Cross-Tenant Transfer Authorization
Scenarios
To centrally manage management traces, you can configure the management tracker to transfer the traces of multiple accounts to one OBS bucket. This topic describes how to configure cross-tenant transfer.
Authorizing Cross-Tenant Transfer
- Tenant B logs in to the management console.
- Tenant A is the account for which you want to configure cross-tenant transfer, and tenant B is the account where the OBS bucket resides.
- OBS does not support cross-region transfer. Currently, OBS buckets must be located in the same region of different tenants.
- Click
in the upper left corner to select the desired region and project. - Click
in the upper left corner and choose Storage > Object Storage Service. - In the navigation pane, choose Buckets. In the bucket list, click the name of the desired bucket. The Objects page is displayed.
- In the navigation pane, choose Permissions > Bucket Policies.
- In the upper right corner of the page, select JSON and click Edit, and grant permissions to tenant A as follows. Set the italic parameters based on site requirements. Bucket policies are described in JSON format. For details, see Bucket Policy Parameters.
Bucket policies have different authorization objects based on tenant A's login modes. The login modes include logging in as a common user, logging in as a federated tenant, switching as an agency, and logging in as an IAM Identity Center user.
- When tenant A logs in to the console as a common user to configure a CTS tracker:
{ "Statement": [{ "Sid": "xxxx", "Effect": "Allow", "Principal": { "ID": [ "domain/Domain ID of tenant A:agency/cts_admin_trust" ] }, "Action": [ "PutObject" ], "Resource": [ "Example bucket name/*" ] }, { "Sid": "xxxx1", "Effect": "Allow", "Principal": { "ID": [ "domain/Domain ID of tenant A:user/*" ] }, "Action": [ "HeadBucket", "ListBucket" ], "Resource": [ "Example bucket name" ] } ] } - When tenant A logs in to the console as a federated tenant to configure a CTS tracker:
{ "Statement": [{ "Sid": "xxxx", "Effect": "Allow", "Principal": { "ID": [ "domain/Domain ID of tenant A:agency/cts_admin_trust" ] }, "Action": [ "PutObject" ], "Resource": [ "Example bucket name/*" ] }, { "Sid": "xxxx1", "Effect": "Allow", "Principal": { "Federated": [ "domain/Domain ID of tenant A:identity-provider/Provider name" ] }, "Action": [ "HeadBucket", "ListBucket" ], "Resource": [ "Example bucket name" ] } ] } - When a user switches to tenant A as an agency to configure the CTS tracker:
{ "Statement": [{ "Sid": "xxxx", "Effect": "Allow", "Principal": { "ID": [ "domain/Domain ID of tenant A:agency/cts_admin_trust" ] }, "Action": [ "PutObject" ], "Resource": [ "Example bucket name/*" ] }, { "Sid": "xxxx1", "Effect": "Allow", "Principal": { "ID": [ "domain/Domain ID of tenant A:agency/Agency name" ] }, "Action": [ "HeadBucket", "ListBucket" ], "Resource": [ "Example bucket name" ] } ] } - When tenant A logs in to the console as an IAM Identity Center user to configure a CTS tracker:
{ "Statement": [{ "Sid": "xxxx", "Effect": "Allow", "Principal": { "ID": [ "domain/Domain ID of tenant A:agency/cts_admin_trust" ] }, "Action": [ "PutObject" ], "Resource": [ "Example bucket name/*" ] }, { "Sid": "xxxx1", "Effect": "Allow", "Principal": { "ID": [ "domain/Domain ID of tenant A:agency/Agency name" ] }, "Action": [ "HeadBucket", "ListBucket" ], "Resource": [ "Example bucket name" ] } ] }
Table 1 Bucket policy parameters Parameter
Description
Sid
ID of a statement. The value is a string that describes the statement.
Action
Actions which a statement applies to. This parameter specifies a set of all the operations supported by OBS. Its values are case insensitive. CTS requires only two actions: PutObject and HeadBucket.
Effect
Whether the permission in a statement is allowed or denied. The value is Allow or Deny.
Principal
Tenant A is authorized to use the bucket policy. You can obtain the domain ID on the My Credential page. Principal formats:
- domain/Tenant A's account ID:agency/cts_admin_trust: indicates that permissions are granted to the cts_admin_trust agency of tenant A, allowing CTS to transfer logs to OBS buckets using the agency. For details, see Bucket Policy Parameters.
- domain/Account ID:user/*: indicates that permissions are granted to all users of tenant A.
- domain/Account ID:identity-provider/provider-name: indicates that permissions are granted to the specified identity provider of tenant A.
Resource
A group of resources on which the statement takes effect. The wildcard (*) is supported, indicating all resources. Example bucket name/* and Example bucket name are required for cross-account transfer.
- When tenant A logs in to the console as a common user to configure a CTS tracker:
- Click Save.
- If the OBS bucket of tenant B is encrypted using a custom key, you need to authorize tenant A in Data Encryption Workshop (DEW). For details, see Creating a Grant.
You are advised to use a custom key when configuring encryption for buckets of different tenants. Otherwise, the default OBS key of tenant A may be used. In this case, tenant B may fail to download transferred files.
- Tenant A logs in to the management console.
- Click
in the upper left corner to select the desired region and project. - Click
in the upper left corner and choose Management & Governance > Cloud Trace Service. The CTS console is displayed. - Choose Tracker List in the navigation pane.
- Locate a data tracker and click Configure in the Operation column.
- Select Yes for Transfer to OBS. If OBS Bucket Account is set to Other users, you need to enter the name of the bucket used for transfer.
- Click OK to complete the tracker configuration.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
