IAM
The IAM service lets you control access to your infrastructure in K2 Cloud. In particular, you can enable two-factor authentication for stronger protection of accounts, delegate administration rights for specific resources to users, and restrict users to only certain types of cloud resources. Connecting an external Identity Provider (IdP) lets you manage access to cloud resources centrally by assigning privileges to groups instead of configuring each user individually.
Attention
For security reasons, we strongly recommend using the administrator account only for work in the IAM section. For all other cloud services, use additional accounts created without the rights to administer IAM, so that day-to-day operations are performed with least privilege.
User actions in the IAM section are logged by the Activity Log service.
IAM service migration
User rights are now assigned through policies and groups instead of roles (for details, see the Policies and groups section). Existing users and roles were migrated to the new scheme automatically, following the rules below.
Role migration
Predefined roles have been replaced by policies or groups with an equivalent set of rights. The mapping between the former roles and the new policies/groups is shown in the table.
Role template | Analogue | Policy/group name
---|---|---
Auto Scaling administrator | Group | AutoScalingAdministrators
Backup administrator | Group | BackupAdministrators
Backup operator | Group | BackupOperators
Cloud administrator | Group | CloudAdministrators
CloudTrail administrator | Group | ActivityLogAdministrators
DNSaaS administrator | Group | Route53Administrators
Kubernetes EBS Provider User | Policy | EKSCSIPolicy
Kubernetes administrator | Policy | EKSFullAccess
ELB administrator | Group | ELBAdministrators
PaaS backup user | Policy | PaaSBackupPolicy
PaaS administrator | Policy | PaaSFullAccess
Public user | n/a | n/a
Storage administrator | Group | ObjectStorageAdministrators
Viewer | Group | InstanceViewers
VM administrator | Group | InstanceAdministrators
If you had custom roles, a policy was created for each of them, named in the following format:
# Original role name can be seen in the policy description
role-<normalized_role_name>
User migration
If a user had rights to the IAM or billing service, that user is added to the corresponding global group.
If a user had rights in a particular project, the widest possible subsets of those rights that match existing groups and policies are selected from the user's full set of rights. The user is then granted rights as follows:
the user is added to the predefined project group;
the user is assigned the custom policy that was created during role migration (if any);
the user is assigned a predefined policy.
If any of the user's rights are still not covered, a new policy is created from them and assigned to the user. The policy name looks like this:
# Full user login can be seen in the policy description
user-<index>-<normalized_user_login>
If the user was responsible for PaaS service backups, the PaaSBackupPolicy is assigned to that user in the relevant projects. The special user holding the Kubernetes EBS Provider User role is assigned the EKSCSIPolicy in the relevant projects.
Identity Provider group migration
If an Identity Provider group had rights to the IAM or billing service, that group is added to the corresponding IAM global groups.
If an Identity Provider group had rights in a project, they are distributed among the existing groups and policies as follows:
the Identity Provider group is added to the predefined IAM project group;
the Identity Provider group is assigned a predefined policy.
If any rights remain that cannot be covered by an existing group or policy, a policy containing those rights is created and assigned to the Identity Provider group. The policy name looks like this:
# Original Identity Provider group name can be seen in the policy description
ad-group-<index>-<normalized_identity_provider_group_name>
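The following Python script models the migration rules from the User migration and Identity Provider group migration sections so you can check what a legacy principal ends up with. It is an added example, not K2 Cloud's migration code: the group and policy names come from the role-migration table, but the permission actions attached to them are constructed sample data (the page does not list policy contents), the normalization of names in the `role-…`, `user-…` and `ad-group-…` patterns is assumed (lower-case, non-alphanumeric runs collapsed to `-`), and the function and type names are the example's own. The check a practitioner wants from any such migration is also included: the union of rights granted after migration must equal the original rights exactly, so nothing is lost and nothing is escalated.

```python
"""Model of the IAM role/user/IdP-group migration rules (added example, not K2 Cloud code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Names are taken from the role-migration table; the permission actions are
# CONSTRUCTED sample data, not the real policy contents.
PREDEFINED: Dict[str, tuple] = {
    "InstanceAdministrators":      ("group",  {"ec2:Describe", "ec2:Run", "ec2:Terminate", "ec2:Reboot"}),
    "InstanceViewers":             ("group",  {"ec2:Describe"}),
    "ObjectStorageAdministrators": ("group",  {"s3:List", "s3:Get", "s3:Put", "s3:Delete"}),
    "ELBAdministrators":           ("group",  {"elb:Describe", "elb:Create", "elb:Delete"}),
    "PaaSFullAccess":              ("policy", {"paas:DescribeBackups", "paas:CreateBackup",
                                               "paas:CreateCluster", "paas:DeleteCluster"}),
    "PaaSBackupPolicy":            ("policy", {"paas:DescribeBackups", "paas:CreateBackup"}),
}


def normalize(name: str) -> str:
    """ASSUMED normalization for the <normalized_...> placeholders (page does not define it)."""
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")


@dataclass
class Migration:
    groups: List[str] = field(default_factory=list)           # predefined project groups joined
    policies: List[str] = field(default_factory=list)         # predefined policies attached
    custom_policies: List[str] = field(default_factory=list)  # role-<...> policies from custom roles
    new_policy: Optional[str] = None                          # residual policy created, if any
    residual: Set[str] = field(default_factory=set)           # rights placed in new_policy


def migrate_principal(kind: str, name: str, rights: Set[str],
                      custom_roles: Optional[Dict[str, Set[str]]] = None,
                      index: int = 1) -> Migration:
    """kind is "user" or "idp_group"; rights are the principal's legacy rights in one project.
    custom_roles maps a custom role name to its rights (users only, per the page)."""
    remaining = set(rights)
    out = Migration()
    # Widest match first: try the largest predefined right-sets before smaller ones, and
    # only take a group/policy whose rights are entirely covered (never grant more).
    for pname, (ptype, perms) in sorted(PREDEFINED.items(), key=lambda kv: -len(kv[1][1])):
        if perms <= remaining:
            (out.groups if ptype == "group" else out.policies).append(pname)
            remaining -= perms
    # Custom roles were turned into role-<normalized_role_name> policies during role migration.
    for role, perms in (custom_roles or {}).items():
        if perms and perms <= remaining:
            out.custom_policies.append(f"role-{normalize(role)}")
            remaining -= perms
    # Whatever is left becomes a per-principal policy, named by principal kind.
    if remaining:
        prefix = "user" if kind == "user" else "ad-group"
        out.new_policy = f"{prefix}-{index}-{normalize(name)}"
        out.residual = remaining
    return out


def effective_rights(m: Migration, custom_roles: Optional[Dict[str, Set[str]]] = None) -> Set[str]:
    """Union of rights the migrated principal holds; must equal the legacy rights exactly."""
    rights: Set[str] = set()
    for pname in m.groups + m.policies:
        rights |= PREDEFINED[pname][1]
    for role, perms in (custom_roles or {}).items():
        if f"role-{normalize(role)}" in m.custom_policies:
            rights |= perms
    return rights | m.residual


if __name__ == "__main__":
    # Constructed sample: a VM administrator who also held a custom role and one stray right.
    custom = {"Snapshot Operator": {"ec2:CreateSnapshot", "ec2:DeleteSnapshot"}}
    legacy = {"ec2:Describe", "ec2:Run", "ec2:Terminate", "ec2:Reboot",
              "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "vpc:Describe"}
    m = migrate_principal("user", "j.doe@corp.example", legacy, custom)
    print(m)
    assert effective_rights(m, custom) == legacy, "migration changed the user's rights"
```

Running the script shows the user landing in InstanceAdministrators, receiving the role-snapshot-operator policy, and getting a residual policy named user-1-j-doe-corp-example that holds only vpc:Describe; the final assertion is the no-loss, no-escalation check you should run against real migration output as well.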