Help Center> Cloud Eye> FAQ> Server Monitoring> Agent Obtaining a Temporary AK/SK by Authorization
View PDF

Agent Obtaining a Temporary AK/SK by Authorization

To use the server monitoring function more securely and efficiently, the latest Agent authorization method is provided in the CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, and CN South-Guangzhou regions. That is, before installing Agents in those regions, you only need to click Configure on the Server Monitoring page of the Cloud Eye console or select cesgency for Agency in Advanced Options when buying an ECS, the system automatically performs temporary AK/SK authorization for the Agents installed on all ECSs or BMSs in the region. And in the future, newly created ECSs or BMSs in this region will automatically get this authorization. This section describes the authorization as follows:

  1. Authorization object

    On the Cloud Eye console, if you choose Server Monitoring > Elastic Cloud Server (or Bare Metal Server, selecting an ECS (or BMS), and click One-Click Restore, the system automatically creates an agency named cesagency on IAM. This agency is automatically granted to Cloud Eye internal account op_svc_ces.

    If the system displays a message indicating that you not have the permission, obtain the permission by referring to What Can I Do If the System Displays a Message Indicating Insufficient Permission When I Click Configure on the Server Monitoring Page?.

  2. Authorization scope

    Add the CES Administrator permission to internal account op_svc_ces in the region.

  3. Authorization reason

    The Cloud Eye Agent runs on ECSs or BMSs and reports the collected monitoring data to Cloud Eye. After being authorized, the Agent automatically obtains a temporary AK/SK. As a result, you can use the Cloud Eye console or APIs to query the ECS or BMS monitoring data.

    1. Security: The temporary AK/SK used by the Agent is only of the CES Administrator permissions.
    2. Convenient: You only need to configure the Cloud Eye Agent once in each region instead of manually configuring each Agent.
  4. If cesagency cannot be found on the IAM Agencies page after authorization, you can manually create it on the IAM console. For details about how to create an agency, see Creating an Agency (by a Delegating Party).
    • The name of the agency to be created must be cesagency.
    • If Agency Type is set to Common account, Delegated Account must be op_svc_ces.
Parent topic: Server Monitoring