Cloud Access Management

Authorization by Tag

Last updated: 2025-08-11 15:25:21

Overview

This document describes how to grant permissions by tag so that the sub-user cvmtest01 can use resource-level API permissions only on ins-duglsqg0. For details, see Overview.

Policy Content

To grant permissions by tag as needed, you can use the following policy content:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cvm:*",
                "vpc:DescribeVpcEx",
                "vpc:DescribeNetworkInterfaces"
            ],
            "resource": "*",
            "condition": {
                "for_any_value:string_equal": {
                    "qcs:resource_tag": [
                        "game&webpage"
                    ]
                }
            }
        }
    ]
}
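An added example (not part of Tencent Cloud's documentation or tooling): a simplified local model of how the policy above limits `cvm:*` on resource `*` to tagged resources, plus a check that flags an allow-on-`*` statement whose tag condition is missing. The matching semantics, the function names, and the sample actions and tags are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Policy copied from this page so the example runs offline.
POLICY = json.loads("""
{"version": "2.0", "statement": [{
  "effect": "allow",
  "action": ["cvm:*", "vpc:DescribeVpcEx", "vpc:DescribeNetworkInterfaces"],
  "resource": "*",
  "condition": {"for_any_value:string_equal":
                {"qcs:resource_tag": ["game&webpage"]}}}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def tag_values(stmt):
    """qcs:resource_tag values a statement requires, [] if it has none."""
    cond = stmt.get("condition", {}).get("for_any_value:string_equal", {})
    return _as_list(cond.get("qcs:resource_tag", []))

def is_allowed(policy, action, resource_tags):
    """Simplified model (an assumption, not CAM's evaluator): an allow
    statement applies when the action matches one of its patterns and at
    least one "key&value" tag on the resource equals a policy value."""
    have = {f"{k}&{v}" for k, v in resource_tags.items()}
    for stmt in policy["statement"]:
        if stmt.get("effect") != "allow":
            continue
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["action"])):
            continue
        if "condition" not in stmt:
            return True   # unconditional allow: nothing narrows the grant
        if have & set(tag_values(stmt)):
            return True   # at least one resource tag matches the policy
    return False          # no statement applies: not allowed

def unscoped_wildcards(policy):
    """Indexes of allow statements on resource "*" with no tag condition."""
    return [i for i, s in enumerate(policy["statement"])
            if s.get("effect") == "allow"
            and "*" in _as_list(s.get("resource"))
            and not tag_values(s)]

if __name__ == "__main__":
    # Constructed sample tags: matching value, wrong value, untagged resource.
    for tags in ({"game": "webpage"}, {"game": "api"}, {}):
        print(tags, is_allowed(POLICY, "cvm:RebootInstances", tags))
    print("unscoped allow statements:", unscoped_wildcards(POLICY))
```

In this model the tag condition is the only thing narrowing `cvm:*` on `"resource": "*"`, so a copy of the policy with the `condition` block removed is reported by `unscoped_wildcards`.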

Directions

Step 1: Create a policy and configure permissions

1. Log in to the CAM console with the admin account. On the Policies page, create a custom policy by tag as instructed in Creating Custom Policy > Authorizing by tag.
   Authorized user: cvmtest01
   Bound tag: game:webpage (tag key game, tag value webpage, written as game&webpage in the policy's qcs:resource_tag condition)
   Operation permissions: All CVM operation permissions and the DescribeVpcEx and DescribeNetworkInterfaces permissions of VPC. If you are not sure what other APIs are involved, see Authorization by Resource ID > Step 3.
2. Click Next and enter a policy name.
3. Click Save.

Step 2: Verify the result

1. Log in to the CVM console as the sub-user cvmtest01 and open the instance list page. The sub-user cvmtest01 can now start, shut down, restart, rename, and reset the password of the CVM instance.


