Monitoring Temporary Security Credentials
Huawei Cloud records the call logs of all operations in Cloud Trace Service (CTS), so account administrators can trace who did what. When configuring a trust agency, the administrator can require that a custom string identifying the person or application operating on Huawei Cloud be passed when the agency is assumed. This string is stored in CTS as the source identity. When reviewing activities in CTS, the administrator uses the source identity to determine who assumed the trust agency to perform a given operation.
Once set, the source identity is included in every Huawei Cloud request processed during the assumed-agency session. If the AssumeAgency API is then used to assume another trust agency in an agency chain, the source identity is carried into each later session and cannot be changed along the way. Administrators can write identity policies that condition on whether a source identity is present and on its value, and so control which Huawei Cloud operations an assumed trust agency may perform. Whether to use source identity, and which values are acceptable, is up to you.
Permissions Required for Setting Source Identity Information
sts::setSourceIdentity
- For an IAM user to specify a source identity when assuming a trust agency, both the identity policy of the IAM user and the trust policy of the trust agency must grant the sts::setSourceIdentity permission.
- For an agency to specify a source identity when assuming another agency, both the identity policy of the agency initiating the assumption and the trust policy of the target agency must grant the sts::setSourceIdentity permission.
{
  "Version": "5.0",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "sts:agencies:assume",
      "sts::setSourceIdentity"
    ],
    "Condition": {
      "StringEquals": {
        "sts:SourceIdentity": [
          "${g:UserName}"
        ]
      }
    }
  }]
}
For details about the source identity information passed when you call the AssumeAgency API, see the source_identity description in Obtaining Temporary Security Credentials Through an Agency or Trust Agency.
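The policy above does more than permit setting a source identity: because the StringEquals condition applies to both actions in the statement, an assume without a source identity, or with someone else's name, is denied as well, and a later hop in an agency chain cannot rewrite the string. The following is an added example, not Huawei Cloud code: it models that behaviour locally (nothing here calls STS), the Session/assume_agency names and the AGENCY_POLICY used for the chain hop are this example's own constructions, and the evaluator implements only the StringEquals semantics the page relies on.

```python
"""Local model of the identity policy above and of the agency-chain rule for
source identity. Added example, not Huawei Cloud code: nothing here calls STS,
and the names below are this example's own."""
from dataclasses import dataclass
from typing import Optional

ASSUME = "sts:agencies:assume"
SET_SOURCE_IDENTITY = "sts::setSourceIdentity"

# Constructed copy of the identity policy shown above.
POLICY = {
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": [ASSUME, SET_SOURCE_IDENTITY],
        "Condition": {"StringEquals": {"sts:SourceIdentity": ["${g:UserName}"]}},
    }],
}

# Assumed identity policy of an agency that may hop onward (chain demo only).
AGENCY_POLICY = {"Version": "5.0",
                 "Statement": [{"Effect": "Allow", "Action": [ASSUME]}]}


@dataclass(frozen=True)
class Session:
    principal: str                  # who is acting in this session
    source_identity: Optional[str]  # None until set, then fixed for the chain


def expand(value: str, ctx: dict) -> str:
    """Expand ${key} policy variables such as ${g:UserName} from the request context."""
    for key, actual in ctx.items():
        value = value.replace("${" + key + "}", actual)
    return value


def policy_allows(policy: dict, action: str, ctx: dict) -> bool:
    """True if an Allow statement covers the action and every StringEquals
    condition matches. A condition key absent from the context (no source
    identity passed at all) makes StringEquals fail, hence deny."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(ctx.get(key) is not None
               and ctx[key] in [expand(v, ctx) for v in values]
               for key, values in conditions.items()):
            return True
    return False


def assume_agency(caller: Session, user_name: str, agency: str,
                  source_identity: Optional[str], policy: dict = POLICY) -> Session:
    """Model one AssumeAgency hop. user_name is what ${g:UserName} resolves to;
    source_identity is the request parameter (None if not passed)."""
    # Chain rule: once set, the source identity cannot be changed downstream.
    if caller.source_identity is not None:
        if source_identity not in (None, caller.source_identity):
            raise PermissionError("source identity is already set and cannot be changed")
        effective = caller.source_identity
    else:
        effective = source_identity

    ctx = {"g:UserName": user_name}
    if effective is not None:
        ctx["sts:SourceIdentity"] = effective
    if not policy_allows(policy, ASSUME, ctx):
        raise PermissionError(f"{ASSUME} denied for {caller.principal}")
    # Setting the string on the first hop needs its own permission.
    if caller.source_identity is None and source_identity is not None \
            and not policy_allows(policy, SET_SOURCE_IDENTITY, ctx):
        raise PermissionError(f"{SET_SOURCE_IDENTITY} denied for {caller.principal}")
    return Session(f"assumed-agency:{agency}/{user_name}", effective)


def outcome(*args, **kwargs) -> str:
    """Run assume_agency and report 'allowed' or 'denied'."""
    try:
        assume_agency(*args, **kwargs)
        return "allowed"
    except PermissionError:
        return "denied"


def demo() -> dict:
    """The cases an administrator should check before trusting the setup."""
    alice = Session("iam-user:alice", None)
    hop1 = assume_agency(alice, "alice", "agencyA", "alice")
    hop2 = assume_agency(hop1, "agencyA", "agencyB", None, policy=AGENCY_POLICY)
    return {
        "own_name": hop1.source_identity,                                  # "alice"
        "no_source_identity": outcome(alice, "alice", "agencyA", None),   # "denied"
        "someone_elses_name": outcome(alice, "alice", "agencyA", "bob"),  # "denied"
        "chained": hop2.source_identity,                                  # "alice"
        "chain_rewrite": outcome(hop1, "agencyA", "agencyB", "mallory",
                                 policy=AGENCY_POLICY),                   # "denied"
    }
```

The two denials in demo() are the point of binding sts:SourceIdentity to ${g:UserName}: a user can only ever tag a session with their own name, and a forgotten source_identity parameter fails closed rather than producing an unattributed session in CTS.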
Viewing Source Identity Information in CTS
In the CTS trace of an operation performed through a trust agency, the passed string appears as user.session_context.source_identity. The user.type value AssumedAgency and the principal_urn identify the assumed-agency session; the source identity ties that session back to the person or application that started it. Example trace for a DeleteUserV5 call:
{
  "api_version": "v5",
  "code": "204",
  "account_id": "xxxxxx",
  "event_type": "global",
  "message": "xxxxxx",
  "operation_id": "DeleteUserV5",
  "project_id": "xxxxxx",
  "read_only": false,
  "request_id": "xxxxxx",
  "resource_account_id": "xxxxxx",
  "resource_id": "xxxxxx",
  "resource_name": "xxxxxx",
  "resource_type": "user",
  "service_type": "IAM",
  "source_ip": "xxx.xxx.xxx.xxx",
  "trace_id": "xxxxxx",
  "trace_name": "deleteUserV5",
  "trace_rating": "normal",
  "trace_type": "ApiCall",
  "tracker_name": "system",
  "user_agent": "xxxxxx",
  "is_consistent": true,
  "user": {
    "access_key_id": "xxxxxx",
    "account_id": "xxxxxx",
    "domain": {
      "id": "xxxxxx",
      "name": "xxxxxx"
    },
    "name": "xxxxxx/test",
    "principal_id": "xxxxxx:name",
    "principal_urn": "sts::xxxxxx:assumed-agency:test/name",
    "session_context": {
      "assumed_by": {
        "principal_id": "xxxxxx"
      },
      "attributes": {
        "created_at": "xxxxxx",
        "mfa_authenticated": "false"
      },
      "source_identity": "IAM User A"
    },
    "type": "AssumedAgency"
  },
  "response": "null",
  "time": xxxxxx,
  "record_time": xxxxxx
}
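When reviewing such traces in bulk, the useful questions are "which person was behind each assumed-agency operation" and "which assumed-agency operations carry no source identity at all". The following is an added example, not part of the Huawei Cloud documentation or of any CTS tooling: it works over a constructed list of trace records shaped like the one above (abbreviated to the fields it uses, with a made-up user.type value for a direct IAM user call), and it assumes the principal_urn tail has the form agency-name/session-name, as the sample above suggests.

```python
"""Attribute CTS traces of assumed-agency sessions to the source identity that
started them. Added example with constructed records; it reads a list rather
than calling the CTS API, and the function names are this example's own."""
from typing import Dict, List, Optional

# Constructed CTS traces, trimmed to the fields used here. "IAMUser" for a
# direct user call is an assumed value, not taken from the page.
SAMPLE_TRACES = [
    {"operation_id": "DeleteUserV5", "service_type": "IAM", "resource_type": "user",
     "resource_name": "svc-reporting", "source_ip": "203.0.113.10",
     "user": {"type": "AssumedAgency", "name": "123456/ops-agency",
              "principal_urn": "sts::123456:assumed-agency:ops-agency/session-1",
              "session_context": {"source_identity": "IAM User A",
                                  "attributes": {"mfa_authenticated": "false"}}}},
    {"operation_id": "CreateAccessKeyV5", "service_type": "IAM", "resource_type": "credential",
     "resource_name": "svc-reporting", "source_ip": "198.51.100.7",
     "user": {"type": "AssumedAgency", "name": "123456/ops-agency",
              "principal_urn": "sts::123456:assumed-agency:ops-agency/session-2",
              # no source_identity: this session cannot be tied to a person
              "session_context": {"attributes": {"mfa_authenticated": "false"}}}},
    {"operation_id": "ListUsersV5", "service_type": "IAM", "resource_type": "user",
     "resource_name": "", "source_ip": "192.0.2.5",
     "user": {"type": "IAMUser", "name": "alice"}},
]


def agency_from_urn(urn: str) -> str:
    """'sts::123456:assumed-agency:ops-agency/session-1' -> 'ops-agency'.
    Assumes the URN tail is agency-name/session-name."""
    tail = urn.rsplit(":", 1)[-1]
    return tail.split("/", 1)[0]


def attribute(traces: List[dict]) -> List[dict]:
    """One row per assumed-agency operation: what was done, through which
    agency, by which source identity, from where, with or without MFA."""
    rows = []
    for t in traces:
        user = t.get("user", {})
        if user.get("type") != "AssumedAgency":
            continue                      # direct principal calls are attributable already
        ctx = user.get("session_context", {})
        rows.append({
            "operation": t.get("operation_id"),
            "agency": agency_from_urn(user.get("principal_urn", "")),
            "source_identity": ctx.get("source_identity"),
            "mfa": ctx.get("attributes", {}).get("mfa_authenticated"),
            "source_ip": t.get("source_ip"),
            "resource": f'{t.get("resource_type")}:{t.get("resource_name")}',
        })
    return rows


def unattributed(traces: List[dict]) -> List[dict]:
    """Assumed-agency operations with no source identity. These are the ones
    to alert on: the agency was used, but CTS cannot say by whom."""
    return [r for r in attribute(traces) if not r["source_identity"]]


def by_source_identity(traces: List[dict]) -> Dict[str, List[Optional[str]]]:
    """Operations grouped by the person or application behind the session."""
    grouped: Dict[str, List[Optional[str]]] = {}
    for r in attribute(traces):
        grouped.setdefault(r["source_identity"] or "<none>", []).append(r["operation"])
    return grouped


if __name__ == "__main__":
    for row in attribute(SAMPLE_TRACES):
        print(row)
    print("unattributed:", [r["operation"] for r in unattributed(SAMPLE_TRACES)])
```

If the identity policies in the previous section are in place, unattributed() should return nothing for agencies assumed by IAM users; a non-empty result points at a principal whose policy still allows sts:agencies:assume without the sts:SourceIdentity condition.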