Using a Role

Last updated: 2019-05-10 09:54:17


You can use roles by calling CAM APIs in Tencent Cloud. The following example shows how to call the API to use roles.

For example, Company A wants to outsource its OPS Engineer position to Company B. The person who works on this position at Company B requires full access to all resources in Company A's CVM located in Guangzhou.

Company A's enterprise account CompanyExampleA (ownerUin: 12345) creates a role and sets Company B's enterprise account CompanyExampleB (ownerUin: 67890) as the role entity. CompanyExampleA then calls the API CreateRole to create a role named DevOpsRole and gives permissions to DevOpsRole. For more information, see Creating a role using API.

After being granted the role, CompanyExampleB wants its sub-account DevB to do this job. So CompanyExampleB authorizes DevB to assume DevOpsRole which is owned by CompanyExampleA. For more information, see Assigning Role Policy to a Sub-Account.

After creating the role, granting permissions to the role and assigning the role assuming policy to the sub-account, sub-account DevB can use the role.

  1. Call the API AssumeRole to apply for temporary credentials for the role DevOpsRole. Input parameters are as follows:
  2. The API is successfully called and the following result is returned:
     {
         "credentials": {
             "sessionToken": "5e776c4216ff4d31a7c74fe194a978a3ff2a42864",
             "tmpSecretId": "AKIDcAZnqgar9ByWq6m7ucIn8LNEuY2MkPCl",
             "tmpSecretKey": "VpxrX0IMCpHXWL0Wr3KQNCqJix1uhMqD"
         },
         "expiredTime": 1506433269,
         "expiration": "2018-09-26T13:41:09Z"
     }
  3. After DevB obtains the role's temporary credentials, it can perform operations within the scope of the role's permissions for as long as the credentials are valid. For example, if the role is allowed to view the CVM list via the API, DevB calls DescribeInstances with the values of SecretId and SecretKey replaced by tmpSecretId and tmpSecretKey, and sets the Token common parameter to the value of sessionToken. CompanyExampleB can also apply for the role's temporary credentials to work with CompanyExampleA's resources.

Note: If CompanyExampleA wants to terminate the authorization to CompanyExampleB, it can delete the role DevOpsRole.
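The following added example (not from the original page or from Tencent Cloud's SDK) shows how the AssumeRole response above is turned into the common parameters of a DescribeInstances call: the temporary key pair replaces SecretId/SecretKey, sessionToken goes into Token, and the caller checks expiredTime before reuse. The v1 HmacSHA1 signing scheme, the host cvm.api.qcloud.com, the path /v2/index.php and the region ap-guangzhou are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed sample: the AssumeRole response body quoted on this page, parsed as a dict.
ASSUME_ROLE_RESPONSE = {
    "credentials": {
        "sessionToken": "5e776c4216ff4d31a7c74fe194a978a3ff2a42864",
        "tmpSecretId": "AKIDcAZnqgar9ByWq6m7ucIn8LNEuY2MkPCl",
        "tmpSecretKey": "VpxrX0IMCpHXWL0Wr3KQNCqJix1uhMqD",
    },
    "expiredTime": 1506433269,
    "expiration": "2018-09-26T13:41:09Z",
}


def credentials_usable(resp, now, margin=60):
    """True while the temporary credentials are at least `margin` seconds from expiry.
    Once this returns False the caller must call AssumeRole again; the old key pair
    is not refreshable and must not be cached past expiredTime."""
    return resp["expiredTime"] - now > margin


def build_signed_query(resp, action, region, host, path, timestamp, nonce):
    """Build common parameters for a v1-style (HmacSHA1) API call with role credentials:
    SecretId := tmpSecretId, Token := sessionToken. tmpSecretKey only signs the request
    and never appears in the query string (assumed signing scheme, see lead-in)."""
    creds = resp["credentials"]
    params = {
        "Action": action,
        "Region": region,
        "Timestamp": timestamp,
        "Nonce": nonce,
        "SecretId": creds["tmpSecretId"],
        "Token": creds["sessionToken"],
        "SignatureMethod": "HmacSHA1",
    }
    # Canonical string: parameters sorted by key, joined as k=v&..., prefixed by
    # method + host + path + "?" (values are not URL-encoded at this stage).
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    src = f"GET{host}{path}?{canonical}"
    digest = hmac.new(creds["tmpSecretKey"].encode(), src.encode(), hashlib.sha1).digest()
    params["Signature"] = base64.b64encode(digest).decode()
    return params, "https://" + host + path + "?" + urllib.parse.urlencode(params)
```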