tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Cloud Message Queue
    Documentation
    Download PDF

    Setting Permissions in Console

    Last updated: 2024-12-18 16:03:47
    Download PDF

      Overview

      This document describes how to grant a user with CMQ permissions by taking write permissions for message consumption and batch message consumption of the CMQ queue model as an example.

      Permission Description

      After CAM is connected, a sub-account can only view lists by default without any other operation permissions (the sub-account key is used for console login). The sub-account can get access permission only after it is authorized by the root account in CAM.
      If the sub-account wants to view monitoring data in the console, it needs the permissions of Cloud Monitor APIs, which can be granted in CAM.

      Directions

      Creating a sub-user

      1. Log in to the CAM console, select Users > User List, and click Create User on the upper left corner.
      2. On the Create User page, you can choose Create Now or Custom Create to create a sub-user. For detailed directions, see Creating a Custom Sub-user.
      3. After successful creation, you can view the newly created sub-user in Users > User List.

      Creating a custom policy

      You can create a custom policy to grant the permissions of a specific API. The following takes the write permission (message consumption and batch message consumption) of CMQ queues as an example:
      1. Log in to the CAM console, go to Policies from the left sidebar, and click Create Custom Policy on the upper left corner.
      2. Select Create by Policy Generator in the pop-up dialog box.
      3. Provide the following information in the Visual Policy Generator tab.
      Service (required): select CmqQueue (cmqqueue) (if it is not found, please confirm whether you have activated the CMQ service).
      Action (required): select the actions you want to authorize.
      Resource (required): enter the six-segment description of the resource you want to authorize, for example, qcs::cmqqueue:bj:uin/1238423:queueName/uin/3232/myqueue. For more information, see Authorization of CAM-Enabled APIs.
      The first segment is always qcs.
      The second segment is empty.
      The third segment is the message queue type, which should be cmqqueue for queue model or cmqtopic for topic model.
      The fourth segment is the region information, such as gz, bj, or sh. If you want to specify all regions, leave this segment empty.
      The fifth segment is uin/{root account uin} of the root account.
      The sixth segment is the resource description, which should be queueName/uin/{creator Uin}/{queue name} for queue model or topicName/uin/{creator Uin}/{topic name} for topic model. You can find the creator Uin on the details page in the console or in the returned value of createUin of the GetQueueAttributes or GetTopicAttributes API.
      Condition (optional): set the conditions that must be met for the authorization to take effect for the sub-account. For more information, see Condition.
      
      4. Click Add Statement > Next to go to the policy editing page.
      5. On the policy editing page, set the policy name, add description, and confirm the policy content. The policy name and content are automatically generated by the console.
      Policy Name: policygen by default. The suffix number is generated based on the creation date and can be customized.
      Policy Content: corresponds to the service and actions selected in step 3. You can modify the content as needed.
      
      6. Click Done to complete the custom policy creation .
      7. In the policy list, select the target policy, click Associated Users/Groups in the Action column, select the users or user groups to associate, and click Confirm to complete the configuration.
      
      For more information about CAM policies, see Policy.
      Note:
      The list API permissions of CMQ are all enabled by default (i.e., you can view the specific resource lists in the CMQ console after logging in). You can use the permissions to control what resource content can be displayed.

      Authorizations of CAM-Enabled APIs

      List of APIs supporting authorization at resource level

      API Name
      API Description
      Resource Type
      Example of Resource Six-Segment Description
      ClearSubscriptionFilterTags
      Clears the message tags of a subscriber.
      Subscription API
      qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name}
      CreateSubscribe
      Creates a subscription API.
      Subscription API
      qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name}
      DeleteSubscribe
      Deletes a subscription.
      Subscription API
      qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name}
      ModifySubscriptionAttribute
      Modifies subscription attributes.
      Subscription API
      qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name}
      CreateTopic
      Creates a topic.
      Topic API
      qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name}
      DeleteTopic
      Deletes a topic.
      Topic API
      qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name}
      ModifyTopicAttribute
      Modifies topic attributes.
      Topic API
      qcs::cmqqueue:$region:uin/{root account uin}:topicName/uin/{creator Uin}/{topic name}
      ClearQueue
      Clears the messages in a queue.
      Queue API
      qcs::cmqqueue:$region:uin/{root account uin}:queueName/uin/{creator Uin}/{queue name}
      CreateQueue
      Creates a queue.
      Queue API
      qcs::cmqqueue:$region:uin/{root account uin}:queueName/uin/{creator Uin}/{queue name}
      DeleteQueue
      Deletes a queue.
      Queue API
      qcs::cmqqueue:$region:uin/{root account uin}:queueName/uin/{creator Uin}/{queue name}
      ModifyQueueAttribute
      Modifies queue attributes.
      Queue API
      qcs::cmqqueue:$region:uin/{root account uin}:queueName/uin/{creator Uin}/{queue name}

      List of APIs not supporting authorization at resource level

      API Name
      API Description
      Resource Type
      Example of Resource Six-Segment Description
      DescribeSubscriptionDetail
      Queries subscription details.
      Subscription API
      *
      DescribeTopicDetail
      Queries topic details.
      Topic API
      *
      DescribeDeadLetterSourceQueues
      Enumerates the source queues of a dead letter queue.
      Queue API
      *
      DescribeQueueDetail
      Enumerates queues.
      Queue API
      *
      RewindQueue
      Rewinds a queue.
      Queue API
      *
      UnbindDeadLetter
      Unbinds a dead letter queue.
      Queue API
      *
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy