How Does the Cloud Eye Agent Obtain a Temporary AK/SK by Authorization?
To enable you to use the server monitoring function more securely and efficiently, Cloud Eye provides the latest Agent permission-granting method. That is, before installing Agents, you only need to click Configure on the Server Monitoring page of the Cloud Eye console, or select cesgency for Agency in Advanced Options when buying an ECS, the system automatically performs temporary AK/SK authorization for the Agents installed on all ECSs or BMSs in the region. And in the future, newly created ECSs or BMSs in this region will automatically get this authorization. This section describes the authorization as follows:
- Authorization object
On the Cloud Eye console, if you choose Server Monitoring > Elastic Cloud Server (or Bare Metal Server), selecting an ECS (or BMS), and click One-Click Restore, the system automatically creates an agency named cesagency on IAM. This agency is automatically granted to Cloud Eye internal account op_svc_ces.
If the system displays a message indicating that you not have the required permission, obtain the permission by referring to What Can I Do If the System Displays a Message Indicating Insufficient Permissions When I Click Configure on the Server Monitoring Page?
- Authorization scope
Add the CES Administrator permission to internal account op_svc_ces in the region.
- Authorization reason
The Cloud Eye Agent runs on ECSs or BMSs and reports the collected monitoring data to Cloud Eye. After being authorized, the Agent automatically obtains a temporary AK/SK. As a result, you can use the Cloud Eye console or APIs to query the ECS or BMS monitoring data.
- Security: The AK/SK used by the Agent is only the temporary AK/SK that has the CES Administrator permissions. That is, the temporary AK/SK has only the permissions to operate Cloud Eye resources.
- Convenient: You only need to configure the Cloud Eye Agent once in each region instead of manually configuring each Agent.
- If cesagency cannot be found on the IAM Agencies page after authorization, you can manually create it on the IAM console. For details, see Creating an Agency (by a Delegating Party).
- The name of the agency to be created must be cesagency.
- If Agency Type is set to Common account, Delegated Account must be op_svc_ces.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.