All Products
Search
Document Center

Bastionhost:CreateUser

Last Updated:Nov 27, 2024

Adds a user to a bastion host.

Operation description

You can call the CreateUser operation to add local users, Resource Access Management (RAM) users, Active Directory (AD)-authenticated users, or Lightweight Directory Access Protocol (LDAP)-authenticated users to a bastion host. After a Bastionhost administrator adds a user to a bastion host, O&M engineers can log on to the bastion host as the user to perform O&M operations on the hosts that the user is authorized to manage.

You can call this operation up to 10 times per second per account. If the number of the calls per second exceeds a limit, throttling is triggered. As a result, your business may be affected. We recommend that you take note of the limits when you call this operation.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
yundun-bastionhost:CreateUsercreate
*All Resources
*
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
InstanceIdstringYes

The ID of the bastion host to which you want to add a user.

Note You can call the DescribeInstances operation to query the bastion host ID.
bastionhost-cn-st220aw****
RegionIdstringNo

The region ID of the bastion host to which you want to add a user.

Note For more information about the mapping between region IDs and region names, see Regions and zones.
cn-hangzhou
SourcestringYes

The type of the user that you want to add. Valid values:

  • Local: a local user.
  • Ram: a RAM user.
  • AD: an AD-authenticated user.
  • LDAP: an LDAP-authenticated user.
local
UserNamestringYes

The logon name of the user that you want to add. The logon name must be 1 to 128 characters in length and can contain only letters, digits, and underscores (_).

abc_def
PasswordstringNo

The logon password of the user that you want to add. The logon password must be 8 to 128 characters in length. It must contain uppercase letters, lowercase letters, digits, and special characters.

Note This parameter is required if Source is set to Local.
213****
DisplayNamestringNo

The display name of the user that you want to add. The display name can be up to 128 characters in length.

Note If you leave this parameter empty, the logon name is used as the display name.
Bob
CommentstringNo

The remarks of the user that you want to add. The remarks can be up to 500 characters in length.

comment
EmailstringNo

The email address of the user that you want to add.

Note
  • This parameter is required if TwoFactorStatus is set to Enable and TwoFactorMethods is set to email, or if TwoFactorStatus is set to Global and TwoFactorMethods is set to email in the global two-factor authentication settings.

  • You can call the GetInstanceTwoFactor operation to query the global two-factor authentication settings.

username@example.com
MobilestringNo

The mobile phone number of the user that you want to add.

Note
  • This parameter is required if TwoFactorStatus is set to Enable and TwoFactorMethods is set to sms or dingtalk, or if TwoFactorStatus is set to Global and TwoFactorMethods is set to sms or dingtalk in the global two-factor authentication settings.

  • You can call the GetInstanceTwoFactor operation to query the global two-factor authentication settings.

1359999****
SourceUserIdstringNo

The unique ID of the user that you want to add.

Note
  • This parameter uniquely identifies a RAM user of the bastion host. This parameter is required if Source is set to Ram. You can call the ListUsers operation in RAM to obtain the unique ID of the user from the UserId response parameter.

  • This parameter is required if Source is set to AD or LDAP. Specify the distinguished name (DN) of the Active Directory (AD)-authenticated user or Lightweight Directory Access Protocol (LDAP)-authenticated user that you want to add.

122748924538****
MobileCountryCodestringNo

The location where the mobile phone number of the user is registered. Default value: CN. Valid values:

  • CN: the Chinese mainland, whose international dialing code is +86.
  • HK: Hong Kong (China), whose international dialing code is +852.
  • MO: Macao (China), whose international dialing code is +853.
  • TW: Taiwan (China), whose international dialing code is +886.
  • RU: Russia, whose international dialing code is +7.
  • SG: Singapore, whose international dialing code is +65.
  • MY: Malaysia, whose international dialing code is +60.
  • ID: Indonesia, whose international dialing code is +62.
  • DE: Germany, whose international dialing code is +49.
  • AU: Australia, whose international dialing code is +61.
  • US: US, whose international dialing code is +1.
  • AE: United Arab Emirates, whose international dialing code is +971.
  • JP: Japan, whose international dialing code is +81.
  • GB: UK, whose international dialing code is +44.
  • IN: India, whose international dialing code is +91.
  • KR: Republic of Korea, whose international dialing code is +82.
  • PH: Philippines, whose international dialing code is +63.
  • CH: Switzerland, whose international dialing code is +41.
  • SE: Sweden, whose international dialing code is +46.
  • SA: Saudi Arabia, whose international dialing code is +966.
CN
EffectiveStartTimelongNo

The start time of the validity period of the user. Specify a UNIX timestamp. Unit: seconds.

1669630029
EffectiveEndTimelongNo

The end time of the validity period of the user. Specify a UNIX timestamp. Unit: seconds.

1672502400
NeedResetPasswordbooleanNo

Specifies whether password reset is required upon the next logon. Valid values:

  • true
  • false
Note If you leave this parameter empty, the default value false is used.
true
TwoFactorStatusstringNo

Specifies whether two-factor authentication is enabled for the user. Valid values:

  • Global: The global settings apply.
  • Disable: Two-factor authentication is disabled.
  • Enable: Two-factor authentication is enabled and user-specific settings apply.
Note If you leave this parameter empty, the default value Global is used.
Enable
TwoFactorMethodsstringNo

The two-factor authentication method. You can select only one method. Valid values:

  • sms: text message-based two-factor authentication.
  • email: email-based two-factor authentication.
  • dingtalk: DingTalk-based two-factor authentication.
  • totp OTP: one-time password (OTP) token-based two-factor authentication.
Note If TwoFactorStatus is set to Enable, you must select one of the preceding values for TwoFactorMethods.
["sms"]
LanguageStatusstringNo

Specifies whether to send notifications in the language specified in the global settings or a custom language.

  • Global
  • Custom
Note If you leave this parameter empty, the default value Global is used.
Custom
LanguagestringNo

This parameter is required if LanguageStatus is set to Custom. Valid values:

  • zh-cn: simplified Chinese.
  • en: English.
en

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common request parameters.

For more information about sample requests, see Sample requests.

Response parameters

ParameterTypeDescriptionExample
object

The response data.

UserIdstring

The ID of the user that is added.

1
RequestIdstring

The request ID.

EC9BF0F4-8983-491A-BC8C-1B4DD94976DE

Examples

Sample success responses

JSONformat

{
  "UserId": "1",
  "RequestId": "EC9BF0F4-8983-491A-BC8C-1B4DD94976DE"
}

Error codes

HTTP status codeError codeError messageDescription
400InvalidParameterThe argument is invalid.The argument is invalid.
400UserAlreadyExistsThe user already exists.The user already exists.
500InternalErrorAn unknown error occurred.An unknown error occurred.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2024-02-28The Error code has changed. The request parameters of the API has changedView Change Details