tencent cloud

$0 14-Day TrialExperience EdgeOne for acceleration and security protection!

Feedback

Tencent Kubernetes Engine

Using TKE Preset Policy Authorization

Last updated: 2024-12-11 18:50:30
This document describes the preset policies offered by Tencent Kubernetes Engine (TKE). It shows you how to associate sub-accounts with preset policies to grant specific permissions. You can use this document as a reference to configure preset policies that are in line with your particular business needs.

TKE Preset Policies

You can grant relevant permissions to sub-accounts by using the following preset policies:
Policy
Description
QcloudTKEFullAccess
This policy grants full read/write access permissions for TKE, including permissions for TKE and related CVMs, CLBs, VPCs, monitors, and user groups.
QcloudTKEInnerFullAccess
This policy grants full access permission for TKE. However, since TKE involves the use of many products, we recommend configuring QcloudTKEFullAccess.
QcloudTKEReadOnlyAccess
This policy grants read-only permission for TKE.
The following preset policies are used to grant permissions for specific TKE services. We do not recommend associating the following preset policies with a sub-account:
Policy
Description
QcloudAccessForCODINGRoleInAccessTKE
This policy grants the relevant TKE permissions for the Coding service.
QcloudAccessForIPAMDofTKERole
This policy grants the relevant ENI permissions for the TKE service.
QcloudAccessForIPAMDRoleInQcloudAllocateEIP
This policy grants the relevant EIP permissions for the TKE service.
QcloudAccessForTKERole
This policy grants the relevant CVM, Tag, CLB, and CLS permissions for the TKE service.
QcloudAccessForTKERoleInCreatingCFSStorageclass
This policy grants the relevant CFS permissions for the TKE service.
QcloudAccessForTKERoleInOpsManagement
This policy associates the TKE service role (TKE_QCSRole) so that TKE can access other Tencent Cloud services, including CLS.

Associating Sub-accounts with Preset Policies

When setting user permissions during the creation of a sub-account, you can associate preset policies with the sub-account by direct association or association via group.

Direct association

By directly associating your sub-account with a policy, the sub-account obtains the permissions contained in the policy. The direct association process is outlined below:
1. Log in to the CAM console and select Users -> User List on the left sidebar.
2. On the User List page, find the target sub-account and click Grant Permission in the Operation column.
3. On the Associate Policies page, select the policies that you want to associate.
4. Click OK.

Association via group

By adding your sub-account to a user group, the sub-account automatically obtains the permissions that are associated with the user group. To disassociate the sub-account from the policies of the group, you simply need to remove the sub-account from the user group. The group association process is outlined below:
1. Log in to the CAM console and select Users -> User List on the left sidebar.
2. On the User List page, find the target sub-account and choose More -> Add to Group in the Operation column.
3. On the Add to Group page, select the target user group.
4. Click OK.

Logging in to the sub-account for verification

Log in to the TKE console to verify that the features corresponding to the associated policies can be used and/or accessed properly. If so, this indicates that the sub-account was successfully authorized.
Contact Us

Contact our sales team or business advisors to help your business.

Technical Support

Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

7x24 Phone Support
Hong Kong, China
+852 800 906 020 (Toll Free)
United States
+1 844 606 0804 (Toll Free)
United Kingdom
+44 808 196 4551 (Toll Free)
Canada
+1 888 605 7930 (Toll Free)
Australia
+61 1300 986 386 (Toll Free)
EdgeOne hotline
+852 300 80699
More local hotlines coming soon