- Product Introduction
- Purchase Guide
- User Guide
- Best Practices
- Business Use Cases
- TencentDB for MySQL Cases
- CLB Cases
- CMQ Cases
- COS Cases
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM Cases
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC Cases
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD Cases
- Other Cases
- API Documentation
- Introduction
- API Category
- Making API Requests
- Policy APIs
- Role APIs
- DeleteRolePermissionsBoundary
- CreateServiceLinkedRole
- AttachRolePolicy
- DescribeSafeAuthFlag
- DeleteServiceLinkedRole
- CreateRole
- DeleteRole
- DescribeRoleList
- DetachRolePolicy
- GetServiceLinkedRoleDeletionStatus
- GetRole
- PutRolePermissionsBoundary
- ListAttachedRolePolicies
- UpdateAssumeRolePolicy
- UpdateRoleConsoleLogin
- UpdateRoleDescription
- Identity Provider APIs
- User APIs
- STS APIs
- Data Types(STS)
- Data Types(CAM)
- Error Codes
- FAQs
- Glossary
- Product Introduction
- Purchase Guide
- User Guide
- Best Practices
- Business Use Cases
- TencentDB for MySQL Cases
- CLB Cases
- CMQ Cases
- COS Cases
- Authorizing Sub-account Full Access to COS Resources under the Account
- Authorizing Sub-account Full Access to Specific Directory
- Authorizing Sub-account Read-only Access to Files in Specific Directory
- Authorizing Sub-account Read/Write Access to Specific File
- Authorizing Sub-account Read-only Access to COS Resources
- Authorizing a Sub-account Read/Write Access to All Files in Specified Directory Except Specified Files
- Authorizing Sub-account Read/Write Access to Files with Specified Prefix
- Authorizing Another Account Read/Write Access to Specific Files
- Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File
- CVM Cases
- Authorizing Sub-account Full Access to CVMs
- Authorizing Sub-account Read-only Access to CVMs
- Authorizing Sub-account Read-only Access to CVM-related Resources
- Authorizing Sub-account Access to Perform Operations on CBSs
- Authorizing Sub-account Access to Perform Operations on Security Groups
- Authorizing Sub-account Access to Perform Operations on EIPs
- Authorizing Sub-account Access to Perform Operations on Specific CVM
- Authorizing Sub-account Access to Perform Operations on CVMs in Specific Region
- Authorizing Sub-account Full Access to CVMs Except Payment
- VPC Cases
- Authorizing Sub-account Read-only Access to VPCs
- Authorizing Sub-account Access to Perform Operations on Specific VPC and Resources of This VPC
- Authorizing Sub-account Access to Perform Operations on VPC Except on Routing Table
- Authorizing Sub-account Access to Perform Operations on VPN
- Authorizing Sub-account Full Access to VPCs
- Authorizing a Sub-account Full Access to VPCs Except Payment
- VOD Cases
- Other Cases
- API Documentation
- Introduction
- API Category
- Making API Requests
- Policy APIs
- Role APIs
- DeleteRolePermissionsBoundary
- CreateServiceLinkedRole
- AttachRolePolicy
- DescribeSafeAuthFlag
- DeleteServiceLinkedRole
- CreateRole
- DeleteRole
- DescribeRoleList
- DetachRolePolicy
- GetServiceLinkedRoleDeletionStatus
- GetRole
- PutRolePermissionsBoundary
- ListAttachedRolePolicies
- UpdateAssumeRolePolicy
- UpdateRoleConsoleLogin
- UpdateRoleDescription
- Identity Provider APIs
- User APIs
- STS APIs
- Data Types(STS)
- Data Types(CAM)
- Error Codes
- FAQs
- Glossary
Introduction
This document describes how to create a policy to resolve a fault by referencing the fault report. After the fault is resolved, the sub-account will be able to manage the resources of the root account within the scope of the newly configured permissions.
Example
When a sub-account associated with the QcloudCVMReadOnlyAccess policy attempts to reinstall a CVM instance, the following error will be reported:
If you want to authorize the sub-account to proceed with this operation, you can reference this error message to create and associate a custom policy.
Directions
- Login to the CAM Console and go to Policies. Click Create Custom Policy.
- In the selection window that pops up, click Create by Policy Generator.
- Fill in the following information in the Select Service and Action page. See the following image for reference:
- Effect (required): select whether or not the action is allowed. In this example, select Allow.
- Service (required): select the product based on the abbreviation to authorize. In this example, it is CVM corresponding to
cvmin theoperationfield of the error message.- Action (required): select the action to authorize. In this example, select ResetInstance corresponding to the
operationfield of the error message.- Resource (required): enter the resource description in the six-segment format. In this example, copy and enter
qcs:id/1158313:cvm:ap-guangzhou:uin/2159973417:instance/instance/ins-esuithv2corresponding to theresourcefield of the error message.- Condition (optional): set the conditions that must be met for the permission to take effect, such as a specified access IP. In this example, leave it empty.
- Click Add Statement > Next to enter the policy editor page.
- You can set the policy name, add remarks, and confirm the policy content on this page. The policy name and content are automatically generated by the console.
- The policy name is
policygensuffixed with the creation time by default, which is customizable. - The policy content corresponds to the service and actions selected in step 3. You can modify them as needed.
- The policy name is
- Click Create Policy to complete the creation of custom policy by using the policy generator.
- Authorize the sub-account as instructed in Authorization Management. After authorization, the sub-account will be granted the needed permission, and the fault will be resolved.
Was this page helpful?