tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Elasticsearch Service
    Documentation
    Download PDF

    CAM-Based Access Control Configuration

    Last updated: 2024-09-05 09:54:22
    Download PDF

      ES CAM Overview

      Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you securely manage and control access permissions to resources under your Tencent Cloud account. With CAM, you can create, manage, and terminate users (user groups) and use identities and policies to control user access to Tencent Cloud resources. For more information on CAM policies and usage, please see CAM Policy.

      ES CAM Policies

      General permission policy

      ES provides two general policies by default:
      Full access policy (QcloudElasticsearchServiceFullAccess), which grants a user permission to create and manage all ES cluster instances.
      Read-only access policy (QcloudElasticsearchServiceReadOnlyAccess), which grants a user permission to view ES cluster instances but not create, update, or delete them.
      You can log in to the Policy Management page, select "Elasticsearch Service" in "Service Type", and bind the default policies displayed in the list to accounts as needed.
      
      If the default policies cannot meet your requirements, you can click Create Custom Policy to customize the authorization.

      Custom permission policy

      Types of resources that can be authorized in ES include:
      Resource Type
      Resource Description
      instance
      qcs::es:$region:$account:instance/*
      Below describes the details of resource-level access control supported by each API:
      API Name
      Description
      Associated with Resource
      Resource Description
      Getting cluster list and information of individual clusters
      DescribeInstances
      Yes
      qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
      Creating cluster
      CreateInstance
      No
      *
      Updating cluster
      UpdateInstance
      Yes
      qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
      Restarting cluster
      RestartInstance
      Yes
      qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
      Deleting cluster
      DeleteInstance
      Yes
      qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
      Updating plugin
      UpdatePlugins
      Yes
      qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
      Supported regions include:
      Region
      Name
      Region ID
      South China
      Guangzhou
      ap-guangzhou
      East China
      Shanghai
      ap-shanghai
      Nanjing
      ap-nanjing
      North China
      Beijing
      ap-beijing
      Southwest China
      Chengdu
      ap-chengdu
      Chongqing
      ap-chongqing
      Hong Kong/Macao/Taiwan
      Hong Kong (China)
      ap-hongkong
      Southeast Asia Pacific
      Singapore
      ap-singapore
      South Asia Pacific
      Mumbai
      ap-mumbai
      Northeast Asia Pacific
      Seoul
      ap-seoul
      Tokyo
      ap-tokyo
      West US
      Silicon Valley
      na-siliconvalley
      East US
      Virginia
      na-ashburn
      Europe
      Frankfurt
      eu-frankfurt
      
      The syntax of a custom policy is as follows:
      {
          "version": "2.0",
          "statement": [
              {
                  "action": [
                      "Action"
                  ],
                  "resource": "Resource",
                  "effect": "Effect"
              }
          ]
      }
      Action: replace it with the operation to be allowed or denied.
      Resource: replace it with the resources that you want to authorize the user to manipulate.
      Effect: replace it with "allow" or "deny".
      ES currently supports access control management for all APIs except DescribeInstances. You can authorize a sub-account to perform various operations on a cluster under your account such as updating, restarting, and deleting.

      Custom permission sample

      To grant an account permission to update the specified cluster, use the following policy syntax:
      {
          "version": "2.0",
          "statement": [
               {
                  "action": [
                      "es:Describe*"
                  ],
                  "resource": [
                     "qcs::es:ap-guangzhou:uin/$uin:instance/$instanceID"
                  ],
                  "effect": "allow"
              },
              {
                  "action": [
                      "vpc:Describe*",
                      "vpc:Inquiry*",
                      "vpc:Get*"
                  ],
                  "resource": "*",
                  "effect": "allow"
              },
              {
                  "action": [
                      "monitor:*",
                      "cam:ListUsersForGroup",
                      "cam:ListGroups",
                      "cam:GetGroup"
                  ],
                  "resource": "*",
                  "effect": "allow"
              },
              {
                  "action": [
                      "es:Update*"
                  ],
                  "resource": [
                      "qcs::es:ap-guangzhou:uin/$uin:instance/$instanceID"
                  ],
                  "effect": "allow"
              }
          ]
      }
      
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy