Granting Tag-Level Permissions to Sub-Accounts

Last updated: 2023-09-22 09:40:03

    Overview

    This document describes how to use the root account to authorize sub-accounts at the tag level. After successful authorization, the sub-accounts can control the resources under the authorized tag.

    Prerequisites

    You must have a Tencent Cloud root account and have activated the Cloud Access Management (CAM) service.
    Your root account must have at least one sub-account, and you must have completed the authorization as instructed in Access Authorization for Sub-Accounts.
    You must have at least one TDMQ for RocketMQ cluster instance.
    You must have at least one tag. If you don't have one, go to the Tag console > Tag List to create one.

    Directions

    By using the policy feature in the CAM console, you can grant a sub-account full access to the tagged TDMQ for RocketMQ resources owned by the root account through tag authorization. The following describes the detailed steps for granting the sub-account access to CKafka resources by tag.

    Step 1. Bind tags to resources

    1. Log in to the TDMQ for RocketMQ console and enter the Cluster page.
    
    2. Select the target cluster, click Edit Tag in the upper left corner, and bind the resource tag to the instance.
    

    Step 2. Authorize by Tag

    1. Log in to the CAM console and click Policies on the left sidebar.
    2. Click Create Custom Policy > Authorize by Tag.
    3. In the visual policy generator, enter "tdmq" in Service to filter, and select Tencent Distributed Message Queue (tdmq). Then select All actions in Action, or select specific action types as needed.
    Note
    Currently, some APIs don't support tag authentication. The console page shows which ones.
    
    4. Click Next and enter a policy name as needed.
    5. Click Select Users or Select User Groups to select the users or user groups that need to be granted resource permissions.
    
    6. Click Complete. The sub-account can control the resources under the specified tag according to the policy.
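
    The following added example (not part of the original document or of Tencent Cloud's tooling) audits a policy of the kind Step 2 produces, flagging "All actions" grants and allow statements that are not limited by a tag. It assumes CAM's JSON policy syntax with a qcs:resource_tag condition in "key&value" form; the sample policy and the env&prod tag are constructed for illustration.

```python
import json

# Constructed sample (assumed shape of a tag-scoped CAM policy, not taken from the page).
SAMPLE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"effect": "allow", "action": ["tdmq:*"], "resource": "*",
     "condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["env&prod"]}}},
    {"effect": "allow", "action": ["tdmq:DescribeClusters"], "resource": "*"}
  ]
}
""")

TAG_KEY = "qcs:resource_tag"  # assumed condition key for tag-based authorization


def as_list(value):
    """CAM fields may hold a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def tag_scope(statement):
    """Return the 'key&value' tag pairs a statement is restricted to (empty if none)."""
    tags = []
    for operands in statement.get("condition", {}).values():
        tags += as_list(operands.get(TAG_KEY, []))
    return tags


def audit(policy):
    """Return (statement index, finding) pairs for overly broad allow statements."""
    findings = []
    for index, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue
        actions = as_list(stmt.get("action", []))
        resources = as_list(stmt.get("resource", []))
        tags = tag_scope(stmt)
        if "*" in resources and not tags:
            findings.append((index, "allow on all resources without a tag condition"))
        if tags and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((index, "all actions granted on tags " + ", ".join(tags)))
    return findings


if __name__ == "__main__":
    for index, message in audit(SAMPLE_POLICY):
        print(f"statement {index}: {message}")
```

    The second finding is the case to watch when an action that does not support tag authentication is granted separately: without a tag condition, the allow applies to every resource.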

    Managing Resource Tags

    You can also manage resource tags in a unified manner in the Tag console. The detailed operations are as follows.
    1. Log in to the Tag console.
    2. Select Resource Tag in the left navigation bar, select query conditions as needed, and select Tencent Distributed Message Queue > Cluster in Resource type.
    3. Click Query Resources.
    4. Select the required resources in the result and click Edit Tag to bind or unbind tags in batches.
    

    Other authorization methods
