Overview
This document describes how to grant permissions by resource ID to allow the sub-user cvmtest01
only to manage the resource-level APIs of ins-duglsqg0
.
For more information, see overview >> Policy Content
To grant permissions by resource ID to implement the above need, use the following policy content:
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cvm:*"
],
"resource": [
"qcs::cvm::uin/12345678:instance/ins-duglsqg0",
"qcs::cvm::uin/12345678:image/img-eb30mz89"
]
},
{
"effect": "allow",
"action": [
"vpc:DescribeVpcEx",
"vpc:DescribeNetworkInterfaces",
"cvm:DescribeCbsStorages"
],
"resource": [
"*"
]
}
]
}
Directions
Effect: Allowed
Service: CVM
Operation: All
Resource: Specific Resources > Add a custom six-segment resource description
Enter the resource prefixes instance
and image
and resource IDs ins-duglsqg0
and img-eb30mz89
respectively.
Note:
How to determine the resource prefix: You can view the CVM six-segment resource description in CAM APIs supported by CVM.
In addition to CVM APIs, APIs of other Tencent Cloud products such as VPC will also be used on the CVM product page. In this example, you can skip them and directly generate the policy. However, during actual operations, you need to add such APIs as prompted in CAM.
2. Click Next, name the policy cvm-test01
, and grant it to the sub-account cvmtest01
.
Step 2. Use the sub-account to log in and verify permissions
1. Log in to the CVM console with the sub-user account and enter the instance list page. The page prompts that DescribeVpcEx
and relevant resource permissions of VPC are missing. 2. Contact the admin account to add such permissions to the policy as prompted.
Step 3. Use the admin account to adjust the policy content
1. Use the root account to find the DescribeVpcEx
API in the list of CAM APIs supported by VPC and verify that the API is at the operation level.
2. On the Policy page in the CAM console, find the cvm-test01
policy and click its name to enter the policy details page. 3. In the policy syntax, click Edit and add API authorization to the policy details in the format of operation-level API authorization.
Before adding:
After adding:
4. Repeat step 2 to use the sub-account cvmtest01
to verify permissions again, and you can see that DescribeNetworkInterfaces
and relevant resource access permissions of VPC are still missing. View the list of CAM APIs supported by VPC and verify that the DescribeNetworkInterfaces
API is at the operation level. 5. Repeat step 3 to adjust the policy content until the system no longer reports errors.
The eventual policy content is as follows:
Note:
When writing a CAM policy, if you want to manipulate a specific resource, you need to separate the resource-level API authorization from operation-level API authorization, but you can put multiple operation-level APIs together.
Step 4. Verify the result
Use the sub-user cvmtest01
to verify the policy again, and the expected effect is achieved.
At this point, the sub-user cvmtest01
can start, shut down, restart, rename, and reset the password of the CVM instance.
Was this page helpful?