Cloud Object Storage
- Release Notes and Announcements
- Announcements
- Product Introduction
- Purchase Guide
- Billing Method
- Billable Items
- Metadata Acceleration Fees
- Data Processing Fees
- Getting Started
- Console Guide
- Bucket Management
- Domain Name Management
- Object Management
- Folder Management
- Monitoring Reports
- Data Processing
- Image Processing
- File Processing
- Media Processing
- Function Service
- Content Moderation
- Automatic Moderation
- Historical data moderation
- Data Processing Workflow
- User Tools
- COSBrowser
- COSCLI (Beta)
- Common Commands
- Online Auxiliary Tools
- Practical Tutorial
- Access Control and Permission Management
- Performance Optimization
- Data Migration
- Data Disaster Recovery and Backup
- Domain Name Management Practice
- Image Processing
- Audio/Video Practices
- Direct Data Upload
- Content Moderation
- Data Verification
- Big Data Practice
- Using COS in the Third-party Applications
- Developer Guide
- Creating Request
- Object
- Uploading Object
- Downloading Object
- Copying Objects
- Deleting Objects
- Data Management
- Lifecycle Management
- Data Disaster Recovery
- Versioning
- Using Versioning
- Cross-Bucket Replication
- Data Security
- Cloud Access Management
- Access Permission Configuration Description
- Access Control Overview
- Access Control Methods
- Access Policy Language
- Using CDN to Accelerate Access
- Batch Operation
- Performing Batch Operation
- Global Acceleration
- Data Workflow
- Data Lake Storage
- Cloud Native Datalake Storage
- Metadata Accelerator
- Big Data Security
- GooseFS
- Key Features
- Deployment Guide
- OPS Guide
- Logging Guide
- Data Processing
- Image Processing
- Media Processing
- Troubleshooting
- Resource Access Error
- API Documentation
- Service APIs
- Bucket APIs
- Basic Operations
- Access Control List (acl)
- Cross-Origin Resource Sharing (cors)
- Bucket Policy (policy)
- Hotlink Protection (referer)
- Static Website (website)
- Intelligent Tiering
- Bucket inventory(inventory)
- Cross-Bucket Replication(replication)
- Log Management(logging)
- Global Acceleration (Accelerate)
- Bucket Encryption (encryption)
- Custom Domain Name (Domain)
- Origin-Pull (Origin)
- Object APIs
- Basic Operations
- Access Control List (acl)
- Multipart Upload
- Batch Operation APIs
- Data Processing APIs
- Image Processing
- Basic Image Processing
- AI-Based Content Recognition
- Queue APIs
- Service Configuration
- Media Processing
- Media Screenshot API
- Media Information API
- Private M3U8 API
- File Processing
- File Transcoding
- Async Processing Job APIs
- Async Processing Queue APIs
- File Processing
- Hash Calculation
- File Decompression
- Multi-File Zipping
- Job and Workflow
- Workflow APIs
- Workflow Instance
- Job APIs
- Media Processing
- Canceling Media Processing Job
- Querying Media Processing Job
- Media Processing Job Callback
- Image Processing
- Submit Image Processing Job
- Canceling Image Processing Job
- Querying Image Processing Job
- Multi-Job Processing
- Submitting Multiple Jobs
- AI-Based Content Recognition
- Submitting Content Recognition Job
- Querying Content Recognition Job
- Content Recognition Job Callback
- Sync Media Processing
- Media Screenshot API
- Template APIs
- Media Processing
- Creating Media Processing Template
- Deleting Media Processing Template
- Querying Media Processing Template
- Updating Media Processing Template
- AI-Based Content Recognition
- Creating AI-Based Content Recognition Template
- Querying AI-Based Content Recognition Template
- Updating AI-Based Content Recognition Template
- Batch Job APIs
- Callback Content
- Appendix
- Content Moderation APIs
- Image Moderation
- Video Moderation
- Audio Moderation
- Text Moderation
- Submitting Virus Detection Job
- SDK Documentation
- Android SDK
- Object Operations
- Remote Disaster Recovery
- Cloud Access Management
- Data Verification
- Image Processing
- C SDK
- Object Operations
- Data Management
- Cloud Access Management
- Content Moderation
- Data Verification
- C++ SDK
- Cross-Region Disaster Recovery
- Data Management
- Cloud Access Management
- Data Verification
- Content Moderation
- .NET(C#) SDK
- Bucket Operations
- Object Operations
- Cross-Region Disaster Recovery
- Cloud Access Management
- Image Processing
- SDK for Flutter
- Object Operations
- Go SDK
- Bucket Operations
- Object Operations
- Cross-Region Disaster Recovery
- Cloud Access Management
- Data Verification
- File Processing
- Image Processing
- iOS SDK
- Object Operations
- Cross-region Disaster Recovery
- Cloud Access Management
- Image Processing
- Content Recognition
- Speech Recognition
- Java SDK
- Object Operations
- Cross-Region Disaster Recovery
- Cloud Access Management
- File Processing
- Media Processing
- AI-Based Content Recognition
- JavaScript SDK
- Object Operations
- File Processing
- Remote disaster-tolerant
- Data Management
- Cloud Access Management
- Data Verification
- Image Processing
- Node.js SDK
- Object Operations
- Remote disaster-tolerant
- Cloud Access Management
- Data Verification
- Image Processing
- PHP SDK
- Object Operations
- Bucket Operations
- Remote disaster-tolerant
- Cloud Access Management
- Image Processing
- Media Processing
- Document Processing
- File Processing
- Job APIs
- Template APIs
- Python SDK
- Object Operations
- Server-Side Encryption
- Cross-Region Disaster Recovery
- Cloud Access Management
- Content Recognition
- React Native SDK
- Object Operations
- Mini Program SDK
- Object Operations
- Remote disaster-tolerant
- Cloud Access Management
- Data Verification
- Content Moderation
- Image Processing
- FAQs
- Bucket Configuration
- Domain Names and CDN
- Object Operations
- Data Processing
- Related Agreements
- Appendices
- Historical version
DocumentationCloud Object StoragePractical TutorialAccess Control and Permission ManagementCAM Practices
CAM Practices
Last updated: 2024-03-25 15:11:18
Overview
Cloud Access Management (CAM) is a Tencent Cloud authentication and authorization service that helps you manage the access to your Tencent Cloud resources. You can manage authorized objects, resources, and operations and set policies to control access when granting permissions.
