tencent cloud

Taking the example of specifying a user to have Write permission of Consume Message and Consume Messages in Batch for CMQ queue model, this document will demonstrate how to set CMQ permissions. The CAM permission management capability of CMQ is currently under a gray release. You can contact our technical support for help.

Note:
Before CAM is released, both the original collaborator account and sub-account can be used to log in to CMQ console, and the resource list for root account can be obtained (i.e. the list API permission. The root account key is used originally). After CAM is connected, sub-accounts do not have the permission to get the resource list for root accounts by default (the sub-account key is used for the console login), and sub-accounts can only have access to the list with the authorization by root accounts via CAM.

The operation performed in the Console is shown below:

Ⅰ. Creating a User

1. Visit the Users and Permissions Console and click "Create user".

2. If the user needs to log in to Tencent Cloud console or call Cloud APIs, you need to select "Allow login to Tencent Cloud", and fill in "QQ Number" as login credential.
   Note:
   We recommend that you use a QQ account not used for registration in Tencent Cloud for the sub-account (you don't need to top up for sub-accounts, as the CMQ charges will be deducted from the main account)
   Apply for a free QQ account >>
   

3. Associate policies for the user (policies specify the permissions, so the user can have the permissions which the policies specify when associating with the policies).
   

4. In the "User Management" list, you can view the sub-users you just added.
   

Ⅱ. Creating a Custom Policy

We can create a custom policy to enable the permissions of a specific API, for example, to specify the write permission of a specific CMQ Queue (Consume Message, Consume Messages in Batch).

1. Configure the service type and check "Queue Model".
   

2. Specify a specific API.
   

3. Specify a resource object.
   In the example, we specify the policy and use all of the existing and new Queues under the root account (including those created by the sub-account) as the associated objects.
   Note:
   Sub-accounts do not have the list API permission of CMQ by default (when you log in to CMQ console, you cannot see a list of specific resources in the console. You can consider whether to add the list permission for sub-accounts according to your actual needs)
   

Ⅲ. Associating with a Sub-user

Associate the created policy to a sub-user so that the sub-user will have the permissions of Consume Message and Consume Messages in Batch for all the Queue resources under the sub-user.

Ⅳ. Sub-user Login

After login with the sub-account, if you cannot find the corresponding resource, click in the upper right corner of the console to switch the developer account of collaborator.