Overview
If you have purchased multiple types of Tencent Cloud resources which are grouped and managed by tag, you can grant employees of different teams permissions to use corresponding APIs by tag on an as-needed basis. This document uses a typical case to describe how to grant sub-accounts certain operation permissions of resources through tags.
Suppose that:
The company account CompanyExample
has a sub-account DevA
.
The company account CompanyExample
has a tag key-value pair test1&test1
.
The company account CompanyExample
wants to grant the sub-account DevA
the permission to restart CVM instances (cvm:RebootInstances) under the tag test1&test1
.
Directions
1. Log in to the CAM console with the company account CompanyExample
. 3. Select Blank Template under Select a template type and click Next to enter the Edit Policy page
4. On the Edit Policy page, fill out the following form:
Policy Name: the default value is policygen-current date
. We recommend you define a unique and meaningful policy name, such as cvm-RebootInstances
.
Description: write a description, which is optional.
Policy Content: copy and paste the following content. Here, cvm:RebootInstances
is the name of the API that needs to be authorized, and test1&test1
is the tag key-value pair that needs to be authorized.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cvm:RebootInstances"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:tag": [
"test1&test1"
]
}
}
}
]
}
5. Click Complete to create the policy, which will be displayed on the Policy List page.
6. Find the just created policy in the Policy List and click Associate in the Operation column on the right.
7. In the Associate with User/User Group window that pops up, search for and select the sub-account DevA
and click OK to complete the authorization.
The sub-account DevA
will have the permission to restart CVM instances under the test1&test1
tag.
문제 해결에 도움이 되었나요?