Cloud Access Management
Last updated: 2024-08-01 14:15:20

Overview

Cloud Access Management (CAM) policies grant users permission to view and use specific resources in the console. This document gives example policies for viewing and using specific private NAT gateway resources, as a guide to applying policies to specific parts of the console.

Authorization Definition

Resources Supporting Private NAT Gateway Authorization in CAM

| Resource Type | Resource Description Method in Authorization Policies |
|---|---|
| NAT gateway instances | qcs::vpc:{region_short_name}:uin/{Uin}:nat/{NatGatewayId} |
| NAT gateway APIs | qcs::vpc:{region_short_name}:uin/{Uin}:nat/* |

Where:
All {region_short_name} should be the ID of a certain region or empty.
All {Uin} should be the AccountId of the resource owner or empty.
All {NatGatewayId} should be the ID of a NAT instance or empty.
Others can be deduced similarly.

APIs Supporting Private NAT Gateway Authorization in CAM

In CAM, you can authorize the following actions for a NAT resource.

| API Action | API Description | Resource Description |
|---|---|---|
| CreatePrivateNatGateway | Creates private NAT gateways. | qcs::vpc:$region:$account:intranat/* |
| | | qcs::vpc:$region:$account:vpc/* |
| DeletePrivateNatGateway | Deletes private NAT gateways. | qcs::vpc:$region:$account:intranat/$intranatid |
| ModifyPrivateNatGatewayAttribute | Modifies private NAT gateway attributes. | qcs::vpc:$region:$account:intranat/$intranatid |
| DescribePrivateNatGateways | Queries private NAT gateways. | qcs::vpc:$region:$account:intranat/* |
| DescribePrivateNatGatewayLimits | Queries the number limit for creating private NAT gateways. | qcs::vpc:$region:$account:intranat/* |
| | | qcs::vpc:$region:$account:vpc/$vpcid |
| CreatePrivateNatGatewayTranslationNatRule | Creates the private NAT gateway's source port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| DeletePrivateNatGatewayTranslationNatRule | Deletes the private NAT gateway's source port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| ModifyPrivateNatGatewayTranslationNatRule | Modifies the private NAT gateway's source port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| DescribePrivateNatGatewayTranslationNatRules | Queries the private NAT gateway's source port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| CreatePrivateNatGatewayTranslationAclRule | Creates the private NAT gateway's source port access control rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| DeletePrivateNatGatewayTranslationAclRule | Deletes the private NAT gateway's source port access control rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| ModifyPrivateNatGatewayTranslationAclRule | Modifies the private NAT gateway's source port access control rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| DescribePrivateNatGatewayTranslationAclRules | Queries the private NAT gateway's source port access control rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| CreatePrivateNatGatewayDestinationIpPortTranslationNatRule | Creates the private NAT gateway's destination port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| DeletePrivateNatGatewayDestinationIpPortTranslationNatRule | Deletes the private NAT gateway's destination port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| ModifyPrivateNatGatewayDestinationIpPortTranslationNatRule | Modifies the private NAT gateway's destination port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| DescribePrivateNatGatewayDestinationIpPortTranslationNatRules | Queries the private NAT gateway's destination port translation rules. | qcs::vpc:$region:$account:intranat/$intranatid |
| DescribePrivateNatGatewayRegions | Queries the supported regions for the private NAT gateway. | qcs::vpc:$region:$account:intranat/* |

Sample Policies

Full Read-Write Policy for All NAT Gateways

Grant a sub-account full administrative permissions for the NAT service, including creation, management, and all other operations.

{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "vpc:*"
            ],
            "resource": "qcs::vpc::$uin:nat/*",
            "effect": "allow"
        }
    ]
}

{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "vpc:*"
            ],
            "resource": "qcs::vpc::$uin:intranat/*",
            "effect": "allow"
        }
    ]
}

Read-Only Policy

Grant a sub-account read-only access to NAT gateways.

{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "vpc:Describe*"
            ],
            "resource": "qcs::vpc::$uin:nat/*",
            "effect": "allow"
        }
    ]
}

{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "vpc:Describe*"
            ],
            "resource": "qcs::vpc::$uin:intranat/*",
            "effect": "allow"
        }
    ]
}

Full Read-Write Policy for a NAT Gateway Under a Specific Tag

{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "*",
            "resource": "*",
            "condition": {
                "for_any_value:string_equal": {
                    "qcs:tag": [
                        "tagkey&tagvalue"
                    ]
                }
            }
        }
    ]
}
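
The sample policies above use wildcard actions (`vpc:*`, `vpc:Describe*`, and `*` in the tag policy, which as written is not limited to NAT gateway actions). The following added example, which is not part of the original Tencent Cloud document, builds a narrower policy from the action table: each requested action is granted only on the resource that table lists for it. Assumptions: the `$account` segment is written as `uin/{Uin}` as in the resource table, `resource` is given as a list, and the region, UIN and gateway ID are constructed placeholder values.

```python
import json

RULE_KINDS = ("TranslationNatRule", "TranslationAclRule",
              "DestinationIpPortTranslationNatRule")

def build_scopes():
    """Action -> resource suffix templates, transcribed from the table above."""
    scopes = {
        "CreatePrivateNatGateway": ["intranat/*", "vpc/*"],
        "DeletePrivateNatGateway": ["intranat/{nat}"],
        "ModifyPrivateNatGatewayAttribute": ["intranat/{nat}"],
        "DescribePrivateNatGateways": ["intranat/*"],
        "DescribePrivateNatGatewayLimits": ["intranat/*", "vpc/{vpc}"],
        "DescribePrivateNatGatewayRegions": ["intranat/*"],
    }
    for kind in RULE_KINDS:  # the twelve per-gateway rule actions
        for verb in ("Create", "Delete", "Modify"):
            scopes[f"{verb}PrivateNatGateway{kind}"] = ["intranat/{nat}"]
        scopes[f"DescribePrivateNatGateway{kind}s"] = ["intranat/{nat}"]
    return scopes

SCOPES = build_scopes()

def build_policy(actions, region, uin, nat_id, vpc_id=None):
    """Grant only `actions`, each on the narrowest resource the table lists."""
    grouped = {}
    for action in actions:
        if action not in SCOPES:
            raise ValueError(f"not in the page's action table: {action}")
        resources = []
        for tmpl in SCOPES[action]:
            if "{vpc}" in tmpl and vpc_id is None:
                raise ValueError(f"{action} needs a VPC ID")
            suffix = tmpl.format(nat=nat_id, vpc=vpc_id)
            resources.append(f"qcs::vpc:{region}:uin/{uin}:{suffix}")
        # Actions that share the same resource list go into one statement.
        grouped.setdefault(tuple(resources), []).append(f"vpc:{action}")
    return {"version": "2.0",
            "statement": [{"effect": "allow", "action": sorted(acts),
                           "resource": list(res)}
                          for res, acts in grouped.items()]}

if __name__ == "__main__":
    # Constructed sample values: region, UIN and gateway ID are placeholders.
    policy = build_policy(
        ["DescribePrivateNatGateways",
         "DescribePrivateNatGatewayTranslationNatRules",
         "ModifyPrivateNatGatewayTranslationNatRule"],
        region="ap-guangzhou", uin="100000000001", nat_id="intranat-example")
    print(json.dumps(policy, indent=4))
```

Actions outside the table, or a VPC-scoped action requested without a VPC ID, raise `ValueError` instead of falling back to a wildcard.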