Basic CAM Concepts
The root account authorizes sub-accounts by associating policies. The policy setting can be specific to the level of [API, Resource, User/User Group, Allow/Deny, and Condition].
Account
Root account: It owns all Tencent Cloud resources and can access any of its resources.
Sub-account: It includes sub-users and collaborators.
Sub-user: It is created and fully owned by a root account.
Collaborator: It has the identity of a root account. After it is added as a collaborator of the current root account, it becomes one of the sub-accounts of the current root account and can switch back to its root account identity.
Identity credential: It includes login credentials and access certificates. Login credential refers to a user's login name and password. Access certificate refers to Tencent Cloud API keys (SecretId
and SecretKey
).
Resource and permission
Resource: An object that is operated in Tencent Cloud services, such as a CVM instance, a COS bucket, or a VPC instance.
Permission: It is an authorization that allows or forbids users to perform certain operations. By default, a root account has full access to all resources under it, while a sub-account does not have access to any resources under its root account.
Policy: It is a syntax rule that defines and describes one or more permissions. The root account performs authorization by associating policies with users/user groups.
Relevant Documents
|
Understand the relationship between policies and users | |
Understand the basic structure of policies | |
Check CAM-enabled products | |
Sample CAM Policy
Full access policy for CKafka
Grant a sub-user full access (including resource creation and management) to the CKafka service.
{
"version": "2.0",
"statement": [
{
"action": [
"name/ckafka:*",
"name/monitor:GetMonitorData"
],
"resource": "*",
"effect": "allow"
}
]
}
3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Policy Syntax.
5. In Template Type, search for CKafka, select QcloudCKafkaFullAccess (full access to CKafka), and click Next.
6. Click Complete.
Read-only policy for a CKafka instance
1. Create a policy with the Policy Generator and grant permission for listing operations and product monitoring.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"name/ckafka:ListInstance",
"name/monitor:GetMonitorData"
],
"resource": [
"*"
]
}
]
}
2. Grant read-only access to the specified instance.
Note:
List* APIs don't support authentication at the resource level.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"name/monitor:GetMonitorData",
"name/ckafka:Get*"
],
"resource": [
"qcs::ckafka:gz::ckafkaId/uin/$createUin/$instanceId"
]
}
]
}
You can also configure the system's read-only policy to support this permission. 3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Policy Syntax.
5. In Template Type, search for CKafka, select QcloudCkafkaReadOnlyAccess (read-only access to CKafka), and click Next.
6. Click Complete.
문제 해결에 도움이 되었나요?