Storing ECS instance credentials directly in Bastionhost creates two risks: credentials can be exposed if Bastionhost is compromised, and rotating passwords or SSH key pairs requires manual updates in Bastionhost. By saving ECS credentials as secrets in Key Management Service (KMS) and linking them to Bastionhost, you eliminate both risks. Bastionhost retrieves the current secret value from KMS in real time at connection time — no credentials are stored in Bastionhost, and secret rotation never disrupts active connections.
This guide walks through three roles:
Secret administrator — creates and manages ECS secrets in KMS
Bastionhost administrator — imports ECS secrets into Bastionhost
O&M engineer — connects to ECS instances through Bastionhost
How it works
When an O&M engineer initiates a connection, Bastionhost calls the ListSecrets and GetSecretValue KMS APIs to retrieve the ACSCurrent secret version in real time. Secret rotation does not affect the connection between Bastionhost and the ECS instance.
A secret administrator creates an ECS secret in KMS.
A Bastionhost administrator imports the ECS secret from KMS into Bastionhost.
An O&M engineer initiates a remote connection to the ECS instance.
Bastionhost calls ListSecrets and GetSecretValue to retrieve the current secret value from KMS.
Bastionhost uses the secret value to log on to the ECS instance.
For more information about secret versions, see Secret versions.
Supported editions
This integration is supported in:
Bastionhost Basic Edition
Bastionhost Enterprise Edition V3.2.40 and later
If you delete an ECS secret from KMS, Bastionhost can no longer retrieve the secret value and all connections that rely on that secret fail.
Prerequisites
Before you begin, make sure that you have:
ECS instances imported into Bastionhost. See Import ECS instances.
(If using a Resource Access Management (RAM) user) The AliyunKMSSecretAdminAccess permission to manage KMS secrets and the AliyunYundunBastionHostFullAccess permission to manage bastion hosts. See Grant permissions to a RAM user.
Step 1: Create an ECS secret in KMS
*Role: secret administrator*
Log on to the KMS console. In the top navigation bar, select a region. In the left navigation pane, choose Resource > Secrets.
Click the Customer-managed Secrets tab, locate the ECS Secrets type, and select the target instance from the Instance ID drop-down list.
Click Create Secret, configure the parameters, and click OK.
The following parameters are required for Bastionhost integration:
Secret name: A name that is unique within the region.
Managed instance: An existing ECS instance in your Alibaba Cloud account.
Managed user: The name of an existing OS user on the instance, for example, root for Linux or Administrator for Windows.
Initial secret value: The password or SSH key pair of the managed user. The value cannot exceed 30,720 bytes (30 KB).
CMK: The symmetric key used to encrypt the secret. The key and the secret must belong to the same KMS instance. If you use a RAM user, the user must have permission to call GenerateDataKey with this key. See Key specifications.
Tag: Optional. Tags classify and manage secrets as key-value pairs. A tag key or value can be up to 128 characters and can contain letters, digits, spaces, and the characters / \ _ - . + = : @. Tag keys cannot start with aliyun or acs:. You can add up to 20 key-value pairs per secret.
Automatic rotation: Enable to have KMS periodically update the secret value.
Rotation period: How often KMS rotates the secret. Ranges from 1 hour to 365 days. Required when automatic rotation is enabled.
You can configure Description and Advanced settings > Policy settings after creation.
Note: Enter a valid credential as the initial secret value. If the value is invalid, Bastionhost cannot log on to the ECS instance until the first rotation completes.
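As an added pre-flight check (written for this guide, not part of the KMS console or SDK), the following Python function validates the limits listed above before you submit the parameters. The numeric limits, allowed tag characters and reserved prefixes come from the table; the function name and the sample values are assumptions.

```python
"""Pre-flight validation of ECS secret parameters against the documented KMS limits."""
from __future__ import annotations

import re
from datetime import timedelta

MAX_SECRET_BYTES = 30 * 1024          # initial secret value: at most 30,720 bytes (30 KB)
MAX_TAG_LEN = 128                     # tag key or value: at most 128 characters
MAX_TAGS = 20                         # at most 20 key-value pairs per secret
MIN_ROTATION = timedelta(hours=1)     # rotation period: 1 hour ...
MAX_ROTATION = timedelta(days=365)    # ... up to 365 days
RESERVED_KEY_PREFIXES = ("aliyun", "acs:")
# Letters, digits, spaces and the characters / \ _ - . + = : @ are allowed in tags.
TAG_CHARS = re.compile(r"^[A-Za-z0-9/\\_\-.+=:@ ]*$")


def check_ecs_secret(secret_value: str, tags: dict[str, str],
                     auto_rotate: bool, rotation_period: timedelta | None = None) -> list[str]:
    """Return a list of problems; an empty list means the parameters satisfy the documented limits."""
    problems: list[str] = []

    # Initial secret value: must be present and within the size limit.
    if not secret_value.strip():
        problems.append("secret value is empty")
    if len(secret_value.encode("utf-8")) > MAX_SECRET_BYTES:
        problems.append("secret value exceeds 30,720 bytes")

    # Tags: count, length, character set and reserved key prefixes.
    if len(tags) > MAX_TAGS:
        problems.append(f"more than {MAX_TAGS} tags")
    for key, value in tags.items():
        for label, text in (("key", key), ("value", value)):
            if len(text) > MAX_TAG_LEN:
                problems.append(f"tag {label} {text!r} exceeds {MAX_TAG_LEN} characters")
            if not TAG_CHARS.match(text):
                problems.append(f"tag {label} {text!r} contains a disallowed character")
        if key.startswith(RESERVED_KEY_PREFIXES):
            problems.append(f"tag key {key!r} uses a reserved prefix")

    # Rotation: a period is required when enabled, and must fall within the allowed range.
    if auto_rotate:
        if rotation_period is None:
            problems.append("rotation period is required when automatic rotation is enabled")
        elif not MIN_ROTATION <= rotation_period <= MAX_ROTATION:
            problems.append("rotation period must be between 1 hour and 365 days")
    return problems


if __name__ == "__main__":
    # Constructed sample input: a placeholder password with one tag and 30-day rotation.
    print(check_ecs_secret("PLACEHOLDER-password", {"env": "prod"}, True, timedelta(days=30)))
```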
Obtaining an SSH key pair for the initial secret value
Use a key pair created in ECS:
Private key: Downloaded automatically as a .pem file when you create the key pair. See Create an SSH key pair.
Public key: See View public key information.
Or generate a key pair locally. The following command creates a 3072-bit RSA key pair:
ssh-keygen -t RSA -b 3072 -m PEM -f ~/.ssh/sshKey_demo -N ""
This generates two files:
~/.ssh/sshKey_demo: private key
~/.ssh/sshKey_demo.pub: public key
When you create an ECS secret, KMS automatically creates the AliyunServiceRoleForKMSSecretsManagerForECS service-linked role and attaches the AliyunServiceRolePolicyForKMSSecretsManagerForECS policy. KMS uses this role to manage ECS secrets and rotate passwords and SSH key pairs. To view the role and policy details, log on to the RAM console. See View the information about a RAM role and View the information about a policy.
Step 2: Import the ECS secret into Bastionhost
*Role: Bastionhost administrator*
After you import the secret, Bastionhost retrieves the secret value from KMS each time an O&M engineer initiates a connection.
Log on to the Bastionhost console. See Log on to the system.
In the left navigation pane, choose Assets > Hosts.
In the host list, find the target host and click Import KMS Secret in the Actions column.
In the Import KMS Secret dialog box, select the ECS secrets to import and click Import.
After the import, click the host name in the host list and go to the Host Account tab to view and manage the imported ECS secrets.
What to do next
Authorize Bastionhost users to manage the ECS instance. See Authorize a user to manage assets and asset accounts.
Connect to the ECS instance as a Bastionhost O&M engineer. See O&M overview.