Tencent Cloud EventBridge uses Tencent Cloud Access Management (CAM) to manage permissions. CAM is a permission and access management service that helps you securely manage the access permissions to resources under your Tencent Cloud account. With CAM, you can create, manage and terminate users and user groups and use identity and policy management to control user access to Tencent Cloud resources. Before using EventBridge, you need to activate it on the product page. This document describes how to activate and use EventBridge.
Directions
1. Log in to the EventBridge console and activate the service and create a role as prompted (these operations must be performed with the root account).
2. (Optional) Log in to the CAM console to assign permission to the sub-account.
3. After creating a service role, you can use the EventBridge features to create relevant resources.
Access Management
Activating EventBridge
If this is the first time that you use EventBridge with your root account, according to CAM requirements, you need to enable the EventBridge service role EB_QCSRole and grant permissions related to the service role to call other services. To do so, go to the EventBridge console and grant permissions as instructed:
Granting permissions to sub-account
Note:
Before a sub-account can use EventBridge, you need to log in to the CAM console with the root account to check whether the EB_QCSRole role is created successfully. If not, create the role and grant permissions to it according to Grant permissions with the root account. Otherwise, the sub-account cannot use the EventBridge console properly nor call other resources on the cloud via EventBridge.
1. Log in to the CAM console with the root account, select a corresponding sub-account, and select Associate Policy.
2. Select Select policies from the policy list > Create Custom Policy.
3. Select Create by Policy Syntax > Blank Template. Enter the policy name and enter the following syntax content in Policy Content:
{
"version":"2.0",
"statement":[
{
"effect":"allow",
"action":[
"apigw:DescribeServicesStatus",
"apigw:DescribeApi",
"apigw:DescribeService",
"apigw:CreateService",
"cam:ListGroups",
"cam:DescribeSubAccountContacts",
"cam:GetRole",
"cam:GetGroup",
"scf:ListNamespaces",
"scf:ListFunctions",
"scf:ListVersionByFunction",
"scf:ListAliases",
"scf:CreateFunction",
"scf:GetFunction",
"tdmq:CreateSubscription",
"tdmq:ResetMsgSubOffsetByTimestamp",
"tdmq:DescribeClusters",
"tdmq:DescribeEnvironments",
"tdmq:DescribeTopics",
"tdmq:DescribeSubscriptions",
"ckafka:DescribeInstanceAttributes",
"ckafka:DescribeInstances",
"ckafka:DescribeTopic",
"ckafka:DescribeRoute",
"cls:DescribeTopics",
"cls:DescribeLogsets",
"cls:SearchLog",
"cls:DescribeLogsets",
"cls:DescribeTopics",
"monitor:GetMonitorData",
"monitor:DescribeAlarmNotices",
"cam:CreateRole",
"cloudaudit:*",
"dts:DescribeSubscribes",
"es:DescribeInstances",
"tag:DescribeTagKeys",
"tag:DescribeTagValues"
],
"resource":"*"
}
]
}
4. Bind the custom policy and the preset policy QcloudEBFullAccess with the sub-account. Then the sub-account can use the service properly.
