To manage permissions for TDMQ for CKafka (CKafka) resources at a fine granularity, you can use Cloud Access Management (CAM), which provides the following capabilities:
User and permission assignment: Based on the enterprise organizational structure, create separate users or roles for members of different functional departments and issue them dedicated security credentials (such as a console login password and cloud API keys) or temporary credentials, so that access to CKafka resources is authenticated and controlled.
Fine-grained permission control: Attach differentiated access policies according to each employee's responsibilities, so that the operations each user or role may perform and the resources it may reach are precisely scoped, giving strict permission isolation.
Account System Introduction
The capability differences between account types and the reference documentation are as follows:
| | Root Account | Sub-user | Collaborator | Message Recipient |
| --- | --- | --- | --- | --- |
| Definition | Owns all Tencent Cloud resources under the account and can access any of them. | Created by the root account and fully owned by the root account that created it. | Has its own root account identity. When added as a collaborator of another root account, it becomes one of that account's sub-accounts; it can switch back to its own root account identity. | Can only receive messages. |
| Console access | ✔ | ✔ | ✔ | - |
| Programmatic access | ✔ | ✔ | ✔ | - |
| Policy authorization | Owns all policies by default. | ✔ | ✔ | - |
| Message notification | ✔ | ✔ | ✔ | ✔ |
| Reference documentation | | | | |
Note:
To protect your Tencent Cloud account and the resources under it, avoid operating resources with the root account directly unless there is no alternative. Instead, create sub-accounts, attach policies to them following the principle of least privilege, and use those limited-permission sub-accounts for day-to-day operations on your cloud resources.
Policies
A policy is a syntax rule that defines and describes one or more permissions. By default, the root account can access every resource under it, while its sub-accounts can access none of them until a policy says otherwise.
The root account grants users or user groups permission to view and use specific resources by associating policies with them. Tencent Cloud policies are divided into preset policies and custom policies.
Preset Policies
CKafka provides two preset policies for sub-accounts:
| Policy name | Description |
| --- | --- |
| QcloudCKafkaFullAccess | Full read/write access, which allows the sub-account to perform read and write operations on CKafka in the product console. |
| QcloudCkafkaReadOnlyAccess | Read-only access, which allows the sub-account to view CKafka information in the console only. |
Custom Policies
If the preset policies do not meet your requirements, you can create a custom policy to achieve least privilege. A custom policy can be scoped precisely along the API (action), resource, user/user group, allow/deny effect, and condition dimensions. Custom policies are the means of fine-grained permission control and an effective way to tighten resource access security.
Currently, Tencent Cloud provides the following two flexible custom policy creation methods to meet different usage habits and requirements:
Visual view: Wizard-based operations are provided. Users can select elements such as cloud services, operations, resources, and conditions on pages without needing to understand the policy syntax. The system automatically generates policies, lowering the barrier to use.
JSON view: After you select a policy template, you can edit the policy content based on specific requirements. You can also directly write JSON-formatted policy content in the editor. This method is suitable for users with a specific technical background.
Custom Policy Example
In the following example, the sub-account with UIN 1000*****002 is granted permission, via both the console and the API, to obtain instance specification configurations, query instance version information, and query messages for the instance ckafka-test in the Guangzhou region:
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "ckafka:DescribeCkafkaTypeConfigs",
        "ckafka:DescribeCkafkaVersion",
        "ckafka:FetchMessageByOffset"
      ],
      "resource": [
        "qcs::ckafka:ap-guangzhou:uin/1000*****002:ckafkaId/ckafka-test"
      ]
    }
  ]
}
```
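A practitioner reviewing a policy like the one above usually wants to answer two questions before attaching it: which requests does it actually allow, and does it grant more than the statement's intent? The following is an added example, not code from the CKafka documentation or from Tencent Cloud. It is a simplified offline evaluator of CAM policy documents that models the documented decision rules (a request is allowed only if an allow statement matches it and no deny statement does; `*` wildcards are honoured in action names and in each segment of the six-part `qcs::service:region:account:resource` string) plus a small least-privilege lint. Condition keys, which CAM also supports, are not modelled, and the UIN 100000000001 and the extra deny statement are constructed for the demonstration.

```python
"""Offline evaluator and lint for Tencent Cloud CAM policy documents.

Added example, not Tencent Cloud code. It models the documented CAM
decision rule in simplified form: an explicit "deny" wins over any "allow",
and a request that no statement matches is implicitly denied. Condition
keys are not modelled (assumption made for brevity).
"""
import fnmatch
import json

# The page's policy, with a constructed UIN (the page masks it) and a
# constructed deny statement appended so the precedence rule is exercised.
POLICY_JSON = r'''
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "ckafka:DescribeCkafkaTypeConfigs",
        "ckafka:DescribeCkafkaVersion",
        "ckafka:FetchMessageByOffset"
      ],
      "resource": [
        "qcs::ckafka:ap-guangzhou:uin/100000000001:ckafkaId/ckafka-test"
      ]
    },
    {
      "effect": "deny",
      "action": "ckafka:FetchMessageByOffset",
      "resource": "qcs::ckafka:ap-guangzhou:uin/100000000001:ckafkaId/*"
    }
  ]
}
'''
POLICY = json.loads(POLICY_JSON)

# A deliberately over-broad policy (constructed) for the lint to flag.
WIDE_POLICY = {
    "version": "2.0",
    "statement": [{"effect": "allow", "action": "ckafka:*", "resource": "*"}],
}

INSTANCE = "qcs::ckafka:ap-guangzhou:uin/100000000001:ckafkaId/ckafka-test"


def _as_list(value):
    """CAM allows "action" and "resource" to be a string or a list."""
    return [value] if isinstance(value, str) else list(value)


def _match_action(pattern, action):
    """Action patterns are "service:Api" with optional '*' wildcards."""
    return fnmatch.fnmatchcase(action, pattern)


def _match_resource(pattern, resource):
    """Match a six-segment qcs string segment by segment; "*" matches all."""
    if pattern == "*":
        return True
    p_parts = pattern.split(":", 5)
    r_parts = resource.split(":", 5)
    if len(p_parts) != 6 or len(r_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(r, p) for p, r in zip(p_parts, r_parts))


def evaluate(policy, action, resource):
    """Return "allow", "deny" (explicit) or "implicit-deny" for one request."""
    decision = "implicit-deny"
    for stmt in policy["statement"]:
        action_hit = any(_match_action(a, action) for a in _as_list(stmt["action"]))
        resource_hit = any(_match_resource(r, resource) for r in _as_list(stmt["resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["effect"].lower() == "deny":
            return "deny"          # explicit deny overrides any allow
        decision = "allow"
    return decision


def lint_policy(policy):
    """Flag allow statements whose action or resource contains a wildcard."""
    findings = []
    for i, stmt in enumerate(policy["statement"]):
        if stmt["effect"].lower() != "allow":
            continue
        if any("*" in a for a in _as_list(stmt["action"])):
            findings.append(f"statement {i}: wildcard action grants more than named APIs")
        if any("*" in r for r in _as_list(stmt["resource"])):
            findings.append(f"statement {i}: wildcard resource is not scoped to one instance")
    return findings


if __name__ == "__main__":
    for api in ("ckafka:DescribeCkafkaVersion", "ckafka:FetchMessageByOffset", "ckafka:CreateTopic"):
        print(api, "->", evaluate(POLICY, api, INSTANCE))
    print("lint:", lint_policy(WIDE_POLICY))
```

Running the script shows `DescribeCkafkaVersion` allowed, `FetchMessageByOffset` explicitly denied even though the first statement allows it, and an unlisted API implicitly denied; the lint reports both the `ckafka:*` action and the `*` resource of the wide policy, which is the kind of finding to resolve before the policy is attached to a sub-account.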
Sub-account Authorization Operations
When a sub-account uses CKafka, it needs permissions in two areas:
| Permission | Description |
| --- | --- |
| Permissions to access other cloud products | Using CKafka also requires access to resources of other cloud products, such as Virtual Private Cloud (VPC) and Cloud Virtual Machine (CVM). For example, the sub-account needs to view the availability zone (AZ) that the user's subnet belongs to. |
| Read/write permissions for CKafka resources | Read and/or write permissions for the CKafka resources themselves, granted through the preset or custom policies described above. |
Documentation
- Understand the relationship between policies and users.
- Understand the basic structure of a policy.
- Understand which other products support CAM.