tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
TencentDB for MongoDB
    Documentation
    Download PDF

    Authorization Permission Policy

    Last updated: 2022-04-12 14:56:14
    Download PDF

      Permissions of Tencent Cloud root accounts and sub-accounts are separated. You can grant sub-accounts different permissions as needed, which avoids security risks caused by exposure of your Tencent Cloud account key.

      Granting Sub-account permission policy

      Background

      Company A activates the TencentDB for MongoDB service and wants its team members to manipulate the involved resources. For security or trust considerations, it doesn't want to directly disclose its Tencent Cloud account key to the team members; instead, it wants to create corresponding sub-accounts for them, which can manipulate resources only with authorization by its root account and don't require separate usage calculation and billing, as all fees are charged to its Tencent Cloud account. It also wants to be able to revoke or delete the operation permissions of sub-accounts at any time.

      Directions

      Step 1. Create a sub-account user

      You can create a sub-account user through the console or an API.

      • Log in to the CAM console and enter the User List page to create a user. For detailed directions, see Creating Sub-user.
      • Create a sub-user and configure permissions for them by calling the AddUser API with an access key. For more information, see AddUser.

      (Optional) Step 2. Create a custom permission policy

      1. On the Policies page in the CAM console, search for a target policy by policy name in the search box in the top-right corner.
      2. If the permission policy does not exist, you need to customize one. For detailed directions, see Creating Custom Policy.

      Step 3. Assign the permission policy to the sub-account

      • On the Policies page in the CAM console, find the target permission policy and associate it with the target sub-account. For detailed directions, see Authorization Management.
      • On the User List page in the CAM console, find the target sub-account and associate them with the target policy. For detailed directions, see Authorization Management.

      References

      Logging in to console

      You can let your team members use a sub-account to log in to the Tencent Cloud console and access TencentDB for MongoDB. For detailed directions, see Logging in to Console with Sub-account.

      Modifying sub-account

      You can view and modify the information of a sub-account as instructed in User Information.

      Deleting sub-account

      You can revoke or delete the operation permissions of a sub-account as instructed in Deleting Sub-Users.

      Granting Permission Policy Across Tencent Cloud Accounts

      Background

      Company A activates TencentDB for MongoDB and wants company B to have part of the permissions of its TencentDB for MongoDB operations, such as monitoring, instance read/write, and slow query operation. Company B wants to have a sub-account to take care of such businesses. In this case, company A can authorize the root account of company B to access TencentDB for MongoDB resources through a role. For the specific concept and use cases of role, see Role Overview.

      Directions

      Step 1. Company A creates a role for company B

      1. Log in to the CAM console and go to the Roles page.
      2. Click Create Role. In the Select role entity window, select Tencent Cloud Account
      3. On the Create Custom Role page, create a role.
        a. On the Enter role entity info page, select Other root account as Tencent Cloud account, enter the root account of company B as Account ID, set other parameters as prompted, and click Next.
        b. On the Configure role policy page, select the target policy and click Next.
        c. On the Review page, enter a role name such as DevOpsRole in the Role Name box, review the selected policy, and click Done.

      Step 2. Company B grants a sub-account the permission to assume the role

      1. On the Policies page in the CAM console, click Create Custom Policy.

      2. In the Select Policy Creation Method window, select Create by Policy Syntax.

      3. On the Create by Policy Syntax page, create a policy.
        a. In the Select a template type section, select Blank Template and click Next.
        b. On the Edit Policy page, enter a policy name such as sts:AssumeRole in the Policy Name input box.
        c. In Policy Content, set the policy content according to the policy syntax and click Done as follows:

        {
"version": "2.0",
"statement": [
{
    "effect": "allow",
    "action": ["name/sts:AssumeRole"],
    "resource": ["qcs::cam::uin/12345:RoleName/DevOpsRole"]
}
]
}

      4. Return to the Policies page, find the created custom policy, and click Associate Users/Groups in the Operation column.

      5. Associate the custom policy with the sub-account of company B and click OK.

      Step 3. Company B uses the sub-account to access Tencent Cloud resources through the role

      1. Log in to the console with the sub-account of company B and select Switch Role in the profile photo drop-down list.
      2. On the role switch page, enter the root account of company A and role name to switch to the role of company A.

      References

      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      tencent
      Copyright © 2013-2022 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy