Introduction
Cloud Mate grants permissions to sub-accounts through Cloud Access Management (CAM). With CAM you can create, manage and delete users and user groups, and use identity management and policy management to control how other users may use Tencent Cloud resources. For details on CAM policies and how to use them, see the CAM policy documentation.
Preset permission policies
Two preset permission policies are provided that cover the most basic permission-management needs.
Cloud Mate full access (QcloudCloudmateFullAccess): grants permission to every Cloud Mate feature and resource, for example creating a workspace, creating a scene, editing an MCP, or deleting a knowledge base.
Cloud Mate read-only access (QcloudCloudmateReadOnlyAccess): grants permission to view data only; create, edit and delete operations are not permitted.
Custom permission policies
Authorizing by tag
To restrict a user to workspaces, MCPs, knowledge bases, scenes and other resources that carry a specified tag, follow these steps:
2. In Cloud Mate, bind tags to your workspaces, MCPs, knowledge bases and scenes. Tags can be set when creating or editing any of these resources, as shown in the figure below.

3. In CAM policies, configure the following policy and bind it to the relevant users. Replace the placeholder 您的标签key&您的标签value with your tag key and tag value joined by "&".
{
  "statement": [
    {
      "action": ["cloudmate:*"],
      "condition": {
        "for_any_value:string_equal": {
          "qcs:resource_tag": ["您的标签key&您的标签value"]
        }
      },
      "effect": "allow",
      "resource": ["*"]
    },
    {
      "action": [
        "cloudmate:CreateWorkspace",
        "cloudmate:CheckAssumeRole",
        "cloudmate:DescribeMCPServiceTools",
        "cloudmate:DescribeWorkspaceMCPTools",
        "cloudmate:SmartDiagnosis"
      ],
      "effect": "allow",
      "resource": ["*"]
    }
  ],
  "version": "2.0"
}
Authorizing by specific workspace
The following policy restricts access to the specified workspaces and the resources under them, such as MCPs, knowledge bases and scenes. Replace 您的uin with your account UIN and 您的空间1的ID / 您的空间2的ID with the IDs of the workspaces; for each workspace the policy lists both the workspace resource itself and, with a trailing /*, the resources under it.
{
  "statement": [
    {
      "action": ["cloudmate:*"],
      "effect": "allow",
      "resource": [
        "qcs::cloudmate::uin/您的uin:workspace/您的空间1的ID",
        "qcs::cloudmate::uin/您的uin:workspace/您的空间1的ID/*",
        "qcs::cloudmate::uin/您的uin:workspace/您的空间2的ID",
        "qcs::cloudmate::uin/您的uin:workspace/您的空间2的ID/*"
      ]
    },
    {
      "action": [
        "cloudmate:CheckAssumeRole",
        "cloudmate:DescribeMCPServiceTools",
        "cloudmate:DescribeWorkspaceMCPTools",
        "cloudmate:SmartDiagnosis"
      ],
      "effect": "allow",
      "resource": ["*"]
    }
  ],
  "version": "2.0"
}
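The script below is an added illustration, not code from Cloud Mate or CAM. It evaluates the two custom policies above (tag-scoped and workspace-scoped) against sample requests so you can see which statement grants what before binding a policy to a user. The UIN, workspace IDs, the tag "env&prod" and the action name cloudmate:DeleteWorkspace are constructed for the example; the evaluation rules (wildcard matching on action and resource, deny-overrides-allow, and for_any_value:string_equal satisfied when any resource tag equals a listed value) are the example's own simplified model of CAM, not its authoritative semantics.

```python
import fnmatch
import json

# Constructed sample identifiers (not real values).
UIN = "100000000001"
WS1 = "ws-aaaa1111"
WS2 = "ws-bbbb2222"

# Tag-scoped policy from the page, with the placeholder replaced by the
# constructed tag "env&prod" (tag key and value joined by "&").
TAG_POLICY = json.loads("""
{"statement": [
  {"action": ["cloudmate:*"],
   "condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["env&prod"]}},
   "effect": "allow", "resource": ["*"]},
  {"action": ["cloudmate:CreateWorkspace", "cloudmate:CheckAssumeRole",
              "cloudmate:DescribeMCPServiceTools",
              "cloudmate:DescribeWorkspaceMCPTools", "cloudmate:SmartDiagnosis"],
   "effect": "allow", "resource": ["*"]}
], "version": "2.0"}
""")

# Workspace-scoped policy from the page, with placeholders filled in.
WORKSPACE_POLICY = {
    "statement": [
        {"action": ["cloudmate:*"], "effect": "allow",
         "resource": [f"qcs::cloudmate::uin/{UIN}:workspace/{WS1}",
                      f"qcs::cloudmate::uin/{UIN}:workspace/{WS1}/*",
                      f"qcs::cloudmate::uin/{UIN}:workspace/{WS2}",
                      f"qcs::cloudmate::uin/{UIN}:workspace/{WS2}/*"]},
        {"action": ["cloudmate:CheckAssumeRole", "cloudmate:DescribeMCPServiceTools",
                    "cloudmate:DescribeWorkspaceMCPTools", "cloudmate:SmartDiagnosis"],
         "effect": "allow", "resource": ["*"]},
    ],
    "version": "2.0",
}


def _matches(patterns, value):
    """Case-sensitive glob match; '*' also spans '/' and ':' separators."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, resource_tags):
    """Simplified condition model (assumption of this example): only the
    operator used on this page is understood; any other operator or key is
    treated as unsatisfied so an unknown condition never widens access."""
    if not condition:
        return True
    for operator, keys in condition.items():
        if operator != "for_any_value:string_equal":
            return False
        for key, wanted in keys.items():
            if key != "qcs:resource_tag":
                return False
            # satisfied if ANY of the resource's "key&value" tags is listed
            if not set(wanted) & set(resource_tags):
                return False
    return True


def is_allowed(policy, action, resource, resource_tags=()):
    """Deny by default; allow when some allow statement matches the action,
    the resource and its condition; an explicit deny statement always wins."""
    allowed = False
    for statement in policy["statement"]:
        if not _matches(statement["action"], action):
            continue
        if not _matches(statement["resource"], resource):
            continue
        if not _condition_ok(statement.get("condition"), resource_tags):
            continue
        if statement["effect"] == "deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    ws_other = f"qcs::cloudmate::uin/{UIN}:workspace/ws-zzzz9999"
    # cloudmate:DeleteWorkspace is a constructed action name used only to
    # show an action that is NOT in the unconditional second statement.
    print(is_allowed(TAG_POLICY, "cloudmate:DeleteWorkspace", ws_other, ["env&prod"]))
    print(is_allowed(TAG_POLICY, "cloudmate:DeleteWorkspace", ws_other, ["env&dev"]))
    print(is_allowed(WORKSPACE_POLICY, "cloudmate:DeleteWorkspace", f"{ws_other}/mcp/m-1"))
    print(is_allowed(WORKSPACE_POLICY, "cloudmate:CheckAssumeRole", ws_other))
```

The useful check is the negative cases: a resource with a different tag, or a workspace not listed in the resource ARNs, must come back denied, while the unconditional second statement still permits the listed Describe/Check/SmartDiagnosis actions everywhere.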
MCP authentication
For the officially provided CLS (Cloud Log Service) MCP and the Tencent Cloud Observability Platform MCP (coming soon), you must pass authentication before the MCP can access your data.
If you choose to authenticate with a SecretId and SecretKey, follow these steps:
2. Bind an access policy to that sub-account. Reference policies:
Cloud Log Service: when you authenticate the CLS MCP with a SecretId and SecretKey, bind the following access policy to the sub-account.
{
  "statement": [
    {
      "action": [
        "cls:EstimateRebuildIndexTask",
        "cls:GetAccount",
        "cls:GetAlarm",
        "cls:GetAlarmLog",
        "cls:GetChart",
        "cls:GetClsService",
        "cls:GetDashboard",
        "cls:GetDeliverFunction",
        "cls:GetFastAnalysis",
        "cls:GetHistogram",
        "cls:GetLog",
        "cls:GetResource",
        "cls:SearchCosRechargeInfo",
        "cls:SearchDashboardSubscribe",
        "cls:SearchLog",
        "cls:ShowContext",
        "cls:pullLogs",
        "cls:searchLog",
        "cls:CreateExport",
        "cls:DeleteExport",
        "cls:downloadLog",
        "cls:ListAlarm",
        "cls:ListChart",
        "cls:ListDashboard",
        "cls:get*",
        "cls:list*",
        "cls:Check*",
        "cls:Describe*",
        "cls:Query*",
        "cls:GetMetricLabelValues",
        "cls:GetMetricSeries",
        "cls:MetricsQuery*",
        "cls:MetricsLabel*",
        "cls:MetricsSeries*",
        "cls:Chat*"
      ],
      "effect": "allow",
      "resource": ["*"]
    },
    {
      "action": ["region:DescribeRegions"],
      "effect": "allow",
      "resource": ["*"]
    }
  ],
  "version": "2.0"
}
Observability Platform (coming soon): when you authenticate the Observability Platform MCP with a SecretId and SecretKey, bind the following access policy to the sub-account.
{
  "statement": [
    {
      "action": ["monitor:Describe*", "monitor:Get*"],
      "effect": "allow",
      "resource": ["*"]
    }
  ],
  "version": "2.0"
}
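Because the SecretId/SecretKey pair of this sub-account ends up in MCP configuration, it is worth confirming that the bound policy grants no more than the MCP needs. The following added example (not part of Cloud Mate, CLS or CAM) classifies each action in the two reference policies above by its verb and lists every action that is not clearly read-only for human review. The verb lists are the example's own assumption, not a CAM-defined classification. Run over the CLS policy as written on this page, it lists cls:CreateExport and cls:DeleteExport (export tasks are created and deleted rather than only read), plus cls:downloadLog and cls:Chat*, whose verbs the list does not recognise; the Observability Platform policy, which only uses Describe* and Get*, produces no findings.

```python
import json
import re

# Policies copied from this page (SecretId/SecretKey authentication for the MCPs).
CLS_MCP_POLICY = json.loads("""
{"statement": [{"action": ["cls:EstimateRebuildIndexTask","cls:GetAccount","cls:GetAlarm",
"cls:GetAlarmLog","cls:GetChart","cls:GetClsService","cls:GetDashboard",
"cls:GetDeliverFunction","cls:GetFastAnalysis","cls:GetHistogram","cls:GetLog",
"cls:GetResource","cls:SearchCosRechargeInfo","cls:SearchDashboardSubscribe",
"cls:SearchLog","cls:ShowContext","cls:pullLogs","cls:searchLog","cls:CreateExport",
"cls:DeleteExport","cls:downloadLog","cls:ListAlarm","cls:ListChart","cls:ListDashboard",
"cls:get*","cls:list*","cls:Check*","cls:Describe*","cls:Query*","cls:GetMetricLabelValues",
"cls:GetMetricSeries","cls:MetricsQuery*","cls:MetricsLabel*","cls:MetricsSeries*","cls:Chat*"],
"effect": "allow","resource": ["*"]},
{"action": ["region:DescribeRegions"],"effect": "allow","resource": ["*"]}],"version": "2.0"}
""")

MONITOR_MCP_POLICY = json.loads("""
{"statement": [{"action": ["monitor:Describe*","monitor:Get*"],"effect": "allow",
"resource": ["*"]}],"version": "2.0"}
""")

# Verb prefixes (compared case-insensitively) that this check treats as read-only
# or as mutating. Assumption of the example; anything else is "unknown".
READ_VERBS = ("describe", "get", "list", "search", "query", "check", "show",
              "pull", "estimate", "metrics")
WRITE_VERBS = ("create", "delete", "modify", "update", "put", "set", "add",
               "remove", "upload", "bind", "unbind")


def classify(action: str) -> str:
    """Return "read", "write", "wildcard" or "unknown" for one CAM action string
    such as "cls:GetLog", "cls:Describe*" or "cls:*"."""
    _, _, operation = action.partition(":")
    if operation == "*":
        return "wildcard"          # grants every action of the service
    verb = re.match(r"[A-Za-z]*", operation).group(0).lower()  # drop trailing '*'
    if verb.startswith(READ_VERBS):
        return "read"
    if verb.startswith(WRITE_VERBS):
        return "write"
    return "unknown"


def review(policy: dict) -> list:
    """Sorted list of actions in allow statements that are not read-only, so a
    reviewer can confirm the MCP sub-account genuinely needs each of them."""
    flagged = set()
    for statement in policy["statement"]:
        if statement.get("effect") != "allow":
            continue
        for action in statement["action"]:
            if classify(action) != "read":
                flagged.add(action)
    return sorted(flagged)


if __name__ == "__main__":
    for name, policy in (("CLS MCP", CLS_MCP_POLICY), ("Monitor MCP", MONITOR_MCP_POLICY)):
        findings = review(policy)
        print(f"{name}: {len(findings)} action(s) to review")
        for action in findings:
            print(f"  {action:28} {classify(action)}")
```

Findings are not automatically wrong; the point is that every non-read action on a credential that lives in tool configuration is a deliberate decision, and a service-wide "cls:*" would be reported as a wildcard rather than silently accepted.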