CAM-based Access Control Configuration

Last updated: 2020-08-24 14:56:02

    ES CAM Overview

    Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you securely manage and control access permissions to resources under your Tencent Cloud account. With CAM, you can create, manage, and terminate users (user groups) and use identities and policies to control user access to Tencent Cloud resources. For more information on CAM policies and usage, please see CAM Policy.

    ES CAM Policies

    General permission policy

    ES provides two general policies by default:

    • Full access policy (QcloudElasticsearchServiceFullAccess), which grants a user permission to create and manage all ES cluster instances.
    • Read-only access policy (QcloudElasticsearchServiceReadOnlyAccess), which grants a user permission to view ES cluster instances but not create, update, or delete them.

    You can log in to the Policy Management page, select "Elasticsearch Service" in "Service Type", and bind the default policies displayed in the list to accounts as needed.

    If the default policies cannot meet your requirements, you can click Create Custom Policy to customize the authorization.

    Custom permission policy

    Types of resources that can be authorized in ES include:

    Resource Type | Resource Description
    instance      | qcs::es:$region:$account:instance/*

    The following table describes the resource-level access control supported by each API:

    API Name          | Description                                                  | Associated with Resource | Resource Description
    DescribeInstances | Getting cluster list and information of individual clusters  | Yes                      | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
    CreateInstance    | Creating cluster                                             | No                       | *
    UpdateInstance    | Updating cluster                                             | Yes                      | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
    RestartInstance   | Restarting cluster                                           | Yes                      | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
    DeleteInstance    | Deleting cluster                                             | Yes                      | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}
    UpdatePlugins     | Updating plugin                                              | Yes                      | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}

    Supported regions include:

    Area                   | Region Name       | Region ID
    South China            | Guangzhou         | ap-guangzhou
    East China             | Shanghai          | ap-shanghai
    East China             | Nanjing           | ap-nanjing
    North China            | Beijing           | ap-beijing
    Southwest China        | Chengdu           | ap-chengdu
    Southwest China        | Chongqing         | ap-chongqing
    Hong Kong/Macao/Taiwan | Hong Kong (China) | ap-hongkong
    Southeast Asia Pacific | Singapore         | ap-singapore
    South Asia Pacific     | Mumbai            | ap-mumbai
    Northeast Asia Pacific | Seoul             | ap-seoul
    Northeast Asia Pacific | Tokyo             | ap-tokyo
    West US                | Silicon Valley    | na-siliconvalley
    East US                | Virginia          | na-ashburn
    North America          | Toronto           | na-toronto
    Europe                 | Frankfurt         | eu-frankfurt

    The syntax of a custom policy is as follows:

    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "Action"
                ],
                "resource": "Resource",
                "effect": "Effect"
            }
        ]
    }

    • Action: replace it with the operation to be allowed or denied.
    • Resource: replace it with the resources that you want to authorize the user to manipulate.
    • Effect: replace it with "allow" or "deny".

    ES currently supports access control management for all APIs except DescribeInstances. You can authorize a sub-account to perform various operations on a cluster under your account such as updating, restarting, and deleting.

    Custom permission sample

    To grant an account permission to update the specified cluster, use the following policy syntax:

    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "es:Describe*"
                ],
                "resource": [
                    "qcs::es:ap-guangzhou:uin/$uin:instance/$instanceID"
                ],
                "effect": "allow"
            },
            {
                "action": [
                    "vpc:Describe*",
                    "vpc:Inquiry*",
                    "vpc:Get*"
                ],
                "resource": "*",
                "effect": "allow"
            },
            {
                "action": [
                    "monitor:*",
                    "cam:ListUsersForGroup",
                    "cam:ListGroups",
                    "cam:GetGroup"
                ],
                "resource": "*",
                "effect": "allow"
            },
            {
                "action": [
                    "es:Update*"
                ],
                "resource": [
                    "qcs::es:ap-guangzhou:uin/$uin:instance/$instanceID"
                ],
                "effect": "allow"
            }
        ]
    }
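The policy grammar described above and the custom permission sample can be exercised offline with a small evaluator that resolves an (action, resource) request against a policy's statements. This is an added example, not Tencent Cloud's own CAM engine: the policy, UIN and instance ID are constructed, and the rule that an explicit "deny" overrides any "allow" is assumed rather than taken from the page.

```python
import fnmatch
import json

def instance_resource(region, owner_uin, instance_id):
    """Build the six-segment qcs resource description the page gives for ES
    instances: qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId}."""
    return f"qcs::es:{region}:uin/{owner_uin}:instance/{instance_id}"

# Constructed sample in the page's policy shape (UIN and instance ID are made up).
# A deny statement is added to show deny-overrides-allow in this evaluator.
SAMPLE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"action": ["es:Describe*", "es:Update*"],
     "resource": ["qcs::es:ap-guangzhou:uin/100000000001:instance/es-constructed01"],
     "effect": "allow"},
    {"action": ["es:CreateInstance"], "resource": "*", "effect": "allow"},
    {"action": ["es:DeleteInstance"], "resource": "*", "effect": "deny"}
  ]
}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def resource_matches(pattern, resource):
    """Match a qcs resource segment by segment, so a '*' in one segment
    (e.g. instance/*) cannot spill across the region or uin segments."""
    if pattern == "*":
        return True
    p_parts, r_parts = pattern.split(":"), resource.split(":")
    if len(p_parts) != len(r_parts):
        return False
    return all(fnmatch.fnmatchcase(r, p) for p, r in zip(p_parts, r_parts))

def evaluate(policy, action, resource):
    """Return 'allow' if a matching statement allows the request and no matching
    statement denies it; anything unmatched is an implicit 'deny'. The
    deny-overrides-allow rule is assumed here, not taken from the page."""
    decision = "deny"
    for stmt in policy["statement"]:
        act_ok = any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["action"]))
        res_ok = any(resource_matches(p, resource) for p in as_list(stmt["resource"]))
        if not (act_ok and res_ok):
            continue
        if stmt["effect"] == "deny":
            return "deny"  # explicit deny wins over any allow
        decision = "allow"
    return decision
```

Segment-wise matching is what keeps a wildcard in the instance segment from widening the grant to another region or another account's uin.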
