tencent cloud

Feedback

Sub-users and Authorization

Last updated: 2024-12-02 20:11:42
    Note:
    The root account needs to check on the Role page whether the SCF_QcsRole policy is associated, and if not, grant the permissions as instructed in Service Authorization in Role and Authorization; otherwise, sub-users will not be able to use the SCF console and call other Tencent Cloud resources through SCF.

    Creating a Sub-user and Granting it All SCF Permissions

    Step 1. Create a sub-user by using the root account

    1. Log in to the CAM console and select Users > User List on the left sidebar.
    2. On the User List page, select Create User > Custom to enter the Create Sub-User page.
    3. In the User Type step, after selecting Access Resources and Receive Messages, click Next to enter the user information.
    4. Enter and confirm the information as prompted and click Complete.
    Note:
    For more information, see Creating Sub-User.

    Step 2. Create a custom policy

    1. Log in to the CAM console. Click Create Custom Policy in the top-left corner.
    2. In the pop-up window, click Create by Policy Generator to go to the Edit Policy page.
    3. Select the service in the Visual Policy Generator, enter the following information, and edit an authorization statement.
    Effect: Allow
    Service: SCF
    Action: All
    Resource Description: *
    **Condition (optional)**: Empty
    4. After editing the policy authorization statement, click Next to enter the Associate User/User Group/Role page.
    5. On the Associate User/User Group/Role page, add the policy name and description, and you can associate users, user groups, or roles for quick authorization at the same time.
    6. Click Complete to complete the custom policy creation.

    Step 3. Add CAM read-only permissions for the sub-user

    1. Log in to the CAM console and enter the User List page.
    2. Locate the sub-user you want to grant permission to.
    3. Click Authorize in the Operation column on the right.
    4. In the Associate Policy pop-up window, select QcloudCamReadOnlyAccess.
    5. Click OK.

    Completion

    After the settings above are configured, you can log in to the sub-account to view the permissions. Log in to the CAM console and select Overview on the left sidebar to access the overview page and view the sub-user login address.

    Creating a Sub-user and Granting it Certain SCF Permissions

    Step 1. Create a sub-user by using the root account

    1. Log in to the CAM console and select Users > User List on the left sidebar.
    2. On the User List page, select Create User > Custom to enter the Create Sub-User page.
    3. In the User Type step, after selecting Access Resources and Receive Messages, click Next to enter the user information.
    4. Enter and confirm the information as prompted and click Complete.
    Note:
    For more information, see Creating Sub-User.

    Step 2. Create a custom policy

    1. Log in to the CAM console. Click Create Custom Policy in the top-left corner.
    2. In the pop-up window, click Create by Policy Generator to go to the Edit Policy page.
    3. Copy the code of the sample policy in SCF Policy Syntax and edit the policy content in Edit Policy > JSON.
    Note:
    The resource description in resource needs to be replaced with the ID of the root account and the names of the functions under it. The region needs to be the same as that of the functions.
    4. Click Next to enter the Associate User/User Group/Role page.
    5. On the Associate User/User Group/Role page, add the policy name and description, and you can associate users, user groups, or roles for quick authorization at the same time.
    6. Click Complete to complete the custom policy creation.

    Step 3. Add CAM read-only permissions for the sub-user

    1. Log in to the CAM console and enter the User List page.
    2. Locate the sub-user you want to grant permission to.
    3. Click Authorize in the Operation column on the right.
    4. In the Associate Policy pop-up window, select QcloudCamReadOnlyAccess.
    5. Click OK.

    Completion

    After the settings above are configured, you can log in to the sub-account to view the permissions. Click Overview on the left sidebar to access the overview page and view the sub-user login address.
    Note:
    After the policy takes effect, the current sub-account will be able to see all the function names but will only be able to operate on and view the functions listed in resource.
    
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support