Cloud Access Management

Last updated: 2022-05-23 15:27:20

    Overview

    Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you manage access permissions for the resources under your Tencent Cloud account. With CAM, you can create, manage, and terminate users or user groups, and use identity and policy management to control which Tencent Cloud resources other users may use. A policy authorizes or blocks the use of specified resources by users for specified tasks; you apply permission control by associating policies with a user or user group.
    TAT is integrated with CAM for permission control.

    Access Control Levels

    TAT supports access control by resource and by tag.
    Resource-level control: Write a policy that grants a sub-account permissions on a single resource. For details, see Creating Custom Policy.
    Control by tags: Add tags to resources and use them for access control.

    Preset Policies

    Preset policy              Permissions granted
    QcloudTATReadOnlyAccess    TAT read-only permission
    QcloudTATFullAccess        TAT read/write permission

    Types of Manageable Resources

    TAT supports resource-level authorization. You can grant a specified sub-account the API permissions of a specified resource.
    In CAM, the types of TAT resources that can be authorized are as follows:

    Resource type            Resource description method in authorization policy
    Remote command-related   qcs::tat:$region:$account:command/$commandId

    APIs supporting action-level authorization include:

    API name        Description         Resource
    CreateCommand   Create a command    *
    APIs supporting resource-level authorization include (resources are given in six-segment format):

    DeleteCommand (Delete a command)
        Resource type: Command
        Resource: qcs::tat:$region:$account:command/$commandId

    DescribeAutomationAgentStatus (Query the agent running status)
        Resource type: CVM instances, Lighthouse instances
        Resource: qcs::cvm:$region:$account:instance/$instanceId
                  qcs::lighthouse:$region:$account:instance/$instanceId

    DescribeCommands (Query a command)
        Resource type: Command
        Resource: qcs::tat:$region:$account:command/$commandId

    DescribeInvocations (Query the execution result)
        Resource type: Command
        Resource: qcs::tat:$region:$account:command/$commandId

    DescribeInvocationTasks (Query the execution tasks)
        Resource type: Command, CVM instances, Lighthouse instances
        Resource: qcs::tat:$region:$account:command/$commandId
                  qcs::cvm:$region:$account:instance/$instanceId
                  qcs::lighthouse:$region:$account:instance/$instanceId

    InvokeCommand (Invoke a command)
        Resource type: Command, CVM instances, Lighthouse instances
        Resource: qcs::tat:$region:$account:command/$commandId
                  qcs::cvm:$region:$account:instance/$instanceId
                  qcs::lighthouse:$region:$account:instance/$instanceId

    ModifyCommand (Modify a command)
        Resource type: Command
        Resource: qcs::tat:$region:$account:command/$commandId

    PreviewReplacedCommandContent (Query the command after rendering)
        Resource type: Command
        Resource: qcs::tat:$region:$account:command/$commandId

    RunCommand (Run a command)
        Resource type: Command, CVM instances, Lighthouse instances
        Resource: qcs::tat:$region:$account:command/$commandId
                  qcs::cvm:$region:$account:instance/$instanceId
                  qcs::lighthouse:$region:$account:instance/$instanceId
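    The table above is the contract a custom policy has to respect: an action may only be scoped to the resource types listed for it, and CreateCommand accepts only "*". The following Python linter, added here as an example and not Tencent Cloud's own tooling, checks a policy document against that contract. It parses each six-segment resource string, rejects TAT action names that are not in the table (which catches a misspelled action such as "tat:InvokeCommands" that would otherwise silently match nothing), and flags a resource whose service segment the action does not support. ACTION_RESOURCE_TYPES is transcribed from the table; the policies in demo() are constructed.

```python
"""Lint CAM policies for the TAT service against the action/resource table.

Added example, not Tencent Cloud's own tooling. ACTION_RESOURCE_TYPES is
transcribed from the table above; the policies checked in demo() are
constructed for illustration.
"""

# Service segment of the resource types each TAT action can be scoped to.
# "*" marks an action that supports action-level authorization only.
ACTION_RESOURCE_TYPES = {
    "CreateCommand": {"*"},
    "DeleteCommand": {"tat"},
    "DescribeAutomationAgentStatus": {"cvm", "lighthouse"},
    "DescribeCommands": {"tat"},
    "DescribeInvocations": {"tat"},
    "DescribeInvocationTasks": {"tat", "cvm", "lighthouse"},
    "InvokeCommand": {"tat", "cvm", "lighthouse"},
    "ModifyCommand": {"tat"},
    "PreviewReplacedCommandContent": {"tat"},
    "RunCommand": {"tat", "cvm", "lighthouse"},
}


def parse_resource(qcs):
    """Split 'qcs::service:region:account:type/id' into its six segments."""
    parts = qcs.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs" or parts[1] != "":
        raise ValueError(f"not a six-segment resource string: {qcs!r}")
    _, _, service, region, account, resource = parts
    if resource != "*" and "/" not in resource:
        raise ValueError(f"resource segment must be type/id: {qcs!r}")
    return {"service": service, "region": region,
            "account": account, "resource": resource}


def lint_policy(policy):
    """Return a list of problems; an empty list means the policy is consistent."""
    problems = []
    if policy.get("version") != "2.0":
        problems.append("policy version must be '2.0'")
    for i, st in enumerate(policy.get("statement", [])):
        if st.get("effect") not in ("allow", "deny"):
            problems.append(f"statement {i}: effect must be 'allow' or 'deny'")
        for act in st.get("action", []):
            service, _, name = act.partition(":")
            if service != "tat":
                continue  # only TAT actions are covered by the table
            if name not in ACTION_RESOURCE_TYPES:
                problems.append(f"statement {i}: unknown TAT action {act!r}")
                continue
            supported = ACTION_RESOURCE_TYPES[name]
            for res in st.get("resource", []):
                if res == "*":
                    continue
                try:
                    parsed = parse_resource(res)
                except ValueError as exc:
                    problems.append(f"statement {i}: {exc}")
                    continue
                if "*" in supported:
                    problems.append(f"statement {i}: {act} supports action-level "
                                    f"authorization only; use resource '*'")
                elif parsed["service"] not in supported:
                    problems.append(f"statement {i}: {act} cannot be scoped to a "
                                    f"{parsed['service']} resource ({res})")
    return problems


def demo():
    """Constructed policy with a misspelled action and a mis-scoped resource."""
    policy = {"version": "2.0", "statement": [
        {"effect": "deny",
         "resource": ["qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"],
         "action": ["tat:InvokeCommands"]},          # typo: no such action
        {"effect": "allow",
         "resource": ["qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"],
         "action": ["tat:DescribeCommands"]},        # command-only action on a CVM
    ]}
    return lint_policy(policy)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

    Run the linter over every custom policy before attaching it: a deny statement that names a non-existent action is the worst kind of silent failure, because the console accepts it and the user it was meant to restrict keeps the permission.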

    Examples

    The examples below show how to control TAT permissions with CAM policies.
    Note:
    The Guangzhou region (ap-guangzhou) is used in all the examples below. Replace $account with the Tencent Cloud root account ID of the user.
    Allow a user to modify and delete the command cmd-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "allow",
          "resource": [
            "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
          ],
          "action": [
            "tat:ModifyCommand",
            "tat:DeleteCommand"
          ]
        }
      ]
    }

    Allow a user to check the details of the command cmd-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "allow",
          "resource": [
            "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
          ],
          "action": [
            "tat:DescribeCommands"
          ]
        }
      ]
    }

    Allow a user to check the result of the command cmd-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "allow",
          "resource": [
            "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
          ],
          "action": [
            "tat:DescribeInvocations",
            "tat:DescribeInvocationTasks"
          ]
        }
      ]
    }

    Disallow a user from executing the command cmd-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "deny",
          "resource": [
            "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
          ],
          "action": [
            "tat:InvokeCommand"
          ]
        }
      ]
    }

    Disallow a user from executing any commands
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "deny",
          "resource": [
            "qcs::tat:ap-guangzhou:$account:command/*"
          ],
          "action": [
            "tat:InvokeCommand",
            "tat:RunCommand"
          ]
        }
      ]
    }

    Disallow a user from executing any commands on the CVM ins-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "deny",
          "resource": [
            "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"
          ],
          "action": [
            "tat:InvokeCommand",
            "tat:RunCommand"
          ]
        }
      ]
    }

    Disallow a user from executing commands on any CVMs
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "deny",
          "resource": [
            "qcs::cvm:ap-guangzhou:$account:instance/*"
          ],
          "action": [
            "tat:InvokeCommand",
            "tat:RunCommand"
          ]
        }
      ]
    }

    Disallow a user from executing any commands on the Lighthouse instance lhins-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "deny",
          "resource": [
            "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"
          ],
          "action": [
            "tat:InvokeCommand",
            "tat:RunCommand"
          ]
        }
      ]
    }

    Disallow a user from executing commands on any Lighthouse instances
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "deny",
          "resource": [
            "qcs::lighthouse:ap-guangzhou:$account:instance/*"
          ],
          "action": [
            "tat:InvokeCommand",
            "tat:RunCommand"
          ]
        }
      ]
    }

    Allow a user to execute the command cmd-xxxxxxxx or cmd-yyyyyyyy on the CVM ins-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "allow",
          "resource": [
            "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx",
            "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx",
            "qcs::tat:ap-guangzhou:$account:command/cmd-yyyyyyyy"
          ],
          "action": [
            "tat:InvokeCommand"
          ]
        }
      ]
    }

    Allow a user to execute the command cmd-xxxxxxxx or cmd-yyyyyyyy on the Lighthouse instance lhins-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "allow",
          "resource": [
            "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx",
            "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx",
            "qcs::tat:ap-guangzhou:$account:command/cmd-yyyyyyyy"
          ],
          "action": [
            "tat:InvokeCommand"
          ]
        }
      ]
    }

    Disallow a user from checking the command execution result on the CVM ins-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "deny",
          "resource": [
            "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"
          ],
          "action": [
            "tat:DescribeInvocationTasks"
          ]
        }
      ]
    }

    Disallow a user from checking the command execution result on the Lighthouse instance lhins-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "deny",
          "resource": [
            "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"
          ],
          "action": [
            "tat:DescribeInvocationTasks"
          ]
        }
      ]
    }

    Disallow a user from checking the Agent status on the CVM ins-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "deny",
          "resource": [
            "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"
          ],
          "action": [
            "tat:DescribeAutomationAgentStatus"
          ]
        }
      ]
    }

    Disallow a user from checking the Agent status on the Lighthouse instance lhins-xxxxxxxx
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "deny",
          "resource": [
            "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"
          ],
          "action": [
            "tat:DescribeAutomationAgentStatus"
          ]
        }
      ]
    }
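    The examples above only make sense once you know how CAM combines several statements: an explicit deny overrides any allow, anything not explicitly allowed is denied, and an InvokeCommand request names both a command and the instance it runs on, so the "Allow a user to execute ... on the CVM" policy has to list both resources. The following Python evaluator, added here as an example and not Tencent Cloud's own policy engine, models those rules so you can test a policy set before attaching it. The rule that a request naming several resources is authorized only when every one of them is authorized is an assumption of this example; the account ID and the policies are constructed from the Guangzhou examples above.

```python
"""Evaluate TAT requests against a set of CAM policies.

Added example, not Tencent Cloud's own policy engine. It models explicit
deny overriding allow, with default deny. That a request naming several
resources is allowed only when each one is allowed is an assumption made
here. ACCOUNT and POLICIES are constructed for illustration.
"""
from fnmatch import fnmatchcase

ACCOUNT = "100000000001"   # constructed root account ID standing in for $account
REGION = "ap-guangzhou"


def cmd(command_id):
    return f"qcs::tat:{REGION}:{ACCOUNT}:command/{command_id}"


def cvm(instance_id):
    return f"qcs::cvm:{REGION}:{ACCOUNT}:instance/{instance_id}"


def lighthouse(instance_id):
    return f"qcs::lighthouse:{REGION}:{ACCOUNT}:instance/{instance_id}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # '*' in a CAM action or resource string is a wildcard; fnmatchcase
    # matches it case-sensitively and lets it span ':' and '/'.
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resources):
    """True only if every resource is allowed for `action` and denied by none."""
    for res in resources:
        allowed = False
        for policy in policies:
            for st in policy["statement"]:
                if not _any_match(_as_list(st["action"]), action):
                    continue
                if not _any_match(_as_list(st["resource"]), res):
                    continue
                if st["effect"] == "deny":
                    return False      # explicit deny wins, stop immediately
                allowed = True        # keep scanning: a later deny still wins
        if not allowed:
            return False              # nothing allowed it: default deny
    return True


# Constructed policies: the first grants InvokeCommand on two commands and two
# instances, as in the page's "Allow a user to execute ..." examples; the
# second denies command execution on every Lighthouse instance.
POLICIES = [
    {"version": "2.0", "statement": [{
        "effect": "allow",
        "resource": [cvm("ins-xxxxxxxx"), lighthouse("lhins-xxxxxxxx"),
                     cmd("cmd-xxxxxxxx"), cmd("cmd-yyyyyyyy")],
        "action": ["tat:InvokeCommand"]}]},
    {"version": "2.0", "statement": [{
        "effect": "deny",
        "resource": [f"qcs::lighthouse:{REGION}:{ACCOUNT}:instance/*"],
        "action": ["tat:InvokeCommand", "tat:RunCommand"]}]},
]


def demo():
    """Decide a few requests; returns description -> allowed?"""
    return {
        "InvokeCommand cmd-xxxxxxxx on CVM ins-xxxxxxxx":
            is_allowed(POLICIES, "tat:InvokeCommand",
                       [cmd("cmd-xxxxxxxx"), cvm("ins-xxxxxxxx")]),
        "InvokeCommand cmd-zzzzzzzz on CVM ins-xxxxxxxx (command not granted)":
            is_allowed(POLICIES, "tat:InvokeCommand",
                       [cmd("cmd-zzzzzzzz"), cvm("ins-xxxxxxxx")]),
        "InvokeCommand cmd-xxxxxxxx on Lighthouse lhins-xxxxxxxx (deny wins)":
            is_allowed(POLICIES, "tat:InvokeCommand",
                       [cmd("cmd-xxxxxxxx"), lighthouse("lhins-xxxxxxxx")]),
        "DescribeCommands cmd-xxxxxxxx (never allowed)":
            is_allowed(POLICIES, "tat:DescribeCommands", [cmd("cmd-xxxxxxxx")]),
    }


if __name__ == "__main__":
    for description, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY '}  {description}")
```

    The third case is the one worth remembering when reviewing a sub-account's permissions: the allow on lhins-xxxxxxxx is real, but the wildcard deny attached elsewhere still blocks the request, so a user who "should" be able to run a command on one Lighthouse instance can be locked out by a broader policy on a group they belong to.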