Access Control Overview

Last updated: 2019-07-25 18:35:20


If you use services such as Cloud Virtual Machine (CVM), VPC, and databases in Tencent Cloud, and these services are managed by different users who all share your cloud account key, the following problems may exist:

  • Your key is shared by multiple users, which leads to a high risk of leakage.
  • You cannot limit the access permissions of the other users, so a misoperation by any of them can easily become a security incident.

To avoid the above problems, you can use sub-accounts so that different users manage different services. By default, a sub-account has no permission to use CVM or related resources, so you must create a policy that grants each sub-account only the permissions it needs for the resources it uses.

Cloud Access Management (CAM) is a service package provided by Tencent Cloud, which is used to help customers manage the permissions to access resources under Tencent Cloud accounts in a secure way. By using CAM, you can create, manage and terminate users (or user groups), as well as determine which Tencent Cloud resources can be accessed and who can use them through identity management and policy management.

When using CAM, you attach a policy to a user or a user group. The policy allows or denies those users to perform specified tasks on specified resources.

If you do not need to manage the access permission to CVM resources for sub-accounts, you can skip this chapter. This will not affect your understanding and usage of other parts in this document.

This feature is in Beta test for now. Submit a Ticket to apply for it.

Getting Started

A CAM policy must allow or deny users to perform one or more CVM operations. It must also specify the resources the operations apply to (all resources, or, for operations that support it, specific resources). A policy can also contain conditions that further restrict the resource operations.

Some CVM API operations support resource-level permissions, which let you restrict a policy to a specific resource. For operations that do not support resource-level permissions, you must specify all resources and cannot narrow the policy to a specific resource.
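To illustrate the policy elements described above (effect, action, resource, and condition) in one document, here is a constructed least-privilege CAM policy for a sub-account that operates a single instance. It is an added example, not taken from this page; the region, account UIN, instance ID, and source IP range are placeholders.

```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "cvm:DescribeInstances"
      ],
      "resource": "*"
    },
    {
      "effect": "allow",
      "action": [
        "cvm:StartInstances",
        "cvm:StopInstances",
        "cvm:RebootInstances"
      ],
      "resource": [
        "qcs::cvm:ap-guangzhou:uin/100000000001:instance/ins-xxxxxxxx"
      ],
      "condition": {
        "ip_equal": {
          "qcs:ip": "203.0.113.0/24"
        }
      }
    },
    {
      "effect": "deny",
      "action": [
        "cvm:TerminateInstances"
      ],
      "resource": "*"
    }
  ]
}
```

The first statement grants read-only listing across all instances, the second limits power operations to one instance and to requests from a trusted network, and the explicit deny in the third statement overrides any allow so the sub-account can never terminate an instance even if another policy grants it.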

Task                                                    Link
Learn about the basic structure of the policy           Policy Syntax
Define operations in the policy                         CVM Operations
Define resources in the policy                          CVM Resource Path
Limit the policy with conditions                        CVM Condition Keys
Resource-level permissions supported by CVM             Resource-level Permissions Supported by CVM
CAM policy example                                      CAM Policy Example