Updated on 2024-05-25 GMT+08:00

Disabling the Sub-account Permission to Read Keys for Key Protection

When many people manage a CAE environment, you can create sub-accounts under your cloud service account for employees in different departments, following your organizational structure, and grant each sub-account different access permissions so that user permissions stay isolated.

For example, you can create one account for development personnel and another for test personnel. Because test personnel do not need access to sensitive information, you can remove the test account's permission to obtain it.

This practice describes how to remove all DEW permissions and the CAE remote login permission from a sub-account so that the sub-user cannot read keys.

Creating a Custom Policy

  1. Log in to IAM.
  2. Choose Permissions > Policies/Roles.
  3. Click Create Custom Policy in the upper right corner.

    Figure 1 IAM console

  4. Configure a custom policy.

    • Policy Name: Enter cae-subuser.
    • Policy Content: Select Deny.
    • Select service: Select Cloud Application Engine.
    • Select Action: Select cae:application:createConsole.
    Figure 2 Creating a custom policy

  5. Click OK.

Creating a User Group and Assigning Permissions

  1. Choose User Groups and click Create User Group.

    Figure 3 Creating a user group

  2. Enter a user group name, for example, cae-test, and click OK.
  3. In the user group list, click cae-test.
  4. On the Permissions tab, click Authorization and select the custom policy created in Creating a Custom Policy.

    Figure 4 Authorizing a custom policy

  5. Click Next and set Scope to All resources.
  6. Click OK.

    Click Finish to go back to the User Groups page.
    Figure 5 User group authorized

  7. Click the Users tab.
  8. In the user list, select the sub-user whose permissions need to be configured and click OK.

    Figure 6 Configuring user management

Verifying Sub-user Permissions

  1. Log in to CAE as the sub-user selected in step 8 of Creating a User Group and Assigning Permissions.
  2. Perform operations such as Adding a Secret and Configuring an Environment Variable. These operations succeed as usual.
  3. Choose Instance List.
  4. Select the target instance and click Remote Login in the Operation column. Remote login is denied, so the secret details cannot be viewed.

    Figure 7 No remote login permission

  5. Click in the upper left corner. In the service list, choose Data Encryption Workshop to go to the DEW console.
  6. Choose Cloud Secret Management Service > Secrets. The secret details cannot be viewed.

    Figure 8 No DEW agency permission
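The cae-subuser Deny policy from Creating a Custom Policy, written out in the IAM JSON policy format, together with a small deny-overrides evaluator that reproduces the outcomes checked in Verifying Sub-user Permissions. This is an added example, not code from the page or from CAE; the Allow policy and the action names other than cae:application:createConsole are constructed placeholders, and the evaluator is a simplified model of IAM decision logic (explicit Deny beats Allow, otherwise default deny), not the service's implementation.

```python
"""Added example: deny-overrides evaluation of IAM-style policy documents."""
from fnmatch import fnmatchcase

# The Deny policy built in the console procedure (policy name cae-subuser).
# The action string is the one the page selects.
CAE_SUBUSER_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Deny", "Action": ["cae:application:createConsole"]},
    ],
}

# Constructed for illustration: a broad Allow standing in for whatever CAE
# permissions the test group also holds. The wildcard pattern is an assumption.
CAE_ALLOW_ALL = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["cae:*:*"]},
    ],
}

def evaluate(policies, action):
    """Return "Deny" or "Allow" for one action under deny-overrides rules.

    An explicit Deny in any statement wins over every Allow. An action that no
    statement allows is denied by default, which is why the test user has no
    DEW access even though no DEW-specific policy was written.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            if any(fnmatchcase(action, pattern) for pattern in actions):
                if stmt.get("Effect") == "Deny":
                    return "Deny"          # explicit deny: stop immediately
                if stmt.get("Effect") == "Allow":
                    allowed = True
    return "Allow" if allowed else "Deny"  # default deny

def test_user_decisions(policies=(CAE_ALLOW_ALL, CAE_SUBUSER_POLICY)):
    """Decisions for the kinds of actions exercised in the verification steps."""
    return {
        "cae:application:update": evaluate(policies, "cae:application:update"),  # constructed name
        "cae:application:createConsole": evaluate(policies, "cae:application:createConsole"),
        "dew:secret:read": evaluate(policies, "dew:secret:read"),  # constructed name, default deny
    }

if __name__ == "__main__":
    for act, decision in test_user_decisions().items():
        print(f"{act:32} -> {decision}")
```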