- What's New
- Function Overview
- Service Overview
- Getting Started
- User Guide
- Best Practices
- API Reference
- SDK Reference
-
FAQs
- Must I Use an IAM User (Sub Account) to Configure Transfer on CTS and Perform Operations on an OBS Bucket?
- What Information Is on the Trace List?
- How Will CTS Be Affected If My Account Balance Is Insufficient?
- What Are the Recommended Users of CTS?
- What Will Happen If I Have Enabled Trace Transfer But Have Not Configured an Appropriate Policy for an OBS Bucket?
- Does CTS Support Integrity Verification of Trace Files?
- Why Are There Some Null Fields on the View Trace Page?
- Why Is an Operation Recorded Twice in the Trace List?
- What Services Are Supported by Key Event Notifications?
- How Can I Store Trace Files for a Long Time?
- Why Are user and source_ip Null for Some Traces with trace_type as SystemAction?
- How Do I Find Out Who Created a Specific ECS?
- How Do I Find Out the Login IP Address of an IAM User?
- Why Are Two deleteMetadata Traces Generated When I Buy an ECS in Pay-per-Use or Yearly/Monthly?
- What If I Cannot Query Traces?
- Can I Disable CTS?
- How Do I Make the Log Retention Period 180 Days?
- What Can I Do If a Tracker Cannot Be Created on the CTS Console?
- What Should I Do If I Cannot Enable CTS as an IAM User?
- How Do I Enable Alarm Notifications for EVS?
- Can I Receive Duplicate Traces?
- What Should I Do If I Fail to Transfer Data to an OBS Bucket Authorized by a Key of Another Tenant?
- Does the cts_admin_trust Agency Include OBS Authorization?
- Does CTS Record ECS Creation Failures?
- Glossary
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Service Overview
- Getting Started
- Querying Traces
- Management Trackers
- Data Trackers
- Application Examples
- Trace References
- Cross-Tenant Transfer Authorization
- Verifying Trace File Integrity
- Auditing
- Permissions Management
- Supported Services and Operations
-
FAQs
- Must I Use an IAM User (Sub Account) to Configure Transfer on CTS and Perform Operations on an OBS Bucket?
- What Information Is on the Trace List?
- How Will CTS Be Affected If My Account Balance Is Insufficient?
- What Are the Recommended Users of CTS?
- What Will Happen If I Have Enabled Trace Transfer But Have Not Configured an Appropriate Policy for an OBS Bucket?
- Does CTS Support Integrity Verification of Trace Files?
- Why Are There Some Null Fields on the View Trace Page?
- Why Is an Operation Recorded Twice in the Trace List?
- What Services Are Supported by Key Event Notifications?
- How Can I Store Trace Files for a Long Time?
- Why Are user and source_ip Null for Some Traces with trace_type as SystemAction?
- How Do I Find Out Who Created a Specific ECS?
- How Do I Find Out the Login IP Address of an IAM User?
- Why Are Two deleteMetadata Traces Generated When I Buy an ECS?
- What If I Cannot Query Traces?
- Can I Disable CTS?
- How Do I Enable Alarm Notifications for EVS?
- Can I Receive Duplicate Traces?
- Does CTS Record ECS Creation Failures?
- API Reference (ME-Abu Dhabi Region)
-
User Guide (Paris)
- Service Overview
- Getting Started
- Querying Traces
- Management Trackers
- Application Examples
- Trace References
- Cross-Tenant Transfer Authorization
- Verifying Trace File Integrity
- Auditing
- Permissions Management
- Supported Services and Operations
-
FAQs
- Must I Use an IAM User (Sub Account) to Configure Transfer on CTS and Perform Operations on an OBS Bucket?
- How Will CTS Be Affected If My Account Balance Is Insufficient?
- What Are the Recommended Users of CTS?
- What Will Happen If I Have Enabled Trace Transfer But Have Not Configured an Appropriate Policy for an OBS Bucket?
- Does CTS Support Integrity Verification of Trace Files?
- Why Are There Some Null Fields on the View Trace Page?
- Why Is an Operation Recorded Twice in the Trace List?
- What Services Are Supported by Key Event Notifications?
- How Can I Store Trace Files for a Long Time?
- Why Are user and source_ip Null for Some Traces with trace_type as SystemAction?
- How Do I Find Out Who Created a Specific ECS?
- How Do I Find Out the Login IP Address of an IAM User?
- Why Are Two deleteMetadata Traces Generated When I Buy an ECS?
- What If I Cannot Query Traces?
- Can I Disable CTS?
- How Do I Enable Alarm Notifications for EVS?
- Can I Receive Duplicate Traces?
- Does CTS Record ECS Creation Failures?
