tencent cloud

Calling TencentCloud API
Download PDF
Last updated: 2025-04-23 14:29:27
Calling TencentCloud API
Last updated: 2025-04-23 14:29:27
Download PDF

Overview

CloudApp provides a solution that allows application processes to call TencentCloud API in a secure and controlled way, thereby accessing or operating the customer's cloud resources. Commonly used scenarios include:
Cloud management software
Call public cloud SaaS to implement software features (such as SMS)
Automatic scaling
Verify software authorization


Directions

Claim a Permission Policy

Declare a permission policy in package.yaml to restrict the range of TencentCloud APIs that can be called by the application. When installing the installation package, the cloud application will generate a CAM policy based on the declared permission policy. Therefore, APIs not included in the declared permission policy have no invoke permission within the process.
# package.yaml
role:
  policy:
    version: "2.0"
    statement:
      - action:
          - cloudapp:VerifyLicense
          - cvm:DescribeInstances
        resource: "*"
        effect: allow

Claim a Role Used Variable

Declare a role used variable in variable.tf:
# variable.tf
variable "cloudapp_cam_role" {}

Inject the Assigned Role Name Into the Process

Cloud applications will provide the runtime role generated during application installation to the installation package via Terraform variables. The installation package needs to inject the role name variable cloudapp_cam_role into the environment variables or configuration files when declaring cloud resources. The following are examples of CVM and containers.
CVM Example
Container Example

Method 1: Inject Into Environment Variables

You can add environment variables in the user script declared on the CVM.
# deployment.tf
resource "tencentcloud_instance" "demo_cvm" {
  # Note: You need to bind the CAM role to the runtime role of the CVM instance.
  cam_role_name = var.cloudapp_cam_role
  user_data_raw = <<-EOT
#!/bin/bash
# Export the role name to the environment variable
export CLOUDAPP_CAM_ROLE=${var.cloudapp_cam_role} 
# The process starting can read the role name from the environment variable.
node main.js
  EOT
}

Method 2: Inject Into the Configuration File

Alternatively, you can inject the role name into the configuration file.
# deployment.tf
resource "tencentcloud_instance" "demo_cvm" {
  # Note: You need to bind the CAM role to the runtime role of the CVM instance.
  cam_role_name = var.cloudapp_cam_role
  user_data_raw = <<-EOT
#!/bin/bash
# Export the role name to the configuration file
echo "${var.cloudapp_cam_role}" >> /usr/local/.cloudapp_cam_role
# The process starting can read the role name from the configuration file /usr/local/.cloudapp_cam_role.
node main.js
  EOT
}

First: Import the Variable As a Chart Variable

First, in Terraform, declare the runtime role bound to the Worker's corresponding CVM. Meanwhile, pass the variable to Helm's Chart Values:
# <deployment.tf>
resource "tencentcloud_kubernetes_cluster" "tke-cluster1" {
  worker_config {
    # Other worker_config content is omitted here.
    cam_role_name = var.cloudapp_cam_role
  }
}
resource "cloudapp_helm_app" "helm_charts" {
  chart_values = {
    CAM_ROLE = var.cloudapp_cam_role # Inject the role name variable here.
  }
}

Method 1: Use the Chart Variable As a StatefulSet Environment Variable

Refer to the Chart variable in the workload in Helm Chart:
# <values.yaml>
# CAM role name, which is used to obtain a temporary key for calling the TencentCloud API, injected from the tf declaration
CAM_ROLE: ""

# <templates/statefulset.yaml>
kind: StatefulSet
spec:
    spec:
      containers:
        - name: "my-container"
          image: {{ quote .Values.SERVER_IMAGE }}
          env:
            # Assign CAM_ROLE to the container's environment variable
            - name: CAM_ROLE
              value: {{ quote .Values.CAM_ROLE }}
After the container starts, the environment variable CAM_ROLE will contain the role name.

Method 2: Write the Variable Into ConfigMap and Use It in StatefulSet

Declare a Configmap in Helm Chart and refer to it in the workload
# <values.yaml>
# CAM role name, which is used to obtain a temporary key for calling the TencentCloud API, injected from the tf declaration
CAM_ROLE: ""

# <configmap.yaml>
# Declare ConfigMap
kind: ConfigMap
metadata:
  name: cloudapp-config
data:
  .cloudapp_cam_role: {{ quote .Values.CAM_ROLE }}

# <templates/statefulset.yaml>
kind: StatefulSet
spec:
  template:
    spec:
      containers:
       - name: "my-container"
         image: {{ quote .Values.SERVER_IMAGE }}
         valueMounts:
         - name: cloudapp-cam-role
           mountPath: /usr/local/cloudapp
           subPath: .cloudapp_cam_role
      volumes:
      - name: cloudapp-cam-role
        configMap:
          name: cloudapp-config
After the container starts, the process can read the CAM role from /usr/local/cloudapp/.cloudapp_cam_role.

Get a Temporary Key for a Role

After obtaining the role name in the process, we can obtain the temporary key of the role through an HTTP request.
The CURL example of the request is as follows:
curl http://metadata.tencentyun.com/meta-data/cam/security-credentials/$CLOUDAPP_CAM_ROLE
The response results are as follows:
{
  "TmpSecretId": "(RESPONSED SECRET ID)",
  "TmpSecretKey": "(RESPONSED SECRET KEY)",
  "ExpiredTime": 1658866289,
  "Expiration": "2022-07-26T20:11:29Z",
  "Token": "(RESPONSED TOKEN)",
  "Code": "Success"
}

5. Calling TencentCloud API Using Temporary Key

Use the above temporary key to call the cloud API. The authentication credential for calling the cloud API must contain: SecretId, SecretKey, Token.
For the calling methods in different languages, please refer to the corresponding SDK documentation:
PHP
Python
Java
Go
.NET
Node.js
C++

Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No

Feedback