
Access Management (CAM)

Last updated: 2024-01-03 10:17:36

    Basic CAM Concepts

    The root account authorizes sub-accounts by associating policies with them. A policy can be scoped down to the individual API, the resource it acts on, the user or user group it applies to, an allow or deny effect, and a condition under which it takes effect.

    Account

    Root account: It owns all Tencent Cloud resources under it and can access any of them.
    Sub-account: A sub-user or a collaborator.
    Sub-user: An identity created by, and fully owned by, a root account.
    Collaborator: Another Tencent Cloud root account that has been added as a collaborator of the current root account. Within the current root account it acts as one of its sub-accounts; it can switch back to its own root account identity at any time.
    Identity credential: Either a login credential or an access credential. A login credential is a user's login name and password. An access credential is a Tencent Cloud API key pair (SecretId and SecretKey). A key pair authenticates the same identity as the console login, so a leaked SecretKey carries every permission granted to that user.

    Resource and permission

    Resource: An object manipulated by a Tencent Cloud service. TDMQ for CMQ resources are topics and queues.
    Permission: An authorization that allows or forbids a user to perform certain operations. By default, a root account has full access to all resources under it, while a sub-account has no access to any resource under its root account until a policy grants it.
    Policy: A syntax rule that defines and describes one or more permissions. The root account grants permissions by associating policies with users or user groups.

    Relevant Documents

    The CAM documentation covers the following topics (links not preserved in this copy):
    Understand the relationship between policies and users
    Understand the basic structure of policies
    Check CAM-enabled products

    List of APIs Supporting Resource-Level Authorization

    TDMQ for CMQ supports resource-level authorization: you can grant a specified sub-account permission to call a specified API on a specified resource only, rather than on every queue or topic in the account.
    The APIs that support resource-level authorization, with the resource type and six-segment resource description each one expects, are:
    API Name | API Description | Resource Type | Six-Segment Resource Example
    ModifyCmqTopicAttribute | Modifies TDMQ for CMQ topic attributes | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}
    CreateCmqSubscribe | Creates a TDMQ for CMQ subscription | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}
    ModifyCmqSubscriptionAttribute | Modifies TDMQ for CMQ subscription attributes | Subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${topicName}/${subscriptionName}
    RewindCmqQueue | Rewinds a TDMQ for CMQ queue | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
    ModifyCmqQueueAttribute | Modifies TDMQ for CMQ queue attributes | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
    ClearCmqSubscriptionFilterTags | Clears message subscription tags in TDMQ for CMQ | Subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${topicName}/${subscriptionName}
    ClearCmqQueue | Clears messages in a TDMQ for CMQ queue | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
    DeleteCmqSubscribe | Deletes a TDMQ for CMQ subscription | Subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${topicName}/${subscriptionName}
    DeleteCmqTopic | Deletes a TDMQ for CMQ topic | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}
    BatchReceiveMessage | Consumes messages in batches | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
    UnbindCmqDeadLetter | Unbinds a TDMQ for CMQ dead letter queue | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${sourceQueueName}
    DescribeCmqDeadLetterSourceQueues | Enumerates the source queues of a TDMQ for CMQ dead letter queue | Dead letter queue | qcs::tdmq:${region}:uin/${uin}:dlq/${sourceQueueName}/${deadLetterQueueName}
    DescribeCmqTopics | Enumerates all TDMQ for CMQ topics | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}
    DescribeCmqSubscriptionDetail | Queries TDMQ for CMQ subscription details | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}/${subscriptionName}
    DescribeCmqQueues | Queries all TDMQ for CMQ queues | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
    PublishCmqMsg | Sends a TDMQ for CMQ topic message | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}
    SendCmqMsg | Sends a TDMQ for CMQ queue message | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
    DescribeCmqTopicDetail | Queries TDMQ for CMQ topic details | Topic | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}
    DescribeCmqQueueDetail | Queries TDMQ for CMQ queue details | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}
    DeleteCmqQueue | Deletes a TDMQ for CMQ queue | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName}

    List of APIs Not Supporting Resource-Level Authorization

    API Name | API Description | Six-Segment Resource
    CreateCmqTopic | Creates a TDMQ for CMQ topic | *
    CreateCmqQueue | Creates a TDMQ for CMQ queue | *
    For APIs that do not support resource-level authorization, the resource field must be the asterisk *. A statement that pairs one of these actions with a specific six-segment resource will not match the request, so a sub-user allowed to create queues necessarily gets that permission for the whole account, not for a single queue name.

    Authorization Scheme Examples

    Full access policy

    Grant a sub-user full access to TDMQ for CMQ (creating, managing, and so on). Note that the preset policy QcloudTDMQFullAccess imported below covers the whole TDMQ service, not only CMQ queues.
    1. Log in to the CAM console.
    2. Click Policy on the left sidebar.
    3. In the policy list, click Create Custom Policy.
    4. In the Select Policy Creation Method pop-up window, select Create by Policy Generator.
    5. On the Edit Policy page, click Import Policy Syntax in the top-right corner.
    6. On the Import Policy Syntax page, search for TDMQ, select QcloudTDMQFullAccess in the search results, and click OK.
    7. On the Edit Policy page, click Next, enter the policy name and description, and select the user/user group you want to associate.
    8. Click Complete.

    Read-only access policy

    The following example grants read-only access to a single queue, optionally restricted to a source IP range.
    1. Log in to the CAM console.
    2. Click Policy on the left sidebar.
    3. In the policy list, click Create Custom Policy.
    4. In the Select Policy Creation Method pop-up window, select Create by Policy Generator and enter the policy information:
    Parameter | Description
    Effect | Select Allow
    Service | Select TDMQ
    Action | Select Read operation
    Resource | Select Specific resources and click Add six-segment resource description. Region: select the resource region. Account: populated automatically. Resource Prefix: queue. Resource: enter the name of the queue you want to authorize.
    Condition | (Optional) Allow the selected operations only when the request comes from a specified IP range.
    5. Click Next, enter the policy name and description, and select the user/user group you want to associate.
    6. Click Complete.
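    The two console procedures above produce CAM policy documents; the following Python script, added here as an example and not Tencent Cloud's own code, builds the same read-only, single-queue, IP-restricted policy as a JSON document and then lints it against the two API tables on this page. It flags a Create* action paired with a specific resource (which cannot match), an allow statement on "*" for an action that supports resource-level authorization (broader than necessary), a resource whose prefix does not fit the action (for example a queue resource on PublishCmqMsg), and malformed six-segment strings. The policy syntax (version "2.0", statement/effect/action/resource/condition, the ip_equal operator with the qcs:ip key) is the documented CAM format; the UIN, region, queue name and CIDR are constructed sample values.

```python
"""Build and lint a least-privilege CAM policy for TDMQ for CMQ.

Added example, not Tencent Cloud's code. Action names and six-segment
resource prefixes come from the tables on this page; account UIN, region,
queue name and IP range used below are made-up sample values.
"""
import json
import re

# Actions that support resource-level authorization and the six-segment
# resource prefix each one expects (from the page's table).
RESOURCE_PREFIX = {
    "tdmq:DescribeCmqQueueDetail": "queue",
    "tdmq:DescribeCmqQueues": "queue",
    "tdmq:SendCmqMsg": "queue",
    "tdmq:BatchReceiveMessage": "queue",
    "tdmq:ClearCmqQueue": "queue",
    "tdmq:RewindCmqQueue": "queue",
    "tdmq:ModifyCmqQueueAttribute": "queue",
    "tdmq:DeleteCmqQueue": "queue",
    "tdmq:DescribeCmqTopicDetail": "topic",
    "tdmq:DescribeCmqTopics": "topic",
    "tdmq:PublishCmqMsg": "topic",
    "tdmq:ModifyCmqTopicAttribute": "topic",
    "tdmq:DeleteCmqTopic": "topic",
    "tdmq:CreateCmqSubscribe": "topic",
    "tdmq:ModifyCmqSubscriptionAttribute": "subscription",
    "tdmq:ClearCmqSubscriptionFilterTags": "subscription",
    "tdmq:DeleteCmqSubscribe": "subscription",
}

# Actions that do not support resource-level authorization: resource must be "*".
WILDCARD_ONLY = {"tdmq:CreateCmqQueue", "tdmq:CreateCmqTopic"}

# qcs::tdmq:<region>:uin/<uin>:<prefix>/<name>
SIX_SEGMENT = re.compile(
    r"^qcs::tdmq:(?P<region>[a-z]+(?:-[a-z0-9]+)+):uin/(?P<uin>\d+):"
    r"(?P<prefix>queue|topic|subscription|dlq)/(?P<name>\S+)$"
)


def queue_resource(region: str, uin: str, queue_name: str) -> str:
    """Six-segment description of one queue, as the console generates it."""
    return f"qcs::tdmq:{region}:uin/{uin}:queue/{queue_name}"


def read_only_queue_policy(region: str, uin: str, queue_name: str, cidr: str) -> dict:
    """Read-only access to a single queue, limited to requests from `cidr`.

    Only Describe* actions are granted: receiving messages removes them from
    the queue, so it is not read-only in effect even though it reads data.
    """
    return {
        "version": "2.0",
        "statement": [{
            "effect": "allow",
            "action": ["tdmq:DescribeCmqQueueDetail", "tdmq:DescribeCmqQueues"],
            "resource": [queue_resource(region, uin, queue_name)],
            "condition": {"ip_equal": {"qcs:ip": cidr}},
        }],
    }


def full_access_policy() -> dict:
    """Shape of a full-access grant: every tdmq action on every resource."""
    return {"version": "2.0",
            "statement": [{"effect": "allow", "action": "tdmq:*", "resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return findings: wildcard allows, Create* on a specific resource, allow on
    '*' where resource-level authorization exists, wrong prefix, malformed ARN."""
    findings = []
    for i, st in enumerate(policy.get("statement", [])):
        allow = st.get("effect") == "allow"
        for action in _as_list(st.get("action", [])):
            if action.endswith("*"):
                if allow:
                    findings.append(f"statement {i}: wildcard action {action!r} grants every operation")
                continue
            for res in _as_list(st.get("resource", [])):
                if action in WILDCARD_ONLY:
                    if res != "*":
                        findings.append(f"statement {i}: {action} does not support "
                                        "resource-level authorization; resource must be '*'")
                elif action in RESOURCE_PREFIX:
                    if res == "*":
                        if allow:
                            findings.append(f"statement {i}: {action} supports "
                                            "resource-level authorization but is allowed on '*'")
                        continue
                    m = SIX_SEGMENT.match(res)
                    if m is None:
                        findings.append(f"statement {i}: malformed six-segment resource {res!r}")
                    elif m["prefix"] != RESOURCE_PREFIX[action]:
                        findings.append(f"statement {i}: {action} expects a "
                                        f"{RESOURCE_PREFIX[action]} resource, got {m['prefix']!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the UIN, region, queue name and CIDR are made up.
    policy = read_only_queue_policy("ap-guangzhou", "100000000001", "orders", "203.0.113.0/24")
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
    print("findings:", lint_policy(full_access_policy()))
```

Paste the printed JSON into the policy editor's syntax view to compare it with what the generator produced; the lint findings are the review checklist for any hand-written TDMQ policy, in particular the reminder that CreateCmqQueue and CreateCmqTopic can only ever be granted account-wide.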