Access Acquisition by Sub-account

Tencent Cloud Elastic Microservice

Release Notes and Announcements

Announcements

Announcement about TEM TEM returning to Beta Testing

Product Introduction

Purchase Guide

Getting Started

Step 1. Get the Access Permission

Access Acquisition by Root Account

Access Acquisition by Sub-account

Step 2. Create an Environment

Step 3. Create an Application

Step 4. Deploy the Application

Deploying a General Application

Deploying Microservice Application

Operation Guide

Practical Tutorial

Use of GitHub Actions in TEM

Hosting a Static Website

Public Network Access of TEM Applications

TEM Application Access to Public Network (Through API Gateway)

TEM Application Failure Troubleshooting Guide

Quick Access to TEM Application Through API Gateway

Java Application Fine-Tuning

Migration from Java 8 to Java 11

API Documentation

Making API Requests

Application APIs

ModifyApplicationInfo

GenerateApplicationPackageDownloadUrl

Application Version APIs

RestartApplication

DeleteApplication

StopApplication

DescribeApplicationsStatus

Environment APIs

DescribeEnvironmentStatus

Resource APIs

ModifyIngress

DescribeRelatedIngresses

RollingUpdateApplicationByVersion

RestartApplicationPod

DescribeApplicationPods

DeployApplication

RollingUpdateApplicationByVersion

Service APIs

DescribeApplications

Workload APIs

DescribeApplicationInfo

Access Policy APIs

ModifyApplicationService

DescribeApplicationServiceList

DeleteApplicationService

CreateApplicationService

Configuration file APIs

ModifyConfigData

DestroyConfigData

DescribeConfigDataList

Log collecting APIs

DescribePagedLogConfigList

DescribeLogConfig

CreateLogConfig

Scaling Rule APIs

ModifyApplicationAutoscaler

EnableApplicationAutoscaler

DisableApplicationAutoscaler

DescribeApplicationAutoscalerList

DeleteApplicationAutoscaler

CreateApplicationAutoscaler

Other APIs

FAQs

TEM Policy

Data Privacy and Security Agreement

DocumentationTencent Cloud Elastic MicroserviceGetting StartedStep 1. Get the Access PermissionAccess Acquisition by Sub-account

Access Acquisition by Sub-account

Download PDF

Last updated: 2024-01-09 12:00:35

Access Acquisition by Sub-account

Last updated: 2024-01-09 12:00:35

Download PDF

Basic CAM Concepts
A root account authorizes sub-accounts by binding policies. The policy settings can be specific to the level of API, Resource, User/User Group, Allow/Deny, and Condition.
User type
Root account: A root accounts owns all the resources in Tencent Cloud and can access any of these resources.
Sub-account: Sub-accounts include sub-users, WeCom sub-users, collaborators, and message recipients.
For detailed definitions of the root account and sub-accounts and descriptions of their features, see User Types.
Resources and Permissions
Resource: An object that Tencent Cloud services operate on, such as a CVM instance, a COS bucket, or a VPC instance.
Permission: An authorization to allow or forbid users to perform certain operations. By default, a root account has full access to all resources under the account, while a sub-account does not have access to any resources under its root account.
Policy: Syntax rule to define and describe one or more permissions. A root account performs authorization by associating policies with users/user groups.
Using TEM with a Sub-account
To allow a sub-account such as collaborator to use TEM, you need to complete the following authorization operations:
1. To pass a role and its policies to TEM, the user must have the permission to pass roles to the service, i.e., the PassRole policy must be created. For detailed directions, see Granting the PassRole policy.
2. The permission to use TEM is required. You can grant the target sub-account the QcloudTEMFullAccess or QcloudTEMReadOnlyAccess policy to grant it full or read-only access to TEM. For detailed directions, see Granting the permission to use TEM.
3. TEM may call other Tencent Cloud products when used, so the root account needs to authorize the target sub-account accordingly. For more information, see Granting permissions to access other Tencent Cloud products.
Granting the PassRole policy
Step 1. Create policies
1. Log in to the CAM console.
2. On the left sidebar, click Policies to enter the policy management page.
3. Click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, click Create by Policy Syntax.
5. On the Create by Policy Syntax page, select Blank Template and click Next.
6. Enter the policy name and content and click Create Policy. Use the root account or a sub-account with admin permissions to create the following two custom policies:
Access to resources of Tencent Cloud products other than CLS:
{
     "version": "2.0",
     "statement": {
             "effect": "allow",
             "action": "cam:PassRole",
             "resource": "qcs::cam::uin/${OwnerUin}:role/tencentcloudServiceRoleName/TEM_QCSLinkedRoleInAccessCluster"
     }
}
Access to CLS resources:
{
     "version": "2.0",
     "statement": {
             "effect": "allow",
             "action": "cam:PassRole",
             "resource": "qcs::cam::uin/${OwnerUin}:role/tencentcloudServiceRoleName/TEM_QCSLinkedRoleInTEMLog"
     }
}
Here, ${OwnerUin} is the root account ID, which can be obtained on the Account Info page in the console.
Step 2. Bind the policies to the user
1. On the left sidebar, click User > User List to enter the user management page.
2. Select the target user and click Authorize in the Operation column.
3. Filter the policies created in step 1 in the Policy List.
4. Click OK to bind the policies, which will be displayed in the Policy List of the user.
Granting the permission to use TEM
Full access policy
Grant a sub-user full access (including resource creation and management) to the TEM service.
{
    "version": "2.0",
    "statement": [
        {
            "action": "tem:*",
            "resource": "*",
            "effect": "allow"
        }
    ]
}
You can also configure the system's full read/write policy to support this permission.
1. Log in to the CAM console.
2. Click Policies on the left sidebar.
3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Syntax.
5. In Template Type, search for "tem", select QcloudTEMFullAccess (full access to TEM), and click Next.
6. Click Complete.
Subsequent operation: Bind the created policy to the target user.
Read-only policy
Grant a sub-user read-only access to the TEM service.
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "tem:Describe*"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
You can also configure the system's read-only policy to support this permission.
1. Log in to the CAM console.
2. Click Policies on the left sidebar.
3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Syntax.
5. In Template Type, search for "tem", select QcloudTEMReadOnlyAccess (read-only access to TEM), and click Next.
6. Click Create Policy.
Granting permissions to access other Tencent Cloud products
TEM may call the following Tencent Cloud products when used, so the root account needs to authorize the target sub-account separately to ensure that the sub-account can use TEM product features normally:
Below is the sample code for authorization:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cam:DescribeRoleList",
                "cvm:DescribeSecurityGroups",
                "vpc:DescribeVpcEx",
                "vpc:DescribeSubnetEx",
                "tse:DescribeSREInstances",
                "cls:DescribeLogsets",
                "cls:DescribeTopics",
                "cfs:DescribeCfsFileSystems",
                "ssl:DescribeCertificate",
                "tcr:DescribeRepositoryOwnerPersonal",
                "tcr:DescribeRepositories",
                "tcr:DescribeInstances",
                "tcr:DescribeInternalEndpoints",
                "tcr:CreateInstanceToken"
            ],
            "resource":[
                "*"
            ]
        }
    ]
}
﻿

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

tencent cloud

New User Offers

Next-Generation CDN：EdgeOne

Elasticsearch Service Special Offers

Free Tier

Tencent Cloud Startup Program

Special Offers

Lighthouse Special Offers

Cloud Object Storage Special Offers

Featured Products

New Products

Education

Tencent Cloud Online Education Solutions

Gaming

Gaming Solution

Game Media Solutions

Financial Services

Financial Services Solution

Audio & Video

Audio/Video Solution

LVB Recording Solution

Interactive Classroom Solution

Interactive Live Streaming Solution

Audio Chat Social Networking Solution

Real Estate

Tencent Cloud LinkBase(Weiling)

E-commerce

E-commerce retail solutions

Compute

Cloud Virtual Machine

Auto Scaling

Batch Compute

CVM Dedicated Host

Database

TencentDB for MySQL

TencentDB for Redis®

TencentDB for CTSDB

TDSQL for MySQL

Data Transfer Service

TencentDB for MongoDB

TencentDB for PostgreSQL

TencentDB for SQL Server

TencentDB for TcaplusDB

Video Service

Cloud Streaming Services

Video on Demand

Media Processing Service

Cloud Application Rendering

Cloud Contact Center

Game Multimedia Engine

Chat

Real-time Communication

Tencent Effect SDK

AI and Machine Learning

Image Creation Large Model

Face Fusion

eKYC

Optical Character Recognition

Video Creation Large Model

Industry Applications

Tencent HealthCare Omics Platform

Container and Middleware

TDMQ for CKafka

Serverless Cloud Function

Tencent Kubernetes Engine

Tencent Kubernetes Engine for Serverless

Networking

Cloud Load Balancer

Virtual Private Cloud

Direct Connect

Cloud Connect Network

NAT Gateway

VPN Connection

Bandwidth Package

Anycast Internet Acceleration

Elastic Network Interface

Flow Logs

Global Application Acceleration Platform

Security

Captcha