Bastionhost lets you manage the assets within multiple accounts centrally. If you have multiple Alibaba Cloud accounts, you can use a single bastion host to perform centralized O&M operations on the assets within these accounts, based on Resource Directory (RD).
Account types in RD
RD supports the following types of accounts:
Management account: After you use an Alibaba Cloud account to enable a resource directory, that account becomes the management account. The management account is the super administrator of the resource directory and has all administrative permissions over the resource directory, its folders, and its members.
Delegated administrator account: You can use the management account to specify a member in the resource directory as a delegated administrator account of a trusted service. The delegated administrator account receives authorization from the management account. It can access organizational and member information in the corresponding trusted service, enabling organization-wide management.
Member: You can create a new resource account as a member in a resource directory, or invite an existing Alibaba Cloud account to join the resource directory as a member.
Import assets within multiple accounts
The assets of a member, such as Elastic Compute Service (ECS) and ApsaraDB RDS instances, can be imported to a bastion host within the management account or a delegated administrator account. The assets within the management account or a delegated administrator account cannot be imported to the bastion hosts of a member.
The bastion hosts within an account are not available to other accounts.
If your bastion host cannot communicate with the assets within another account over the internal network, connect the bastion host to the network of the assets using Cloud Enterprise Network (CEN), VPN, public IP addresses, or the network domain feature of Bastionhost. This ensures the connectivity between the bastion host and the assets within multiple accounts.
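Before importing assets from a member, it is worth confirming that the bastion host can actually reach each asset over the path you chose (CEN, VPN, public IP, or network domain). The following script is an added example, not Alibaba Cloud code: it runs a TCP reachability pre-check against a constructed inventory of member-account assets and reports which assets are unreachable, grouped by member account. Asset names, account labels, IP addresses, and ports in the inventory are assumptions for illustration; replace them with your own.

```python
"""Connectivity pre-check from a bastion host to assets in other accounts.

Added example for the multi-account scenario described above; not part of
Bastionhost itself. Run it on (or from the network position of) the bastion
host. The inventory is constructed for illustration.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    account: str  # member account label (constructed, e.g. "member-a")
    name: str     # asset name as you would see it when importing it
    host: str     # private IP reachable via CEN/VPN/network domain, or a public IP
    port: int     # 22 for Linux hosts, 3389 for Windows, 3306 for RDS MySQL, ...


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A refused connection, a routing failure, or a timeout all return False;
    any of them means the bastion host cannot use this asset over this path.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_assets(assets, timeout: float = 2.0) -> dict:
    """Probe every asset in the inventory and return {asset: reachable}."""
    return {asset: tcp_reachable(asset.host, asset.port, timeout) for asset in assets}


def unreachable_by_account(results: dict) -> dict:
    """Group the names of unreachable assets by member account.

    The result tells you which member's network still needs to be connected
    to the bastion host before its assets can be imported.
    """
    report = {}
    for asset, reachable in results.items():
        if not reachable:
            report.setdefault(asset.account, []).append(asset.name)
    return report


if __name__ == "__main__":
    # Constructed inventory: two member accounts, three assets (assumed values).
    INVENTORY = [
        Asset("member-a", "web-01", "10.0.1.10", 22),
        Asset("member-a", "win-01", "10.0.1.11", 3389),
        Asset("member-b", "rds-mysql-01", "10.0.2.20", 3306),
    ]
    results = check_assets(INVENTORY)
    for asset, ok in results.items():
        print(f"{asset.account}/{asset.name} {asset.host}:{asset.port} "
              f"{'reachable' if ok else 'UNREACHABLE'}")
    for account, names in unreachable_by_account(results).items():
        print(f"Fix connectivity for {account}: {', '.join(names)}")
```

Run the script once per connectivity option you plan to use; an empty report means every listed asset can be imported and managed through the bastion host. A TCP handshake only proves network reachability, so the bastion host must still hold valid credentials for each asset.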
Supported versions
Enterprise Edition and SM Edition.
If your Bastionhost instance is Basic Edition, upgrade it to Enterprise Edition or SM Edition. For more information, see Upgrade instance type.
Prerequisites
A member exists in the resource directory. For instructions, see Create a member or Invite an Alibaba Cloud account to join a resource directory.
If you use a RAM user to manage the assets within multiple accounts, ensure that the RAM user is granted the AliyunYundunBastionHostFullAccess and AliyunResourceDirectoryFullAccess policies. For more information, see Grant permissions to a RAM user.
Procedure
Log on to the Bastionhost console and select the region where your bastion host is deployed in the top navigation bar.
In the bastion host list, find the bastion host for which you want to configure the multi-account management feature and open its Multi-account Management panel.
In the Multi-account Management panel, click Add Member Account.
In the Add Member Account dialog box, select the members that you want to add and click OK.
What to do next
After adding members to a bastion host, you can import the assets of the members to the bastion host. For more information, see Add hosts or Use the database management feature.