Basic Concepts in CAM
The root account authorizes sub-accounts by associating them with policies. The policies can be configured to the granularity of API, Resource, User/User Group, Allow/Deny, and Condition.
Account System
Root Account: Possesses all Tencent Cloud resources and has the capability to access any of its resources.
Sub-account: Comprised of sub-users and collaborators.
Sub-user: Created and fully owned by a root account.
Collaborator: Has the identity of a root account of its own. When that account is added as a collaborator of the current root account, it becomes one of the current root account's sub-accounts and can switch back to its original root account identity at any time.
Identity Credentials: Includes both login credentials and access certificates. Login Credentials refer to usernames and passwords, and Access Certificates refer to API keys (SecretId and SecretKey).
Resources and Permissions
Resources: An object within the cloud service that is subjected to operations, such as a CVM instance, a COS bucket, and a VPC instance.
Permissions: Permissions allow or deny specific users to perform specific actions. By default, the root account has unrestricted access to all resources under it, while a sub-account has no access to any resource under its root account until it is granted.
Policy: A syntactical guideline that defines and describes one or more permissions. The root account performs authorization by associating policies with users/user groups.
Sub-account Using RocketMQ
To ensure that a sub-account can successfully use RocketMQ, the root account must grant authorization to the sub-account.
Use the root account to log in to the CAM console, locate the appropriate sub-account within the sub-account list, and then click on Authorize in the action column. RocketMQ offers two preset policies for sub-accounts: QcloudTrocketReadOnlyaccess and QcloudTrocketFullAccess. The former only allows viewing related information in the console, and the latter allows read and write operations on the product console.
Apart from the preceding preset policies, the root account also needs to grant the sub-account permission to call the other cloud services that the RocketMQ console depends on; otherwise parts of the console will not work for the sub-account. Using RocketMQ involves the following cloud service API permissions:
| Cloud Service | API | API Description | Purpose in RocketMQ |
| --- | --- | --- | --- |
| TCOP (Monitor) | GetMonitorData | Queries monitoring metric data | Views the corresponding monitoring metrics displayed in the console |
| TCOP (Monitor) | DescribeDashboardMetricData | Queries monitoring metric data | Views the corresponding monitoring metrics displayed in the console |
| Resource tags | DescribeResourceTagsByResourceIds | Queries resource tags | Views the resource tags of the cluster |
To grant the preceding permissions to a sub-account, the root account needs to perform the Create Custom Policy operation on the Policies page of the CAM console. Click Create by policy syntax, select Blank Template, and enter the following policy syntax:

```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "monitor:GetMonitorData",
        "monitor:DescribeDashboardMetricData",
        "tag:DescribeResourceTagsByResourceIds"
      ],
      "resource": [
        "*"
      ]
    }
  ]
}
```
After creating the policy, associate it with the sub-account from the operation column. See the following figure:
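As an added example (not part of the Tencent Cloud documentation), the following Python checker loads a copy of the custom policy above and lets you verify, before attaching it, which actions it grants and whether any statement is broader than the three read-only APIs the page calls for. It assumes the CAM decision model the page implies (a sub-account starts with no access, an explicit deny overrides any allow) and treats `*` in `action` and `resource` as a wildcard; both are assumptions of this example.

```python
import fnmatch
import json

# Constructed copy of the custom policy shown on this page.
ROCKETMQ_EXTRA_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "monitor:GetMonitorData",
        "monitor:DescribeDashboardMetricData",
        "tag:DescribeResourceTagsByResourceIds"
      ],
      "resource": ["*"]
    }
  ]
}
""")


def _as_list(value):
    """A policy field may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def evaluate(policy, action, resource="*"):
    """Return 'allow' or 'deny' for one action on one resource.

    Assumed decision model: default deny, explicit deny overrides allow,
    and '*' in an action or resource pattern is a wildcard.
    """
    decision = "deny"
    for stmt in policy["statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["effect"] == "deny":
            return "deny"  # an explicit deny is final
        decision = "allow"
    return decision


def broad_grants(policy):
    """List (statement index, action pattern) for allow statements that use a
    wildcard action such as '*' or 'monitor:*' instead of named APIs."""
    findings = []
    for idx, stmt in enumerate(policy["statement"]):
        if stmt["effect"] == "allow":
            findings.extend((idx, p) for p in _as_list(stmt["action"]) if p.endswith("*"))
    return findings
```

Run `broad_grants` on any custom policy before associating it with a sub-account; an empty result means every allow statement names its APIs explicitly, as the page's policy does.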