tencent cloud

Cloud Access Management

Product Introduction
CAM Overview
Features
Scenarios
Basic Concepts
Use Limits
User Types
Purchase Guide
Getting Started
Creating Admin User
Creating and Authorizing Sub-account
Logging In to Console with Sub-account
User Guide
Overview
Users
Access Key
User Groups
Role
Identity Provider
Policies
Permissions Boundary
Troubleshooting
Downloading Security Analysis Report
CAM-Enabled Role
Overview
Compute
Container
Microservice
Essential Storage Service
Data Process and Analysis
Data Migration
Relational Database
Enterprise Distributed DBMS
NoSQL Database
Database SaaS Tool
Database SaaS Service
Networking
CDN and Acceleration
Network Security
Data Security
Application Security
Domains & Websites
Big Data
Middleware
Interactive Video Services
Real-Time Interaction
Media On-Demand
Media Process Services
Media Process
Cloud Real-time Rendering
Game Services
Cloud Resource Management
Management and Audit Tools
Developer Tools
Monitor and Operation
More
CAM-Enabled API
Overview
Compute
Edge Computing
Container
Distributed cloud
Microservice
Serverless
Essential Storage Service
Data Process and Analysis
Data Migration
Relational Database
Enterprise Distributed DBMS
NoSQL Database
Database SaaS Tool
Networking
CDN and Acceleration
Network Security
Endpoint Security
Data Security
Business Security
Application Security
Domains & Websites
Office Collaboration
Big Data
Voice Technology
Image Creation
Tencent Big Model
AI Platform Service
Natural Language Processing
Optical Character Recognition
Middleware
Communication
Interactive Video Services
Real-Time Interaction
Stream Services
Media On-Demand
Media Process Services
Media Process
Cloud Real-time Rendering
Game Services
Education Sevices
Medical Services
Cloud Resource Management
Management and Audit Tools
Developer Tools
Monitor and Operation
More
Use Cases
Security Practical Tutorial
Multi-Identity Personnel Permission Management
Authorizing Certain Operations by Tag
Supporting Isolated Resource Access for Employees
Enterprise Multi-Account Permissions Management
Reviewing Employee Operation Records on Tencent Cloud
Implementing Attribute-Based Access Control for Employee Resource Permissions Management
During tag-based authentication, only tag key matching is supported
Business Use Cases
TencentDB for MySQL
CLB
CMQ
COS
CVM
VPC
VOD
Others
API Documentation
History
Introduction
API Category
Making API Requests
User APIs
Policy APIs
Role APIs
Identity Provider APIs
Data Types
Error Codes
FAQs
Role
Key
Others
CAM Users and Permissions
Glossary
DocumentationCloud Access ManagementUser GuideRoleResource-based Service Roles

Resource-based Service Roles

PDF
Focus Mode
Font Size
Last updated: 2024-01-23 17:52:00

Overview

A role is a virtual identity with an array of permissions. It serves to grant permissions of access to services, operations, and resources within Tencent Cloud to a role carrier. You can associate roles with cloud resources, allowing them to access other cloud product APIs based on Tencent Cloud Security Credential Service STS temporary keys (which can be periodically updated). Compared with direct control via persistent keys, this method further ensures the security of persistent keys under the account and allows more refined control and permission management via role association policies.

Advantages

After a CAM role is bound to cloud resources, the following features and advantages are bestowed:
Access Tencent Cloud's other cloud services through STS temporary keys. For more details, please refer to AssumeRole.
Assign roles with varying access policies to different resources, enabling differentiated access privileges across different cloud services, hence advocating precision granularity in permission control.
Be free from manually saving persistent keys within instances. Access rights can be swiftly altered and maintained by modifying the role's authorization.

Directions

Example: Binding a service role to a container instance

Scenario example: Allowing container instances to upload logs to the Cloud Log Service.
1. Create a policy, role-tke-cls.
(1) Enter the Tencent Cloud Console, and navigate to the Cloud Access Management > Policies page.
(2) Click Create Custom Policy, and customize a policy role-tke-cls.
(3) Customize a policy that allows log uploads (Note: different policies can be assigned to roles in different scenarios).

(4)The policy is created.
2. Create a role instance-role.
(1) Enter the Tencent Cloud Console, and navigate to the Cloud Access Management > Roles page.
(2) Click Create Role, and customize a role instance-role.
(3) Select Cloud Server (CVM) for the role carrier.

(4) The role is created.

3. Bind the role to the container instance.
(1) Enter the Tencent Cloud Console, and navigate to the Container Instance List page.
(2) Click New Instance. Set the container instance parameters based on your actual requirements.
(3) Select the pre-created role instance-role for the CAM role, and complete the binding.

Other Resource-based Service Roles

If you need to bind roles to your Tencent Kubernetes Engine - Container Instances, please refer to Binding a Role to a Container Instance. If you need to bind roles to your Serverless Cloud Function - Function Service, please refer to Role and Authorization. If you need to bind roles to your Cloud Server - Cloud Hosts, please refer to Managing Roles.

Previous Topic: Authorizing Sub-account with Role Assuming PolicyNext Topic: SSO Overview

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback