Set CAM Verification for Account

Last updated: 2024-09-06 18:09:55

This document introduces the related instructions and operations for setting CAM verification for accounts through the console.
Note:
If you need to enable CAM verification for your account, please submit a work order to apply for white-list usage.

Supported Regions

This feature is currently supported in the following regions: Shanghai, Guangzhou.

Background

In scenarios where cloud databases are used, it is usually necessary to create independent accounts and passwords for the database and grant access and operation permissions to corresponding users. This method of account management is relatively complex and prone to security issues such as account and password leaks. Based on the above background, TencentDB for SQL Server supports enabling CAM verification for accounts. By connecting Tencent Cloud Platform sub-accounts with database accounts and adding CAM credential authentication, it simplifies the complexity of account permission management, enhances database security, and improves account management efficiency.

Operation scenarios

If users have higher security requirements, they can bind CAM with database account verification through this feature. Users can obtain the corresponding password when making a request to access the database, thereby enhancing its security. We suggest enabling CAM verification in the following two scenarios.
When using CAM authentication as a temporary, personal access mechanism to the database.
Only use CAM authentication for workloads that can be easily retried.

Notes

Use long-lived (persistent) connections to access the database wherever possible, since each new connection needs a fresh CAM credential.
Before enabling CAM verification, you need to configure the relevant CAM permission rules in advance.
After enabling CAM verification, modifying the password is not supported.
After disabling CAM verification, CAM credentials cannot be used to access the database. Therefore, a new password needs to be entered when disabling CAM verification.

Feature Limits

It is recommended that no more than 10 accounts enable CAM verification within a single instance.
After enabling CAM verification, resetting the password for the account is not supported.
CAM verification can only be enabled for accounts that have a single host address.
CAM verification cannot be enabled more than once for the same account name.
The root account does not support enabling the CAM verification feature.

Prerequisites

A ticket has been submitted to request usage of this feature.
The instance is running.

Step 1: Configure CAM Permission Rules

Before using the CAM verification feature for the account, users need to configure the relevant CAM permission rules.

Policy Content

{
    "statement": [
        {
            "action": [
                "cam:BuildDataFlowAuthToken"
            ],
            "effect": "allow",
            "resource": [
                "qcs::cam::uin/<user uin>:resourceUser/<instance ID>/<account name>"
            ]
        }
    ],
    "version": "2.0"
}
<user uin>: Replace with the actual account ID.
<instance ID>: Replace with the actual instance ID to be authorized.
<account name>: Replace with the actual account name to be authorized.

Directions

1. Log in to the CAM console with an admin account. On the Policy page, create a custom policy using the policy generator (refer to Creating Custom Policies with the Policy Generator).

Effect: Allow
Service: CAM (cam)
Action: Other Actions - BuildDataFlowAuthToken
Resource: Specific Resource - Add a Six-Segment Resource Description
Fill in the resource: <instance ID>/<account name>
2. Click Next, name your custom policy, and assign the policy to the target sub-account.
3. Click Complete to complete the authorization.
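The six-segment resource description in the policy above (qcs::cam::uin/<user uin>:resourceUser/<instance ID>/<account name>) is easy to get wrong when filled in by hand, and a wildcard in it would widen the policy to more than one account. The Java class below is an added example, not code from this page or from Tencent Cloud's SDK: it builds the descriptor from a UIN, instance ID and account name, parses one back into its six colon-separated segments (qcs, project, service, region, account, resource), and rejects empty or wildcard segments so the policy stays scoped to exactly one database account. The class and method names are my own, and the identifiers used in main are constructed sample values.

```java
package com.tencentcloud.dbauth;

import java.util.List;

/**
 * Builds and validates the six-segment CAM resource description used by the
 * Step 1 policy: qcs::cam::uin/<user uin>:resourceUser/<instance ID>/<account name>.
 * Hypothetical helper class; not part of the Tencent Cloud SDK.
 */
public final class CamResourceDescription {

    private static final String SERVICE = "cam";
    private static final String ACCOUNT_PREFIX = "uin/";
    private static final String RESOURCE_PREFIX = "resourceUser/";

    private final String uin;
    private final String instanceId;
    private final String accountName;

    public CamResourceDescription(String uin, String instanceId, String accountName) {
        for (String value : List.of(uin, instanceId, accountName)) {
            requireConcrete(value);
        }
        this.uin = uin;
        this.instanceId = instanceId;
        this.accountName = accountName;
    }

    /** A scoped policy needs a concrete value in every segment: no wildcards, no empties. */
    private static void requireConcrete(String value) {
        if (value == null || value.isEmpty() || value.contains("*")
                || value.contains(":") || value.contains("/") || value.contains("\"")) {
            throw new IllegalArgumentException("segment must be a concrete value: " + value);
        }
    }

    /** Renders the descriptor exactly as it appears in the policy's "resource" array. */
    public String render() {
        return "qcs::" + SERVICE + "::" + ACCOUNT_PREFIX + uin + ":"
                + RESOURCE_PREFIX + instanceId + "/" + accountName;
    }

    /** Parses a descriptor and checks each of its six colon-separated segments. */
    public static CamResourceDescription parse(String descriptor) {
        String[] seg = descriptor.split(":", -1);
        if (seg.length != 6) {
            throw new IllegalArgumentException("expected 6 segments, got " + seg.length);
        }
        check("qcs".equals(seg[0]), "segment 1 must be qcs");
        check(seg[1].isEmpty(), "segment 2 (project) must be empty");
        check(SERVICE.equals(seg[2]), "segment 3 (service) must be cam");
        check(seg[3].isEmpty(), "segment 4 (region) must be empty for CAM");
        check(seg[4].startsWith(ACCOUNT_PREFIX), "segment 5 must start with uin/");
        check(seg[5].startsWith(RESOURCE_PREFIX), "segment 6 must start with resourceUser/");
        String[] res = seg[5].substring(RESOURCE_PREFIX.length()).split("/", -1);
        check(res.length == 2, "segment 6 must be resourceUser/<instance ID>/<account name>");
        // The constructor re-applies the wildcard/empty checks to the parsed values
        return new CamResourceDescription(seg[4].substring(ACCOUNT_PREFIX.length()), res[0], res[1]);
    }

    private static void check(boolean ok, String message) {
        if (!ok) {
            throw new IllegalArgumentException(message);
        }
    }

    /** The Step 1 policy document with this single resource in scope. */
    public String policyJson() {
        return "{\n"
                + "  \"version\": \"2.0\",\n"
                + "  \"statement\": [{\n"
                + "    \"effect\": \"allow\",\n"
                + "    \"action\": [\"cam:BuildDataFlowAuthToken\"],\n"
                + "    \"resource\": [\"" + render() + "\"]\n"
                + "  }]\n"
                + "}";
    }

    public static void main(String[] args) {
        // Constructed sample values, not real identifiers
        CamResourceDescription d = new CamResourceDescription("100000000001", "mssql-example1", "app_reader");
        System.out.println(d.policyJson());
        // Round trip: parsing the rendered descriptor gives the same descriptor back
        System.out.println(parse(d.render()).render().equals(d.render()));
        // A descriptor with wildcards in the resource segment is rejected
        try {
            parse("qcs::cam::uin/100000000001:resourceUser/*/*");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The console's "Add a Six-Segment Resource Description" field in the Directions above takes the same string that render() produces, so the policy can be generated once, checked, and pasted rather than typed.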

Step 2: Enable CAM Verification

There are two scenarios for enabling CAM verification: enabling CAM verification when creating an account and enabling CAM verification for an existing account. You can follow the steps below for each scenario.
Scenario 1: Enable CAM Verification When Creating an Account
1. Log in to SQL Server Console.
2. In the instance list, click Instance ID or Operation column's Manage to enter the instance management page.
3. On the instance management page, select Account Management > Create Account. Fill in the relevant information in the pop-up window, and after confirming that everything is correct, click OK.
Note:
For the operations to create accounts with different permissions, please refer to Account Management. The steps for enabling CAM verification are introduced below.
Enable CAM Verification: toggle the Enable CAM Verification switch, read the important reminder in the pop-up window, and then click OK.
4. The account with CAM verification enabled is displayed as shown below.
Scenario 2: Enable CAM Verification for an Existing Account
1. Log in to SQL Server Console.
2. In the instance list, click Instance ID or Operation column's Manage to enter the instance management page.
3. On the instance management page, select Account Management.
4. On the account management page, find the target account and in its operation column, click Enable CAM Verification.
5. Read the important reminder in the pop-up window, and then click OK.
6. The account with CAM verification enabled is displayed as shown below.

Step 3: In the application, call the code to get the password

After the CAM permission rules have been configured for the account and CAM verification is enabled, the application can call the SDK (from Java or another language) to obtain the password and connect to the database instance.
1. In the Tencent Cloud Console, query the APPID on the Account Information page.

2. In the CAM Console > API Key Management, obtain the SecretID and SecretKey.
3. Use the following code in the application.
    <dependency>
        <groupId>com.tencentcloudapi</groupId>
        <artifactId>tencentcloud-dbauth-sdk-java</artifactId>
        <version>1.0.3</version>
    </dependency>
Transitive dependency: tencentcloud-sdk-java version 3.1.1039 or later.
    <dependency>
        <groupId>com.tencentcloudapi</groupId>
        <artifactId>tencentcloud-sdk-java</artifactId>
        <version>3.1.1039</version>
    </dependency>
Example of calling the code to get the password
package com.tencentcloud.dbauth;

import com.tencentcloud.dbauth.model.GenerateAuthenticationTokenRequest;
import com.tencentcloudapi.common.Credential;
import com.tencentcloudapi.common.exception.TencentCloudSDKException;
import com.tencentcloudapi.common.profile.ClientProfile;
import com.tencentcloudapi.common.profile.HttpProfile;

public class GenerateDBAuthentication {

    public static void main(String[] args) {
        // Authentication token parameters
        String region = "<Instance Region>";
        String instanceId = "<Instance ID>";
        String userName = "<Account Name>";
        // Read the API key pair from environment variables rather than hard-coding it
        Credential credential = new Credential(System.getenv("TENCENTCLOUD_SECRET_ID"),
                System.getenv("TENCENTCLOUD_SECRET_KEY"));

        System.out.println(getAuthToken(region, instanceId, userName, credential));
    }

    public static String getAuthToken(String region, String instanceId, String userName, Credential credential) {
        try {
            // (Optional) HTTP options: the token is issued by the CAM endpoint
            HttpProfile httpProfile = new HttpProfile();
            httpProfile.setEndpoint("cam.tencentcloudapi.com");
            // (Optional) client options
            ClientProfile clientProfile = new ClientProfile();
            clientProfile.setHttpProfile(httpProfile);

            // Build the GenerateAuthenticationTokenRequest
            GenerateAuthenticationTokenRequest tokenRequest = GenerateAuthenticationTokenRequest.builder()
                    .region(region)
                    .credential(credential)
                    .userName(userName)
                    .instanceId(instanceId)
                    .clientProfile(clientProfile) // `clientProfile` is optional
                    .build();

            // DBAuthentication lives in this same package (com.tencentcloud.dbauth)
            return DBAuthentication.generateAuthenticationToken(tokenRequest);

        } catch (TencentCloudSDKException e) {
            e.printStackTrace();
        }
        // Reached only when token generation failed; callers should treat "" as "no token"
        return "";
    }
}
<Instance Region>: Replace with the region where your instance is located. Example: ap-guangzhou.
<Instance ID>: Replace with the ID of the instance to be accessed.
<Account Name>: Replace with the actual account name used to log in.
TENCENTCLOUD_SECRET_ID: Environment variable holding the SecretID obtained from the CAM console.
TENCENTCLOUD_SECRET_KEY: Environment variable holding the SecretKey obtained from the CAM console.

Step 4: Use the identity token to connect to TencentDB for SQL Server

Note:
Using the JDBC driver is the standard way for Java programs to connect to a relational database. For detailed JDBC driver installation and connection methods, refer to Using the JDBC driver.
After obtaining the AuthToken in Step 3, you can use the identity token to connect to TencentDB for SQL Server. The following connection command is an example of using JDBC to connect to the database.
import java.sql.Connection;
import java.sql.DriverManager;

// The AuthToken from Step 3 is used as the password
String connectionUrl = "jdbc:sqlserver://localhost:1433;databaseName=<Database Name>;user=<Account Name>;password=<Password>;encrypt=false;";
Connection con = DriverManager.getConnection(connectionUrl);
<Database Name>: Replace with the database name you need to access.
<Account Name>: Replace with the account name you used to log in.
<Password>: Replace with the AuthToken obtained in Step 3.
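Putting Steps 3 and 4 together in one place also shows how to deal with the operational notes above (prefer long connections, use CAM for retryable workloads). The class below is an added example, not code from this page or from Tencent Cloud's SDK, and the class and method names are my own. It assumes the Microsoft JDBC driver for SQL Server is on the classpath alongside the tencentcloud-dbauth-sdk-java dependency, and uses a hypothetical <Instance Address> placeholder for the instance's network address. It fetches a fresh AuthToken for every new connection, passes the token through connection Properties rather than splicing it into the URL (the token is an opaque string and could contain ';' or '='), enables TLS with encrypt=true where the page's snippet uses encrypt=false, and retries the login once with a new token when SQL Server reports error 18456 (login failed), which is what a caller sees if the password was refreshed or rotated between fetching the token and logging in.

```java
package com.tencentcloud.dbauth;

import com.tencentcloud.dbauth.model.GenerateAuthenticationTokenRequest;
import com.tencentcloudapi.common.Credential;
import com.tencentcloudapi.common.exception.TencentCloudSDKException;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/**
 * Opens JDBC connections to a CAM-verified TencentDB for SQL Server account.
 * Every new connection fetches a fresh AuthToken (Step 3) and presents it as
 * the password (Step 4). Hypothetical helper class; not part of the Tencent Cloud SDK.
 */
public final class CamTokenConnectionFactory {

    // SQL Server error number for "Login failed for user"
    private static final int LOGIN_FAILED = 18456;

    private final String region;
    private final String instanceId;
    private final String userName;
    private final String host;      // instance network address as shown in the console
    private final int port;
    private final String database;
    private final Credential credential;

    public CamTokenConnectionFactory(String region, String instanceId, String userName,
                                     String host, int port, String database, Credential credential) {
        this.region = region;
        this.instanceId = instanceId;
        this.userName = userName;
        this.host = host;
        this.port = port;
        this.database = database;
        this.credential = credential;
    }

    /** Step 3: ask CAM for a short-lived password for this account. */
    private String fetchAuthToken() throws TencentCloudSDKException {
        GenerateAuthenticationTokenRequest request = GenerateAuthenticationTokenRequest.builder()
                .region(region)
                .credential(credential)
                .userName(userName)
                .instanceId(instanceId)
                .build();
        return DBAuthentication.generateAuthenticationToken(request);
    }

    /**
     * Step 4: connect with the token as the password. A login failure is retried
     * once with a new token, because the password may have been refreshed or
     * rotated between the fetch and the login.
     */
    public Connection getConnection() throws SQLException, TencentCloudSDKException {
        try {
            return open(fetchAuthToken());
        } catch (SQLException e) {
            if (e.getErrorCode() != LOGIN_FAILED) {
                throw e; // network, TLS or database errors are not token problems
            }
            return open(fetchAuthToken());
        }
    }

    private Connection open(String token) throws SQLException {
        // Only fixed configuration goes into the connection string; TLS is on.
        String url = "jdbc:sqlserver://" + host + ":" + port
                + ";databaseName=" + database + ";encrypt=true;";
        // The token is an opaque string that may contain ';' or '=', so it is
        // passed as a property rather than spliced into the URL.
        Properties props = new Properties();
        props.setProperty("user", userName);
        props.setProperty("password", token);
        props.setProperty("loginTimeout", "10");
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) throws Exception {
        Credential credential = new Credential(System.getenv("TENCENTCLOUD_SECRET_ID"),
                System.getenv("TENCENTCLOUD_SECRET_KEY"));
        CamTokenConnectionFactory factory = new CamTokenConnectionFactory(
                "ap-guangzhou", "<Instance ID>", "<Account Name>",
                "<Instance Address>", 1433, "<Database Name>", credential);
        // Keep the connection open for the whole unit of work (long connections)
        try (Connection con = factory.getConnection()) {
            System.out.println("connected as " + con.getMetaData().getUserName());
        }
    }
}
```

With encrypt=true the driver validates the server certificate, so the instance's certificate chain must be trusted by the JVM's trust store. Because every getConnection() call spends one CAM API request, pair this factory with a connection pool rather than opening a connection per query.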

Appendix 1: Refresh Password

When the account enables the CAM verification feature, the password can be updated by performing a refresh password operation. If the account's rotation cycle is set to change the password every 12 hours, you can immediately refresh the password before the rotation cycle is reached.
Note:
After refreshing the password, the current login credentials become invalid. Observe the database access status to confirm it meets expectations.
1. Log in to SQL Server Console.
2. In the instance list, click Instance ID or Operation column's Manage to enter the instance management page.
3. On the instance management page, select Account Management.
4. On the Account Management page, find the target account, and in its actions column, click Refresh Password.
5. In the pop-up window, read the risk warning and click OK.

Appendix 2: Disable CAM Verification

Note:
After disabling CAM verification, you cannot obtain access credentials through CAM. Please update the password promptly.
1. Log in to SQL Server Console.
2. In the instance list, click Instance ID or Operation column's Manage to enter the instance management page.
3. On the instance management page, select Account Management.
4. On the Account Management page, find the target account, and in its actions column, click Disable CAM Verification.
5. In the pop-up window, enter the new password, confirm the password, and click OK.

Appendix 3: Error Codes

If the returned result contains an Error field, it indicates that the API call has failed. For a description of error codes, see Error Codes.
The error codes related to the CAM verification feature of TencentDB for SQL Server are as follows:

Common Error Codes

Error code | Description
AuthFailure.InvalidAuthorization | The Authorization in the request header does not meet Tencent Cloud standards.
AuthFailure.InvalidSecretId | Invalid key (not a TencentCloud API key type).
AuthFailure.MFAFailure | MFA error.
AuthFailure.SecretIdNotFound | The key does not exist. Check in the console whether the key has been deleted or disabled. If its status is normal, check whether the key is entered correctly and has no leading or trailing spaces.
AuthFailure.SignatureExpire | Signature expired. The difference between the request timestamp and the server time must not exceed five minutes. Check whether the local clock is synchronized with standard time.
AuthFailure.SignatureFailure | Signature error. The signature calculation is wrong; refer to the signature method documentation for the calling method to check the calculation process.
AuthFailure.TokenFailure | Token error.
AuthFailure.UnauthorizedOperation | Unauthorized request. Refer to the authentication description in the CAM documentation.

Business Error Codes

Error code | Description
FailedOperation.BuildAuthToken | Exception while generating the AuthToken.
FailedOperation.FlowAuthIllegal | Credential operation failed.