Authorizing by using custom policies

This document describes how to configure custom policies in Tencent Kubernetes Engine (TKE) and grant sub-accounts specific permissions. Reference this document to create custom policies that best fit your business requirements.
Policy Syntax Description
The following figure shows the structure of the policy syntax.
﻿
﻿
action: indicates an API.
resource: indicates a resource.
Note: 
 You can define the policy syntax on your own, or create a custom policy by using the policy generator in CAM. You can configure a custom policy based on the following example.
Configuring a Sub-account's Administrative Permissions for a Single TKE Cluster
Use tags to grant full permissions for a batch of clusters to a sub-account
Configuring TKE API Permissions
This section describes multiple features, their sub-features, corresponding Tencent Cloud APIs, APIs for indirect calls, resource levels for permission control, and Action fields of clusters and node modules.
Cluster modules
The following table describes the mappings between features and APIs.
  Feature 
Sub-feature
Corresponding Tencent Cloud API
API for Indirect Calls
Resource Level for Permission Control
Action Field
Creating an empty cluster
Selecting a Kubernetes version
Selecting a runtime component
Selecting a VPC
Setting a container network
Selecting a custom image
Setting IPVS
tke:CreateCluster
cam:GetRole account:DescribeUserData account:DescribeWhiteList tag:GetTagKeys cvm:GetVmConfigQuota vpc:DescribeVpcEx cvm:DescribeImages
API-level permissions are required for creating a cluster.
VPC-level permissions are required for obtaining a VPC list.
"tke:CreateCluster", "cam:GetRole", "tag:GetTagKeys", "cvm:GetVmConfigQuota", "vpc:DescribeVpcEx", "cvm:DescribeImages"
Using an existing CVM to create a managed cluster
Creating an empty cluster to include features
Using an existing CVM as a node
Mounting a security group
Mounting a data disk
Enabling automatic adjustment
﻿
cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs
API-level permissions are required for creating a cluster.
CVM-level permissions are required for obtaining a CVM list.
"tke:CreateCluster", "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs"
Using an existing CVM to create a self-deployed cluster
Creating an empty cluster to include features
Using an existing CVM as a node
Using an existing CVM as Control Plane & ETCD
Mounting a security group
Mounting a data disk
Enabling automatic adjustment
﻿
cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs
API-level permissions are required for creating a cluster.
VPC-level permissions are required for obtaining a VPC list.
CVM-level permissions are required for obtaining a CVM list.
"tke:CreateCluster", "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs"
Automatically creating a CVM to create a managed cluster
Creating an empty cluster to include features
Purchasing a CVM as a node
Mounting a security group
Mounting a data disk
Enabling automatic adjustment
﻿
cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages
API-level permissions are required for creating a cluster.
VPC-level permissions are required for obtaining a VPC list.
"cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:CreateCluster"
Automatically creating a CVM to create a self-deployed cluster
Creating an empty cluster to include features
Purchasing a CVM as a node
Purchasing a CVM as Control Plane & ETCD
Mounting a security group
Mounting a data disk
Enabling automatic adjustment
﻿
cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages
API-level permissions are required for creating a cluster.
VPC-level permissions are required for obtaining a VPC list.
"cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:CreateCluster"
Querying a cluster list
-
tke:DescribeClusters
-
Cluster-level permissions are required for obtaining a cluster list.
"tke:DescribeClusters"
Displaying cluster credentials
-
tke:DescribeClusterSecurity
-
Cluster-level permissions are required for displaying cluster credentials.
"tke:DescribeClusterSecurity"
Enabling/Disabling the private network/Internet access URL of a cluster
Creating an Internet access port for a managed cluster
Creating a cluster access port
Modifying security policies for the Internet access port of a managed cluster
Querying the Internet access port enabling status of a managed cluster
Deleting the Internet access port of a managed cluster
Deleting a cluster access port
tke:CreateClusterEndpointVip tke:CreateClusterEndpoint tke:ModifyClusterEndpointSP tke:DescribeClusterEndpointVipStatus tke:DescribeClusterEndpointStatus tke:DeleteClusterEndpointVip tke:DeleteClusterEndpoint
-
Cluster-level permissions are required for enabling or disabling cluster access.
-
Deleting a cluster
-
tke:DeleteCluster
tke:DescribeClusterInstances tke:DescribeInstancesVersion tke:DescribeClusterStatus
Cluster-level permissions are required for deleting a cluster.
"tke:DescribeClusterInstances", "tke:DescribeInstancesVersion", "tke:DescribeClusterStatus", "tke:DeleteCluster"
Node modules
The following table describes the mappings between features and APIs.
  Feature 
Sub-feature
Corresponding Tencent API
API for Indirect Calls
Resource Level for Permission Control
Action Field
Adding an existing node
Adding an existing node to a cluster
Resetting a data disk
Setting a security group
tke:AddExistedInstances
cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs cvm:ModifyInstancesAttribute tke:DescribeClusters
Cluster-level permissions are required for adding an existing node.
CVM-level permissions are required for obtaining a CVM list.
"cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs", "tke:DescribeClusters", "tke:AddExistedInstances"
Creating a node
Creating a node and adding it to a cluster
Resetting a data disk
Setting a security group
tke:CreateClusterInstances
cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages tke:DescribeClusters
Cluster-level permissions are required for creating a node.
"cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:DescribeClusters"
Node list
Viewing a cluster node list
tke:DescribeClusterInstances
cvm:DescribeInstances tke:DescribeClusters
Cluster-level permissions are required for viewing a node list.
CVM-level permissions are required for obtaining a CVM list.
"cvm:DescribeInstances", "tke:DescribeClusters", "tke:DescribeClusterInstances"
Deleting a node
-
tke:DeleteClusterInstances
cvm:TerminateInstances tke:DescribeClusters
Cluster-level permissions are required for viewing a node list.
CVM-level permissions are required for obtaining a CVM list.
The termination policy of a node is required for terminating the node.
"cvm:TerminateInstances", "tke:DescribeClusters", "tke:DeleteClusterInstances"
﻿

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

Feature	Sub-feature	Corresponding Tencent Cloud API	API for Indirect Calls	Resource Level for Permission Control	Action Field
Creating an empty cluster	Selecting a Kubernetes version Selecting a runtime component Selecting a VPC Setting a container network Selecting a custom image Setting IPVS	tke:CreateCluster	cam:GetRole account:DescribeUserData account:DescribeWhiteList tag:GetTagKeys cvm:GetVmConfigQuota vpc:DescribeVpcEx cvm:DescribeImages	API-level permissions are required for creating a cluster. VPC-level permissions are required for obtaining a VPC list.	"tke:CreateCluster", "cam:GetRole", "tag:GetTagKeys", "cvm:GetVmConfigQuota", "vpc:DescribeVpcEx", "cvm:DescribeImages"
Using an existing CVM to create a managed cluster	Creating an empty cluster to include features Using an existing CVM as a node Mounting a security group Mounting a data disk Enabling automatic adjustment			cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs	API-level permissions are required for creating a cluster. CVM-level permissions are required for obtaining a CVM list.	"tke:CreateCluster", "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs"
Using an existing CVM to create a self-deployed cluster	Creating an empty cluster to include features Using an existing CVM as a node Using an existing CVM as Control Plane & ETCD Mounting a security group Mounting a data disk Enabling automatic adjustment			cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs	API-level permissions are required for creating a cluster. VPC-level permissions are required for obtaining a VPC list. CVM-level permissions are required for obtaining a CVM list.	"tke:CreateCluster", "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs"
Automatically creating a CVM to create a managed cluster	Creating an empty cluster to include features Purchasing a CVM as a node Mounting a security group Mounting a data disk Enabling automatic adjustment			cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages	API-level permissions are required for creating a cluster. VPC-level permissions are required for obtaining a VPC list.	"cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:CreateCluster"
Automatically creating a CVM to create a self-deployed cluster	Creating an empty cluster to include features Purchasing a CVM as a node Purchasing a CVM as Control Plane & ETCD Mounting a security group Mounting a data disk Enabling automatic adjustment			cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages	API-level permissions are required for creating a cluster. VPC-level permissions are required for obtaining a VPC list.	"cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:CreateCluster"
Querying a cluster list	-	tke:DescribeClusters	-	Cluster-level permissions are required for obtaining a cluster list.	"tke:DescribeClusters"
Displaying cluster credentials	-	tke:DescribeClusterSecurity	-	Cluster-level permissions are required for displaying cluster credentials.	"tke:DescribeClusterSecurity"
Enabling/Disabling the private network/Internet access URL of a cluster	Creating an Internet access port for a managed cluster Creating a cluster access port Modifying security policies for the Internet access port of a managed cluster Querying the Internet access port enabling status of a managed cluster Deleting the Internet access port of a managed cluster Deleting a cluster access port	tke:CreateClusterEndpointVip tke:CreateClusterEndpoint tke:ModifyClusterEndpointSP tke:DescribeClusterEndpointVipStatus tke:DescribeClusterEndpointStatus tke:DeleteClusterEndpointVip tke:DeleteClusterEndpoint	-	Cluster-level permissions are required for enabling or disabling cluster access.	-
Deleting a cluster	-	tke:DeleteCluster	tke:DescribeClusterInstances tke:DescribeInstancesVersion tke:DescribeClusterStatus	Cluster-level permissions are required for deleting a cluster.	"tke:DescribeClusterInstances", "tke:DescribeInstancesVersion", "tke:DescribeClusterStatus", "tke:DeleteCluster"

