You can use Cloud Access Management (CAM) policies to control which resources a user can view and operate in the Cloud Virtual Machine (CVM) console. This document provides examples to help you understand how to use the pre-defined CAM policies with the CVM console.
If you want to allow a user to create and manage CVM instances, associate the user with the policy named QcloudCVMFullAccess. This policy is designed to grant users the permissions to access all the resources in CVM, Virtual Private Cloud (VPC), Cloud Load Balancer (CLB), and Cloud Monitor.
The detailed steps are as follows:
Refer to Authorization Management for instructions on how to grant the preset policy QcloudCVMFullAccess to a user.
If you want to allow a user to only query, but not create, delete, or start/shut down CVM instances, associate the user with the policy named QcloudCVMInnerReadOnlyAccess. This policy is designed to grant users the permissions to perform all operations starting with "Describe" and "Inquiry" in CVM. The detailed steps are as follows:
Refer to Authorization Management for instructions on how to grant the preset policy QcloudCVMInnerReadOnlyAccess to a user.
If you want to allow a user to only query, but not create, delete, or start/shut down CVM instances and associated resources (VPC and CLB), associate the user with the policy named QcloudCVMReadOnlyAccess. This policy is designed to grant users the permissions to perform the following operations:
The detailed steps are as follows:
Refer to Authorization Management for instructions on how to grant the preset policy QcloudCVMReadOnlyAccess to a user.
If you want to allow a user to view, create, and use cloud disks on the CVM console, add the following operations to your policy and associate the policy with the user.
The detailed steps are as follows:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "name/cvm:CreateCbsStorages",
                "name/cvm:AttachCbsStorages",
                "name/cvm:DetachCbsStorages",
                "name/cvm:ModifyCbsStorageAttributes",
                "name/cvm:DescribeCbsStorages"
            ],
            "resource": [
                "qcs::cvm::uin/1410643447:*"
            ]
        }
    ]
}
To allow a user to view and use security groups on the CVM console, add the following operations to your policy, and associate the policy with the user.
The detailed steps are as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "name/cvm:ModifySecurityGroupPolicys",
                "name/cvm:ModifySingleSecurityGroupPolicy",
                "name/cvm:CreateSecurityGroupPolicy",
                "name/cvm:DeleteSecurityGroupPolicy"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
If you want to allow a user to view and use EIPs on the CVM console, add the following operations to your policy, and associate the policy with the user.
The detailed steps are as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "name/cvm:DescribeAddresses",
                "name/cvm:AllocateAddresses",
                "name/cvm:AssociateAddress"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
If you want to authorize a user to perform operations on a specific CVM, associate the following policy with the user. The detailed steps are as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": "cvm:*",
            "resource": "qcs::cvm:ap-guangzhou::instance/ins-1",
            "effect": "allow"
        }
    ]
}
If you want to authorize a user to perform operations on the CVMs in a specific region, associate the following policy with the user. The detailed steps are as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": "cvm:*",
            "resource": "qcs::cvm:ap-guangzhou::*",
            "effect": "allow"
        }
    ]
}
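The following is an added example, not part of the original page or of any Tencent Cloud tooling: a small Python check that reports how far each allow statement in a CAM policy reaches, run against the instance-scoped and region-scoped policies above. It assumes the six-field resource description `qcs:project_id:service_type:region:account:resource`; the function names are hypothetical.

```python
import json

def as_list(value):
    """CAM accepts either a single string or a list for action and resource."""
    return [value] if isinstance(value, str) else list(value)

def resource_scope(resource):
    """Classify how wide one resource description reaches."""
    if resource == "*":
        return "all-resources"
    parts = resource.split(":", 5)  # assumed layout: qcs:project:service:region:account:resource
    if len(parts) != 6 or parts[0] != "qcs":
        return "malformed"
    _, _, _, region, account, res = parts
    if "*" not in res:
        return "single-resource"
    if region:
        return "region-wide"
    return "account-wide" if account else "service-wide"

def audit(policy_text):
    """Return (action, resource, scope, wildcard_action) for every allowed pair.

    Raises ValueError if the text is not valid JSON, for example when a
    typographic quote was pasted in place of a straight double quote.
    """
    policy = json.loads(policy_text)  # json.JSONDecodeError subclasses ValueError
    findings = []
    for stmt in policy["statement"]:
        if stmt.get("effect") != "allow":
            continue
        for action in as_list(stmt["action"]):
            wildcard_action = action.split(":")[-1] == "*"
            for resource in as_list(stmt["resource"]):
                findings.append((action, resource, resource_scope(resource), wildcard_action))
    return findings

# Policies from this page; they differ only in the "resource" value.
TEMPLATE = '{"version": "2.0", "statement": [{"action": "cvm:*", "resource": "%s", "effect": "allow"}]}'
INSTANCE = TEMPLATE % "qcs::cvm:ap-guangzhou::instance/ins-1"
REGION = TEMPLATE % "qcs::cvm:ap-guangzhou::*"
EVERYTHING = TEMPLATE % "*"

if __name__ == "__main__":
    for name, text in [("instance", INSTANCE), ("region", REGION), ("everything", EVERYTHING)]:
        for finding in audit(text):
            print(name, finding)
```

Statements that combine a wildcard action with a scope wider than `single-resource` are the ones to review first when applying least privilege.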
Assume that the account CompanyExample, whose ownerUin is 12345678, has a sub-account called Developer. Developer requires full management permissions (including all operations such as creation and management) for the CVM instance, except payment, which means Developer can make orders but cannot pay for them.
You can do this by using one of the following two solutions:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "cvm:*",
            "resource": "*"
        }
    ]
}
Assume that the enterprise account, CompanyExample, with ownerUin of 12345678, has a sub-account called Developer. The owner of CompanyExample wants to allow Developer to manage projects, including assigning and removing resources, on the console.
The detailed steps are as follows:
If preset policies cannot meet your requirements, you can create custom policies.
For detailed instructions, refer to Policies.
For more information on CVM policy syntax, refer to Authorization Policy Syntax.