tencent cloud


Granting Tag-Level Permissions to Sub-Accounts

Last updated: 2024-01-09 14:45:02


    This document describes how to use the root account to authorize sub-accounts at the tag level. After successful authorization, the sub-accounts will have the capability to control a certain resource under the authorized tag.


    You must have a Tencent Cloud root account and have activated the Cloud Access Management (CAM) service.
    Your root account must have at least one sub-account, and you have completed the authorization as instructed in Getting Access Authorization.
    You must have at least one CKafka cluster instance.
    You must have at least one tag, if you don’t have one, you can go to the Tag console > Tag List to create a new one.


    By using the policy feature in the CAM console, you can grant a sub-account full access to the tagged CKafka resources owned by the root account through the tag authorization. The following describes the detailed steps for granting the sub-account access to CKafka resources by tag

    Step 1. Bind tags to resources

    1. Log in to the CKafka console with root account, and enter the instance list page.
    2. Select the target instance, click Edit Tag in the upper left corner, and bind the resource tag to the instance.

    Step 2. Authorize by Tag

    1. Log in to the CAM console and click Policies on the left sidebar.
    2. Click Create Custom Policy > Authorize by Tag.
    3. In the visual policy generator, enter CKafka in Service to filter, and select CKafka (ckafka). Then, select All actions in Action, and you can also select the action type as needed.
    4. Click Next and enter a policy name as needed.
    5. Click Select Users or Select User Groups to select the users or user groups that need to be granted resource permissions.
    6. Click Complete. The sub-account can control the resources under the specified tag according to the policy.

    Managing Resource Tags

    You can also manage resource tags in a unified manner in the Tag console. The detailed operations are as follows.
    1. Log in to the Tag console.
    2. Select Resource Tag in the left navigation bar, select query conditions as needed, and select CKafka > ckafka-instance in Resource type.
    3. Click Query Resources.
    4. Select the required resources in the result and click Edit Tag to bind or unbind tags in batches.

    Other authorization methods

    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support