API standard and pre-built SDKs in multiple languages
The OpenAPI specification of this product (Yundun-bastionhost/2019-12-09) follows the RPC standard. Alibaba Cloud provides pre-built SDKs for popular programming languages to abstract low-level complexities such as request signing. This enables developers to call APIs using language-specific syntax without dealing with HTTP details directly.
Custom signature
If the SDK does not cover your requirements (for example, a customized signature), sign requests manually by using the signature mechanism. Note that manual signing requires significant effort (usually about 5 business days). For support, join our DingTalk group (ID: 147535001692).
Before you begin
An Alibaba Cloud account has full administrative privileges. A compromised AccessKey pair exposes all associated resources to unauthorized access, posing a significant security risk. Create a Resource Access Management (RAM) user with API-only access and use RAM policies to apply the principle of least privilege (PoLP). Use the Alibaba Cloud account only when it is explicitly required.
To call APIs securely, configure the following:
- A RAM user account
- An AccessKey pair for the account
Bastionhost instance (V3.2.X only)
| API | Title | Description |
| --- | --- | --- |
| DescribeInstanceAttribute | DescribeInstanceAttribute | Queries the attribute information about the specified bastion host. The information includes the ID and remarks of the bastion host. |
| DescribeInstances | DescribeInstances | Queries bastion hosts. |
| ConfigInstanceSecurityGroups | ConfigInstanceSecurityGroups | Configures security groups for a bastion host. |
| ConfigInstanceWhiteList | ConfigInstanceWhiteList | Configures a whitelist of public IP addresses for a bastion host. |
| StartInstance | StartInstance | Starts a bastion host. |
| EnableInstancePublicAccess | EnableInstancePublicAccess | Enables Internet access to a bastion host. |
| DisableInstancePublicAccess | DisableInstancePublicAccess | Disables Internet access to a bastion host. |
| ModifyInstanceAttribute | ModifyInstanceAttribute | Modifies the information about a bastion host. |
| MoveResourceGroup | MoveResourceGroup | Moves a Bastionhost instance to a specified resource group. |
| AddInstanceRdMember | AddInstanceRdMember | Adds a member account from a Resource Directory (RD). |
| ListInstanceRdMembers | ListInstanceRdMembers | Lists the member accounts of a Resource Directory. |
| RemoveInstanceRdMember | RemoveInstanceRdMember | Removes an RD member account. |
Tags (for V3.2.X only)
| API | Title | Description |
| --- | --- | --- |
| ListTagKeys | ListTagKeys | Queries the tags that are attached to a resource. |
| ListTagResources | ListTagResources | Queries the tags attached to one or more Bastionhost instances. |
| UntagResources | UntagResources | Removes tags from one or more Bastionhost instances in a batch. |
| TagResources | TagResources | Creates and attaches tags to one or more Bastionhost instances. |
Region (V3.2.X only)
| API | Title | Description |
| --- | --- | --- |
| DescribeRegions | DescribeRegions | Queries the Alibaba Cloud regions where Bastionhost is available. |
Host (V3.2.17 and later)
| API | Title | Description |
| --- | --- | --- |
| CreateHost | CreateHost | Bastionhost allows you to perform O&M operations on hosts from different sources, such as Alibaba Cloud Elastic Compute Service (ECS) instances, servers in on-premises data centers, and servers on other cloud platforms. Before you perform O&M operations on hosts by using a bastion host, you must import the hosts to the bastion host. You can call this operation to import a host to a bastion host. |
| GetHost | GetHost | Queries the details of a host, such as the name, source, address, protocol, and service port of the host. |
| ListHosts | ListHosts | Queries the hosts in a bastion host. |
| DeleteHost | DeleteHost | Deletes a host. |
| ModifyHostsPort | ModifyHostsPort | Changes the port for the O&M protocol on one or more hosts. |
| ModifyHostsActiveAddressType | ModifyHostsActiveAddressType | Changes the endpoint type of one or more hosts for O&M. Public and private IP addresses are supported. |
| ModifyHost | ModifyHost | Modifies information about a host. The information includes the address, name, and description of the host and the operating system that the host runs. |
