Account Management

Account Management enables you to manage IAM identities within each namespace such as users, groups, and roles.

All IAM entities have a unique ID associated with them. Deleting an entity and re-creating one with the same name produces a new unique ID for the new entity.

Identities

Table 1. Identities
Field Description
Namespace root user
  • The namespace root user is an admin user in the namespace.
  • Only the namespace root user can access the ECS UI.
  • The namespace root user is the owner of the buckets and objects that are created by the IAM entities.
IAM user
  • An IAM user is a person or an application in the namespace that can interact with ECS resources.
  • An IAM user can belong to one or more IAM groups.
  • It is possible to create, view, modify, delete, and list IAM users in ECS using both API and UI.
  • IAM users cannot access the ECS UI.
IAM group
  • An IAM group is a collection of IAM users.
  • IAM groups do not nest and contain only IAM users.
  • IAM groups let you specify permissions for all the users in the group, which makes management easier.
  • Groups can be created and managed from both the UI and the API.
  • Tagging on groups is not supported.
IAM role
  • An IAM role is similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do.
  • An IAM role does not have any credentials associated with it.
  • An entity assumes a role by calling an API that provides it with temporary credentials to access a resource.
  • A federated user can assume an IAM role by authenticating with an external identity provider.
  • An IAM user can assume a role in the same or different account (cross-account access).
NOTE: IAM users and namespace root users access the S3 and IAM APIs using Access Keys. Access Keys are long-term credentials, each consisting of an access key ID and a secret access key. A user can have at most two Access Keys associated with it at any time.
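The two-key limit in the note above is what makes zero-downtime key rotation possible: a second key can be issued while the first is still in use, and the old one is retired once clients have switched. The following is an added example, not ECS code or part of the original page. The FakeIam class is a constructed in-memory stand-in for an IAM-compatible API client; its method names mirror the AWS-style CreateAccessKey / ListAccessKeys / DeleteAccessKey calls, and the rotation and staleness helpers are assumptions about how a practitioner would drive such a client.

```python
"""Access-key rotation under the two-keys-per-user limit (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

MAX_KEYS_PER_USER = 2  # limit stated on the page


@dataclass
class AccessKey:
    access_key_id: str
    secret_access_key: str
    created: datetime


class FakeIam:
    """Constructed stand-in for an IAM API client; keeps keys in memory only."""

    def __init__(self):
        self._keys = {}  # user name -> list[AccessKey], oldest first

    def list_access_keys(self, user: str):
        return list(self._keys.get(user, []))

    def create_access_key(self, user: str, now: Optional[datetime] = None) -> AccessKey:
        keys = self._keys.setdefault(user, [])
        if len(keys) >= MAX_KEYS_PER_USER:
            # Mirrors the service refusing a third key for the same user.
            raise RuntimeError("LimitExceeded: user already has two access keys")
        key = AccessKey(
            access_key_id="AKIA" + secrets.token_hex(8).upper(),  # constructed format
            secret_access_key=secrets.token_urlsafe(30),
            created=now or datetime.now(timezone.utc),
        )
        keys.append(key)
        return key

    def delete_access_key(self, user: str, access_key_id: str) -> None:
        keys = self._keys.get(user, [])
        self._keys[user] = [k for k in keys if k.access_key_id != access_key_id]


def rotate_access_key(iam, user: str, now: Optional[datetime] = None):
    """Issue a fresh key for `user`, retiring the oldest key only when the
    two-key limit would otherwise block the create call.

    Returns (new_key, deleted_key_id_or_None). The caller deploys new_key to
    the application; the remaining older key is retired on the next rotation,
    after traffic has moved over.
    """
    now = now or datetime.now(timezone.utc)
    existing = sorted(iam.list_access_keys(user), key=lambda k: k.created)
    deleted = None
    if len(existing) >= MAX_KEYS_PER_USER:
        deleted = existing[0].access_key_id
        iam.delete_access_key(user, deleted)
    new_key = iam.create_access_key(user, now)
    return new_key, deleted


def stale_keys(iam, user: str, max_age: timedelta, now: Optional[datetime] = None):
    """Return the IDs of keys older than max_age, for a key-hygiene report."""
    now = now or datetime.now(timezone.utc)
    return [k.access_key_id for k in iam.list_access_keys(user) if now - k.created > max_age]


def demo_rotation():
    """Walk one user through three rotations and report what happened."""
    iam = FakeIam()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    k1, d1 = rotate_access_key(iam, "app-svc", t0)
    k2, d2 = rotate_access_key(iam, "app-svc", t0 + timedelta(days=30))
    stale_before_third = stale_keys(iam, "app-svc", timedelta(days=45), t0 + timedelta(days=60))
    k3, d3 = rotate_access_key(iam, "app-svc", t0 + timedelta(days=60))
    remaining = {k.access_key_id for k in iam.list_access_keys("app-svc")}
    return {
        "deleted": [d1, d2, d3],
        "first_key": k1.access_key_id,
        "stale_before_third": stale_before_third,
        "remaining": remaining,
        "expected_remaining": {k2.access_key_id, k3.access_key_id},
    }


if __name__ == "__main__":
    print(demo_rotation())
```

The third rotation is the interesting one: both slots are full, so the helper retires the oldest key before creating the new one, and the user never exceeds two keys or drops to zero.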

Tagging IAM Entities (Users and Roles)

A tag is a label that you assign to a resource. Each tag consists of a key and an optional value, both of which you define. Custom attributes are added to users and roles using a tag key-value pair. These tags can be used to control an entity's access to resources, or to control which tags can be attached to an entity. Groups and policies cannot be tagged. You can apply the same tag to multiple entities, but multiple tags on one entity cannot have the same key. Fifty tags per IAM entity are allowed.
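The following is an added example, not ECS code or part of the original page. It encodes the tagging rules stated above (only users and roles are taggable, keys are unique per entity, at most fifty tags) as a request validator, and shows the kind of tag-match check that tag-based access control relies on. Two things are assumptions rather than page facts: that submitting a tag whose key already exists replaces the old value, and the shape of the access check, which compares one tag key on the principal against the same key on the resource.

```python
"""Tag-set validation and a tag-match access check for IAM users and roles
(constructed example; the merge and match semantics are assumptions)."""

MAX_TAGS_PER_ENTITY = 50          # limit stated on the page
TAGGABLE_TYPES = {"user", "role"}  # groups and policies cannot be tagged


class TagError(ValueError):
    """Raised when a tag request violates one of the page's rules."""


def validate_tag_request(tags):
    """Check a list of (key, value) pairs as a caller would submit them.

    Rejects empty keys and duplicate keys within one request; returns the
    request as a dict so later steps can work with it directly.
    """
    seen = {}
    for key, value in tags:
        if not isinstance(key, str) or not key:
            raise TagError("tag key must be a non-empty string")
        if key in seen:
            raise TagError(f"duplicate tag key in request: {key!r}")
        seen[key] = "" if value is None else str(value)  # value is optional
    return seen


def apply_tags(entity_type, current, new):
    """Return the tag set an entity would have after applying `new`.

    current: dict of the entity's existing tags (not mutated).
    Assumption: a new tag with an existing key replaces that key's value.
    """
    if entity_type not in TAGGABLE_TYPES:
        raise TagError(f"{entity_type} entities cannot be tagged")
    merged = dict(current)
    merged.update(validate_tag_request(new))
    if len(merged) > MAX_TAGS_PER_ENTITY:
        raise TagError(
            f"entity would have {len(merged)} tags; limit is {MAX_TAGS_PER_ENTITY}"
        )
    return merged


def tag_condition_matches(principal_tags, resource_tags, key):
    """Tag-based access pattern: allow only when the principal and the
    resource carry the same value for `key`. Missing tags never match, so
    an untagged principal gets no implicit access (assumed semantics)."""
    if key not in principal_tags or key not in resource_tags:
        return False
    return principal_tags[key] == resource_tags[key]


def demo_tagging():
    """Run the rules over constructed sample data and return the outcomes."""
    user_tags = apply_tags("user", {}, [("team", "storage"), ("env", "prod")])
    # Re-applying "team" replaces the value rather than adding a second key.
    user_tags = apply_tags("user", user_tags, [("team", "backup")])
    outcomes = {"user_tags": user_tags}
    try:
        apply_tags("group", {}, [("team", "storage")])
        outcomes["group_rejected"] = False
    except TagError:
        outcomes["group_rejected"] = True
    outcomes["access_same_team"] = tag_condition_matches(
        user_tags, {"team": "backup"}, "team")
    outcomes["access_other_team"] = tag_condition_matches(
        user_tags, {"team": "storage"}, "team")
    return outcomes


if __name__ == "__main__":
    print(demo_tagging())
```

The validator rejects a duplicate key inside a single request, while the merge step handles the other direction: a key that already exists on the entity is overwritten, so an entity can never end up with two tags sharing a key.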