
Authorizing Sub-account Read-only Access to CVM-related Resources

Last updated: 2019-05-10 10:57:40


Granting a sub-account read-only permission for CVM resources

The sub-account Developer under the enterprise account CompanyExample (ownerUin is 12345678) requires query permission for CVM instances and for the related resources (VPC and CLB) of the CVM service under the enterprise account CompanyExample. The sub-account must not be allowed to create, delete, start, or stop CVM instances.

Solution A:

The enterprise account CompanyExample directly grants the preset policy QcloudCVMReadOnlyAccess to the sub-account Developer. For more information on authorization, see Authorization Management.

Solution B:

Step 1: Create the following policy using policy syntax:

{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "cvm:Describe*",
                "cvm:Inquiry*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "action": [
                "vpc:Describe*",
                "vpc:Inquiry*",
                "vpc:Get*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "action": [
                "clb:Describe*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "effect": "allow",
            "action": "monitor:*",
            "resource": "*"
        }
    ]
}

Step 2: Grant the policy to the sub-account. For more information on authorization, see Authorization Management.
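Before granting the Step 1 policy, it can be checked locally that it really is query-only. The following is an added example, not part of the original documentation or of any Tencent Cloud tool: it evaluates sample action names against the policy and lists allow patterns that are not limited to the Describe/Inquiry/Get prefixes. It assumes plain glob matching of action names and ignores the resource field (every statement uses "*"); the function names and sample action names are illustrative.

```python
import json
from fnmatch import fnmatchcase

# Policy from Step 1 of the page, condensed onto fewer lines.
POLICY = json.loads("""
{"version": "2.0", "statement": [
  {"action": ["cvm:Describe*", "cvm:Inquiry*"], "resource": "*", "effect": "allow"},
  {"action": ["vpc:Describe*", "vpc:Inquiry*", "vpc:Get*"], "resource": "*", "effect": "allow"},
  {"action": ["clb:Describe*"], "resource": "*", "effect": "allow"},
  {"effect": "allow", "action": "monitor:*", "resource": "*"}
]}
""")

# Verb prefixes that the page's policy uses for query actions.
READ_ONLY_PREFIXES = ("Describe", "Inquiry", "Get")

# Constructed sample action names (not taken from the page).
SAMPLE_ACTIONS = ["cvm:DescribeInstances", "cvm:RunInstances",
                  "cvm:TerminateInstances", "cvm:StartInstances",
                  "cvm:StopInstances", "vpc:DescribeVpcs"]


def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action):
    """Assumed evaluation: explicit deny wins, then allow, else implicit deny."""
    allowed = False
    for statement in policy["statement"]:
        if any(fnmatchcase(action, p) for p in as_list(statement["action"])):
            if statement["effect"] == "deny":
                return False
            allowed = True
    return allowed


def broad_patterns(policy):
    """Return allow patterns whose action name lacks a read-only prefix."""
    found = []
    for statement in policy["statement"]:
        if statement["effect"] != "allow":
            continue
        for pattern in as_list(statement["action"]):
            name = pattern.partition(":")[2]
            if not name.startswith(READ_ONLY_PREFIXES):
                found.append(pattern)
    return found


if __name__ == "__main__":
    for action in SAMPLE_ACTIONS:
        print(action, "->", "allow" if is_allowed(POLICY, action) else "deny")
    print("Patterns wider than read-only:", broad_patterns(POLICY))
```

On the page's policy the only pattern reported is monitor:*, which allows every action of the monitor service rather than only queries.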