Known Issues
If you use multiple cloud platform services, such as Cloud Virtual Machine, Virtual Private Cloud and CloudDB, managed by different people but sharing your cloud account tokens, you might face the issues:
The risk of your key being compromised is high since multiple users are sharing it.
You cannot restrict access for other users, which may lead to misoperations and potential security risks.
Solution
You can mitigate the above issues by using sub-accounts to assign different users to manage different services. By default, sub-accounts do not have permission to use cloud services or access related resources. Therefore, you need to create policies to grant sub-accounts access to the resources or permissions they require.
Cloud Access Management (CAM) is a web service provided by Tencent Cloud that helps users securely manage access permissions for resources under their Tencent Cloud accounts. With CAM, you can create, manage, and terminate users (or groups) and control which Tencent Cloud resources specific users can access through identity and policy management. When using CAM, you can associate policies with a user or a group of users. Policies can grant or deny permissions for users to access specific resources and perform designated tasks. For more fundamental information on CAM policies, see Policy Syntax. If you do not need to manage DMC-related resource access for sub-accounts, you can skip this section. Skipping these parts will not affect your understanding or use of the rest of the document.
Quick Start
A CAM policy should grant or deny permission for one or more DMC operations and should specify the resources that can be used for these operations (which can include all resources or, for certain operations, specific resources). The policy may also include conditions for operating on the resources.
Notes:
It is recommended to use CAM policies to manage DMC resources and authorize DMC operations. The user experience remains unchanged for existing sub-project permissions, but it is not recommended to continue using sub-project permissions for resource management and operation authorization.
DMC currently does not support setting related enforcement conditions.
|
Basic Policy Structure | |
Defining Operations in the Policy | |
Defining Resources in the Policy | |
Supported resource-level permissions | |