You can grant a user the permission to view and use specific resources in the TencentDB Console by using a CAM policy. The sample below shows how to allow a user to use certain policies in the console.
As TDSQL was formerly known as DCDB, its API keyword in CAM is "dcdb".
After the policy is created, associate it with a user/group. After the association is completed, use another browser (or server) to verify whether the sub-account/collaborator can work normally. If the policy syntax is written correctly, you can observe the following:
To avoid mutual impact of multiple policies, it is recommended to associate only one policy with a sub-account at a time.
The change to account access permission will take effect within 1 minute.
To grant a user permission to create and manage TencentDB instances, implement the policy named QcloudDCDBFullAccess for the user.
The policy syntax is as follows:
{
"version": "2.0",
"statement": [
{
"action": [
"dcdb:*"
],
"resource": "*",
"effect": "allow"
}
]
}
To grant a user permission to view TencentDB instances but not create, delete, or modify them, implement the policy named QcloudDCDBInnerReadOnlyAccess for the user.
The policy syntax is as follows:
{
"version": "2.0",
"statement": [
{
"action": [
"dcdb:Describe*"
],
"resource": "*",
"effect": "allow"
}
]
}
The above policy achieves its goal by granting the user permission to use all TencentDB operations whose names begin with "Describe".
As not all functional APIs are covered in the beta test, you may see that a small number of operations are not included in CAM, which is normal.
To grant a user the permission to manipulate TencentDB instances in a specific region, associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instances in Guangzhou.
{
"version": "2.0",
"statement": [
{
"action": "dcdb:*",
"resource": "qcs::dcdb:ap-guangzhou::*",
"effect": "allow"
}
]
}
To grant a user the permission to manipulate TencentDB instances in multiple specific regions, associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instances in Guangzhou and Chengdu.
{
"version": "2.0",
"statement": [
{
"action": "dcdb:*",
"resource": ["qcs::dcdb:ap-guangzhou::*", "qcs::dcdb:ap-chengdu::*"],
"effect": "allow"
}
]
}
To grant a user the permission to manipulate a specific database, associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instance "dcdb-xxx" in Guangzhou.
{
"version": "2.0",
"statement": [
{
"action": [
"dcdb:*"
],
"resource": "qcs::dcdb:ap-guangzhou::instance/dcdb-xxx",
"effect": "allow"
}
]
}
To grant a user the permission to manipulate TencentDB instances in batches, associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instances "dcdb-xxx" and "dcdb-yyy" in Guangzhou and "dcdb-zzz" in Beijing.
{
"version": "2.0",
"statement": [
{
"action": "dcdb:*",
"resource": ["qcs::dcdb:ap-guangzhou::instance/dcdb-xxx", "qcs::dcdb:ap-guangzhou::instance/dcdb-yyy", "qcs::dcdb:ap-beijing::instance/dcdb-zzz"],
"effect": "allow"
}
]
}
To grant a user the permission to perform only specific operations on TencentDB instances in batches, associate the following policy with the user. For example, the policy below allows the user to perform only the operations beginning with "Describe" and "Create" on the TencentDB instances "dcdb-xxx" and "dcdb-yyy" in Guangzhou and "dcdb-zzz" in Beijing.
{
"version": "2.0",
"statement": [
{
"action": ["dcdb:Describe*", "dcdb:Create*"],
"resource": ["qcs::dcdb:ap-guangzhou::instance/dcdb-xxx", "qcs::dcdb:ap-guangzhou::instance/dcdb-yyy", "qcs::dcdb:ap-beijing::instance/dcdb-zzz"],
"effect": "allow"
}
]
}
For all currently supported APIs, please see the list at the end of this document.
To deny a user permission to create TencentDB accounts, configure "effect": "deny".
{
"version": "2.0",
"statement": [
{
"action": "dcdb:CreateAccount",
"resource": "*",
"effect": "deny"
}
]
}
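The following is an added example, not part of the original page or of CAM itself: a small offline checker that combines the region-scoped allow and the CreateAccount deny shown above and reports the outcome for a request before the policy is associated with a sub-account. It assumes a simplified evaluation model (explicit deny overrides allow, no match means not permitted, "*" is a case-sensitive glob wildcard); the names `evaluate`, `matches` and `as_list` are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the multi-region allow and the CreateAccount deny from
# this page, combined into one policy document.
POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"action": "dcdb:*",
     "resource": ["qcs::dcdb:ap-guangzhou::*", "qcs::dcdb:ap-chengdu::*"],
     "effect": "allow"},
    {"action": ["dcdb:CreateAccount"], "resource": "*", "effect": "deny"}
  ]
}
""")


def as_list(value):
    """The page writes action/resource as a single string or as an array."""
    return [value] if isinstance(value, str) else list(value)


def matches(patterns, value):
    # Assumption: "*" behaves as a glob wildcard, as in "dcdb:Describe*".
    return any(fnmatchcase(value, p) for p in as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'deny', 'allow' or 'implicit-deny' for one request."""
    decision = "implicit-deny"            # nothing matched: not permitted
    for stmt in policy["statement"]:
        if matches(stmt["action"], action) and matches(stmt["resource"], resource):
            if stmt["effect"] == "deny":
                return "deny"             # assumed: explicit deny overrides allow
            decision = "allow"
    return decision


if __name__ == "__main__":
    gz = "qcs::dcdb:ap-guangzhou::instance/dcdb-xxx"
    bj = "qcs::dcdb:ap-beijing::instance/dcdb-zzz"
    for act, res in [("dcdb:DescribeDCDBInstances", gz),
                     ("dcdb:CreateAccount", gz),
                     ("dcdb:DescribeDCDBInstances", bj)]:
        print(act, res, "->", evaluate(POLICY, act, res))
```

Because `json.loads` rejects a comma-separated list that is not wrapped in `[...]`, loading a policy this way also catches malformed `action` or `resource` values before they reach the console.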
If preset policies cannot meet your requirements, you can create custom policies as shown below:
{
"version": "2.0",
"statement": [
{
"action": [
"Action"
],
"resource": "Resource",
"effect": "Effect"
}
]
}
Operation Name | API Name | Effective in Console After Configuration |
---|---|---|
Querying the upgrade price of an instance | DescribeDCDBUpgradePrice | No |
Renewing an instance | RenewDCDBInstance | No |
Querying the renewal price of an instance | DescribeDCDBRenewalPrice | No |
Scaling an instance | UpgradeDCDBInstance | No |
Viewing the instance list | DescribeDCDBInstances | Yes |
Getting the log list | DescribeDBLogFiles | Yes |
Initializing instances | InitDCDBInstances | No |
Creating an account | CreateAccount | Yes |
Querying the account list | DescribeAccounts | Yes |
Deleting an account | DeleteAccount | Yes |
Setting account permission | GrantAccountPrivileges | Yes |
Querying account permission | DescribeAccountPrivileges | Yes |
Copying account permission | CopyAccountPrivileges | No |
Modifying database account remarks | ModifyAccountDescription | No |
Resetting account password | ResetAccountPassword | Yes |
Viewing database parameters | DescribeDBParameters | No |
Modifying database parameters | ModifyDBParameters | No |
Cloning an account | CloneAccount | Yes |
Getting SQL logs | DescribeSqlLogs | No |