- Release Notes and Announcements
- Release Notes
- Announcements
- Announcement on the Rule-Based Audit Feature for Database Audit
- Announcement on Some APIs with CAM Authentication Integrated
- Announcement on Some APIs with CAM Authentication Integrated
- Notice on Elimination of Some Indicators in Event Alarms
- Commercial Billing for Database Proxy
- TencentDB for MySQL Audit Upgrade
- Added Authentication APIs
- API Authentication Upgrade
- TencentDB for MySQL API 2.0 Discontinuation
- Monitoring Module Upgrade in Shanghai Region
- Monitoring Metric Optimization
- Network Architecture Upgrade
- Change of APIs for Querying the Specifications of Purchasable Database Instances
- Replacement of Certain Old Database Proxy APIs
- Added Advanced Monitoring Metrics
- Change of Calculation Formula for Memory Utilization
- Monitoring Module Upgrade and Optimization in Guangzhou and Shanghai Regions
- Monitoring Module Upgrade
- Parameter Template and Instance Purchase Process Optimization
- Binlog Will Take up Disk Space
- User Tutorial
- Product Introduction
- Tencent Kernel TXSQL
- Overview
- Kernel Version Release Notes
- Functionality Features
- Performance Features
- Security Features
- Stability Features
- TXRocks Engine
- Purchase Guide
- Billing Overview
- Selection Guide
- Purchase Methods
- Renewal
- Payment Overdue
- Refund
- Pay-as-You-Go to Monthly Subscription
- Instance Adjustment Fee
- Backup Space Billing
- Database Audit Billing Overview
- Commercial Billing and Activity Description for Database Proxy
- Description of the Database Proxy Billing Cycle
- Viewing Bills
- Getting Started
- Database Audit
- MySQL Cluster Edition
- Operation Guide
- Use Limits
- Operation Overview
- Instance Management and Maintenance
- Instance Upgrade
- CPU Elastic Expansion
- Read-Only/Disaster Recovery Instances
- Database Proxy
- Account Management
- Database Management Center (DMC)
- Parameter Configuration
- Network and Security
- Backup and Rollback
- Data Migration
- Monitoring and Alarms
- Operation Logs
- Tag
- Practical Tutorial
- Usage Specifications of TencentDB for MySQL
- Configuring Automatic Application Reconnection
- Impact of Modifying MySQL Source Instance Parameters
- Limits on Automatic Conversion from MyISAM to InnoDB
- Creating VPCs for TencentDB for MySQL
- Enhancing Business Load Capacity with TencentDB for MySQL
- Setting up 2-Region-3-DC Disaster Recovery Architecture
- Improving TencentDB for MySQL Performance with Read/Write Separation
- Migrating Data from InnoDB to RocksDB with DTS
- Building LAMP Stack for Web Application
- Building Drupal Website
- Building All-Scenario High-Availability Architecture
- Calling MySQL APIs in Python
- White Paper
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Data Import APIs
- Rollback APIs
- Parameter APIs
- Making API Requests
- Instance APIs
- StopCpuExpand
- StartCpuExpand
- DescribeCpuExpandStrategy
- AddTimeWindow
- BalanceRoGroupLoad
- CloseWanService
- CreateRoInstanceIp
- DeleteTimeWindow
- DescribeCdbZoneConfig
- DescribeDBFeatures
- DescribeDBInstanceCharset
- DescribeDBInstanceConfig
- DescribeDBInstanceGTID
- DescribeDBInstanceInfo
- DescribeDBInstanceRebootTime
- DescribeDBSwitchRecords
- DescribeRoGroups
- DescribeRoMinScale
- DescribeTagsOfInstanceIds
- DescribeTimeWindow
- IsolateDBInstance
- ModifyAutoRenewFlag
- ModifyDBInstanceName
- ModifyDBInstanceProject
- ModifyDBInstanceVipVport
- ModifyInstanceTag
- ModifyNameOrDescByDpId
- ModifyRoGroupInfo
