CAM Policy

Last updated: 2019-08-21 15:05:56


CAM Introduction

Note: API Gateway will be integrated with CAM on the evening of September 20th-21st. To avoid affecting existing customers, we will grant the QcloudAPIGWFullAccess policy to all API Gateway users' accounts and sub-accounts before September 20th. This means that your sub-accounts and cross-accounts will have full management permissions for the existing services and APIs of API Gateway. This authorization does not affect other products. For granular management of an account's permission policy, refer to the samples below and modify them for your use.

Basic concepts

The root account authorizes sub-accounts by binding policies to them. A policy can be scoped down to the API, the resource, the user or user group, the effect (allow or deny), and a condition.

Account

Root account: As the fundamental owner of Tencent Cloud resources, the root account is the basis for resource usage fee calculation and billing, and can be used to log in to Tencent Cloud services.
Sub-account: An account created by the root account, with its own ID and identity credential that can be used to log in to the Tencent Cloud console. A root account can create multiple sub-accounts (users). A sub-account owns no resources by default and must be authorized by its root account.
Identity credential: Includes the login credential and the access credential. The login credential is a user's login name and password, while the access credential is the Cloud API key (SecretId and SecretKey).

Resources and permission

  • Resource: Resources are the objects that cloud services operate on, such as a CVM instance, a COS bucket or a VPC instance.
  • Permission: A permission is an authorization that allows or forbids users to perform certain operations. By default, the root account has full access to all resources under the account, while sub-accounts have no access to any resources under their root account.
  • Policy: A policy is the syntax rule used to define and describe one or more permissions. The root account performs authorization by associating policies with users or user groups.
Content                                Link
Relationship between policy and user   Policy Management
Basic structure of policy              Policy Syntax
More products that support CAM         CAM-enabled Cloud Services


API Gateway Resources

- qcs::APIgateway:region:uin/uin-id:service/serviceid
- qcs::APIgateway:region:uin/uin-id:service/serviceid/API/apiid
- qcs::APIgateway:region:uin/uin-id:usagePlan/usagePlanid
- qcs::APIgateway:region:uin/uin-id:secret/secretid
- qcs::APIgateway:region:uin/uin-id:IPStrategy/IPStrategyId
- qcs::APIgateway:region:uin/uin-id:logRule/logRuleId

All creation APIs are at account level, while other APIs are at resource level.

CAM Policy Examples

Full read-write policy for any API Gateway resources

The following policy statement gives the sub-user permission to fully manage (create, modify, delete, etc.) any API Gateway service:

{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "apigw:*"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}

Alternatively, you can attach the preset (system) full read-write policy, which grants the same permission.

Full management policy for single API Gateway service

The following policy statement gives the sub-user permission to fully manage (create, modify, delete, etc.) the specified API service resource:

{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "apigw:*"
            ],
            "resource": "qcs::apigw:ap-guangzhou:uin/{ownerUin}:service/service-id/API/api-id",
            "effect": "allow"
        }
    ]
}

Read-only policy for single API Gateway service

  1. Create a policy with the policy generator and grant permission to list information for all resources and to view product monitoring. The following policy statement grants read-only permission to all API Gateway resources of the account.

    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "apigw:Describe*",
                    "apigw:GenerateApiDocument"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }
  2. Grant read-only permission to a single API.

    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "apigw:Describe*",
                    "apigw:GenerateApiDocument"
                ],
                "resource": "qcs::apigw:ap-guangzhou:uin/{ownerUin}:service/service-id/API/api-id",
                "effect": "allow"
            }
        ]
    }
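To see how the policies above differ in what they actually permit, the following Python script is an added example (not part of this document and not Tencent Cloud tooling). It is a simplified model of CAM evaluation: `*` in an action or resource string is treated as a glob-style wildcard, evaluation is default-deny, and an explicit "deny" overrides any "allow". The root-account UIN, the service and API ids, and the action names used in the checks are constructed for illustration; replace `{ownerUin}` in the policies above with your real root-account UIN.

```python
"""Simplified evaluator for the CAM policy documents shown on this page.

Assumptions (added illustration, not Tencent's CAM engine):
  * '*' in an action or resource string is a glob-style wildcard
  * evaluation is default-deny, and an explicit "deny" beats any "allow"
  * the root-account UIN, service/API ids and action names are constructed
"""
import fnmatch

OWNER_UIN = "100000000001"  # constructed placeholder for {ownerUin}
SERVICE = f"qcs::apigw:ap-guangzhou:uin/{OWNER_UIN}:service/service-abc123"
API_A = f"{SERVICE}/API/api-111111"
API_B = f"{SERVICE}/API/api-222222"

# Full read-write policy on any API Gateway resource (first example above).
FULL_ACCESS = {
    "version": "2.0",
    "statement": [{"action": ["apigw:*"], "resource": "*", "effect": "allow"}],
}

# Account-wide read-only policy (step 1 above).
READ_ONLY_ALL = {
    "version": "2.0",
    "statement": [{
        "action": ["apigw:Describe*", "apigw:GenerateApiDocument"],
        "resource": "*",
        "effect": "allow",
    }],
}

# Read-only on a single API (step 2 above), with the uin filled in.
SINGLE_API_READ_ONLY = {
    "version": "2.0",
    "statement": [{"action": ["apigw:Describe*"], "resource": API_A, "effect": "allow"}],
}

# Constructed variant: full control of one API, but deletion explicitly denied.
SINGLE_API_NO_DELETE = {
    "version": "2.0",
    "statement": [
        {"action": ["apigw:*"], "resource": API_A, "effect": "allow"},
        {"action": ["apigw:Delete*"], "resource": "*", "effect": "deny"},
    ],
}


def _as_list(value):
    """CAM accepts either a single string or a list for action/resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # fnmatchcase is case-sensitive, so "apigw:Describe*" does not match
    # "apigw:describeApi"; CAM action names are matched case-sensitively too.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Return True if the policy permits `action` on `resource`."""
    allowed = False
    for stmt in policy["statement"]:
        if not any(_matches(p, action) for p in _as_list(stmt["action"])):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt["resource"])):
            continue
        if stmt["effect"] == "deny":
            return False  # an explicit deny is final
        if stmt["effect"] == "allow":
            allowed = True  # keep scanning in case a later statement denies
    return allowed


def parse_qcs(resource):
    """Split a six-part descriptor qcs::service:region:uin/id:type/id into fields."""
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a qcs resource descriptor: {resource!r}")
    _, _, service, region, owner, path = parts
    return {"service": service, "region": region, "owner": owner, "path": path}


def audit(policy, requests):
    """Evaluate (action, resource) pairs; returns {(action, resource): allowed}."""
    return {(a, r): is_allowed(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    checks = [
        ("apigw:CreateService", "*"),   # creation APIs are account-level
        ("apigw:DescribeApi", API_A),
        ("apigw:DescribeApi", API_B),
        ("apigw:DeleteApi", API_A),
    ]
    policies = [("FULL_ACCESS", FULL_ACCESS), ("READ_ONLY_ALL", READ_ONLY_ALL),
                ("SINGLE_API_READ_ONLY", SINGLE_API_READ_ONLY),
                ("SINGLE_API_NO_DELETE", SINGLE_API_NO_DELETE)]
    for name, pol in policies:
        print(name)
        for (a, r), ok in audit(pol, checks).items():
            print(f"  {'ALLOW' if ok else 'DENY':5} {a:<22} {r}")
```

Running the script shows the practical difference between the samples: the account-wide read-only policy allows `Describe*` on every API but no creation, the single-API policy allows reads of one api-id only, and the deny statement in the constructed variant blocks deletion even though `apigw:*` is allowed on the same resource. `parse_qcs` is a convenience for checking that a resource string in a policy follows the six-part descriptor format listed under "API Gateway Resources".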