Log in to the CAM Console with the root account, select the target sub-user in the user list, and click Authorize.
In the pop-up dialog box, select a preset policy and click OK to complete the authorization.
CAM policy:
{
    "version":"2.0",
    "statement":
    [
        {
            "effect":"effect",
            "action":["action"],
            "resource":["resource"],
            "condition": {"key":{"value"}}
        }
    ]
}
effect, action, resource, and condition. One policy has only one statement.
You can use DMC policy statements to authorize any API operations for any services that support DMC. To authorize DMC operations, please specify the APIs prefixed with "dmc:", such as "dmc:DescribeSlowLogTopSqls" and "dmc:DescribeSlowLogTimeSeriesStats".
To specify multiple operations in a single statement, separate them with commas as shown below:
"action":["dmc:action1","dmc:action2"]
You can also specify multiple operations using a wildcard. For example, you can specify all operations whose names begin with "Describe" as shown below:
"action":["dmc:Describe*"]
To specify all DMC operations, use the wildcard (*) as shown below:
"action":["dmc:*"]
Each CAM policy statement for DMC is resource-specific. DMC allows you to operate TencentDB resources added to DMC.
The format is shown below:
qcs:project_id:service_type:region:account:resource
For example, you can specify an instance (dmc-k05xdcta) in the statement as shown below:
"resource":[ "qcs::dmc:ap-guangzhou:uin/65xxx763:instance/dmc-k05xdcta"]
You can also use the wildcard (*) to specify all instances that belong to a specific account as shown below:
"resource":[ "qcs::dmc:ap-guangzhou:uin/65xxx763:instance/*"]
If you want to specify all resources or if a specific API operation does not support resource-level permission control, you can use the wildcard (*) in the resource element as shown below:
"resource": ["*"]
To specify multiple resources in a single statement, separate them with commas. In the following example, we specified two resources:
"resource":["resource1","resource2"]
The table below describes the resources that can be used by TencentDB and the corresponding resource description methods, where words prefixed with "$" are placeholders, "region" refers to a region, and "account" refers to an account ID.
Resource | Resource Description Method in Access Policies |
---|---|
Instance | qcs::dmc:$region:$account:instance/$instanceId |
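The following is an added example, not part of the original page or Tencent Cloud's own tooling: a small linter that parses the six-field resource format described above and reports statements that grant "dmc:*", "*" resources, or every instance of an account. The sample policy is constructed (it reuses the page's example uin and instance ID), and the "allow" effect value and the function names are assumptions of this example.

```python
import json

# Constructed sample policy; the uin and instance ID reuse the page's example values.
SAMPLE_POLICY = json.loads("""
{"version": "2.0",
 "statement": [
  {"effect": "allow",
   "action": ["dmc:DescribeSlowLogTopSqls", "dmc:DescribeSlowLogTimeSeriesStats"],
   "resource": ["qcs::dmc:ap-guangzhou:uin/65xxx763:instance/dmc-k05xdcta"]},
  {"effect": "allow",
   "action": ["dmc:*"],
   "resource": ["*", "qcs::dmc:ap-guangzhou:uin/65xxx763:instance/*", "qcs::dmc:instance/x"]}
 ]}
""")

FIELDS = ("prefix", "project_id", "service_type", "region", "account", "resource")

def parse_resource(res):
    """Split qcs:project_id:service_type:region:account:resource into named fields."""
    parts = res.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        return None
    return dict(zip(FIELDS, parts))

def lint_policy(policy):
    """Return (statement index, message) pairs for over-broad or malformed grants."""
    findings = []
    for i, st in enumerate(policy.get("statement", [])):
        if st.get("effect") != "allow":  # assumption: only "allow" statements widen access
            continue
        for act in st.get("action", []):
            if not act.startswith("dmc:"):
                findings.append((i, f"action {act} is not a dmc: operation"))
            elif act == "dmc:*":
                findings.append((i, "action dmc:* grants every DMC operation"))
        for res in st.get("resource", []):
            if res == "*":
                findings.append((i, "resource * covers all resources"))
                continue
            fields = parse_resource(res)
            if fields is None:
                findings.append((i, f"resource {res} is not in six-field qcs form"))
            elif fields["resource"].endswith("/*"):
                findings.append((i, f"resource {res} covers every instance of {fields['account']}"))
    return findings

if __name__ == "__main__":
    for idx, msg in lint_policy(SAMPLE_POLICY):
        print(f"statement[{idx}]: {msg}")
```

The first statement, scoped to two named operations on one instance, produces no findings; all four findings come from the second statement.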