Bastionhost integrates with Key Management Service (KMS) to let you import Elastic Compute Service (ECS) secrets directly into Bastionhost. Once imported and authorized, Bastionhost users can log on to ECS instances without entering passwords.
Supported versions
Enterprise Edition and SM Edition.
If your Bastionhost instance is Basic Edition, upgrade it first. For more information, see Upgrade instance type.
Prerequisites
Before you begin, ensure that you have:
ECS secrets hosted in KMS. For more information, see Manage and use ECS secrets.
ECS instances imported to Bastionhost. For more information, see Import ECS instances.
The AliyunYundunBastionHostFullAccess system policy attached to the RAM user you log on with. The policy must be granted by the Alibaba Cloud account that owns the RAM user. For more information, see Grant permissions to RAM users.
Import KMS secrets
Log on to the Bastionhost system. For more information, see Log on to the system.
In the left-side navigation pane, choose Assets > Hosts.
Find the host and click Import KMS Secret in the Actions column.
In the Import KMS Secret dialog box, select the ECS secrets to import and click Import.
After the import completes, click the host name to open the Host Account tab, where you can view and manage the imported secrets.
Manage imported secrets
On the Host Account tab, perform any of the following operations on imported ECS secrets.
Delete ECS secrets
Select one or more ECS secrets and delete them. Deleting a secret here removes it only from Bastionhost; the secret itself still exists in KMS.
The reverse does not hold: if an ECS secret is deleted in KMS, the copy in your Bastionhost instance is marked as deleted and can no longer be used for logon.
Restrict access to SFTP only
Turn on Enable Only SFTP Permission for an account to restrict that account to SFTP file transfer. Interactive SSH logon with that account is disabled while the switch is on.
What's next
To let Bastionhost users log on to ECS instances using the imported secrets, grant them the necessary permissions:
Authorize users: Grant permissions on ECS instances and secrets to Bastionhost users. See Authorize a user to manage hosts.
Control operations: Set rules for what O&M operations authorized users can perform. See Configure a control policy.