
Access Acquisition by Sub-account

Last updated: 2024-01-09 12:00:35

Basic CAM Concepts

A root account authorizes sub-accounts by binding policies. The policy settings can be specific to the level of API, Resource, User/User Group, Allow/Deny, and Condition.

User type

Root account: A root account owns all the resources in Tencent Cloud and can access any of these resources.
Sub-account: Sub-accounts include sub-users, WeCom sub-users, collaborators, and message recipients.
For detailed definitions of the root account and sub-accounts and descriptions of their features, see User Types.

Resources and Permissions

Resource: An object that Tencent Cloud services operate on, such as a CVM instance, a COS bucket, or a VPC instance.
Permission: An authorization to allow or forbid users to perform certain operations. By default, a root account has full access to all resources under the account, while a sub-account does not have access to any resources under its root account.
Policy: Syntax rule to define and describe one or more permissions. A root account performs authorization by associating policies with users/user groups.

Using TEM with a Sub-account

To allow a sub-account such as a collaborator to use TEM, you need to complete the following authorization operations:
1. TEM needs roles and their policies passed to it, so the user must have the permission to pass roles to the service, i.e., a custom policy granting cam:PassRole must be created. For detailed directions, see Granting the PassRole policy.
2. The permission to use TEM is required. You can grant the target sub-account the QcloudTEMFullAccess or QcloudTEMReadOnlyAccess policy to grant it full or read-only access to TEM. For detailed directions, see Granting the permission to use TEM.
3. TEM may call other Tencent Cloud products when used, so the root account needs to authorize the target sub-account accordingly. For more information, see Granting permissions to access other Tencent Cloud products.

Granting the PassRole policy

Step 1. Create policies

1. Log in to the CAM console.
2. On the left sidebar, click Policies to enter the policy management page.
3. Click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, click Create by Policy Syntax.
5. On the Create by Policy Syntax page, select Blank Template and click Next.
6. Enter the policy name and content and click Create Policy. Use the root account or a sub-account with admin permissions to create the following two custom policies:
Access to resources of Tencent Cloud products other than CLS:
{
  "version": "2.0",
  "statement": {
    "effect": "allow",
    "action": "cam:PassRole",
    "resource": "qcs::cam::uin/${OwnerUin}:role/tencentcloudServiceRoleName/TEM_QCSLinkedRoleInAccessCluster"
  }
}
Access to CLS resources:
{
  "version": "2.0",
  "statement": {
    "effect": "allow",
    "action": "cam:PassRole",
    "resource": "qcs::cam::uin/${OwnerUin}:role/tencentcloudServiceRoleName/TEM_QCSLinkedRoleInTEMLog"
  }
}
Here, ${OwnerUin} is the root account ID, which can be obtained on the Account Info page in the console.

Step 2. Bind the policies to the user

1. On the left sidebar, click User > User List to enter the user management page.
2. Select the target user and click Authorize in the Operation column.
3. Filter the policies created in step 1 in the Policy List.
4. Click OK to bind the policies, which will be displayed in the Policy List of the user.

Granting the permission to use TEM

Full access policy

Grant a sub-user full access (including resource creation and management) to the TEM service.
{
  "version": "2.0",
  "statement": [
    {
      "action": "tem:*",
      "resource": "*",
      "effect": "allow"
    }
  ]
}
Instead of writing this custom policy, you can also grant the preset system policy for full read/write access to TEM:
1. Log in to the CAM console.
2. Click Policies on the left sidebar.
3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Syntax.
5. In Template Type, search for "tem", select QcloudTEMFullAccess (full access to TEM), and click Next.
6. Click Complete.
Subsequent operation: Bind the created policy to the target user.

Read-only policy

Grant a sub-user read-only access to the TEM service.
{
  "version": "2.0",
  "statement": [
    {
      "action": [
        "tem:Describe*"
      ],
      "resource": "*",
      "effect": "allow"
    }
  ]
}
Instead of writing this custom policy, you can also grant the preset system policy for read-only access to TEM:
1. Log in to the CAM console.
2. Click Policies on the left sidebar.
3. In the policy list, click Create Custom Policy.
4. In the Select Policy Creation Method pop-up window, select Create by Syntax.
5. In Template Type, search for "tem", select QcloudTEMReadOnlyAccess (read-only access to TEM), and click Next.
6. Click Create Policy.

Granting permissions to access other Tencent Cloud products

TEM may call other Tencent Cloud products when used (the action list below shows which), so the root account needs to authorize the target sub-account separately to ensure that the sub-account can use TEM product features normally.
Below is the sample policy for this authorization:
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "cam:DescribeRoleList",
        "cvm:DescribeSecurityGroups",
        "vpc:DescribeVpcEx",
        "vpc:DescribeSubnetEx",
        "tse:DescribeSREInstances",
        "cls:DescribeLogsets",
        "cls:DescribeTopics",
        "cfs:DescribeCfsFileSystems",
        "ssl:DescribeCertificate",
        "tcr:DescribeRepositoryOwnerPersonal",
        "tcr:DescribeRepositories",
        "tcr:DescribeInstances",
        "tcr:DescribeInternalEndpoints",
        "tcr:CreateInstanceToken"
      ],
      "resource": [
        "*"
      ]
    }
  ]
}
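As an added example that is not Tencent Cloud's code, the following Python script renders the two PassRole policies from the "Granting the PassRole policy" section with the root account ID substituted for ${OwnerUin}, and runs two least-privilege checks over any CAM policy document in the syntax used on this page: it flags cam:PassRole or the action "*" allowed on resource "*", and it lists the allowed actions that are not service:Describe* reads. Run against the read-only policy above the list is empty; run against the cross-product policy above it surfaces tcr:CreateInstanceToken as the one action that is not a plain read. The root account ID 100000000001 is a constructed placeholder, and treating every Describe* action as read-only is an assumption made for the example.

```python
"""Render and lint Tencent Cloud CAM policy documents for TEM sub-accounts.

Added example, not Tencent Cloud's code. Assumes the CAM policy syntax
shown on the page: version "2.0" and a "statement" that is either one
object or a list of objects with effect/action/resource. The sample UIN
and the Describe*-means-read-only rule are assumptions for illustration.
"""
import json
import re

# Service-linked role names quoted on the page.
TEM_PASSROLE_ROLES = (
    "TEM_QCSLinkedRoleInAccessCluster",  # products other than CLS
    "TEM_QCSLinkedRoleInTEMLog",         # CLS (log) resources
)

# Assumption: an action of the form service:Describe... only reads state.
READ_ONLY_ACTION = re.compile(r"[a-z]+:Describe\S*")


def passrole_policy(owner_uin: str, role_name: str) -> dict:
    """Render a cam:PassRole policy scoped to one service-linked role.

    ${OwnerUin} in the page's template is replaced by the numeric root
    account ID; the resource stays pinned to a single role rather than "*".
    """
    if not re.fullmatch(r"\d+", owner_uin):
        raise ValueError("owner_uin must be the numeric root account ID")
    return {
        "version": "2.0",
        "statement": {
            "effect": "allow",
            "action": "cam:PassRole",
            "resource": (
                f"qcs::cam::uin/{owner_uin}:role/"
                f"tencentcloudServiceRoleName/{role_name}"
            ),
        },
    }


def _as_list(value):
    """CAM accepts a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: dict) -> list:
    return [s for s in _as_list(policy.get("statement", []))
            if s.get("effect") == "allow"]


def lint_policy(policy: dict) -> list:
    """Return findings for grants that defeat least privilege.

    - cam:PassRole on resource "*" lets the holder pass any role in the
      account to a service, not just the TEM service-linked roles.
    - action "*" on resource "*" is equivalent to root-account access.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("statement", []))):
        if stmt.get("effect") != "allow" or "*" not in _as_list(stmt.get("resource", [])):
            continue
        actions = _as_list(stmt.get("action", []))
        if "cam:PassRole" in actions:
            findings.append(f"statement {i}: cam:PassRole allowed on resource '*'")
        if "*" in actions:
            findings.append(f"statement {i}: action '*' allowed on resource '*'")
    return findings


def write_actions(policy: dict) -> list:
    """List allowed actions that are not service:Describe* reads."""
    return [a for stmt in _allow_statements(policy)
            for a in _as_list(stmt.get("action", []))
            if not READ_ONLY_ACTION.fullmatch(a)]


# Constructed copy of the cross-product policy from the page, for checking.
CROSS_PRODUCT_POLICY = {
    "version": "2.0",
    "statement": [{
        "effect": "allow",
        "action": [
            "cam:DescribeRoleList", "cvm:DescribeSecurityGroups",
            "vpc:DescribeVpcEx", "vpc:DescribeSubnetEx",
            "tse:DescribeSREInstances", "cls:DescribeLogsets",
            "cls:DescribeTopics", "cfs:DescribeCfsFileSystems",
            "ssl:DescribeCertificate", "tcr:DescribeRepositoryOwnerPersonal",
            "tcr:DescribeRepositories", "tcr:DescribeInstances",
            "tcr:DescribeInternalEndpoints", "tcr:CreateInstanceToken",
        ],
        "resource": ["*"],
    }],
}


if __name__ == "__main__":
    for role in TEM_PASSROLE_ROLES:
        policy = passrole_policy("100000000001", role)  # placeholder UIN
        print(json.dumps(policy, indent=2))
        print("findings:", lint_policy(policy))
    print("non-read actions:", write_actions(CROSS_PRODUCT_POLICY))
```

The rendered policies can be pasted into the Create by Policy Syntax page as-is; the lint is meant for reviewing policy documents exported from CAM before they are bound to a user or group, so that a PassRole grant that drifted from a single role to "*" is caught before authorization.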