Database (V3.2.40 and later)
| API | Title | Description |
| --- | --- | --- |
| CreateDatabase | CreateDatabase | Imports an ApsaraDB RDS for MySQL instance, ApsaraDB RDS for SQL Server instance, ApsaraDB RDS for PostgreSQL instance, PolarDB for MySQL cluster, PolarDB for PostgreSQL cluster, PolarDB for PostgreSQL (Compatible with Oracle) cluster, self-managed MySQL database, self-managed SQL Server database, self-managed PostgreSQL database, or self-managed Oracle database to a bastion host. |
| ModifyDatabase | ModifyDatabase | Modifies the basic information about a database. |
| GetDatabase | GetDatabase | Queries the detailed information about a database. |
| ListDatabases | ListDatabases | Queries the databases that are managed by a bastion host. |
| DeleteDatabase | DeleteDatabase | Deletes a database. |
Network domain (V3.2.40 and later)
| API | Title | Description |
| --- | --- | --- |
| CreateNetworkDomain | CreateNetworkDomain | If you want to perform O&M operations on assets that reside in different networks or assets that cannot communicate with the virtual private cloud (VPC) of your bastion host in a centralized manner, we recommend that you use the network domain feature of Bastionhost. You can configure a proxy server for these assets, create a network domain for a bastion host, and then connect the network domain to the proxy server. This way, you can perform O&M operations on the assets by using the bastion host. |
| GetNetworkDomain | GetNetworkDomain | Queries the detailed information about a network domain. |
| ListNetworkDomains | ListNetworkDomains | Retrieves the list of network domains for a specified Bastionhost instance. |
| DeleteNetworkDomain | DeleteNetworkDomain | Deletes a network domain. |
| ModifyNetworkDomain | ModifyNetworkDomain | Modifies the basic information about a network domain. |
| MoveHostsToNetworkDomain | MoveHostsToNetworkDomain | Adds multiple hosts to a network domain at a time. |
| MoveDatabasesToNetworkDomain | MoveDatabasesToNetworkDomain | Adds multiple databases to a network domain at a time. |
Host accounts (V3.2.17 and later)
| API | Title | Description |
| --- | --- | --- |
| CreateHostAccount | CreateHostAccount | After creating a host in Bastionhost, you can create corresponding host accounts for it, which means managing your existing host accounts in Bastionhost. After creating host accounts, O&M engineers can use these accounts to log on to hosts through Bastionhost for O&M operations. |
| GetHostAccount | GetHostAccount | Retrieves the details of a specified host account. |
| ListHostAccounts | ListHostAccounts | Queries a list of host accounts. |
| ModifyHostAccount | ModifyHostAccount | Modifies host account information, including the name, password, and private key of the host account. |
| DeleteHostAccount | DeleteHostAccount | Removes a host account. |
| ResetHostAccountCredential | ResetHostAccountCredential | Deletes the logon credential of a specified host account. The logon credential can be the password or Secure Shell (SSH) private key. |
Database accounts (V3.2.40 and later)
| API | Title | Description |
| --- | --- | --- |
| CreateDatabaseAccount | CreateDatabaseAccount | After a database is created, you can create a database account for the database. After the account is created, O&M engineers can use the account to log on to and perform O&M operations on the database. |
| ModifyDatabaseAccount | ModifyDatabaseAccount | Modifies the basic information about a database account. |
| GetDatabaseAccount | GetDatabaseAccount | Queries the detailed information about a database account. |
| ListDatabaseAccounts | ListDatabaseAccounts | Queries the database accounts of a database. |
| ListDatabaseAccountsForUserGroup | ListDatabaseAccountsForUserGroup | Queries the database accounts of a database and whether a user group is authorized to manage each database account. |
| DeleteDatabaseAccount | DeleteDatabaseAccount | Deletes a database account. |
Users (V3.2.17 and later)
| API | Title | Description |
| --- | --- | --- |
| CreateUser | CreateUser | Adds a user to a bastion host. |
| GetUser | GetUser | Queries the details of a user of the specified bastion host. |
| ListUsers | ListUsers | Queries a list of users of a bastion host. |
| ModifyUser | ModifyUser | Modifies the information about a user of a bastion host. |
| DeleteUser | DeleteUser | Deletes a bastion host user. |
| CreateUserPublicKey | CreateUserPublicKey | Creates a public key for a bastion host user and hosts the public key in the bastion host. This way, O&M engineers can use the private key that corresponds to the public key to log on to the bastion host from an O&M client. |
| ListUserPublicKeys | ListUserPublicKeys | Queries all public keys of a user. |
| ModifyUserPublicKey | ModifyUserPublicKey | Modifies the public key of the user. |
| DeleteUserPublicKey | DeleteUserPublicKey | Deletes a public key from the specified user. |
| LockUsers | LockUsers | Locks one or more users of a bastion host. |
| UnlockUsers | UnlockUsers | Unlocks one or more users of a bastion host. |
User groups (V3.2.17 and later)
| API | Title | Description |
| --- | --- | --- |
| CreateUserGroup | CreateUserGroup | Creates a user group for a bastion host. |
| GetUserGroup | GetUserGroup | Queries the details of a user group in a bastion host. |
| ListUserGroups | ListUserGroups | Queries a list of user groups on a bastion host. |
| ModifyUserGroup | ModifyUserGroup | Modifies the information about a user group. |
| DeleteUserGroup | DeleteUserGroup | Deletes a user group from a bastion host. |
| AddUsersToGroup | AddUsersToGroup | Add one or more users to a user group. |
| RemoveUsersFromGroup | RemoveUsersFromGroup | Removes one or more users from a user group. |
Asset groups (V3.2.17 and later)
| API | Title | Description |
| --- | --- | --- |
| CreateHostGroup | CreateHostGroup | You can create asset groups based on your business requirements and add assets of the same type to an asset group. This allows you to classify assets and manage multiple assets at a time. |
| AddDatabasesToGroup | AddDatabasesToGroup | Adds multiple databases to a specified asset group. |
| AddHostsToGroup | AddHostsToGroup | Adds one or more hosts to the specified host group. |
| RemoveDatabasesFromGroup | RemoveDatabasesFromGroup | Removes multiple databases from an asset group at a time. |
| DeleteHostGroup | DeleteHostGroup | Deletes a host group. |
| RemoveHostsFromGroup | RemoveHostsFromGroup | Removes multiple hosts from an asset group at a time. |
| ModifyHostGroup | ModifyHostGroup | Modifies the name or description of the specified host group. |
| GetHostGroup | GetHostGroup | Queries the details of a specified host group. |
| ListHostGroups | ListHostGroups | Queries a list of asset groups that are managed by a bastion host. |
Host authorization (V3.2.17 and later)
| API | Title | Description |
| --- | --- | --- |
| AttachHostAccountsToUser | AttachHostAccountsToUser | After you add a user to your bastion host, you must authorize the user to manage assets. Only authorized users can log on to the bastion host to perform O&M operations on the assets. |
| ListHostsForUser | ListHostsForUser | Queries the hosts that a user group is authorized or not authorized to manage. |
| ListHostAccountsForUser | ListHostAccountsForUser | Queries the host accounts of a host and whether a user is authorized to manage each host account. |
| DetachHostAccountsFromUser | DetachHostAccountsFromUser | Revokes permissions on hosts and host accounts from a user. |
| DetachHostAccountsFromUserGroup | DetachHostAccountsFromUserGroup | Revokes the permissions on one or more hosts and host accounts from a user group. |
| DetachHostGroupAccountsFromUser | DetachHostGroupAccountsFromUser | Removes host groups and host accounts from the list of host groups and host accounts that a user is authorized to manage. |
| AttachHostAccountsToUserGroup | AttachHostAccountsToUserGroup | Authorizes a user group to manage one or more hosts and host accounts. |
| DetachHostGroupAccountsFromUserGroup | DetachHostGroupAccountsFromUserGroup | Revokes permissions on one or more host groups and host accounts from a user group. |
| AttachHostGroupAccountsToUser | AttachHostGroupAccountsToUser | Authorizes a user to manage one or more host groups and host accounts. |
| AttachHostGroupAccountsToUserGroup | AttachHostGroupAccountsToUserGroup | Authorizes a user to manage one or more host groups and host accounts. |
| ListHostAccountsForUserGroup | ListHostAccountsForUserGroup | Queries the host accounts of a host and whether a user group is authorized to manage each host account. |
