Cloud Access Management
Last updated: 2022-05-23 15:27:20

Overview

Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you securely manage access permissions for the resources under your Tencent Cloud account. With CAM, you can create, manage, and terminate users or user groups, and use identity and policy management to control which Tencent Cloud resources other users may use. A policy authorizes or blocks the use of specified resources by users for specified tasks; you apply permission control by associating policies with a user or user group.
TAT is integrated with CAM for permission control.

Access Control Levels

TAT supports access control by resource and by tag.
Resource-level control: write a policy that grants a sub-account permissions on a single resource. For details, see Creating Custom Policy.
Control by tag: add tags to resources and grant or deny access based on those tags.

Preset Policies

| Preset policy | Permissions granted |
| --- | --- |
| QcloudTATReadOnlyAccess | TAT read-only permission |
| QcloudTATFullAccess | TAT read/write permission |

Types of Manageable Resources

TAT supports resource-level authorization. You can grant a specified sub-account the API permission of a specified resource.
In CAM, the types of TAT resources that can be authorized are as follows:
| Resource type | Resource description method in authorization policy |
| --- | --- |
| Remote command-related | qcs::tat:$region:$account:command/$commandId |
APIs supporting action-level authorization include:
| API name | Description | Resource |
| --- | --- | --- |
| CreateCommand | Create a command | * |
APIs supporting resource-level authorization include:
| API name | API description | Resource type | Resource (in six-segment format) |
| --- | --- | --- | --- |
| DeleteCommand | Delete a command | Command | qcs::tat:$region:$account:command/$commandId |
| DescribeAutomationAgents | Query the agent running status | CVM instances, Lighthouse instances | qcs::cvm:$region:$account:instance/$instanceId; qcs::lighthouse:$region:$account:instance/$instanceId |
| DescribeCommands | Query a command | Command | qcs::tat:$region:$account:command/$commandId |
| DescribeInvocations | Query the execution result | Command | qcs::tat:$region:$account:command/$commandId |
| DescribeInvocationTasks | Query the execution tasks | Command, CVM instances, Lighthouse instances | qcs::tat:$region:$account:command/$commandId; qcs::cvm:$region:$account:instance/$instanceId; qcs::lighthouse:$region:$account:instance/$instanceId |
| InvokeCommand | Invoke a command | Command, CVM instances, Lighthouse instances | qcs::tat:$region:$account:command/$commandId; qcs::cvm:$region:$account:instance/$instanceId; qcs::lighthouse:$region:$account:instance/$instanceId |
| ModifyCommand | Modify a command | Command | qcs::tat:$region:$account:command/$commandId |
| PreviewReplacedCommandContent | Query the command after rendering | Command | qcs::tat:$region:$account:command/$commandId |
| RunCommand | Run a command | Command, CVM instances, Lighthouse instances | qcs::tat:$region:$account:command/$commandId; qcs::cvm:$region:$account:instance/$instanceId; qcs::lighthouse:$region:$account:instance/$instanceId |

Examples

The examples below show how to control TAT permissions with CAM policies.
Note:
The Guangzhou region (ap-guangzhou) is used in all the examples below. Replace $account with the Tencent Cloud root account of the user.
Allow a user to modify and delete the command cmd-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "resource": [
        "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
      ],
      "action": [
        "tat:ModifyCommand",
        "tat:DeleteCommand"
      ]
    }
  ]
}
```
Allow a user to check the details of the command cmd-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "resource": [
        "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
      ],
      "action": [
        "tat:DescribeCommands"
      ]
    }
  ]
}
```
Allow a user to check the result of the command cmd-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "resource": [
        "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
      ],
      "action": [
        "tat:DescribeInvocations",
        "tat:DescribeInvocationTasks"
      ]
    }
  ]
}
```
Disallow a user from executing the command cmd-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "resource": [
        "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
      ],
      "action": [
        "tat:InvokeCommand"
      ]
    }
  ]
}
```
Disallow a user from executing any commands
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "resource": [
        "qcs::tat:ap-guangzhou:$account:command/*"
      ],
      "action": [
        "tat:InvokeCommand",
        "tat:RunCommand"
      ]
    }
  ]
}
```
Disallow a user from executing any commands on the CVM ins-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "resource": [
        "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"
      ],
      "action": [
        "tat:InvokeCommand",
        "tat:RunCommand"
      ]
    }
  ]
}
```
Disallow a user from executing commands on any CVMs
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "resource": [
        "qcs::cvm:ap-guangzhou:$account:instance/*"
      ],
      "action": [
        "tat:InvokeCommand",
        "tat:RunCommand"
      ]
    }
  ]
}
```
Disallow a user from executing any commands on the Lighthouse instance lhins-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "resource": [
        "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"
      ],
      "action": [
        "tat:InvokeCommand",
        "tat:RunCommand"
      ]
    }
  ]
}
```
Disallow a user from executing commands on any Lighthouse instances
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "resource": [
        "qcs::lighthouse:ap-guangzhou:$account:instance/*"
      ],
      "action": [
        "tat:InvokeCommand",
        "tat:RunCommand"
      ]
    }
  ]
}
```
Allow a user to execute the command cmd-xxxxxxxx or cmd-yyyyyyyy on the CVM ins-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "resource": [
        "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx",
        "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx",
        "qcs::tat:ap-guangzhou:$account:command/cmd-yyyyyyyy"
      ],
      "action": [
        "tat:InvokeCommand"
      ]
    }
  ]
}
```
Allow a user to execute the command cmd-xxxxxxxx or cmd-yyyyyyyy on the Lighthouse instance lhins-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "resource": [
        "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx",
        "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx",
        "qcs::tat:ap-guangzhou:$account:command/cmd-yyyyyyyy"
      ],
      "action": [
        "tat:InvokeCommand"
      ]
    }
  ]
}
```
Disallow a user from checking the command execution result on the CVM ins-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "resource": [
        "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"
      ],
      "action": [
        "tat:DescribeInvocationTasks"
      ]
    }
  ]
}
```
Disallow a user from checking the command execution result on the Lighthouse instance lhins-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "resource": [
        "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"
      ],
      "action": [
        "tat:DescribeInvocationTasks"
      ]
    }
  ]
}
```
Disallow a user from checking the Agent status on the CVM ins-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "resource": [
        "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"
      ],
      "action": [
        "tat:DescribeAutomationAgentStatus"
      ]
    }
  ]
}
```
Disallow a user from checking the Agent status on the Lighthouse instance lhins-xxxxxxxx
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "resource": [
        "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"
      ],
      "action": [
        "tat:DescribeAutomationAgentStatus"
      ]
    }
  ]
}
```
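To see how allow and deny statements of the kind shown above combine for an API such as InvokeCommand, which names both a command and an instance, here is an added example (not Tencent Cloud code) that evaluates a call against a list of policies in the page's format. The evaluation model is an assumption for illustration, not CAM's actual engine: every resource the call touches must be covered by an allow statement, an explicit deny on any of them wins, and anything not explicitly allowed is denied; the account value is a constructed placeholder.

```python
import fnmatch

ACCOUNT = "uin/PLACEHOLDER_ACCOUNT"  # constructed placeholder for $account
REGION = "ap-guangzhou"              # region used throughout the page's examples


def cmd(command_id):
    return f"qcs::tat:{REGION}:{ACCOUNT}:command/{command_id}"


def cvm(instance_id):
    return f"qcs::cvm:{REGION}:{ACCOUNT}:instance/{instance_id}"


def lighthouse(instance_id):
    return f"qcs::lighthouse:{REGION}:{ACCOUNT}:instance/{instance_id}"


# Constructed sample policies in the page's format: the allow for cmd-xxxxxxxx and
# cmd-yyyyyyyy on ins-xxxxxxxx, plus a deny on every Lighthouse instance.
POLICIES = [
    {"version": "2.0", "statement": [{"effect": "allow",
        "resource": [cvm("ins-xxxxxxxx"), cmd("cmd-xxxxxxxx"), cmd("cmd-yyyyyyyy")],
        "action": ["tat:InvokeCommand"]}]},
    {"version": "2.0", "statement": [{"effect": "deny",
        "resource": [lighthouse("*")],
        "action": ["tat:InvokeCommand", "tat:RunCommand"]}]},
]


def _matches(patterns, value):
    # '*' in a policy pattern (e.g. command/* or a bare '*') matches any suffix
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resources):
    """Return 'allow' or 'deny' for one API call (assumed model, see lead-in)."""
    state = {r: "default_deny" for r in resources}   # default deny per resource
    for policy in policies:
        for stmt in policy["statement"]:
            if not _matches(stmt["action"], action):
                continue
            for res in resources:
                if not _matches(stmt["resource"], res):
                    continue
                if stmt["effect"] == "deny":
                    state[res] = "explicit_deny"      # deny always wins
                elif state[res] == "default_deny":
                    state[res] = "allow"
    if "explicit_deny" in state.values():
        return "deny"
    return "allow" if all(s == "allow" for s in state.values()) else "deny"
```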
