- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Application Performance Management
- Mobile App Performance Monitoring
- Real User Monitoring
- Cloud Automated Testing
- Prometheus Monitoring
- Grafana
- EventBridge
- Quick Start
- Cloud Product Monitoring
- Tencent Cloud Service Metrics
- CVM
- TKE
- Microservice
- Networking
- CBS
- TencentDB
- TencentDB for SQL Server Monitoring Metrics
- TencentDB for MySQL Monitoring Metrics
- TencentDB for Redis Monitoring Metrics
- TencentDB for MongoDB Monitoring Metrics
- TencentDB for PostgreSQL Monitoring Metrics
- TDSQL-C for MySQL Monitoring Metrics
- TencentDB for TcaplusDB Monitoring Metrics
- TencentDB for MariaDB Monitoring Metrics
- TDSQL for MySQL Monitoring Metrics (Legacy)
- TDSQL for MySQL Monitoring Metrics
- SCF
- CKafka
- TDMQ
- CLB
- COS
- CFS
- CPM
- ECM
- CDN And EdgeOne
- Direct Connect
- GAAP
- CMQ
- Elasticsearch
- WAF
- CLS
- Data Analysis
- Operation Guide
- CVM Agents
- CM Connection to Grafana
- Troubleshooting
- Practical Tutorial
- Tencent Cloud Service Metrics
- Application Performance Management
- Product Introduction
- Access Guide
- Operation Guide
- Practical Tutorial
- Parameter Information
- FAQs
- Mobile App Performance Monitoring
- Tencent Cloud Real User Monitoring
- Product Introduction
- Operation Guide
- Connection Guide
- FAQs
- Cloud Automated Testing
- Prometheus Monitoring
- Product Introduction
- Access Guide
- Scrape Configuration Description
- Custom Monitoring
- EMR Integration
- Java Application Integration
- Go Application Integration
- Exporter Integration
- Elasticsearch Exporter Integration
- Kafka Exporter Integration
- MongoDB Exporter Integration
- PostgreSQL Exporter Integration
- NGINX Exporter Integration
- Redis Exporter Integration
- MySQL Exporter Integration
- Consul Exporter Integration
- Memcached Exporter Integration
- Apache Exporter Integration
- Integration with Other Exporters
- CVM Node Exporter
- Health Check
- Cloud Monitoring
- Read Cloud-Hosted Prometheus Instance Data via Remote Read
- Agent Self-Service Access
- Pushgateway Integration
- Instructions for Installing Components in the TKE Cluster
- Security Group Open Description
- Operation Guide
- Practical Tutorial
- Terraform
- FAQs
- Grafana
- Dashboard
- Alarm Management
- FAQs
- EventBridge
- Documentation Guide
- Related Agreements
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Alarm APIs
- DescribeAlarmPolicies
- DescribeAlarmMetrics
- DescribeAlarmHistories
- CreateAlarmPolicy
- DeleteAlarmPolicy
- DescribeAlarmPolicy
- ModifyAlarmPolicyStatus
- SetDefaultAlarmPolicy
- BindingPolicyObject
- UnBindingPolicyObject
- UnBindingAllPolicyObject
- ModifyAlarmPolicyCondition
- ModifyAlarmPolicyNotice
- ModifyAlarmPolicyTasks
- DescribeMonitorTypes
- DescribeAllNamespaces
- DescribeAlarmEvents
- DescribeBindingPolicyObjectList
- ModifyAlarmPolicyInfo
- DescribeConditionsTemplateList
- Notification Template APIs
- Monitoring Data Query APIs
- Legacy Alert APIs
- Prometheus Service APIs
- DescribePrometheusInstanceUsage
- DescribeServiceDiscovery
- CreateServiceDiscovery
- UpdateAlertRuleState
- UpdateAlertRule
- DescribeAlertRules
- DeleteAlertRules
- CreateAlertRule
- DescribePrometheusInstances
- UpgradeGrafanaDashboard
- UpdatePrometheusScrapeJob
- UpdatePrometheusAgentStatus
- UpdateExporterIntegration
- UninstallGrafanaDashboard
- UnbindPrometheusManagedGrafana
- TerminatePrometheusInstances
- ModifyPrometheusInstanceAttributes
- GetPrometheusAgentManagementCommand
- DestroyPrometheusInstance
- DescribePrometheusScrapeJobs
- DescribePrometheusAgents
- DescribeExporterIntegrations
- DeletePrometheusScrapeJobs
- DeleteExporterIntegration
- CreatePrometheusScrapeJob
- CreatePrometheusAgent
- CreateExporterIntegration
