Overview
This document describes how to grant permissions by tag to allow the sub-user cvmtest01
only to manage the resource-level API permissions of ins-duglsqg0
.
For details, see Overview. Policy Content
To grant permissions by tag as needed, you can use the following policy content:
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cvm:*",
"vpc:DescribeVpcEx",
"vpc:DescribeNetworkInterfaces"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"game&webpage"
]
}
}
}
]
}
Directions
Authorized user: cvmtest01
Bound tag: game:webpage
Operation permissions: All CVM operation permissions and the DescribeVpcEx
and DescribeNetworkInterfaces
permissions of VPC. If you are not sure what other APIs are involved, see Authorization by Resource ID > Step 3. 2. Click Next and enter a policy name.
Step 2: Verify the result
1. Log in to the CVM console as the sub-user cvmtest01
and access the instance list page.
Then the sub-user cvmtest01
can start, shut down, restart, rename, and reset the password of the CVM instance.
Was this page helpful?