Access Control Overview

Last updated: 2020-02-25 10:57:15


If you use Tencent Cloud services such as Cloud Virtual Machine (CVM), VPC, and databases, and these services are managed by different people who all share your cloud account key, the following problems arise:

  • Your key is shared by multiple users, leading to a high risk of compromise.
  • You cannot control the access permissions of other users, which poses a security risk due to potential accidental operations.

You can avoid these problems by using sub-accounts so that different people manage different services. By default, a sub-account has no permission to use CVM or any CVM-related resources, so you need to create a policy that grants sub-accounts exactly the resources and permissions they need.

Tencent Cloud CAM is a web service that helps customers securely manage and control access to their Tencent Cloud resources. CAM provides identity management and policy management for you to create, manage or terminate users (groups), and to control who is allowed to access and use your Tencent Cloud resources.

When you use CAM, you associate a policy with a user or a user group. The policy allows or denies those users the use of specified resources to complete specified tasks. For basic information about CAM policies, see Policy Syntax. For more information about how CAM policies are used, see Policy.

If you do not need to manage sub-accounts' access permissions to CLB resources, you can skip this chapter. Doing so will not affect your understanding and use of the other parts of the documentation.

Getting Started

A CAM policy must allow or deny the use of one or more TencentDB operations. It must also specify the resources on which those operations may be performed (all resources, or, for operations that support it, specific resources). A policy can also include conditions that restrict the resources being operated on.

Not every CVM API operation supports resource-level permissions. For an operation that does not, you cannot restrict the policy to a specific resource; you must grant the operation on all resources.
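The following is an added example, not from the original page or from Tencent Cloud: a constructed CAM policy document for a sub-account that may list instances anywhere but may only start or stop one specific instance, plus a simplified evaluator showing how allow and deny statements combine. The instance ID is a placeholder, and the evaluator assumes CAM's documented rules that nothing is allowed by default and that an explicit deny overrides any allow.

```python
import fnmatch
import json

# Constructed sample policy (placeholder instance ID, not a real resource).
POLICY = {
    "version": "2.0",
    "statement": [
        {   # Listing instances is granted on all resources ("*").
            "effect": "allow",
            "action": ["cvm:DescribeInstances"],
            "resource": ["*"],
        },
        {   # Start/stop is restricted to one instance via a six-segment
            # resource description: qcs::service:region:account:resource
            "effect": "allow",
            "action": ["cvm:StartInstances", "cvm:StopInstances"],
            "resource": ["qcs::cvm:ap-guangzhou::instance/ins-xxxxxxxx"],
        },
        {   # An explicit deny wins even if a broader allow is added later.
            "effect": "deny",
            "action": ["cvm:TerminateInstances"],
            "resource": ["*"],
        },
    ],
}


def policy_json(policy=POLICY):
    """Serialize the policy as the JSON you would paste into CAM."""
    return json.dumps(policy, indent=2)


def _matches(patterns, value):
    # "*" wildcards are honoured; this is a simplification of CAM matching.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return "allow" or "deny" for one action on one resource.

    Assumption (simplified model of CAM): default is deny, any matching
    deny statement is final, otherwise a matching allow grants access.
    """
    decision = "deny"
    for stmt in policy["statement"]:
        if _matches(stmt["action"], action) and _matches(stmt["resource"], resource):
            if stmt["effect"] == "deny":
                return "deny"
            decision = "allow"
    return decision
```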

Task                                               Link
-------------------------------------------------  -------------------------------------------------
Understand the basic structure of a policy         Policy Syntax
Define actions in a policy                         Operation of CVM
Define resources in a policy                       Resource path of CVM
Use conditions to restrict policies                Conditional key of CVM
Resource-level permissions supported by CVM        Resource-level Permissions Supported by CVM
Console sample                                     Console Sample