- BindPrometheusManagedGrafana
- UpdateRecordingRule
- DescribeRecordingRules
- DeleteRecordingRules
- CreateRecordingRule
- CreatePrometheusMultiTenantInstancePostPayMode
- DescribePrometheusZones
- Grafana Service APIs
- UpgradeGrafanaInstance
- UpdateSSOAccount
- UpdateGrafanaWhiteList
- UpdateGrafanaNotificationChannel
- UpdateGrafanaIntegration
- UpdateGrafanaEnvironments
- UpdateGrafanaConfig
- UpdateDNSConfig
- UninstallGrafanaPlugins
- ResumeGrafanaInstance
- ModifyGrafanaInstance
- InstallPlugins
- EnableSSOCamCheck
- EnableGrafanaSSO
- EnableGrafanaInternet
- DescribeSSOAccount
- DescribeInstalledPlugins
- DescribeGrafanaWhiteList
- DescribeGrafanaNotificationChannels
- DescribeGrafanaIntegrations
- DescribeGrafanaInstances
- DescribeGrafanaEnvironments
- DescribeGrafanaConfig
- DescribeDNSConfig
- DeleteSSOAccount
- DeleteGrafanaNotificationChannel
- DeleteGrafanaIntegration
- DeleteGrafanaInstance
- CreateSSOAccount
- CreateGrafanaNotificationChannel
- CreateGrafanaIntegration
- CreateGrafanaInstance
- CleanGrafanaInstance
- DescribeGrafanaChannels
- Event Center APIs
- TencentCloud Managed Service for Prometheus APIs
- CreatePrometheusTemp
- CreatePrometheusAlertPolicy
- CreatePrometheusClusterAgent
- CreatePrometheusGlobalNotification
- DeletePrometheusTemp
- DeletePrometheusTempSync
- DeletePrometheusAlertPolicy
- DeletePrometheusClusterAgent
- DescribePrometheusAgentInstances
- DescribePrometheusAlertPolicy
- DescribePrometheusInstanceDetail
- DescribePrometheusClusterAgents
- DescribePrometheusInstanceInitStatus
- DescribePrometheusGlobalConfig
- DescribePrometheusInstancesOverview
- DescribePrometheusGlobalNotification
- DescribePrometheusRecordRules
- DescribePrometheusTemp
- DescribePrometheusTempSync
- DescribePrometheusTargetsTMP
- ModifyPrometheusTemp
- ModifyPrometheusAgentExternalLabels
- ModifyPrometheusAlertPolicy
- ModifyPrometheusGlobalNotification
- RunPrometheusInstance
- DescribeClusterAgentCreatingProgress
- SyncPrometheusTemp
- Monitoring APIs
- Data Types
- Error Codes
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Application Performance Management
- Mobile App Performance Monitoring
- Real User Monitoring
- Cloud Automated Testing
- Prometheus Monitoring
- Grafana
- EventBridge
- Quick Start
- Cloud Product Monitoring
- Tencent Cloud Service Metrics
- CVM
- TKE
- Microservice
- Networking
- CBS
- TencentDB
- TencentDB for SQL Server Monitoring Metrics
- TencentDB for MySQL Monitoring Metrics
- TencentDB for Redis Monitoring Metrics
- TencentDB for MongoDB Monitoring Metrics
- TencentDB for PostgreSQL Monitoring Metrics
- TDSQL-C for MySQL Monitoring Metrics
- TencentDB for TcaplusDB Monitoring Metrics
- TencentDB for MariaDB Monitoring Metrics
- TDSQL for MySQL Monitoring Metrics (Legacy)
- TDSQL for MySQL Monitoring Metrics
- SCF
- CKafka
- TDMQ
- CLB
- COS
- CFS
- CPM
- ECM
- CDN And EdgeOne
- Direct Connect
- GAAP
- CMQ
- Elasticsearch
- WAF
- CLS
- Data Analysis
- Operation Guide
- CVM Agents
- CM Connection to Grafana
- Troubleshooting
- Practical Tutorial
- Tencent Cloud Service Metrics
- Application Performance Management
- Product Introduction
- Access Guide
- Operation Guide
- Practical Tutorial
- Parameter Information
- FAQs
- Mobile App Performance Monitoring
- Tencent Cloud Real User Monitoring
- Product Introduction
- Operation Guide
- Connection Guide
- FAQs
- Cloud Automated Testing
- Prometheus Monitoring
- Product Introduction
- Access Guide
- Scrape Configuration Description
- Custom Monitoring
- EMR Integration
- Java Application Integration
- Go Application Integration
- Exporter Integration
- Elasticsearch Exporter Integration
- Kafka Exporter Integration
- MongoDB Exporter Integration
- PostgreSQL Exporter Integration