| ListHostGroupAccountNamesForUser | ListHostGroupAccountNamesForUser | Queries the names of the host accounts that a specified user is authorized to manage in a specified host group. |
| ListHostGroupAccountNamesForUserGroup | ListHostGroupAccountNamesForUserGroup | Queries the names of the host accounts that a user group is authorized to manage in a host group. |
| ListHostGroupsForUser | ListHostGroupsForUser | Queries a list of host groups that a bastion host user is authorized or is not authorized to manage. |
| ListHostGroupsForUserGroup | ListHostGroupsForUserGroup | Queries the hosts that a specified user group is authorized or not authorized to manage. |
| ListHostsForUserGroup | ListHostsForUserGroup | Queries the hosts that a user group is authorized or not authorized to manage. |
Database authorization (V3.2.40 and later)
| API | Title | Description |
| --- | --- | --- |
| AttachDatabaseAccountsToUser | AttachDatabaseAccountsToUser | Authorizes a user to manage databases and database accounts. |
| ListDatabasesForUser | ListDatabasesForUser | Queries the databases that a user is authorized to manage. |
| DetachDatabaseAccountsFromUserGroup | DetachDatabaseAccountsFromUserGroup | Revokes permissions on databases and database accounts from a user group. |
| ListDatabaseAccountsForUser | ListDatabaseAccountsForUser | Queries the database accounts of a database and whether a user is authorized to manage each database account. |
| DetachDatabaseAccountsFromUser | DetachDatabaseAccountsFromUser | Revokes permissions on databases and database accounts from a user. |
| AttachDatabaseAccountsToUserGroup | AttachDatabaseAccountsToUserGroup | Grants permissions on databases and database accounts to a user group. |
| ListDatabasesForUserGroup | ListDatabasesForUserGroup | Queries the list of databases that are authorized for a user group. |
O&M token (V3.2.40 and later)
| API | Title | Description |
| --- | --- | --- |
| ListOperationDatabases | ListOperationDatabases | Queries a list of databases that the current Resource Access Management (RAM) user is authorized to manage. |
| ListOperationHosts | ListOperationHosts | Queries a list of hosts that the current Resource Access Management (RAM) user is authorized to manage. |
| ListOperationHostAccounts | ListOperationHostAccounts | Queries a list of host accounts that the current Resource Access Management (RAM) user is authorized to manage. |
| ListOperationDatabaseAccounts | ListOperationDatabaseAccounts | Queries a list of database accounts that the current Resource Access Management (RAM) user is authorized to manage. |
| GenerateAssetOperationToken | GenerateAssetOperationToken | Applies for an O&M token. |
| RenewAssetOperationToken | RenewAssetOperationToken | Renews an O&M token for one hour. |
| CreateOperationTicket | CreateOperationTicket | When an administrator enables operation approval in control policies, operations and maintenance (O&M) engineers must first create an operation request and obtain administrator approval before performing O&M operations. |
Authorization rules (V3.2.40 and later)
| API | Title | Description |
| --- | --- | --- |
| CreateRule | CreateRule | You can create authorization rules to authorize multiple users to manage assets. You can also specify a validity period for an authorization rule. This way, you can manage users and assets in a more efficient manner and limit the time periods during which users can access assets. |
| ModifyRule | ModifyRule | Modifies the basic information of an authorization rule. |
| GetRule | GetRule | Queries the detailed information about an authorization rule. |
| ListRules | ListRules | Queries a list of authorization rules of a bastion host. |
| EnableRule | EnableRule | Enables an authorization rule. |
| DisableRule | DisableRule | Disables an authorization rule. |
| DeleteRule | DeleteRule | Deletes an authorization rule. |
Control policies (V3.2.40 and later)
| API | Title | Description |
| --- | --- | --- |
| CreatePolicy | CreatePolicy | Configures a command control, command approval, protocol control, or access control policy to manage O&M operations. This effectively prevents users from performing high-risk operations or accidental operations to ensure O&M security. |
