Updated on 2025-07-18 GMT+08:00

Authorizing Access to Cloud Assets

CBH is integrated with Key Management Service (KMS), Cloud Secret Management Service (CSMS), Elastic Cloud Server (ECS), and Relational Database Service (RDS), making it easier for you to use credentials managed by your bastion host.

Description

  • After you complete the authorization for an asset module, CBH has the following permissions for the corresponding service:
    • CSMS: CBH has the permissions needed to query your credential list in CSMS. You can select credentials as resource accounts on your CBH instance.

      For secrets invoked through the bastion host, the account and password must comply with Key specifications. For details about how to create a secret, see Data Encryption Workshop - Cloud Secret Management Service.

      Example:

      username:root

      password:*****

    • KMS: CBH has the permissions needed to use KMS APIs to obtain credentials in CSMS. You can use the obtained credentials to log in to the hosts managed by your CBH instance.
    • ECS: CBH has the permissions needed to query your ECS list. You can synchronize your ECS list to the host list in CBH in just a few clicks.
    • RDS: CBH has the permissions needed to query your RDS instance list. You can synchronize your RDS instance list to the host list in CBH in just a few clicks.
  • After you authorize CBH to access KMS, CSMS, ECS, and RDS, it takes about 10 minutes for your bastion host to obtain the delegation tokens.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner on the displayed page and select a region.
  3. Click in the upper left corner of the page and choose Security & Compliance > Cloud Bastion Host to go to the CBH instance management console.
  4. Click Cloud Asset Authorization in the upper right corner.
  5. In the displayed dialog box, switch to in the Operation column to enable the authorization.
  6. For details about how to add a resource account, see Creating a Resource Account and Associating It with the Corresponding Resource.