- User Guide
- Release Notes
- Product Introduction
- Purchase Guide
- ES Kernel Enhancement
- Getting Started
- Data Application Guide
- Elasticsearch Guide
- Best Practices
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- UpdateInstance
- RestartInstance
- DescribeInstances
- DeleteInstance
- CreateInstance
- DescribeInstanceOperations
- DescribeInstanceLogs
- UpgradeLicense
- UpgradeInstance
- UpdatePlugins
- RestartNodes
- RestartKibana
- UpdateRequestTargetNodeTypes
- GetRequestTargetNodeTypes
- DescribeViews
- UpdateDictionaries
- UpdateIndex
- DescribeIndexMeta
- DescribeIndexList
- DeleteIndex
- CreateIndex
- Data Types
- Error Codes
- FAQs
- Service Level Agreement
- Glossary
- New Version Introduction
- User Guide
- Release Notes
- Product Introduction
- Purchase Guide
- ES Kernel Enhancement
- Getting Started
- Data Application Guide
- Elasticsearch Guide
- Best Practices
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- UpdateInstance
- RestartInstance
- DescribeInstances
- DeleteInstance
- CreateInstance
- DescribeInstanceOperations
- DescribeInstanceLogs
- UpgradeLicense
- UpgradeInstance
- UpdatePlugins
- RestartNodes
- RestartKibana
- UpdateRequestTargetNodeTypes
- GetRequestTargetNodeTypes
- DescribeViews
- UpdateDictionaries
- UpdateIndex
- DescribeIndexMeta
- DescribeIndexList
- DeleteIndex
- CreateIndex
- Data Types
- Error Codes
- FAQs
- Service Level Agreement
- Glossary
- New Version Introduction
ES CAM Overview
Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you securely manage and control access permissions to resources under your Tencent Cloud account. With CAM, you can create, manage, and terminate users (user groups) and use identities and policies to control user access to Tencent Cloud resources. For more information on CAM policies and usage, please see CAM Policy.
ES CAM Policies
General permission policy
ES provides two general policies by default:
- Full access policy (QcloudElasticsearchServiceFullAccess), which grants a user permission to create and manage all ES cluster instances.
- Read-only access policy (QcloudElasticsearchServiceReadOnlyAccess), which grants a user permission to view ES cluster instances but not create, update, or delete them.
You can log in to the Policy Management page, select "Elasticsearch Service" in "Service Type", and bind the default policies displayed in the list to accounts as needed.
If the default policies cannot meet your requirements, you can click Create Custom Policy to customize the authorization.
Custom permission policy
Types of resources that can be authorized in ES include:
| Resource Type | Resource Description |
|---|---|
| instance | qcs::es:$region:$account:instance/* |
Below describes the details of resource-level access control supported by each API:
| API Name | Description | Associated with Resource | Resource Description |
|---|---|---|---|
| Getting cluster list and information of individual clusters | DescribeInstances | Yes | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId} |
| Creating cluster | CreateInstance | No | * |
| Updating cluster | UpdateInstance | Yes | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId} |
| Restarting cluster | RestartInstance | Yes | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId} |
| Deleting cluster | DeleteInstance | Yes | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId} |
| Updating plugin | UpdatePlugins | Yes | qcs::es:${Region}:uin/${ownerUin}:instance/${instanceId} |
Supported regions include:
| Region | Name | Region ID |
|---|---|---|
| South China | Guangzhou | ap-guangzhou |
| East China | Shanghai | ap-shanghai |
| Nanjing | ap-nanjing |
|
| North China | Beijing | ap-beijing |
| Southwest China | Chengdu | ap-chengdu |
| Chongqing | ap-chongqing |
|
| Hong Kong/Macao/Taiwan | Hong Kong (China) | ap-hongkong |
| Southeast Asia Pacific | Singapore | ap-singapore |
| South Asia Pacific | Mumbai | ap-mumbai |
| Northeast Asia Pacific | Seoul | ap-seoul |
| Tokyo | ap-tokyo |
|
| West US | Silicon Valley | na-siliconvalley |
| East US | Virginia | na-ashburn |
| North America | Toronto | na-toronto |
| Europe | Frankfurt | eu-frankfurt |
The syntax of a custom policy is as follows:
{
"version": "2.0",
"statement": [
{
"action": [
"Action"
],
"resource": "Resource",
"effect": "Effect"
}
]
}
- Action: replace it with the operation to be allowed or denied.
- Resource: replace it with the resources that you want to authorize the user to manipulate.
- Effect: replace it with "allow" or "deny".
ES currently supports access control management for all APIs except DescribeInstances. You can authorize a sub-account to perform various operations on a cluster under your account such as updating, restarting, and deleting.
Custom permission sample
To grant an account permission to update the specified cluster, use the following policy syntax:
{
"version": "2.0",
"statement": [
{
"action": [
"es:Describe*"
],
"resource": [
"qcs::es:ap-guangzhou:uin/$uin:instance/$instanceID"
],
"effect": "allow"
},
{
"action": [
"vpc:Describe*",
"vpc:Inquiry*",
"vpc:Get*"
],
"resource": "*",
"effect": "allow"
},
{
"action": [
"monitor:*",
"cam:ListUsersForGroup",
"cam:ListGroups",
"cam:GetGroup"
],
"resource": "*",
"effect": "allow"
},
{
"action": [
"es:Update*"
],
"resource": [
"qcs::es:ap-guangzhou:uin/$uin:instance/$instanceID"
],
"effect": "allow"
}
]
}
Yes
No
Was this page helpful?