Credential Management
Introduction
MAS can manage, query, and access cloud resources across accounts with an IAM agency or AK/SK.
Creating a Credential
- Log in to the MAS console, go to the Credential Management page, and click Create Credential.
- Configure the credential.
Figure 1 Creating a credential
Table 1 Credential parameters

| Parameter | Description |
| --- | --- |
| Name | Customize a credential name. |
| Cloud | Select Huawei Cloud. |
| Credential Type | Options: IAM agency, IAM AK/SK |
| Delegating Account | This is required if Credential Type is set to IAM agency. |
| Delegate Name | This is required if Credential Type is set to IAM agency. If no agency is available, create an agency by referring to Creating an Agency (by a Delegating Party). |
| AK | This is required if Credential Type is set to IAM AK/SK. For details, see Access Keys. |
| SK | This is required if Credential Type is set to IAM AK/SK. |
| Enterprise Project | Select an enterprise project. |
| Description | Enter the description information. |
- Click Validate Credential. If the validation fails, check the configurations.
- Click OK.
Deleting a Credential
- Log in to the MAS console and go to the Credential Management page.
- Click Delete in the row that contains a target credential.
- Click OK to delete the credential.
Application Scenarios
Others can create an agency to delegate their resource management permissions to you. In this way, you can create a credential on MAS based on the agency, and use the credential to query and invoke resources under other accounts.
The following uses Account A (you) and Account B (another user) as an example:
1. Account B creates an agency, then grants permissions of IAM and RDS to Account A. For account security, it is recommended to grant only the permissions required (minimum permissions) to agencies. For details, see Creating an Agency (by a Delegating Party).
   - The minimum permissions required by IAM:
     { "Version": "1.1", "Statement": [{ "Action": [ "iam:projects:listProjects" ], "Effect": "Allow" }] }
   - The minimum permissions required by RDS:
     { "Version": "1.1", "Statement": [{ "Action": [ "rds:instance:list" ], "Effect": "Allow" }] }
2. Account A creates a credential by referring to Creating a Credential, sets Credential Type to IAM agency, and configures the Delegating Account and Delegate Name as set in 1.
3. Account A creates a namespace. The Default Credential of the primary multi-active area is Current Account Credential and the Default Credential of the secondary multi-active area is the credential created in 2.
4. Account A then does as follows to obtain Account B's RDS resources: perform the steps described in Creating a Data Source, set Deployment Mode to the secondary multi-active area created in 3, set Mode to RDS, and confirm that the Credential is the one created in 2.
5. IAM users under Account A can be granted permissions to operate resources under Account B. For details, see Permissions Management.
   { "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": [ "iam:tokens:assume" ] }] }
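The following Python check is an added example, not part of the MAS documentation or Huawei Cloud tooling. It audits the policies attached to an agency against the minimum IAM and RDS permissions listed above, reporting wildcard actions, actions outside that set, and required actions that are missing. The function name, the over-broad sample policy, and the treatment of `*` as a wildcard inside action names are assumptions made for the example.

```python
import json
from fnmatch import fnmatchcase

# Minimum actions this page lists for the agency that Account B creates.
MINIMUM_ACTIONS = frozenset({"iam:projects:listProjects", "rds:instance:list"})

# The two minimum policies from the page, plus a constructed over-broad one.
IAM_MIN = '{"Version": "1.1", "Statement": [{"Action": ["iam:projects:listProjects"], "Effect": "Allow"}]}'
RDS_MIN = '{"Version": "1.1", "Statement": [{"Action": ["rds:instance:list"], "Effect": "Allow"}]}'
BROAD = ('{"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": '
         '["rds:*:*", "iam:projects:listProjects", "ecs:servers:list"]}]}')


def audit_agency_policies(policy_docs, allowed=MINIMUM_ACTIONS):
    """Return findings for the policies attached to one agency.

    An empty list means every allowed action is granted and nothing else is.
    """
    findings, granted = [], set()
    for p, doc in enumerate(policy_docs):
        for s, stmt in enumerate(json.loads(doc).get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue  # a Deny statement grants nothing
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            for action in actions:
                where = f"policy {p} statement {s}"
                if "*" in action:
                    # Assumption: '*' acts as a wildcard inside action names.
                    findings.append(f"{where}: wildcard action {action!r}")
                    granted |= {a for a in allowed if fnmatchcase(a, action)}
                elif action in allowed:
                    granted.add(action)
                else:
                    findings.append(f"{where}: {action!r} is outside the minimum set")
    findings += [f"missing required action {a!r}" for a in sorted(allowed - granted)]
    return findings


if __name__ == "__main__":
    for name, docs in [("minimal", [IAM_MIN, RDS_MIN]), ("broad", [BROAD])]:
        print(name, audit_agency_policies(docs) or "OK")
```

Run it on the delegating side (Account B) before handing the agency name to Account A, passing every custom policy attached to the agency in one call.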