Updated on 2026-04-23 GMT+08:00

Changing Passwords in Batches Using the COC Account Baselines

Scenarios

As the scale of enterprise cloud resources (such as ECS, RDS, GaussDB, and middleware) expands, several critical issues frequently arise: scattered credential management, inefficient manual password rotation, and security risks like password reuse or leakage, which lead to non-compliance with security standards.

Traditional manual password rotation suffers from significant drawbacks:

  • Managing multiple instances, accounts, and regions renders operations complex and prone to human error.
  • Inconsistent password strength and infrequent updates create severe security vulnerabilities.
  • The lack of centralized management and auditing makes it impossible to meet graded protection and internal control requirements.
  • The absence of a standardized process for batch updates on existing resources is excessively time-consuming and labor-intensive.

Solutions

Huawei Cloud COC account management offers a robust account baseline capability designed to automate batch password rotation for existing resources, ensuring unified management, security compliance, and O&M efficiency.

Core Principle: By creating an account baseline in the password rotation module of COC, you can filter target instances by resource type, account, or region, and define specific password rules and execution policies. The system then automates the batch rotation process while centrally managing passwords. This approach supports password-free login and provides comprehensive audit trails for full visibility.

Table 1 Advantages

| Dimension | Traditional Manual Password Rotation | Password Rotation for COC Accounts in Batches |
|---|---|---|
| Efficiency | Low, performed on a per-resource basis | High, batch execution in a few clicks |
| Security | Easy to leak and inconsistent strength | Unified strong password and centralized management |
| Compliance | No audit and difficult to trace | Full-process logs and auditable |
| Cost | High labor costs | Automation to reduce costs and human errors |
| Coverage | Limited and easy to miss | Unified coverage of multiple regions and resources |

Step 1: Creating an Application

If you have created an application and associated it with resources, skip this step.

  1. Log in to COC.
  2. In the navigation pane, choose Resources > Application and Resource Management.
  3. Click the Applications tab. Click Create Application.

    Figure 1 Creating an application

  4. Set Application Structure Type to Lightweight.
  5. Specify Application and Description. For example, set the application name to COC_01.
  6. Click OK.

    Figure 2 Creating an application

  7. Specify a component name, for example, COC_001, and click OK.

    Figure 3 Creating a component

  8. Configure the parameters for creating a group by referring to Table 2 and retain the preset values for the parameters that are not listed in the table.

    Table 2 Parameters for creating a group

    | Parameter | Example Value | Description |
    |---|---|---|
    | Group | COC_0001 | Specify the group name based on the naming rule. |
    | Cloud Service Provider | Huawei Cloud | Select the cloud service provider to which the target instance belongs. |
    | Region | CN North-Beijing4 | Select a region from the drop-down list. |
    | Resource Association Method | Manual association | Select a resource association method. |
    | Associate with Resource | coc-xxxx | Manually select the resources whose passwords need to be changed and associate them with the group. |

    Figure 4 Creating a group

  9. Click OK.
  10. Click OK.

Step 2: Configuring a Key

Use the key from DEW to encrypt passwords. COC connects only to DEW deployed in the AP-Singapore region. The key of this region is used to encrypt and decrypt data on hosts in all regions.

  1. In the navigation pane, choose Resource O&M > Automated O&M.
  2. In the Routine O&M area, click Account Management.
  3. On the displayed page, click Keys.

    Figure 5 Going to the key management page

  4. Click Bind Key.
  5. In the key list, select the key to be bound and click OK.

    If no key is available, click Create Key to switch to the DEW service page. For details, see Creating a Key. After the key is created, go to the Bind Key or Update Key page and click the icon on the right to update the key list.

  6. In the displayed dialog box, click OK.

Step 3: Creating an Account Baseline

Create an account baseline based on service requirements. The created baseline is a component baseline. You can add baseline accounts and components to the component baseline.

  1. Go to the Account Management page.
  2. Click Change Account Password.
  3. On the displayed page, click Create Account Baseline.
  4. Set account baseline information by referring to Table 3.

    Table 3 Parameters for creating an account baseline

    | Parameter | Example Value | Description |
    |---|---|---|
    | Baseline Name | Practice | Specify the baseline name based on naming rules. |
    | Baseline Type | Component Baseline | Account baseline type, which cannot be changed. |
    | Baseline Accounts | Linux; root user; Read-only account | Enter the account type, account name, and account level. WARNING: Exercise caution when entering the account name. Once an account name is submitted, the system automates its password rotation. Note: The account used in the service code to connect to the database cannot be specified in this module. After the password is changed, the service cannot connect to the database. |
    | Associated Components | COC_001 | Select the required applications or components. If you select an application, all components of the application are automatically selected. Associated components can be deleted. |

  5. Click OK.

    After the account baseline is created, the system automatically changes the passwords of all resources under the associated components set in step 4.
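
A pre-check for the warning in Table 3, as an added example that is not part of the original page or of COC: it scans service configuration text for the accounts a service uses to log in to its database and reports any that are also planned baseline accounts. The file paths, config contents, and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample service configuration (hypothetical paths and values).
SAMPLE_CONFIGS = {
    "orders/app.env": "DB_URL=postgresql://orders_rw:EXAMPLE@10.0.0.12:5432/orders\n",
    "billing/application.properties": (
        "spring.datasource.url=jdbc:mysql://10.0.0.20:3306/billing\n"
        "spring.datasource.username=root\n"
    ),
    "reports/settings.ini": "# user=root (old)\nuser = report_ro\n",
}

# key = value lines that name a login, e.g. username=..., DB_USER: ...
USER_KEY = re.compile(r"^\s*[\w.\-]*user(?:name)?\s*[=:]\s*['\"]?([^'\"\s#]+)", re.I)
# scheme://user[:password]@host URLs, optionally prefixed with "jdbc:"
DSN = re.compile(r"(?:jdbc:)?([a-z][a-z0-9+.\-]*://[^\s'\"]+)", re.I)

def db_accounts(text):
    """Return the account names a config text uses to log in to a database."""
    found = set()
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";", "//")):
            continue  # commented-out settings are not live credentials
        m = USER_KEY.match(line)
        if m:
            found.add(m.group(1))
        for url in DSN.findall(line):
            user = urlsplit(url).username
            if user:
                found.add(user)
    return found

def baseline_conflicts(baseline_accounts, configs):
    """Map each planned baseline account to the config files that log in with it."""
    wanted = {a.lower() for a in baseline_accounts}
    hits = {}
    for path, text in configs.items():
        for user in db_accounts(text):
            if user.lower() in wanted:
                hits.setdefault(user.lower(), []).append(path)
    return hits

if __name__ == "__main__":
    for account, paths in baseline_conflicts(["root", "orders_rw"], SAMPLE_CONFIGS).items():
        print(f"do not add {account!r} to the baseline: used by {', '.join(sorted(paths))}")
```

An empty result means none of the scanned files log in with a planned baseline account; accounts injected at runtime from a secret store are outside what this check sees.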

Step 4: Checking Password Change Result

After the password is automatically changed, you can view the password change result in the password change history area.

  1. Click Accounts.
  2. Enter the name of the resource to be viewed in the search box and press Enter.
  3. Locate the target resource and choose More > Password Change History in the Operation column.

    Figure 6 Viewing password change history

  4. On the displayed page, check the password change result of the corresponding account, such as the password change status, failure cause, and change time.
  5. Locate the target account and click Obtain Password in the Operation column to view the new password.

    Figure 7 Viewing the account password
    Figure 8 Viewing the account password