International
中国站
Console
PrevNext
search by keyword

Recent Pages

Documentation
Cloud Log Service
    Documentation
    Download PDF

    CAM Access Authorization

    Last updated: 2020-06-30 15:22:59
    Download PDF

      Overview

      Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you securely manage and control access permissions to your Tencent Cloud resources. Using CAM, you can create, manage, and terminate users (groups), and control who can access and use your Tencent Cloud resources through identity and policy management. For more information and uses of CAM policies, see Policy.

      The root account can grant sub-accounts or collaborators permission to access specific cloud log service resources. For more information on resources, see Action List and Resource List.

      • It is recommended to grant the minimum permission required for an account to ensure security.
      • Actions marked with list indicate that the current user can view all resources rather than only some of the resources. For example, when a user has permission for the listTopic action, all log topic lists in the current logset rather than a partial list of log topics can be displayed. Otherwise, a user without permission for the listTopic action cannot view any log topics.

      Example

      Console scenario: all permissions for CLS

      Description: the root account (UIN: 123456789) grants sub-accounts or collaborators permission to access and operate logs on the Cloud Log Service Console.

      The CAM authorization policy is as follows:

      {
    "version": "2.0",
    "statement": [
        {
            "action": [
                "cls:*"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}

      Console scenario: read-only permission for logsets and log topics

      Description: the root account (UIN: 123456789) grants sub-accounts or collaborators permission to perform the following operations on the Cloud Log Service Console:

      • View the root account logset list.
      • View basic information and the log topic list of the logset (abcd0000-abcd-abcd-abcd-abcd11110000) in the Shanghai region.
      • View basic information of the log topic (123e4567-e89b-12d3-a456-426655440000) in the current logset, including collection, index, and shipping configurations and shipping task lists.

      The CAM authorization policy is as follows:

      {
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cls:listLogset"
            ],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:logset/*"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "cls:list*",
                "cls:get*"
            ],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:logset/abcd0000-abcd-abcd-abcd-abcd11110000",
                "qcs::cls:ap-shanghai:uin/123456789:topic/123e4567-e89b-12d3-a456-426655440000"
            ]
        }
    ]
}

      Console scenario: read-only permission for server groups

      Description: the root account (UIN: 123456789) grants sub-accounts or collaborators permission to perform the following operations on the CLS Console:

      • View the root account server group list.
      • View information about all server groups in the Shanghai region, including the server list and status.

      The CAM authorization policy is as follows:

      {
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cls:listMachineGroup",
                "cls:getMachineGroup",
                "cls:getMachineStatus"
            ],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:machinegroup/*"
            ]
        }
    ]
}

      Description: the root account (UIN: 123456789) grants sub-accounts or collaborators permission to search the log topic (123e4567-e89b-12d3-a456-426655440000) in the Shanghai logset (abcd0000-abcd-abcd-abcd-abcd11110000) of the root account on the CLS Console.

      The CAM authorization policy is as follows:

      {
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cls:listLogset"
            ],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:logset/*"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "cls:listTopic"
            ],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:logset/abcd0000-abcd-abcd-abcd-abcd11110000"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "cls:searchLog"
            ],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:logset/abcd0000-abcd-abcd-abcd-abcd11110000",
                "qcs::cls:ap-shanghai:uin/123456789:topic/123e4567-e89b-12d3-a456-426655440000"
            ]
        }
    ]
}

      Console scenario: permission for viewing log topic shipping tasks

      Description: the root account (UIN: 123456789) grants sub-accounts or collaborators permission to view the shipping task (1234abcd-0000-0000-0000-1234abcd0000) in the log topic (123e4567-e89b-12d3-a456-426655440000) in the Shanghai logset (abcd0000-abcd-abcd-abcd-abcd11110000) of the root account on the CLS Console.

      The CAM authorization policy is as follows:

      {
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cls:listLogset"
            ],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:logset/*"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "cls:listTopic"
            ],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:logset/abcd0000-abcd-abcd-abcd-abcd11110000"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "cls:listShipper"
            ],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:topic/123e4567-e89b-12d3-a456-426655440000"
            ]
        },
        {
            "effect": "allow",
            "action": [
                "cls:listShipperTask"
            ],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:shipper/1234abcd-0000-0000-0000-1234abcd0000"
            ]
        }
    ]
}

      API scenario: write and download permission for log topics

      Description: the root account (UIN: 123456789) grants sub-accounts or collaborators permission to perform the following operations through the API:

      • Write data to the log topic (123e4567-e89b-12d3-a456-426655440000) of the root account.
      • Download data from the log topic (123e4567-e89b-12d3-a456-426655440000) of the root account.

      The CAM authorization policy is as follows:

      {
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cls:getCursor",
                "cls:downloadLog",
                "cls:pushLog"
            ],
            "resource": [
                "qcs::cls:ap-shanghai:uin/123456789:topic/123e4567-e89b-12d3-a456-426655440000"
            ]
        }
    ]
}

      Was this page helpful?

      Confirm

      Was this page helpful?

      • Not at all
      • Not very helpful
      • Somewhat helpful
      • Very helpful
      • Extremely helpful
      Send Feedback
      Hide
      Submit a TicketContact sales
      Help
      tencent
      Copyright © 2013-2020 Tencent Cloud. All Rights Reserved.
      Privacy PolicyTerms of ServiceCookie Policy