CAM Access Authorization

Last updated: 2020-06-30 15:22:59

    Overview

    Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you securely manage and control access to your Tencent Cloud resources. With CAM you can create, manage, and delete users and user groups, and use identity and policy management to control who can access and use which resources. For more information on CAM policies and how they are written, see Policy.

    The root account can grant sub-accounts or collaborators permission to access specific Cloud Log Service (CLS) resources. For the actions and resources that can be referenced in a policy, see Action List and Resource List.

    • Grant each account only the minimum permissions it needs.
    • Actions whose names begin with list are all-or-nothing: a user who holds such an action sees every matching resource, not a subset. For example, a user with the listTopic action on a logset sees every log topic in that logset, while a user without it sees none. The resource scope of a list action therefore controls which container (for example, which logset) can be listed, not which entries appear in the list.

    Example

    Console scenario: all permissions for CLS

    Description: the root account (UIN: 123456789) grants sub-accounts or collaborators full permission to access and operate logs in the Cloud Log Service console. This policy allows every CLS action on every resource and should be reserved for administrators.

    The CAM authorization policy is as follows:

    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "cls:*"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }

    Console scenario: read-only permission for logsets and log topics

    Description: the root account (UIN: 123456789) grants sub-accounts or collaborators permission to perform the following operations on the Cloud Log Service Console:

    • View the root account logset list.
    • View basic information and the log topic list of the logset (abcd0000-abcd-abcd-abcd-abcd11110000) in the Shanghai region.
    • View basic information of the log topic (123e4567-e89b-12d3-a456-426655440000) in the current logset, including collection, index, and shipping configurations and shipping task lists.

    The CAM authorization policy is as follows:

    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "cls:listLogset"
                ],
                "resource": [
                    "qcs::cls:ap-shanghai:uin/123456789:logset/*"
                ]
            },
            {
                "effect": "allow",
                "action": [
                    "cls:list*",
                    "cls:get*"
                ],
                "resource": [
                    "qcs::cls:ap-shanghai:uin/123456789:logset/abcd0000-abcd-abcd-abcd-abcd11110000",
                    "qcs::cls:ap-shanghai:uin/123456789:topic/123e4567-e89b-12d3-a456-426655440000"
                ]
            }
        ]
    }
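    The policy above reads naturally, but it is worth checking what it actually decides for concrete requests. The following Python evaluator is an added example for this page, not Tencent Cloud's own code. It models the documented decision rules for version 2.0 policies (every statement is considered, an explicit deny overrides any allow, and a request matching no statement is denied) and embeds the read-only policy above as input. Case-insensitive action matching, "*" wildcards in actions and in the six-segment qcs resource string, and treating an empty policy segment as "any" are assumptions of this example.

```python
"""Evaluate a CAM-style policy against (action, resource) requests.

Added example for this page, not Tencent Cloud's own code. It models the
documented CAM decision rules for version 2.0 policies: every statement is
considered, an explicit "deny" overrides any "allow", and a request that
matches no statement is denied. Case-insensitive action matching, "*"
wildcards in actions and in the six-segment qcs resource string, and the
treatment of an empty policy segment as "any" are this example's assumptions.
"""
import fnmatch
import json

# The read-only policy from this page (constructed from the example above).
READ_ONLY_POLICY = json.loads("""
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": ["cls:listLogset"],
            "resource": ["qcs::cls:ap-shanghai:uin/123456789:logset/*"]
        },
        {
            "effect": "allow",
            "action": ["cls:list*", "cls:get*"],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:logset/abcd0000-abcd-abcd-abcd-abcd11110000",
                "qcs::cls:ap-shanghai:uin/123456789:topic/123e4567-e89b-12d3-a456-426655440000"
            ]
        }
    ]
}
""")

# Full access minus deletion: shows that an explicit deny wins over "cls:*".
ADMIN_NO_DELETE_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": ["cls:*"], "resource": "*"},
        {"effect": "deny", "action": ["cls:delete*"], "resource": "*"},
    ],
}


def _as_list(value):
    # CAM accepts a single string or a list for "action" and "resource".
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern, action):
    # "cls:get*" matches "cls:getTopic"; "cls:*" matches every CLS action.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def resource_matches(pattern, resource):
    # Six-segment form: qcs:project_id:service_type:region:account:resource
    if pattern == "*":
        return True
    p_parts = pattern.split(":", 5)
    r_parts = resource.split(":", 5)
    if len(p_parts) != 6 or len(r_parts) != 6:
        return False
    for p, r in zip(p_parts, r_parts):
        if p in ("", "*"):                  # assumption: empty or "*" segment means "any"
            continue
        if not fnmatch.fnmatchcase(r, p):   # "logset/*" matches "logset/<id>"
            return False
    return True


def evaluate(policy, action, resource):
    """Return 'allow' or 'deny' for one request under one policy."""
    decision = "deny"                # implicit deny when no statement matches
    for stmt in policy["statement"]:
        if not any(action_matches(a, action) for a in _as_list(stmt["action"])):
            continue
        if not any(resource_matches(r, resource) for r in _as_list(stmt["resource"])):
            continue
        if stmt["effect"].lower() == "deny":
            return "deny"            # explicit deny is final
        decision = "allow"
    return decision


if __name__ == "__main__":
    topic = "qcs::cls:ap-shanghai:uin/123456789:topic/123e4567-e89b-12d3-a456-426655440000"
    other = "qcs::cls:ap-shanghai:uin/123456789:topic/ffffffff-0000-0000-0000-000000000000"
    for act, res in [("cls:getTopic", topic), ("cls:getTopic", other), ("cls:deleteTopic", topic)]:
        print(f"{act:18} {res.rsplit('/', 1)[1][:8]}...  {evaluate(READ_ONLY_POLICY, act, res)}")
    print("admin-no-delete deleteTopic:", evaluate(ADMIN_NO_DELETE_POLICY, "cls:deleteTopic", topic))
```

    Running it shows the scoping the page describes: cls:getTopic is allowed on the named topic and denied on any other topic, cls:listLogset is allowed for every logset in ap-shanghai but not in another region, and a write action such as cls:deleteTopic is denied because nothing grants it. The second policy shows why a deny statement is the safe way to carve exceptions out of a broad grant.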

    Console scenario: read-only permission for server groups (machine groups in the API)

    Description: the root account (UIN: 123456789) grants sub-accounts or collaborators permission to perform the following operations in the CLS console:

    • View the root account's server group list.
    • View information about every server group in the Shanghai region, including the server list and server status.

    The CAM authorization policy is as follows:

    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "cls:listMachineGroup",
                    "cls:getMachineGroup",
                    "cls:getMachineStatus"
                ],
                "resource": [
                    "qcs::cls:ap-shanghai:uin/123456789:machinegroup/*"
                ]
            }
        ]
    }

    Console scenario: permission for searching logs

    Description: the root account (UIN: 123456789) grants sub-accounts or collaborators permission to search the log topic (123e4567-e89b-12d3-a456-426655440000) in the Shanghai logset (abcd0000-abcd-abcd-abcd-abcd11110000) of the root account in the CLS console.

    The CAM authorization policy is as follows:

    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "cls:listLogset"
                ],
                "resource": [
                    "qcs::cls:ap-shanghai:uin/123456789:logset/*"
                ]
            },
            {
                "effect": "allow",
                "action": [
                    "cls:listTopic"
                ],
                "resource": [
                    "qcs::cls:ap-shanghai:uin/123456789:logset/abcd0000-abcd-abcd-abcd-abcd11110000"
                ]
            },
            {
                "effect": "allow",
                "action": [
                    "cls:searchLog"
                ],
                "resource": [
                    "qcs::cls:ap-shanghai:uin/123456789:logset/abcd0000-abcd-abcd-abcd-abcd11110000",
                    "qcs::cls:ap-shanghai:uin/123456789:topic/123e4567-e89b-12d3-a456-426655440000"
                ]
            }
        ]
    }

    Console scenario: permission for viewing log topic shipping tasks

    Description: the root account (UIN: 123456789) grants sub-accounts or collaborators permission to view the shipping task (1234abcd-0000-0000-0000-1234abcd0000) in the log topic (123e4567-e89b-12d3-a456-426655440000) in the Shanghai logset (abcd0000-abcd-abcd-abcd-abcd11110000) of the root account on the CLS Console.

    The CAM authorization policy is as follows:

    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "cls:listLogset"
                ],
                "resource": [
                    "qcs::cls:ap-shanghai:uin/123456789:logset/*"
                ]
            },
            {
                "effect": "allow",
                "action": [
                    "cls:listTopic"
                ],
                "resource": [
                    "qcs::cls:ap-shanghai:uin/123456789:logset/abcd0000-abcd-abcd-abcd-abcd11110000"
                ]
            },
            {
                "effect": "allow",
                "action": [
                    "cls:listShipper"
                ],
                "resource": [
                    "qcs::cls:ap-shanghai:uin/123456789:topic/123e4567-e89b-12d3-a456-426655440000"
                ]
            },
            {
                "effect": "allow",
                "action": [
                    "cls:listShipperTask"
                ],
                "resource": [
                    "qcs::cls:ap-shanghai:uin/123456789:shipper/1234abcd-0000-0000-0000-1234abcd0000"
                ]
            }
        ]
    }

    API scenario: write and download permission for log topics

    Description: the root account (UIN: 123456789) grants sub-accounts or collaborators permission to perform the following operations through the API:

    • Write log data to the log topic (123e4567-e89b-12d3-a456-426655440000) of the root account (cls:pushLog).
    • Download log data from the same log topic (cls:getCursor to obtain a read position, then cls:downloadLog).

    The CAM authorization policy is as follows:

    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "cls:getCursor",
                    "cls:downloadLog",
                    "cls:pushLog"
                ],
                "resource": [
                    "qcs::cls:ap-shanghai:uin/123456789:topic/123e4567-e89b-12d3-a456-426655440000"
                ]
            }
        ]
    }
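    Before attaching a policy such as the one above, it is worth checking it mechanically against the least-privilege advice at the top of this page. The following linter is an added example for this page, not Tencent Cloud's own tooling. It flags a bare "*" resource, a service-wide cls:* action, a malformed six-segment qcs resource string, and a resource owned by a root account other than the one expected, and it embeds the API-scenario policy above as input. The read-verb list used to classify an action as mutating is this example's own heuristic, not a CAM category.

```python
"""Lint a CAM policy for least-privilege problems before attaching it.

Added example for this page, not Tencent Cloud's own tooling. It turns the
advice above (grant only the permissions an account needs) into mechanical
checks: a bare "*" resource, a service-wide "cls:*" action, a malformed
six-segment qcs resource string, or a resource that belongs to a root
account other than the one expected. The read-verb list used to classify
an action as mutating is this example's own heuristic, not a CAM category.
"""
import re

# qcs:project_id:service_type:region:account:resource
QCS_RE = re.compile(r"^qcs:[^:]*:[^:]*:[^:]*:[^:]*:.+$")
READ_VERBS = ("list", "get", "search", "download")  # assumption: everything else writes


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def is_mutating(action):
    """Heuristic: an action whose verb is not a read verb is treated as a write."""
    verb = action.split(":", 1)[-1].lower()
    return not verb.startswith(READ_VERBS)


def lint_policy(policy, expected_uin):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if policy.get("version") != "2.0":
        findings.append("policy version must be '2.0'")
    for i, stmt in enumerate(policy.get("statement", [])):
        where = f"statement[{i}]"
        effect = str(stmt.get("effect", "")).lower()
        if effect not in ("allow", "deny"):
            findings.append(f"{where}: effect must be 'allow' or 'deny'")
            continue
        if effect == "deny":
            continue  # a deny statement only narrows access
        actions = _as_list(stmt.get("action", []))
        resources = _as_list(stmt.get("resource", []))
        for a in actions:
            if a in ("*", "cls:*"):
                findings.append(f"{where}: service-wide action {a!r}; list the actions actually needed")
            elif is_mutating(a) and "*" in resources:
                findings.append(f"{where}: write action {a!r} granted on every resource")
        for r in resources:
            if r == "*":
                findings.append(f"{where}: resource '*' covers all resources in all regions")
                continue
            if not QCS_RE.match(r):
                findings.append(f"{where}: malformed resource {r!r}")
                continue
            account = r.split(":", 5)[4]
            if account not in ("", "*", f"uin/{expected_uin}"):
                findings.append(f"{where}: resource is owned by {account}, expected uin/{expected_uin}")
    return findings


# Constructed from the API-scenario policy above.
API_WRITE_DOWNLOAD_POLICY = {
    "version": "2.0",
    "statement": [{
        "effect": "allow",
        "action": ["cls:getCursor", "cls:downloadLog", "cls:pushLog"],
        "resource": ["qcs::cls:ap-shanghai:uin/123456789:topic/123e4567-e89b-12d3-a456-426655440000"],
    }],
}

# Constructed from the all-permissions policy at the top of the page.
ALL_PERMISSIONS_POLICY = {
    "version": "2.0",
    "statement": [{"action": ["cls:*"], "resource": "*", "effect": "allow"}],
}

if __name__ == "__main__":
    for name, policy in [("api", API_WRITE_DOWNLOAD_POLICY), ("all", ALL_PERMISSIONS_POLICY)]:
        for f in lint_policy(policy, "123456789") or ["clean"]:
            print(f"{name}: {f}")
```

    The API-scenario policy comes back clean for UIN 123456789, and reports one finding if the expected UIN differs, which catches a policy copied from another account. The all-permissions policy produces two findings, one for cls:* and one for the "*" resource, which is the expected result for an administrator policy and a red flag for anyone else.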
