tencent cloud

Overview

This document describes how to grant a user with CMQ permissions by taking write permissions for message consumption and batch message consumption of the CMQ queue model as an example.

Permission Description

After CAM is connected, a sub-account can only view lists by default without any other operation permissions (the sub-account key is used for console login). The sub-account can get access permission only after it is authorized by the root account in CAM.

If the sub-account wants to view monitoring data in the console, it needs the permissions of Cloud Monitor APIs, which can be granted in CAM.

Directions

Creating a sub-user

1. Log in to the CAM console, select Users > User List, and click Create User on the upper left corner.
2. On the Create User page, you can choose Create Now or Custom Create to create a sub-user. For detailed directions, see Creating a Custom Sub-user.
3. After successful creation, you can view the newly created sub-user in Users > User List.

Creating a custom policy

You can create a custom policy to grant the permissions of a specific API. The following takes the write permission (message consumption and batch message consumption) of CMQ queues as an example:

1. Log in to the CAM console, go to Policies from the left sidebar, and click Create Custom Policy on the upper left corner.

2. Select Create by Policy Generator in the pop-up dialog box.

3. Provide the following information in the Visual Policy Generator tab.

   • Service (required): select CmqQueue (cmqqueue) (if it is not found, please confirm whether you have activated the CMQ service).
   • Action (required): select the actions you want to authorize.
   • Resource (required): enter the six-segment description of the resource you want to authorize, for example, qcs::cmqqueue:bj:uin/1238423:queueName/uin/3232/myqueue. For more information, see [Authorization of CAM-Enabled APIs](#Authorization of CAM-Enabled APIs).
     • The first segment is always qcs.
     • The second segment is empty.
     • The third segment is the message queue type, which should be cmqqueue for queue model or cmqtopic for topic model.
     • The fourth segment is the region information, such as gz, bj, or sh. If you want to specify all regions, leave this segment empty.
     • The fifth segment is uin/{root account uin} of the root account.
     • The sixth segment is the resource description, which should be queueName/uin/{creator Uin}/{queue name} for queue model or topicName/uin/{creator Uin}/{topic name} for topic model. You can find the creator Uin on the details page in the console or in the returned value of createUin of the GetQueueAttributes or GetTopicAttributes API.
   • Condition (optional): set the conditions that must be met for the authorization to take effect for the sub-account. For more information, see Condition.

   

4. Click Add Statement > Next to go to the policy editing page.

5. On the policy editing page, set the policy name, add description, and confirm the policy content. The policy name and content are automatically generated by the console.

   • Policy Name: policygen by default. The suffix number is generated based on the creation date and can be customized.
   • Policy Content: corresponds to the service and actions selected in step 3. You can modify the content as needed.

   

6. Click Done to complete the custom policy creation .

7. In the policy list, select the target policy, click Associated Users/Groups in the Action column, select the users or user groups to associate, and click Confirm to complete the configuration.
   

For more information about CAM policies, see Policy.

Note：

The list API permissions of CMQ are all enabled by default (i.e., you can view the specific resource lists in the CMQ console after logging in). You can use the permissions to control what resource content can be displayed.

Authorizations of CAM-Enabled APIs

List of APIs supporting authorization at resource level

List of APIs not supporting authorization at resource level