tencent cloud

Granting Tag-Level Permissions to Sub-accounts
Last updated: 2026-01-20 16:52:40

Scenarios

You can use the policy feature in the Cloud Access Management (CAM) console to grant sub-accounts read/write permissions on TDMQ for CKafka (CKafka) resources that are owned by the root account and bound with tags, by using tag-based authorization. Sub-accounts that are granted these permissions can control the resources under the corresponding tags.

Prerequisites

A sub-account has been created for an employee using the Tencent Cloud root account. For detailed operations, see Creating a Sub-account.
At least one CKafka instance has been created.
At least one tag is available. If not, see Configuring Resource Tags to create one.

Operation Steps

Step 1: Binding Tags to Resources

1. Log in to the CKafka console by using the root account, and click Instance List in the left sidebar.
2. Select the target instance, click Edit Tag, and bind resource tags to the instance.


Step 2: Authorizing Permissions by Tag

1. Log in to the CAM console.
2. In the left sidebar, select Policies, click Create a custom policy, and select Authorize by Tag for the policy creation method.
3. In the visualized policy generator, enter ckafka in Service for filtering, select CKafka(ckafka) from the results, and select All Actions (*) for Action. You can also select the corresponding operations as needed.
Note:
All APIs of the service are included in the allowed operations. Use the Whether tag-based authorization is supported filter to check which APIs support authorization by tag.
Yes: APIs that support tag-based authorization. These APIs have operation permissions for the resources associated with the tags.
No: APIs that do not support tag-based authorization. In subsequent steps, you can choose whether to grant these APIs operation permissions for all resources.
To authorize multiple services, click Add in the upper-left corner to add more authorization statements and configure authorization policies for the other services.
4. In the Select a Tag section, select the tag keys and tag values bound to the cluster resources. You can select multiple tag keys and tag values.
5. In the Select Condition Key section, select condition keys. You can select both resource_tag and request_tag, or select either one of them.

6. Decide whether to select the option Whether to grant permission "resource": "*" to APIs that do not support Tag. If you select this option, APIs that do not support tags will have operation permissions for all resources.
7. Click Next and set the policy name. The policy name is automatically generated by the console and is set to policygen by default, with a suffix number generated based on the creation date. You can customize it.
8. Click Select User or Select User Group to select the users or user groups to be granted resource permissions.



9. Click Completed. The relevant sub-accounts can control resources under the specified tags based on the policy.
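One way to review a policy created by these steps for the effect of step 6, as an added example that is not part of the original page or Tencent Cloud's own code: it lists the actions a policy allows on every resource without a resource_tag or request_tag condition. The policy JSON layout (including the `qcs:` key prefix and the `key&value` tag format), the env=prod tag and the second action name are assumptions constructed for illustration.

```python
# Constructed sample (not from the page): assumed shape of a policy created for
# the tag env=prod with the step 6 option selected. The second action name is a
# hypothetical placeholder for an API that does not support tags.
SAMPLE_POLICY = {
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": ["ckafka:*"],
            "resource": "*",
            "condition": {
                "for_any_value:string_equal": {
                    "qcs:resource_tag": ["env&prod"],
                    "qcs:request_tag": ["env&prod"],
                }
            },
        },
        {"effect": "allow", "action": ["ckafka:HypotheticalUntaggedAction"], "resource": "*"},
    ],
}

TAG_KEYS = ("resource_tag", "request_tag")


def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return value if isinstance(value, list) else [value]


def has_tag_condition(statement):
    """True if a condition operator constrains resource_tag or request_tag."""
    conditions = statement.get("condition", {})
    return any(key.split(":")[-1] in TAG_KEYS for keys in conditions.values() for key in keys)


def untagged_wildcard_grants(policy):
    """Return allowed actions that apply to every resource with no tag condition."""
    findings = []
    for st in _as_list(policy.get("statement", [])):
        if str(st.get("effect", "")).lower() != "allow":
            continue
        if "*" in _as_list(st.get("resource", [])) and not has_tag_condition(st):
            findings.extend(_as_list(st.get("action", [])))
    return findings


if __name__ == "__main__":
    for action in untagged_wildcard_grants(SAMPLE_POLICY):
        print("allowed on all resources, no tag condition:", action)
```

Run it against the policy JSON copied from the CAM console before attaching the policy to users or user groups; an empty result means every allowed action is scoped by a tag condition.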
