CAM Basic Concepts
The root account grants permissions to sub-accounts by associating policies with them. A policy can be scoped precisely along several dimensions: **API, Resource, User/User Group, Allow/Deny, and Condition**.
Account System
Root account: It owns all Tencent Cloud resources and can access any of its resources.
Sub-account: It includes sub-users and collaborators.
Sub-user: It is created and fully owned by a root account.
Collaborator: It already has a root account identity and is added as a collaborator under another root account. This user then becomes a sub-account of the current root account but can switch back to their original root account identity.
Identity credential: Includes login credentials and access keys. A login credential is a user's login name and password. An access key is a TencentCloud API key pair (SecretId and SecretKey); the SecretKey authenticates API calls on its own, so protect it as you would a password.
Resource and Permissions
Resource: An object that is operated in Tencent Cloud Services, such as a CVM instance, a COS bucket, or a VPC instance.
Permissions: An authorization that allows or denies a user to perform certain operations. By default, the root account has full access to all resources under the account, while a sub-account has no access to any resource under its root account until a policy grants it.
Policy: It is a syntax rule that defines and describes one or more permissions. The root account performs authorization by associating policies with users/user groups.
Using CKafka with Sub-Accounts
When a sub-account uses CKafka, two types of permissions must be granted:
1. Permissions to access other cloud products. CKafka reads other resources of the account (VPC, CVM, etc.), for example the availability zone of the subnet selected for an instance, so the sub-account needs read access to those products. See Step 1: Granting the Sub-Account Permissions to Access Other Cloud Products.
2. Permissions to use CKafka itself. See Step 2: Granting the Sub-Account Permissions to Use CKafka.
Step 1: Granting the Sub-Account Permissions to Access Other Cloud Products
Creating a New Custom Policy to Access Other Cloud Products
1. Log in to the CAM Console(https://console.tencentcloud.com/cam/overview!4169448268cee04eb156e3de8cf8c971) with the root account.
2. In the left sidebar, select Policies, then click Create Custom Policy.
3. In the pop-up window for selecting the policy creation method, select Create by Policy Syntax to open the policy syntax page.
4. Use the API table and policy syntax below to grant the sub-account only the permissions on other cloud products that it needs, fill in the remaining information, and click Complete.
CKafka relies on the following cloud products, and the root account must authorize the sub-account for each of them so that the corresponding CKafka features work. The custom policy should include the following CKafka-related API calls on those products:

| Cloud Product | API | Description | Use in CKafka |
| --- | --- | --- | --- |
| Cloud Virtual Machine (CVM) | DescribeZones | Query availability zones | Used to view the availability zone of a subnet when an instance is created. |
| Virtual Private Cloud (VPC) | DescribeVpcs | Query VPC list | Used to select the VPC of the instance access address when an instance is created. |
| Virtual Private Cloud (VPC) | DescribeSubnets | Query subnet list | Used to select the subnet of the instance access address when an instance is created. |
| TCOP (Monitor) | GetMonitorData | Obtain metric monitoring data | Used to view monitoring data in CKafka. |
| TCOP (Monitor) | DescribeDashboardMetricData | Obtain metric monitoring data | Used to view monitoring data in CKafka. |
The policy syntax example is as follows. The table lists the public API names, while the console may call the legacy vpc:DescribeVpcEx and vpc:DescribeSubnetEx actions shown here; granting both forms covers either path. Every action in this policy is a read-only Describe/Get call, so "resource": ["*"] adds no write access, but keep the action list limited to exactly these calls rather than widening it to a product wildcard. Note that JSON does not allow a comma after the last element of a list; CAM rejects a policy document that is not valid JSON.

```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "cvm:DescribeZones",
        "vpc:DescribeVpcEx",
        "vpc:DescribeVpcs",
        "vpc:DescribeSubnetEx",
        "vpc:DescribeSubnets",
        "monitor:GetMonitorData",
        "monitor:DescribeDashboardMetricData"
      ],
      "resource": [
        "*"
      ]
    }
  ]
}
```
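Before pasting a policy document into the console, it is worth checking it mechanically: that it parses, that it has the shape CAM expects, that it grants nothing beyond read-only calls, and that every action from the table above is present. The following script is an added example for this page and is not Tencent Cloud code. It assumes the action set in the table, accepts the legacy vpc:DescribeVpcEx and vpc:DescribeSubnetEx names as equivalents of vpc:DescribeVpcs and vpc:DescribeSubnets, and uses constructed sample policies (a correct one, one with a trailing comma, and one that grants vpc:*) as input.

```python
# Validate a Tencent Cloud CAM policy document before associating it with a
# sub-account. Added example for this page; not Tencent Cloud code. Checks the
# structure CAM expects (version "2.0", statement entries with
# effect/action/resource), flags allowed actions that are not read-only
# Describe/Get/List/Query calls, and confirms the cross-product actions from the
# table above are granted.
import json
import re
from typing import Dict, List, Set

# Purpose -> acceptable action names (assumed from the table and policy sample above).
REQUIRED_ACTIONS: Dict[str, Set[str]] = {
    "availability zones": {"cvm:DescribeZones"},
    "VPC list": {"vpc:DescribeVpcs", "vpc:DescribeVpcEx"},
    "subnet list": {"vpc:DescribeSubnets", "vpc:DescribeSubnetEx"},
    "metric data": {"monitor:GetMonitorData"},
    "dashboard metric data": {"monitor:DescribeDashboardMetricData"},
}

# CAM actions are product:ApiName; only read-only verbs belong in this policy.
READ_ONLY_ACTION = re.compile(r"^[a-z]+:(Describe|Get|List|Query)[A-Za-z0-9]*$")


def _as_list(value) -> List[str]:
    # CAM accepts a single string or a list for action/resource; normalise to a list.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def validate_cam_policy(text: str) -> List[str]:
    """Return a list of findings; an empty list means the policy passed every check."""
    findings: List[str] = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # CAM rejects malformed JSON; a trailing comma after the last action is the usual cause.
        return [f"invalid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"]

    if doc.get("version") != "2.0":
        findings.append('version must be the string "2.0"')
    statements = doc.get("statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["statement must be a non-empty list"]

    granted: Set[str] = set()
    for i, st in enumerate(statements):
        effect = st.get("effect")
        actions = _as_list(st.get("action"))
        resources = _as_list(st.get("resource"))
        if effect not in ("allow", "deny"):
            findings.append(f"statement {i}: effect must be allow or deny")
        if not actions:
            findings.append(f"statement {i}: action must not be empty")
        if not resources:
            findings.append(f"statement {i}: resource must not be empty")
        if effect != "allow":
            continue  # deny statements never widen access
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action} grants every API of the product, not just the Describe calls CKafka needs")
            elif not READ_ONLY_ACTION.match(action):
                findings.append(f"statement {i}: {action} is not read-only; keep write actions out of this policy")
            else:
                granted.add(action)

    for purpose, alternatives in REQUIRED_ACTIONS.items():
        if not granted & alternatives:
            findings.append(f"missing grant for {purpose}: add one of {sorted(alternatives)}")
    return findings


# Constructed sample: the cross-product policy for CKafka, including cvm:DescribeZones.
CKAFKA_CROSS_PRODUCT_POLICY = """{
  "version": "2.0",
  "statement": [{
    "effect": "allow",
    "action": ["cvm:DescribeZones", "vpc:DescribeVpcEx", "vpc:DescribeSubnetEx",
               "monitor:GetMonitorData", "monitor:DescribeDashboardMetricData"],
    "resource": ["*"]
  }]
}"""

# Constructed sample: the same document with a trailing comma after the last action (invalid JSON).
TRAILING_COMMA_POLICY = CKAFKA_CROSS_PRODUCT_POLICY.replace(
    '"monitor:DescribeDashboardMetricData"]', '"monitor:DescribeDashboardMetricData",]')

# Constructed sample: a shortcut that grants every VPC API instead of the two Describe calls.
OVERBROAD_POLICY = ('{"version": "2.0", "statement": [{"effect": "allow", "resource": ["*"], '
                    '"action": ["cvm:DescribeZones", "vpc:*", "monitor:GetMonitorData", '
                    '"monitor:DescribeDashboardMetricData"]}]}')

if __name__ == "__main__":
    for name, policy in [("ckafka", CKAFKA_CROSS_PRODUCT_POLICY),
                         ("trailing comma", TRAILING_COMMA_POLICY),
                         ("overbroad", OVERBROAD_POLICY)]:
        print(name, validate_cam_policy(policy) or "OK")
```

Run it as a script to see the findings for the three constructed samples, or import validate_cam_policy and feed it the document you are about to paste into the console. The read-only regex is deliberately strict: a product wildcard such as vpc:* is reported even though it would technically include the two Describe calls, because it also grants every write API of that product to the sub-account.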
Associating the Custom Policy with the Sub-Account
1. Log in to the CAM Console with the root account.
2. On the left sidebar, click Policies to enter the policy management page.
3. On the right, filter by Custom Policy, find the custom policy created in the previous section, and click Associate User/User Group/Role in the Operation column.
4. Select the sub-account to be granted these permissions and click OK to complete the authorization. The policy will then appear in the user's policy list.
Step 2: Granting the Sub-Account Permissions to Use CKafka
See the following documents for related operations: