Sub-users and Authorization

Last updated: 2024-09-26 15:34:19
    Note
    You need to check whether the root account has the QcloudAccessForCFGLinkedRoleInChaos permission on the Role page. If not, please complete the authorization according to the Preset Policy section of Service Authorization and Role Permissions; otherwise sub-users cannot use the CFG console normally or call other cloud resources through CFG.

    Creating Sub-users and Granting All Operation Permissions to CFG

    Step 1: Create a Sub-user with the Root Account

    1. Log in to the CAM Console and choose Users > User List in the left sidebar.
    2. On the User List page, choose Create User > Custom Creation to enter the New Sub-user page.
    3. In the Select Type step, select Access Resources and Receive Messages, and click Next.
    4. In the Fill in User Information step, you can create sub-users in batches, set access methods and console passwords, etc. Please set as required and then click Next.
    5. On the Set User Permissions page, select different methods as required to set permissions for the created sub-users, and click Next to save the settings. You can modify relevant permission settings later. There are three ways to set permissions:
    Add sub-users to an existing user group or a new user group.
    Copy existing user permissions.
    Authorize from the policy list.
    6. On the Review Information and Permissions page, click Complete after confirming that the information is correct to complete the custom creation of sub-user operations.
    Note
    For related documents, see Creating Sub-user.

    Step 2: Create a Custom Policy

    1. Log in to CAM Console and select Policies in the left sidebar.
    2. On the Policies page, choose Create Custom Policy > Create by Policy Syntax to enter the Creation page.
    3. Select CFG for the template type, select QcloudCFGFullAccess, and click Next.
    4. Refer to the following authorization syntax to achieve the effect of allowing sub-accounts to operate all functions of CFG and permitting CFG roles to manage corresponding resources. For details, see CFG Role Description.
    {
        "version": "2.0",
        "statement": [
            {
                "action": "cfg:*",
                "resource": "*",
                "effect": "allow"
            },
            {
                "effect": "allow",
                "action": "cam:PassRole",
                "resource": "qcs::cam::uin/${OwnerUin}:role/tencentcloudServiceRoleName/CFG_QCSLinkedRoleInChaos"
            }
        ]
    }

    Step 3: Associate the Policy with Users/User Groups

    1. On the Policies page, click Associate User/User Group/Role on the right side of the New Policy tab. A dialog box will pop up.
    2. Select the user you want to associate with, and click OK to complete association. You can also switch between users or user groups for selection.

    Step 4: Add CAM Read-only Permissions to the Sub-user

    1. Log in to the CAM Console and choose Users > User List in the left sidebar.
    2. On the User List page, select the sub-user to set permissions for, and enter the User Details page.
    3. On the User Details page, click Associate Policy to enter the Associate Policy page.
    4. In the Set User Permissions step, select Link Policy from Policy List, check QcloudCamReadOnlyAccess, and click Next.
    5. In the Review User Permissions step, click Confirm to complete the authorization of CAM read-only access permissions to the sub-user. After the above operations are completed, CFG can obtain the existing permissions of the root account through the sub-user and complete the authentication process.

    Step 5: Authorize CAM to the Sub-user

    After completing the above settings, users can log in to the sub-account to view permissions. Log in to CAM Console, and select Overview on the left sidebar to enter the overview page, where the sub-user login address can be viewed.

    Creating Sub-users and Granting Certain CFG Operation Permissions to Them

    Step 1: Create a Sub-user with the Root Account

    1. Log in to the CAM Console and choose Users > User List in the left sidebar.
    2. On the User List page, select Create User > Custom Creation to enter the New Sub-user page.
    3. In the Select Type step, select Access Resources and Receive Messages, and then click Next.
    4. In the Fill in User Information step, you can create sub-users in batches, set access methods and console passwords, etc. Please set as required and then click Next.
    5. On the Set User Permissions page, select different methods as required to set permissions for the created sub-users, and click Next to save the settings. You can modify relevant permission settings later. There are three ways to set permissions:
    Add sub-users to an existing user group or a new user group.
    Copy existing user permissions.
    Authorize from the policy list.
    6. On the Review Information and Permissions page, click Complete after confirming that the information is correct to complete the custom creation of sub-user operations.
    Note
    For related documents, see Creating Sub-user.

    Step 2: Create a Custom Policy

    1. Log in to CAM Console and select Policies in the left sidebar.
    2. On the Policies page, choose Create Custom Policy > Create by Policy Syntax to enter the Creation page.
    3. Select CFG for the template type and select QcloudCFGFullAccess, and then click Next.
    4. Refer to the following authorization syntax to achieve the effect of allowing sub-accounts to operate all functions of CFG and permitting CFG roles to manage corresponding resources. For details, see CFG Role Description.
    {
        "version": "2.0",
        "statement": [
            {
                "action": "cfg:*",
                "resource": "*",
                "effect": "allow"
            },
            {
                "effect": "allow",
                "action": "cam:PassRole",
                "resource": "qcs::cam::uin/${OwnerUin}:role/tencentcloudServiceRoleName/CFG_QCSLinkedRoleInChaos"
            }
        ]
    }
    Note
    In resource, the ${OwnerUin} placeholder needs to be replaced with the ID (UIN) of the root account.

    Step 3: Associate the Policy with Users/User Groups

    1. On the Policies page, click Associate User/User Group/Role on the right side of the New Policy tab. A dialog box will pop up.
    2. Select the user you want to associate with, and click OK to complete association. You can also switch between users or user groups for selection.

    Step 4: Add CAM Read-only Permissions to the Sub-user

    1. Log in to the CAM Console and choose Users > User List in the left sidebar.
    2. On the User List page, select the sub-user to set permissions for, and enter the User Details page.
    3. On the User Details page, click Associate Policy to enter the Associate Policy page.
    4. In the Set User Permissions step, select Link Policy from Policy List, check QcloudCamReadOnlyAccess, and click Next.
    5. In the Review User Permissions step, click Confirm to complete the authorization of CAM read-only access permission to the sub-user. After the above operations are completed, CFG can obtain the existing permissions of the root account through the sub-user and complete the authentication process.

    Step 5: End

    After completing the above settings, users can log in to the sub-account to view permissions. Select Overview on the left sidebar to enter the overview page, where the sub-user login address can be viewed.
    Note
    Once the policy takes effect, the current sub-account can view all function names, but can only operate and view details of functions within the resource.

    Example

    Note
    The following example shows only the usage of CAM and the process of completing a CFG chaos engineering experiment. During operations, replace OwnerUin with the root account's UIN.
    {
        "version": "2.0",
        "statement": [
            {
                "action": "cfg:*",
                "resource": "*",
                "effect": "allow"
            },
            {
                "effect": "allow",
                "action": "cam:PassRole",
                "resource": "qcs::cam::uin/${OwnerUin}:role/tencentcloudServiceRoleName/CFG_QCSLinkedRoleInChaos"
            },
            {
                "action": [
                    "tag:DescribeTagKeys",
                    "tag:DescribeTagValues",
                    "tag:DescribeResourceTagsByResourceIds",
                    "tag:AttachResourcesTag",
                    "tag:ModifyResourcesTagValue",
                    "tag:DetachResourcesTag"
                ],
                "resource": "*",
                "effect": "allow"
            },
            {
                "action": [
                    "monitor:DescribeAlarmPolicies"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }
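
    As an added example (not part of this page or of the CFG product), the following Python check covers the CFG policy shown in Step 2 of both procedures and in the example above: it fills in the ${OwnerUin} placeholder that the notes say must be replaced with the root account's UIN, and it flags a policy that still carries the placeholder, lacks the cfg:* or cam:PassRole statements, uses a bare "*" action, or scopes cam:PassRole wider than the CFG linked role. The embedded sample policy and the UIN 100000000001 used in testing are constructed.

```python
import json
import re

# Constructed copy of the CFG sub-user policy shown on this page, with the
# ${OwnerUin} placeholder still unfilled, exactly as the page presents it.
EXAMPLE_POLICY = """{
  "version": "2.0",
  "statement": [
    {"action": "cfg:*", "resource": "*", "effect": "allow"},
    {"effect": "allow", "action": "cam:PassRole",
     "resource": "qcs::cam::uin/${OwnerUin}:role/tencentcloudServiceRoleName/CFG_QCSLinkedRoleInChaos"}
  ]
}"""

# The CFG service-linked role that the page's cam:PassRole statement names.
CFG_LINKED_ROLE = "role/tencentcloudServiceRoleName/CFG_QCSLinkedRoleInChaos"


def _as_list(value):
    """CAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def fill_owner_uin(policy_text: str, owner_uin: str) -> str:
    """Replace ${OwnerUin} with the root account UIN, which must be numeric."""
    if not re.fullmatch(r"[0-9]+", owner_uin):
        raise ValueError("OwnerUin must be the numeric UIN of the root account")
    return policy_text.replace("${OwnerUin}", owner_uin)


def check_cfg_policy(policy_text: str) -> list:
    """Return findings for a CFG sub-user policy; an empty list means it is ready to apply."""
    findings, all_actions = [], set()
    for i, st in enumerate(json.loads(policy_text).get("statement", [])):
        actions, resources = _as_list(st.get("action")), _as_list(st.get("resource"))
        all_actions.update(actions)
        if st.get("effect") != "allow":
            continue  # only allow statements can over-grant
        if any("${OwnerUin}" in r for r in resources):
            findings.append(f"statement {i}: ${{OwnerUin}} placeholder not replaced with the root UIN")
        if "cam:PassRole" in actions and not all(r.endswith(CFG_LINKED_ROLE) for r in resources):
            findings.append(f"statement {i}: cam:PassRole must be scoped to {CFG_LINKED_ROLE} only")
        if "*" in actions:
            findings.append(f"statement {i}: action \"*\" grants every service, not just cfg:*")
    if "cfg:*" not in all_actions:
        findings.append("no cfg:* statement: the sub-user cannot operate CFG")
    if "cam:PassRole" not in all_actions:
        findings.append("no cam:PassRole statement: CFG cannot use its linked role")
    return findings
```

Run check_cfg_policy on the policy text before pasting it into Create by Policy Syntax; the unfilled page policy yields exactly one finding, and the same text after fill_owner_uin yields none.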