- NGINX Exporter Integration
- Redis Exporter Integration
- MySQL Exporter Integration
- Consul Exporter Integration
- Memcached Exporter Integration
- Apache Exporter Integration
- Integration with Other Exporters
- CVM Node Exporter
- Health Check
- Cloud Monitoring
- Read Cloud-Hosted Prometheus Instance Data via Remote Read
- Agent Self-Service Access
- Pushgateway Integration
- Instructions for Installing Components in the TKE Cluster
- Security Group Open Description
- Operation Guide
- Practical Tutorial
- Terraform
- FAQs
- Grafana
- Dashboard
- Alarm Management
- FAQs
- EventBridge
- Documentation Guide
- Related Agreements
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Alarm APIs
- DescribeAlarmPolicies
- DescribeAlarmMetrics
- DescribeAlarmHistories
- CreateAlarmPolicy
- DeleteAlarmPolicy
- DescribeAlarmPolicy
- ModifyAlarmPolicyStatus
- SetDefaultAlarmPolicy
- BindingPolicyObject
- UnBindingPolicyObject
- UnBindingAllPolicyObject
- ModifyAlarmPolicyCondition
- ModifyAlarmPolicyNotice
- ModifyAlarmPolicyTasks
- DescribeMonitorTypes
- DescribeAllNamespaces
- DescribeAlarmEvents
- DescribeBindingPolicyObjectList
- ModifyAlarmPolicyInfo
- DescribeConditionsTemplateList
- Notification Template APIs
- Monitoring Data Query APIs
- Legacy Alert APIs
- Prometheus Service APIs
- DescribePrometheusInstanceUsage
- DescribeServiceDiscovery
- CreateServiceDiscovery
- UpdateAlertRuleState
- UpdateAlertRule
- DescribeAlertRules
- DeleteAlertRules
- CreateAlertRule
- DescribePrometheusInstances
- UpgradeGrafanaDashboard
- UpdatePrometheusScrapeJob
- UpdatePrometheusAgentStatus
- UpdateExporterIntegration
- UninstallGrafanaDashboard
- UnbindPrometheusManagedGrafana
- TerminatePrometheusInstances
- ModifyPrometheusInstanceAttributes
- GetPrometheusAgentManagementCommand
- DestroyPrometheusInstance
- DescribePrometheusScrapeJobs
- DescribePrometheusAgents
- DescribeExporterIntegrations
- DeletePrometheusScrapeJobs
- DeleteExporterIntegration
- CreatePrometheusScrapeJob
- CreatePrometheusAgent
- CreateExporterIntegration
- BindPrometheusManagedGrafana
- UpdateRecordingRule
- DescribeRecordingRules
- DeleteRecordingRules
- CreateRecordingRule
- CreatePrometheusMultiTenantInstancePostPayMode
- DescribePrometheusZones
- Grafana Service APIs
- UpgradeGrafanaInstance
- UpdateSSOAccount
- UpdateGrafanaWhiteList
- UpdateGrafanaNotificationChannel
- UpdateGrafanaIntegration
- UpdateGrafanaEnvironments
- UpdateGrafanaConfig
- UpdateDNSConfig
- UninstallGrafanaPlugins
- ResumeGrafanaInstance
- ModifyGrafanaInstance
- InstallPlugins
- EnableSSOCamCheck
- EnableGrafanaSSO
- EnableGrafanaInternet
- DescribeSSOAccount
- DescribeInstalledPlugins
- DescribeGrafanaWhiteList
- DescribeGrafanaNotificationChannels
- DescribeGrafanaIntegrations
- DescribeGrafanaInstances
- DescribeGrafanaEnvironments
- DescribeGrafanaConfig
- DescribeDNSConfig
- DeleteSSOAccount
- DeleteGrafanaNotificationChannel
- DeleteGrafanaIntegration
- DeleteGrafanaInstance
- CreateSSOAccount
- CreateGrafanaNotificationChannel
- CreateGrafanaIntegration
- CreateGrafanaInstance
- CleanGrafanaInstance
- DescribeGrafanaChannels
- Event Center APIs
- TencentCloud Managed Service for Prometheus APIs
- CreatePrometheusTemp
- CreatePrometheusAlertPolicy
- CreatePrometheusClusterAgent
- CreatePrometheusGlobalNotification
- DeletePrometheusTemp
- DeletePrometheusTempSync
- DeletePrometheusAlertPolicy
- DeletePrometheusClusterAgent
- DescribePrometheusAgentInstances
- DescribePrometheusAlertPolicy
- DescribePrometheusInstanceDetail
- DescribePrometheusClusterAgents
- DescribePrometheusInstanceInitStatus
- DescribePrometheusGlobalConfig
- DescribePrometheusInstancesOverview
- DescribePrometheusGlobalNotification
- DescribePrometheusRecordRules
