
Granting Access Permissions for Other Cloud Products to Sub-accounts
Last updated:2026-01-30 14:55:28
While using MQTT, you may need to access the user's resources in other cloud products (VPC, CVM, etc.), for example to view the AZ in which the user's subnet resides. The root account therefore needs to grant the sub-account the appropriate API call permissions for those other cloud products, based on your actual needs.

Prerequisites

The Tencent Cloud root account has been used to create a sub-account for the employee. For detailed operations, see Creating Sub-account.

Operation Steps

Creating Custom Access Policy for Other Cloud Products

1. Log in with your root account to the CAM console.
2. Select Policies in the left sidebar and click Create a custom policy. In the pop-up box for selecting the policy creation method, select Create according policy syntax to enter the policy syntax creation page.
3. On the policy syntax creation page, select Blank Template and click Next.
4. Referring to the API table and policy syntax below, grant the sub-account the appropriate API call permissions for other cloud products based on your actual needs, generate a custom policy, and click Complete after filling in all information.
MQTT calls the following cloud products during use. The root account needs to authorize sub-accounts for each of them separately to ensure that MQTT features work. In a custom policy, the calls to other cloud products involved in MQTT are as follows:
| Cloud Product | API name | API functions | Operations Affecting the Platform |
| --- | --- | --- | --- |
| Cloud Virtual Machine (CVM) | DescribeZones | Query Available Zones | View the Availability Zone of the Subnet when creating a cluster |
| Virtual Private Cloud (VPC) | DescribeVpcs | Query VPC List | Select the VPC to which the instance access address belongs when creating a cluster |
| Virtual Private Cloud (VPC) | DescribeSubnets | Query VPC List | Select the subnet to which the instance access address belongs when creating a cluster |
| Tencent Cloud Observability Platform (TCOP) (Monitor) | GetMonitorData | Pulling metric monitoring data | View Monitoring Data in MQTT |
| Tencent Cloud Observability Platform (TCOP) (Monitor) | DescribeBaseMetrics | Pull metrics monitoring list | View MQTT monitoring list |
| Tencent Cloud Observability Platform (TCOP) (Monitor) | DescribeDashboardMetrics | Pulling metric monitoring dimensions | View monitoring dimensions in MQTT |
| Tencent Cloud Observability Platform (TCOP) (Monitor) | DescribeMonitorProductByIds | Pull monitoring configuration | Query monitoring product list by Id |
| Tencent Cloud Observability Platform (TCOP) (Monitor) | DescribeOneClickAlarmConfigs | One-click alarm configuration details | One-click alarm configuration details |
| Resource tag (Tags) | DescribeResourceTagsByResourceIds | Querying resource tags | View resource tags of the cluster |
Policy Syntax Example:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cvm:DescribeZones",
                "vpc:DescribeVpcs",
                "vpc:DescribeSubnets",
                "monitor:GetMonitorData",
                "monitor:DescribeBaseMetrics",
                "monitor:DescribeDashboardMetrics",
                "monitor:DescribeMonitorProductByIds",
                "monitor:DescribeOneClickAlarmConfigs",
                "tag:DescribeResourceTagsByResourceIds"
            ],
            "resource": [
                "*"
            ]
        }
    ]
}
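A pre-flight check for a draft policy before it is pasted into the console, added here as an example (not Tencent Cloud code): it parses the draft as strict JSON and compares its allowed actions with the nine actions listed above, reporting wildcards, actions outside the table, and listed actions that are absent. The names `audit_policy`, `REQUIRED` and `SAMPLE_DRAFT` are hypothetical, the draft is constructed, and treating `*` as a glob when judging coverage is an assumption.

```python
import json
from fnmatch import fnmatchcase

# The nine actions from the page's table and policy example.
REQUIRED = frozenset({
    "cvm:DescribeZones", "vpc:DescribeVpcs", "vpc:DescribeSubnets",
    "monitor:GetMonitorData", "monitor:DescribeBaseMetrics",
    "monitor:DescribeDashboardMetrics", "monitor:DescribeMonitorProductByIds",
    "monitor:DescribeOneClickAlarmConfigs",
    "tag:DescribeResourceTagsByResourceIds",
})

# Constructed draft policy, broader than the table requires.
SAMPLE_DRAFT = """{
  "version": "2.0",
  "statement": [{
    "effect": "allow",
    "action": ["cvm:DescribeZones", "vpc:*", "cvm:RunInstances",
               "monitor:GetMonitorData"],
    "resource": ["*"]
  }]
}"""


def _as_list(value):
    """Accept a single value or a list of values (None means empty)."""
    return value if isinstance(value, list) else ([] if value is None else [value])


def audit_policy(policy_text):
    """Report wildcard, extra and missing actions in a draft policy."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return {"error": f"invalid JSON, line {exc.lineno}: {exc.msg}"}
    granted = set()
    for stmt in _as_list(policy.get("statement")):
        if str(stmt.get("effect", "")).lower() == "allow":
            granted.update(_as_list(stmt.get("action")))
    wildcard = sorted(a for a in granted if "*" in a)
    extra = sorted(granted - REQUIRED - set(wildcard))
    # Assumption: "*" in an action behaves like a glob when judging coverage.
    missing = sorted(r for r in REQUIRED
                     if not any(fnmatchcase(r, g) for g in granted))
    return {"error": None, "wildcard": wildcard, "extra": extra, "missing": missing}


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_DRAFT), indent=2))
```

An empty `wildcard` and `extra` with an empty `missing` means the draft grants exactly the actions in the table; a non-null `error` means the console would be given text that is not valid JSON, such as a comma after the last action.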

Associating Custom Policy with a Sub-account

1. On the policy management list page, click Custom Policy to filter, find the created custom policy, and click Associate User/User Group/Role in the Action column.



2. Select the sub-account to grant the permission to, and click OK to complete authorization.



3. On the User List page, click the sub-account name to enter the user details page. The policy will appear in the user's policy list.



