Overview

Last updated: 2022-05-20 15:51:01

IAM (Identity and Access Management) is an identity and access management service provided by CDNetworks. Through IAM configuration, the parent account (main account) controls the operation permissions and access of its sub-accounts by assigning different permission policies to different sub-accounts as needed, for example, restricting a sub-account to read-only permission on a specified bucket.

Note: To avoid resource leakage, it is strongly recommended to grant permissions according to the principle of least privilege. We recommend that customers change AK/SK regularly and clean up unused accounts and their privileges in a timely manner.

Parent account/main account

  • The resource owner who has full control authority over all resources under its account.
  • The basic subject of resource usage metering and billing, which pays for all resources under its account.

Sub-account

  • Created by the parent account and assigned independent keys and permissions at creation. By default, it does not have any permissions (including any permissions on the resources it creates itself). All operations require the parent account's authorization.
  • It is subordinate to the parent account and cannot own any resources. There is no independent metering and billing for sub-accounts.

Note:

  • Each resource has exactly one owner (the resource owner). The owner must be the parent account, which has all control rights to the resource.
  • The resource owner is not necessarily the resource creator. For example, when a sub-account is granted permission to create resources, the owner of the resources created by the sub-account is the parent account; in this case, the sub-account is the resource creator but not the resource owner.