Configuring an Agency for an ECS

You can create an agency to delegate access to services offered by Huawei Cloud. This example shows how to create an agency and delegate permissions to Huawei Cloud Elastic Cloud Server (ECS), a scalable, on-demand provisioning cloud server.

Application Scenarios

Applications running on an ECS must provide security credentials to access Huawei Cloud services.

Applications can use long-term (such as username and password) or temporary credentials for access. Temporary credentials are more secure because they have a limited lifetime and are automatically rotated. To use temporary credentials to access Huawei Cloud resources, configure an agency with permissions delegated to the ECS where the applications are running, and the applications will get the temporary credential of the agency.

Figure 1 Obtaining a temporary credential

Click to enlarge

For example, configure an agency for the ECS to enable the applications running on an ECS to use a temporary credential to access a Huawei Cloud database. The ECS sends a request to get a temporary credential (AK/SK) from ECS metadata. The ECS metadata gets a temporary AK/SK of the agency from IAM and then returns the AK/SK to the ECS. The database allows access only after checking that the temporary credential sent from the ECS is valid.

Solution

Create an agency on the IAM console and specify the permissions and scope to delegate permissions to ECS. Configure the agency for the ECS where applications are running. Then the ECS will get a temporary credential of the agency to access resources based on the permissions assigned.

Create an agency with permissions delegated to ECS and select the permissions and scope for the agency.
Configure the created agency for the ECS. Only one agency can be configured for an ECS.
Obtain the temporary credential (AK/SK) of the agency to allow applications running on the ECS to access other Huawei Cloud resources based on the assigned permissions in the authorized scope.

Figure 2 ECS agency

Click to enlarge

Process Flow

Figure 3 Flowchart

Click to enlarge

Procedure

To allow applications running on an ECS to access resources in other Huawei Cloud services, do as follows:

Create an agency for ECS as the administrator.
1. Log in to the IAM console.
2. On the IAM console, choose Agencies from the navigation pane on the left, and click Create Agency on the displayed page.
3. Enter an agency name.
4. Select Cloud service for Agency Type and Elastic Cloud Server (ECS) and Bare Metal Server (BMS) for Cloud Service.
5. Select a validity period.
6. (Optional) Enter a description for the agency to facilitate identification.
7. Click Next.
8. Select the permissions to be assigned to the agency, click Next, and specify the authorization scope.
9. Click OK.
Configure the agency for the ECS as the administrator or an IAM user with ECS permissions.
- If there are no available ECSs, create one by referring to Purchasing an ECS. When configuring advanced settings, select the agency created in Step 1 from the drop-down list.
- If there are available ECSs, configure the created agency for an ECS as follows:
1. On the ECS console, click an ECS for which you want to configure the agency.
2. In the Management Information area, click .
3. Select the agency created in Step 1 from the drop-down list.
4. Click to complete the configuration.
Enable applications on the ECS to get a temporary credential.
Configure applications running on the ECS to call API Security Key (OpenStack Metadata API) to obtain the temporary credential (AK/SK) of the agency to access other Huawei Cloud services.
- URI
/openstack/latest/securitykey
- Method
Supports GET requests.
- Example
Linux:

curl http://169.254.169.254/openstack/latest/securitykey

Windows:

Invoke-RestMethod http://169.254.169.254/openstack/latest/securitykey

ECS automatically rotates temporary credentials to ensure that they are secure and valid.