- API Reference (Paris)
-
User Guide (Kuala Lumpur Region)
- Service Overview
- Getting Started
- Querying Traces
- Management Trackers
- Trackers
- Organization Trackers
- Application Examples
- Trace References
- Cross-Tenant Transfer Authorization
- Verifying Trace File Integrity
- Auditing
- Permissions Management
- Supported Services and Operations
-
FAQs
- Must I Use an IAM User (Sub Account) to Configure Transfer on CTS and Perform Operations on an OBS Bucket?
- What Information Is on the Trace List?
- How Will CTS Be Affected If My Account Balance Is Insufficient?
- What Are the Recommended Users of CTS?
- What Will Happen If I Have Enabled Trace Transfer But Have Not Configured an Appropriate Policy for an OBS Bucket?
- Does CTS Support Integrity Verification of Trace Files?
- Why Are There Some Null Fields on the View Trace Page?
- Why Is an Operation Recorded Twice in the Trace List?
- What Services Are Supported by Key Event Notifications?
- How Can I Store Trace Files for a Long Time?
- Why Are user and source_ip Null for Some Traces with trace_type as SystemAction?
- How Do I Find Out Who Created a Specific ECS?
- How Do I Find Out the Login IP Address of an IAM User?
- Why Are Two deleteMetadata Traces Generated When I Buy an ECS?
- What If I Cannot Query Traces?
- Can I Disable CTS?
- How Do I Enable Alarm Notifications for EVS?
- Can I Receive Duplicate Traces?
- Does CTS Record ECS Creation Failures?
- API Reference (Kuala Lumpur Region)
-
User Guide (ME-Abu Dhabi Region)
- Videos
- General Reference
Copied.
Cross-Tenant Transfer Authorization
Scenario
To centrally manage management traces, you can configure the management tracker to transfer the traces of multiple accounts to the same OBS bucket. This topic describes how to configure cross-tenant transfer.
Procedure
- Tenant B logs in to the management console.
NOTE:
- Tenant A is the account for which you want to configure cross-tenant transfer, and tenant B is the account where the OBS bucket resides.
- OBS does not support cross-region transfer. Currently, OBS buckets must be located in the same region of different tenants.
- Click
in the upper left corner to select the desired region and project.
- Click
in the upper left corner and choose Storage > Object Storage Service.
- In the navigation pane, choose Buckets. In the bucket list, click the name of the desired bucket. The Objects page is displayed.
- In the navigation pane, choose Permissions > Bucket Policy.
- In the upper right corner of the page, select JSON and click Edit, and grant permissions to tenant A in the following format.
{ "Statement": [{ "Sid": "xxxx", "Effect": "Allow", "Principal": { "ID": [ "domain/{{domainId}}:agency/*" ] }, "Action": [ "PutObject", "PutObjectAcl" ], "Resource": [ "{{bucketName}}/*" ] }, { "Sid": "xxxxx1", "Effect": "Allow", "Principal": { // After the OBS bucket permission of tenant B is granted to all sub-users of tenant A, the sub-users of tenant A can configure cross-tenant transfer. "ID": [ "domain/{{domainId}}:user/*" ] // For a federated user, after the OBS bucket permission of tenant B is granted to a specified identity provider of tenant A, the login federated user can configure cross-tenant transfer. If no federated users are involved, delete this line. "Federated": "domain/{{domainId}}:identity-provider/{{provider-name}}" }, "Action": [ "HeadBucket" ], "Resource": [ "{{bucketName}}" ] } ] }
Table 1 Bucket policy parameters Parameter
Description
Sid
ID of a statement. The value is a string that describes the statement.
Action
Actions which a statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. CTS requires only three actions: "PutObject", "PutObjectAcl", and "HeadBucket".
Effect
Whether the permission in a statement is allowed or denied. The value is Allow or Deny.
Principal
Tenant A is authorized to use the bucket policy. You can obtain the domain ID on the My Credential page. Principal format:
- "domain/account ID: agency/*" (indicating all agencies of tenant A)
- "domain/account ID: user/*" (indicating all sub-users of tenant A)
Resource
Specifies a group of resources on which the statement takes effect. The wildcard (*) is supported, indicating all resources. bucketName/* and bucketName are required when cross-account transfer is configured.
- Click Save.
- If bucket encryption is configured for the OBS bucket of tenant B and the encryption key type is custom, you need to authorize tenant A in Data Encryption Workshop (DEW).
NOTE:
You are advised to use a custom key when configuring encryption for buckets of different tenants. Otherwise, the default OBS key of tenant A may be used, which may cause tenant B to fail to download transferred files.
- Tenant A logs in to the management console.
- Click
in the upper left corner to select the desired region and project.
- Click
in the upper left corner and choose > Cloud Trace Service. The CTS console is displayed.
- Choose Tracker List in the left navigation pane.
- Locate a data tracker and click Configure in the Operation column.
- Select Yes for Transfer to OBS. If OBS Bucket Account is set to Other users, you need to enter the name of the bucket used for transfer.
- Click OK to complete the tracker configuration.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot