Basic CAM Concepts
The root account authorizes sub-accounts by associating policies. The policy setting can be specific to the level of [API, Resource, User/User Group, Allow/Deny, and Condition].
Account
Root account: It owns all Tencent Cloud resources and can access any of its resources.
Sub-account: It includes sub-users and collaborators.
Sub-user: It is created and fully owned by a root account.
Collaborator: It has the identity of a root account. After it is added as a collaborator of the current root account, it becomes one of the sub-accounts of the current root account and can switch back to its root account identity.
Identity credential: It includes login credentials and access certificates. Login credential refers to a user's login name and password. Access certificate refers to Tencent Cloud API keys (SecretId and SecretKey).
Resource and permission
Resource: It is an object manipulated in Tencent Cloud services. TDMQ for CMQ resources include topics and queues.
Permission: It is an authorization that allows or forbids users to perform certain operations. By default, a root account has full access to all resources under it, while a sub-account does not have access to any resources under its root account.
Policy: It is a syntax rule that defines and describes one or more permissions. The root account performs authorization by associating policies with users/user groups.
Relevant Documents
|
Understand the relationship between policies and users | |
Understand the basic structure of policies | |
Check CAM-enabled products | |
List of APIs Supporting Resource-Level Authorization
TDMQ for CMQ supports resource-level authorization. You can grant a specified sub-account the API permission of a specified resource.
APIs supporting resource-level authorization include:
|
| Modifies TDMQfor CMQ topic attributes | | qcs::tdmq:${region}:uin/${uin}:topic/${topicName} |
| Creates a TDMQ for CMQ subscription | | qcs::tdmq:${region}:uin/${uin}:topic/${topicName} |
ModifyCmqSubscriptionAttribute | Modifies TDMQf for CMQ subscription attributes | | qcs::tdmq:${region}:uin/${uin}:subscription/${topicName}/${subscriptionName} |
| Rewinds a TDMQf for CMQ queue | | qcs::tdmq:${region}:uin/${uin}:queue/${queueName} |
| Modifies TDMQ for CMQ queue attributes | | qcs::tdmq:${region}:uin/${uin}:queue/${queueName} |
ClearCmqSubscriptionFilterTags | Clears message subscription tags in TDMQ for CMQ | | qcs::tdmq:${region}:uin/${uin}:subscription/${topicName}/${subscriptionName} |
| Clears messages in a TDMQ for CMQ queue | | qcs::tdmq:${region}:uin/${uin}:queue/${queueName} |
| Deletes a TDMQ for CMQ subscription | | qcs::tdmq:${region}:uin/${uin}:subscription/${topicName}/${subscriptionName} |
DeleteCmqTopic | Deletes a TDMQ for CMQ topic | | qcs::tdmq:${region}:uin/${uin}:topic/${topicName} |
BatchReceiveMessage | Consumes messages in batches | Queue | qcs::tdmq:${region}:uin/${uin}:queue/${queueName} |
| Unbinds a TDMQ for CMQ dead letter queue | | qcs::tdmq:${region}:uin/${uin}:queue/${sourceQueueName} |
DescribeCmqDeadLetterSourceQueues | Enumerates the source queues of a TDMQ for CMQ dead letter queue | | qcs::tdmq:${region}:uin/${uin}:dlq/${sourceQueueName}/${deadLetterQueueName} |
| Enumerates all TDMQ for CMQ topics | | qcs::tdmq:${region}:uin/${uin}:topic/${topicName} |
DescribeCmqSubscriptionDetail | Queries TDMQ for CMQ subscription details | | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}/${subscriptionName} |
| Queries all TDMQ for CMQ queues | | qcs::tdmq:${region}:uin/${uin}:queue/${queueName} |
| Sends a TDMQ for CMQ topic message | | qcs::tdmq:${region}:uin/${uin}:topic/${topicName} |
| Sends a TDMQ for CMQ message | | qcs::tdmq:${region}:uin/${uin}:queue/${queueName} |
| Queries TDMQ for CMQ topic details | | qcs::tdmq:${region}:uin/${uin}:topic/${topicName}qcs::tdmq:${region}:uin/${uin}:queue/${queueName} |
| Queries TDMQ for CMQ queue details | | qcs::tdmq:${region}:uin/${uin}:queue/${queueName} |
| Deletes a TDMQ for CMQ queue | | qcs::tdmq:${region}:uin/${uin}:queue/${queueName} |
List of APIs Not Supporting Resource-Level Authorization
|
| Creates a TDMQ for CMQ topic | |
| Creates a TDMQ for CMQ queue | |
For APIs that do not support resource-level authorization, the resource field can be configured with an asterisk *.
Authorization Scheme Examples
Full access policy
Grant a sub-user full access to the TDMQ for CMQ queue service (for creating, managing, etc.).
2. Click Policy on the left sidebar.
3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Policy Generator.
5. On the Edit Policy page, click Import Policy Syntax in the top-right corner.
6. On the Import Policy Syntax page, search for TDMQ, select QcloudTDMQFullAccess in the search results, and click OK.
7. On the Edit Policy page, click Next, enter the policy name and description, and select the user/user group you want to associate.
8. Click Complete.
Read-only access policy
The following takes granting the read-only permission of a queue service as an example.
2. Click Policy on the left sidebar.
3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Policy Generator and enter the policy information.
|
| |
| |
| |
| Select Specific resources and click Add six-segment resource description Region: Select the resource region Account: it is automatically populated Resource Prefix: queue Enter the name of the queue service you want to authorize |
| Allow access to specified operations only when the request is from the specified IP range |
5. Click Next, enter the policy name and description, and select the user/user group you want to associate.
6. Click Complete.
