The root account authorizes sub-accounts by binding policies. The policy setting can be specific to the level of API, Resource, User/User Group, Allow/Deny, and Condition.
Click here to view more CAM documents >>
Document Description | Link |
---|---|
Relationship between policy and user | Policy Management |
Basic policy structure | Policy Syntax |
More CAM-compatible products | List of Tencent Cloud CAM-compatible Products |
Granting a sub-user full permission to manage CKafka services (creating, managing, etc.).
{
"version": "2.0",
"statement": [
{
"action": [
"name/ckafka:*",
"name/monitor:GetMonitorData"
],
"resource": "*",
"effect": "allow"
}
]
}
You can also configure the system’s full read/write policy to support this permission.
Create a policy with the Policy Generator and grant permission for lists and product monitoring.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"name/ckafka:ListInstance",
"name/monitor:GetMonitorData"
],
"resource": [
"*"
]
}
]
}
Grant read-only permission for a single instance.
Note:
List* API does not support authentication at the resource level.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"name/monitor:GetMonitorData",
"name/ckafka:Get*"
],
"resource": [
"qcs::ckafka:gz::ckafkaId/uin/$createUin/$instanceId"
]
}
]
}
You can also configure the system’s read-only policy to support this permission.
Was this page helpful?