Sharing a Private Zone Across Accounts

Overview

DNS can work with Resource Access Manager (RAM) to allow you to share your private zones to other accounts if you are the owner of these private zones. When a resource owner shares resources with your account and you accept the resource sharing invitation, you can access and use the shared resources as if they were your own resources in your account. Resource owners can select different permissions based on the principle of least privilege (PoLP) and service requirements, and principals can only access resources within their permissions. This improves resource security. For more information about RAM, see What Is Resource Access Manager?

If your account is managed by Huawei Cloud Organizations, you can enable sharing with Organizations to share resources more easily. If your account is in an organization, you can share resources either with individual accounts or with all accounts in the organization or in an organization unit (OU) without the need to enumerate each account. For details, see Enabling Sharing with Organizations.

Resource and Region Availability

Table 1 lists the resources that can be shared and regions where resource sharing is supported.

Constraints

• You cannot share a private zone that is shared with your account. Only resource owners can share the resources in their accounts with other accounts.
• To share a private zone with your organization or an OU, you need to enable sharing with Organizations on the Resource Access Manager console. For details, see Enabling Sharing with Organizations.
• A principal can accept up to 50 private zones from resource owners.
• A private zone that is no longer shared with you will not be displayed on the Shared with Me tab. If you have associated a VPC with that private zone, the private domain name can still be resolved within that VPC. To disassociate the VPC from the private zone, the account that shared the private zone needs to share the private zone with you again.

Creating a Share

1. Go to the Private Zones page.
2. Go to the Created by Me tab, locate the private zone you want to share, and click Share in the Operation column.
3. On the Create Resource Share page, specify the resource to be shared, configure permissions, and specify users as prompted.

   For details, see Creating a Resource Share.

   

   After an owner shares a private zone with a principal, the principal needs to accept the sharing within a specified period. For details, see Responding to a Resource Sharing Invitation.

Viewing Share Details

1. Go to the Private Zones page.
2. Go to the Shared with Me tab and view the private zones that are shared with your account.
   

   • If you are the owner of a shared private zone, you can view the shared private zone, permissions, and principals on the RAM management console. For details, see Viewing a Resource Share.
   • If you are a principal of a shared private zone, you can view the shared private zone, permissions, and resource owner on the RAM management console. For details, see Viewing Resources Shared with You.

Stopping a Share

• If a share is no longer needed, you can delete it at any time as the owner. Deleting a share does not delete the shared resources. After a share is deleted, the principals will no longer be able to use the shared resources. For details, see Deleting a Resource Share.
• If you are a principal and you do not need to access the shared resources, you can leave the resource share at any time. After you leave the resource share, you lose access to the shared resources.

  You can leave a resource share only if the resources were shared with you as an individual Huawei Cloud account and not as part of an organization. You cannot leave a resource share if you were added to it by an account inside your organization and sharing with Organizations is enabled. For details, see Leaving a Resource Share.

Operation Permissions on Shared Private Zones

Billing

N/A