
Getting Access Authorization

Last updated: 2024-09-09 21:17:10

    CAM Basic Concepts

    The root account authorizes sub-accounts by associating policies. These policies can be set with precision across various dimensions, including **[API, Resource, User/User Group, Allow/Deny, and Condition]**.

    Account System

    Root account: It owns all Tencent Cloud resources and can access any of its resources.
    Sub-account: It includes sub-users and collaborators.
    Sub-user: It is created and fully owned by a root account.
    Collaborator: It already has a root account identity and is added as a collaborator under another root account. This user then becomes a sub-account of the current root account but can switch back to their original root account identity.
    Identity credential: It includes login credentials and access certificates. Login credential refers to a user’s login name and password. Access certificate refers to TencentCloud API keys (SecretId and SecretKey).

    Resource and Permissions

    Resource: An object that is operated in Tencent Cloud Services, such as a CVM instance, a COS bucket, or a VPC instance.
    Permissions: It is an authorization that allows or forbids users to perform certain operations. By default, the root account has full access to all resources under the account, while a sub-account does not have access to any resources under its root account.
    Policy: It is a syntax rule that defines and describes one or more permissions. The root account performs authorization by associating policies with users/user groups.

    Using CKafka with Sub-Accounts

    When you use CKafka with sub-accounts, two types of permissions need to be granted:
    1. Using CKafka involves accessing other cloud product resources of the user (VPC, CVM, etc.), for example to view information about the availability zone where the user’s subnet is located. Therefore, sub-accounts need to be granted permissions to access these other cloud products. For detailed operations, see Step 1: Granting the Sub-Account Permissions to Access Other Cloud Products.
    2. The sub-account also needs to obtain read and write permissions to use CKafka. For detailed operations, see Step 2: Granting the Sub-Account Permissions to Use CKafka .

    Step 1: Granting the Sub-Account Permissions to Access Other Cloud Products

    Creating a New Custom Policy to Access Other Cloud Products

    1. Log in to the CAM Console (https://console.tencentcloud.com/cam/overview!4169448268cee04eb156e3de8cf8c971) with the root account.
    2. In the left sidebar, select Policies , click Create Custom Policy .
    3. In the pop-up window for selecting policy creation method, select Create by Policy Syntax to enter the policy syntax creation page.
    4. On the Create by Policy Syntax page, select Policy Template , and click Next .
    5. Refer to the API table and policy syntax below to grant the sub-account the permissions it needs on other cloud products, create the custom policy, fill in all required information, and click Complete.
    The following cloud products are involved in CKafka usage. The root account needs to authorize the sub-account for each of them separately so that the corresponding CKafka features work. The custom policy should include the following cloud product API calls related to CKafka:
    Cloud Products | API Name | API Function | Operations Affecting the TSE platform
    Cloud Virtual Machine (CVM) | DescribeZones | Querying Availability Zones | It is used to view the availability zone of a subnet when the instance is created.
    Virtual Private Cloud (VPC) | DescribeVpcs | Query VPC list | It is used to select the VPC of the instance access address when the instance is created.
    Virtual Private Cloud (VPC) | DescribeSubnets | Query VPC list | It is used to select the subnet of the instance access address when the instance is created.
    TCOP (Monitor) | GetMonitorData | Obtain metric monitoring data | It is used to view monitoring data in CKafka.
    TCOP (Monitor) | DescribeDashboardMetricData | Obtain metric monitoring data | It is used to view monitoring data in CKafka.
    The policy syntax example is as follows:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "cvm:DescribeZones",
                    "vpc:DescribeVpcEx",
                    "vpc:DescribeSubnetEx",
                    "monitor:GetMonitorData",
                    "monitor:DescribeDashboardMetricData"
                ],
                "resource": [
                    "*"
                ]
            }
        ]
    }
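    Before attaching a hand-written policy, it is worth checking it offline: that the JSON is valid (a stray trailing comma makes the whole document unparseable), that every statement carries an effect, action list and resource list, that the allow statements actually cover every API action from the table above, and which statements grant the broad "*" resource scope. The following script is an added example written for this page, not a Tencent Cloud tool; the REQUIRED_ACTIONS set mirrors the table above using the action names from the policy syntax example, and the two sample policies are constructed here for illustration.

```python
"""Offline checker for a Tencent Cloud CAM policy document (added example,
not Tencent Cloud tooling).  It parses the JSON, validates the fields used
by the CKafka policy, reports required actions that no allow statement
grants, and lists statements whose resource scope is the wildcard "*".
"""
import json
from fnmatch import fnmatchcase
from typing import Dict, List, Set

# Cloud-product actions from the table above, in CAM "<service>:<Action>" form.
# The VPC entries use the action names that appear in the policy syntax example.
REQUIRED_ACTIONS: Set[str] = {
    "cvm:DescribeZones",
    "vpc:DescribeVpcEx",
    "vpc:DescribeSubnetEx",
    "monitor:GetMonitorData",
    "monitor:DescribeDashboardMetricData",
}

# Constructed sample: every required action is present, resource scope is "*".
COMPLETE_POLICY = """{
  "version": "2.0",
  "statement": [{
    "effect": "allow",
    "action": ["cvm:DescribeZones", "vpc:DescribeVpcEx", "vpc:DescribeSubnetEx",
               "monitor:GetMonitorData", "monitor:DescribeDashboardMetricData"],
    "resource": ["*"]
  }]
}"""

# Constructed sample: the CVM action was forgotten and monitor is granted via
# a service-level wildcard, which CAM action matching allows.
INCOMPLETE_POLICY = """{
  "version": "2.0",
  "statement": [{
    "effect": "allow",
    "action": ["vpc:DescribeVpcEx", "vpc:DescribeSubnetEx", "monitor:*"],
    "resource": ["*"]
  }]
}"""


def parse_policy(text: str) -> dict:
    """Parse and structurally validate a CAM policy; raises ValueError on defects.
    json.JSONDecodeError is a ValueError subclass, so a trailing comma is caught too."""
    policy = json.loads(text)
    if policy.get("version") != "2.0":
        raise ValueError("CAM policy 'version' must be '2.0'")
    statements = policy.get("statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("policy needs a non-empty 'statement' list")
    for i, st in enumerate(statements):
        if st.get("effect") not in ("allow", "deny"):
            raise ValueError(f"statement {i}: 'effect' must be 'allow' or 'deny'")
        for key in ("action", "resource"):
            if not isinstance(st.get(key), list) or not st[key]:
                raise ValueError(f"statement {i}: '{key}' must be a non-empty list")
    return policy


def allowed_action_patterns(policy: dict) -> Set[str]:
    """Action patterns granted by allow statements (deny statements are ignored)."""
    return {a for st in policy["statement"] if st["effect"] == "allow"
            for a in st["action"]}


def missing_actions(policy: dict, required: Set[str] = REQUIRED_ACTIONS) -> List[str]:
    """Required actions that no allow-pattern matches ('*' wildcards honoured)."""
    patterns = allowed_action_patterns(policy)
    return sorted(a for a in required
                  if not any(fnmatchcase(a, p) for p in patterns))


def wildcard_resource_statements(policy: dict) -> List[int]:
    """Indexes of statements that grant the '*' resource scope."""
    return [i for i, st in enumerate(policy["statement"]) if "*" in st["resource"]]


def report(text: str) -> Dict[str, object]:
    """One-call summary suitable for a pre-attach review."""
    policy = parse_policy(text)
    return {
        "missing_actions": missing_actions(policy),
        "wildcard_resource_statements": wildcard_resource_statements(policy),
    }


if __name__ == "__main__":
    for name, text in (("complete", COMPLETE_POLICY), ("incomplete", INCOMPLETE_POLICY)):
        print(name, report(text))
```

    The resource wildcard is not an error for this particular policy, because the listed Describe APIs are read-only queries that are not resource-scoped, but the checker surfaces it so that a reviewer sees every statement that grants account-wide scope before the policy is attached to a sub-account.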

    Associating the Custom Policy with the Sub-Account

    1. Log in to the CAM Console with the root account.
    2. On the left sidebar, click Policies to enter the policy management page.
    3. On the right side, click Custom Policy for filtering, find the custom policy created in Step 1.1, and click Associate User/User Group/Role in the Operation column.
    
    4. Select the sub-account to be granted these permissions, and click OK to complete the authorization.
    
    5. Click OK to complete the authorization. The policy will appear in the user's policy list.
    
    
    Step 2: Granting the Sub-Account Permissions to Use CKafka

    See the following documents for related operations:

    
    