tencent cloud


Authorization by Resource ID

Last updated: 2024-01-23 17:59:15


    This document describes how to grant permissions by resource ID to allow the sub-user cvmtest01 only to manage the resource-level APIs of ins-duglsqg0. For more information, see overview >>

    Policy Content

    To grant permissions by resource ID to implement the above need, use the following policy content:
    "version": "2.0",
    "statement": [
    "effect": "allow",
    "action": [
    "resource": [
    "qcs::cvm::uin/12345678:instance/ins-duglsqg0",// `12345678` is `UIN` of the root account
    "effect": "allow",
    "action": [
    "resource": [


    Step 1. Use the admin account to create a policy and configure permissions

    1. Log in to the CAM console with the admin account. On the Policy page, create a custom policy with the policy generator as instructed in Creating Custom Policy > Creating by policy generator.
    Effect: Allowed
    Service: CVM
    Operation: All
    Resource: Specific Resources > Add a custom six-segment resource description
    Enter the resource prefixes instance and image and resource IDs ins-duglsqg0 and img-eb30mz89 respectively.
    How to determine the resource prefix: You can view the CVM six-segment resource description in CAM APIs supported by CVM.
    In addition to CVM APIs, APIs of other Tencent Cloud products such as VPC will also be used on the CVM product page. In this example, you can skip them and directly generate the policy. However, during actual operations, you need to add such APIs as prompted in CAM.
    2. Click Next, name the policy cvm-test01, and grant it to the sub-account cvmtest01.
    3. Click Complete.

    Step 2. Use the sub-account to log in and verify permissions

    1. Log in to the CVM console with the sub-user account and enter the instance list page. The page prompts that DescribeVpcEx and relevant resource permissions of VPC are missing.
    2. Contact the admin account to add such permissions to the policy as prompted.

    Step 3. Use the admin account to adjust the policy content

    1. Use the root account to find the DescribeVpcEx API in the list of CAM APIs supported by VPC and verify that the API is at the operation level.
    2. On the Policy page in the CAM console, find the cvm-test01 policy and click its name to enter the policy details page.
    3. In the policy syntax, click Edit and add API authorization to the policy details in the format of operation-level API authorization.
    Before adding:
    After adding:
    4. Repeat step 2 to use the sub-account cvmtest01 to verify permissions again, and you can see that DescribeNetworkInterfaces and relevant resource access permissions of VPC are still missing. View the list of CAM APIs supported by VPC and verify that the DescribeNetworkInterfaces API is at the operation level.
    5. Repeat step 3 to adjust the policy content until the system no longer reports errors. The eventual policy content is as follows:
    When writing a CAM policy, if you want to manipulate a specific resource, you need to separate the resource-level API authorization from operation-level API authorization, but you can put multiple operation-level APIs together.

    Step 4. Verify the result

    Use the sub-user cvmtest01 to verify the policy again, and the expected effect is achieved. At this point, the sub-user cvmtest01 can start, shut down, restart, rename, and reset the password of the CVM instance.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support