CreateUser - Bastionhost - Alibaba Cloud Documentation Center

Adds a user to a bastion host.

Operation description

You can call the CreateUser operation to add local users, Resource Access Management (RAM) users, Active Directory (AD)-authenticated users, or Lightweight Directory Access Protocol (LDAP)-authenticated users to a bastion host. After a Bastionhost administrator adds a user to a bastion host, O&M engineers can log on to the bastion host as the user to perform O&M operations on the hosts that the user is authorized to manage.

You can call this operation up to 10 times per second per account. If the number of the calls per second exceeds a limit, throttling is triggered. As a result, your business may be affected. We recommend that you take note of the limits when you call this operation.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-bastionhost:CreateUser

create

*All Resource

*

None

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the bastion host to which you want to add a user. Note You can call the DescribeInstances operation to query the bastion host ID.	bastionhost-cn-st220aw****
RegionId	string	No	The region ID of the bastion host to which you want to add a user. Note For more information about the mapping between region IDs and region names, see Regions and zones.	cn-hangzhou
Source	string	Yes	The type of the user that you want to add. Valid values: Local: a local user. Ram: a RAM user. AD: an AD-authenticated user. LDAP: an LDAP-authenticated user.	Local
UserName	string	Yes	The logon name of the user that you want to add. The logon name must be 1 to 128 characters in length and can contain only letters, digits, and underscores (_).	abc_def
Password	string	No	The logon password of the user that you want to add. The logon password must be 8 to 128 characters in length. It must contain uppercase letters, lowercase letters, digits, and special characters. Note This parameter is required if Source is set to Local.	213****
DisplayName	string	No	The display name of the user that you want to add. The display name can be up to 128 characters in length. Note If you leave this parameter empty, the logon name is used as the display name.	Bob
Comment	string	No	The remarks of the user that you want to add. The remarks can be up to 500 characters in length.	comment
Email	string	No	The email address of the user that you want to add. Note This parameter is required if TwoFactorStatus is set to Enable and TwoFactorMethods is set to email, or if TwoFactorStatus is set to Global and TwoFactorMethods is set to email in the global two-factor authentication settings. You can call the GetInstanceTwoFactor operation to query the global two-factor authentication settings.	username@example.com
Mobile	string	No	The mobile phone number of the user that you want to add. Note This parameter is required if TwoFactorStatus is set to Enable and TwoFactorMethods is set to sms or dingtalk, or if TwoFactorStatus is set to Global and TwoFactorMethods is set to sms or dingtalk in the global two-factor authentication settings. You can call the GetInstanceTwoFactor operation to query the global two-factor authentication settings.	1359999****
SourceUserId	string	No	The unique ID of the user that you want to add. Note This parameter uniquely identifies a RAM user of the bastion host. This parameter is required if Source is set to Ram. You can call the ListUsers operation in RAM to obtain the unique ID of the user from the UserId response parameter. This parameter is required if Source is set to AD or LDAP. Specify the distinguished name (DN) of the Active Directory (AD)-authenticated user or Lightweight Directory Access Protocol (LDAP)-authenticated user that you want to add.	122748924538****
MobileCountryCode	string	No	The location where the mobile phone number of the user is registered. Default value: CN. Valid values: CN: the Chinese mainland, whose international dialing code is +86. HK: Hong Kong (China), whose international dialing code is +852. MO: Macao (China), whose international dialing code is +853. TW: Taiwan (China), whose international dialing code is +886. RU: Russia, whose international dialing code is +7. SG: Singapore, whose international dialing code is +65. MY: Malaysia, whose international dialing code is +60. ID: Indonesia, whose international dialing code is +62. DE: Germany, whose international dialing code is +49. AU: Australia, whose international dialing code is +61. US: US, whose international dialing code is +1. AE: United Arab Emirates, whose international dialing code is +971. JP: Japan, whose international dialing code is +81. GB: UK, whose international dialing code is +44. IN: India, whose international dialing code is +91. KR: Republic of Korea, whose international dialing code is +82. PH: Philippines, whose international dialing code is +63. CH: Switzerland, whose international dialing code is +41. SE: Sweden, whose international dialing code is +46. SA: Saudi Arabia, whose international dialing code is +966.	CN
EffectiveStartTime	integer	No	The start time of the validity period of the user. Specify a UNIX timestamp. Unit: seconds.	1669630029
EffectiveEndTime	integer	No	The end time of the validity period of the user. Specify a UNIX timestamp. Unit: seconds.	1672502400
NeedResetPassword	boolean	No	Specifies whether password reset is required upon the next logon. Valid values: true false Note If you leave this parameter empty, the default value false is used.	true
TwoFactorStatus	string	No	Specifies whether two-factor authentication is enabled for the user. Valid values: Global: The global settings apply. Disable: Two-factor authentication is disabled. Enable: Two-factor authentication is enabled and user-specific settings apply. Note If you leave this parameter empty, the default value Global is used.	Enable
TwoFactorMethods	string	No	The two-factor authentication method. You can select only one method. Valid values: sms: text message-based two-factor authentication. email: email-based two-factor authentication. dingtalk: DingTalk-based two-factor authentication. totp OTP: one-time password (OTP) token-based two-factor authentication. Note If TwoFactorStatus is set to Enable, you must select one of the preceding values for TwoFactorMethods.	["sms"]
LanguageStatus	string	No	Specifies whether to send notifications in the language specified in the global settings or a custom language. Global Custom Note If you leave this parameter empty, the default value Global is used.	Custom
Language	string	No	This parameter is required if LanguageStatus is set to Custom. Valid values: zh-cn: simplified Chinese. en: English.	en

All Alibaba Cloud API operations must include common request parameters. For more information about common request parameters, see Common request parameters.

For more information about sample requests, see Sample requests.

Response elements

Element	Type	Description	Example
	object	The response data.
UserId	string	The ID of the user that is added.	1
RequestId	string	The request ID.	EC9BF0F4-8983-491A-BC8C-1B4DD94976DE

Examples

Success response

JSON format

{
  "UserId": "1",
  "RequestId": "EC9BF0F4-8983-491A-BC8C-1B4DD94976DE"
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvalidParameter	The argument is invalid.	The argument is invalid.
400	UserAlreadyExists	The user already exists.	The user already exists.
500	InternalError	An unknown error occurred.	An unknown error occurred.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.