If you need fine-grained permission management for MQTT resources, Cloud Access Management (CAM) provides the following capabilities:
User and permission assignment: Create independent users or roles for members of different functional departments based on your enterprise's organizational structure, and allocate dedicated security credentials (such as a console login password and cloud application programming interface (API) keys) or request temporary security credentials, so that access to MQTT resources is secure and controllable.
Fine-grained permission control: Set differentiated access policies based on employee responsibilities to precisely control which operations each user or role can perform and which resources they can access, achieving strict permission isolation.
Account System Introduction
The capability differences between the account types are as follows:
| | Root Account | Sub-user | Collaborator | Message Recipient |
| Definition | Owns all Tencent Cloud resources and can access any of them. | Created by the root account and fully owned by the root account that created it. | Originally has the identity of a root account. After being added as a collaborator of the current root account, it becomes one of that account's sub-accounts and is able to switch back to its own root account identity. | Only has message receiving capabilities. |
| Console Access | ✔ | ✔ | ✔ | - |
| Programmatic Access | ✔ | ✔ | ✔ | - |
| Policy Authorization | Owns all policies by default. | ✔ | ✔ | - |
| Message Notification | ✔ | ✔ | ✔ | ✔ |
Note:
To ensure the security of your Tencent Cloud account and cloud resource usage, you should avoid using the Tencent Cloud root account directly to operate resources unless necessary. Instead, you should create sub-accounts, assign them policies based on the principle of least privilege, and use these sub-accounts with limited permissions to operate your cloud resources.
Policies
Policies are syntax specifications for defining and describing one or more permissions. By default, the root account has access to all its resources, while the sub-account doesn't have access to any resources under the root account.
The root account can grant users/user groups the permissions to view and use specific resources by associating policies with them. Tencent Cloud policy types are divided into preset policies and custom policies.
Preset Policies
MQTT provides two preset policies for sub-accounts:
| Policy Name | Description |
| QcloudMQTTFullAccess | Full read/write access permissions, allowing sub-accounts to perform read and write operations in the product console. |
| QcloudMQTTReadOnlyAccess | Read-only access permissions, allowing sub-accounts to view only relevant information in the console. |
Custom Policies
If the preset policies cannot meet your requirements, you can create custom permission policies to grant the minimum set of permissions needed. A policy can be specified down to the API, resource, user/user group, allow/deny, and condition dimensions. Custom policies enable fine-grained permission control, which is an effective way to enhance resource access security.
Tencent Cloud currently offers the following two ways to create custom policies, to suit different usage habits and requirements:
Visual view: Wizard-based operations are provided. Users can select elements such as cloud services, operations, resources, and conditions on pages without needing to understand the policy syntax. The system automatically generates policies, lowering the barrier to use.
JSON view: After you select a policy template, you can edit the policy content based on specific requirements. You can also directly write JSON-formatted policy content in the editor. This method is suitable for users with a specific technical background.
Custom Policy Example
A sub-account granted the following policy can only query certificate details, the MQTT client list, and MQTT instance details for the instance mqtt-xxx.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "mqtt:DescribeClientList",
                "mqtt:DescribeInstance",
                "mqtt:DescribeCaCertificate"
            ],
            "resource": [
                "qcs::mqtt::uin/1000****5002:instance/mqtt-****"
            ]
        }
    ]
}
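To make the allow/deny and resource dimensions concrete, here is an added example (not part of this page or of Tencent Cloud's own code) that evaluates a CAM-style policy document against a requested action and resource, and flags allow statements that are broader than least privilege. It uses a simplified model: explicit deny wins, any matching allow grants, everything else is denied by default (the model this page describes for sub-accounts); conditions are ignored, wildcard matching with `*` is an assumption about CAM syntax, and the `mqtt:DeleteInstance` action name, the uin, and the instance id are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample: the read-only custom policy from this page, with the
# masked uin and instance id replaced by obviously fake placeholder values.
READONLY_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "mqtt:DescribeClientList",
        "mqtt:DescribeInstance",
        "mqtt:DescribeCaCertificate"
      ],
      "resource": ["qcs::mqtt::uin/100000000000:instance/mqtt-example"]
    }
  ]
}
""")

# Constructed sample of an over-broad policy. The "*" wildcard syntax is an
# assumption about CAM, and "mqtt:DeleteInstance" is a placeholder action name.
BROAD_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": ["mqtt:*"], "resource": ["*"]},
        {"effect": "deny", "action": ["mqtt:DeleteInstance"], "resource": ["*"]},
    ],
}

INSTANCE = "qcs::mqtt::uin/100000000000:instance/mqtt-example"
OTHER_INSTANCE = "qcs::mqtt::uin/100000000000:instance/mqtt-other"


def _as_list(value):
    """Accept a single string or a list for the action/resource fields."""
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, resource):
    """Simplified evaluator: explicit deny wins, any matching allow grants,
    otherwise deny by default. Shell-style wildcards are used for matching.
    This illustrates the default-deny model described on the page; it is not
    Tencent Cloud's actual policy engine."""
    decision = False
    for stmt in policy["statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["effect"] == "deny":
            return False
        if stmt["effect"] == "allow":
            decision = True
    return decision


def least_privilege_findings(policy):
    """Return a list of allow statements whose action or resource uses a
    wildcard, i.e. grants more than a specific API on a specific instance."""
    findings = []
    for i, stmt in enumerate(policy["statement"]):
        if stmt["effect"] != "allow":
            continue
        for pat in _as_list(stmt["action"]):
            if "*" in pat:
                findings.append(f"statement {i}: wildcard action {pat!r}")
        for pat in _as_list(stmt["resource"]):
            if "*" in pat:
                findings.append(f"statement {i}: wildcard resource {pat!r}")
    return findings


if __name__ == "__main__":
    print("read-only policy, DescribeInstance on own instance:",
          is_allowed(READONLY_POLICY, "mqtt:DescribeInstance", INSTANCE))
    print("read-only policy, DescribeInstance on another instance:",
          is_allowed(READONLY_POLICY, "mqtt:DescribeInstance", OTHER_INSTANCE))
    print("read-only policy, DeleteInstance:",
          is_allowed(READONLY_POLICY, "mqtt:DeleteInstance", INSTANCE))
    print("broad policy findings:", least_privilege_findings(BROAD_POLICY))
```

The read-only policy grants exactly the three Describe actions on one instance and nothing else, so a write action or a different instance is denied without any deny statement being needed. The broad policy shows why the checker is useful: a wildcard allow is only narrowed back by an explicit deny, and the checker reports both wildcards so the policy can be tightened before it is attached to a sub-account.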
Sub-account Authorization Operations
When using MQTT, sub-accounts need authorization in two respects:
| Authorization | Description |
| Access permissions for other cloud products | While using MQTT, it may be necessary to access the user's resources in other cloud products (Virtual Private Cloud (VPC), Cloud Virtual Machine (CVM), and so on), for example to view information about the availability zone (AZ) where the user's subnet resides. |
| Read/write permissions for MQTT resources | Obtain read/write permissions for MQTT resources. |
Documentation
Understand the relationship between policies and users
Understand the basic policy structure
Learn about which other products support CAM