tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Tencent Cloud Automation Tools
    Documentation
    Download PDF

    Cloud Access Management

    Last updated: 2022-05-23 15:27:20
    Download PDF

      Overview

      Cloud Access Management (CAM) is a web-based Tencent Cloud service that helps you with the security management of access permissions for resources under your Tencent Cloud account. With CAM, you can create, manage, and terminate users or user groups, and can use identity and policy management to control the permissions other users have to use Tencent Cloud resources. Policies can be used to authorize or block the use of specified resources by users to complete specified tasks. When you use CAM, you can associate policies with a user or user group to perform permissions control.

      TAT is connected with CAM for permission controlling.

      Access Control Levels

      TAT supports the access control by resources and tags.

      • Resource-level control: Specify a policy to assign a sub-account with permissions to a single resource. For details, see Creating Custom Policy.
      • Control by tags: Add tags to resources for access control

      Preset Policies

      Preset policy Permissions granted
      QcloudTATReadOnlyAccess TAT read-only permission
      QcloudTATFullAccess TAT read/write permission

      Types of Manageable Resources

      TAT supports resource-level authorization. You can grant a specified sub-account the API permission of a specified resource.

      In CAM, the types of TAT resources that can be authorized are as follows:

      Resource Type Resource Description Method in Authorization Policy
      Remote command-related qcs::tat:$region:$account:command/$commandId

      APIs supporting action-level authorization include:

      API name Description Resource
      CreateCommand Create a command *

      APIs supporting resource-level authorization include:

      API name
      API description      		 Resource type Resource (in six-segment format)
      DeleteCommand
      Delete a command      		 Command qcs::tat:$region:$account:command/$commandId
      DescribeAutomationAgents
      Query the agent running status      		 CVM instances, Lighthouse instances qcs::cvm:$region:$account:instance/$instanceId
      qcs::lighthouse:$region:$account:instance/$instanceId
      DescribeCommands
      Query a command      		 Command qcs::tat:$region:$account:command/$commandId
      DescribeInvocations
      Query the execution result      		 Command qcs::tat:$region:$account:command/$commandId
      DescribeInvocationTasks
      Query the execution tasks      		 Command, CVM instances, Lighthouse instances qcs::tat:$region:$account:command/$commandId
      qcs::cvm:$region:$account:instance/$instanceId
      qcs::lighthouse:$region:$account:instance/$instanceId
      InvokeCommand
      Invoke a command      		 Command, CVM instances, Lighthouse instances qcs::tat:$region:$account:command/$commandId
      qcs::cvm:$region:$account:instance/$instanceId
      qcs::lighthouse:$region:$account:instance/$instanceId
      ModifyCommand
      Modify a command      		 Command qcs::tat:$region:$account:command/$commandId
      PreviewReplacedCommandContent
      Query the command after rendering      		 Command qcs::tat:$region:$account:command/$commandId
      RunCommand
      Run a command      		 Command, CVM instances, Lighthouse instances qcs::tat:$region:$account:command/$commandId
      qcs::cvm:$region:$account:instance/$instanceId
      qcs::lighthouse:$region:$account:instance/$instanceId

      Examples

      Check the examples below to learn about how to control permissions by using CAM.

      Note:

      Guangzhou region is used for all the examples below. Replace $account with the Tencent Cloud root account of the user.

      • Allow a user to modify and delete the command cmd-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "allow",
         "resource": [
             "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
         ],
         "action": [
             "tat:ModifyCommand",
             "tat:DeleteCommand"
         ]
     }
 ]
}

      • Allow a user to check the details of the command cmd-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "allow",
         "resource": [
             "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
         ],
         "action": [
             "tat:DescribeCommands"
         ]
     }
 ]
}

      • Allow a user to check the result of the command cmd-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "allow",
         "resource": [
             "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
         ],
         "action": [
             "tat:DescribeInvocations",
             "tat:DescribeInvocationTasks"
         ]
     }
 ]
}

      • Disallow a user from executing the command cmd-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "deny",
         "resource": [
             "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx"
         ],
         "action": [
             "tat:InvokeCommands"
         ]
     }
 ]
}

      • Disallow a user from executing any commands

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "deny",
         "resource": [
             "qcs::tat:ap-guangzhou:$account:command/*"
         ],
         "action": [
             "tat:InvokeCommand",
             "tat:RunCommand"
         ]
     }
 ]
}

      • Disallow a user from executing any commands on the CVM ins-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "deny",
         "resource": [
             "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"
         ],
         "action": [
             "tat:InvokeCommand",
             "tat:RunCommand"
         ]
     }
 ]
}

      • Disallow a user from executing commands on any CVMs

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "deny",
         "resource": [
             "qcs::cvm:ap-guangzhou:$account:instance/*"
         ],
         "action": [
             "tat:InvokeCommand",
             "tat:RunCommand"
         ]
     }
 ]
}

      • Disallow a user from executing any commands on the Lighthouse instance lhins-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "deny",
         "resource": [
             "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"
         ],
         "action": [
             "tat:InvokeCommand",
             "tat:RunCommand"
         ]
     }
 ]
}

      • Disallow a user from executing commands on any Lighthouse instances

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "deny",
         "resource": [
             "qcs::lighthouse:ap-guangzhou:$account:instance/*"
         ],
         "action": [
             "tat:InvokeCommand",
             "tat:RunCommand"
         ]
     }
 ]
}

      • Allow a user to execute the command cmd-xxxxxxxx or cmd-yyyyyyyy on the CVM ins-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "allow",
         "resource": [
             "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx",
             "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx",
             "qcs::tat:ap-guangzhou:$account:command/cmd-yyyyyyyy"
         ],
         "action": [
             "tat:InvokeCommand"
         ]
     }
 ]
}

      • Allow a user to execute the command cmd-xxxxxxxx or cmd-yyyyyyyy on the Lighthouse instance lhins-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "allow",
         "resource": [
             "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx",
             "qcs::tat:ap-guangzhou:$account:command/cmd-xxxxxxxx",
             "qcs::tat:ap-guangzhou:$account:command/cmd-yyyyyyyy"
         ],
         "action": [
             "tat:InvokeCommand"
         ]
     }
 ]
}

      • Disallow a user from checking the command execution result on the CVM ins-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "deny",
         "resource": [
             "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"
         ],
         "action": [
             "tat:DescribeInvocationTasks"
         ]
     }
 ]
}

      • Disallow a user from checking the command execution result on the Lighthouse instance lhins-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "deny",
         "resource": [
             "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"
         ],
         "action": [
             "tat:DescribeInvocationTasks"
         ]
     }
 ]
}

      • Disallow a user from checking the Agent status on the CVM ins-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "deny",
         "resource": [
             "qcs::cvm:ap-guangzhou:$account:instance/ins-xxxxxxxx"
         ],
         "action": [
             "tat:DescribeAutomationAgentStatus"
         ]
     }
 ]
}

      • Disallow a user from checking the Agent status on the Lighthouse instance lhins-xxxxxxxx

        {
 "version": "2.0",
 "statement": [
     {
         "effect": "deny",
         "resource": [
             "qcs::lighthouse:ap-guangzhou:$account:instance/lhins-xxxxxxxx"
         ],
         "action": [
             "tat:DescribeAutomationAgentStatus"
         ]
     }
 ]
}
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2023 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy