This document describes how to create a role via the CAM Console or CAM APIs. After being created, the role can manage resources under the root account within the scope of permissions.
1. Log in to the CAM Console and go to the Roles page.
2. Identity Provider refers to the identity providers you have created. Choose one of them as the role entity.
3. (Optional) In the Console Access area, you can configure whether the role is allowed to log in to the Tencent Cloud Console. By default, a role can access Tencent Cloud programmatically (via API).
4. (Optional) In the Conditions area, you can manage the conditions to be met before the identity provider can use the role.
Supported conditions are listed below:
- saml:aud: recipient. The URL of the endpoint to which the SAML assertion is submitted. The value of this key comes from the SAML Recipient field in the assertion, not the Audience field.
- saml:iss: issuer (URN). The value of this key comes from the SAML Issuer field in the assertion.
- saml:sub: external account ID. This is the subject of the statement and contains a value that uniquely identifies a user within the organization. The value of this key comes from the SAML NameID field in the assertion.
- saml:sub_type: external user type. The value of this key comes from the Format attribute of the SAML NameID field in the assertion.
5. For permission configuration, select the policies you want to grant the role from the policy list.
6. Enter a name for the role. You can also enter a description of the role in Description.
7. Review the information and click Done to complete the creation.
You can create a role using CAM APIs in Tencent Cloud. Here we explain the process with a typical use case.
For example, Company A wants to outsource its OPS Engineer position to Company B. The person taking this position needs access to all of Company A's CVM resources in the Guangzhou region.
Company A's enterprise account CompanyExampleA (ownerUin: 12345) creates a role and sets the role entity to Company B's enterprise account CompanyExampleB (ownerUin: 67890).
CompanyExampleA (ownerUin: 12345) calls the CreateRole API to create a role with DevOpsRole as the roleName. The policyDocument parameter (the role trust policy) is configured as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": "name/sts:AssumeRole",
            "effect": "allow",
            "principal": {
                "qcs": ["qcs::cam::uin/67890:root"]
            }
        }
    ]
}
CompanyExampleA (ownerUin: 12345) needs to add permissions to the new role.
(1) CompanyExampleA (ownerUin: 12345) creates a new policy, DevOpsPolicy, with the following policy syntax:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "cvm:*",
            "resource": "qcs::cvm:ap-guangzhou::*"
        }
    ]
}
(2) CompanyExampleA (ownerUin: 12345) calls AttachRolePolicy to associate the new policy with the role DevOpsRole. Input parameters: policyName=DevOpsPolicy, roleName=DevOpsRole.
At this point, Company A's enterprise account CompanyExampleA (ownerUin: 12345) has created a new role and granted permissions to the role.
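The walkthrough above is three API calls and two policy documents. The following Python is an added example, not Tencent Cloud's own code or SDK: it builds the trust policy and the permission policy from the scenario, lists the calls in the order the page describes, and, before anything is submitted, checks that the trust policy names only the account you meant to trust and that the permission policy stays scoped to the intended region. The parameter names roleName, policyDocument and policyName follow the page's wording and are assumed here rather than verified against a particular SDK version.

```python
import json

# Added example (not Tencent Cloud's own code). Parameter names (roleName,
# policyDocument, policyName) follow the page's wording and are assumed.


def build_trust_policy(trusted_uins):
    """Trust policy for CreateRole: which root accounts may call sts:AssumeRole."""
    return {
        "version": "2.0",
        "statement": [{
            "action": "name/sts:AssumeRole",
            "effect": "allow",
            "principal": {"qcs": [f"qcs::cam::uin/{uin}:root" for uin in trusted_uins]},
        }],
    }


def build_permission_policy(action, resource):
    """Permission policy to attach to the role (single allow statement)."""
    return {
        "version": "2.0",
        "statement": [{"effect": "allow", "action": action, "resource": resource}],
    }


def trusted_principals(trust_policy):
    """Root-account UINs that an allow/AssumeRole statement lets assume the role."""
    uins = set()
    for stmt in trust_policy["statement"]:
        if stmt.get("effect") != "allow":
            continue
        if stmt.get("action") not in ("name/sts:AssumeRole", "sts:AssumeRole"):
            continue
        for qcs in stmt.get("principal", {}).get("qcs", []):
            # "qcs::cam::uin/67890:root" -> "67890"
            uins.add(qcs.split("uin/")[1].split(":")[0])
    return uins


def unexpected_principals(trust_policy, expected_uins):
    """Accounts the trust policy grants beyond the ones you meant to trust."""
    return trusted_principals(trust_policy) - set(expected_uins)


def resources_outside_region(permission_policy, region):
    """Resource strings whose region field is not the expected one.

    "qcs::cvm:ap-guangzhou::*" splits on ':' into
    ['qcs', '', 'cvm', 'ap-guangzhou', '', '*']; index 3 is the region. An
    empty region field means the statement is not limited to one region."""
    bad = []
    for stmt in permission_policy["statement"]:
        res = stmt["resource"]
        for r in (res if isinstance(res, list) else [res]):
            parts = r.split(":")
            if len(parts) < 4 or parts[3] != region:
                bad.append(r)
    return bad


def role_setup_requests(trusted_uin, role_name, policy_name, region):
    """The three calls from the walkthrough as (API name, parameters), in call order."""
    trust = build_trust_policy([trusted_uin])
    perm = build_permission_policy("cvm:*", f"qcs::cvm:{region}::*")
    return [
        ("CreateRole", {"roleName": role_name, "policyDocument": json.dumps(trust)}),
        ("CreatePolicy", {"policyName": policy_name, "policyDocument": json.dumps(perm)}),
        ("AttachRolePolicy", {"policyName": policy_name, "roleName": role_name}),
    ]


if __name__ == "__main__":
    # Values from the page's scenario: Company A (12345) trusts Company B (67890).
    for api, params in role_setup_requests("67890", "DevOpsRole", "DevOpsPolicy", "ap-guangzhou"):
        print(api, params)
    trust = build_trust_policy(["67890"])
    print("unexpected principals:", unexpected_principals(trust, ["67890"]))
```

The two checks are the ones worth running in a pipeline: a second UIN slipping into the trust policy widens who can assume the role, and a permission policy whose resource reads qcs::cvm:::* is no longer limited to Guangzhou even though the action list looks the same.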
You need to create a SAML identity provider in CAM before you can create a role for it. For more information on how to create a SAML identity provider, see Creating SAML IdP.
Prepare a trust policy for the role to be created.
The fields in a trust policy are specified as follows:
- action: defines the API for which SAML Federation is allowed to use the role. Use sts:AssumeRoleWithSAML.
- principal: defines the identity provider that is allowed to use the role. Use {"federated": [ IdPArn ]}, where IdPArn is a string such as "qcs::cam::uin/10001:saml-provider/idp_name".
- condition: defines the conditions to be met before an identity provider can use the role. {"StringEquals": {"SAML:aud": "https://intl.cloud.tencent.com/login/saml"}} is used by default, specifying that only identity providers whose SAML Federation endpoint is Tencent Cloud are allowed to use this role.
Sample trust policy:
{
    "version": "2.0",
    "statement": [
        {
            "action": "name/sts:AssumeRoleWithSAML",
            "effect": "allow",
            "principal": {
                "federated": [
                    "qcs::cam::uin/10001:saml-provider/idp_name"
                ]
            },
            "condition": {
                "string_equal": {
                    "saml:aud": "https://intl.cloud.tencent.com/login/saml"
                }
            }
        }
    ]
}
Prepare permission policies for the role to be created. For more information on permission policies, see Policy.
Call the cam:CreateRole API to create a role for the identity provider.
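To make the trust policy's condition concrete, here is an added Python model (not Tencent Cloud's own evaluation logic) of how the sample trust policy gates sts:AssumeRoleWithSAML. It uses the saml:aud, saml:iss, saml:sub and saml:sub_type condition keys listed earlier on this page, and it also goes one step beyond the sample by narrowing a role to particular NameIDs with a saml:sub condition. Only the string_equal operator from the sample is modelled; treating any other operator as not satisfied, and comparing key names case-insensitively (the page writes both "SAML:aud" and "saml:aud"), are assumptions made here. The IdP ARN is the page's sample value; the assertion values are constructed.

```python
# Added example (not Tencent Cloud's own code). Models string_equal only;
# other operators are assumed not satisfied so the check fails closed, and
# key names are compared case-insensitively (an assumption).

TENCENT_SAML_ENDPOINT = "https://intl.cloud.tencent.com/login/saml"


def build_saml_trust_policy(idp_arn, extra_conditions=None):
    """Trust policy with the default saml:aud condition plus optional extra keys."""
    condition = {"saml:aud": TENCENT_SAML_ENDPOINT}
    if extra_conditions:
        condition.update(extra_conditions)
    return {
        "version": "2.0",
        "statement": [{
            "action": "name/sts:AssumeRoleWithSAML",
            "effect": "allow",
            "principal": {"federated": [idp_arn]},
            "condition": {"string_equal": condition},
        }],
    }


def _lower_keys(mapping):
    return {k.lower(): v for k, v in mapping.items()}


def condition_satisfied(condition, assertion_keys):
    """True when every string_equal key matches the value taken from the assertion."""
    present = _lower_keys(assertion_keys)
    for operator, pairs in condition.items():
        if operator.lower() not in ("string_equal", "stringequals"):
            return False  # unmodelled operator: assumed not satisfied
        for key, expected in _lower_keys(pairs).items():
            allowed = expected if isinstance(expected, list) else [expected]
            if present.get(key) not in allowed:
                return False
    return True


def can_assume_with_saml(trust_policy, idp_arn, assertion_keys):
    """Does any allow statement let this IdP assume the role with these keys?"""
    for stmt in trust_policy["statement"]:
        if stmt.get("effect") != "allow":
            continue
        if stmt.get("action") not in ("name/sts:AssumeRoleWithSAML", "sts:AssumeRoleWithSAML"):
            continue
        if idp_arn not in stmt.get("principal", {}).get("federated", []):
            continue
        if condition_satisfied(stmt.get("condition", {}), assertion_keys):
            return True
    return False


# IdP ARN from the page's sample; the assertion values below are constructed.
IDP_ARN = "qcs::cam::uin/10001:saml-provider/idp_name"
SAMPLE_ASSERTION_KEYS = {
    "saml:aud": TENCENT_SAML_ENDPOINT,                # from the Recipient field
    "saml:iss": "https://idp.example.com/metadata",   # Issuer (constructed)
    "saml:sub": "alice@example.com",                  # NameID (constructed)
    "saml:sub_type": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}


if __name__ == "__main__":
    default_policy = build_saml_trust_policy(IDP_ARN)
    print(can_assume_with_saml(default_policy, IDP_ARN, SAMPLE_ASSERTION_KEYS))
    # Same IdP, but the assertion names a different recipient endpoint: denied.
    other_aud = dict(SAMPLE_ASSERTION_KEYS, **{"saml:aud": "https://other.example/login"})
    print(can_assume_with_saml(default_policy, IDP_ARN, other_aud))
    # Narrow the role to one NameID by adding a saml:sub condition.
    narrowed = build_saml_trust_policy(IDP_ARN, {"saml:sub": ["alice@example.com"]})
    other_user = dict(SAMPLE_ASSERTION_KEYS, **{"saml:sub": "bob@example.com"})
    print(can_assume_with_saml(narrowed, IDP_ARN, other_user))
```

The default saml:aud condition means an assertion addressed to any other recipient endpoint cannot assume the role even when it comes from the trusted IdP; adding saml:sub or saml:iss keys is how you tighten the role from "anyone this IdP vouches for" to specific subjects or a specific issuer.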