
Bastionhost: Use the multi-account management feature

Last Updated: Jul 08, 2024

Bastionhost allows you to manage the assets within multiple accounts in a centralized manner. If you have multiple Alibaba Cloud accounts, you can perform centralized O&M operations on the assets within these accounts by using a bastion host based on Resource Directory.

Account types in Resource Directory

Resource Directory (RD) supports the following types of accounts. For more information about RD, see Resource Directory overview.

  • Management account: After you use an Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and the folders and members in the resource directory.

  • Delegated administrator account: You can use the management account of a resource directory to specify a member in the resource directory as a delegated administrator account of a trusted service. The delegated administrator account can be used to access information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The delegated administrator account can also be used to manage resources within the resource directory.

  • Member: You can create a new resource account as a member in a resource directory. You can also invite an existing Alibaba Cloud account to join the resource directory as a member.

Import assets within multiple accounts

  • The assets of a member, such as Elastic Compute Service (ECS) and ApsaraDB RDS instances, can be imported to a bastion host within the management account or a delegated administrator account. The assets within the management account or a delegated administrator account cannot be imported to the bastion hosts of a member.

  • The bastion hosts within an account are not available to other accounts.

  • If your bastion host cannot communicate with the assets within another account over the internal network, you can connect the bastion host to the network of the assets by using Cloud Enterprise Network (CEN), VPN, public IP addresses, or the network domain feature of Bastionhost. This ensures the connectivity between the bastion host and the assets within multiple accounts.

    For more information about how to use the network domain feature, see Use the network domain feature.
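The import rules above can be expressed as a small policy check that a practitioner can run before configuring a bastion host. This is an added example, not Alibaba Cloud's own code; the account IDs are constructed, and the rule that an account outside the resource directory is never importable is an assumption drawn from the feature being based on Resource Directory.

```python
"""Added example: model the account rules for importing assets into a bastion host."""
from dataclasses import dataclass, field
from typing import Set, Tuple


@dataclass
class ResourceDirectory:
    """Minimal model of a resource directory (constructed, not an SDK object)."""
    management_account: str
    delegated_admins: Set[str] = field(default_factory=set)  # always a subset of members
    members: Set[str] = field(default_factory=set)

    def role_of(self, account: str) -> str:
        if account == self.management_account:
            return "management"
        if account in self.delegated_admins:
            return "delegated-admin"
        if account in self.members:
            return "member"
        return "outside"  # assumption: such an account is not importable at all


def can_import(rd: ResourceDirectory, bastion_owner: str, asset_owner: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for importing asset_owner's assets into a
    bastion host that belongs to bastion_owner, following the page's rules."""
    if bastion_owner == asset_owner:
        return True, "single-account import"
    bastion_role = rd.role_of(bastion_owner)
    asset_role = rd.role_of(asset_owner)
    if "outside" in (bastion_role, asset_role):
        return False, "both accounts must belong to the resource directory"
    if bastion_role == "member":
        # A member's bastion host can only hold that member's own assets.
        return False, "a member's bastion host cannot import other accounts' assets"
    if asset_role == "management":
        return False, "management account assets cannot be imported elsewhere"
    # Remaining case: member (incl. delegated admin) assets into a management
    # or delegated administrator bastion host.
    return True, f"{asset_role} assets into a {bastion_role} bastion host"


def audit(rd: ResourceDirectory, bastion_owner: str) -> Set[str]:
    """Set of accounts whose assets this bastion host may import."""
    candidates = {rd.management_account} | rd.members
    return {a for a in candidates if can_import(rd, bastion_owner, a)[0]}


if __name__ == "__main__":
    demo = ResourceDirectory("mgmt", {"dadmin"}, {"dadmin", "m1", "m2"})
    for owner in ("mgmt", "dadmin", "m1"):
        print(owner, sorted(audit(demo, owner)))
```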

Prerequisites

  • A resource directory is enabled. For more information, see Enable a resource directory.

  • A member exists in the resource directory.

  • If you use a RAM user to manage the assets within multiple accounts, make sure that the AliyunYundunBastionHostFullAccess and AliyunResourceDirectoryFullAccess policies are attached to the RAM user. For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

Procedure

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host for which you want to configure the multi-account management feature and choose Configuration > Multi-account Management.

  3. In the Multi-account Management panel, click Add Member Account.

  4. In the Add Member Account dialog box, select the members that you want to add and click OK.

What to do next

After you add members to a bastion host, you can import the assets of the members to the bastion host. For more information, see Add hosts or Use the database management feature.