- ModifyTimeWindow
- OfflineIsolatedInstances
- OpenDBInstanceEncryption
- OpenDBInstanceGTID
- OpenWanService
- ReleaseIsolatedDBInstances
- RenewDBInstance
- RestartDBInstances
- StartReplication
- StopReplication
- SwitchDBInstanceMasterSlave
- SwitchDrInstanceToMaster
- SwitchForUpgrade
- UpgradeDBInstanceEngineVersion
- CreateDBInstance
- CreateDBInstanceHour
- DescribeDBInstances
- UpgradeDBInstance
- DescribeDBZoneConfig
- CreateDeployGroup
- DeleteDeployGroups
- DescribeDeployGroupList
- Database Proxy APIs
- AdjustCdbProxy
- AdjustCdbProxyAddress
- CloseCDBProxy
- CloseCdbProxyAddress
- CreateCdbProxy
- CreateCdbProxyAddress
- DescribeCdbProxyInfo
- DescribeProxyCustomConf
- DescribeProxySupportParam
- ModifyCdbProxyAddressDesc
- ModifyCdbProxyAddressVipAndVPort
- ModifyCdbProxyParam
- ReloadBalanceProxyNode
- SwitchCDBProxy
- UpgradeCDBProxyVersion
- Database Audit APIs
- Security APIs
- Task APIs
- Account APIs
- Backup APIs
- CreateBackup
- DeleteBackup
- DescribeBackupDownloadRestriction
- DescribeBackupOverview
- DescribeBackupSummaries
- DescribeBinlogBackupOverview
- DescribeDataBackupOverview
- DescribeLocalBinlogConfig
- DescribeRemoteBackupConfig
- DescribeSlowLogs
- ModifyBackupDownloadRestriction
- ModifyLocalBinlogConfig
- ModifyRemoteBackupConfig
- DescribeBackups
- DescribeBackupConfig
- DescribeBackupDecryptionKey
- DescribeBackupEncryptionStatus
- DescribeBinlogs
- ModifyBackupConfig
- ModifyBackupEncryptionStatus
- Database APIs
- Monitoring APIs
- Log-related API
- Data Types
- Error Codes
- FAQs
- Service Agreement
- Reference
- Glossary
- Contact Us
- Preset Plugin List
- Release Notes and Announcements
- Release Notes
- Announcements
- Announcement on the Rule-Based Audit Feature for Database Audit
- Announcement on Some APIs with CAM Authentication Integrated
- Announcement on Some APIs with CAM Authentication Integrated
- Notice on Elimination of Some Indicators in Event Alarms
- Commercial Billing for Database Proxy
- TencentDB for MySQL Audit Upgrade
- Added Authentication APIs
- API Authentication Upgrade
- TencentDB for MySQL API 2.0 Discontinuation
- Monitoring Module Upgrade in Shanghai Region
- Monitoring Metric Optimization
- Network Architecture Upgrade
- Change of APIs for Querying the Specifications of Purchasable Database Instances
- Replacement of Certain Old Database Proxy APIs
- Added Advanced Monitoring Metrics
- Change of Calculation Formula for Memory Utilization
- Monitoring Module Upgrade and Optimization in Guangzhou and Shanghai Regions
- Monitoring Module Upgrade
- Parameter Template and Instance Purchase Process Optimization
- Binlog Will Take up Disk Space
- User Tutorial
- Product Introduction
- Tencent Kernel TXSQL
- Overview
- Kernel Version Release Notes
- Functionality Features
- Performance Features
- Security Features
- Stability Features
- TXRocks Engine
- Purchase Guide
- Billing Overview
- Selection Guide
- Purchase Methods
- Renewal
- Payment Overdue
- Refund
- Pay-as-You-Go to Monthly Subscription
- Instance Adjustment Fee
- Backup Space Billing
- Database Audit Billing Overview
- Commercial Billing and Activity Description for Database Proxy
- Description of the Database Proxy Billing Cycle
- Viewing Bills
- Getting Started
- Database Audit
- MySQL Cluster Edition
- Operation Guide
- Use Limits
- Operation Overview
- Instance Management and Maintenance
- Instance Upgrade
- CPU Elastic Expansion
- Read-Only/Disaster Recovery Instances
- Database Proxy
