Credential Management
Introduction
MAS can manage, query, and access cloud resources across accounts with an IAM agency or AK/SK.
Creating a Credential
- Log in to the MAS console, go to the Credential Management page, and click Create Credential.
- Configure the credential.
Figure 1 Creating a credential
Table 1 Credential parameters

| Parameter | Description |
| --- | --- |
| Name | Customize a credential name. |
| Cloud | Select Huawei Cloud. |
| Credential Type | Options: IAM agency, IAM AK/SK |
| Delegating Account | This is required if Credential Type is set to IAM agency. |
| Delegate Name | This is required if Credential Type is set to IAM agency. If no agency is available, create an agency by referring to Creating an Agency (by a Delegating Party). |
| AK | This is required if Credential Type is set to IAM AK/SK. For details, see Access Keys. |
| SK | This is required if Credential Type is set to IAM AK/SK. |
| Enterprise Project | Select an enterprise project. |
| Description | Enter the description information. |
- Click Validate Credential. If the validation fails, check the configurations.
- Click OK.
Deleting a Credential
- Log in to the MAS console and go to the Credential Management page.
- Click Delete in the row that contains a target credential.
- Click OK to delete the credential.
Application Scenarios
Others can create an agency to delegate their resource management permissions to you. In this way, you can create a credential on MAS based on the agency, and use the credential to query and invoke resources under other accounts.
The following uses Account A (you) and Account B (another user) as an example:
1. Account B creates an agency, then grants permissions of IAM and RDS to Account A. For account security, it is recommended to grant only the permissions required (minimum permissions) to agencies. For details, see Creating an Agency (by a Delegating Party).
   - The minimum permissions required by IAM:
     { "Version": "1.1", "Statement": [{ "Action": [ "iam:projects:listProjects" ], "Effect": "Allow" }] }
   - The minimum permissions required by RDS:
     { "Version": "1.1", "Statement": [{ "Action": [ "rds:instance:list" ], "Effect": "Allow" }] }
2. Account A creates a credential by referring to Creating a Credential, sets Credential Type to IAM agency, and configures the Delegating Account and Delegate Name as set in 1.
3. Account A creates a namespace. The Default Credential of the primary multi-active area is Current Account Credential and the Default Credential of the secondary multi-active area is the credential created in 2.
4. Account A then does as follows to obtain Account B's RDS resources: perform the steps described in Creating a Data Source, set Deployment Mode to the secondary multi-active area created in 3, set Mode to RDS, and confirm that the Credential is the one created in 2.
5. IAM users under Account A can be granted permissions to operate resources under Account B. For details, see Permissions Management.
   { "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": [ "iam:tokens:assume" ] }] }
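As an added example (not part of the MAS documentation), the following Python check compares the policies attached to Account B's agency against the minimum IAM and RDS actions listed above and reports any action granted beyond them, plus any required action that is not covered. The function name and the over-broad sample policy are constructed for illustration, and glob-style matching of `*` in action names is an assumption.

```python
import json
from fnmatch import fnmatchcase

# Minimum actions this page lists for the agency Account B creates.
REQUIRED = {"iam:projects:listProjects", "rds:instance:list"}

def audit_agency_policies(policy_docs, required=REQUIRED):
    """Return (excess, missing): granted actions beyond the minimum,
    and required actions that no Allow statement covers."""
    excess, covered = set(), set()
    for doc in policy_docs:
        for stmt in json.loads(doc).get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue  # a Deny statement cannot widen the grant
            actions = stmt.get("Action", [])
            if isinstance(actions, str):  # tolerate a single string
                actions = [actions]
            for action in actions:
                if action not in required:
                    excess.add(action)  # includes any wildcard pattern
                # Assumption: "*" in an action matches like a glob.
                covered |= {r for r in required if fnmatchcase(r, action)}
    return sorted(excess), sorted(required - covered)

# The two minimum policies shown on this page.
IAM_MIN = ('{"Version": "1.1", "Statement": [{"Action": '
           '["iam:projects:listProjects"], "Effect": "Allow"}]}')
RDS_MIN = ('{"Version": "1.1", "Statement": [{"Action": '
           '["rds:instance:list"], "Effect": "Allow"}]}')
# Constructed sample: an over-broad grant that should be flagged.
RDS_WIDE = ('{"Version": "1.1", "Statement": [{"Action": "rds:*:*", '
            '"Effect": "Allow"}]}')

if __name__ == "__main__":
    for label, docs in [("minimum", [IAM_MIN, RDS_MIN]),
                        ("wide", [IAM_MIN, RDS_WIDE])]:
        excess, missing = audit_agency_policies(docs)
        print(label, "excess:", excess, "missing:", missing)
```

An empty `excess` list means the agency grants nothing beyond what this scenario needs; a non-empty `missing` list means credential validation or resource listing is likely to fail.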