During tag-based authentication, only tag key matching is supported

Last updated: 2024-01-23 17:59:15
    This document describes how to grant your sub-account permission to all resources under a tag and how to grant your sub-account permission to bind only a tag key.
    Note:
    The resource_tag grants permission to all resources under a tag, while request_tag grants a sub-account permission to only bind a tag key. However, this does not take effect on the console lists and related APIs.

    Granting permission to all resources under a tag key (resource_tag)

    Overview

    If your organization has purchased multiple Tencent Cloud resources, and the resources are managed by tag groups, you may want to grant permission to all resources associated with a tag key (resource_tag).
    Suppose that:
    There is a sub-account Operator under the enterprise account CompanyExample.
    There is a tag key Operation under the enterprise account CompanyExample.
    The enterprise account CompanyExample wants to grant the sub-account Operator permission to all resources under the tag key Operation.

    Directions

    1. Log in to the CAM console with the enterprise account CompanyExample.
    2. On the Policies page, click Create Custom Policy and then Create by Policy Syntax.
    3. Under Select a template type, select Blank Template, then click Next to go to the policy editing page.
    
    
    
    4. On the editing policy page, fill in the following form:
    Policy Name: Defaults to policygen-current date. We recommend defining a unique and meaningful policy name, such as Operator-resource_tag.
    Description: Optional. Enter your own description.
    Policy Content: Copy the following content and fill it in. Here, operation is the tag key name, which can be Chinese or English, and false is a fixed tag value.
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": "*",
                "resource": "*",
                "condition": {
                    "null_equal": {
                        "qcs:resource_tag/operation": "false"
                    }
                }
            }
        ]
    }
    5. Click Complete to create the policy. The newly created policy will be displayed on the policy list page.
    6. In the Policies List, search for the policy you just created, and then click Associate User/Group/Role in the operation column on the right.
    
    
    
    7. In the pop-up Associate User/Group/Role window, search for and select the sub-account Operator, then click OK to complete the authorization. The Operator sub-account will then have all permissions under the Operation tag.
    
    
    

    Granting a sub-account permission to bind a tag Key (request_tag)

    Overview

    If your organization has purchased multiple Tencent Cloud resources, and the resources are managed by tag groups, you may want to grant permission to all resources associated with a tag key (request_tag).
    Suppose that:
    There is a sub-account Developer under the enterprise account CompanyExample.
    There is a tag key Development under the enterprise account CompanyExample.
    The enterprise account CompanyExample wants to grant the sub-account Developer permission to all resources under the tag key Development (request_tag).

    Directions

    1. Log in to the CAM console with the enterprise account CompanyExample.
    2. On the Policies page, click Create Custom Policy and then Create by Policy Syntax.
    3. Under Select a template type, select Blank Template, then click Next to go to the policy editing page.
    
    
    4. On the editing policy page, fill in the following form:
    Policy Name: Defaults to policygen-current date. We recommend defining a unique and meaningful policy name, such as Developer-request_tag.
    Description: Optional. Enter your own description.
    Policy Content: Copy the following content and fill it in. Here, develop is the tag key name, which can be Chinese or English, and false is the fixed tag value.
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": "*",
                "resource": "*",
                "condition": {
                    "null_equal": {
                        "qcs:request_tag/develop": "false"
                    }
                }
            }
        ]
    }
    
    5. Click Complete to create the policy. The newly created policy will be displayed on the policy list page.
    6. In the Policies List, search for the policy you just created, and then click Associate User/Group/Role in the operation column on the right.
    
    
    7. In the pop-up Associate User/Group/Role window, search for and select the sub-account Developer, then click OK to complete the authorization. The Developer sub-account will then have permission to bind the develop tag key.
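
A check to run on either tag policy above before associating it with a sub-account, as an added example that is not part of the original Tencent Cloud document: it lists every tag condition in a policy and flags a wildcard allow statement with no tag condition, or a tag condition that departs from the null_equal / "false" form shown on this page. The name audit_policy and the second sample policy are constructed for illustration.

```python
import json
import re

# Condition keys shown on this page: qcs:resource_tag/<key> and qcs:request_tag/<key>
TAG_KEY_RE = re.compile(r"^qcs:(resource_tag|request_tag)/(.+)$")

# Policy copied from this page (resource_tag case).
PAGE_POLICY = '''{"version": "2.0", "statement": [{"effect": "allow", "action": "*",
 "resource": "*", "condition": {"null_equal": {"qcs:resource_tag/operation": "false"}}}]}'''

# Constructed sample (not from the page): a value-based tag condition and an unscoped statement.
CONSTRUCTED_BAD = '''{"version": "2.0", "statement": [
 {"effect": "allow", "action": "*", "resource": "*",
  "condition": {"string_equal": {"qcs:resource_tag/operation": "prod"}}},
 {"effect": "allow", "action": "*", "resource": "*"}]}'''

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy_text):
    """Return (tag_conditions, findings) for a CAM policy given as JSON text."""
    policy = json.loads(policy_text)
    tag_conditions, findings = [], []
    for idx, stmt in enumerate(_as_list(policy.get("statement", []))):
        found_here = 0
        for operator, operands in stmt.get("condition", {}).items():
            for cond_key, value in operands.items():
                m = TAG_KEY_RE.match(cond_key)
                if not m:
                    continue
                found_here += 1
                tag_conditions.append((idx, m.group(1), m.group(2)))
                # The page supports key matching only: null_equal with the fixed value "false".
                if operator != "null_equal" or value != "false":
                    findings.append(f"statement {idx}: {cond_key} must use null_equal with 'false'")
        wildcard = "*" in _as_list(stmt.get("action", [])) and "*" in _as_list(stmt.get("resource", []))
        if stmt.get("effect") == "allow" and wildcard and found_here == 0:
            findings.append(f"statement {idx}: allow on all actions and resources has no tag condition")
    return tag_conditions, findings

if __name__ == "__main__":
    for name, text in (("page policy", PAGE_POLICY), ("constructed policy", CONSTRUCTED_BAD)):
        print(name, audit_policy(text))
```

An empty findings list means every wildcard allow statement in the policy is scoped by a tag key in the form this page documents.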
    
    

    Associated documents

    If you want to understand how to associate resources with tags, please refer to Querying Resources by Tag.