Account and Permission Configuration
Last updated: 2024-12-02 10:48:10
This document describes several authorization methods of Serverless Cloud Framework and demonstrates actual operations by configuring sub-account permissions.

Prerequisites

Serverless Cloud Framework enables you to quickly deploy your project to Serverless Application Center (SAC). Before the deployment, please make sure that you have registered a Tencent Cloud account.

Authorization Method

Authorizing by scanning code

When you perform deployment by running scf deploy, you can scan the QR code for quick authorization and deployment. After you grant the authorization by scanning the code, temporary key information (which will expire in 60 minutes) will be generated and written to the .env file in the current directory.
TENCENT_APP_ID=xxxxxx # `AppId` of authorizing account
TENCENT_SECRET_ID=xxxxxx # `SecretId` of authorizing account
TENCENT_SECRET_KEY=xxxxxx # `SecretKey` of authorizing account
TENCENT_TOKEN=xxxxx # Temporary token
For more information about the permissions obtained during quick authorization, see scf_QcsRole role permission list.
Note
If your account is a Tencent Cloud sub-account, policy authorization must first be configured by the root account. For more information about the configuration, see Sub-account Permission Configuration.

Authorizing with local key

The temporary key obtained by scanning the code expires, so authorization has to be repeated. To avoid this, you can authorize with a key. Create a .env file in the root directory of the project to be deployed and configure the Tencent Cloud SecretId and SecretKey information:
# .env
TENCENT_SECRET_ID=xxxxxxxxxx # `SecretId` of your account
TENCENT_SECRET_KEY=xxxxxxxx # `SecretKey` of your account
You can obtain SecretId and SecretKey in API Key Management.
Note
To ensure the account security, we recommend you use a sub-account key for authorization. The sub-account can be used to deploy the project only after being granted the relevant permissions. For more information about the configuration, see Sub-account Permission Configuration.
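
The two .env layouts described above (temporary key from code scanning, and SecretId/SecretKey from API Key Management) can be told apart and checked before a project directory is shared or committed. The following is an added example, not part of the original documentation or of Serverless Cloud Framework; the finding names, the inline-comment stripping, and the literal .gitignore matching are assumptions of this sketch, and the key values are constructed.

```python
import os
import tempfile
from pathlib import Path

KEY_VARS = ("TENCENT_SECRET_ID", "TENCENT_SECRET_KEY")
IGNORE_PATTERNS = {".env", "/.env", ".env*", "*.env"}  # literal match only

def parse_env(text):
    """Parse KEY=value lines, dropping '# ...' comments as in the samples above."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def audit_env(project_dir):
    """Return findings for <project_dir>/.env (empty list if there is none)."""
    project = Path(project_dir)
    env_path = project / ".env"
    if not env_path.is_file():
        return []
    findings = []
    env = parse_env(env_path.read_text())
    if all(env.get(name) for name in KEY_VARS):
        # TENCENT_TOKEN marks the temporary key from code-scan authorization;
        # without it the pair is an API key that does not expire on its own.
        findings.append("temporary-key" if env.get("TENCENT_TOKEN") else "long-lived-key")
    if env_path.stat().st_mode & 0o077:  # any group/other permission bit (POSIX)
        findings.append("group-or-other-access")
    gitignore = project / ".gitignore"
    lines = gitignore.read_text().splitlines() if gitignore.is_file() else []
    if not any(entry.strip() in IGNORE_PATTERNS for entry in lines):
        findings.append("not-in-gitignore")
    return findings

def demo():
    """Audit a constructed project whose .env holds a made-up permanent key."""
    with tempfile.TemporaryDirectory() as tmp:
        env_path = Path(tmp) / ".env"
        env_path.write_text("TENCENT_SECRET_ID=EXAMPLEID # constructed\n"
                            "TENCENT_SECRET_KEY=EXAMPLEKEY # constructed\n")
        os.chmod(env_path, 0o644)
        return audit_env(tmp)

if __name__ == "__main__":
    print(demo())
```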

Configuring with permanent key

You can run the scf credentials command to store key information persistently as global authorization information. This command must be run inside an existing SCF project. Make sure that you have created a project with serverless.yml by using scf init or manually.
Below are all the commands:
scf credentials              Manage global user authorization information
  set                        Store user authorization information
    --secretId / -i          (Required) `secretId` of the Tencent Cloud CAM account
    --secretKey / -k         (Required) `secretKey` of the Tencent Cloud CAM account
    --profile / -n {name}    Authorization name, which is `default` by default
    --overwrite / -o         Overwrite the key with an existing authorization name
  remove                     Remove user authorization information
    --profile / -n {name}    (Required) Authorization name
  list                       View user authorization information
Configure global authorization information:
# Configure authorization information through the default profile name
$ scf credentials set --secretId xxx --secretKey xxx

# Configure authorization information through the specified profile name
$ scf credentials set --secretId xxx --secretKey xxx --profile profileName1

# Update the authorization information in the specified profile name
$ scf credentials set --secretId xxx --secretKey xxx --profile profileName1 --overwrite
Delete the global authorization information:
$ scf credentials remove --profile profileName1
View all the current authorization information:
$ scf credentials list
Perform deployment by using the global authorization information:
# Deploy through the default profile
$ scf deploy
# Deploy through the specified profile
$ scf deploy --profile newP
# Ignore global variables and scan the QR code for deployment
$ scf deploy --login

Sub-account Permission Configuration

Directions

If you use a Tencent Cloud sub-account, it does not have the operation permissions by default; therefore, it needs to be authorized by the root account (or a sub-account with the authorization permission) in the following steps:
1. On the CAM User List page, select the target sub-account and click Authorize in the Action column.


2. Search for and select QcloudscfFullAccess in the pop-up window and click OK to grant the sub-account the permission to manipulate all Serverless Cloud Framework resources.



3. On the CAM User List page, select the target sub-account and click the username to go to the user details page.



4. Click Associate Policy. On the policy adding page, click the Select policies from the policy list tab, and then click Create Custom Policy.
[Screenshot: policy association page]
[Screenshot: policy creation page]



5. Choose Create by Policy Syntax > Blank Template and enter the following content. Make sure to replace the role parameter with the UIN of your root account:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "cam:PassRole"
            ],
            "resource": [
                "qcs::cam::uin/${Enter the UIN of your account}:roleName/scf_QcsRole"
            ],
            "effect": "allow"
        },
        {
            "resource": [
                "*"
            ],
            "action": [
                "name/sts:AssumeRole"
            ],
            "effect": "allow"
        }
    ]
}
6. After completing the custom policy configuration, go back to the authorization page in step 4, search for the custom policy just created, click Next, and then click OK to grant the sub-account the operation permissions of scf_QcsRole. At this point, your sub-account should have a custom policy and a preset policy QcloudscfFullAccess and can use Serverless Cloud Framework normally.

Note
In addition to the permission to call the default scf_QcsRole role, you can also grant the sub-account the permission to call a custom role and control the sub-account permissions with refined permission policies in the custom role. For more information, see Configuring Role for Specified Operation.
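
Before pasting the custom policy from step 5 into the console, it can be reviewed for two things: a UIN placeholder that was never substituted, and role actions granted on every resource rather than on one named role. The following is an added example, not part of the original documentation; the finding names are assumptions of this sketch, and the UIN used in any substituted copy must be your own.

```python
import json
import re

PLACEHOLDER = re.compile(r"\$\{[^}]*\}")
ROLE_ACTIONS = (":PassRole", ":AssumeRole")

# The policy from step 5, placeholder left in place as on the page.
PAGE_POLICY = """
{"version": "2.0", "statement": [
  {"action": ["cam:PassRole"],
   "resource": ["qcs::cam::uin/${Enter the UIN of your account}:roleName/scf_QcsRole"],
   "effect": "allow"},
  {"resource": ["*"], "action": ["name/sts:AssumeRole"], "effect": "allow"}
]}
"""

def as_list(value):
    """Tolerate a bare string where the page uses a list."""
    return [value] if isinstance(value, str) else list(value or [])

def review_policy(policy_text):
    """Return (statement index, finding, offending value) tuples."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_text).get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        actions = as_list(stmt.get("action"))
        for res in as_list(stmt.get("resource")):
            if PLACEHOLDER.search(res):
                # Template text was pasted without substituting the UIN
                findings.append((idx, "unreplaced-placeholder", res))
            if res == "*":
                # Role actions on every resource: not limited to one role
                findings.extend((idx, "role-action-on-any-resource", act)
                                for act in actions if act.endswith(ROLE_ACTIONS))
    return findings

if __name__ == "__main__":
    for finding in review_policy(PAGE_POLICY):
        print(finding)
```

The second finding is reported for the policy exactly as the page gives it; whether to narrow that statement to a custom role is the decision the note above describes.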

scf_QcsRole role permission list

| Policy | Description |
| --- | --- |
| QcloudCOSFullAccess | Full access to Tencent Cloud Object Storage (COS). |
| QcloudSCFFullAccess | Full access to Serverless Cloud Function (SCF). |
| QcloudSSLFullAccess | Full access to SSL Certificate Service. |
| QcloudTCBFullAccess | Full access to Tencent CloudBase (TCB). |
| QcloudAPIGWFullAccess | Full access to API Gateway. |
| QcloudVPCFullAccess | Full access to Virtual Private Cloud (VPC). |
| QcloudMonitorFullAccess | Full access to Cloud Monitor. |
| QcloudslsFullAccess | Full access to Serverless Cloud Framework (SLS). |
| QcloudCDNFullAccess | Full access to Content Delivery Network (CDN). |
| QcloudCKafkaFullAccess | Full access to CKafka. |
| QcloudCodingFullAccess | Full access to CODING DevOps. |
| QcloudPostgreSQLFullAccess | Full access to TencentDB for PostgreSQL. |
| QcloudCynosDBFullAccess | Full access to TencentDB for CynosDB. |
| QcloudCLSFullAccess | Full access to Tencent Cloud Log Service (CLS). |
| QcloudAccessForscfRole | This policy can be associated with the service role (scf_QCSRole) of Serverless Cloud Framework to access other Tencent Cloud service resources by using the quick experience feature of Serverless Cloud Framework. The scf_QCSRole role has the permissions to perform CAM-related operations. |
