Scenario
You can grant a user the permission to view and use specific resources in the Cloud Virtual Machine (CVM) Console by using a Cloud Access Management (CAM) policy. This document provides examples of granting permissions to view and use specified resources, guiding users on how to apply specific policies within the console.
Sample:
Full read/write policy for CVM
If you want a user to have the permission to create and manage CVM instances, you can apply the QcloudCVMFullAccess policy to that user. This policy grants the user the ability to operate on all resources within CVM, VPC (Virtual Private Cloud), CLB (Cloud Load Balancer), and MONITOR.
Follow these steps:
Refer to Authorization Management and grant the preset policy QcloudCVMFullAccess to the user.
Read-only policy for CVM
If you want a user to have the permission to query CVM instances but not to create, delete, or power them on/off, you can apply the QcloudCVMInnerReadOnlyAccess policy to that user. This policy grants the user the ability to perform all operations within CVM that begin with the word Describe or the word Inquiry.
Follow these steps:
Refer to Authorization Management and grant the preset policy QcloudCVMInnerReadOnlyAccess to the user.
Read-only policy for CVM-related resources
If you want a user to have the permission to query CVM instances and related resources (VPC, CLB) but not to create, delete, or power on/off instances, you can apply the QcloudCVMReadOnlyAccess policy to that user. This policy grants the user the ability to perform the following operations:
All operations in CVM that begin with the word Describe and all operations that begin with the word Inquiry.
All operations in VPC that begin with the word Describe, Inquiry, or Get.
All operations in CLB that begin with the word Describe.
All operations in Cloud Monitor.
Follow these steps:
Refer to Authorization Management and grant the preset policy QcloudCVMReadOnlyAccess to the user.
Elastic Cloud Disk-related policies
To allow a user to view, create, and use cloud disks on the CVM console, add the following operations to your policy and associate the policy with the user.
CreateCbsStorages: Create cloud disks.
AttachCbsStorages: Mount the specified elastic cloud disk to the designated cloud server.
DetachCbsStorages: Detach the specified elastic cloud disk.
ModifyCbsStorageAttributes: Modify the name or project ID of the specified cloud disk.
DescribeCbsStorages: Retrieve detailed information about cloud disks.
DescribeInstancesCbsNum: Query the number of elastic cloud disks mounted on the CVM and the total number of elastic cloud disks that can be mounted.
RenewCbsStorage: Renew the specified elastic cloud disk.
ResizeCbsStorage: Scale up the specified elastic cloud disk.
The detailed steps are as follows:
1. Based on Policy, create a custom policy that allows viewing cloud disk information in the CVM Console, as well as other permissions such as creating and using cloud disks.
You can refer to the following policy syntax for setting the policy content:
{
  "version": "2.0",
  "statement": [{
    "effect": "allow",
    "action": ["name/cvm:CreateCbsStorages", "name/cvm:AttachCbsStorages", "name/cvm:DetachCbsStorages",
               "name/cvm:ModifyCbsStorageAttributes", "name/cvm:DescribeCbsStorages"],
    "resource": ["qcs::cvm::uin/1410643447:*"]
  }]
}
2. Locate the created policy and click Associate User/Group in the Operation column.
3. In the Associate User/User Group window that pops up, select the user/group you want to authorize and click Confirm.
Security Group-related Policies
If you want a user to have the ability to view and use security groups within the CVM Console, add the following actions to your policy and then associate the policy with the user.
DeleteSecurityGroup: Delete a security group.
ModifySecurityGroupPolicys: Replace all security group policies.
ModifySingleSecurityGroupPolicy: Modify a single security group policy.
CreateSecurityGroupPolicy: Create a security group policy.
DeleteSecurityGroupPolicy: Delete a security group policy.
ModifySecurityGroupAttributes: Modify security group attributes.
The detailed steps are as follows:
1. Create a custom policy according to Policy that allows users to have permissions such as creating, deleting, and modifying security groups in the CVM Console.
The policy content can be set by referring to the following policy syntax:
{
  "version": "2.0",
  "statement": [{
    "action": ["name/cvm:ModifySecurityGroupPolicys", "name/cvm:ModifySingleSecurityGroupPolicy",
               "name/cvm:CreateSecurityGroupPolicy", "name/cvm:DeleteSecurityGroupPolicy"],
    "resource": "*",
    "effect": "allow"
  }]
}
2. Locate the created policy and click Associate User/Group in the Operation column.
3. In the Associate User/User Group window that pops up, select the user/group you want to authorize and click Confirm.
Elastic IP address-related policies
If you want a user to have the permission to view and use Elastic IP addresses in the CVM Console, you can first add the following actions to your policy and then associate the policy with the user.
AllocateAddresses: Assign addresses to VPC or CVM.
AssociateAddress: Associate an elastic IP address with an instance or a network interface.
DescribeAddresses: View Elastic IP addresses in the CVM Console.
DisassociateAddress: Disassociate an elastic IP address from an instance or network interface.
ModifyAddressAttribute: Modify the attributes of an Elastic IP address.
ReleaseAddresses: Disassociate elastic IP addresses.
The detailed steps are as follows:
1. Create a custom policy as instructed in Policy.
This policy grants the user the permission to view Elastic IP addresses in the CVM Console, assign them to instances, and associate them, but not to modify the attributes of Elastic IP addresses, disassociate them, or release them. The policy content can be set by referring to the following policy syntax:
{
  "version": "2.0",
  "statement": [{
    "action": ["name/cvm:DescribeAddresses", "name/cvm:AllocateAddresses", "name/cvm:AssociateAddress"],
    "resource": "*",
    "effect": "allow"
  }]
}
2. Locate the created policy and click Associate User/Group in the Operation column.
3. In the Associate User/User Group window that pops up, select the user/group you want to authorize and click Confirm.
Policy for granting user permission to manipulate a specific CVM
To grant a user the permission to perform specific CVM operations, you can associate the following policy with the user. The steps are as follows:
1. Create a custom policy as instructed in Policy.
This policy grants the user the permission to operate on the CVM instance with ID ins-1 in the Guangzhou region. The policy content can be set by referring to the following policy syntax:
{
  "version": "2.0",
  "statement": [{
    "action": "cvm:*",
    "resource": "qcs::cvm:ap-guangzhou::instance/ins-1",
    "effect": "allow"
  }]
}
2. Locate the created policy and click Associate User/Group in the Operation column.
3. In the Associate User/User Group window that pops up, select the user/group you want to authorize and click Confirm.
Policy for granting user permission to manipulate CVM in a specific region
To grant a user the permission to operate CVM instances in a specific region, you can associate the following policy with the user. The steps are as follows:
1. Create a custom policy as instructed in Policy.
This policy grants the user the permission to operate on CVM instances in the Guangzhou region. The policy content can be set by referring to the following policy syntax:
{
  "version": "2.0",
  "statement": [{
    "action": "cvm:*",
    "resource": "qcs::cvm:ap-guangzhou::*",
    "effect": "allow"
  }]
}
2. Locate the created policy and click Associate User/Group in the Operation column.
3. In the Associate User/User Group window that pops up, select the user/group you want to authorize and click Confirm.
Granting a sub-account full permissions for CVMs with the exception of billing
Suppose there is a sub-account (Developer) under the enterprise account (CompanyExample, ownerUin is 12345678). This sub-account needs to have full management permissions for the enterprise account's CVM service (such as creating, managing, and all other operations), but not payment permissions (can place orders but cannot pay).
We can implement this through the following two solutions:
Solution A
The enterprise account CompanyExample directly grants the preset policy QcloudCVMFullAccess to the sub-account Developer. For the authorization method, please refer to Authorization Management.
Solution B
1. Create a Custom Policy based on the following policy syntax:
{
  "version": "2.0",
  "statement": [{
    "effect": "allow",
    "action": "cvm:*",
    "resource": "*"
  }]
}
2. Grant this policy to the sub-account. For the authorization method, please refer to Authorization Management.
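The per-instance, per-region and whole-service policies above differ only in how their "resource" field is scoped. The following script is an added example, not the page's own material and not Tencent's CAM evaluation engine: it models the policy syntax used in these samples (string-or-list action/resource, the optional "name/" prefix, "*" wildcards, deny overriding allow) so that a practitioner can check what a draft policy would and would not permit, and flag statements that pair a whole-service wildcard with an unscoped resource.

```python
import fnmatch

# Assumed, simplified model of the CAM policy syntax shown on this page; it is not
# Tencent's evaluation engine. Rules modelled: "action" and "resource" may be a string
# or a list, an action may carry a "name/" prefix, "*" in a pattern matches any run of
# characters, and an explicit "deny" statement overrides any "allow".

# Policy documents copied from this page: per-instance, per-region and whole-service.
INSTANCE_POLICY = {"version": "2.0", "statement": [
    {"action": "cvm:*", "resource": "qcs::cvm:ap-guangzhou::instance/ins-1", "effect": "allow"}]}
REGION_POLICY = {"version": "2.0", "statement": [
    {"action": "cvm:*", "resource": "qcs::cvm:ap-guangzhou::*", "effect": "allow"}]}
FULL_POLICY = {"version": "2.0", "statement": [
    {"effect": "allow", "action": "cvm:*", "resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _norm_action(a):
    # "name/cvm:DescribeCbsStorages" and "cvm:DescribeCbsStorages" name the same API
    return a[len("name/"):] if a.startswith("name/") else a

def _match(pattern, value):
    # Only "*" is a wildcard: neutralise fnmatch's "[" and "?" so they match literally
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]").replace("?", "[?]"))

def is_allowed(policy, action, resource):
    """True if the policy permits `action` on `resource`; any matching deny wins."""
    action = _norm_action(action)
    allowed = False
    for st in policy["statement"]:
        act_hit = any(_match(_norm_action(a), action) for a in _as_list(st["action"]))
        res_hit = any(_match(r, resource) for r in _as_list(st["resource"]))
        if act_hit and res_hit:
            if st["effect"] == "deny":
                return False
            allowed = True
    return allowed

def wide_grants(policy):
    """(action, resource) pairs where a whole-service wildcard meets an unscoped "*"."""
    return [(a, r) for st in policy["statement"] if st["effect"] == "allow"
            for a in _as_list(st["action"]) for r in _as_list(st["resource"])
            if (a == "*" or _norm_action(a).endswith(":*")) and r == "*"]

if __name__ == "__main__":
    # ins-2 is outside the per-instance policy's resource, so this prints False
    print(is_allowed(INSTANCE_POLICY, "cvm:RebootInstances", "qcs::cvm:ap-guangzhou::instance/ins-2"))
    print(wide_grants(FULL_POLICY))  # the Solution B policy is the only unscoped one
```

Note that "cvm:*" does not match actions of other services, so the Solution B policy grants nothing on VPC or CLB resources, unlike the preset QcloudCVMFullAccess described at the top of the page.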
Grant sub-account the permission to manage projects
Assume that the enterprise account, CompanyExample, with ownerUin of 12345678, has a sub-account, Developer, and CompanyExample wants to allow the sub-account to manage the resources of a project on the console.
The detailed steps are as follows:
1. Create a custom project management policy based on business permissions.
For more information, please refer to Policy.
2. Refer to Authorization Management and grant the custom policy you created to the sub-account.
If the sub-account encounters permission issues while managing projects, such as viewing snapshots, images, VPC, or Elastic Public IP, you can grant the sub-account the preset policies QcloudCVMAccessForNullProject, QcloudCVMOrderAccess, and QcloudCVMLaunchToVPC. For granting permissions, please refer to Authorization Management.
Custom Policy
If you find that the preset policy does not meet your requirements, you can achieve your goal by creating a custom policy.
For specific steps, please refer to Policy.
For more CVM-related policy syntax, see Authorization Policy Syntax.