You can grant a user permission to view and use specific resources in the TencentDB console by using a CAM policy. The samples below show how to allow a user to use specific policies in the console. Currently, CAM policies for TencentDB for MariaDB can be configured only with the "create by policy syntax" method.
Note: The API keyword of TencentDB for MariaDB in CAM is "mariadb".
After the policy is created, associate it with a user/group. After the association is completed, use another browser (or server) to verify whether the sub-account/collaborator can work normally. If the policy syntax is written correctly, you can observe the following:
Note:
- To avoid mutual impact of multiple policies, we recommend you associate only one policy with a sub-account at a time.
- The change to account access permission will take effect within 1 minute.
To grant a user permission to create and manage TencentDB instances, implement the policy named QcloudMariaDBFullAccess for the user.
The policy syntax is as follows:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "mariadb:*"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }
To grant a user permission to view TencentDB instances but not create, delete, or modify them, implement the policy named QcloudMariaDBInnerReadOnlyAccess for the user.
The policy syntax is as follows:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "mariadb:Describe*"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }
The above policy achieves its goal by using CAM to authorize the user for all operations in TencentDB whose names begin with "Describe".
Note: Because not all functional APIs are supported yet, a limited number of operations may be excluded from CAM, which is normal.
To grant a user the permission to manipulate TencentDB instances in a specific region, associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instances in Guangzhou.
    {
        "version": "2.0",
        "statement": [
            {
                "action": "mariadb:*",
                "resource": "qcs::mariadb:ap-guangzhou::*",
                "effect": "allow"
            }
        ]
    }
To grant a user permission to manipulate TencentDB instances in specific regions, associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instances in Guangzhou and Chengdu.
    {
        "version": "2.0",
        "statement": [
            {
                "action": "mariadb:*",
                "resource": ["qcs::mariadb:ap-guangzhou::*", "qcs::mariadb:ap-chengdu::*"],
                "effect": "allow"
            }
        ]
    }
To grant a user the permission to manipulate a specific database, associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instance "tdsql-xxx" in Guangzhou.
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "mariadb:*"
                ],
                "resource": "qcs::mariadb:ap-guangzhou::instance/tdsql-xxx",
                "effect": "allow"
            }
        ]
    }
To grant a user the permission to manipulate TencentDB instances in batches, associate the following policy with the user. For example, the policy below allows the user to manipulate the TencentDB instances "tdsql-xxx" and "tdsql-yyy" in Guangzhou and "tdsql-zzz" in Beijing.
    {
        "version": "2.0",
        "statement": [
            {
                "action": "mariadb:*",
                "resource": [
                    "qcs::mariadb:ap-guangzhou::instance/tdsql-xxx",
                    "qcs::mariadb:ap-guangzhou::instance/tdsql-yyy",
                    "qcs::mariadb:ap-beijing::instance/tdsql-zzz"
                ],
                "effect": "allow"
            }
        ]
    }
To grant a user permission to perform only specific operations on TencentDB instances in batches, associate the following policy with the user. For example, the policy below allows the user to perform only operations beginning with "Describe" or "Create" on the TencentDB instances "tdsql-xxx" and "tdsql-yyy" in Guangzhou and "tdsql-zzz" in Beijing.
    {
        "version": "2.0",
        "statement": [
            {
                "action": ["mariadb:Describe*", "mariadb:Create*"],
                "resource": [
                    "qcs::mariadb:ap-guangzhou::instance/tdsql-xxx",
                    "qcs::mariadb:ap-guangzhou::instance/tdsql-yyy",
                    "qcs::mariadb:ap-beijing::instance/tdsql-zzz"
                ],
                "effect": "allow"
            }
        ]
    }
To deny a user permission to create TencentDB accounts, configure "effect": "deny".
    {
        "version": "2.0",
        "statement": [
            {
                "action": "mariadb:CreateAccount",
                "resource": "*",
                "effect": "deny"
            }
        ]
    }
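The following added example (not part of the original documentation or of Tencent Cloud's code) is a simplified offline model of how the allow and deny statements shown above combine, so a policy can be checked before it is associated with a sub-account. It assumes "*" behaves as a glob wildcard, that an explicit deny overrides any allow, and that a request matched by no statement is refused; mariadb:DescribeDBInstances is a sample action name chosen to match "Describe*".

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the Guangzhou-scoped allow and the CreateAccount deny
# from this page, combined as two statements of one policy.
POLICY = json.loads("""
{
    "version": "2.0",
    "statement": [
        {"action": "mariadb:*", "resource": "qcs::mariadb:ap-guangzhou::*",
         "effect": "allow"},
        {"action": ["mariadb:CreateAccount"], "resource": "*",
         "effect": "deny"}
    ]
}
""")


def _as_list(value):
    """Action and resource may each be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(statement, action, resource):
    """True if some action pattern and some resource pattern both match."""
    return (any(fnmatchcase(action, p) for p in _as_list(statement["action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(statement["resource"])))


def evaluate(policy, action, resource):
    """Return 'deny', 'allow' or 'implicit-deny' for one request.

    Assumed model: explicit deny wins; no matching statement means refusal.
    """
    hits = [s["effect"] for s in policy["statement"] if _matches(s, action, resource)]
    if "deny" in hits:
        return "deny"
    return "allow" if "allow" in hits else "implicit-deny"


if __name__ == "__main__":
    gz = "qcs::mariadb:ap-guangzhou::instance/tdsql-xxx"
    bj = "qcs::mariadb:ap-beijing::instance/tdsql-zzz"
    for act, res in [("mariadb:DescribeDBInstances", gz),  # sample action name
                     ("mariadb:CreateAccount", gz),
                     ("mariadb:DescribeDBInstances", bj)]:
        print(f"{act:30} {res:48} -> {evaluate(POLICY, act, res)}")
```

The console check described earlier (signing in as the sub-account from another browser) remains the authoritative test; this model only catches scoping mistakes before the policy is attached.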
If preset policies cannot meet your requirements, you can create custom policies as shown below:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "Action"
                ],
                "resource": "Resource",
                "effect": "Effect"
            }
        ]
    }