
Granting the Tag-Level Permission to Sub-accounts
Last updated: 2025-12-24 14:59:00

Scenarios

You can use the policy feature in the Cloud Access Management (CAM) console to grant sub-accounts read/write permissions on TDMQ for Apache Pulsar resources that are owned by the root account and bound with tags. This is done through tag-based authorization. A sub-account that is granted these permissions can control the resources bound with the corresponding tags.

Prerequisites

Sub-accounts have been created for employees by using the Tencent Cloud root account. For detailed operations, see Creating a Sub-account.
At least one TDMQ for Apache Pulsar instance has been created.
At least one tag has been created. If no tag exists, you can create tags by referring to Configuring Resource Tags.

Operation Steps

Step 1: Binding Tags to Resources

1. Log in to the TDMQ for Apache Pulsar console by using the root account, and go to the Cluster page.
2. Select the target cluster, and click Edit Resource Tag in the upper-left corner to bind resource tags to the cluster.


Step 2: Granting Permissions by Tag

1. Log in to the CAM console.
2. In the left sidebar, choose Policies, click Create a custom policy, and then select Authorize by Tag for the policy creation method.
3. In the visual policy generator, enter TDMQ in the Service field for filtering, and select Tencent Distributed Message Queue (tdmq) from the results.
4. Select All actions for Action. You can also select specific operations based on your business requirements.
Note:
The Action list includes all APIs of the service. You can select "Whether tag-based authorization is supported" to check whether an API supports tag-based authorization.
Yes: The API supports tag-based authorization, and the permission covers operations on resources associated with the corresponding tags.
No: The API does not support tag-based authorization.
To support authorization for multiple services, click Add in the upper-left corner to continue adding multiple authorization statements and configure authorization policies for other services.
5. In Select a tag (resource_tag), select the tag keys and tag values bound to the cluster resources. You can select multiple tag keys and tag values.
6. In Select Condition Key, select the condition keys. You can select both resource_tag and request_tag, or either one of them.

7. Choose whether to select Whether to grant permission "resource": "*" to APIs that do not support Tag. If you select this option, the APIs that do not support tags are granted operation permissions on all resources, not only the tagged ones.
8. Click Next and set the policy name. The policy name is automatically generated by the console. By default, the policy name is policygen, with a suffix number generated based on the creation date. You can customize the policy name.
9. Click Select User or Select User Group to select the users or user groups to which resource permissions need to be granted.



10. Click Completed. The sub-account can then control the resources under the specified tag according to the policy.
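
The following is an added example, not part of the original page and not Tencent Cloud code: a small Python check for reviewing a policy created in Step 2, which lists allow statements that apply to "resource": "*" without a resource_tag or request_tag condition, the kind of grant the option in step 7 produces. The JSON layout (lowercase keys, the qcs: prefix, the key&value tag form) is assumed from CAM policy syntax; the tag value and the second action name are constructed placeholders.

```python
# Condition keys used by tag-based authorization (names from the page, with the
# "qcs:" prefix assumed from CAM policy syntax).
TAG_KEYS = {"qcs:resource_tag", "qcs:request_tag"}

# Constructed sample policy: statement 0 is scoped by tag, statement 1 is an
# unconditioned grant like the one step 7 adds for APIs without tag support.
SAMPLE_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": ["tdmq:*"], "resource": "*",
         "condition": {"for_any_value:string_equal":
                       {"qcs:resource_tag": ["team&messaging"]}}},
        {"effect": "allow", "resource": "*",
         "action": ["tdmq:ExampleActionWithoutTagSupport"]},  # placeholder name
    ],
}


def as_list(value):
    """Policy fields may hold a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def tag_conditions(statement):
    """Return {condition_key: [tag pairs]} for non-empty tag conditions."""
    found = {}
    for operands in statement.get("condition", {}).values():
        for key, values in operands.items():
            if key in TAG_KEYS and values:
                found.setdefault(key, []).extend(as_list(values))
    return found


def unscoped_allows(policy):
    """Return (index, actions) for allow statements on "*" with no tag condition."""
    findings = []
    for i, st in enumerate(as_list(policy.get("statement", []))):
        wildcard = "*" in as_list(st.get("resource", []))
        if st.get("effect") == "allow" and wildcard and not tag_conditions(st):
            findings.append((i, as_list(st.get("action", []))))
    return findings


if __name__ == "__main__":
    for index, actions in unscoped_allows(SAMPLE_POLICY):
        print(f"statement {index}: {actions} allowed on all resources, no tag condition")
```

Each statement it reports applies to every resource in the account, so review the listed actions before attaching the policy to users or user groups.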
