tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
TencentDB for SQL Server
    Documentation
    Download PDF

    Setting Account CAM Verification

    Last updated: 2024-07-25 13:25:29
    Download PDF
      This document introduces the instructions and operations for setting account CAM verification through the console.
      Note:
      If you need to enable account CAM verification, submit a ticket to apply for the allowlist features.

      Background

      In scenarios where cloud databases are used, it is often necessary to create separate accounts and passwords for the databases and grant access and operation permissions to corresponding users. This method of account management is complex and prone to security issues such as account and password leaks. Based on this background, TencentDB for SQL Server supports the CAM verification feature for accounts. By connecting sub-accounts of Tencent Cloud platform with database accounts and adding CAM credential authentication, the complexity of account permission management is simplified, therefore enhancing database security and account management efficiency.

      Overview

      If you have high security requirements, you can use this feature to bind CAM with database accounts for verification. You can obtain the corresponding password when requesting to access the database, thereby enhancing database security. It is recommended that CAM verification be enabled in the following two scenarios.
      Using CAM verification as a verification mechanism for temporary, individual access to the database.
      Using CAM verification as a verification mechanism only for workloads that can be easily retried.

      Notes

      Use long connections to access the database whenever possible.
      Before enabling CAM verification, ensure that the related CAM permission rules are configured in advance.
      After enabling CAM verification, you will not be able to change the password.
      After disabling CAM verification, you will not be able to obtain access credentials through CAM. Therefore, you need to enter a new password when disabling CAM verification.

      Feature Limits

      It is recommended to enable CAM verification for no more than 10 accounts within a single instance.
      After CAM verification is enabled, the password reset operation for this account is not supported.
      Only an account with a single server address is supported to enable CAM verification.
      CAM verification cannot be enabled repeatedly for the same account.
      The root account does not support CAM verification.

      Prerequisites

      The TencentDB for SQL Server instance has been created.
      The ticket has been submitted to apply for this feature.
      The instance is running.

      Step 1: Configure CAM permission rules

      Before using the CAM verification feature with the account, you need to configure the related CAM permission rules.

      Policy Content

      {
          "statement": [
              {
                  "action": [
                      "cam:BuildDataFlowAuthToken"
                  ],
                  "effect": "allow",
                  "resource": [
                      "qcs::cam::uin/<User uin>:resourceUser/<Instance ID>/<Username>",
                  ]
              }
          ],
          "version": "2.0"
      }
      <User uin>: Replace with the actual account ID.
      <Instance ID>: Replace with the actual instance ID to be authorized.
      <Username>: Replace with the actual username to be authorized.

      Operation Instructions

      1. Log in to the CAM console with the admin account. On the Policies page, create a custom policy using the Policy Generator (refer to Creating Custom Policy).
      
      Effect: Allow
      Service: TencentDB for SQL Server (sqlserver)
      Action: All actions
      Resource: Specific resources > Add a six-segment resource description
      Fill in the following items respectively: Resource prefix: instanceid and Resource ID: specific instance ID, as well as Resource prefix: user and Resource ID: specific username.
      Note:
      Method of determining the resource prefix: In the CAM-supported interfaces for TencentDB for SQL Server, there is a corresponding six-segment resource description. For details, refer to TencentDB for SQL Server CAM-supported interfaces.
      2. Click Next, name your custom policy, and assign the policy to the target sub-account.
      3. Click Complete to finish the authorization.

      Step 2: Enable CAM verification

      There are two scenarios for enabling CAM verification: enabling CAM verification when creating an account and enabling CAM verification for an existing account. You can follow the steps below for each scenario.
      Scenario 1: Enabling CAM verification when creating an account
      Scenario 2: Enabling CAM verification for an existing account
      1. Log in to the TencentDB for SQL Server console.
      2. In the instance list, click Instance ID or click Manage in the Operation column to enter the instance management page.
      3. On the instance management page, choose Account Management > Create Account, enter relevant information in the pop-up window, and click OK after confirmation.
      Note:
      For detailed steps on creating an account with different permissions, refer to Account Management. The following describes the steps related to enabling CAM verification.
      Enable CAM verification: Turn on the switch for "Enable CAM verification", read the important notice in the pop-up window, and click OK.
      1. Log in to the TencentDB for SQL Server console.
      2. In the instance list, click Instance ID or click Manage in the Operation column to enter the instance management page.
      3. On the instance management page, choose Account Management.
      4. On the account management page, find the target account and click Enable CAM Verification in its operations column.
      5. Read the important notice in the pop-up window, and then click OK.

