When you use TDMQ for CKafka (CKafka), you may need to access other cloud product resources such as Virtual Private Cloud (VPC) and Cloud Virtual Machine (CVM) in specific scenarios, such as viewing the availability zone (AZ) information of user subnets. Therefore, the root account needs to grant sub-accounts appropriate call permissions for other cloud products based on actual requirements.
Prerequisites
A sub-account has been created for an employee using the Tencent Cloud root account. For detailed operations, see Creating a Sub-account.
Operation Steps
Creating a Custom Policy for Accessing Other Cloud Products
2. In the left sidebar, select Policies and click Create a custom policy. In the pop-up window for selecting a policy creation method, select Create by policy syntax to go to the Create by Policy Syntax page.
3. On the Create by Policy Syntax page, select Blank Template and click Next.
4. Referring to the API table and policy syntax below, create a custom policy that grants sub-accounts only the permissions they actually need to call other cloud products, and click Complete after specifying all information.
When CKafka is used, the cloud product APIs listed below are called on the sub-account's behalf. The root account should grant these specific permissions to sub-accounts so that they can use the corresponding CKafka features. The following table describes the calls to other cloud products that the custom policy must cover.
| Cloud product | API | Description | Where CKafka uses it |
| --- | --- | --- | --- |
| CVM | DescribeZones | Queries AZs. | Viewing the AZ of a subnet when an instance is created |
| VPC | DescribeVpcs | Queries the VPC list. | Selecting the VPC to which the instance access address belongs when an instance is created |
| VPC | DescribeSubnets | Queries the subnet list. | Selecting the subnet to which the instance access address belongs when an instance is created |
| Tencent Cloud Observability Platform (TCOP) (Monitor) | GetMonitorData | Pulls metric monitoring data. | Viewing monitoring data in CKafka |
| TCOP (Monitor) | DescribeDashboardMetricData | Pulls metric monitoring data. | Viewing monitoring data in CKafka |
| TCOP (Monitor) | DescribeBaseMetrics | Pulls the metric monitoring list. | Viewing the CKafka monitoring list |
| TCOP (Monitor) | DescribeDashboardMetrics | Pulls metric monitoring dimensions. | Viewing monitoring dimensions in CKafka |
| TCOP (Monitor) | DescribeMonitorProductByIds | Pulls monitoring configurations. | Querying the monitoring product list by ID |
| TCOP (Monitor) | DescribeOneClickAlarmConfigs | Queries one-click alarm configuration. | Querying one-click alarm configuration |
| TCOP (Monitor) | DescribeDashboardNamespaces | Pulls namespace data. | Querying Dashboard 2.0 namespace data |
| Tags | DescribeResourceTagsByResourceIds | Queries resource tags. | Viewing resource tags of a cluster |
A policy syntax example is as follows:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cvm:DescribeZones",
                "vpc:DescribeVpcs",
                "vpc:DescribeSubnets",
                "monitor:GetMonitorData",
                "monitor:DescribeDashboardMetricData",
                "monitor:DescribeBaseMetrics",
                "monitor:DescribeDashboardMetrics",
                "monitor:DescribeMonitorProductByIds",
                "monitor:DescribeOneClickAlarmConfigs",
                "monitor:DescribeDashboardNamespaces",
                "tag:DescribeResourceTagsByResourceIds"
            ],
            "resource": [
                "*"
            ]
        }
    ]
}
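The following is an added example (not Tencent Cloud's own code) that builds the policy document above from the API table and lints a policy before it is attached to a sub-account, flagging any action outside the table or any action that is not read-only. The rule that read-only APIs are named Describe*/Get* is an assumption of this example.

```python
import json

# (service prefix, API name) rows from the API table on this page.
CKAFKA_DEPENDENCIES = [
    ("cvm", "DescribeZones"),
    ("vpc", "DescribeVpcs"),
    ("vpc", "DescribeSubnets"),
    ("monitor", "GetMonitorData"),
    ("monitor", "DescribeDashboardMetricData"),
    ("monitor", "DescribeBaseMetrics"),
    ("monitor", "DescribeDashboardMetrics"),
    ("monitor", "DescribeMonitorProductByIds"),
    ("monitor", "DescribeOneClickAlarmConfigs"),
    ("monitor", "DescribeDashboardNamespaces"),
    ("tag", "DescribeResourceTagsByResourceIds"),
]
ALLOWED_ACTIONS = {f"{svc}:{api}" for svc, api in CKAFKA_DEPENDENCIES}

def build_policy() -> dict:
    """Policy document granting exactly the table's APIs, on all resources."""
    return {
        "version": "2.0",
        "statement": [{
            "effect": "allow",
            "action": sorted(ALLOWED_ACTIONS),
            "resource": ["*"],
        }],
    }

def is_read_only(action: str) -> bool:
    """Read-only APIs are named Describe*/Get* (assumption); wildcards fail."""
    api = action.partition(":")[2]
    return api.startswith(("Describe", "Get"))

def lint_policy(policy) -> list:
    """Findings for anything widening the policy beyond the table (JSON text or dict)."""
    findings = []
    if isinstance(policy, str):
        policy = json.loads(policy)  # rejects malformed JSON, e.g. a trailing comma
    for stmt in policy.get("statement", []):
        if stmt.get("effect") != "allow":
            findings.append(f"unexpected effect: {stmt.get('effect')}")
        actions = stmt.get("action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action not in ALLOWED_ACTIONS:
                findings.append(f"action not in the CKafka table: {action}")
            if not is_read_only(action):
                findings.append(f"not a read-only action: {action}")
    return findings
```

Run `lint_policy` on the policy text pasted into the console before associating it; an empty list means the grant matches the table exactly.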
Associating a Custom Policy with a Sub-account
1. On the Policy Management list page, filter by Custom Policy, find the custom policy you created, and click Associate User/Group/Role in the Operation column.
2. Select the sub-account to be granted this permission and click OK to complete the authorization.
3. On the User List page, click the name of the sub-account to go to the user details page. The policy will be displayed in the policy list of the user.