
Description of Role Permissions Related to Service Authorization

Last updated: 2024-01-29 16:01:55
TMP uses other Tencent Cloud resources on your behalf, so several scenarios require service authorization. The service role mainly involved when using TMP is CM_QCSRole. This document describes, by role, the details, use cases, and authorization steps of each authorization policy.
The preset policies associated with the CM_QCSRole role by default include the following:
QcloudAccessForCMRoleInPromHostingService: TKE permission required by TMP.

Use Cases

After you create a TMP instance, you will want to monitor the services running on TKE. To integrate with TKE, TMP needs to call TKE-related APIs, so your authorization is required before it can access TKE to install the basic monitoring components and get their running status information.
You do not need to look for this role's configuration yourself. If the permission hasn't been granted, the authorization page pops up automatically when you open the Integrate with TKE page in instance management after creating a TMP instance.

Authorization Steps

Authorizing by root account

1. After you successfully create a TMP instance, an authorization window pops up when you access the Integrate with TKE page, asking you to authorize Cloud Monitor permissions.
2. Click Authorize Now in the window.
3. On the CAM > Role Management page, click Grant. The system confirms that the authorization succeeded.
Note:
This authorization window will appear only once. If you have already authorized, it will not appear again.

Granting permissions to sub-account

After the root account completes the above authorization operations and successfully creates the CM_QCSRole role, the sub-account doesn't have permission to access it. The sub-account must be granted the PassRole permission by the root account before it can normally access TKE in TMP; otherwise, an error will be displayed when it accesses the TKE cluster list.
When granting the PassRole permission to your sub-account, please make sure that your sub-account has the following permissions:
| Permission Description | Granted Policy |
| --- | --- |
| The sub-account must have access to CAM before the PassRole permission granted by the root account can take effect. | QcloudCamReadOnlyAccess or QcloudCamFullAccess |
| The Cloud Monitor policy depends on the Tencent Cloud service policy; therefore, before granting the PassRole permission to the sub-account, make sure that the sub-account can normally access TKE resources. | For more information, please see Permission Management. |
Once the above permissions have been granted, grant the cam:PassRole permission to the sub-account as follows.
1. Use the root account or a sub-account with administrative permissions to create the following custom policy:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "cam:PassRole",
            "resource": "qcs::cam::uin/${OwnerUin}:roleName/CM_QCSRole"
        }
    ]
}
2. After creation, associate the sub-account with the custom policy as instructed in CAM - Authorization Management. After granting the sub-account the cam:PassRole permission, access the Integrate with TKE page of the corresponding TMP instance, and an authorization window will pop up.
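Before associating the custom policy with a sub-account, it is worth checking that cam:PassRole is granted only on the CM_QCSRole resource and that the ${OwnerUin} placeholder has been filled in. The following check is an added example, not Tencent Cloud code; the function name lint_passrole, the sample UIN, and the all-digits UIN rule are assumptions made for illustration.

```python
import json
import re
from fnmatch import fnmatchcase

# Resource format copied from the policy on this page. Assumption: a filled-in
# OwnerUin is all digits.
SCOPED = re.compile(r"^qcs::cam::uin/\d+:roleName/CM_QCSRole$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_passrole(policy_text):
    """Return findings for every allow statement that grants cam:PassRole."""
    findings = []
    statements = _as_list(json.loads(policy_text).get("statement", []))
    for i, st in enumerate(statements):
        if str(st.get("effect", "")).lower() != "allow":
            continue
        actions = [str(a).lower() for a in _as_list(st.get("action", []))]
        # "*" or "cam:*" grant PassRole too, so match them as patterns.
        granting = [a for a in actions if fnmatchcase("cam:passrole", a)]
        if not granting:
            continue
        for a in granting:
            if a != "cam:passrole":
                findings.append(f"statement[{i}]: wildcard action {a!r} includes cam:PassRole")
        for r in _as_list(st.get("resource", [])):
            if "${" in r:
                findings.append(f"statement[{i}]: placeholder not replaced in {r!r}")
            elif not SCOPED.match(r):
                findings.append(f"statement[{i}]: PassRole not limited to CM_QCSRole: {r!r}")
    return findings


# Constructed sample policies; the UIN 100000000001 is made up.
SCOPED_POLICY = '''{"version": "2.0", "statement": [{"effect": "allow",
  "action": "cam:PassRole",
  "resource": "qcs::cam::uin/100000000001:roleName/CM_QCSRole"}]}'''
TEMPLATE_POLICY = SCOPED_POLICY.replace("100000000001", "${OwnerUin}")
BROAD_POLICY = '''{"version": "2.0", "statement": [{"effect": "allow",
  "action": ["cam:*"], "resource": "*"}]}'''

if __name__ == "__main__":
    for name in ("SCOPED_POLICY", "TEMPLATE_POLICY", "BROAD_POLICY"):
        print(name, lint_passrole(globals()[name]) or "ok")
```

An empty result means every statement that allows cam:PassRole is limited to the CM_QCSRole role of one account.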
