- Release Notes
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Practical Tutorial
- Use of GitHub Actions in TEM
- Hosting a Static Website
- Public Network Access of TEM Applications
- TEM Application Access to Public Network (Through API Gateway)
- TEM Application Failure Troubleshooting Guide
- Quick Access to TEM Application Through API Gateway
- Java Application Fine-Tuning
- Migration from Java 8 to Java 11
- API Documentation
- FAQs
- Contact Us
- Glossary
- TEM Policy
- Release Notes
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Practical Tutorial
- Use of GitHub Actions in TEM
- Hosting a Static Website
- Public Network Access of TEM Applications
- TEM Application Access to Public Network (Through API Gateway)
- TEM Application Failure Troubleshooting Guide
- Quick Access to TEM Application Through API Gateway
- Java Application Fine-Tuning
- Migration from Java 8 to Java 11
- API Documentation
- FAQs
- Contact Us
- Glossary
- TEM Policy
Basic CAM Concepts
A root account authorizes sub-accounts by binding policies. The policy settings can be specific to the level of API, Resource, User/User Group, Allow/Deny, and Condition.
User type
Root account: A root accounts owns all the resources in Tencent Cloud and can access any of these resources.
Sub-account: Sub-accounts include sub-users, WeCom sub-users, collaborators, and message recipients.
For detailed definitions of the root account and sub-accounts and descriptions of their features, see User Types.
Resources and Permissions
Resource: An object that Tencent Cloud services operate on, such as a CVM instance, a COS bucket, or a VPC instance.
Permission: An authorization to allow or forbid users to perform certain operations. By default, a root account has full access to all resources under the account, while a sub-account does not have access to any resources under its root account.
Policy: Syntax rule to define and describe one or more permissions. A root account performs authorization by associating policies with users/user groups.
Using TEM with a Sub-account
To allow a sub-account such as collaborator to use TEM, you need to complete the following authorization operations:
1. To pass a role and its policies to TEM, the user must have the permission to pass roles to the service, i.e., the PassRole policy must be created. For detailed directions, see Granting the
PassRole policy.2. The permission to use TEM is required. You can grant the target sub-account the
QcloudTEMFullAccess or QcloudTEMReadOnlyAccess policy to grant it full or read-only access to TEM. For detailed directions, see Granting the permission to use TEM.3. TEM may call other Tencent Cloud products when used, so the root account needs to authorize the target sub-account accordingly. For more information, see Granting permissions to access other Tencent Cloud products.
Granting the PassRole policy
Step 1. Create policies
1. Log in to the CAM console.
2. On the left sidebar, click Policies to enter the policy management page.
3. Click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, click Create by Policy Syntax.
5. On the Create by Policy Syntax page, select Blank Template and click Next.
6. Enter the policy name and content and click Create Policy. Use the root account or a sub-account with admin permissions to create the following two custom policies:
Access to resources of Tencent Cloud products other than CLS:
{"version": "2.0","statement": {"effect": "allow","action": "cam:PassRole","resource": "qcs::cam::uin/${OwnerUin}:role/tencentcloudServiceRoleName/TEM_QCSLinkedRoleInAccessCluster"}}
Access to CLS resources:
{"version": "2.0","statement": {"effect": "allow","action": "cam:PassRole","resource": "qcs::cam::uin/${OwnerUin}:role/tencentcloudServiceRoleName/TEM_QCSLinkedRoleInTEMLog"}}
Here,
${OwnerUin} is the root account ID, which can be obtained on the Account Info page in the console.Step 2. Bind the policies to the user
1. On the left sidebar, click User > User List to enter the user management page.
2. Select the target user and click Authorize in the Operation column.
3. Filter the policies created in step 1 in the Policy List.
4. Click OK to bind the policies, which will be displayed in the Policy List of the user.
Granting the permission to use TEM
Full access policy
Grant a sub-user full access (including resource creation and management) to the TEM service.
{"version": "2.0","statement": [{"action": "tem:*","resource": "*","effect": "allow"}]}
1. Log in to the CAM console.
2. Click Policies on the left sidebar.
3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Syntax.
5. In Template Type, search for "tem", select QcloudTEMFullAccess (full access to TEM), and click Next.
6. Click Complete.
Subsequent operation: Bind the created policy to the target user.
Read-only policy
Grant a sub-user read-only access to the TEM service.
{"version": "2.0","statement": [{"action": ["tem:Describe*"],"resource": "*","effect": "allow"}]}
1. Log in to the CAM console.
2. Click Policies on the left sidebar.
3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Syntax.
5. In Template Type, search for "tem", select QcloudTEMReadOnlyAccess (read-only access to TEM), and click Next.
6. Click Create Policy.
Granting permissions to access other Tencent Cloud products
TEM may call the following Tencent Cloud products when used, so the root account needs to authorize the target sub-account separately to ensure that the sub-account can use TEM product features normally:
Below is the sample code for authorization:
{"version": "2.0","statement": [{"effect": "allow","action": ["cam:DescribeRoleList","cvm:DescribeSecurityGroups","vpc:DescribeVpcEx","vpc:DescribeSubnetEx","tse:DescribeSREInstances","cls:DescribeLogsets","cls:DescribeTopics","cfs:DescribeCfsFileSystems","ssl:DescribeCertificate","tcr:DescribeRepositoryOwnerPersonal","tcr:DescribeRepositories","tcr:DescribeInstances","tcr:DescribeInternalEndpoints","tcr:CreateInstanceToken"],"resource":["*"]}]}
Yes
No
Was this page helpful?