Defining Application Permission Policies

Last updated: 2026-05-11 16:09:53

Overview

Marketplace lets software processes running under the application's runtime role call the TencentCloud API. By defining a permission policy for that role, you get fine-grained control over the cloud permissions those processes hold, which meets customer requirements for permission management. Typical scenarios:
Verifying the status of the software license.
Accessing COS buckets from within the application, with access limited to specified buckets (such as the bucket selected by the user during installation).
Inspecting the application's running resources and automatically restarting faulty nodes.

Solution Description

Declare the permission policy in the package.yaml file; the policy you declare there controls the application's permission scope.

Declaration Method

Declare the permission policy in the package.yaml file under role.policy. The syntax is the same as the CAM permission policy syntax; for details, see CAM Permission Policy Syntax Structure. The following is an example:

```yaml
args:
  - name: app_cos
    label: select bucket
    widget: cos-bucket-select

role:
  policy:
    version: "2.0"
    statement:
      # Permission 1: support LICENSE verification
      - action:
          - cloudapp:DescribeLicense
        resource: "*"
        effect: allow
      # Permission 2: support restarting CVM instances carrying the application instance tag
      - action:
          - cvm:RebootInstances
        resource: "*"
        condition:
          "for_any_value:string_equal":
            "qcs:tag":
              - "CloudappId&${var.cloudapp_id}"
        effect: "allow"
      # Permission 3: support access to the COS bucket selected during installation
      - action:
          - "cos:*"
        resource:
          - "qcs::cos:${var.app_cos.region}:uid/${var.app_cos.app_id}:${var.app_cos.bucket}/*"
          - "qcs::cos:${var.app_cos.region}:uid/${var.app_cos.app_id}:${var.app_cos.bucket}/"
        effect: allow
```
Note:
The permission policy declared via role.policy follows the "what you see is what you get" principle: every privilege of the runtime role must be explicitly declared in package.yaml.

Use Variables in Policy Syntax

Two types of variables can be used in a policy: system variables and installation parameters. In the example above:
Permission 2 uses the var.cloudapp_id system variable to implement tag-based authorization.
Permission 3 uses the var.app_cos installation parameter to implement resource-level authorization.

Upgrade to the New Policy Syntax

Note:
The new permission policy generation scheme will be backward compatible, and permissions originally declared via scopes.cloudAPI will remain effective.
The new declaration syntax provides more granular permission control. It is strongly recommended that you upgrade to it and declare permission policies using role.policy.
The original version declares the permissions of the runtime role through scopes.cloudAPI. An example is as follows:

```yaml
scopes:
  cloudAPI:
    - cvm:DescribeInstances
```

The same declaration after upgrading to the new syntax is as follows:

```yaml
role:
  policy:
    version: "2.0"
    statement:
      - action:
          - cvm:DescribeInstances
          - cloudapp:DescribeLicense
        resource: "*"
        effect: allow
```
Points to note during the upgrade:
In older versions, the cloudapp:DescribeLicense interface was added to the permission policy automatically, without an explicit declaration. In the new version, the runtime role's permissions include only the explicitly declared interfaces, so you must explicitly declare cloudapp:DescribeLicense in role.policy; otherwise the application cannot integrate with License.
The Marketplace License check interface has been upgraded. If the verification interface within the application has been upgraded, declare DescribeLicense. If the application still uses the VerifyLicense interface, continue to declare VerifyLicense.
After switching to the new syntax, delete the original scopes.cloudAPI field.
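The following linter is an added example, not part of the Tencent Cloud documentation or Marketplace tooling. It applies the rules from this section and from "Use Variables in Policy Syntax" to a parsed package.yaml: role.policy must exist with version "2.0", scopes.cloudAPI must be gone, a license action must be allowed, every ${var.NAME} must be a declared arg or the cloudapp_id system variable, and wildcard actions on resource "*" without a condition are flagged. The sample package below is a constructed dict mirroring the page's YAML example (what yaml.safe_load would return); the broad-grant check is the author's own hardening heuristic, not a Marketplace rule.

```python
import re
from typing import Any

SYSTEM_VARS = {"cloudapp_id"}  # system variable shown in the page's example
LICENSE_ACTIONS = {"cloudapp:DescribeLicense", "cloudapp:VerifyLicense"}
VAR_REF = re.compile(r"\$\{var\.([A-Za-z0-9_]+)")  # captures NAME in ${var.NAME...}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def lint_package(pkg: dict) -> list[str]:
    """Return a list of findings for the role.policy section of a parsed package.yaml."""
    findings: list[str] = []
    policy = (pkg.get("role") or {}).get("policy")
    if policy is None:
        return ["role.policy is missing: the runtime role receives no permissions"]
    if "cloudAPI" in (pkg.get("scopes") or {}):
        findings.append("scopes.cloudAPI must be deleted once role.policy is used")
    if str(policy.get("version")) != "2.0":
        findings.append('policy.version must be "2.0"')
    known_vars = SYSTEM_VARS | {a["name"] for a in pkg.get("args", [])}
    allowed: set[str] = set()
    for i, st in enumerate(policy.get("statement", [])):
        actions = _as_list(st.get("action", []))
        resources = _as_list(st.get("resource", []))
        effect = str(st.get("effect", "")).lower()
        if not actions or not resources or effect not in ("allow", "deny"):
            findings.append(f"statement {i}: needs action, resource and effect allow|deny")
            continue
        if effect == "allow":
            allowed.update(actions)
        # Scan the whole statement (resources and condition values) for variable references.
        for ref in VAR_REF.findall(str(st)):
            if ref not in known_vars:
                findings.append(f"statement {i}: ${{var.{ref}}} is neither a system variable nor a declared arg")
        if effect == "allow" and "*" in resources and "condition" not in st \
                and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard actions on resource \"*\" without a condition")
    if not allowed & LICENSE_ACTIONS:
        findings.append("no allow for cloudapp:DescribeLicense (or VerifyLicense): license integration will fail")
    return findings


# Constructed sample: the page's package.yaml example as yaml.safe_load would parse it.
PACKAGE = {
    "args": [{"name": "app_cos", "label": "select bucket", "widget": "cos-bucket-select"}],
    "role": {"policy": {"version": "2.0", "statement": [
        {"action": ["cloudapp:DescribeLicense"], "resource": "*", "effect": "allow"},
        {"action": ["cvm:RebootInstances"], "resource": "*", "effect": "allow",
         "condition": {"for_any_value:string_equal": {"qcs:tag": ["CloudappId&${var.cloudapp_id}"]}}},
        {"action": ["cos:*"], "effect": "allow", "resource": [
            "qcs::cos:${var.app_cos.region}:uid/${var.app_cos.app_id}:${var.app_cos.bucket}/*",
            "qcs::cos:${var.app_cos.region}:uid/${var.app_cos.app_id}:${var.app_cos.bucket}/"]},
    ]}},
}
```

Running lint_package(PACKAGE) on the page's example returns an empty list; a package that still carries scopes.cloudAPI, references an undeclared arg, or omits the license action gets one finding per problem.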

Complete Example

For a complete example, refer to the demonstration instructions for Custom Application Permission Policy.
