-ref/iam_11_0016.html index 3fba4a4b1..f2cb62b4b 100644 --- a/docs/iam/api-ref/iam_11_0016.html +++ b/docs/iam/api-ref/iam_11_0016.html @@ -150,7 +150,7 @@ - @@ -394,7 +394,7 @@ - diff --git a/docs/iam/api-ref/iam_11_0017.html b/docs/iam/api-ref/iam_11_0017.html index 3ffbb4baf..9061d252d 100644 --- a/docs/iam/api-ref/iam_11_0017.html +++ b/docs/iam/api-ref/iam_11_0017.html @@ -174,7 +174,7 @@ - @@ -417,7 +417,7 @@ - diff --git a/docs/iam/api-ref/iam_19_0003.html b/docs/iam/api-ref/iam_19_0003.html index 73a5eaa04..a5fa041f3 100644 --- a/docs/iam/api-ref/iam_19_0003.html +++ b/docs/iam/api-ref/iam_19_0003.html @@ -4,8 +4,8 @@

    By default, new users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

    An account has all the permissions required to call all APIs, but users must be assigned the required permissions. The permissions required for calling an API are determined by the actions supported by the API. Only users who have been granted permissions allowing the actions can call the API successfully. For example, if a user queries ECSs using an API, the user must have been granted permissions that allow the ecs:servers:list action.

    Supported Actions

    IAM provides system-defined policies that can be directly used. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:

    -
    • Permission: Defined by actions in a custom policy.
    • APIs: REST APIs that can be called in a custom policy.
    • Actions: Added to a custom policy to control permissions for specific operations.
    • IAM or enterprise projects: A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions supporting both IAM and enterprise projects can be assigned to user groups and take effect in both IAM and Enterprise Management. Policies that only contain actions supporting IAM projects can be assigned to user groups and only take effect for IAM. Such policies will not take effect if they are assigned to user groups in Enterprise Management. For details about the differences between IAM and enterprise projects, see "Differences Between IAM Projects and Enterprise Projects".
    -
    • The check mark (√) and cross symbol (x) indicate that an action takes effect or does not take effect for the corresponding type of projects. A hyphen (-) indicates that an action is irrelevant to the corresponding type of projects.
    • IAM is a global service which does not involve project-based authorization.
    • Some permissions support only actions and do not support APIs, such as permissions for virtual MFA device management.
    +
    • Permission: Defined by actions in a custom policy.
    • APIs: REST APIs that can be called in a custom policy.
    • Actions: Added to a custom policy to control permissions for specific operations.
    +
    • The check mark (√) and cross symbol (x) indicate that an action takes effect or does not take effect for the corresponding type of projects. A hyphen (-) indicates that an action is irrelevant to the corresponding type of projects.
    • IAM is a global service which does not involve project-based authorization.
    • Some permissions only support actions and do not support APIssuch as permissions for virtual MFA device management.

    Status Code

    Description

    +

    Description

    Request Time-out

    The client does not produce a request within the time that the server was prepared to wait.

    +

    The request timed out.

    The client may repeat the request without modifications at any later time.

    String

    ID of the domain which the custom policy belongs to.

    +

    ID of the domain that the custom policy belongs to.

    references

    @@ -283,7 +283,7 @@

    Array of objects

    Statement of the policy. A policy can contain a maximum of eight statements.

    +

    Statement of the policy.

    Array of strings

    Specific operation permission on a resource. A maximum of 100 actions are allowed.

    +

    Specific operation permission on a resource.

    NOTE:
    • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
    • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.
    • For a custom policy for agencies, this parameter should be set to "Action": ["iam:agencies:assume"].

    Object

    Conditions for the permission to take effect. A maximum of 10 conditions are allowed.

    +

    Conditions for the permission to take effect.

    Resource

    Array of strings

    Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters.

    +

    Cloud resource.

    NOTE:
    • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
    • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.
    • In the case of a custom policy for agencies, the type of this parameter is Object, and the value should be set to "Resource": {"uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]}.

    Array of strings

    Condition key. The condition key must correspond to the specified operator. A maximum of 10 condition keys are allowed.

    +

    Condition key. A key is a valid attribute that corresponds to an operator.

    The parameter type is custom character string array.

    Array of objects

    Statement of the policy. A policy can contain a maximum of eight statements.

    +

    Statement of the policy.

    Array of strings

    Specific operation permission on a resource. A maximum of 100 actions are allowed.

    +

    Specific operation permission on a resource.

    NOTE:
    • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
    • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.
    • For a custom policy for agencies, this parameter should be set to "Action": ["iam:agencies:assume"].

    Object

    Conditions for the permission to take effect. A maximum of 10 conditions are allowed.

    +

    Conditions for the permission to take effect.

    Resource

    Array of strings

    Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters.

    +

    Cloud resource.

    NOTE:
    • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
    • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.
    • In the case of a custom policy for agencies, the type of this parameter is Object, and the value should be set to "Resource": {"uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]}.

    Array of strings

    Condition key. The condition key must correspond to the specified operator. A maximum of 10 condition keys are allowed.

    +

    Condition key. A key is a valid attribute that corresponds to an operator.

    • The parameter type is custom character string array.

    Array of objects

    Statement of the policy. A policy can contain a maximum of eight statements.

    +

    Statement of the policy.

    Array of strings

    Specific operation permission on a resource. A maximum of 100 actions are allowed.

    +

    Specific operation permission on a resource.

    NOTE:
    • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
    • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.

    Object

    Conditions for the permission to take effect. A maximum of 10 conditions are allowed.

    +

    Conditions for the permission to take effect.

    NOTE:

    Take the condition in the sample request as an example, the condition key (obs:prefix) and the string (public) must be equal (StringEquals).

     "Condition": {
               "StringEquals": {
@@ -213,7 +213,7 @@

    Array of strings

    Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters.

    +

    Cloud resource.

    NOTE:
    • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
    • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.

    Array of objects

    Statement of the policy. A policy can contain a maximum of eight statements.

    +

    Statement of the policy.

    Array of strings

    Specific operation permission on a resource. A maximum of 100 actions are allowed.

    +

    Specific operation permission on a resource.

    NOTE:
    • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
    • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.

    Map<String,Map<String,Array<String>>>

    Conditions for the permission to take effect. A maximum of 10 conditions are allowed.

    +

    Conditions for the permission to take effect.

    NOTE:

    Take the condition in the sample request as an example, the condition key (obs:prefix) and the string (public) must be equal (StringEquals).

     "Condition": {
               "StringEquals": {
@@ -440,7 +440,7 @@

    Array of strings

    Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters.

    +

    Cloud resource.

    NOTE:
    • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
    • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.

    Array of objects

    Statement of the policy. A policy can contain a maximum of eight statements.

    +

    Statement of the policy.

    Array of strings

    Specific operation permission on a resource. A maximum of 100 actions are allowed.

    +

    Specific operation permission on a resource.

    NOTE:
    • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
    • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.

    Object

    Conditions for the permission to take effect. A maximum of 10 conditions are allowed.

    +

    Conditions for the permission to take effect.

    Resource

    @@ -228,7 +228,7 @@

    Array of strings

    Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters.

    +

    Cloud resource.

    NOTE:
    • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
    • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.

    Array of strings

    Condition key. The condition key must correspond to the specified operator. A maximum of 10 condition keys are allowed.

    +

    Condition key. A key is a valid attribute that corresponds to an operator.

    • The parameter type is custom character string array.

    Array of objects

    Statement of the policy. A policy can contain a maximum of eight statements.

    +

    Statement of the policy.

    Array of strings

    Specific operation permission on a resource. A maximum of 100 actions are allowed.

    +

    Specific operation permission on a resource.

    NOTE:
    • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
    • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.

    Object

    Conditions for the permission to take effect. A maximum of 10 conditions are allowed.

    +

    Conditions for the permission to take effect.

    Resource

    Array of strings

    Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters.

    +

    Cloud resource.

    NOTE:
    • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
    • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.

    Array of strings

    Condition key. The condition key must correspond to the specified operator. A maximum of 10 condition keys are allowed.

    +

    Condition key. A key is a valid attribute that corresponds to an operator.

    • The parameter type is custom character string array.

    Integer

    Maximum number of times that a character is allowed to consecutively present in a password. Value range: 0–32.

    +

    The maximum number of times that a character is allowed to consecutively present in a password. Value range: 0–32

    minimum_password_age

    @@ -100,7 +100,7 @@

    Integer

    Minimum period (minutes) after which users are allowed to make a password change. Value range: 0–1440.

    +

    The minimum period (minutes) after which users are allowed to make a password change. Value range: 0–1440

    minimum_password_length

    @@ -109,7 +109,7 @@

    Integer

    Minimum number of characters that a password must contain. Value range: 6–32.

    +

    The minimum number of characters that a password must contain. Value range: 6–32

    number_of_recent_passwords_disallowed

    @@ -118,7 +118,7 @@

    Integer

    Number of previously used passwords that are not allowed. Value range: 0–10.

    +

    The number of previously used passwords that are not allowed. Value range: 0–10

    password_not_username_or_invert

    @@ -145,7 +145,7 @@

    Integer

    Minimum number of character types that a password must contain. Value range: 2–4.

    +

    The minimum number of character types that a password must contain. Value range: 2–4

    Integer

    Maximum number of times that a character is allowed to consecutively present in a password.

    +

    The maximum number of times that a character is allowed to consecutively present in a password.

    maximum_password_length

    Integer

    Maximum number of characters that a password can contain.

    +

    The maximum number of characters that a password can contain.

    minimum_password_age

    Integer

    Minimum period (minutes) after which users are allowed to make a password change.

