
Key Management Service:Integrate ECS secrets in Bastionhost

Last Updated:Apr 23, 2024

Elastic Compute Service (ECS) secrets that are managed in Key Management Service (KMS) are integrated into Bastionhost. After you save the account password or SSH key pair of an ECS instance as an ECS secret in KMS, you can import the ECS secret in Bastionhost. When Bastionhost establishes a remote connection to the ECS instance, Bastionhost retrieves the value of the ECS secret from KMS. You do not need to enter the account password or SSH key pair in Bastionhost. This topic describes how to establish a remote connection to an ECS instance in Bastionhost by using an ECS secret.

Overview

After you save the account password or SSH key pair of an ECS instance as an ECS secret in KMS, you only need to import the ECS secret in Bastionhost to log on to the ECS instance. You do not need to enter the account password or SSH key pair in Bastionhost. When you establish a remote connection to the ECS instance in Bastionhost, Bastionhost retrieves the value of the ECS secret from KMS in real time and uses it to log on to the ECS instance.

KMS allows you to configure automatic rotation for an ECS secret. Bastionhost retrieves the secret value of the ACSCurrent version from KMS in real time. Secret rotation does not affect the connection between Bastionhost and the ECS instance. For more information, see Overview.

The following figure shows how to establish a remote connection to an ECS instance in Bastionhost by using an ECS secret.

[Figure: workflow for connecting to an ECS instance in Bastionhost by using an ECS secret]

  1. A secret administrator creates an ECS secret in KMS.

  2. A Bastionhost administrator imports the ECS secret from KMS in Bastionhost.

  3. A Bastionhost O&M engineer initiates a remote connection request to the ECS instance.

  4. Bastionhost calls the ListSecrets and GetSecretValue operations of KMS to retrieve the value of the ECS secret from KMS in real time.

  5. Bastionhost uses the value of the ECS secret to log on to the ECS instance.

Usage notes

  • ECS secrets can be integrated only in Bastionhost Basic Edition and in Bastionhost Enterprise Edition V3.2.40 or later.

  • If you delete an ECS secret from KMS, Bastionhost cannot retrieve the value of the ECS secret. In this case, the system fails to connect to the ECS instance.

Prerequisites

  • ECS instances are imported to Bastionhost. For more information, see Import ECS instances.

  • If you use a Resource Access Management (RAM) user to manage ECS secrets and bastion hosts, the RAM user is granted the AliyunKMSSecretAdminAccess permission to manage KMS secrets and the AliyunYundunBastionHostFullAccess permission to manage bastion hosts. For more information, see Grant permissions to a RAM user.

Procedure

  1. Create an ECS secret in KMS. For more information, see Step 1: Create an ECS secret.

    1. Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, click Secrets.

    2. Click the ECS Secrets tab, select the required instance ID from the Instance ID drop-down list, and then click Create Secret. Then, configure the parameters and click OK.

      Parameter

      Description

      Secret Name

      The name of the secret.

      Managed Instance

      The existing ECS instance that you want to manage within your Alibaba Cloud account.

      Managed User

      The name of an existing user on the ECS instance, such as the root user for Linux operating systems or the Administrator user for Windows operating systems.

      Initial Secret Value

      The value cannot exceed 30,720 bytes in length, which is equivalent to 30 KB in size.

      • Password: the password of the user that is used to log on to the ECS instance.

      • Key Pair: the SSH key pair of the user that is used to log on to the ECS instance.

        Obtain an SSH key pair

        • An SSH key pair that is created in ECS

          • Private key: After you create an SSH key pair, the browser automatically downloads the private key file to your computer. The file is named <Key pair name>.pem. For more information, see Create an SSH key pair.

          • Public key: For more information about how to view a public key, see View public key information.

        • An automatically generated SSH key pair

          Save both the private key and the public key when you generate the key pair. For example, run the following ssh-keygen command to generate and save a 3072-bit Rivest-Shamir-Adleman (RSA) key pair in PEM format:

          ssh-keygen -t rsa -b 3072 -m PEM -f ~/.ssh/sshKey_demo -N ""

          The following files are generated:

          • ~/.ssh/sshKey_demo: contains the private key.

          • ~/.ssh/sshKey_demo.pub: contains the public key.

      Note

      Enter a valid secret value. If you enter an invalid secret value, the password or key pair that you retrieve from KMS cannot be used to log on to the ECS instance before the first time the ECS secret is rotated.

      CMK

      The key that is used to encrypt the secret.

      Important

      Your key and secret must belong to the same KMS instance. The key must be a symmetric key. For more information about the symmetric keys supported by KMS, see Key types and specifications.

      Tag

      The tag that you want to add to the secret. You can use tags to classify and manage secrets. A tag consists of a key-value pair.

      Note
      • A tag key or a tag value can be up to 128 characters in length and can contain letters, digits, forward slashes (/), backslashes (\), underscores (_), hyphens (-), periods (.), plus signs (+), equal signs (=), colons (:), and at signs (@).

      • A tag key cannot start with aliyun or acs:.

      • You can configure up to 20 key-value pairs for each secret.

      Automatic Rotation

      Specifies whether to enable automatic secret rotation.

      Rotation Period

      The interval of automatic secret rotation. This setting is required only when you select Enable Automatic Rotation. The value ranges from 1 hour to 365 days.

      KMS periodically updates the secret based on the value of this parameter.

      Description

      The description of the secret.

      Advanced Settings

      The policy settings of the secret.

      • Default Policy: If the secret is used by the current Alibaba Cloud account or the Alibaba Cloud account in a resource share, select Default Policy.

        • If the KMS instance is not shared with other accounts, only the current Alibaba Cloud account can manage and use the secret.

        • If the KMS instance is shared with other accounts, the supported operations vary. For example, Alibaba Cloud Account 1 shares an instance named KMS Instance A with Alibaba Cloud Account 2.

          • Secrets created by Alibaba Cloud Account 1: Only Alibaba Cloud Account 1 can manage and use the secrets.

          • Secrets created by Alibaba Cloud Account 2: Both Alibaba Cloud Account 1 and Alibaba Cloud Account 2 can manage and use the secrets.

      • Custom Policy: If you want to grant permissions to a Resource Access Management (RAM) user, RAM role, or other accounts to use the secret, select Custom Policy.

        Important
        • Administrators and users do not consume Access Management Quota. Cross-account users consume Access Management Quota of the KMS instance, and the consumed quota is calculated based on the number of Alibaba Cloud accounts. If you revoke the permissions, wait approximately 5 minutes and then query the quota; the consumed quota is restored.

        • When you use a secret, you must have the permission to use the required key to decrypt the secret.

        • An administrator can manage the secret but cannot retrieve the secret value. You can select RAM users and RAM roles within the current Alibaba Cloud account.

          Permissions supported by administrators

          {
              "Statement": [
                  {
                      "Action": [
                          "kms:List*",
                          "kms:Describe*",
                          "kms:PutSecretValue",
                          "kms:Update*",
                          "kms:DeleteSecret",
                          "kms:RestoreSecret",
                          "kms:RotateSecret",
                          "kms:TagResource",
                          "kms:UntagResource"
                      ]
                  }
              ]
          }
        • A user can retrieve the secret value. You can select RAM users and RAM roles within the current Alibaba Cloud account.

          Permissions supported by users

          {
              "Statement": [
                  {
                      "Action": [
                          "kms:List*",
                          "kms:Describe*",
                          "kms:GetSecretValue"
                      ]
                  }
              ]
          }
        • A cross-account user can retrieve the secret value. You can select RAM users and RAM roles within other Alibaba Cloud accounts.

          • RAM user: The name of the RAM user is in the acs:ram::<userId>:user/<ramuser> format. Example: acs:ram::119285303511****:user/testpolicyuser.

          • RAM role: The name of the RAM role is in the acs:ram::<userId>:role/<ramrole> format. Example: acs:ram::119285303511****:role/testpolicyrole.

          Note

          After you grant permissions to a RAM user or RAM role, you must use the Alibaba Cloud account of the RAM user or RAM role to authorize the RAM user or RAM role to use the secret in RAM. Then, the RAM user or RAM role can use the secret.

          For more information, see Use RAM to manage access to KMS resources, Grant permissions to a RAM user, and Grant permissions to a RAM role.

          Permissions supported by cross-account users

          {
              "Statement": [
                  {
                      "Action": [
                          "kms:List*",
                          "kms:Describe*",
                          "kms:GetSecretValue"
                      ]
                  }
              ]
          }
      Note

      When you create an ECS secret, the system automatically creates the AliyunServiceRoleForKMSSecretsManagerForECS service-linked role and attaches the AliyunServiceRolePolicyForKMSSecretsManagerForECS policy to the role. KMS uses the role to manage ECS secrets and rotate ECS passwords and SSH key pairs.

      You can log on to the RAM console to view the details of service-linked roles and policies. For more information, see View the information about a RAM role and View the basic information about a policy.
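The following Python script is added here as an example; it is not part of the KMS documentation or SDK. It takes the three Custom Policy templates above and checks which of them let an identity do what Bastionhost does at step 4 of the workflow (call ListSecrets and GetSecretValue), and which management rights each template grants beyond that. It assumes the RAM `*` wildcard behaves like fnmatch and ignores Effect, Resource and Condition, which the templates above do not set; the probe action list is illustrative.

```python
import fnmatch

# Action lists of the Custom Policy templates on this page (the trailing
# commas of the originals are dropped so the objects are valid).
ADMIN_POLICY = {"Statement": [{"Action": [
    "kms:List*", "kms:Describe*", "kms:PutSecretValue", "kms:Update*",
    "kms:DeleteSecret", "kms:RestoreSecret", "kms:RotateSecret",
    "kms:TagResource", "kms:UntagResource"]}]}
USER_POLICY = {"Statement": [{"Action": [
    "kms:List*", "kms:Describe*", "kms:GetSecretValue"]}]}
CROSS_ACCOUNT_USER_POLICY = USER_POLICY  # identical action list on the page

# The two KMS operations Bastionhost calls when it opens a session (step 4).
BASTIONHOST_CALLS = ("kms:ListSecrets", "kms:GetSecretValue")

# Illustrative actions used to probe what each template grants.
PROBE = ("kms:ListSecrets", "kms:GetSecretValue", "kms:PutSecretValue",
         "kms:DeleteSecret", "kms:RotateSecret", "kms:UpdateSecret",
         "kms:DescribeSecret")


def is_allowed(policy, action):
    """Simplified RAM match (assumption): an action is allowed when any
    Action pattern matches it; '*' is treated like the fnmatch wildcard.
    Effect, Resource and Condition are ignored since the templates set none."""
    patterns = [a for stmt in policy["Statement"] for a in stmt["Action"]]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def can_open_session(policy):
    """True if an identity with this policy can make both calls Bastionhost
    needs; the administrator template lacks GetSecretValue, so it cannot."""
    return all(is_allowed(policy, a) for a in BASTIONHOST_CALLS)


def beyond_bastionhost_needs(policy, probe_actions):
    """Probe actions the policy allows that session set-up does not need.
    For the user template this should be read-only metadata access only."""
    return [a for a in probe_actions
            if is_allowed(policy, a) and a not in BASTIONHOST_CALLS]


if __name__ == "__main__":
    for name, pol in (("administrator", ADMIN_POLICY), ("user", USER_POLICY)):
        print(f"{name}: can open session={can_open_session(pol)}, "
              f"extra rights={beyond_bastionhost_needs(pol, PROBE)}")
```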

  2. Import the ECS secret in Bastionhost.

    After you import the ECS secret, Bastionhost retrieves the value of the ECS secret from KMS to log on to the ECS instance.

    1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

    2. In the left-side navigation pane, choose Assets > Hosts.

    3. In the host list, find the host that you want to manage and click Import KMS Secret in the Actions column.

    4. In the Import KMS Secret dialog box, select the ECS secrets that you want to import and click Import.

      After the ECS secrets are imported, you can click the name of the host in the host list. On the Host Account tab, view and manage the imported ECS secrets.

What to do next

  1. Authorize a Bastionhost user to manage the ECS instance. For more information, see Authorize a user to manage hosts.

  2. Manage the ECS instance as a Bastionhost user. For more information, see O&M overview.

References

Introduction to the Basic and Enterprise editions