CAM-based Access Control

Last updated: 2019-10-24 15:17:24


LVB supports permission control via CAM (Cloud Access Management), which lets you manage your LVB domain names, configurations, and account information. You can create, manage, or terminate users and user groups and grant different API access permissions to each of them, which gives you identity management and policy control.

When using CAM, you can associate a policy with a user or user group to allow or forbid them to use specified resources to complete specified tasks.

Basic Concepts

  • Root account: It is a registered Tencent Cloud account.
  • Sub-user: It is created and fully owned by a root account.
  • Collaborator: It has the identity of a root account. After it is added as a collaborator of the current root account, it becomes one of the sub-accounts of the current root account.
  • User group: It is created for users with the same functions and can be associated with a policy for centralized authorization management.

For more information on the definitions and permission, see CAM Users.

Directions

Step 1. Create a user/user group

One or more users with specific roles and policies can be created under one root account. A sub-user has its own ID and identity credential that can be used to log in to the Tencent Cloud Console for configuration, and it also has API access permission. To create a user, log in to the Tencent Cloud Console and go to CAM.


For more information, see CAM Sub-users and User Groups.

Step 2. Add a policy to a user/user group

You can add policies and authorize users/user groups on the User/User Group Management and Policy Management pages. For more information, see Authorization Management.

  • Method 1: Go to the User/User Group page, select a user/user group, click Authorize in the "Operation" column, select the corresponding LVB policy, and click OK.

  • Method 2: Go to the Policy page, select the policy to be added, click Bind User/Group, select the user/user group, and click OK.

Policies that can be added include:

  1. Preset policy: Click "Policy" on the left sidebar to enter the Policy page, where you can query all current policies. LVB preset policies include QcloudLIVEFullAccess (read/write policy) and QcloudLIVEReadOnlyAccess (read-only policy).
  2. Custom policy: Go to the Policy page, click Create Custom Policy, and select Create by policy generator. For more information, see Custom Policies.

Example:
If you need to grant a user the permission to use the certificate adding API only for the specified domain name, follow the steps below:

  1. Create a domain name-level policy that allows access to the API and go to the Create by policy generator page.
  2. Fill in the statement: select Allow for Effect, LVB for Service, and DescribeLiveDomain for Action, and enter the domain name to be authorized in the Resource text box. The resource syntax is:
    qcs::${ApiModule}:${Region}:uin/:domain/${DomainName}
    Here:
    • ${ApiModule} is "live".
    • ${Region} is "ap-guangzhou".
    • uin is the account to be authorized. If it is left empty, the current account is authorized.
    • ${DomainName} is the domain name to be authorized.
    Click Add Statement > Next > Create Policy to generate the policy; for the domain name cloud.tencent.com the resource is qcs::live:ap-guangzhou::domain/cloud.tencent.com. Once generated, the policy can be associated with users/user groups by either of the two methods above.

If you need to grant a sub-user the permission to use the API for all domain names, enter * in the Resource text box.
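The following is an added example, not part of the original page or of the CAM product: it builds the domain-level policy document described above in CAM's JSON policy syntax (version "2.0", with statement/effect/action/resource keys), builds the all-domains variant with * as the resource, and runs both through a small, simplified evaluator to show which calls each one admits. The resource string follows the page's qcs::${ApiModule}:${Region}:uin/:domain/${DomainName} template; the helper names, the explicit-deny-wins rule, and the sample domain names are assumptions for illustration and are not CAM's own evaluation engine.

```python
import json
from fnmatch import fnmatchcase


def live_domain_resource(domain, region="ap-guangzhou", uin=""):
    """Build a qcs resource string for one LVB domain.

    Assumed layout, following the page's template
    qcs::${ApiModule}:${Region}:uin/:domain/${DomainName}: an empty uin
    authorizes the current account (qcs::live:ap-guangzhou::domain/...).
    """
    account = f"uin/{uin}" if uin else ""
    return f"qcs::live:{region}:{account}:domain/{domain}"


def build_policy(resource, action="live:DescribeLiveDomain", effect="allow"):
    """Return a single-statement CAM policy document in the 2.0 syntax.

    Pass live_domain_resource(...) for a domain-level policy, or "*" to
    cover all domain names (the "enter * in the Resource text box" case).
    """
    return {
        "version": "2.0",
        "statement": [
            {"effect": effect, "action": [action], "resource": [resource]},
        ],
    }


def render(policy):
    """Serialize the policy as it would be pasted into the policy editor."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified evaluator (an assumption, not CAM's real engine):

    - a statement matches when both an action pattern and a resource
      pattern match (shell-style wildcards, so "*" matches everything);
    - any matching deny wins immediately;
    - with no matching statement the default is deny.
    """
    allowed = False
    for stmt in policy["statement"]:
        action_hit = any(fnmatchcase(action, p) for p in _as_list(stmt["action"]))
        resource_hit = any(fnmatchcase(resource, p) for p in _as_list(stmt["resource"]))
        if action_hit and resource_hit:
            if stmt["effect"] == "deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample: one domain-level policy, one all-domains policy.
    scoped = build_policy(live_domain_resource("cloud.tencent.com"))
    everything = build_policy("*")
    print(render(scoped))
    for policy_name, policy in (("scoped", scoped), ("all domains", everything)):
        for domain in ("cloud.tencent.com", "other.example.com"):
            verdict = is_allowed(policy, "live:DescribeLiveDomain", live_domain_resource(domain))
            print(f"{policy_name:12} {domain:20} -> {'allow' if verdict else 'deny'}")
```

The scoped policy admits DescribeLiveDomain only for cloud.tencent.com and nothing for any other domain or any other action, which is the least-privilege shape the page recommends; the * policy admits the same action for every domain. A deny statement in the same document overrides an allow that would otherwise match, which is the usual way to carve one domain out of a broad grant.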

Step 3. Use a sub-account

You can use a sub-account identity (sub-account ID and password created by the root account) to call the authorized APIs (such as the "domain name list querying API") to get the corresponding LVB information (such as all domain names under the account).