Feature	Sub-feature	Corresponding Tencent API	API for Indirect Calls	Resource Level for Permission Control	Action Field
Adding an existing node	Adding an existing node to a cluster Resetting a data disk Setting a security group	tke:AddExistedInstances	cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs cvm:ModifyInstancesAttribute tke:DescribeClusters	Cluster-level permissions are required for adding an existing node. CVM-level permissions are required for obtaining a CVM list.	"cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs", "tke:DescribeClusters", "tke:AddExistedInstances"
Creating a node	Creating a node and adding it to a cluster Resetting a data disk Setting a security group	tke:CreateClusterInstances	cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages tke:DescribeClusters	Cluster-level permissions are required for creating a node.	"cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:DescribeClusters"
Node list	Viewing a cluster node list	tke:DescribeClusterInstances	cvm:DescribeInstances tke:DescribeClusters	Cluster-level permissions are required for viewing a node list. CVM-level permissions are required for obtaining a CVM list.	"cvm:DescribeInstances", "tke:DescribeClusters", "tke:DescribeClusterInstances"
Deleting a node	-	tke:DeleteClusterInstances	cvm:TerminateInstances tke:DescribeClusters	Cluster-level permissions are required for viewing a node list. CVM-level permissions are required for obtaining a CVM list. The termination policy of a node is required for terminating the node.	"cvm:TerminateInstances", "tke:DescribeClusters", "tke:DeleteClusterInstances"

tencent cloud

New User Offers

Next-Generation CDN：EdgeOne

Elasticsearch Service Special Offers

Free Tier

Tencent Cloud Startup Program

Special Offers

Lighthouse Special Offers

Cloud Object Storage Special Offers

Featured Products

New Products

Education

Tencent Cloud Online Education Solutions

Gaming

Gaming Solution

Game Media Solutions

Financial Services

Financial Services Solution

Audio & Video

Audio/Video Solution

LVB Recording Solution

Interactive Classroom Solution

Interactive Live Streaming Solution

Audio Chat Social Networking Solution

Real Estate

Tencent Cloud LinkBase(Weiling)

E-commerce

E-commerce retail solutions

Compute

Cloud Virtual Machine

Auto Scaling

Batch Compute

CVM Dedicated Host

Database

TencentDB for MySQL

TencentDB for Redis®

TencentDB for CTSDB

TDSQL for MySQL

Data Transfer Service

TencentDB for MongoDB

TencentDB for PostgreSQL

TencentDB for SQL Server

TencentDB for TcaplusDB

Video Service

Cloud Streaming Services

Video on Demand

Media Processing Service

Cloud Application Rendering

Cloud Contact Center

Game Multimedia Engine

Chat

Real-time Communication

Tencent Effect SDK

AI and Machine Learning

Image Creation Large Model

Face Fusion

eKYC

Optical Character Recognition

Video Creation Large Model

Industry Applications

Tencent HealthCare Omics Platform

Container and Middleware

TDMQ for CKafka

Serverless Cloud Function

Tencent Kubernetes Engine

Tencent Kubernetes Engine for Serverless

Networking

Cloud Load Balancer

Virtual Private Cloud

Direct Connect

Cloud Connect Network

NAT Gateway

VPN Connection

Bandwidth Package

Anycast Internet Acceleration

Elastic Network Interface

Flow Logs

Global Application Acceleration Platform

Security

Captcha