Configuring Basic Permissions

Last updated: 2023-11-08 10:18:35
    This document describes how a root account grants a Stream Compute Service sub-user the required permissions. If you are a sub-user, contact your root account to grant you the permissions. The specific authorization steps are as follows.

    CAM policy

    Stream Compute Service uses the unified Tencent Cloud CAM service to help organizations manage users' access to their resources. For details, see Cloud Access Management.

    Granting a sub-user access to Stream Compute Service

    By default, a root account has access to all Stream Compute Service resources, but a sub-account has no access to these resources. If you try to access Stream Compute Service with a sub-account, a CAM authentication error will occur. In this case, the root account needs to associate the sub-account with the predefined policy QcloudOceanusFullAccess in the CAM console as instructed in Authorization Management. After the sub-account is associated with the policy QcloudOceanusFullAccess, it will have access to Stream Compute Service. For details, see CAM.

    Access to other services

    The underlying system services of Stream Compute Service must be authorized to access various cloud service resources such as CKafka, COS, and CLS via your VPC. This is the most basic authorization required for the proper running of the Stream Compute Service system.
    When this authorization is required during the use of Stream Compute Service, the authorization page will automatically appear. However, only a root account, a sub-user with QcloudCamRoleFullAccess, and a sub-user with QcloudCamSubaccountsAuthorizeRoleFullAccess can perform this operation for themselves.
    Otherwise, the sub-account must additionally be granted the PassRole permission.

    Granting a sub-account a PassRole

    When a user logs in with a sub-account, even though the above authorizations have been completed and the Oceanus_QCSRole role has been created successfully, the underlying system services of Stream Compute Service still cannot assume the Oceanus_QCSRole role.
    In this case, the root account or a sub-account with the admin permission needs to grant the sub-account the PassRole permission, so that the Stream Compute Service role can be passed to the underlying system services. Once this is configured, the underlying system services can access various cloud service resources such as CKafka, COS, and CLS via your VPC.
    Steps: The root account or a sub-account with the admin permission creates a policy and grants the sub-account the cam:PassRole permission.

    Policy content

    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": "cam:PassRole",
                "resource": "qcs::cam::uin/${OwnerUin}:roleName/Oceanus_QCSRole"
            }
        ]
    }
    Note
    OwnerUin in the policy refers to the account ID of the root account.
    For how to create a policy, see Creating Custom Policy.
    For authorization, see Authorization Management.

    Directions

    1. On the Create by Policy Syntax page, select Blank Template.
    2. On the Edit Policy page, enter the above policy content (replace the UIN of the root account with your UIN).
    3. Go back to the User List page, click Authorize of the target user, select the policy created, and click OK.
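
The check below is an added example, not part of the original Tencent Cloud documentation: it builds the policy above for a given root account UIN and flags a cam:PassRole grant that still contains the ${OwnerUin} placeholder or is not limited to Oceanus_QCSRole. The function names and the sample UIN are constructed for illustration, and the UIN is assumed to be numeric.

```python
import json
import re

ROLE_NAME = "Oceanus_QCSRole"  # role name taken from the policy on this page

def build_passrole_policy(owner_uin: str) -> dict:
    """Return the page's policy with ${OwnerUin} replaced by the root account ID."""
    if not re.fullmatch(r"\d+", owner_uin):  # assumption: UINs are numeric
        raise ValueError("owner_uin must be the numeric root account ID")
    return {
        "version": "2.0",
        "statement": [{
            "effect": "allow",
            "action": "cam:PassRole",
            "resource": f"qcs::cam::uin/{owner_uin}:roleName/{ROLE_NAME}",
        }],
    }

def lint_passrole_policy(policy: dict, owner_uin: str) -> list:
    """Return findings for statements that allow cam:PassRole too broadly."""
    expected = f"qcs::cam::uin/{owner_uin}:roleName/{ROLE_NAME}"
    findings = []
    for i, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        actions = stmt.get("action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("*", "cam:*", "cam:PassRole") for a in actions):
            continue  # statement does not grant PassRole at all
        if any(a != "cam:PassRole" for a in actions):
            findings.append(f"statement {i}: actions beyond cam:PassRole: {actions}")
        resources = stmt.get("resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for r in resources:
            if "${" in r:
                findings.append(f"statement {i}: unreplaced placeholder in {r}")
            elif r != expected:
                findings.append(f"statement {i}: resource not limited to {ROLE_NAME}: {r}")
    return findings

if __name__ == "__main__":
    uin = "100000000001"  # constructed sample root account ID
    print(json.dumps(build_passrole_policy(uin), indent=4))
    broad = {"version": "2.0", "statement": [  # constructed over-broad policy
        {"effect": "allow", "action": ["cam:PassRole"], "resource": "*"}]}
    print(lint_passrole_policy(broad, uin))
```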
    
    Note
    At this point, the sub-account can properly access Stream Compute Service and various cloud resources such as CKafka, COS, and CLS via VPC in the Stream Compute Service console. To control access to jobs and resources at a finer granularity, see Space Role Permissions.
    