- DescribePrometheusTemp
- DescribePrometheusTempSync
- DescribePrometheusTargetsTMP
- ModifyPrometheusTemp
- ModifyPrometheusAgentExternalLabels
- ModifyPrometheusAlertPolicy
- ModifyPrometheusGlobalNotification
- RunPrometheusInstance
- DescribeClusterAgentCreatingProgress
- SyncPrometheusTemp
- Monitoring APIs
- Data Types
- Error Codes
- Glossary
Description of Role Permissions Related to Service Authorization
Last updated: 2024-08-07 22:06:42
When you use TMP, in order to use related Tencent Cloud resources, you will encounter a variety of scenarios that require service authorization. The
CM_QCSRole service role is mainly involved in the process of using TMP. This document describes the details, scenarios, and steps of each authorization policy by role.The preset policies associated with the
CM_QCSRole role by default include the following:QcloudAccessForCMRoleInPromHostingService: TKE permission required by TMP.
Use Cases
After you successfully create a TMP instance, you need to monitor the services running on TKE. In order to integrate the TKE service more conveniently, you need to access TKE-related APIs. In this case, your authorization is required before TKE can be normally accessed to install basic monitoring components and get their running status information.
This role doesn't need to actively look for configuration. If its permission hasn't been granted, after you successfully create a TMP instance, the authorization page will automatically pop up when you enter the Integrate with TKE page for instance management.
Authorization Steps
Authorizing by root account
1. After you successfully create a TMP instance, an authorization window will pop up when you access the Integrate with TKE page, and you need to authorize Cloud Monitor permissions as shown below:
2. Click Authorize Now in the window.
3. On the CAM > Role Management page, click Grant, and the system will prompt that the authorization is successful.
Note:
This authorization window will appear only once. If you have already authorized, it will not appear again.
Granting permissions to sub-account
After the root account completes the above authorization operations and successfully creates the
CM_QCSRole role, the sub-account doesn't have permission to access it. The sub-account must be granted the PassRole permission by the root account before it can normally access TKE in TMP; otherwise, an error will be displayed when it accesses the TKE cluster list.When granting the
PassRole permission to your sub-account, please make sure that your sub-account has the following permissions:Permission Description | Granted Policy |
The sub-account needs to be granted access to CAM before granting the PassRole permission to the sub-account by the root account can take effect | QcloudCamReadOnlyAccess or QcloudCamFullAcces |
The Cloud Monitor policy depends on the Tencent Cloud service policy; therefore, before granting the PassRole permission to the sub-account, you need to make sure that the sub-account can normally access TKE resources |
To ensure that the above permissions are granted successfully, please grant the
cam:PassRole permission to the sub-account in the following steps.1. Use the root account or a sub-account with administrative permissions to create the following custom policy:
{"version": "2.0","statement": [{"effect": "allow","action": "cam:PassRole","resource": "qcs::cam::uin/${OwnerUin}:roleName/CM_QCSRole"}]}
2. After creation, associate the sub-account with the custom policy as instructed in CAM - Authorization Management.
After granting the sub-account the
cam:PassRole permission, access the Integrate with TKE page of the corresponding TMP instance, and an authorization window will pop up.
Yes
No
Was this page helpful?