      Step 3: Obtain the password through code calling in the application

      Once the account has the relevant CAM permission specifications and CAM verification is enabled, you can obtain the password through code calling in Java or other languages in the application to connect to the database instance.
      1. In the Tencent Cloud console, query the APPID of the account on the Account Information page.
      
      2. Obtain the SecretID and SecretKey in CAM Console > API Key Management.
      3. Use the following code in the application.
      <dependency>
      <groupId>com.tencentcloudapi</groupId>
      <artifactId>tencentcloud-dbauth-sdk-java</artifactId>
      <version>1.0.3</version>
      </dependency>
      Example of obtaining the password through code calling
      package com.tencentcloud.dbauth;
      import com.tencentcloudapi.common.Credential;
      import com.tencentcloud.dbauth.model.GenerateAuthenticationTokenRequest;
      import com.tencentcloudapi.common.exception.TencentCloudSDKException;
      
      public class GenerateDBAuthentication {
      
          public static void main(String[] args) {
              // Define the parameters for the authentication token.
              String region = "<Instance region>";
              String instanceId = "<Instance ID>";
              String userName = "<Account Name>";
              // Get the credentials from the environment variables.
              Credential credential = new Credential(System.getenv("<TENCENTCLOUD_SECRET_ID>"), System.getenv("<TENCENTCLOUD_SECRET_KEY>"));
      
              System.out.println(getAuthToken(region, instanceId, userName, credential));
          }
      
          public static String getAuthToken(String region, String instanceId, String userName, Credential credential) {
              try {
                  // Build a GenerateAuthenticationTokenRequest.
                  GenerateAuthenticationTokenRequest tokenRequest = GenerateAuthenticationTokenRequest.builder()
                          .region(region)
                          .credential(credential)
                          .userName(userName)
                          .instanceId(instanceId)
                          .build();
      
                  return DBAuthentication.generateAuthenticationToken(tokenRequest);
      
              } catch (TencentCloudSDKException e) {
                  e.printStackTrace();
              }
              return "";
          }
      }
      <Instance region>: Replace with the region of the instance you need to access, for example, ap-guangzhou.
      <Instance ID>: Replace with the ID of the instance you need to access.
      <Username>: Replace with the actual username to log in.
      <TENCENTCLOUD_SECRET_ID>: Replace with the SecretID obtained from the CAM console.
      <TENCENTCLOUD_SECRET_KEY>: Replace with the SecretKey obtained from the CAM console.

      Step 4: Use the identity token to connect to TencentDB for SQL Server

      Note:
      Using the JDBC driver for connection is the standard way for Java programs to connect to relational databases. Detailed installation and connection methods for the JDBC driver can be found in Using the JDBC Driver.
      After obtaining the identity token AuthToken in Step 3, you can use it to connect to TencentDB for SQL Server. The following connection command is an example for connecting to the database using JDBC.
      String connectionUrl = "jdbc:sqlserver://localhost:1433;databaseName=<Database name>;user=<Username>;password=<Password>;encrypt=false;";
      Connection con = DriverManager.getConnection(connectionUrl);
      <Database name>: Replace with the name of the database you need to access.
      <Username>: Replace with the actual username to log in.
      <Password>: Replace with the AuthToken obtained in Step 3.

      Appendix 1: Resetting Password

      When the CAM verification feature is enabled for the account, you can update the password through the password reset operation. If the account is set to change the password every 12 hours, you can immediately update the password before the rotation cycle is reached by performing the password reset operation.
      Note:
      Note that the current login credentials will become invalid after the password is reset. You need to check whether the database access status meets expectations.
      1. Log in to the TencentDB for SQL Server console.
      2. In the instance list, click Instance ID or click Manage in the Operation column to enter the instance management page.
      3. On the instance management page, choose Account Management.
      4. On the account management page, find the target account and click Reset Password in its operations column.
      5. Read the risk warning in the pop-up window, and then click OK.

      Appendix 2: Disabling CAM Verification

      Note:
      After disabling CAM verification, you will not be able to obtain access credentials through CAM. Please update your password promptly.
      1. Log in to the TencentDB for SQL Server console.
      2. In the instance list, click Instance ID or click Manage in the Operation column to enter the instance management page.
      3. On the instance management page, choose Account Management.
      4. On the account management page, find the target account and click Disable CAM Verification in its operations column.
      5. In the pop-up window, enter the new password and confirm the password, and then click OK.
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy