Creating a Policy Based on Fault Reports

Last updated: 2021-06-07 09:37:36


    This document describes how to create a policy to resolve a fault by referencing the fault report. After the fault is resolved, the sub-account will be able to manage the resources of the root account within the scope of the newly configured permissions.


    When a sub-account associated with the QcloudCVMReadOnlyAccess policy attempts to reinstall a CVM instance, the following error will be reported:

    If you want to authorize the sub-account to proceed with this operation, you can reference this error message to create and associate a custom policy.


    1. Log in to the CAM Console and go to Policies. Click Create Custom Policy.
    2. In the selection window that pops up, click Create by Policy Generator.
    3. Fill in the following information on the Select Service and Action page. See the following image for reference:
    • Effect (required): select whether or not the action is allowed. In this example, select Allow.
    • Service (required): select the product to authorize by its abbreviation. In this example, select CVM, which corresponds to cvm in the operation field of the error message.
    • Action (required): select the action to authorize. In this example, select ResetInstance, which corresponds to the operation field of the error message.
    • Resource (required): enter the resource description in the six-segment format. In this example, copy and enter qcs:id/1158313:cvm:ap-guangzhou:uin/2159973417:instance/instance/ins-esuithv2 corresponding to the resource field of the error message.
    • Condition (optional): set the conditions that must be met for the permission to take effect, such as a specified access IP. In this example, leave it empty.
    4. Click Add Statement > Next to enter the policy editor page.
    5. You can set the policy name, add remarks, and confirm the policy content on this page. The policy name and content are automatically generated by the console.
      • By default, the policy name is policygen suffixed with the creation time. You can customize it.
      • The policy content corresponds to the service and actions selected in step 3. You can modify them as needed.
    6. Click Create Policy to complete the creation of the custom policy by using the policy generator.
    7. Authorize the sub-account as instructed in Authorization Management. After authorization, the sub-account will be granted the needed permission, and the fault will be resolved.
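
The mapping in step 3, from the operation and resource fields of the error message to a single allow statement, can also be written out in CAM policy syntax. This is an added example, not code from the original page or the console: `parse_resource` and `policy_from_fault` are hypothetical helper names, the `cvm:ResetInstance` operation string and the segment labels are assumptions, and the resource value is the one shown in step 3.

```python
import json

# Labels for the six segments of a resource description (labels chosen for this example).
SEGMENTS = ("qcs", "project_id", "service_type", "region", "account", "resource")

def parse_resource(desc):
    """Split a six-segment resource description and check its shape."""
    parts = desc.split(":", 5)  # any further ':' stays in the resource segment
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError("expected six ':'-separated segments starting with 'qcs'")
    fields = dict(zip(SEGMENTS, parts))
    if not fields["service_type"] or not fields["resource"]:
        raise ValueError("service and resource segments must not be empty")
    return fields

def policy_from_fault(operation, resource):
    """Build a policy allowing exactly the denied operation on the denied resource."""
    service, sep, action = operation.partition(":")
    if not sep or not service or not action:
        raise ValueError("operation must look like '<service>:<Action>'")
    if "*" in operation or "*" in resource:
        raise ValueError("wildcards would grant more than the reported fault needs")
    fields = parse_resource(resource)
    if fields["service_type"] != service:
        raise ValueError("resource belongs to a different service than the operation")
    return {
        "version": "2.0",
        "statement": [{
            "effect": "allow",        # Effect: Allow
            "action": [operation],    # Service + Action
            "resource": [resource],   # Resource, six-segment format
        }],
    }

# Resource copied from step 3; the operation string is an assumed form.
OPERATION = "cvm:ResetInstance"
RESOURCE = "qcs:id/1158313:cvm:ap-guangzhou:uin/2159973417:instance/instance/ins-esuithv2"

if __name__ == "__main__":
    print(json.dumps(policy_from_fault(OPERATION, RESOURCE), indent=2))
```

The generated statement covers one action on one instance, so the sub-account keeps its read-only scope everywhere else.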