
Granting Access Permissions for Other Cloud Products to Sub-accounts

Last updated: 2026-01-20 16:52:39
When you use TDMQ for CKafka (CKafka), you may need to access other cloud product resources such as Virtual Private Cloud (VPC) and Cloud Virtual Machine (CVM) in specific scenarios, such as viewing the availability zone (AZ) information of user subnets. Therefore, the root account needs to grant sub-accounts appropriate call permissions for other cloud products based on actual requirements.

Prerequisites

A sub-account has been created for an employee using the Tencent Cloud root account. For detailed operations, see Creating a Sub-account.

Operation Steps

Creating a Custom Policy for Accessing Other Cloud Products

1. Log in to the Cloud Access Management (CAM) console with a root account.
2. In the left sidebar, select Policies and click Create a custom policy. In the pop-up window for selecting a policy creation method, select Create according policy syntax to go to the Create by Policy Syntax page.
3. On the Create by Policy Syntax page, select Blank Template and click Next.
4. You can refer to the following API table and policy syntax to grant sub-accounts appropriate permissions to call other cloud products based on actual requirements, create a custom policy, and click Complete after specifying all information.
When CKafka is used, calls to the following cloud products are involved. The root account should grant specific permissions to sub-accounts to ensure that the sub-accounts can use CKafka features. The following table describes calls to other cloud products involved in CKafka in the custom policy.
| Cloud Product | API Name | API Feature | Operations Affecting the Platform |
| --- | --- | --- | --- |
| CVM | DescribeZones | Queries AZs. | Viewing the AZ of a subnet when an instance is created |
| VPC | DescribeVpcs | Queries the VPC list. | Selecting the VPC to which the instance access address belongs when an instance is created |
| VPC | DescribeSubnets | Queries the VPC list. | Selecting the subnet to which the instance access address belongs when an instance is created |
| Tencent Cloud Observability Platform (TCOP) (Monitor) | GetMonitorData | Pulls metric monitoring data. | Viewing monitoring data in CKafka |
| TCOP (Monitor) | DescribeDashboardMetricData | Pulls metric monitoring data. | Viewing monitoring data in CKafka |
| TCOP (Monitor) | DescribeBaseMetrics | Pulls the metric monitoring list. | Viewing the CKafka monitoring list |
| TCOP (Monitor) | DescribeDashboardMetrics | Pulls metric monitoring dimensions. | Viewing monitoring dimensions in CKafka |
| TCOP (Monitor) | DescribeMonitorProductByIds | Pulls monitoring configurations. | Querying the monitoring product list by ID |
| TCOP (Monitor) | DescribeOneClickAlarmConfigs | Queries one-click alarm configuration. | Querying one-click alarm configuration |
| TCOP (Monitor) | DescribeDashboardNamespaces | Pulls namespace data. | Querying Dashboard 2.0 namespace data |
| Tags | DescribeResourceTagsByResourceIds | Queries resource tags. | Viewing resource tags of a cluster |

A policy syntax example is as follows:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cvm:DescribeZones",
                "vpc:DescribeVpcs",
                "vpc:DescribeSubnets",
                "monitor:GetMonitorData",
                "monitor:DescribeDashboardMetricData",
                "monitor:DescribeBaseMetrics",
                "monitor:DescribeDashboardMetrics",
                "monitor:DescribeMonitorProductByIds",
                "monitor:DescribeOneClickAlarmConfigs",
                "monitor:DescribeDashboardNamespaces",
                "tag:DescribeResourceTagsByResourceIds"
            ],
            "resource": [
                "*"
            ]
        }
    ]
}
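
Added example, not part of the Tencent Cloud documentation: a pre-submission check that a custom policy parses as strict JSON and allows only the read-only actions listed in the table above, reporting wildcards and any extra action. The names review_policy, DOC_ACTIONS, WIDENED and TRAILING_COMMA are hypothetical, and both sample policies are constructed for illustration.

```python
import json

# Actions from the API table above (all read-only Describe*/Get* calls).
DOC_ACTIONS = {
    "cvm:DescribeZones", "vpc:DescribeVpcs", "vpc:DescribeSubnets",
    "tag:DescribeResourceTagsByResourceIds",
} | {"monitor:" + name for name in (
    "GetMonitorData", "DescribeDashboardMetricData", "DescribeBaseMetrics",
    "DescribeDashboardMetrics", "DescribeMonitorProductByIds",
    "DescribeOneClickAlarmConfigs", "DescribeDashboardNamespaces")}


def as_list(value):
    """Accept a single value or a list, so both spellings are reviewed."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def review_policy(text):
    """Return findings for a policy document; an empty list means clean."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    findings = []
    for i, stmt in enumerate(as_list(policy.get("statement"))):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue  # deny statements cannot widen access
        for action in as_list(stmt.get("action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in DOC_ACTIONS:
                findings.append(f"statement {i}: action {action!r} is not in the table")
    return findings


# Constructed sample: a policy widened beyond the actions the table lists.
WIDENED = json.dumps({"version": "2.0", "statement": [{
    "effect": "allow",
    "action": ["cvm:DescribeZones", "vpc:*", "cvm:RunInstances"],
    "resource": ["*"]}]})
# Constructed sample: trailing comma after the last action; strict JSON rejects it.
TRAILING_COMMA = ('{"version": "2.0", "statement": [{"effect": "allow", '
                  '"action": ["cvm:DescribeZones",], "resource": ["*"]}]}')

if __name__ == "__main__":
    for name, doc in (("widened", WIDENED), ("trailing comma", TRAILING_COMMA)):
        print(name, review_policy(doc))
```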

Associating a Custom Policy with a Sub-account

1. On the Policy Management list page, click Custom Policy for filtering, find the created custom policy, and then click Associate User/Group/Role in the Operation column.



2. Select the sub-account to be granted this permission and click OK to complete the authorization.



3. On the User List page, click the name of the sub-account to go to the user details page. The policy will be displayed in the policy list of the user.




