Overview
Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you with the security management of access permissions for resources under your Tencent Cloud account. With CAM, you can create, manage, and terminate users or user groups, and can use identity and policy management to control the permissions other users have to use Tencent Cloud resources. Policies can be used to authorize or block the use of specified resources by users to complete specified tasks. When you use CAM, you can associate policies with a user or user group to perform permissions control.
TAT is connected with CAM for permission controlling.
Access Control Levels
TAT supports the access control by resources and tags.
Resource-level control: Specify a policy to assign a sub-account with permissions to a single resource. For details, see Creating Custom Policy.
Control by tags: Add tags to resources for access control
Preset Policies
Preset policy | Permissions granted |
QcloudTATReadOnlyAccess | TAT read-only permission |
QcloudTATFullAccess | TAT read/write permission |
Types of Manageable Resources
TAT supports resource-level authorization. You can grant a specified sub-account the API permission of a specified resource.
In CAM, the types of TAT resources that can be authorized are as follows:
Resource Type | Resource Description Method in Authorization Policy |
Remote command-related | qcs::tat:$region:$account:command/$commandId |
APIs supporting action-level authorization include:
API name | Description | Resource |
CreateCommand | Create a command | * |
APIs supporting resource-level authorization include:
API nameAPI description | Resource type | Resource (in six-segment format) |
DeleteCommandDelete a command | Command | qcs::tat:$region:$account:command/$commandId |
DescribeAutomationAgentsQuery the agent running status | CVM instances, Lighthouse instances | qcs::cvm:$region:$account:instance/$instanceIdqcs::lighthouse:$region:$account:instance/$instanceId |
DescribeCommandsQuery a command | Command | qcs::tat:$region:$account:command/$commandId |
DescribeInvocationsQuery the execution result | Command | qcs::tat:$region:$account:command/$commandId |
DescribeInvocationTasksQuery the execution tasks | Command, CVM instances, Lighthouse instances | qcs::tat:$region:$account:command/$commandIdqcs::cvm:$region:$account:instance/$instanceIdqcs::lighthouse:$region:$account:instance/$instanceId |
InvokeCommandInvoke a command | Command, CVM instances, Lighthouse instances | qcs::tat:$region:$account:command/$commandIdqcs::cvm:$region:$account:instance/$instanceIdqcs::lighthouse:$region:$account:instance/$instanceId |
ModifyCommandModify a command | Command | qcs::tat:$region:$account:command/$commandId |
PreviewReplacedCommandContentQuery the command after rendering | Command | qcs::tat:$region:$account:command/$commandId |
RunCommandRun a command | Command, CVM instances, Lighthouse instances | qcs::tat:$region:$account:command/$commandIdqcs::cvm:$region:$account:instance/$instanceIdqcs::lighthouse:$region:$account:instance/$instanceId |
Examples
Check the examples below to learn about how to control permissions by using CAM.
Note:
Guangzhou region is used for all the examples below. Replace
$account with the Tencent Cloud root account of the user.Allow a user to modify and delete the command
cmd-xxxxxxxx{"version": "2.0","statement": [{"effect": "allow","resource": ["qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"],"action": ["tat:ModifyCommand","tat:DeleteCommand"]}]}
Allow a user to check the details of the command
cmd-xxxxxxxx{"version": "2.0","statement": [{"effect": "allow","resource": ["qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"],"action": ["tat:DescribeCommands"]}]}
Allow a user to check the result of the command
cmd-xxxxxxxx{"version": "2.0","statement": [{"effect": "allow","resource": ["qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"],"action": ["tat:DescribeInvocations","tat:DescribeInvocationTasks"]}]}
Disallow a user from executing the command
cmd-xxxxxxxx{"version": "2.0","statement": [{"effect": "deny","resource": ["qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"],"action": ["tat:InvokeCommands"]}]}
Disallow a user from executing any commands
{"version": "2.0","statement": [{"effect": "deny","resource": ["qcs::tat:ap-guangzhou:$account:command/*"],"action": ["tat:InvokeCommand","tat:RunCommand"]}]}
Disallow a user from executing any commands on the CVM
ins-xxxxxxxx{"version": "2.0","statement": [{"effect": "deny","resource": ["qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"],"action": ["tat:InvokeCommand","tat:RunCommand"]}]}
Disallow a user from executing commands on any CVMs
{"version": "2.0","statement": [{"effect": "deny","resource": ["qcs::cvm:ap-guangzhou:$account:instance/*"],"action": ["tat:InvokeCommand","tat:RunCommand"]}]}
Disallow a user from executing any commands on the Lighthouse instance
lhins-xxxxxxxx{"version": "2.0","statement": [{"effect": "deny","resource": ["qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"],"action": ["tat:InvokeCommand","tat:RunCommand"]}]}
Disallow a user from executing commands on any Lighthouse instances
{"version": "2.0","statement": [{"effect": "deny","resource": ["qcs::lighthouse:ap-guangzhou:$account:instance/*"],"action": ["tat:InvokeCommand","tat:RunCommand"]}]}
Allow a user to execute the command
cmd-xxxxxxxx or cmd-yyyyyyyy on the CVM ins-xxxxxxxx{"version": "2.0","statement": [{"effect": "allow","resource": ["qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx","qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx","qcs::tat:ap-guangzhou:$account:command/cmd-yyyyyyyy"],"action": ["tat:InvokeCommand"]}]}
Allow a user to execute the command
cmd-xxxxxxxx or cmd-yyyyyyyy on the Lighthouse instance lhins-xxxxxxxx{"version": "2.0","statement": [{"effect": "allow","resource": ["qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx","qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx","qcs::tat:ap-guangzhou:$account:command/cmd-yyyyyyyy"],"action": ["tat:InvokeCommand"]}]}
Disallow a user from checking the command execution result on the CVM
ins-xxxxxxxx{"version": "2.0","statement": [{"effect": "deny","resource": ["qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"],"action": ["tat:DescribeInvocationTasks"]}]}
Disallow a user from checking the command execution result on the Lighthouse instance
lhins-xxxxxxxx{"version": "2.0","statement": [{"effect": "deny","resource": ["qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"],"action": ["tat:DescribeInvocationTasks"]}]}
Disallow a user from checking the Agent status on the CVM
ins-xxxxxxxx{"version": "2.0","statement": [{"effect": "deny","resource": ["qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"],"action": ["tat:DescribeAutomationAgentStatus"]}]}
Disallow a user from checking the Agent status on the Lighthouse instance
lhins-xxxxxxxx{"version": "2.0","statement": [{"effect": "deny","resource": ["qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"],"action": ["tat:DescribeAutomationAgentStatus"]}]}
Yes
No
Was this page helpful?