Features
Granting access to resources under the root account
You can grant the access to resources under your root account to other users, including sub-accounts and other root accounts, without sharing the identity credentials of your root account.
Granular permission management
Different access permissions of different resources can be granted to different users. For example, some sub-accounts can be granted the read access to a COS bucket, while some other sub-accounts or root accounts can be granted the write access to a COS object. Such resources, access permissions, and users can all be managed in batch.
Eventual consistency
CAM currently supports data sync across Tencent Cloud regions by copying policies. CAM policies can be modified timely, but it may take some time for those policies synced across regions to take effect. In addition, CAM uses cache (currently valid for one minute) to improve the performance, and any policy update does not take effect until the cache expires.
Use Cases
Enterprise sub-account permission management
Enterprises may need to grant the minimal access permission of their cloud resources to all kinds of employees. Assume that an enterprise owns many cloud resources (CVM/VPC/CDN instances, COS buckets/objects, etc.) and many employees (developers, testers, Ops engineers, etc.).
Developers and testers need the read/write permissions of project-specific cloud resources on development servers and test servers respectively, while Ops engineers are responsible for the purchase and daily operations of such servers. If the duty or project of an employee changes, the corresponding permissions should be terminated.
Cross-enterprise permission management
There are cases where enterprises may need to share their cloud resources. For example, enterprise A has many cloud resources and wants to focus on product R&D, so it outsources the operations of its cloud resources to enterprise B, and it needs to revoke all the granted permissions as soon as the outsourcing service contract is terminated.
Policy Syntax
A CAM policy consists of several elements and is used to describe specific information on authorization. Core elements include principal, action, resource, condition, and effect. For more information, see Overview.
Note:
There is no particular sequence in the description of policy syntax. However, note that the action element is case-sensitive.
If there are no particular conditions required, the condition element is optional.
You can define the principal element only through policy management APIs or policy syntax parameters but not in the console.
Core elements
Core Element | Description | Required |
version | Specifies the version of the policy syntax. Valid value: 2.0. | Yes |
principal | Describes the entity to be authorized by the policy, including users (developers, sub-accounts, anonymous users) and user groups | This element can be used only in policy management APIs and policy syntax parameters. |
statement | Describes the details of a permission or a permission set defined by other elements including effect, action, resource, and condition. One policy has only one statement. | Yes |
action | Describes the action to be allowed or denied, which can be an API operation or a set of API operations. This element is case-sensitive, such as name/cos:GetService. | Yes |
resource | Describes the resource to which the permission applies. A resource is described in a six-segment format. Detailed resource definitions vary by product. For more information on how to specify a resource, see the documentation of the product for which you are writing a resource statement. | Yes |
condition | Describes the condition for the policy to take effect. A condition consists of the operator, action key, and action value. A condition value may be time, IP address, etc. Some services allow you to specify additional values in a condition. | No |
effect | Describes whether the statement result is "allow" or "deny". | Yes |
Policy limits
Item | Upper Limit |
Number of user groups under a root account | 300 |
Number of sub-accounts under a root account | 1,000 |
Number of roles under a root account | 1,000 |
Number of user groups that a sub-account can be added to | 10 |
Number of root accounts with which a collaborator can be associated | 10 |
Number of sub-accounts in a user group | 100 |
Number of custom policies that can be created under a root account | 1,500 |
Number of policies that can be directly associated with a user, user group, or role | 200 |
Number of characters in a policy syntax | 4,096 |
Sample policy
The policy in this example allows the sub-account with ID 100000000011 under the root account with ID 100000000001 (APPID: 1250000000) to upload and download objects regarding the
examplebucket-bj bucket in Beijing region and the exampleobject object in the examplebucket-gz bucket in Guangzhou region, on condition that the access IP falls within the IP range 10.*.*.10/24.{"version": "2.0","principal": {"qcs": ["qcs::cam::uin/100000000001:uin/100000000011"]},"statement": [{"effect": "allow","action": ["name/cos:PutObject", "name/cos:GetObject"],"resource": ["qcs::cos:ap-beijing:uid/1250000000:examplebucket-bj-1250000000/*","qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-gz-1250000000/exampleobject"],"condition": {"ip_equal": {"qcs:ip": "10.*.*.10/24"}}}]}
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No