Introduction
If you have purchased different Tencent Cloud resources, you can use tags to group the resources for easy management. You can grant different sub-accounts management permissions by tags so that they can manage resources separately. This document takes a use case as an example to describe how to grant a sub-account the permission to manage separate Tencent Cloud resources by using tags.
Prerequisites
Suppose that:
- The enterprise account
CompanyExample
has two sub-accounts DevA
and DevB
.
- The ID of sub-account
DevA
is 12345
.
- The ID of sub-account
DevB
is 67890
.
- The enterprise account
CompanyExample
has two CVM instances whose IDs are ins-1
and ins-2
respectively.
- The enterprise account
CompanyExample
has two tag keys (test1
and test2
) and two tag values (test1
and test2
).
Directions
Tagging CVM instances
You can add tag keys and tag values to CVM instances ins-1
and ins-2
with the following steps to manage resources by tag.
Adding test1
tag key and test1
tag value to CVM instance ins-1
- Log in to the Tag Console, set the following filters to filter out the target CVM instance, and click Query Resource.
- Resource Type: type of the resource to be queried. Only products supporting tags can be queried. For more information, please see Products That Support Tags. In this example, select CVM instance.
- Region: region of the resource to be queried. In this example, select Beijing.
- Select the target CVM instance from the filtered results. In this example, we select CVM instance
ins-1
.
- Click Edit Tag Value.
- In the pop-up window, select the tag key and enter the tag value. In this example, the tag key and value are both
test1
.
- Click OK to add
test1
tag key and test1
tag value to CVM instance ins-1
.
Adding test2
tag key and test2
tag value to CVM instance ins-2
- Log in to the Tag Console, set the following filters to filter out the target CVM instance, and click Query Resource.
- Resource Type: type of the resource to be queried. Only products supporting tags can be queried. For more information, please see Products That Support Tags. In this example, we select CVM instance.
- Region: region of the resource to be queried. In this example, we select Beijing.
- Select the target CVM instance from the filtered results. In this example, we select CVM instance
ins-2
.
- Click Edit Tag Value.
- In the pop-up window, select the tag key and enter the tag value. In this example, the tag key and value are both
test2
.
- Click OK to add
test2
tag key and test2
tag value to CVM instance ins-2
.
Authorizing user by tag
You can grant sub-account DevA
management permission for tag key test1
and tag value test1
and grant sub-account DevB
tmanagement permission for tag key test2
and tag value test2
. They will then be able to manage tagged resources accordingly.
Granting sub-account DevA
management permission for tag key test1
and tag value test1
- Log in to the CAM Console and click Create Custom Policy in the top-left corner.
- In the creation method selection window that pops up, click Authorize by Tag to enter the authorization by tag page.
- Select the following information and click Next.
- Authorize User/User Group: check the user/user group to be authorized. In this example,
12345
is selected, which is the ID of sub-account DevA
.
- Tag Key: select the tag key to be authorized. In this example, we select tag key
test1
.
- Tag Value: select the tag value to be authorized. In this example, we select tag value
test1
.
- Resources: the management permission is granted by default.
- On the verification page, enter the policy name, verify the policy content, and click Done to grant sub-account
DevA
management permission for tag key test1
and tag value test1
.
Granting sub-account DevB
management permission for tag key test2
and tag value test2
- Log in to the CAM Console and click Create Custom Policy in the top-left corner.
- In the creation method selection window that pops up, click Authorize by Tag to enter the authorization by tag page.
- Select the following information and click Next.
- Authorize User/User Group: check the user/user group to be authorized. In this example,
67890
is selected, which is the ID of sub-account DevB
.
- Tag Key: select the tag key to be authorized. In this example, we select tag key
test2
.
- Tag Value: select the tag value to be authorized. In this example, we select tag value
test2
.
- Resources: the management permission is granted by default.
- On the verification page, enter the policy name, verify the policy content, and click Done to grant sub-account
DevB
management permission for tag key test2
and tag value test2
.
Managing new resources
Follow the instructions in Tagging CVM Instances to add tag keys and tag values to manage new resources.
Was this page helpful?