Cross-Account Access

When another UCloud Global account requests access to your resources, you can grant it permissions through trust management without sharing access secrets. The scope of that access (such as the project scope and the product scope) is determined by the role you assign.

Applicable Scenarios

  1. You need to manage multiple cloud service accounts at the same time
  2. You need to grant partners (for example, other departments, companies or organizations) access to individual resources

Function Features

  1. You can apply for multiple cloud service accounts and isolate the production environment from the development environment, while managing the login information of only one account
  2. You retain ownership of your resources, open only some permissions to partners, and can withdraw those permissions at any time
  3. You can change the permission scope at any time as business needs change
  4. You don’t need to share the account’s access key with partners
  5. You don’t need to worry about personnel changes on the partner’s side

Operation Steps - Authorization

  1. The visitor obtains the authorization code
     • Log in to the console with the main account, go to “Access Control >> Trust Management” and check “I am Trusted”
  2. Create Trust
     • Log in to the console with the main account and go to “Access Control >> Trust Management” to create the trust
     • Fill in the visitor’s account
     • Fill in the authorization code provided by the visitor
     • Choose a role
     • Specify the project scope that can be accessed
       • To authorize a project-level Policy, you can specify a specific authorization item. (A project-level Policy is valid only for the specified project. You can view policy levels in Policy Management.)
         Note: [Application] will be prioritized to show projects that have been granted project-level Policies.
       • To authorize a Global-level Policy, select “Undistinguished Project”. (The global scope is a global service for the account. It does not distinguish projects and does not support sub-project authorization. You can view the policy level in Policy Management.)
  3. The visitor specifies the role player
     • Log in to the console with the main account and go to “Permission Management >> Trust Management”
     • Add sub-accounts to the association that you need to access
  4. Visit the resources of the trusted party
     • Log in to the console with the sub-account
     • Switch the identity to the object you want to access

Operation Steps - Change Visitor

  • Use the main account to log in to the console, enter “Permission Management >> Trust Management”
  • Change sub-account

Operation Steps - Revoke Trust

  • Use the main account to log in to the console, enter “Permission Management >> Trust Management”
  • Click on “Revoke Trust”