tencent cloud

Granting Permissions for Other Cloud Products to Sub-accounts
Last updated: 2026-01-23 17:34:03
When you use TDMQ for RocketMQ, you may need to access resources of other cloud products, such as Virtual Private Cloud (VPC) and Cloud Virtual Machine (CVM). For example, you may need to view the availability zone (AZ) information of a subnet. The root account should therefore grant its sub-accounts the permissions they need to call other cloud products.

Prerequisites

A sub-account has been created for an employee using the Tencent Cloud root account. For detailed operations, see Creating a Sub-account.

Operation Steps

Creating a Custom Policy for Accessing Other Cloud Products

1. Log in to the Cloud Access Management (CAM) console with a root account.
2. In the left sidebar, select Policies and click Create a custom policy. In the pop-up window for selecting a policy creation method, select Create by policy syntax to go to the Create by Policy Syntax page.
3. On the Create by Policy Syntax page, select Blank Template and click Next.
4. Using the following API table and policy syntax as a reference, create a custom policy that grants sub-accounts the permissions they need to call other cloud products, and click Complete after specifying all information.
When TDMQ for RocketMQ is used, calls to the following cloud products are involved. The root account should grant specific permissions to sub-accounts to ensure that the sub-accounts can use TDMQ for RocketMQ features. The following table describes calls to other cloud products involved in TDMQ for RocketMQ in the custom policy.

| Cloud Product | API Name | API Feature | Role in TDMQ for RocketMQ |
| --- | --- | --- | --- |
| CVM | DescribeZones | Queries AZs. | Views the AZ of a subnet when an instance is created. |
| VPC | DescribeVpcs | Queries the VPC network list. | Selects the VPC network to which the instance access address belongs when an instance is created. |
| VPC | DescribeSubnets | Queries the VPC network list. | Selects the subnet to which the instance access address belongs when an instance is created. |
| Tencent Cloud Observability Platform (TCOP) (Monitor) | GetMonitorData | Pulls metric monitoring data. | Views monitoring data in TDMQ for RocketMQ. |
| TCOP (Monitor) | DescribeDashboardMetricData | Pulls metric monitoring data. | Views monitoring data in TDMQ for RocketMQ. |
| TCOP (Monitor) | DescribeBaseMetrics | Pulls the metric monitoring list. | Views the TDMQ for RocketMQ monitoring list. |
| TCOP (Monitor) | DescribeDashboardMetrics | Pulls metric monitoring dimensions. | Views monitoring dimensions in TDMQ for RocketMQ. |
| TCOP (Monitor) | DescribeMonitorProductByIds | Pulls monitoring configurations. | Queries the monitoring product list by ID. |
| Tags | DescribeResourceTagsByResourceIds | Queries resource tags. | Views resource tags of a cluster. |

A policy syntax example is as follows:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cvm:DescribeZones",
                "vpc:DescribeVpcs",
                "vpc:DescribeSubnets",
                "monitor:GetMonitorData",
                "monitor:DescribeDashboardMetricData",
                "monitor:DescribeBaseMetrics",
                "monitor:DescribeDashboardMetrics",
                "monitor:DescribeMonitorProductByIds",
                "monitor:DescribeOneClickAlarmConfigs",
                "tag:DescribeResourceTagsByResourceIds"
            ],
            "resource": [
                "*"
            ]
        }
    ]
}
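
A pre-attachment check for a policy like the one above, as an added example that is not part of the Tencent Cloud documentation: it parses the policy document as strict JSON and reports any allowed action that is a wildcard or that does not appear in the API table on this page. The function names and the exact, case-sensitive string comparison are assumptions of this example.

```python
import json

# Actions listed in the API table on this page, with the prefixes the policy example uses.
DOCUMENTED = {
    "cvm:DescribeZones", "vpc:DescribeVpcs", "vpc:DescribeSubnets",
    "monitor:GetMonitorData", "monitor:DescribeDashboardMetricData",
    "monitor:DescribeBaseMetrics", "monitor:DescribeDashboardMetrics",
    "monitor:DescribeMonitorProductByIds", "tag:DescribeResourceTagsByResourceIds",
}

def as_list(value):
    """Accept a single string/object or a list of them."""
    return value if isinstance(value, list) else [value]

def review_policy(text):
    """Return findings for a CAM policy document supplied as text."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        # Strict JSON: a trailing comma after the last action lands here.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    findings = []
    if policy.get("version") != "2.0":
        findings.append("version is not 2.0")
    for i, stmt in enumerate(as_list(policy.get("statement", []))):
        if stmt.get("effect") != "allow":
            continue  # only allow statements grant access
        for action in as_list(stmt.get("action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action not in DOCUMENTED:
                findings.append(f"statement {i}: {action} is not in the API table")
    return findings

# Constructed input: the actions and resource of the page's policy example, as strict JSON.
PAGE_POLICY = json.dumps({
    "version": "2.0",
    "statement": [{
        "effect": "allow",
        "action": sorted(DOCUMENTED | {"monitor:DescribeOneClickAlarmConfigs"}),
        "resource": ["*"],
    }],
}, indent=2)

if __name__ == "__main__":
    for finding in review_policy(PAGE_POLICY) or ["no findings"]:
        print(finding)
```

Run against the page's example, the check reports monitor:DescribeOneClickAlarmConfigs, which the policy grants but the API table does not describe.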

Associating a Custom Policy with a Sub-account

1. On the Policy Management page, click Custom Policy to show only custom policies, locate the custom policy you created, and click Associate User/Group/Role in the operation column.
2. Select the sub-account to be granted this permission and click OK to complete the authorization.
3. On the User List page, click the sub-account name to go to the user details page. The policy is displayed in the user's policy list.