| ModifyPolicy | ModifyPolicy | Modifies the basic information about a control policy. |
| GetPolicy | GetPolicy | Queries the detailed information about a control policy. |
| ListPolicies | ListPolicies | Queries a list of control policies. |
| GetPolicyAssetScope | GetPolicyAssetScope | Queries the assets to which a control policy applies. |
| SetPolicyProtocolConfig | SetPolicyProtocolConfig | Configures the Remote Desktop Protocol (RDP) options, SSH options, and SSH File Transfer Protocol (SFTP) options for a control policy. |
| SetPolicyCommandConfig | SetPolicyCommandConfig | Specifies the commands that can or cannot be run by the users or on the assets associated with the policy and the commands that must be reviewed. |
| SetPolicyIPAclConfig | SetPolicyIPAclConfig | Specifies whether a source IP address can access the assets to which a control policy applies. |
| GetPolicyUserScope | GetPolicyUserScope | Queries the scope of users to whom a control policy applies. |
| SetPolicyAccessTimeRangeConfig | SetPolicyAccessTimeRangeConfig | Configures the logon period limits in a control policy. |
| SetPolicyAssetScope | SetPolicyAssetScope | Specifies the assets to which a control policy applies. |
| SetPolicyUserScope | SetPolicyUserScope | Specifies the users to whom a control policy applies. |
| SetPolicyApprovalConfig | SetPolicyApprovalConfig | Configures the O&M approval setting in a control policy. |
| DeletePolicy | DeletePolicy | Deletes a control policy. |
Approval (V3.2.37 and later)
| API | Title | Description |
| --- | --- | --- |
| ListApproveCommands | ListApproveCommands | Queries commands to be reviewed. |
| AcceptApproveCommand | AcceptApproveCommand | If an O&M engineer attempts to run a command specified in the Command Approval field on the Create Control Policy page, the administrator is notified to review the command in the Bastionhost console. The command can be run only after it is approved by the administrator. |
| RejectApproveCommand | RejectApproveCommand | If an O&M engineer attempts to run a command specified in the Command Approval section of the Create Control Policy page, the administrator is notified to review the command in the Bastionhost console. The command can be run only after it is approved by the administrator. |
| ListOperationTickets | ListOperationTickets | Queries O&M applications to be reviewed. |
| AcceptOperationTicket | AcceptOperationTicket | Approves an O&M application. |
| RejectOperationTicket | RejectOperationTicket | If a Bastionhost administrator enables O&M Approval on the Create Control Policy page, O&M engineers can log on to assets to perform O&M operations only after the administrator approves their O&M applications. |
System settings (available only for bastion hosts that run V3.2.X)
| API | Title | Description |
| --- | --- | --- |
| GetInstanceADAuthServer | GetInstanceADAuthServer | Queries the settings of Active Directory (AD) authentication on a bastion host. |
| ModifyInstanceADAuthServer | ModifyInstanceADAuthServer | Modifies the settings of the Active Directory (AD) authentication server of a bastion host. |
| GetInstanceTwoFactor | GetInstanceTwoFactor | Queries the settings of two-factor authentication on a bastion host. |
| ModifyInstanceTwoFactor | ModifyInstanceTwoFactor | Modifies the two-factor authentication settings of a bastion host. |
| ModifyInstanceLDAPAuthServer | ModifyInstanceLDAPAuthServer | Modifies the settings of the Lightweight Directory Access Protocol (LDAP) authentication server of a bastion host. |
| GetInstanceLDAPAuthServer | GetInstanceLDAPAuthServer | Queries the settings of Lightweight Directory Access Protocol (LDAP) authentication on a bastion host. |
| GetInstanceStoreInfo | GetInstanceStoreInfo | Queries the storage usage of a Bastionhost instance. |
| CreateExportConfigJob | CreateExportConfigJob | Creates a configuration backup export task. Only one configuration backup export task can run at a time for a Bastionhost instance. |
| GetExportConfigJob | GetExportConfigJob | null |
Other
| API | Title | Description |
| --- | --- | --- |
| VerifyInstanceLDAPAuthServer | VerifyInstanceLDAPAuthServer | Verifies the LDAP service configuration of an instance. |
| VerifyInstanceADAuthServer | VerifyInstanceADAuthServer | Verifies the Active Directory service configuration of an instance. |