Authorizing Sub-Accounts to Access CI Services

Last updated: 2020-07-10 17:01:13

    Cloud Infinite (CI) provides a suite of data processing services, among which CI storage is based on COS. Therefore, for a sub-account to use all CI services, it must be granted necessary read/write permissions both for CI and COS.
    Granting CI operation permissions to a sub-account involves three steps: Create a Sub-Account and Grant CI Permissions, Grant COS permissions to the Sub-Account, and Use the Sub-Account to Process Data.

    Note:


    A sub-account may need the following permissions to view data or change settings in the CI console:

    Operation Permission
    Create a bucket cos:PutBucket permission for COS bucket
    Unbind a bucket cos:DeleteBucket permission for COS bucket
    View feature configuration cos:GetBucket permission for COS bucket
    Modify feature configuration cos:PutObject permission for COS bucket

    Step 1. Create a Sub-Account and Grant CI Permissions

    You can create a sub-account in CAM Console and grant CI access permissions for it. The specific procedure is as follows:

    1. Log in to CAM Console. In the left sidebar, choose Users > User List.

    2. In the user list page, click Create User.

    3. Click Custom Create to open the Select Type page.

    4. Click Access to resources and receive messages > Next to enter the Enter user info page.

    5. Enter user information. Here, you can create multiple sub-users, set the access type and console password, or perform other operations.

    6. Click Next to set user permissions. Choose Select policies from the policy list, and then QcloudCIFullAccess for full CI access from the policy list. Click Next.

    7. After confirming that the information is correct, click OK to create the sub-account.

    Step 2. Grant COS Permissions to the Sub-Account

    To grant COS resource access permissions to the sub-account, associate a preset policy with it as follows:

    1. Log in to CAM Console. In the left sidebar, choose Users > User List.
    2. In the user list page, find the sub-user that you just created, and click Grant Permission under Operation.
    3. In the policy list, select the appropriate permission policy, and click OK to associate it with the sub-user

    You can also grant COS permissions to a sub-account using a custom policy. For more information, see the Authorization Management document and policy examples.

    Step 3. Use the Sub-Account to Process Data

    To use a sub-account to process data, you need the APPID of the root account and the SecretId and SecretKey of the sub-account.

    1. Log in to CAM Console with your root account. In the left sidebar, choose Users > User List.
    2. Click on the name of the sub-account whose SecretId and SecretKey you want.
    3. Select the API Key tab where you can get the SecretId and SecretKey.

    You can also get the API Key from the CAM console using a sub-account by granting it CAM read permission.