If your organization uses multiple Alibaba Cloud accounts to manage different business units or environments, Bastionhost lets you import assets from member accounts and operate them centrally from a single bastion host. This feature is built on Resource Directory (RD), Alibaba Cloud's account organization service.
Supported versions
Enterprise Edition and SM Edition.
Basic Edition does not support this feature. To use it, upgrade your instance to Enterprise Edition or SM Edition.
How it works
Resource Directory organizes Alibaba Cloud accounts into a hierarchy with three account types:
| Account type | Description |
|---|---|
| Management account | The account used to enable a resource directory. Acts as the super administrator with full control over the resource directory, its folders, and all members. |
| Delegated administrator account | A member that the management account designates to manage a specific trusted service. Can access organizational and member information in the corresponding trusted service for organization-wide administration. |
| Member | An account in the resource directory, either created as a resource account or added by inviting an existing Alibaba Cloud account. |
Asset import direction: Member assets—such as Elastic Compute Service (ECS) instances and ApsaraDB RDS instances—can be imported into a bastion host under the management account or a delegated administrator account. The reverse is not supported: management account and delegated administrator account assets cannot be imported into a member's bastion host.
Account scope: Bastion hosts are account-scoped and are not available to other accounts.
Network connectivity: If a bastion host cannot reach assets in another account over the internal network, establish connectivity using one of the following options: Cloud Enterprise Network (CEN), VPN, public IP addresses, or the network domain feature of Bastionhost.
Prerequisites
Before you begin, make sure you have:
| Requirement | Details |
|---|---|
| Resource Directory enabled | Enable a resource directory |
| At least one member in the resource directory | Create a member or invite an existing account |
| (If using a RAM user) Required permissions | The RAM user must have both AliyunYundunBastionHostFullAccess and AliyunResourceDirectoryFullAccess. See Grant permissions to a RAM user. |
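The two prerequisites that are easiest to get wrong are the RAM user's permissions and the join state of the member accounts. The following Python script is an added example (it is not Alibaba Cloud's code and is not part of this page) that checks both from the JSON printed by the Alibaba Cloud CLI: `aliyun ram ListPoliciesForUser --UserName <name>` for the attached policies and `aliyun resourcemanager ListAccounts` for the resource directory members. The exact JSON field layout (`Policies.Policy[].PolicyName`, `Accounts.Account[].AccountId/DisplayName/Status`) and the status values treated as "joined" (`CreateSuccess`, `InviteSuccess`) are assumptions; the sample documents embedded below are constructed, not captured from a real account.

```python
import json

# Policies the page requires on the RAM user that configures multi-account management.
REQUIRED_POLICIES = frozenset({
    "AliyunYundunBastionHostFullAccess",
    "AliyunResourceDirectoryFullAccess",
})

# Member statuses that mean the account has finished joining the resource directory.
# Assumed values of the ListAccounts "Status" field; adjust to the API reference if they differ.
READY_STATUSES = frozenset({"CreateSuccess", "InviteSuccess"})


def missing_policies(list_policies_output: str) -> set:
    """Return the required policies that are NOT attached to the RAM user.

    Input: JSON text from `aliyun ram ListPoliciesForUser --UserName <name>`.
    Assumed shape: {"Policies": {"Policy": [{"PolicyName": ..., "PolicyType": ...}, ...]}}
    """
    doc = json.loads(list_policies_output)
    attached = {p["PolicyName"] for p in doc.get("Policies", {}).get("Policy", [])}
    return set(REQUIRED_POLICIES - attached)


def importable_members(list_accounts_output: str) -> dict:
    """Split resource directory members into those ready for asset import and those still pending.

    Input: JSON text from `aliyun resourcemanager ListAccounts`.
    Assumed shape: {"Accounts": {"Account": [{"AccountId": ..., "DisplayName": ..., "Status": ...}, ...]}}
    Returns {"ready": [(account_id, display_name), ...], "pending": [(account_id, status), ...]}.
    """
    doc = json.loads(list_accounts_output)
    ready, pending = [], []
    for acct in doc.get("Accounts", {}).get("Account", []):
        if acct.get("Status") in READY_STATUSES:
            ready.append((acct["AccountId"], acct.get("DisplayName", "")))
        else:
            # Keep the raw status so the operator can see why an account was skipped.
            pending.append((acct["AccountId"], acct.get("Status")))
    return {"ready": ready, "pending": pending}


def preflight(list_policies_output: str, list_accounts_output: str) -> dict:
    """Combine both checks; "ok" is True only if no policy is missing and at least one member is ready."""
    missing = missing_policies(list_policies_output)
    members = importable_members(list_accounts_output)
    return {
        "ok": not missing and bool(members["ready"]),
        "missing_policies": sorted(missing),
        **members,
    }


# Constructed sample CLI output (not from a real account): the RAM user has the
# Bastionhost policy but lacks the Resource Directory policy.
SAMPLE_POLICIES = json.dumps({
    "Policies": {"Policy": [
        {"PolicyName": "AliyunYundunBastionHostFullAccess", "PolicyType": "System"},
        {"PolicyName": "AliyunECSReadOnlyAccess", "PolicyType": "System"},
    ]}
})

# Constructed sample CLI output: two joined members and one still being created.
SAMPLE_ACCOUNTS = json.dumps({
    "Accounts": {"Account": [
        {"AccountId": "100000000000000001", "DisplayName": "prod-member", "Status": "CreateSuccess", "Type": "ResourceAccount"},
        {"AccountId": "100000000000000002", "DisplayName": "legacy-member", "Status": "InviteSuccess", "Type": "CloudAccount"},
        {"AccountId": "100000000000000003", "DisplayName": "new-member", "Status": "CreateVerifying", "Type": "ResourceAccount"},
    ]}
})

if __name__ == "__main__":
    # Replace the samples with the real CLI output, e.g. read from files produced by the two commands above.
    print(json.dumps(preflight(SAMPLE_POLICIES, SAMPLE_ACCOUNTS), indent=2))
```

Run the two CLI commands as the RAM user that will configure the bastion host, feed their output to `preflight`, and add member accounts only once `ok` is true; a non-empty `missing_policies` list points at the policy to attach, and `pending` lists members that must finish joining the resource directory before they appear in the Add Member Account dialog box.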
Add member accounts to a bastion host
1. Log on to the Bastionhost console and select the region where your bastion host is deployed in the top navigation bar.
2. In the bastion host list, find the target bastion host and choose Configuration > Multi-account Management.
3. In the Multi-account Management panel, click Add Member Account.
4. In the Add Member Account dialog box, select the member accounts to add and click OK.
What's next
After adding member accounts, import their assets into the bastion host for centralized O&M:
- To add hosts: See Add hosts.
- To add databases: See Use the database management feature.