In practical use of Tencent Cloud, we can utilize tags to define permissions through the ABAC authorization policy. Tags can be bound to CAM sub-users, roles, and specific cloud resources. Subsequently, permission policies can be defined, which use tag condition keys to grant permissions based on the tags of the requesting identity. When you control access to Tencent Cloud resources using tags, changes to teams and resources can be implemented with fewer modifications to the authorization policy, making operations more flexible.
This section will provide a detailed explanation on how to create a CAM role with tags for employees in CAM, as well as a permission policy that allows access to resources matching the role's attributes. When an employee makes a request to Tencent Cloud through this role, permissions will be granted based on whether the role's tags match the resource tags, thus allowing employees to view or operate only the resources necessary for their work.
Example Scenario
Suppose in gaming company A, there are two projects: webpage and app. Employee m is a developer for the webpage project, and employee n is a developer for the app project. When creating the authorization policy, it is necessary to ensure that employees within different teams can access the resources required for their work, while also considering scalability for future company growth.
You can create authorization policies for products that support ABAC strategies by using resource tags and CAM role tags. When your employees wish to access Tencent Cloud through federated identities, their attributes will be applied to the role tags in Tencent Cloud. Subsequently, you can use ABAC to allow or deny access based on these attributes.
Based on the aforementioned projects and teams, we define the following tags:
game-project = web (corresponding to the web project)
game-project = app (corresponding to the app project)
web = dev (corresponding to web project developers)
app = dev (corresponding to the app developer)
How to Implement
1. Employees log in using CAM sub-user credentials and then assume the CAM role of their respective team and project.
2. The same policy will be attached to roles of the same position, with permissions or denials implemented based on tags.
Verification Scenario
Assume there are two cloud servers, ins-78qewdr8 (tagged with game-project:app) and ins-7txjj4a6 (tagged with game-project:web), which belong to the app and webpage projects respectively.
Verification Point 1: After employees from different projects log in using different CAM sub-users, how can we ensure that each employee can only access the cloud servers under their respective projects?
Verification Point 2: Suppose there is a change in employee roles, and employee n also needs access to the webpage project. How can permissions be adjusted quickly?
Verification Point 3: Suppose the company adds a new H5 class project, how can we quickly grant employees permissions for the new project?
Instructions
Step 1: Create a Test CAM Sub-user
1. Create a custom policy named access-assume-role. Its effect is "allow the assumption of ABAC roles when the tags of the assumed identity match the role tags"; the policy content is as follows:
Note
For detailed instructions on creating a CAM policy, please refer to Creating a Role.
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "sts:AssumeRole"
      ],
      "resource": "*",
      "condition": {
        "for_any_value:string_equal": {
          "qcs:resource_tag": [
            "game&${qcs:principal_tag_value}"
          ]
        }
      }
    },
    {
      "effect": "allow",
      "action": [
        "cam:ListUserTags",
        "cam:ListLoginRoles"
      ],
      "resource": [
        "*"
      ]
    }
  ]
}
2. Create CAM sub-users m-developer and n-developer, bind the access-assume-role authorization policy to these sub-users, and attach the following tags to them.
Note
For detailed instructions on creating a CAM sub-user, please refer to Create Sub-User.
Sub-user Name    Associated Tags
m-developer      web=dev
n-developer      app=dev
Step 2: Create an ABAC policy
1. Create a custom policy named access-resource-project (using the CVM product as an example). The policy content is as follows:
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": "cvm:*",
      "resource": "*",
      "condition": {
        "for_any_value:string_equal": {
          "qcs:request_tag": [
            "game-project&${qcs:principal_tag_key}"
          ]
        }
      }
    },
    {
      "effect": "allow",
      "action": "cvm:*",
      "resource": "*",
      "condition": {
        "for_any_value:string_equal": {
          "qcs:resource_tag": [
            "game-project&${qcs:principal_tag_key}"
          ]
        }
      }
    },
    {
      "effect": "allow",
      "action": [
        "vpc:DescribeVpcEx",
        "vpc:DescribeSubnetEx",
        "vpc:DescribeNetworkInterfaces",
        "cvm:DescribeDiskSecurityConfigurations",
        "cvm:DescribeCbsStorages",
        "tag:DescribeTagKeys",
        "tag:DescribeTagValues"
      ],
      "resource": [
        "*"
      ]
    }
  ]
}
2. Create the role access-developer-role, associate it with the policy above, and bind the following tags.
Note
For detailed instructions on creating a CAM policy, please refer to Creating a Role.
CAM Role Name           Associated Tags
access-developer-role   game=dev
Step 3: Scenario Verification
Verification Point 1: After logging in with different sub-users, each can only access the CVMs under their respective project.
1. Log in to the Tencent Cloud console as the sub-user m-developer. In the upper right corner of the console, click Switch Role under the account.
2. On the Switch Role page, select 'web' for the application (which is the tag value for sub-user m-developer), choose 'access-developer-role' for the role, and then click Switch Role.
3. Log in to the Tencent Cloud console as a role, and navigate to the CVM Instance page.
In the CVM product console, if you can only view ins-7txjj4a6 (tagged with game-project:web), then it meets the expectations.
4. Switch identity and log in to the Tencent Cloud Console as the sub-user n-developer. After logging in, switch roles, select app for the application, choose access-developer-role for the role, and set the display name as n-developer-app. Then click Switch Role.
5. Enter the Tencent Cloud console as a role, and navigate to the CVM Instance page.
In the CVM product console, if you can only view the cloud server ins-78qewdr8 (tagged game-project:app), then it meets the expectations.
Verification Point 2: Suppose there is a job change and employee n also needs access to the webpage project. How should this be set up?
In the current scenario, all we need to do is add the tag app:web to the CAM sub-user n-developer corresponding to employee n in the user details of the Cloud Access Management Console.
1. Log in to the Tencent Cloud console as the sub-user n-developer. In the upper right corner of the console, click Switch Role under the account.
2. On the Switch Role page, select 'web' for the application, 'access-developer-role' for the role, and 'n-developer-web' for the alias. Then click Switch Role.
3. Log in to the Tencent Cloud console as a role and navigate to the CVM Instance page.
In the CVM product console, if you can only view the cloud server ins-7txjj4a6 (tagged game-project:web), then it meets the expectations.
Verification Point 3: Suppose the company adds a new H5 class project, how should the permission policy be adjusted to accommodate this?
After the company adds a new H5 project, granting development permissions for it does not require any change to the policy itself. We only need to:
1. Create a new sub-user for the colleagues developing the H5 project.
2. Bind the tags corresponding to the H5 project to the sub-user and associate it with the access-assume-role policy.
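To make the tag matching in Steps 1 and 2 concrete and to replay the three verification points offline, here is an added Python example; it is not code from the page or from Tencent Cloud. It re-expresses the two policies above as dicts and implements a toy evaluator for for_any_value:string_equal with ${qcs:principal_tag_key} and ${qcs:principal_tag_value} expansion. Assumptions made by the example: a role session carries the sub-user tag selected on the Switch Role page (so a 'web' session carries web=dev), the evaluator handles only the allow statements and the one condition operator the page uses, and the instance ID ins-h5sample is a constructed placeholder for verification point 3.

```python
"""Toy evaluator for the tag conditions in access-assume-role and access-resource-project.
Added example, not Tencent Cloud's policy engine: it models only for_any_value:string_equal
on qcs:resource_tag / qcs:request_tag with ${qcs:principal_tag_key|value} expansion."""
import re

# The two policies from Step 1 and Step 2, as Python dicts.
ACCESS_ASSUME_ROLE = {"version": "2.0", "statement": [
    {"effect": "allow", "action": ["sts:AssumeRole"], "resource": "*",
     "condition": {"for_any_value:string_equal": {
         "qcs:resource_tag": ["game&${qcs:principal_tag_value}"]}}},
    {"effect": "allow", "action": ["cam:ListUserTags", "cam:ListLoginRoles"], "resource": ["*"]},
]}
ACCESS_RESOURCE_PROJECT = {"version": "2.0", "statement": [
    {"effect": "allow", "action": "cvm:*", "resource": "*",
     "condition": {"for_any_value:string_equal": {
         "qcs:request_tag": ["game-project&${qcs:principal_tag_key}"]}}},
    {"effect": "allow", "action": "cvm:*", "resource": "*",
     "condition": {"for_any_value:string_equal": {
         "qcs:resource_tag": ["game-project&${qcs:principal_tag_key}"]}}},
    {"effect": "allow", "resource": ["*"], "action": [
        "vpc:DescribeVpcEx", "vpc:DescribeSubnetEx", "vpc:DescribeNetworkInterfaces",
        "cvm:DescribeDiskSecurityConfigurations", "cvm:DescribeCbsStorages",
        "tag:DescribeTagKeys", "tag:DescribeTagValues"]},
]}

# Constructed fixtures taken from the page's scenario.
ROLE_TAGS = {"game": "dev"}                            # tags on access-developer-role
INSTANCES = {"ins-78qewdr8": {"game-project": "app"},  # CVM instances and their tags
             "ins-7txjj4a6": {"game-project": "web"}}

def expand(template, principal_tags):
    """Substitute the principal-tag variables: one candidate string per principal tag."""
    return {template.replace("${qcs:principal_tag_key}", k)
                    .replace("${qcs:principal_tag_value}", v)
            for k, v in principal_tags.items()}

def tag_strings(tags):
    """Tags as "key&value" strings, the form the condition values use."""
    return {f"{k}&{v}" for k, v in tags.items()}

def condition_holds(condition, principal_tags, resource_tags, request_tags):
    """for_any_value:string_equal: some actual tag equals some expanded policy value."""
    actual_by_key = {"qcs:resource_tag": tag_strings(resource_tags),
                     "qcs:request_tag": tag_strings(request_tags)}
    for operator, body in condition.items():
        if operator != "for_any_value:string_equal":
            return False                               # operators the page does not use: deny
        for cond_key, templates in body.items():
            wanted = set().union(*(expand(t, principal_tags) for t in templates))
            if not (actual_by_key.get(cond_key, set()) & wanted):
                return False
    return True

def action_matches(pattern, action):
    """Glob match for action names such as "cvm:*"."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), action) is not None

def is_allowed(policy, action, principal_tags, resource_tags=None, request_tags=None):
    """True if some allow statement covers the action and its condition holds."""
    resource_tags, request_tags = resource_tags or {}, request_tags or {}
    for stmt in policy["statement"]:
        actions = stmt["action"] if isinstance(stmt["action"], list) else [stmt["action"]]
        if stmt["effect"] != "allow" or not any(action_matches(a, action) for a in actions):
            continue
        cond = stmt.get("condition")
        if cond is None or condition_holds(cond, principal_tags, resource_tags, request_tags):
            return True
    return False

def can_assume_role(sub_user_tags):
    """Step 1: may a sub-user carrying these tags assume access-developer-role?"""
    return is_allowed(ACCESS_ASSUME_ROLE, "sts:AssumeRole", sub_user_tags, resource_tags=ROLE_TAGS)

def visible_instances(session_tags, instances=INSTANCES):
    """Step 2: which instances can a role session carrying these tags describe?
    Assumption: the session carries the sub-user tag chosen on the Switch Role page."""
    return sorted(ins for ins, tags in instances.items()
                  if is_allowed(ACCESS_RESOURCE_PROJECT, "cvm:DescribeInstances",
                                session_tags, resource_tags=tags))

if __name__ == "__main__":
    print("m-developer (web=dev) assumes role:", can_assume_role({"web": "dev"}))
    print("web session sees:", visible_instances({"web": "dev"}))
    # Verification point 3: a new h5 project needs new tags only, not a policy change.
    with_h5 = {**INSTANCES, "ins-h5sample": {"game-project": "h5"}}   # constructed id
    print("h5 session sees:", visible_instances({"h5": "dev"}, with_h5))
```

Running it reproduces the three verification points: a web session lists only ins-7txjj4a6, an app session only ins-78qewdr8, and a sub-user tagged h5=dev gets the h5 instance with no policy edit. The evaluator also shows why access-resource-project carries two cvm:* statements: the qcs:request_tag statement governs calls that carry tags on the request (for example creating an instance), while the qcs:resource_tag statement governs existing resources, so a creation request whose game-project tag does not match the session's project is refused even though the session can describe its own project's instances.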