Updated on 2023-11-03 GMT+08:00

Credential Management

Introduction

MAS can manage, query, and access Huawei Cloud resources across accounts with an IAM agency or AK/SK.

Creating a Credential

  1. Log in to the MAS console, go to the Credential Management page, and click Create Credential.
  2. Configure the credential.

    Figure 1 Creating a credential
    Table 1 Credential parameters

    Parameter            Description
    Name                 Customize a credential name.
    Cloud                Select Huawei Cloud.
    Credential Type      Options: IAM agency or IAM AK/SK.
    Delegating Account   Required if Credential Type is set to IAM agency.
    Delegate Name        Required if Credential Type is set to IAM agency. If no agency is available, create one by referring to Creating an Agency (by a Delegating Party).
    AK                   Required if Credential Type is set to IAM AK/SK. For details, see Access Keys.
    SK                   Required if Credential Type is set to IAM AK/SK.
    Enterprise Project   Select an enterprise project.
    Description          Enter a description of the credential.

  3. Click Validate Credential. If the validation fails, check the configurations.
  4. Click OK.

Deleting a Credential

  1. Log in to the MAS console and go to the Credential Management page.
  2. Click Delete in the row that contains a target credential.
  3. Click OK to delete the credential.

Application Scenarios

Others can create an agency to delegate their resource management permissions to you. In this way, you can create a credential on MAS based on the agency, and use the credential to query and invoke resources under other accounts.

The following uses Account A (you) and Account B (another user) as an example:

  1. Account B creates an agency that delegates IAM and RDS permissions to Account A. For account security, grant the agency only the permissions it needs (the minimum permissions shown below). For details, see Creating an Agency (by a Delegating Party).
    • The minimum permissions required by IAM:
    {
    	"Version": "1.1",
    	"Statement": [{
    		"Action": [
    			"iam:projects:listProjects"
    		],
    		"Effect": "Allow"
    	}]
    }
    • The minimum permissions required by RDS:
    {
    	"Version": "1.1",
    	"Statement": [{
    		"Action": [
    			"rds:instance:list"
    		],
    		"Effect": "Allow"
    	}]
    }
  2. Account A creates a credential by referring to Creating a Credential, sets Credential Type to IAM agency, and configures Delegating Account and Delegate Name as set in step 1.
  3. Account A creates a namespace. The Default Credential of the primary multi-active area is Current Account Credential, and the Default Credential of the secondary multi-active area is the credential created in step 2.
  4. To access Account B's RDS resources, Account A performs the steps described in Creating a Data Source, sets Deployment Mode to the secondary multi-active area created in step 3, sets Mode to RDS, and confirms that Credential is the one created in step 2.
  5. IAM users under Account A can be granted permission to operate resources under Account B by attaching the following policy. For details, see Permissions Management.
    {
    	"Version": "1.1",
    	"Statement": [{
    		"Effect": "Allow",
    		"Action": [
    			"iam:tokens:assume"
    		]
    	}]
    }
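As an added example (not part of the Huawei Cloud documentation), the following Python reviews an agency policy document in the Version 1.1 format shown in step 1 against the minimum permission set this scenario needs, reporting required actions that are missing and Allow statements that grant more than the minimum (wildcards or actions outside the set). The required-action set is taken from the two step 1 policies; the sample over-broad policy and the trailing-wildcard matching rule are assumptions made for the example.

```python
import json

# Minimum actions this scenario needs (taken from the two policies in step 1).
REQUIRED_ACTIONS = {"iam:projects:listProjects", "rds:instance:list"}

# Constructed sample: an over-broad agency policy a reviewer might be handed.
SAMPLE_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Action": ["iam:projects:listProjects"], "Effect": "Allow"},
        {"Action": ["rds:*"], "Effect": "Allow"},
    ],
})


def action_matches(pattern: str, action: str) -> bool:
    """Match a policy action pattern such as 'rds:*' against a concrete action.
    Only a trailing '*' wildcard is handled here (assumption for this example)."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def review_policy(policy_json: str, required=REQUIRED_ACTIONS) -> dict:
    """Return which required actions the policy grants, which are missing,
    and which Allow entries grant more than the minimum."""
    policy = json.loads(policy_json)
    if policy.get("Version") != "1.1":
        raise ValueError("expected a Version 1.1 policy document")
    granted, excessive = set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in stmt.get("Action", []):
            matched = {a for a in required if action_matches(pattern, a)}
            granted |= matched
            # A wildcard, or an exact action outside the minimum set, is an over-grant.
            if "*" in pattern or not matched:
                excessive.append(pattern)
    return {
        "granted": sorted(granted),
        "missing": sorted(required - granted),
        "excessive": excessive,
    }


if __name__ == "__main__":
    print(json.dumps(review_policy(SAMPLE_POLICY), indent=2))
```

Run it against the policy attached to the agency before validating the credential; an empty "excessive" list and an empty "missing" list means the agency matches the minimum set.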