Creating a policy based on fault reports
Last updated: 2019-12-03 14:47:52PDF
This document describes how to resolve faults by referencing the fault reports to create a policy. After the fault is resolved, the sub-account will be able to manage the resources of the root account within the scope of the newly configured permissions.
When a sub-account associated with the QcloudCVMReadOnlyAccess policy attempts to reinstall a CVM, the following error is reported:
If you want to authorize the sub-account to proceed with this operation, you can reference this error information to create and associate a custom policy.
- Login to the CAM Console and go to Policies. Click Create Custom Policy.
- Click Create by Policy Generator.
- Fill in the following information in the Select Service and Action page. See the following image for reference:
- Effect (required): Select whether or not the action is allowed. In this example, select Allow.
- Service (required): Select the product to authorize the permission for. In this example, it will be CVM referenced in the operation field of the error.
- Action (required): Select the action. In this example, select ResetInstance as referenced in the operation field of the error.
- Resource (required): Enter the resource description in the six-part format. In this example, copy and enter qcs:id/1158313:cvm:ap-guangzhou:uin/2159973417:instance/instance/ins-esuithv2 as seen in the error.
- Condition (optional): Set the conditions that are required for the permissions to be effective, such as a specified access IP. This is left blank for this example.
- Click Add Statement>Next to go to the policy editor page.
- In the policy editor page, you can edit the policy name and add notes. Verify the policy content. The policy name and content are automatically generated by the console.
- The policy name is
policygenby default. The suffix number is generated based on the creation date. This is customizable.
- The content of the policy corresponds to the service and action selected in Step 3. You can modify this according to your business needs.
- The policy name is
- Click Create Policy to complete the creation of the custom policy by using the policy generator.
- For more information on sub-account authorizations, see Authorization Management. After authorization, the sub-account will be granted the needed permissions, resolving the fault.