Authorization by Resource ID
Last updated: 2024-01-23 17:59:15

Overview

This document describes how to grant permissions by resource ID so that the sub-user cvmtest01 can manage only the resource-level APIs of the CVM instance ins-duglsqg0. For background, see the Overview.

Policy Content

To grant permissions by resource ID to implement the above need, use the following policy content. 12345678 stands for the UIN of the root account; the first statement scopes all CVM APIs to the two resources, and the second statement grants the operation-level APIs that carry no specific resource:
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "cvm:*"
      ],
      "resource": [
        "qcs::cvm::uin/12345678:instance/ins-duglsqg0",
        "qcs::cvm::uin/12345678:image/img-eb30mz89"
      ]
    },
    {
      "effect": "allow",
      "action": [
        "vpc:DescribeVpcEx",
        "vpc:DescribeNetworkInterfaces",
        "cvm:DescribeCbsStorages"
      ],
      "resource": [
        "*"
      ]
    }
  ]
}

Directions

Step 1. Use the admin account to create a policy and configure permissions

1. Log in to the CAM console with the admin account. On the Policy page, create a custom policy with the policy generator as instructed in Creating Custom Policy > Creating by policy generator, and configure it as follows:
Effect: Allowed
Service: CVM
Operation: All
Resource: Specific Resources > Add a custom six-segment resource description. Enter the resource prefixes instance and image with the resource IDs ins-duglsqg0 and img-eb30mz89 respectively.
Note:
How to determine the resource prefix: the CVM six-segment resource description is listed in CAM APIs supported by CVM.
In addition to CVM APIs, the CVM product page also calls APIs of other Tencent Cloud products such as VPC. In this example you can skip them and generate the policy directly; during actual operations, add such APIs as prompted in CAM.
2. Click Next, name the policy cvm-test01, and grant it to the sub-account cvmtest01.
3. Click Complete.

Step 2. Use the sub-account to log in and verify permissions

1. Log in to the CVM console with the sub-user account and enter the instance list page. The page prompts that DescribeVpcEx and relevant resource permissions of VPC are missing.
2. Contact the admin account to add such permissions to the policy as prompted.

Step 3. Use the admin account to adjust the policy content

1. Use the root account to find the DescribeVpcEx API in the list of CAM APIs supported by VPC and verify that the API is at the operation level.
2. On the Policy page in the CAM console, find the cvm-test01 policy and click its name to enter the policy details page.
3. On the policy syntax tab, click Edit and add the API to the policy in the form of an operation-level authorization, that is, a separate statement that lists the API in action and uses "*" as its resource.

Before adding:

After adding:


4. Repeat Step 2: log in with the sub-account cvmtest01 and verify permissions again. The console now reports that DescribeNetworkInterfaces and the related VPC resource permissions are still missing. Check the list of CAM APIs supported by VPC and verify that the DescribeNetworkInterfaces API is also at the operation level.
5. Repeat Step 3 to adjust the policy content until the system no longer reports errors. The eventual policy content is the policy shown under Policy Content above, with DescribeVpcEx, DescribeNetworkInterfaces and DescribeCbsStorages in the operation-level statement.


Note:
When writing a CAM policy that targets a specific resource, keep resource-level API authorization and operation-level API authorization in separate statements; multiple operation-level APIs can share one statement.
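The following Python script is an added example and is not Tencent Cloud code or the CAM service's real evaluator. It replays the policy from the Policy Content section against the matching rules this page describes, to show why the resource-scoped statement (cvm:*) and the operation-level statement (resource "*") have to be kept separate. The evaluation rules are assumptions drawn from the page: an empty segment in a six-segment description is unrestricted, "*" matches everything, an operation-level API is evaluated against the resource "*", and an explicit deny wins over allow. The action names StartInstances and ResetInstancesPassword are CVM API names that are not on this page, and the region ap-guangzhou and the instance ID ins-other001 are constructed placeholders.

```python
import fnmatch
import json

# Constructed copy of the policy from this page, with the inline "//" comment
# removed so it parses as JSON. 12345678 stands for the root account UIN.
POLICY_JSON = """
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": ["cvm:*"],
      "resource": [
        "qcs::cvm::uin/12345678:instance/ins-duglsqg0",
        "qcs::cvm::uin/12345678:image/img-eb30mz89"
      ]
    },
    {
      "effect": "allow",
      "action": [
        "vpc:DescribeVpcEx",
        "vpc:DescribeNetworkInterfaces",
        "cvm:DescribeCbsStorages"
      ],
      "resource": ["*"]
    }
  ]
}
"""


def load_policy() -> dict:
    """Parse the policy document; json.loads rejects '//' comments, so keep them out."""
    return json.loads(POLICY_JSON)


def split_six_segments(qcs: str) -> list:
    """Split qcs:project_id:service_type:region:account:resource into its 6 parts."""
    parts = qcs.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-segment resource description: {qcs!r}")
    return parts


def resource_matches(pattern: str, resource: str) -> bool:
    """Match a requested resource against one policy resource entry.

    Assumed rules: "*" matches everything; an empty policy segment (e.g. region)
    is unrestricted; '*' inside a segment is a wildcard. An operation-level API
    carries no specific resource and is evaluated as "*", which only a "*" entry
    can match, so such APIs need their own statement (the note in Step 3).
    """
    if pattern == "*":
        return True
    if resource == "*":
        return False
    return all(
        p == "" or fnmatch.fnmatchcase(r, p)
        for p, r in zip(split_six_segments(pattern), split_six_segments(resource))
    )


def action_matches(pattern: str, action: str) -> bool:
    """Actions are service:ApiName; the pattern may contain '*' (e.g. cvm:*)."""
    return fnmatch.fnmatchcase(action, pattern)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return "allow" or "deny": implicit deny, explicit deny overrides allow."""
    decision = "deny"
    for stmt in policy["statement"]:
        actions = stmt["action"] if isinstance(stmt["action"], list) else [stmt["action"]]
        resources = stmt["resource"] if isinstance(stmt["resource"], list) else [stmt["resource"]]
        if not any(action_matches(a, action) for a in actions):
            continue
        if not any(resource_matches(r, resource) for r in resources):
            continue
        if stmt["effect"] == "deny":
            return "deny"  # an explicit deny ends evaluation
        decision = "allow"
    return decision


def check_scenario() -> dict:
    """Replay the page's scenario: ins-duglsqg0 is manageable, other instances are not."""
    policy = load_policy()
    # Constructed request resources; ap-guangzhou and ins-other001 are placeholders.
    own = "qcs::cvm:ap-guangzhou:uin/12345678:instance/ins-duglsqg0"
    other = "qcs::cvm:ap-guangzhou:uin/12345678:instance/ins-other001"
    return {
        "start_own_instance": evaluate(policy, "cvm:StartInstances", own),
        "reset_own_password": evaluate(policy, "cvm:ResetInstancesPassword", own),
        "start_other_instance": evaluate(policy, "cvm:StartInstances", other),
        "describe_vpc": evaluate(policy, "vpc:DescribeVpcEx", "*"),
        "describe_subnets": evaluate(policy, "vpc:DescribeSubnets", "*"),
        "cvm_wildcard_no_resource": evaluate(policy, "cvm:StartInstances", "*"),
    }


if __name__ == "__main__":
    for name, decision in check_scenario().items():
        print(f"{name:26s} {decision}")
```

The last entry in check_scenario() is the point of the Step 3 note: even though cvm:* matches every CVM action, a request without a specific resource cannot be satisfied by the resource-scoped statement, so operation-level APIs such as DescribeCbsStorages must be listed in a statement whose resource is "*". Conversely, the resource-scoped statement keeps cvm:* from reaching ins-other001.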

Step 4. Verify the result

Log in with the sub-user cvmtest01 and verify the policy again; the expected effect is achieved. The sub-user cvmtest01 can now start, shut down, restart, rename, and reset the password of the CVM instance ins-duglsqg0.

