Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you securely manage and control access permissions to resources under your Tencent Cloud account. With CAM, you can create, manage, and terminate users (user groups) and use identities and policies to control user access to Tencent Cloud resources. For more information on CAM policies and usage, please see CAM Policy.
ES provides two general policies by default:
You can log in to the Policy Management page, select "Elasticsearch Service" in "Service Type", and bind the default policies displayed in the list to accounts as needed.
If the default policies cannot meet your requirements, you can click Create Custom Policy to customize the authorization.
Types of resources that can be authorized in ES include:
| Resource Type | Resource Description |
|---|---|
| instance | qcs::es:$region:$account:instance/* |
Below describes the details of resource-level access control supported by each API:
| Description | API Name | Associated with Resource | Resource Description |
|---|---|---|---|
| Getting cluster list and information of individual clusters | DescribeInstances | Yes | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId} |
| Creating cluster | CreateInstance | No | * |
| Updating cluster | UpdateInstance | Yes | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId} |
| Restarting cluster | RestartInstance | Yes | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId} |
| Deleting cluster | DeleteInstance | Yes | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId} |
| Updating plugin | UpdatePlugins | Yes | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId} |
Supported regions include:
| Region | Name | Region ID |
|---|---|---|
| South China | Guangzhou | ap-guangzhou |
| East China | Shanghai | ap-shanghai |
| East China | Nanjing | ap-nanjing |
| North China | Beijing | ap-beijing |
| Southwest China | Chengdu | ap-chengdu |
| Southwest China | Chongqing | ap-chongqing |
| Hong Kong/Macao/Taiwan | Hong Kong (China) | ap-hongkong |
| Southeast Asia Pacific | Singapore | ap-singapore |
| South Asia Pacific | Mumbai | ap-mumbai |
| Northeast Asia Pacific | Seoul | ap-seoul |
| Northeast Asia Pacific | Tokyo | ap-tokyo |
| West US | Silicon Valley | na-siliconvalley |
| East US | Virginia | na-ashburn |
| North America | Toronto | na-toronto |
| Europe | Frankfurt | eu-frankfurt |
The syntax of a custom policy is as follows:
```json
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "Action"
            ],
            "resource": "Resource",
            "effect": "Effect"
        }
    ]
}
```
ES currently supports access control management for all APIs except DescribeInstances. You can authorize a sub-account to perform various operations on a cluster under your account, such as updating, restarting, and deleting.
To grant an account permission to update the specified cluster, use the following policy syntax:
```json
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "es:Describe*"
            ],
            "resource": [
                "qcs::es:ap-guangzhou:uin/$uin:instance/$instanceID"
            ],
            "effect": "allow"
        },
        {
            "action": [
                "vpc:Describe*",
                "vpc:Inquiry*",
                "vpc:Get*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "action": [
                "monitor:*",
                "cam:ListUsersForGroup",
                "cam:ListGroups",
                "cam:GetGroup"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "action": [
                "es:Update*"
            ],
            "resource": [
                "qcs::es:ap-guangzhou:uin/$uin:instance/$instanceID"
            ],
            "effect": "allow"
        }
    ]
}
```
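The policy syntax above and the resource descriptor format `qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}` are easy to get subtly wrong (a typo in the region, a resource string with the wrong number of segments, or a statement that accidentally grants `es:*` on `*`). The following added example, which is not Tencent Cloud code and uses no Tencent SDK, builds a scoped update policy for one cluster, validates its shape against the table on this page, and checks what it would and would not permit. The UIN and instance ID are constructed placeholders, and the evaluator is a deliberately simplified local model (explicit deny wins, any matching allow wins, default deny; wildcards matched with `fnmatch`), not the CAM engine itself.

```python
import fnmatch
import json

# Supported ES region IDs, taken from the region table on this page.
ES_REGIONS = {
    "ap-guangzhou", "ap-shanghai", "ap-nanjing", "ap-beijing", "ap-chengdu",
    "ap-chongqing", "ap-hongkong", "ap-singapore", "ap-mumbai", "ap-seoul",
    "ap-tokyo", "na-siliconvalley", "na-ashburn", "na-toronto", "eu-frankfurt",
}


def es_instance_resource(region, owner_uin, instance_id="*"):
    """Build a six-segment ES resource descriptor:
    qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}."""
    if region not in ES_REGIONS:
        raise ValueError(f"unsupported ES region: {region}")
    return f"qcs::es:{region}:uin/{owner_uin}:instance/{instance_id}"


def build_update_policy(region, owner_uin, instance_id):
    """Least-privilege CAM 2.0 policy: describe and update a single cluster only."""
    resource = es_instance_resource(region, owner_uin, instance_id)
    return {
        "version": "2.0",
        "statement": [
            {"action": ["es:Describe*", "es:Update*"],
             "resource": [resource],
             "effect": "allow"},
        ],
    }


def _as_list(value):
    # CAM accepts either a string or a list for action/resource.
    return value if isinstance(value, list) else [value]


def validate_policy(policy):
    """Return a list of problems found in a custom policy (empty list means OK)."""
    problems = []
    if policy.get("version") != "2.0":
        problems.append("version must be '2.0'")
    for i, stmt in enumerate(policy.get("statement", [])):
        for key in ("action", "resource", "effect"):
            if key not in stmt:
                problems.append(f"statement {i}: missing '{key}'")
        if stmt.get("effect") not in ("allow", "deny"):
            problems.append(f"statement {i}: effect must be 'allow' or 'deny'")
        for res in _as_list(stmt.get("resource", [])):
            if res == "*":
                continue
            parts = res.split(":")
            if len(parts) != 6 or parts[0] != "qcs":
                problems.append(f"statement {i}: malformed resource '{res}'")
            elif parts[2] == "es" and parts[3] not in ES_REGIONS:
                problems.append(f"statement {i}: unsupported ES region '{parts[3]}'")
    return problems


def is_allowed(policy, action, resource):
    """Simplified evaluation (assumption, not the CAM engine): an explicit deny on a
    matching statement wins; otherwise any matching allow grants; default is deny."""
    allowed = False
    for stmt in policy["statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["effect"] == "deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed placeholder identifiers; substitute your own UIN and instance ID.
    policy = build_update_policy("ap-guangzhou", "100000000001", "es-abc123")
    print(json.dumps(policy, indent=2))
    print("problems:", validate_policy(policy))
    target = es_instance_resource("ap-guangzhou", "100000000001", "es-abc123")
    other = es_instance_resource("ap-guangzhou", "100000000001", "es-other")
    for act, res in [("es:UpdateInstance", target), ("es:DeleteInstance", target),
                     ("es:UpdateInstance", other), ("es:CreateInstance", "*")]:
        print(f"{act:20s} on {res}: {'allow' if is_allowed(policy, act, res) else 'deny'}")
```

Note that `es:CreateInstance` is denied by this policy even though it is an ES action: the table above lists CreateInstance as not associated with a resource, so it can only be granted by a statement whose resource is `*`, which a cluster-scoped statement never matches. That is the desired outcome for a sub-account that should only maintain one existing cluster.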