CAM-Based Access Control Configuration

Last updated: 2024-09-05 09:54:22

    ES CAM Overview

    Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you securely manage and control access permissions to resources under your Tencent Cloud account. With CAM, you can create, manage, and terminate users (user groups) and use identities and policies to control user access to Tencent Cloud resources. For more information on CAM policies and usage, please see CAM Policy.

    ES CAM Policies

    General permission policy

    ES provides two general policies by default:
    Full access policy (QcloudElasticsearchServiceFullAccess), which grants a user permission to create and manage all ES cluster instances.
    Read-only access policy (QcloudElasticsearchServiceReadOnlyAccess), which grants a user permission to view ES cluster instances but not create, update, or delete them.
    You can log in to the Policy Management page, select "Elasticsearch Service" in "Service Type", and bind the default policies displayed in the list to accounts as needed.
    
    If the default policies cannot meet your requirements, you can click Create Custom Policy to customize the authorization.

    Custom permission policy

    Types of resources that can be authorized in ES include:

    Resource Type | Resource Description
    instance      | qcs::es:$region:$account:instance/*
    Below describes the details of resource-level access control supported by each API:

    API Name          | Description                                                 | Associated with Resource | Resource Description
    DescribeInstances | Getting cluster list and information of individual clusters | Yes                      | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
    CreateInstance    | Creating cluster                                            | No                       | *
    UpdateInstance    | Updating cluster                                            | Yes                      | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
    RestartInstance   | Restarting cluster                                          | Yes                      | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
    DeleteInstance    | Deleting cluster                                            | Yes                      | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
    UpdatePlugins     | Updating plugin                                             | Yes                      | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
    Supported regions include:

    Region                 | Name              | Region ID
    South China            | Guangzhou         | ap-guangzhou
    East China             | Shanghai          | ap-shanghai
    East China             | Nanjing           | ap-nanjing
    North China            | Beijing           | ap-beijing
    Southwest China        | Chengdu           | ap-chengdu
    Southwest China        | Chongqing         | ap-chongqing
    Hong Kong/Macao/Taiwan | Hong Kong (China) | ap-hongkong
    Southeast Asia Pacific | Singapore         | ap-singapore
    South Asia Pacific     | Mumbai            | ap-mumbai
    Northeast Asia Pacific | Seoul             | ap-seoul
    Northeast Asia Pacific | Tokyo             | ap-tokyo
    West US                | Silicon Valley    | na-siliconvalley
    East US                | Virginia          | na-ashburn
    Europe                 | Frankfurt         | eu-frankfurt
    
    The syntax of a custom policy is as follows:

    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "Action"
                ],
                "resource": "Resource",
                "effect": "Effect"
            }
        ]
    }

    Action: replace it with the operation to be allowed or denied.
    Resource: replace it with the resources that you want to authorize the user to manipulate.
    Effect: replace it with "allow" or "deny".
    ES currently supports access control management for all APIs except DescribeInstances. You can authorize a sub-account to perform various operations on a cluster under your account, such as updating, restarting, and deleting.

    Custom permission sample

    To grant an account permission to update the specified cluster, use the following policy syntax:

    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "es:Describe*"
                ],
                "resource": [
                    "qcs::es:ap-guangzhou:uin/$uin:instance/$instanceID"
                ],
                "effect": "allow"
            },
            {
                "action": [
                    "vpc:Describe*",
                    "vpc:Inquiry*",
                    "vpc:Get*"
                ],
                "resource": "*",
                "effect": "allow"
            },
            {
                "action": [
                    "monitor:*",
                    "cam:ListUsersForGroup",
                    "cam:ListGroups",
                    "cam:GetGroup"
                ],
                "resource": "*",
                "effect": "allow"
            },
            {
                "action": [
                    "es:Update*"
                ],
                "resource": [
                    "qcs::es:ap-guangzhou:uin/$uin:instance/$instanceID"
                ],
                "effect": "allow"
            }
        ]
    }
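    The following is an added example, not Tencent Cloud's own code: it builds the six-segment ES resource string from the tables above and evaluates a custom policy offline, so you can check which of the listed ES APIs a sub-account would actually be able to call on one instance before binding the policy. It assumes CAM's evaluation order (an explicit deny overrides any allow; no matching statement means implicit deny) and that "*" is the only wildcard; the uin and instance ID are constructed placeholders.

```python
import re

# Constructed sample policy in the CAM 2.0 syntax from this page; the uin and
# instance ID are placeholders, not real account values.
SAMPLE_POLICY = {
    "version": "2.0",
    "statement": [
        {"action": ["es:Describe*", "es:Update*"],
         "resource": ["qcs::es:ap-guangzhou:uin/100000000001:instance/es-placeholder01"],
         "effect": "allow"},
        {"action": ["es:DeleteInstance"], "resource": "*", "effect": "deny"},
    ],
}

# The page's API table: API name -> whether it takes an instance-level resource
# (False means the request resource is "*", as for CreateInstance).
ES_APIS = {"DescribeInstances": True, "CreateInstance": False, "UpdateInstance": True,
           "RestartInstance": True, "DeleteInstance": True, "UpdatePlugins": True}

def es_resource(region, owner_uin, instance_id="*"):
    """Build the resource string qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}."""
    return f"qcs::es:{region}:uin/{owner_uin}:instance/{instance_id}"

def _wildcard_match(pattern, value):
    # Assumption: only '*' is a wildcard in action/resource patterns; all else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _any_match(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(_wildcard_match(p, value) for p in patterns)

def is_allowed(policy, action, resource):
    """Deny-overrides evaluation: explicit deny wins, an allow grants, otherwise implicit deny."""
    allowed = False
    for stmt in policy["statement"]:
        if _any_match(stmt["action"], action) and _any_match(stmt["resource"], resource):
            if stmt["effect"] == "deny":
                return False
            allowed = True
    return allowed

def granted_apis(policy, region, owner_uin, instance_id):
    """List which of the page's ES APIs the policy lets a sub-account call on one instance."""
    granted = []
    for api, resource_level in ES_APIS.items():
        resource = es_resource(region, owner_uin, instance_id) if resource_level else "*"
        if is_allowed(policy, f"es:{api}", resource):
            granted.append(api)
    return granted
```

    Note that a statement scoped to one instance never grants CreateInstance, because that API is evaluated against the resource "*" rather than an instance string.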
    