During tag-based authentication, only tag key matching is supported
Last updated: 2024-01-23 17:59:15
This document describes how to grant your sub-account permission to all resources under a tag and how to grant your sub-account permission to bind only a tag key.
Note:
The resource_tag grants permission to all resources under a tag, while request_tag grants a sub-account permission to only bind a tag key. However, this does not take effect on the console lists and related APIs.

Granting permission to all resources under a tag key (resource_tag)

Overview

If your organization has purchased multiple Tencent Cloud resources, and the resources are managed by tag groups, you may want to grant permission to all resources associated with a tag key (resource_tag).
Suppose that:
There is a sub-account Operator under the enterprise account CompanyExample.
There is a tag key Operation under the enterprise account CompanyExample.
The enterprise account CompanyExample wants to grant the sub-account Operator permission to all resources under the tag key Operation.

Directions

1. Log in to the CAM console with the enterprise account CompanyExample.
2. On the Policies page, click Create Custom Policy and then Create by Policy Syntax.
3. Under Select a template type, select Blank Template, then click Next to go to the policy editing page.



4. On the editing policy page, fill in the following form:
Policy Name: It defaults to policygen-current date. It is recommended to define a unique and meaningful policy name, such as Operator-resource_tag.
Description: Optional. Enter your own description.
Policy Content: Copy the following content and fill it in. In the policy, operation is the tag key name, which can be in Chinese or English, and false is a fixed tag value.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "*",
            "resource": "*",
            "condition": {
                "null_equal": {
                    "qcs:resource_tag/operation": "false"
                }
            }
        }
    ]
}
5. Click Complete to create the policy. The newly created policy will be displayed on the policy list page.
6. In the Policies List, search for the policy you just created, and then click Associate User/Group/Role in the operation column on the right.



7. In the pop-up Associate User/Group/Role window, search for and select the sub-account Operator, then click OK to complete the authorization. The Operator sub-account will then have permission to all resources under the Operation tag key.




Granting a sub-account permission to bind a tag Key (request_tag)

Overview

If your organization has purchased multiple Tencent Cloud resources, and the resources are managed by tag groups, you may want to grant a sub-account permission to bind only a specific tag key (request_tag).
Suppose that:
There is a sub-account Developer under the enterprise account CompanyExample.
There is a tag key Development under the enterprise account CompanyExample.
The enterprise account CompanyExample wants to grant the sub-account Developer permission to bind only the tag key Development (request_tag).

Directions

1. Log in to the CAM console with the enterprise account CompanyExample.
2. On the Policies page, click Create Custom Policy and then Create by Policy Syntax.
3. Under Select a template type, select Blank Template, then click Next to go to the policy editing page.


4. On the editing policy page, fill in the following form:
Policy Name: It defaults to policygen-current date. It is recommended to define a unique and meaningful policy name, such as Developer-request_tag.
Description: Optional. Enter your own description.
Policy Content: Copy the following content and fill it in. In the policy, develop is the tag key name, which can be in Chinese or English, and false is a fixed tag value.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "*",
            "resource": "*",
            "condition": {
                "null_equal": {
                    "qcs:request_tag/develop": "false"
                }
            }
        }
    ]
}

5. Click Complete to create the policy. The newly created policy will be displayed on the policy list page.
6. In the Policies List, search for the policy you just created, and then click Associate User/Group/Role in the operation column on the right.


7. In the pop-up Associate User/Group/Role window, search for and select the sub-account Developer, and then click OK to complete the authorization. The Developer sub-account will then have permission to bind the develop tag key.
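
Both policies above allow "*" on "*" and rely entirely on the null_equal tag-key condition to narrow the scope. The Python sketch below is an added example, not Tencent Cloud code: it lints policy JSON in the shape shown on this page before it is pasted into the console, and models key-only matching locally. The function names and the UNSCOPED and WRONG_VALUE samples are constructed, and key_only_match assumes that the condition holds whenever the tag key is present.

```python
# Added example: offline lint for CAM policy JSON in the shape shown on this page.
TAG_PREFIXES = ("qcs:resource_tag/", "qcs:request_tag/")

def tag_key_conditions(statement):
    """Return (kind, tag_key, value) for each null_equal tag-key condition."""
    null_equal = statement.get("condition", {}).get("null_equal", {})
    return [(p.rstrip("/"), k[len(p):], v)
            for k, v in null_equal.items() for p in TAG_PREFIXES if k.startswith(p)]

def audit_policy(policy):
    """Flag allow statements whose wildcard scope is not narrowed by a tag key."""
    findings = []
    for i, st in enumerate(policy.get("statement", [])):
        if st.get("effect") != "allow":
            continue
        wildcard = st.get("action") in ("*", ["*"]) and st.get("resource") in ("*", ["*"])
        conds = tag_key_conditions(st)
        if wildcard and not conds:
            findings.append((i, "wildcard allow without a tag-key condition"))
        for kind, key, value in conds:
            if value != "false":
                findings.append((i, f"{kind}/{key}: value should be the fixed string 'false'"))
    return findings

def key_only_match(statement, kind, tags):
    """Assumed model of the page's semantics: the condition holds when the
    tag key is present in `tags`; the tag's value is never compared."""
    keys = [k for c_kind, k, _ in tag_key_conditions(statement) if c_kind == kind]
    return bool(keys) and all(k in tags for k in keys)

def make_policy(condition=None):
    """Build a one-statement policy in the page's layout (constructed samples)."""
    st = {"effect": "allow", "action": "*", "resource": "*"}
    if condition:
        st["condition"] = {"null_equal": condition}
    return {"version": "2.0", "statement": [st]}

PAGE_POLICY = make_policy({"qcs:resource_tag/operation": "false"})  # as on this page
UNSCOPED = make_policy()                                        # constructed: no condition
WRONG_VALUE = make_policy({"qcs:request_tag/develop": "true"})  # constructed: not "false"

if __name__ == "__main__":
    for name, pol in [("page", PAGE_POLICY), ("unscoped", UNSCOPED), ("wrong", WRONG_VALUE)]:
        print(name, audit_policy(pol))
    st = PAGE_POLICY["statement"][0]
    print(key_only_match(st, "qcs:resource_tag", {"operation": "prod"}))
    print(key_only_match(st, "qcs:resource_tag", {"team": "ops"}))
```

Because only the key is matched, any resource carrying the key is in scope regardless of its value, so the right to attach that tag key should be reviewed as carefully as the policy itself.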



Associated documents

If you want to understand how to associate resources with tags, please refer to Querying Resources by Tag.