Help Center> Cloud Trace Service> User Guide> Cross-Tenant Transfer Authorization
Updated on 2023-12-15 GMT+08:00
View PDF

Cross-Tenant Transfer Authorization

Scenario

To centrally manage management traces, you can configure the management tracker to transfer the traces of multiple accounts to the same OBS bucket. This topic describes how to configure cross-tenant transfer.

Procedure

  1. Tenant B logs in to the management console.
    • Tenant A is the account for which you want to configure cross-tenant transfer, and tenant B is the account where the OBS bucket resides.
    • OBS does not support cross-region transfer. Currently, OBS buckets must be located in the same region of different tenants.
  2. Click in the upper left corner to select the desired region and project.
  3. Click in the upper left corner and choose Storage > Object Storage Service.
  4. In the navigation pane, choose Buckets. In the bucket list, click the name of the desired bucket. The Objects page is displayed.
  5. In the navigation pane, choose Permissions > Bucket Policy.
  6. In the upper right corner of the page, select JSON and click Edit, and grant permissions to tenant A in the following format. A bucket policy is in JSON format. For details, see Bucket Policy Parameters.
    { 
     "Statement": [{ 
             "Sid": "xxxx", 
             "Effect": "Allow", 
             "Principal": { 
                 "ID": [ 
                     "domain/{{domainId}}:agency/*" 
                 ] 
             }, 
             "Action": [ 
                 "PutObject", 
                 "PutObjectAcl" 
             ], 
             "Resource": [ 
                 "{{bucketName}}/*" 
             ] 
         },
        {
            "Sid": "xxxxx1",
            "Effect": "Allow",
            "Principal": {
            // After the OBS bucket permission of tenant B is granted to all sub-users of tenant A, the sub-users of tenant A can configure cross-tenant transfer.
                "ID": [
                    "domain/{{domainId}}:user/*"  
                ]
            // For a federated user, after the OBS bucket permission of tenant B is granted to a specified identity provider of tenant A, the login federated user can configure cross-tenant transfer. If no federated users are involved, delete this line.
                "Federated": "domain/{{domainId}}:identity-provider/{{provider-name}}"
            },
            "Action": [
                "HeadBucket"
            ],
            "Resource": [
                "{{bucketName}}"
            ]
        }
    ] 
 }
    Table 1 Bucket policy parameters

    Parameter

    Description

    Sid

    ID of a statement. The value is a string that describes the statement.

    Action

    Actions which a statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. CTS requires only three actions: "PutObject", "PutObjectAcl", and "HeadBucket".

    Effect

    Whether the permission in a statement is allowed or denied. The value is Allow or Deny.

    Principal

    Tenant A is authorized to use the bucket policy. You can obtain the domain ID on the My Credential page. Principal format:

    • "domain/account ID: agency/*" (indicating all agencies of tenant A) For details, see Bucket Policy Parameters.
    • "domain/account ID: user/*" (indicating all sub-users of tenant A)

    Resource

    Specifies a group of resources on which the statement takes effect. The wildcard (*) is supported, indicating all resources. bucketName/* and bucketName are required when cross-account transfer is configured.
  7. Click Save.
  8. If bucket encryption is configured for the OBS bucket of tenant B and the encryption key type is custom, you need to authorize tenant A in Data Encryption Workshop (DEW). For details, see Creating a Grant.

    You are advised to use a custom key when configuring encryption for buckets of different tenants. Otherwise, the default OBS key of tenant A may be used, which may cause tenant B to fail to download transferred files.

  9. Tenant A logs in to the management console.
  10. Click in the upper left corner to select the desired region and project.
  11. Click in the upper left corner and choose Management & Governance > Cloud Trace Service. The CTS console is displayed.
  12. Choose Tracker List in the left navigation pane.
  13. Locate a data tracker and click Configure in the Operation column.
  14. Select Yes for Transfer to OBS. If OBS Bucket Account is set to Other users, you need to enter the name of the bucket used for transfer.
  15. Click OK to complete the tracker configuration.