tencent cloud

Feedback

SSL Certificate Service

Last updated: 2024-11-26 10:00:45

    Service roles and service-linked roles are predefined by Tencent Cloud services and, upon user authorization, the corresponding services can access and use resources by assuming these service-linked roles. This document provides detailed information on the use cases and associated authorization policies of these specific service-linked roles.

    Product Role Name Role Types Role Entity
    SSL Certification SSL_QCSLinkedRoleInCertificateWaf Service-Related Roles certificatewaf.ssl.cloud.tencent.com
    SSL Certification SSL_QCSLinkedRoleInCertificateDependence Service-Related Roles certificatedependence.ssl.cloud.tencent.com
    SSL Certification SSL_QCSLinkedRoleInReplaceLoadCertificate Service-Related Roles replaceloadcertificate.ssl.cloud.tencent.com
    SSL Certification SSL_QCSLinkedRoleInCertificateCloudMonitor Service-Related Roles certificatecloudmonitor.ssl.cloud.tencent.com
    SSL Certification SSL_QCSLinkedRoleInDescribeDeployedResources Service-Related Roles describedeployedresources.ssl.cloud.tencent.com

    SSL_QCSLinkedRoleInCertificateWaf

    Use Cases: The current role is the SSL service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
    Authorization Polices

    • Policy Name: QcloudAccessForSSLLinkedRoleInCertificateWaf
    • Policy Information:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "waf:DescribeSpartaProtectionList",
                    "waf:DescribeSpartaProtectionInfo",
                    "waf:DescribeUserInstances",
                    "waf:DescribeUserQPS",
                    "waf:DescribePeakPoints",
                    "waf:AddSpartaProtection",
                    "waf:DeleteSpartaProtection",
                    "waf:ModifySpartaProtection",
                    "waf:ModifyProtectionStatus",
                    "waf:DescribeDomains"
                ],
                "resource": [
                    "*"
                ]
            }
        ]
    }
    

    SSL_QCSLinkedRoleInCertificateDependence

    Use Cases: The current role is the SSL service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
    Authorization Polices

    • Policy Name: QcloudAccessForSSLLinkedRoleInCertificateDependence
    • Policy Information:
    {
        "statement": [
            {
                "action": [
                    "dnspod:CreateRecord",
                    "dnspod:DescribeDomain",
                    "dnspod:CreateDomain",
                    "dnspod:DescribeRecordList",
                    "dnspod:DeleteRecord",
                    "dnspod:DescribeDomain",
                    "dnspod:ModifyRecordStatus"
                ],
                "effect": "allow",
                "resource": "*"
            }
        ],
        "version": "2.0"
    }
    

    SSL_QCSLinkedRoleInReplaceLoadCertificate

    Use Cases: The current role is the SSL service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
    Authorization Polices

    • Policy Name: QcloudAccessForSSLLinkedRoleInReplaceLoadCertificate
    • Policy Information:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "clb:ReplaceCertForLoadBalancers",
                    "waf:DescribeCertificatedDomain",
                    "waf:ModifyCertificatedDomain",
                    "live:DescribeLiveDomainsByCerts",
                    "live:ModifyLiveDomainCertBindings",
                    "antiddos:DescribeL7RulesBySSLCertId",
                    "antiddos:CreateL7RuleCerts",
                    "clb:DescribeLoadBalancerListByCertId",
                    "clb:DescribeLoadBalancers",
                    "clb:DescribeListeners",
                    "clb:ModifyListener",
                    "clb:ModifyDomainAttributes",
                    "clb:DescribeTaskStatus",
                    "cos:GetBucketDomain",
                    "cos:GetBucketDomainCertificate",
                    "cos:GetService",
                    "cos:PutBucketDomainCertificate",
                    "tke:DescribeClusters",
                    "tke:AcquireClusterAdminRole",
                    "tke:AcquireEKSClusterAdminRole",
                    "lighthouse:DescribeSupportHttpsInstances",
                    "lighthouse:InstallCertificate",
                    "lighthouse:DescribeInstallCertificateTasks",
                    "vod:DescribeVodDomainsByCertIds",
                    "vod:ModifyVodDomainCertBindings",
                    "vod:UpdateCertForVodDomains",
                    "clb:DescribeLoadBalancerCount",
                    "teo:ModifyHostsCertificateByHosts",
                    "teo:DescribeHostsByCertID",
                    "tcb:DescribeEnvs",
                    "tcb:DescribeCloudBaseGWService",
                    "tcb:DescribeHostingDomain",
                    "tcb:BindCloudBaseAccessDomain",
                    "tcb:CreateHostingDomain",
                    "tcb:ModifyCloudBaseAccessDomain",
                    "tcb:ModifyHostingDomain",
                    "tse:ModifyCloudNativeAPIGatewayCertificate",
                    "tse:DescribeCloudNativeAPIGatewayCertificates",
                    "tse:DescribeCloudNativeAPIGateways",
                    "cdn:DescribeCdnDomainsByCerts",
                    "cdn:UpdateDomainHttps",
                    "tcm:DescribeMeshList",
                    "tcm:DescribeIstioGatewayList",
                    "tcm:ModifyGatewayCert"
                ],
                "resource": [
                    "*"
                ]
            }
        ]
    }
    

    SSL_QCSLinkedRoleInCertificateCloudMonitor

    Use Cases: The current role is the SSL service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
    Authorization Polices

    • Policy Name: QcloudAccessForSSLLinkedRoleInCertificateCloudMonitor
    • Policy Information:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "resource": [
                    "*"
                ],
                "action": [
                    "monitor:CreateAlarmPolicy",
                    "monitor:DeleteAlarmPolicy",
                    "monitor:DescribeAlarmPolicies",
                    "monitor:ModifyAlarmPolicyStatus",
                    "monitor:BindingPolicyObject",
                    "monitor:UnBindingPolicyObject",
                    "monitor:ModifyAlarmPolicyNotice",
                    "monitor:CreateAlarmNotice",
                    "monitor:DeleteAlarmNotices",
                    "monitor:ModifyAlarmNotice",
                    "monitor:DescribeAlarmNotices",
                    "monitor:UnBindingAllPolicyObject"
                ]
            }
        ]
    }
    

    SSL_QCSLinkedRoleInDescribeDeployedResources

    Use Cases: The current role is the SSL service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
    Authorization Polices

    • Policy Name: QcloudAccessForSSLLinkedRoleInDescribeDeployedResources
    • Policy Information:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "clb:ReplaceCertForLoadBalancers",
                    "waf:DescribeCertificatedDomain",
                    "waf:ModifyCertificatedDomain",
                    "live:DescribeLiveDomainsByCerts",
                    "live:ModifyLiveDomainCertBindings",
                    "antiddos:DescribeL7RulesBySSLCertId",
                    "antiddos:CreateL7RuleCerts",
                    "clb:DescribeLoadBalancerListByCertId",
                    "cdn:UpdateDomainsCertificate",
                    "teo:DescribeHostsByCertID",
                    "teo:ModifyHostsCertificateByHosts"
                ],
                "resource": [
                    "*"
                ]
            }
        ]
    }
    
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support