tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
API Gateway
    Documentation
    Download PDF

    CAM Policy

    Last updated: 2023-12-22 09:54:39
    Download PDF

      CAM Introduction

      Basic concepts

      The root account authorizes sub-accounts by binding policies. The policy setting can be accurate to "API, Resource, User/User Group, Allow/Deny, Condition".

      Account

      Root account: As the fundamental owner of Tencent Cloud resources, root account acts as the basis for resource usage fee calculation and billing, and can be used to log in to Tencent Cloud services.
      Sub-account: An account created by the root account, which has a specific ID and identity credential that can be used to log in to Tencent Cloud console. A root account can create multiple sub-accounts (users). A sub-account does not own any resources by default, and must be authorized by its root
      account.Identity credential: Includes login credential and access certificate. Login credential refers to a user’s login name and password, while access certificate refers to the Cloud API key (SecretID and SecretKey).

      Resources and permission

      Resource: Resources are objects that the cloud services operate on, such as the CVM instance, COS bucket and VPC instance.
      Permission : Permission is an authorization to allow or forbid users to perform certain operations. By default, root account has full access to all resources under the account, while sub-accounts do not have access to any resources under its root account.
      Policy : Policy is the syntax rule used to define and describe one or more permissions. Root account performs authorization by associating policies with users/user groups.
      Content
      Link
      Relationship between policy and user
      Basic structure of policy
      More products that support CAM
      Click to learn more about CAM

      API Gateway Resources

      - qcs::APIgateway:_`region`_:uin/_`uin—id`_:service/_`serviceid`_
      - qcs::APIgateway:_`region`_:uin/_`uin—id`_:service/_`serviceid`_/API/_`apiid`_
      - qcs::APIgateway:_`region`_:uin/_`uin—id`_:usagePlan/_`usagePlanid`_
      - qcs::APIgateway:_`region`_:uin/_`uin—id`_:secret/_`secretid`_
      - qcs::APIgateway:_`region`_:uin/_`uin—id`_:IPStrategy/_`IPStrategyId`_
      - qcs::APIgateway:_`region`_:uin/_`uin—id`_:logRule/_`logRuleId`_
      All creation APIs are at account level, while other APIs are at resource level.

      CAM Policy Examples

      Full read-write policy for any API Gateway resources

      The following policy statement gives the sub-user permission to fully manage (creating, managing, etc.) any API services.
      {
          "version": "2.0",
          "statement": [
              {
                  "action": [
                      "apigw:*"
                  ],
                  "resource": "*",
                  "effect": "allow"
              }
          ]
      }
      You can also configure the system's full read-write policy to support this permission.
      
      
      

      Full management policy for single API Gateway service

      The following policy statement gives the sub-user permission to fully manage (creating, managing, etc.) a specified API service:
      {
          "version": "2.0",
          "statement": [
              {
                  "action": [
                      "apigw:*"
                  ],
                  "resource":"qcs::apigw:ap-guangzhou:uin/{ownerUin}:service/service-id/API/api-id",
                  "effect": "allow"
              }
          ]
      }

      Read-only policy for single API Gateway service

      1. Create a policy with policy generator, and grant the permissions to list information for all resources and product monitoring. The following policy statement will grant read-only permission to all resources of the account.
      {
       "version": "2.0",
       "statement": [
           {
               "action": [
                   "apigw:Describe*",
                   "apigw:GenerateApiDocument"
               ],
               "resource": "*",
               "effect": "allow"
           }
       ]
      }
      2. Grant read-only permission to a single API.
      {
       "version": "2.0",
       "statement": [
           {
               "action": [
                   "ckafka:Get*",
                   "ckafka:List*"
               ],
               "resource": "qcs::apigw:ap-guangzhou:uin/{ownerUin}:service/service-id/API/api-id",
               "effect": "allow"
           }
       ]
      }
      
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy