tencent cloud

SSL Certificate Service
Download PDF
Last updated: 2025-12-04 09:16:50
SSL Certificate Service
Last updated: 2025-12-04 09:16:50
Download PDF

Service roles and service-linked roles are predefined by Tencent Cloud services and, upon user authorization, the corresponding services can access and use resources by assuming these service-linked roles. This document provides detailed information on the use cases and associated authorization policies of these specific service-linked roles.

Product Role Name Role Types Role Entity
SSL Certification SSL_QCSLinkedRoleInCertificateWaf Service-Related Roles certificatewaf.ssl.cloud.tencent.com
SSL Certification SSL_QCSLinkedRoleInCertificateDependence Service-Related Roles certificatedependence.ssl.cloud.tencent.com
SSL Certification SSL_QCSLinkedRoleInReplaceLoadCertificate Service-Related Roles replaceloadcertificate.ssl.cloud.tencent.com
SSL Certification SSL_QCSLinkedRoleInCertificateCloudMonitor Service-Related Roles certificatecloudmonitor.ssl.cloud.tencent.com
SSL Certification SSL_QCSLinkedRoleInDescribeDeployedResources Service-Related Roles describedeployedresources.ssl.cloud.tencent.com

SSL_QCSLinkedRoleInCertificateWaf

Use Cases: The current role is the SSL service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

  • Policy Name: QcloudAccessForSSLLinkedRoleInCertificateWaf
  • Policy Information:
    {
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "action": [
              "waf:DescribeSpartaProtectionList",
              "waf:DescribeSpartaProtectionInfo",
              "waf:DescribeUserInstances",
              "waf:DescribeUserQPS",
              "waf:DescribePeakPoints",
              "waf:AddSpartaProtection",
              "waf:DeleteSpartaProtection",
              "waf:ModifySpartaProtection",
              "waf:ModifyProtectionStatus",
              "waf:DescribeDomains"
          ],
          "resource": [
              "*"
          ]
      }
  ]
}

SSL_QCSLinkedRoleInCertificateDependence

Use Cases: The current role is the SSL service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

  • Policy Name: QcloudAccessForSSLLinkedRoleInCertificateDependence
  • Policy Information:
    {
  "statement": [
      {
          "action": [
              "dnspod:CreateRecord",
              "dnspod:DescribeDomain",
              "dnspod:CreateDomain",
              "dnspod:DescribeRecordList",
              "dnspod:DeleteRecord",
              "dnspod:DescribeDomain",
              "dnspod:ModifyRecordStatus"
          ],
          "effect": "allow",
          "resource": "*"
      }
  ],
  "version": "2.0"
}

SSL_QCSLinkedRoleInReplaceLoadCertificate

Use Cases: The current role is the SSL service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

  • Policy Name: QcloudAccessForSSLLinkedRoleInReplaceLoadCertificate
  • Policy Information:
    {
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "action": [
              "clb:ReplaceCertForLoadBalancers",
              "waf:DescribeCertificatedDomain",
              "waf:ModifyCertificatedDomain",
              "live:DescribeLiveDomainsByCerts",
              "live:ModifyLiveDomainCertBindings",
              "antiddos:DescribeL7RulesBySSLCertId",
              "antiddos:CreateL7RuleCerts",
              "clb:DescribeLoadBalancerListByCertId",
              "clb:DescribeLoadBalancers",
              "clb:DescribeListeners",
              "clb:ModifyListener",
              "clb:ModifyDomainAttributes",
              "clb:DescribeTaskStatus",
              "cos:GetBucketDomain",
              "cos:GetBucketDomainCertificate",
              "cos:GetService",
              "cos:PutBucketDomainCertificate",
              "tke:DescribeClusters",
              "tke:AcquireClusterAdminRole",
              "tke:AcquireEKSClusterAdminRole",
              "lighthouse:DescribeSupportHttpsInstances",
              "lighthouse:InstallCertificate",
              "lighthouse:DescribeInstallCertificateTasks",
              "vod:DescribeVodDomainsByCertIds",
              "vod:ModifyVodDomainCertBindings",
              "vod:UpdateCertForVodDomains",
              "clb:DescribeLoadBalancerCount",
              "teo:ModifyHostsCertificateByHosts",
              "teo:DescribeHostsByCertID",
              "tcb:DescribeEnvs",
              "tcb:DescribeCloudBaseGWService",
              "tcb:DescribeHostingDomain",
              "tcb:BindCloudBaseAccessDomain",
              "tcb:CreateHostingDomain",
              "tcb:ModifyCloudBaseAccessDomain",
              "tcb:ModifyHostingDomain",
              "tse:ModifyCloudNativeAPIGatewayCertificate",
              "tse:DescribeCloudNativeAPIGatewayCertificates",
              "tse:DescribeCloudNativeAPIGateways",
              "cdn:DescribeCdnDomainsByCerts",
              "cdn:UpdateDomainHttps",
              "tcm:DescribeMeshList",
              "tcm:DescribeIstioGatewayList",
              "tcm:ModifyGatewayCert",
              "tdmq:ModifyRabbitMQCertificate",
              "tdmq:DescribeRabbitMQInstanceByCertificateId",
              "mqtt:DescribeInstanceListForSSL",
              "mqtt:BindServerCertificate",
              "mqtt:UnbindServerCertificate",
              "mqtt:ReplaceServerCertificate",
              "ga2:DescribeCertBindInstances",
              "ga2:ReplaceListenerAdditionalCert",
              "ga2:CreateListenerAdditionalCert",
              "ga2:DescribeTaskResult",
              "scf:ListCustomDomains",
              "scf:UpdateCustomDomain"
          ],
          "resource": [
              "*"
          ]
      }
  ]
}

SSL_QCSLinkedRoleInCertificateCloudMonitor

Use Cases: The current role is the SSL service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

  • Policy Name: QcloudAccessForSSLLinkedRoleInCertificateCloudMonitor
  • Policy Information:
    {
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "resource": [
              "*"
          ],
          "action": [
              "monitor:CreateAlarmPolicy",
              "monitor:DeleteAlarmPolicy",
              "monitor:DescribeAlarmPolicies",
              "monitor:ModifyAlarmPolicyStatus",
              "monitor:BindingPolicyObject",
              "monitor:UnBindingPolicyObject",
              "monitor:ModifyAlarmPolicyNotice",
              "monitor:CreateAlarmNotice",
              "monitor:DeleteAlarmNotices",
              "monitor:ModifyAlarmNotice",
              "monitor:DescribeAlarmNotices",
              "monitor:UnBindingAllPolicyObject"
          ]
      }
  ]
}

SSL_QCSLinkedRoleInDescribeDeployedResources

Use Cases: The current role is the SSL service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
Authorization Polices

  • Policy Name: QcloudAccessForSSLLinkedRoleInDescribeDeployedResources
  • Policy Information:
    {
  "version": "2.0",
  "statement": [
      {
          "effect": "allow",
          "action": [
              "clb:ReplaceCertForLoadBalancers",
              "waf:DescribeCertificatedDomain",
              "waf:ModifyCertificatedDomain",
              "live:DescribeLiveDomainsByCerts",
              "live:ModifyLiveDomainCertBindings",
              "antiddos:DescribeL7RulesBySSLCertId",
              "antiddos:CreateL7RuleCerts",
              "clb:DescribeLoadBalancerListByCertId",
              "cdn:UpdateDomainsCertificate",
              "teo:DescribeHostsByCertID",
              "teo:ModifyHostsCertificateByHosts"
          ],
          "resource": [
              "*"
          ]
      }
  ]
}
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No

Feedback