Identity and Access Management (IAM)
Identity and Access Management (IAM) is the authentication, authorization, and accounting (AAA) subsystem of the Eucalyptus private cloud software that:
- Manages user identities
- Enforces access controls over resources
- Provides reporting on resource usage as a basis for auditing and managing cloud activities
By default, Eucalyptus stores all identities and policies in the local Cloud Controller (CLC) database; identity data can also be pulled from LDAP or Active Directory. The user identity organizational model and the authorization scheme are compatible with AWS Identity and Access Management, with some Eucalyptus extensions that support private clouds.
Eucalyptus also features significant enhancements to its resource access controls (RAC). These allow Eucalyptus cloud administrators to fine-tune user and group management and to expose details of cloud usage throughout an enterprise.
RAC features in Eucalyptus include an implementation of the Amazon Web Services (AWS) Identity and Access Management (IAM) API and new service-level management mechanisms that let customers apply additional control over groups of users. To ease integration with existing data center software infrastructure, Eucalyptus can also automatically map identities from enterprise LDAP and Active Directory (AD) servers to Eucalyptus accounts, groups, and users.
Identity & Access Management (IAM) Roles in Eucalyptus 3.4 (slated for General Availability in October 2013) allow you to delegate access to Eucalyptus cloud resources without sharing security credentials with every entity that needs access to a resource. An IAM role defines a set of permissions that a user or application needs in order to access resources, but those permissions are not attached to an IAM user or group. Instead, IAM users, applications, or services programmatically assume the role and act with its permissions.
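The following is an added example, not code from Eucalyptus or AWS, that models the two ideas above: the AWS-compatible policy document format and its evaluation rules (default deny, explicit Deny overrides Allow, wildcard action and resource matching) that group and user policies use, and a role that carries a trust policy (who may call sts:AssumeRole) separately from the permission policy it grants. It is deliberately simplified (no Condition, NotAction, or Eucalyptus-specific extensions), and the account id, user names, role name, and bucket are constructed for illustration.

```python
"""Simplified evaluator for AWS-IAM-style policy documents (added example).

Models the policy language Eucalyptus IAM is compatible with: Statement,
Effect, Action, Resource; default deny; an explicit Deny beats any Allow.
Condition, NotAction and Eucalyptus extensions are intentionally omitted.
"""
import fnmatch
import json

ACCOUNT = "123456789012"  # constructed account id, not a real one


def _as_list(v):
    """Policy fields may be a single string or a list; normalize to a list."""
    return v if isinstance(v, list) else [v]


def _matches(patterns, value, fold=False):
    """IAM '*' and '?' wildcards map onto fnmatch. Actions compare
    case-insensitively (fold=True); resources compare exactly."""
    if fold:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for action on resource under all policies.
    Default is Deny; an explicit Deny statement wins over any Allow."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not _matches(stmt["Action"], action, fold=True):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny: stop immediately
            allowed = True
    return "Allow" if allowed else "Deny"


def can_assume(role, principal_arn):
    """Check the role's trust policy: may this principal call sts:AssumeRole?"""
    for stmt in _as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if (stmt["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(stmt["Action"])
                and principal_arn in principals):
            return True
    return False


# Constructed group policy: read-only EC2 plus RunInstances, with an explicit
# deny on termination that cannot be overridden by the earlier Allow.
GROUP_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:TerminateInstances"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ]
}

# Constructed role: the trust policy names who may assume it; the permission
# policy is attached to the role, not to any user or group.
ROLE = {
    "RoleName": "backup-worker",
    "AssumeRolePolicyDocument": {
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:user/alice"]},
            "Action": "sts:AssumeRole",
        }]
    },
    "Policies": [{
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::backups/*",
        }]
    }],
}


def demo():
    """Evaluate a few requests as a group member, then via the role."""
    alice = f"arn:aws:iam::{ACCOUNT}:user/alice"
    bob = f"arn:aws:iam::{ACCOUNT}:user/bob"
    obj = "arn:aws:s3:::backups/db.tgz"
    results = {
        "user describes instances": evaluate([GROUP_POLICY], "ec2:DescribeInstances", "*"),
        "user terminates instance": evaluate([GROUP_POLICY], "ec2:TerminateInstances", "*"),
        "user reads backup directly": evaluate([GROUP_POLICY], "s3:GetObject", obj),
        "alice may assume role": can_assume(ROLE, alice),
        "bob may assume role": can_assume(ROLE, bob),
    }
    if results["alice may assume role"]:
        # After AssumeRole the caller acts with the role's permissions only.
        results["alice via role reads backup"] = evaluate(ROLE["Policies"], "s3:GetObject", obj)
        results["alice via role describes instances"] = evaluate(ROLE["Policies"], "ec2:DescribeInstances", "*")
    return results


if __name__ == "__main__":
    print(json.dumps(GROUP_POLICY, indent=2))   # the document you would upload
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to take from the output is that the role's permissions and the user's own permissions are disjoint sets: alice can read the backup object only after assuming backup-worker, and while acting as the role she loses her EC2 describe rights, which is exactly the least-privilege delegation roles are meant to provide.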