Granting Resource-Level Permissions to Sub-accounts
Last updated: 2026-01-20 16:52:40

Scenarios

You can use the policy feature in the Cloud Access Management (CAM) console to grant sub-accounts access permissions for TDMQ for CKafka (CKafka) resources owned by the root account. The sub-accounts that are granted these permissions can use the resources. This document describes how to grant permissions for the resources of a cluster to a sub-account. The operation steps for other resource types are similar.

Prerequisites

A sub-account has been created for an employee using the Tencent Cloud root account. For detailed operations, see Creating a Sub-account.
At least one CKafka instance has been created.

Operation Steps

Step 1: Obtaining the ID of a CKafka Cluster

1. Log in to the CKafka console by using the root account, and click an existing cluster instance ID to go to the details page.
2. On the Basic Info tab, the ID field is the ID of the current CKafka cluster.


Step 2: Creating an Authorization Policy

1. Log in to the CAM console.
2. In the left sidebar, select Policies, click Create a custom policy, and select Create by Policy Builder for the policy creation method.
3. In the visualized policy generator, keep Effect as Allow, enter ckafka in Service for filtering, and select CKafka (ckafka) from the results.

4. Select All Actions (Ckafka:*) for Action. You can also select only the operation types you want to grant.
Note:
Some APIs do not currently support resource authentication. For the APIs that do support it, the list displayed on the console page prevails.



5. In the Resource section, select Specific resources, and locate the ckafkaId resource type. You can check Any resource of this type (authorize all cluster resources) on the right, or click Add a six-segment resource description (authorize specific cluster resources). In the pop-up sidebar dialog box, enter the cluster ID in the Resource Prefix field.

6. In the Condition section, select whether to specify the source IP address based on actual business requirements. After a source IP address is specified, access to the specified operation is allowed only when requests come from the specified IP address.
7. Click Next and set the policy name. The policy name is automatically generated by the console and is set to policygen by default, with a suffix number generated based on the creation date. You can customize it.
8. Click Select User or Select User Group to select the users or user groups to be granted resource permissions.



9. Click Complete. The sub-account that has been granted resource permissions can now access the relevant resources.
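The policy built in Step 2 is stored as a CAM policy document. The following added example (not from the original page or from Tencent Cloud tooling) reviews such a document against the choices made in steps 4 to 6: all actions, any cluster, and no source IP condition. The field names follow CAM policy syntax; the function names are hypothetical, the region, UIN, cluster ID and IP range are constructed placeholders, and the exact resource path for a cluster is an assumption.

```python
import json

# Constructed sample: region, UIN, cluster ID and IP range are placeholders.
SAMPLE_POLICY = json.loads("""
{"version": "2.0",
 "statement": [{
   "effect": "allow",
   "action": ["ckafka:*"],
   "resource": ["qcs::ckafka:ap-guangzhou:uin/100000000001:ckafkaId/ckafka-example1"],
   "condition": {"ip_equal": {"qcs:ip": ["203.0.113.0/24"]}}}]}
""")

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def parse_resource(desc):
    """Split qcs:project:service:region:account:resource into named segments."""
    parts = desc.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-segment resource description: {desc!r}")
    names = ("prefix", "project", "service", "region", "account", "resource")
    return dict(zip(names, parts))

def has_source_ip(condition):
    """True if any condition operator constrains the qcs:ip key."""
    return any(isinstance(v, dict) and "qcs:ip" in v
               for v in (condition or {}).values())

def review_policy(policy):
    """Return (statement index, finding) pairs for broad allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("statement", [])):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue
        if any(a.lower() in ("*", "ckafka:*") for a in as_list(stmt.get("action"))):
            findings.append((i, "all-actions"))          # step 4
        for res in as_list(stmt.get("resource")):
            if res == "*":
                findings.append((i, "any-resource"))
                continue
            rtype, _, rid = parse_resource(res)["resource"].partition("/")
            if rtype == "ckafkaId" and rid in ("", "*"):
                findings.append((i, "any-cluster"))      # step 5
        if not has_source_ip(stmt.get("condition")):
            findings.append((i, "no-source-ip"))         # step 6
    return findings

if __name__ == "__main__":
    print(review_policy(SAMPLE_POLICY))
```

An empty result means the statement names specific actions, a specific cluster and a source IP range; each finding points at the step where a narrower choice is available.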
