This document describes how to grant your sub-account permission to all resources under a tag and how to grant your sub-account permission to bind only a tag key.
Note:
The resource_tag
grants permission to all resources under a tag, while request_tag
grants a sub-account permission to only bind a tag key. However, this does not take effect on the console lists and related APIs.
Granting permission to all resources under a tag key (resource_tag)
Overview
If your organization has purchased multiple Tencent Cloud resources, and the resources are managed by tag groups, you may want to grant permission to all resources associated with a tag key (resource_tag).
Suppose that:
There is a sub-account Operator
under the enterprise account CompanyExample
.
There is a tag key Operation under the enterprise account CompanyExample
.
The enterprise account CompanyExample
wants to grant the sub-account Operator
permission to all resources under the tag key Operation.
Directions
1. Log in to the CAM console with the enterprise account CompanyExample
. 3. Select Blank Template under the Select a template type, then click Next to proceed to the editing policy page.
4. On the editing policy page, fill in the following form:
Policy Name: It defaults to policygen-current date
. It is recommended to define a unique and meaningful policy name, such as Operator-resource_tag
.
Description: Optional, write it yourself.
Policy Content: Copy the following content and fill it out. Among them, operation
is the tag key name which can be Chinese or English and false
is a fixed tag value.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": "*",
"resource": "*",
"condition": {
"null_equal": {
"qcs:resource_tag/operation": "false"
}
}
}
]
}
5. Click Complete to create the policy. The newly created policy will be displayed on the policy list page.
6. In the Policies List, search for the policy you just created, and then click Associate User/Group/Role in the operation column on the right. 7. In the pop-up Associate User/Group/Role window, search for and select the sub-account Operator
, then click OK to complete the permission.
The Operator
sub-account will possess all the permission under the Operation tag.
Granting a sub-account permission to bind a tag Key (request_tag)
Overview
If your organization has purchased multiple Tencent Cloud resources, and the resources are managed by tag groups, you may want to grant permission to all resources associated with a tag key (request_tag).
Suppose that:
There is a sub-account Developer
under the enterprise account CompanyExample
.
There is a tag key Development under the enterprise account CompanyExample
.
The enterprise account CompanyExample
wants to grant the sub-account Developer
permission to all resources under the tag key Development (request_tag).
Directions
1. Log in to the CAM console with the enterprise account CompanyExample
. 3. Select Blank Template under the Select a template type, then click Next to proceed to the editing policy page.
4. On the editing policy page, fill in the following form:
Policy Name: It defaults to policygen-current date
. It is recommended to define a unique and meaningful policy name, such as Developer-request_tag
.
Description: Optional, write it yourself.
Policy Content: Copy the following content and fill it out. Among them, develop
is the tag key name which can be Chinese or English and false
is the fixed tag value.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": "*",
"resource": "*",
"condition": {
"null_equal": {
"qcs:request_tag/develop": "false"
}
}
}
]
}
5. Click Complete to create the policy. The newly created policy will be displayed on the policy list page.
6. In the Policies List, search for the policy you just created, and then click Associate User/Group/Role in the operation column on the right.
7. In the pop-up Associate User/Group/Role window, search for and select the sub-account Developer
, and then click OK to complete the permission.
The Developer
sub-account will possess all the permission to bind the develop tag key.
Associated documents
Was this page helpful?