You can create a custom policy, select the products and operations you need, and associate the policy with the user. After association, your sub-account will be able to manage the resources under the root account within the scope of permissions you set.
For more information on how to change a sub-user’s password, please see Resetting Login Passwords for Sub-Users. For more information on how to change a collaborator’s password, please see Account Password.
The read-only policy (ReadOnlyAccess) only covers read APIs of Tencent Cloud products where the authorization granularity is operation level or resource level. If you access service-level products or the write APIs of operation-level/resource-level products, the prompt for no access will be displayed. For the authorization granularity of Tencent Cloud products, please see CAM-Enabled Products.
Resources purchased by the sub-account are owned by the root account.
Fees incurred by the sub-account will be deducted from the balance of the root account.
Some of Tencent Cloud products are still in beta, and a few products do not support CAM yet. See CAM-Enabled Products to check whether and at what granularity you can manage permissions of a product in CAM.
If you want to use CAM to manage permissions of a product in beta, please submit a ticket.
You can implement fine-grained permissions management by using tags.
The following example describes how to allow a sub-account to view only part of the resources:
The enterprise account CompanyExample (ownerUin: 12345678) has a sub-account Developer. CompanyExample wants to allow the sub-account to view only part of its resources in the console.
For example, to allow the sub-account to view in the Console two CVM instances whose ID is ins-xxx1 and ins-xxx2 in the gz region:
{
"version": "2.0",
"statement": [
{
"action": [
"cvm:DescribeInstances"
],
"resource": ["qcs::cvm:gz::instance/ins-xxx1",
"qcs::cvm:gz::instance/ins-xxx2"
],
"effect": "allow"
}
]
}You can also grant the sub-account a wider permission, such as full access. To grant the sub-account full access to CVM instances in the Guangzhou region, create the following policy:
{
"version": "2.0",
"statement": [
{
"action": [
"cvm:*"
],
"resource": "qcs::cvm:gz::*",
"effect": "allow"
}
]
}The products that support read-only permission at the resource level include CVM, TencentDB for MySQL, and TKE.
Currently, other products do not support granting read-only access to specific resources. A sub-account either has the permission to view all the resources or has no permission to view any.
You can go to Roles in the CAM console, click the name of the desired role to go to the role detail page, and query in the Role Info area.
An API key is an important identity credential for making Tencent Cloud API requests. You can use APIs to manage resources under your Tencent Cloud account. For the security of your assets and services, store your keys safely and change them regularly.
The API key is the access key. For more information on how to view the root account API key, please see Root Account Access Key. For more information on how to view the sub-account API Key, please see Access Key.
| Service | Limiting Access via IP |
|---|---|
| TKE - CI | ✔ |
| TKE - Cluster | ✔ |
| CLB | ✔ |
| COS | ✔ |
| Dayu Anti-DDoS - Anti-DDoS Advanced | ✔ |
Was this page helpful?