
Sub-Account Access Key Management

Last updated: 2025-04-29 10:29:09
Note:
To reduce the risk of key exposure, the function to query the SecretKey of all root accounts and sub-accounts is closed as of November 30, 2023. The SecretKey can only be saved at the time of creation, so store it securely when you create the key.

Operation Scenarios

Access keys, also known as API keys, are the security credentials required to verify a user's identity when accessing Tencent Cloud APIs. An access key consists of a SecretId and a SecretKey. A user who does not have an API key must create one in the API key management system; otherwise, they will be unable to call cloud APIs.
This document describes how to create, enable/disable and delete API keys as well as view API key information for sub-users and collaborators.
Note:
SecretId: Used to identify an API caller, similar to a username. A SecretId has a uniform prefix "IKID".
SecretKey: Used to verify the identity of an API caller, similar to a password.

Prerequisites

Log in to the CAM Console and go to User List. Find the sub-user or collaborator that needs to be configured and click Username to enter the user details page.

Directions

Creating an API Key for a Sub-Account

You can create an API key for a sub-user/collaborator. After the API key is created, the sub-user/collaborator can use APIs, SDKs, or other development tools to manage the resources under the root account within the scope of the configured permissions.
1. On the user details page, click API Keys to enter the API key management page.
2. On the API key management page, click Create Key.

3. The Create SecretKey pop-up window displays the key you have created. Store your SecretId and SecretKey securely. As of November 30, 2023, the SecretKey is provided only when the key is created and cannot be queried afterward.

Note:
Each sub-user/collaborator can have at most two API keys.
An API key is an important credential for creating Tencent Cloud API requests. For the security of your assets and services, please keep the keys private, change them regularly, and delete old keys promptly after creating new ones.

Viewing a Sub-Account API Key

You can view and copy the SecretId of a sub-user's/collaborator's API key. The sub-user/collaborator can use APIs, SDKs, or other development tools through SecretId and SecretKey within their permissions to manage resources under the root account.
1. On the user details page, click API Keys to enter the API key management page.
2. On the API key management page, perform the following operations to view and copy the SecretId of the API key. An API key is an important credential for creating Tencent Cloud API requests. For the security of your assets and services, please keep the keys private, change them regularly, and delete old keys promptly after creating new ones.
Note:
SecretId: this can be viewed directly in the Key column. Click the copy icon to copy and save it.
SecretKey: click Show in the Key column. You will be able to view it after being authenticated. Click the copy icon to copy and save it. (To reduce the risk of key exposure, the function to query the SecretKey of all root accounts and sub-accounts is closed as of November 30, 2023. The SecretKey can only be saved at the time of creation, so store it securely when you create the key.)

Disabling/Enabling a Sub-Account API Key

You can disable an API key of a sub-user/collaborator. Please do so with caution as Tencent Cloud will block all requests that use the API key after it is disabled.
1. On the user details page, click API Key to enter the API key management page.
2. On the API key management page, click Disable in the Operation column.
3. In the confirmation window that pops up, click Confirm to disable the access key.
Note:
You can click Enable in the Operation column to enable the key. After the key is enabled, the sub-account/collaborator can use APIs, SDKs, or other development tools to manage the resources under the root account within the scope of the configured permissions.

Deleting a Sub-Account API Key

1. On the user details page, click API Key to enter the API key management page.
2. On the API key management page, click Disable in the "Operation" column. If the API key that you want to delete has already been disabled, proceed to step 4.
3. In the confirmation window that pops up, click Confirm.
4. On the API key management page, click Delete in the "Operation" column to delete the API key.
Note:
Please note that an API key cannot be recovered once deleted.

API Key Access Record Description

1. On the API Key Management page, click More Access Records in the operation column.
Note:
More Access Records: displays the latest 20 access records from the past 3 months, including both successful and failed calls. Due to the large volume of data, there may be a delay of about 1 hour.
Access records only log requests to the server. Regardless of whether a call is successful or has the necessary permissions, all attempts are recorded.

2. On the Key Access Records page on the right, view the details of key access records.

Last Access Time: displays the last time the key was used.
For more information on how to query sub-account information through the SecretId of an access key, please see Searching for Sub-users with Search Box and Searching for Collaborators with Search Box.
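The rotation guidance above (at most two keys per user, disable before delete, and access records that also log failed calls) can be turned into a repeatable review. The following is an added example, not Tencent Cloud code: the key inventory is a constructed list you would fill in from the console's Key column and Last Access Time, and the 90-day rotation interval and 7-day idle window are assumed policy values.

```python
from datetime import datetime, timedelta

MAX_KEYS = 2                  # per sub-user/collaborator, as stated on this page
MAX_AGE = timedelta(days=90)  # assumption: rotation interval
QUIET = timedelta(days=7)     # assumption: idle window before retiring a key

def plan_rotation(keys, now):
    """Return ordered (action, secret_id) steps for one user's API keys.
    Key dict: secret_id, enabled, created, last_access (None if never used)."""
    def idle(k):
        return k["last_access"] is None or now - k["last_access"] >= QUIET

    steps, remaining = [], len(keys)
    # 1. Disabled keys: delete once nothing presents them any more. Access
    #    records include failed calls, so recent activity on a disabled key
    #    means some client still has it configured.
    for k in keys:
        if not k["enabled"]:
            if idle(k):
                steps.append(("delete", k["secret_id"]))
                remaining -= 1
            else:
                steps.append(("find-caller", k["secret_id"]))
    enabled = [k for k in keys if k["enabled"]]
    stale = [k for k in enabled if now - k["created"] > MAX_AGE]
    fresh = [k for k in enabled if now - k["created"] <= MAX_AGE]
    if not stale:
        return steps
    # 2. No replacement yet: creating one needs a free slot under the limit.
    if not fresh:
        steps.append(("create" if remaining < MAX_KEYS else "blocked-no-free-slot", None))
        return steps
    # 3. Replacement exists: disable the stale key only once the replacement
    #    is in use and the stale key has gone quiet; deletion is a later run.
    in_use = any(k["last_access"] is not None for k in fresh)
    for k in stale:
        action = "disable" if in_use and idle(k) else "migrate-callers"
        steps.append((action, k["secret_id"]))
    return steps

# Constructed sample: placeholder SecretIds, not real keys.
NOW = datetime(2025, 4, 29)
SAMPLE = [
    {"secret_id": "EXAMPLE-OLD", "enabled": True,
     "created": datetime(2024, 10, 1), "last_access": datetime(2025, 3, 1)},
    {"secret_id": "EXAMPLE-NEW", "enabled": True,
     "created": datetime(2025, 4, 1), "last_access": datetime(2025, 4, 28)},
]
print(plan_rotation(SAMPLE, NOW))
```

A key that is disabled in one run becomes a deletion candidate in a later run, which matches the disable-then-delete order of the console procedure and leaves time to notice callers that were missed.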
