
Last updated: 2024-01-09 14:49:39

    Basic CAM Concepts

    The root account authorizes sub-accounts by associating policies with them. A policy can be scoped at the level of API, resource, user/user group, allow/deny, and condition.

    Account

    Root account: It owns all Tencent Cloud resources and can access any of its resources.
    Sub-account: It includes sub-users and collaborators.
    Sub-user: It is created and fully owned by a root account.
    Collaborator: A collaborator is itself a root account. After it is added as a collaborator of the current root account, it becomes one of the current root account's sub-accounts and can switch back to its own root account identity.
    Identity credential: It includes login credentials and access certificates. Login credential refers to a user's login name and password. Access certificate refers to Tencent Cloud API keys (SecretId and SecretKey).

    Resource and permission

    Resource: An object that is operated in Tencent Cloud services, such as a CVM instance, a COS bucket, or a VPC instance.
    Permission: It is an authorization that allows or forbids users to perform certain operations. By default, a root account has full access to all resources under it, while a sub-account does not have access to any resources under its root account.
    Policy: It is a syntax rule that defines and describes one or more permissions. The root account performs authorization by associating policies with users/user groups.

    Relevant Documents

    Understand the relationship between policies and users
    Understand the basic structure of policies
    Check CAM-enabled products

    Sample CAM Policy

    Full access policy for CKafka

    Grant a sub-user full access (including resource creation and management) to the CKafka service.
    {
      "version": "2.0",
      "statement": [
        {
          "action": [
            "name/ckafka:*",
            "name/monitor:GetMonitorData"
          ],
          "resource": "*",
          "effect": "allow"
        }
      ]
    }
    You can also attach the preset full-access policy instead of writing a custom one:
    1. Log in to the CAM console.
    2. Click Policies on the left sidebar.
    3. In the policy list, click Create Custom Policy.
    4. In the Select Policy Creation Method pop-up window, select Create by Policy Syntax.
    5. In Template Type, search for CKafka, select QcloudCKafkaFullAccess (full access to CKafka), and click Next.
    6. Click Complete.

    Read-only policy for a CKafka instance

    1. Create a policy with the Policy Generator and grant permission for listing operations and product monitoring.
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "allow",
          "action": [
            "name/ckafka:ListInstance",
            "name/monitor:GetMonitorData"
          ],
          "resource": [
            "*"
          ]
        }
      ]
    }
    2. Grant read-only access to the specified instance.
    Note:
    List* APIs don't support authorization at the resource level, which is why the listing statement above uses "*" as its resource; the Get* APIs below are scoped to a single instance.
    {
      "version": "2.0",
      "statement": [
        {
          "effect": "allow",
          "action": [
            "name/monitor:GetMonitorData",
            "name/ckafka:Get*"
          ],
          "resource": [
            "qcs::ckafka:gz::ckafkaId/uin/$createUin/$instanceId"
          ]
        }
      ]
    }
    You can also attach the preset read-only policy instead of writing a custom one:
    1. Log in to the CAM console.
    2. Click Policies on the left sidebar.
    3. In the policy list, click Create Custom Policy.
    4. In the Select Policy Creation Method pop-up window, select Create by Policy Syntax.
    5. In Template Type, search for CKafka, select QcloudCkafkaReadOnlyAccess (read-only access to CKafka), and click Next.
    6. Click Complete.
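    Before attaching either policy, it is worth checking what each one actually grants. The following Python evaluator is an added example, not Tencent Cloud's own code or SDK: it applies glob-style matching to the two sample policies above and reports which requests the full-access policy grants that the read-only policy does not. It assumes an explicit deny overrides allow and that unmatched requests are denied; the uin, the instance ids and the GetInstanceInfo/DeleteInstance action names are constructed placeholders.

```python
import fnmatch
import json

# Constructed values standing in for the page's $createUin / $instanceId.
INSTANCE = "qcs::ckafka:gz::ckafkaId/uin/100000000001/ckafka-abcd1234"
OTHER_INSTANCE = "qcs::ckafka:gz::ckafkaId/uin/100000000001/ckafka-zzzz9999"

# The page's two sample policies, reproduced as policy documents.
FULL_ACCESS = json.loads("""{"version": "2.0", "statement": [
  {"action": ["name/ckafka:*", "name/monitor:GetMonitorData"],
   "resource": "*", "effect": "allow"}]}""")

READ_ONLY = json.loads("""{"version": "2.0", "statement": [
  {"effect": "allow",
   "action": ["name/ckafka:ListInstance", "name/monitor:GetMonitorData"],
   "resource": ["*"]},
  {"effect": "allow",
   "action": ["name/monitor:GetMonitorData", "name/ckafka:Get*"],
   "resource": ["%s"]}]}""" % INSTANCE)

# GetInstanceInfo / DeleteInstance are constructed action names (not from the page).
SAMPLE_REQUESTS = [
    ("name/ckafka:ListInstance", OTHER_INSTANCE),
    ("name/ckafka:GetInstanceInfo", INSTANCE),
    ("name/ckafka:GetInstanceInfo", OTHER_INSTANCE),
    ("name/ckafka:DeleteInstance", INSTANCE),
]


def _as_list(value):
    # CAM accepts either a single string or a list for action/resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # Assumption: CAM wildcards behave like shell globs ("*" matches any run).
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    # Assumptions: explicit deny beats allow; unmatched requests are denied.
    decision = False
    for stmt in policy["statement"]:
        if _matches(stmt["action"], action) and _matches(stmt["resource"], resource):
            if stmt["effect"] == "deny":
                return False
            decision = True
    return decision


def privilege_gap(wide, narrow, requests):
    # Requests the wider policy grants that the narrower one does not.
    return {r for r in requests if is_allowed(wide, *r) and not is_allowed(narrow, *r)}
```

    Running privilege_gap(FULL_ACCESS, READ_ONLY, SAMPLE_REQUESTS) shows that the read-only policy withholds the write action and any Get* call against an instance other than the one named in its resource string.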