tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Serverless Cloud Function
    Documentation
    Download PDF

    Account and Permission Configuration

    Last updated: 2024-12-02 19:27:44
    Download PDF
      Currently, Serverless Framework can deploy a project properly only with the relevant role permissions in the SLS_QcsRole role under the account. This role contains the policies for products that are used in deployment with Serverless Framework. You can configure the permissions for a root account or sub-account.

      Root Account Permission Configuration

      Currently, you can grant permissions by configuring the account key. As the root account has the permissions to create roles and bind policies, you can associate it with SLS_QcsRole for Serverless Framework access in the following way:

      Authorization through account key configuration

      If you want to configure persistent environment variables/key information so that you do not need to deploy them by scanning the code every time, you can create a .env file under the project directory and save the SecretId and SecretKey information.
      # .env
      TENCENT_SECRET_ID=123  // Your `SecretId` 
      TENCENT_SECRET_KEY=123 // Your `SecretKey`
      Serverless Framework will check whether the user is in Mainland China by default during deployment. If your development environment is outside Mainland China and you want to use Serverless Framework in the Mainland China edition, you can add the following configuration in the .env file to start the Mainland China edition by default, which provides an interactive quick deployment process (for more information, please see Getting Started).
      # .env
      TENCENT_SECRET_ID=123
      TENCENT_SECRET_KEY=123
      SERVERLESS_PLATFORM_VENDOR=tencent
      Note:
      If you don't have a Tencent Cloud account yet, please sign up first.
      If you already have a Tencent Cloud account, you can get SecretId and SecretKey in API Key Management.

      Sub-account Permission Configuration

      If you want to grant a sub-account the permission to deploy by scanning code, you need to ensure that the sub-account has permissions to create roles and bind role policies. You can add the preset policy QcloudCamRoleFullAccess or QcloudCamSubaccountsAuthorizeRoleFullAccess to the sub-account.
      You can also add SLS_QcsRole by using the root account in the CAM Console to grant access to Serverless Framework resources. The role entity is sls.cloud.tencent.com, which includes the following policy permissions:
      QcloudCDNFullAccess
      QcloudTCBFullAccess
      QcloudSLSFullAccess
      QcloudSSLFullAccess
      QcloudCKafkaFullAccess
      QcloudMonitorFullAccess
      QcloudVPCFullAccess
      QcloudCOSFullAccess
      QcloudAPIGWFullAccess
      QcloudSCFFullAccess
      After the creation is successful, the root account needs to bind the following two policies to the sub-account:
      1. Call permission policy of a specified role
      2. API permission policy of Serverless Framework

      Granting sub-account permission to call specified role

      1. On the CAM User List page, select the target sub-account and click the username to enter the user details page.
      2. Click Associate Policy. On the policy adding page, click Select policies from the policy list.
      3. Click Create Custom Policy > Create by Policy Syntax > Blank Template and enter the following content. Be sure to replace the role parameter with your own uin (account ID):
      {
       "version": "2.0",
       "statement": [
           {
               "action": [
                   "cam:PassRole"
               ],
               "resource": [
                   "qcs::cam::uin/000000000000:roleName/SLS_QcsRole"
               ],
               "effect": "allow"
           }
       ]
      }
      4. Click OK to grant the sub-account the permission to manipulate SLS_QcsRole.

      Granting sub-account permission to use APIs of Serverless Framework

      Two authorization methods are provided below for your reference:

      Method 1. Grant the sub-account permission to manipulate all Serverless Framework resources

      1. On the CAM User List page, select the target sub-account and click the username to enter the user details page.
      2. Click Associate Policy. On the policy adding page, click Select policies from the policy list.
      3. Search for and associate with QcloudSLSFullAccess and click Next.
      4. Click OK to grant the sub-account the permission to manipulate all Serverless Framework resources. The policy syntax is as follows:
      {
       "version": "2.0",
       "statement": [
           {
               "action": [
                   "sls:*"
               ],
               "resource": "*",
               "effect": "allow"
           }
       ]
      }

      Method 2. Grant the sub-account permission to manipulate specific Serverless Framework resources

      You can allow a sub-account to manipulate only specific Serverless Framework resources in the following steps:
      1. On the CAM User List page, select the target sub-account and click the username to enter the user details page.
      2. Click Associate Policy. On the policy adding page, click Select policies from the policy list.
      3. Click Create Custom Policy, create a custom policy based on the policy syntax, and associate it to the user. The sample policy syntax is as shown below:
      {
       "version": "2.0",
       "statement": [
           {
               "action": [
                   "sls:*"
               ],
               "resource": "qcs::sls:ap-guangzhou::appname/${appname}/stagename/${stagename}",
               "effect": "allow"
           }
       ]
      }
      After the configuration is completed, the sub-account will have the permission to manipulate serverless applications only under ${appname} and ${stagename}.
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy