Access Management (CAM)

Last updated: 2024-10-10 09:54:29

Basic CAM Concepts

The root account authorizes sub-accounts by associating policies with them. A policy can be scoped at the level of API (action), resource, user or user group, effect (allow or deny), and condition.

Account

Root account: This account owns all Tencent Cloud resources and has unrestricted access to them.
Sub-account: Either a sub-user or a collaborator.
Sub-user: An account created and fully owned by a root account.
Collaborator: Another root account. After it is added as a collaborator of the current root account, it becomes one of the current root account's sub-accounts and can switch back to its own root account identity at any time.
Identity credentials: These come in two types: login credentials and access credentials. Login credentials are the username and password; access credentials are the cloud API keys (SecretId and SecretKey).

Resource and permission

Resource: An object that is operated in Tencent Cloud services, such as a CVM instance, a COS bucket, or a VPC instance.
Permission: It is an authorization that allows or forbids users to perform certain operations. By default, the root account has full access to all resources under the account, while a sub-account does not have access to any resources under its root account.
Policy: It is a syntax rule that defines and describes one or more permissions. The root account performs authorization by associating policies with users/user groups.

Documentation

Content
- Understand the relationship between policies and users
- Understand the basic structure of policies
- Check CAM-enabled products

Sample CAM Policy

Full access policy for CKafka

Grant a sub-user full access (including resource creation and management) to the CKafka service.
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "name/ckafka:*",
                "name/monitor:GetMonitorData"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
You can also grant this permission by associating the preset full read/write policy:
2. In the left sidebar, click Policies.
3. In the policy list, click Create Custom Policy.
4. In the pop-up window for selecting the policy creation method, choose Create by Policy Syntax.
5. Under the template type, search for "CKafka", select the Message Service (CKafka) full read/write access policy [QcloudCKafkaFullAccess], and click Next.
6. Click Finish.

Read-only policy for a CKafka instance

1. Create a policy with the Policy Generator and grant permission for instance lists and product monitoring.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "name/ckafka:ListInstance",
                "name/monitor:GetMonitorData"
            ],
            "resource": [
                "*"
            ]
        }
    ]
}
2. Grant read-only permission for a single instance.
Note: List* APIs don't support authentication at the resource level, which is why the list permission above is granted on "*".
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "name/monitor:GetMonitorData",
                "name/ckafka:Get*"
            ],
            "resource": [
                "qcs::ckafka:gz::ckafkaId/uin/$createUin/$instanceId"
            ]
        }
    ]
}
You can also grant this permission by associating the preset read-only policy:
2. In the left sidebar, click Policies.
3. In the policy list, click Create Custom Policy.
4. In the pop-up window for selecting the policy creation method, choose Create by Policy Syntax.
5. Under the template type, search for "CKafka", select the Message Service (CKafka) read-only access policy [QcloudCkafkaReadOnlyAccess], and click Next.
6. Click Finish.
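Before attaching either of the policies above, it helps to check what they actually grant. The following is an added example, not Tencent Cloud's own code: a small evaluator that loads the full-access policy and the two read-only statements from this page and answers "is this action on this resource allowed?". It models CAM's decision logic only in simplified form (default deny, an explicit deny beats any allow, conditions ignored; all of this is an assumption of the example), matches `action` and `resource` with shell-style wildcards, and flags the misconfiguration the note above warns about: a List* action scoped to a single instance. The UIN, instance IDs and the `*Example` action names are constructed placeholders; only `name/ckafka:ListInstance`, `name/ckafka:Get*`, `name/ckafka:*` and `name/monitor:GetMonitorData` come from the page.

```python
import fnmatch
import json

# Constructed placeholder values. A real QCS string carries the root
# account's UIN ($createUin) and the real instance ID ($instanceId) here.
CREATE_UIN = "100000000000"
INSTANCE_ID = "ckafka-example1"
INSTANCE_QCS = f"qcs::ckafka:gz::ckafkaId/uin/{CREATE_UIN}/{INSTANCE_ID}"
OTHER_QCS = f"qcs::ckafka:gz::ckafkaId/uin/{CREATE_UIN}/ckafka-example2"

# Full-access policy exactly as shown on the page.
FULL_ACCESS = json.loads("""
{
  "version": "2.0",
  "statement": [
    {
      "action": ["name/ckafka:*", "name/monitor:GetMonitorData"],
      "resource": "*",
      "effect": "allow"
    }
  ]
}
""")

# The two read-only statements from the page, merged into one policy
# with the $createUin/$instanceId placeholders filled in.
READ_ONLY_INSTANCE = {
    "version": "2.0",
    "statement": [
        {   # List* APIs are not resource-level, so this statement uses "*"
            "effect": "allow",
            "action": ["name/ckafka:ListInstance", "name/monitor:GetMonitorData"],
            "resource": ["*"],
        },
        {   # Get* APIs limited to a single instance
            "effect": "allow",
            "action": ["name/monitor:GetMonitorData", "name/ckafka:Get*"],
            "resource": [INSTANCE_QCS],
        },
    ],
}


def _as_list(value):
    """CAM accepts a string or a list for action/resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Wildcard match: '*' matches any run of characters, '/' and ':' included."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return "allow" or "deny" for `action` on `resource` under `policy`.

    Simplified model (assumption of this example): default deny, an explicit
    "deny" statement wins over any "allow", and conditions are not evaluated.
    """
    decision = "deny"
    for stmt in policy["statement"]:
        if not _matches(stmt["action"], action):
            continue
        if not _matches(stmt["resource"], resource):
            continue
        if stmt["effect"] == "deny":
            return "deny"
        decision = "allow"
    return decision


def resource_level_mismatch(policy):
    """Return (actions, resources) pairs where a List* action is scoped to
    specific resources. The page notes that List* APIs do not support
    resource-level authorization, so such a statement will not behave as
    the per-instance grant its author probably intended."""
    findings = []
    for stmt in policy["statement"]:
        list_actions = [a for a in _as_list(stmt["action"])
                        if a.split(":")[-1].startswith("List")]
        resources = _as_list(stmt["resource"])
        if list_actions and "*" not in resources:
            findings.append((list_actions, resources))
    return findings


if __name__ == "__main__":
    for name, policy in (("full", FULL_ACCESS), ("read-only", READ_ONLY_INSTANCE)):
        for action in ("name/ckafka:CreateExample", "name/ckafka:GetExample"):
            print(name, action, INSTANCE_QCS, "->", evaluate(policy, action, INSTANCE_QCS))
    print("mismatches:", resource_level_mismatch(READ_ONLY_INSTANCE))
```

Run it as a script to see the two policies side by side: the full-access policy allows a constructed `Create*` action anywhere, while the read-only policy allows only `Get*` calls, and only on the one instance named in the QCS string. Feeding `resource_level_mismatch` a policy that scopes `name/ckafka:ListInstance` to a single instance returns one finding, which is exactly the mistake the note above is meant to prevent.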