    +

    The minimum period (minutes) after which users are allowed to make a password change.

    minimum_password_length

    Integer

    Minimum number of characters that a password must contain.

    +

    The minimum number of characters that a password must contain.

    number_of_recent_passwords_disallowed

    Integer

    Number of previously used passwords that are not allowed.

    +

    The number of previously used passwords that are not allowed.

    password_not_username_or_invert

    Boolean

    Indicates whether the password can be the username or the username spelled backwards.

    +

    Whether the password can be the username or the username spelled backwards.

    password_requirements

    diff --git a/docs/iam/api-ref/iam_02_0025.html b/docs/iam/api-ref/iam_02_0025.html index 30d6385cf..128922d5e 100644 --- a/docs/iam/api-ref/iam_02_0025.html +++ b/docs/iam/api-ref/iam_02_0025.html @@ -91,7 +91,7 @@

    Integer

    Validity period (days) to disable users if they have not logged in within the period. Value range: 0–240. If this parameter is set to 0, no users will be disabled.

    +

    Validity period (days) to disable users if they have not logged in within the period. Value range: 0–240 If this parameter is set to 0, no users will be disabled.

    custom_info_for_login

    @@ -109,7 +109,7 @@

    Integer

    Duration (minutes) to lock users out. Value range: 15–30.

    +

    Duration (minutes) to lock users out. Value range: 15–30

    login_failed_times

    @@ -118,7 +118,7 @@

    Integer

    Number of unsuccessful login attempts to lock users out. Value range: 3–10.

    +

    Number of unsuccessful login attempts to lock users out. Value range: 3–10

    period_with_login_failures

    @@ -127,7 +127,7 @@

    Integer

    Period (minutes) to count the number of unsuccessful login attempts. Value range: 15–60.

    +

    Period (minutes) to count the number of unsuccessful login attempts. Value range: 15–60

    session_timeout

    @@ -136,7 +136,7 @@

    Integer

    Session timeout (minutes) that will apply if you or users created using your account do not perform any operations within a specific period. Value range: 15–1440.

    +

    Session timeout (minutes) that will apply if you or users created using your account do not perform any operations within a specific period. Value range: 15–1440

    show_recent_login_info

    @@ -145,7 +145,7 @@

    Boolean

    Indicates whether to display last login information upon successful login. The value can be true or false.

    +

    Whether to display last login information upon successful login. The value can be true or false.

    String

    Domain ID.

    +

    Domain ID

    Integer

    Validity period (days) to disable users if they have not logged in within the period. Value range: 0–240. If this parameter is set to 0, no users will be disabled.

    +

    Validity period (days) to disable users if they have not logged in within the period. Value range: 0–240 If this parameter is set to 0, no users will be disabled.

    custom_info_for_login

    diff --git a/docs/iam/api-ref/iam_10_0011.html b/docs/iam/api-ref/iam_10_0011.html index f35c301b7..3f6b693bd 100644 --- a/docs/iam/api-ref/iam_10_0011.html +++ b/docs/iam/api-ref/iam_10_0011.html @@ -297,7 +297,7 @@

    Array of strings

    Specific operation permissions on a resource. A maximum of 100 actions are allowed. For details about supported actions, see "Permissions Policies and Supported Actions" in the API Reference of cloud services.

    +

    Specific operation permissions on a resource. For details about supported actions, see "Permissions Policies and Supported Actions" in the API Reference of cloud services.

    NOTE:
    • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
    • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.
    • In the case of a custom policy for agencies, this parameter should be set to "Action": ["iam:agencies:assume"].

    Object

    Conditions for the permission to take effect. The number of conditions cannot exceed 10. If this parameter is not specified during policy creation, it will not be returned in the response.

    +

    Conditions for the permission to take effect. If this parameter is not specified during policy creation, it will not be returned in the response.

    NOTE:

    Take the condition in the sample request as an example, the values of the condition key (obs:prefix) and string (public) must be equal (StringEquals).

     "Condition": {
               "StringEquals": {
@@ -331,7 +331,7 @@

    Object

    Cloud resource. If this parameter is not specified during policy creation, it will not be returned in the response. The object can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters.

    +

    Cloud resource. If this parameter is not specified during policy creation, it will not be returned in the response.

    NOTE:
    • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
    • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.
    • In the case of a custom policy for agencies, the type of this parameter is Object, and the value should be set to "Resource": {"uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]}.

    Array of objects

    Statement of the policy. A policy can contain a maximum of eight statements.

    +

    Statement of the policy.

    Array of objects

    Statement of the policy. A policy can contain a maximum of eight statements.

    +

    Statement of the policy.

    Array of objects

    Statement of the policy. A policy can contain a maximum of eight statements.

    +

    Statement of the policy.

    Array of objects

    Statement of the policy. A policy can contain a maximum of eight statements.

    +

    Statement of the policy.