- Account Management
- Database Management Center (DMC)
- Parameter Configuration
- Network and Security
- Backup and Rollback
- Data Migration
- Monitoring and Alarms
- Operation Logs
- Tag
- Practical Tutorial
- Usage Specifications of TencentDB for MySQL
- Configuring Automatic Application Reconnection
- Impact of Modifying MySQL Source Instance Parameters
- Limits on Automatic Conversion from MyISAM to InnoDB
- Creating VPCs for TencentDB for MySQL
- Enhancing Business Load Capacity with TencentDB for MySQL
- Setting up 2-Region-3-DC Disaster Recovery Architecture
- Improving TencentDB for MySQL Performance with Read/Write Separation
- Migrating Data from InnoDB to RocksDB with DTS
- Building LAMP Stack for Web Application
- Building Drupal Website
- Building All-Scenario High-Availability Architecture
- Calling MySQL APIs in Python
- White Paper
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Data Import APIs
- Rollback APIs
- Parameter APIs
- Making API Requests
- Instance APIs
- StopCpuExpand
- StartCpuExpand
- DescribeCpuExpandStrategy
- AddTimeWindow
- BalanceRoGroupLoad
- CloseWanService
- CreateRoInstanceIp
- DeleteTimeWindow
- DescribeCdbZoneConfig
- DescribeDBFeatures
- DescribeDBInstanceCharset
- DescribeDBInstanceConfig
- DescribeDBInstanceGTID
- DescribeDBInstanceInfo
- DescribeDBInstanceRebootTime
- DescribeDBSwitchRecords
- DescribeRoGroups
- DescribeRoMinScale
- DescribeTagsOfInstanceIds
- DescribeTimeWindow
- IsolateDBInstance
- ModifyAutoRenewFlag
- ModifyDBInstanceName
- ModifyDBInstanceProject
- ModifyDBInstanceVipVport
- ModifyInstanceTag
- ModifyNameOrDescByDpId
- ModifyRoGroupInfo
- ModifyTimeWindow
- OfflineIsolatedInstances
- OpenDBInstanceEncryption
- OpenDBInstanceGTID
- OpenWanService
- ReleaseIsolatedDBInstances
- RenewDBInstance
- RestartDBInstances
- StartReplication
- StopReplication
- SwitchDBInstanceMasterSlave
- SwitchDrInstanceToMaster
- SwitchForUpgrade
- UpgradeDBInstanceEngineVersion
- CreateDBInstance
- CreateDBInstanceHour
- DescribeDBInstances
- UpgradeDBInstance
- DescribeDBZoneConfig
- CreateDeployGroup
- DeleteDeployGroups
- DescribeDeployGroupList
- Database Proxy APIs
- AdjustCdbProxy
- AdjustCdbProxyAddress
- CloseCDBProxy
- CloseCdbProxyAddress
- CreateCdbProxy
- CreateCdbProxyAddress
- DescribeCdbProxyInfo
- DescribeProxyCustomConf
- DescribeProxySupportParam
- ModifyCdbProxyAddressDesc
- ModifyCdbProxyAddressVipAndVPort
- ModifyCdbProxyParam
- ReloadBalanceProxyNode
- SwitchCDBProxy
- UpgradeCDBProxyVersion
- Database Audit APIs
- Security APIs
- Task APIs
- Account APIs
- Backup APIs
- CreateBackup
- DeleteBackup
- DescribeBackupDownloadRestriction
- DescribeBackupOverview
- DescribeBackupSummaries
- DescribeBinlogBackupOverview
- DescribeDataBackupOverview
- DescribeLocalBinlogConfig
- DescribeRemoteBackupConfig
- DescribeSlowLogs
- ModifyBackupDownloadRestriction
- ModifyLocalBinlogConfig
- ModifyRemoteBackupConfig
- DescribeBackups
- DescribeBackupConfig
- DescribeBackupDecryptionKey
- DescribeBackupEncryptionStatus
- DescribeBinlogs
- ModifyBackupConfig
- ModifyBackupEncryptionStatus
- Database APIs
- Monitoring APIs
- Log-related API
- Data Types
- Error Codes
- FAQs
- Service Agreement
- Reference
- Glossary
- Contact Us
- Preset Plugin List
Policy syntax
Policy syntax
CAM policy:
{"version":"2.0","statement":[{"effect":"effect","action":["action"],"resource":["resource"],"condition": {"key":{"value"}}}]}
version is required. Currently, only the value "2.0" is allowed.
statement describes the details of one or more permissions. This element contains a permission or permission set of other elements such as
effect, action, resource, and condition. One policy has only one statement.effect is required. It describes whether the declaration result is
allow or explicit deny.action is required. It specifies whether to allow or deny the operation. The operation can be an API (prefixed with "cdb:").
resource is required. It describes the details of authorization. A resource is described in a six-segment format. Detailed resource definitions vary by product.
condition is required. It describes the condition for the policy to take effect. A condition consists of operator, action key, and action value. A condition value may contain information such as time and IP address. Some services allow you to specify additional values in a condition.
Operations in TencentDB
Operations in TencentDB
In a TencentDB policy statement, you can specify any API operation from any service that supports TencentDB. APIs prefixed with
cdb: should be used for TencentDB, such as cdb:CreateDBInstance or cdb:CreateAccounts.To specify multiple operations in a single statement, separate them by comma.
"action":["cdb:action1","cdb:action2"]
You can also specify multiple operations by using a wildcard. For example, you can specify all operations beginning with "Describe" in the name.
"action":["cdb:Describe*"]
To specify all operations in TencentDB, use the
* wildcard."action":["cdb:*"]
Resources in TencentDB
Resources in TencentDB
Each CAM policy statement has its own applicable resources.
Resources are generally in the following format:
qcs:project_id:service_type:region:account:resource
project_id describes the project information, which is only used to enable compatibility with legacy CAM logic and can be left empty.
service_type describes the product abbreviation such as
cdb.region describes the region information, such as
ap-guangzhou.account describes the root account of the resource owner, such as
uin/65xxx763.resource describes detailed resource information of each product, such as
instanceId/instance_id1 or instanceId/*.For example, you can specify a resource for a specific instance (cdb-k05xdcta) in a statement.
"resource":[ "qcs::cdb:ap-guangzhou:uin/65xxx763:instanceId/cdb-k05xdcta"]
You can also use the wildcard "*" to specify it for all instances that belong to a specific account.
"resource":[ "qcs::cdb:ap-guangzhou:uin/65xxx763:instanceId/*"]
If you want to specify all resources or a specific API operation does not support resource-level permission control, you can use the
* wildcard in the resource element."resource": ["*"]
To specify multiple resources in one policy, separate them by comma. In the following example, two resources are specified:
"resource":["resource1","resource2"]
The table below describes the resources that can be used by TencentDB and the corresponding resource description methods, where words prefixed with
$ are placeholders, region refers to a region, and account refers to an account ID.Resource | Resource Description Method in Authorization Policy |
Instance | qcs::cdb:$region:$account:instanceId/$instanceId |
VPC | qcs::vpc:$region:$account:vpc/$vpcId |
Security group | qcs::cvm:$region:$account:sg/$sgId |
Yes
No
Was this page helpful?