Console Example

Last updated: 2020-02-25 10:18:28


Scenario

You can use Cloud Access Management (CAM) policies to grant users permission to view and use specific resources in the Cloud Virtual Machine (CVM) console. This document provides example policies for viewing and using specific resources, to show how policies scope a user's access to particular parts of the console.

Operation Examples

Full read-write policy for CVMs

If you want a user to be able to create and manage CVM instances, grant that user the preset policy QcloudCVMFullAccess. This policy allows the user to perform all operations on all resources in CVM, VPC (Virtual Private Cloud), CLB (Cloud Load Balancer) and Cloud Monitor.
Detailed procedure is shown below:
Refer to Authorization Management to grant the preset policy QcloudCVMFullAccess to the user.

Read-only policy for CVMs

If you want a user to be able to query CVM instances but not to create, delete, start or shut them down, grant that user the preset policy QcloudCVMInnerReadOnlyAccess. This policy allows the user to call every CVM action whose name starts with "Describe" or "Inquiry". The specific steps are as follows:
Refer to Authorization Management to grant the preset policy QcloudCVMInnerReadOnlyAccess to the user.

To allow a user to query CVM instances and the related VPC and CLB resources, without granting permission to create, delete, start or shut down instances, use the preset policy QcloudCVMReadOnlyAccess. It grants:

  • All CVM operations starting with "Describe" or "Inquiry".
  • All VPC operations starting with "Describe", "Inquiry" or "Get".
  • All CLB operations starting with "Describe".
  • All Cloud Monitor operations.

Detailed procedure is shown below:
Refer to Authorization Management to grant the preset policy QcloudCVMReadOnlyAccess to the user.

Policy for elastic cloud disks

If you want a user to be able to view elastic cloud disk information in the CVM console and to create and use elastic cloud disks, first add the following actions to a policy, then associate the policy with the user.
CreateCbsStorages: Create a cloud disk.
AttachCbsStorages: Mount the specified elastic cloud disk to the specified CVM.
DetachCbsStorages: Unmount the specified elastic cloud disk.
ModifyCbsStorageAttributes: Modify the name or the project ID of the specified cloud disk.
DescribeCbsStorages: Query the details of a cloud disk.
DescribeInstancesCbsNum: Query the number of elastic cloud disks that have been mounted to a CVM and the maximum number of elastic cloud disks that are allowed to be mounted to the CVM.
RenewCbsStorage: Renew the specified elastic cloud disk.
ResizeCbsStorage: Expand the capacity of specified elastic cloud disk.

Detailed procedure is shown below:

  1. Following Policy, create a custom policy that grants permission to view elastic cloud disk information in the CVM console and to create and use elastic cloud disks.
    The policy content can be set by referring to the following policy syntax (replace the UIN in the resource with your own root account UIN):
{
    "version":"2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "name/cvm:CreateCbsStorages",
                "name/cvm:AttachCbsStorages",
                "name/cvm:DetachCbsStorages",
                "name/cvm:ModifyCbsStorageAttributes",
                "name/cvm:DescribeCbsStorages"
            ],
            "resource": [
                "qcs::cvm::uin/1410643447:*"
            ]
        }
    ]
}
    This example grants only five of the actions listed above; add DescribeInstancesCbsNum, RenewCbsStorage and ResizeCbsStorage if the user also needs to check mount counts, renew disks or expand them.
  2. Locate the created policy, and in the actions column of the policy row, click Associate User/Group.
  3. In the pop-up Associate User/Group window, select the user or group you need to authorize, and click OK.

Policy for security groups

If you want a user to be able to view and use security groups in the CVM console, add the following actions to a policy, then associate the policy with the user.
DeleteSecurityGroup: Delete a security group.
ModifySecurityGroupPolicys: Replace all the policies of a security group.
ModifySingleSecurityGroupPolicy: Modify a single policy of a security group.
CreateSecurityGroupPolicy: Create a security group policy.
DeleteSecurityGroupPolicy: Delete a security group policy.
ModifySecurityGroupAttributes: Modify the attributes of a security group.

Detailed procedure is shown below:

  1. Following Policy, create a custom policy that allows the user to create, delete and modify security groups in the CVM console.
    The policy content can be set by referring to the following policy syntax. The resource is "*" (every security group in the account); narrow it to specific resources where you can. This example grants only the rule-level actions; add DeleteSecurityGroup and ModifySecurityGroupAttributes if the user also needs to delete security groups or change their attributes.
{
    "version":"2.0",
    "statement": [
        {
            "action": [
                "name/cvm:ModifySecurityGroupPolicys",
                "name/cvm:ModifySingleSecurityGroupPolicy",
                "name/cvm:CreateSecurityGroupPolicy",
                "name/cvm:DeleteSecurityGroupPolicy"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
  2. Locate the created policy, and in the actions column of the policy row, click Associate User/Group.
  3. In the pop-up Associate User/Group window, select the user or group you need to authorize, and click OK.

Policy for EIPs

If you want a user to be able to view and use Elastic IPs (EIPs) in the CVM console, first add the following actions to a policy, then associate the policy with the user.
AllocateAddresses: Assign an EIP to VPC or CVM.
AssociateAddress: Associate an EIP to an instance or a network interface.
DescribeAddresses: View EIPs in the CVM console.
DisassociateAddress: Disassociate an EIP from an instance or a network interface.
ModifyAddressAttribute: Modify the attributes of an EIP.
ReleaseAddresses: Release an EIP.

Detailed procedure is shown below:

  1. Following Policy, create a custom policy.
    This policy allows the user to view EIPs in the CVM console, allocate EIPs and associate them with instances, but not to modify EIP attributes, disassociate EIPs or release them. The policy content can be set by referring to the following policy syntax:
{
    "version":"2.0",
    "statement": [
        {
            "action": [
                "name/cvm:DescribeAddresses",
                "name/cvm:AllocateAddresses",
                "name/cvm:AssociateAddress"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
  2. Locate the created policy, and in the actions column of the policy row, click Associate User/Group.
  3. In the pop-up Associate User/Group window, select the user or group you need to authorize, and click OK.

Policy for authorizing users to perform operations on specific CVMs

If you want to authorize a user to operate on one specific CVM instance, associate a policy like the following with that user. The specific steps are as follows:

  1. Following Policy, create a custom policy.
    This policy allows the user to perform every CVM action on the instance with ID ins-1 in the Guangzhou region, and nothing on any other instance. The policy content can be set by referring to the following policy syntax:
{
    "version":"2.0",
    "statement": [
        {
            "action": "cvm:*",
            "resource": [ "qcs::cvm:ap-guangzhou:uin/653339763:instanceId/ins-1" ],
            "effect": "allow"
        }
    ]
}
  2. Locate the created policy, and in the actions column of the policy row, click Associate User/Group.
  3. In the pop-up Associate User/Group window, select the user or group you need to authorize, and click OK.

Policy for authorizing users to perform operations on the CVMs in a specific region

If you want to authorize a user to operate on the CVM instances in a specific region, associate a policy like the following with that user. The specific steps are as follows:

  1. Following Policy, create a custom policy.
    This policy allows the user to perform every CVM action on CVM instances in the Guangzhou region only. The policy content can be set by referring to the following policy syntax:
{
    "version":"2.0",
    "statement": [
        {
            "action": "cvm:*",
            "resource": "qcs::cvm:ap-guangzhou::*",
            "effect": "allow"
        }
    ]
}
  2. Locate the created policy, and in the actions column of the policy row, click Associate User/Group.
  3. In the pop-up Associate User/Group window, select the user or group you need to authorize, and click OK.
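Before associating a hand-written policy such as the read-only, single-instance or region-scoped examples above with a user, it is worth checking what it actually grants. The following is an added example in Python, not part of this page or of Tencent's own tooling: a simplified evaluator that applies the explicit-deny-wins, default-deny logic with wildcard action matching and segment-wise matching of six-segment qcs resource strings, a structural validator that catches a missing "statement" list or an empty "resource" in hand-edited JSON, and a linter that flags statements granting a wildcard action on every resource. The matching rules and the sample documents are assumptions modelled on this page's examples, not the authoritative CAM implementation.

```python
"""Simplified CAM policy evaluator and linter (added illustration, not Tencent's engine).

Assumptions, which hold for the examples on this page but are not the full CAM spec:
  * "name/cvm:Foo" and "cvm:Foo" name the same action; '*' in an action pattern
    matches any run of characters.
  * A resource is a six-segment "qcs:project:service:region:account:resource"
    string; an empty or '*' pattern segment matches anything in that position.
  * An explicit deny wins over any allow; with no matching statement the
    answer is deny.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _strip_name_prefix(action):
    return action[len("name/"):] if action.startswith("name/") else action


def action_matches(pattern, action):
    """'name/cvm:Describe*' matches 'cvm:DescribeInstances' but not 'cvm:StopInstances'."""
    return fnmatch.fnmatchcase(_strip_name_prefix(action), _strip_name_prefix(pattern))


def resource_matches(pattern, resource):
    """Segment-wise match of a qcs resource string; a bare '*' matches everything."""
    if pattern == "*":
        return True
    pat_parts, res_parts = pattern.split(":", 5), resource.split(":", 5)
    if len(pat_parts) != 6 or len(res_parts) != 6:
        return False
    return all(p in ("", "*") or fnmatch.fnmatchcase(r, p)
               for p, r in zip(pat_parts, res_parts))


def validate(policy):
    """Return structural problems in a policy document (empty list means well-formed)."""
    problems = []
    if policy.get("version") != "2.0":
        problems.append('version must be the string "2.0"')
    statements = policy.get("statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if st.get("effect") not in ("allow", "deny"):
            problems.append(f"statement {i}: effect must be allow or deny")
        for key in ("action", "resource"):
            vals = _as_list(st.get(key, []))
            if not vals or not all(isinstance(v, str) and v for v in vals):
                problems.append(f"statement {i}: {key} must be a non-empty string or list")
    return problems


def evaluate(policy, action, resource):
    """Return 'allow' or 'deny' for one action on one resource under one policy."""
    decision = "deny"
    for st in policy["statement"]:
        if not any(action_matches(a, action) for a in _as_list(st["action"])):
            continue
        if not any(resource_matches(r, resource) for r in _as_list(st["resource"])):
            continue
        if st["effect"] == "deny":
            return "deny"  # explicit deny beats every allow
        decision = "allow"
    return decision


def wildcard_grants(policy):
    """Indexes of allow statements that pair a wildcard action with resource '*'."""
    flagged = []
    for i, st in enumerate(policy["statement"]):
        broad_action = any(a == "*" or a.endswith(":*") for a in _as_list(st.get("action", [])))
        if st.get("effect") == "allow" and broad_action and "*" in _as_list(st.get("resource", [])):
            flagged.append(i)
    return flagged


# Constructed sample documents modelled on the policies shown on this page.
INS = "qcs::cvm:ap-guangzhou:uin/653339763:instanceId/ins-1"
READ_ONLY = {"version": "2.0", "statement": [
    {"effect": "allow", "action": ["name/cvm:Describe*", "name/cvm:Inquiry*"], "resource": "*"}]}
SINGLE_INSTANCE = {"version": "2.0", "statement": [
    {"effect": "allow", "action": "cvm:*", "resource": [INS]}]}
REGION_ONLY = {"version": "2.0", "statement": [
    {"effect": "allow", "action": "cvm:*", "resource": "qcs::cvm:ap-guangzhou::*"}]}
FULL_ACCESS = {"version": "2.0", "statement": [
    {"effect": "allow", "action": "cvm:*", "resource": "*"}]}
# Full access with a guard rail: the deny statement wins for TerminateInstances.
GUARDED = {"version": "2.0", "statement": FULL_ACCESS["statement"] + [
    {"effect": "deny", "action": "cvm:TerminateInstances", "resource": "*"}]}
# The shape of a common hand-editing mistake: "statement" is an object, not a list.
BROKEN = {"version": "2.0", "statement": {"effect": "allow", "action": "cvm:*", "resource": "*"}}

if __name__ == "__main__":
    print(evaluate(READ_ONLY, "cvm:StopInstances", INS))  # deny
    print(evaluate(SINGLE_INSTANCE, "cvm:StopInstances", INS.replace("ins-1", "ins-2")))  # deny
    print(evaluate(GUARDED, "cvm:TerminateInstances", INS))  # deny
    print(validate(BROKEN), wildcard_grants(FULL_ACCESS))  # ['statement must be a non-empty list'] [0]
```

Run it as a script to see the decisions for the sample documents, or import it and point evaluate() at the policy JSON you are about to associate with a sub-account. The GUARDED document shows why an explicit deny statement is the safer way to carve one dangerous action out of a broad grant: it keeps winning even if a later allow is added.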

Granting a sub-account full permissions for CVMs with the exception of billing

Suppose that under the enterprise account CompanyExample (ownerUin 12345678) there is a sub-account, Developer. The sub-account needs all management permissions (creation, management, etc.) for the enterprise account's CVM service, but not payment permission: it can place orders but cannot pay for them.
This can be achieved in either of the following two ways:

  • Option A
    The CompanyExample enterprise account grants the preset policy QcloudCVMFullAccess directly to the Developer sub-account. For more information about authorization, see Authorization Management.
  • Option B
  1. Create a Custom Policy. The resource is "*" (all CVM resources in the account); narrow it where the sub-account only needs some of them.
 {
    "version":"2.0",
    "statement": [
         {
             "effect":"allow",
             "action": "cvm:*",
             "resource": "*"
         }
    ]
}
  2. Grant the policy to the sub-account. For more information on authorization, see Authorization Management.

Granting a sub-account permission for project management

Suppose that under the enterprise account CompanyExample (ownerUin 12345678) there is a sub-account, Developer, that needs to manage resources in the console on a per-project basis.
Detailed procedure is shown below:

  1. Create a custom policy for project management according to the permissions the business requires.
  2. Grant the policy to the sub-account. For more information on authorization, see Authorization Management.
    If the sub-account is still told it lacks permission while managing a project, for example when viewing snapshots, images, VPCs, EIPs or other products, grant it the preset policies QcloudCVMAccessForNullProject, QcloudCVMOrderAccess and QcloudCVMLaunchToVPC. For the authorization method, see Authorization Management.

Custom policy

If the preset policies do not meet your requirements, you can create a custom policy.
For detailed directions, see Creating a Custom Policy.
For more on CVM-related policy syntax, see Authorization Policy Syntax.