Authorization Policy Syntax

Last updated: 2026-04-17 17:28:39

A policy is a syntax specification for a user's permission set. It precisely describes the set of authorized resources, the set of permitted operations, and the conditions under which the authorization applies.

CAM Policy Syntax

{
    "version":"2.0",
    "statement":
    [
        {
            "effect":"effect",
            "action":["action"],
            "resource":["resource"],
            "condition": {"key":{"value"}}
        }
    ]
}
The elements of the policy syntax are explained below.

Parameter: version
  Sub-parameter: none
  Required: yes
  Description: Currently only the value "2.0" is allowed.

Parameter: statement
  Sub-parameter: effect
  Required: yes
  Description: Indicates whether the statement results in "allow" or "explicit deny". Two values are possible: allow and deny (explicit deny).

  Sub-parameter: action
  Required: yes
  Description: Describes the allowed or denied actions. An action can be an API operation or a feature set (a specific group of APIs described with a permid prefix).

  Sub-parameter: resource
  Required: yes
  Description: Describes the specific data being authorized. A resource is described in a six-segment format; the details of the resource definition vary by product.

  Sub-parameter: condition
  Required: yes
  Description: Describes the conditions under which the policy takes effect. A condition consists of an operator, a key, and a value. Condition values may include time, IP addresses, and so on; some services allow other values to be specified in conditions.

Note:
statement describes one or more permissions in detail. It contains the elements effect, action, resource, and condition, which together form a permission or permission set. A policy has exactly one statement element.

Define action.

In CAM policy statements, you can specify any API operation from any service that supports CAM. For MongoDB, use APIs prefixed with mongodb:, such as mongodb:BackupDBInstance or mongodb:CreateAccountUser. When specifying multiple operations in a single statement, separate them with commas as shown below:
"action":["mongodb:action1","mongodb:action2"]
You can also use wildcards to specify multiple operations. For example, you can specify all operations that start with the word Describe, as shown below:
"action":["mongodb:Describe*"]
If you want to specify all operations in MongoDB, use the * wildcard as follows:
"action":["mongodb:*"]

Define resource.

Each CAM policy statement has its own resources that apply to it. The general format of resource paths is as follows:
qcs:project_id:service_type:region:account:resource
project_id: Describes the project. This segment exists only for compatibility with early CAM logic and does not need to be filled in.
service_type: The product abbreviation, such as mongodb.
region: The region of the resource, such as bj.
account: The root account of the resource owner, such as uin/12345678.
resource: The product-specific resource, such as instance/instance_id or instance/*.
You can specify the resource in the statement using a specific instance (cmgo-aw6g1g0z), as shown in the following example:
"resource":[ "qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"]
You can also use the * wildcard to specify all instances belonging to a specific account, as shown in the following example:
"resource":[ "qcs::mongodb:bj:uin/12345678:instance/*"]
If you want to specify all resources, or if a specific API operation does not support resource-level permissions, use the * wildcard in the resource element, as shown below:
"resource":["*"]
If you want to specify multiple resources in one statement, separate them with commas. The following is an example of specifying two resources:
"resource":["resource1","resource2"]
The resources that TencentDB for MongoDB can authorize, and how each is described in a policy, are shown in the following table. Words prefixed with $ are placeholders: $region is the region and $account is the account ID.

Resource Type: Instances
  qcs::mongodb:$region:$account:instance/*
  qcs::mongodb:$region:$account:instance/$instanceId
Resource Type: VPC
  qcs::vpc:$region:$account:vpc/$vpcId
Resource Type: Security group
  qcs::cvm:$region:$account:sg/$sgId

TencentDB for MongoDB system default permission policy

TencentDB for MongoDB supports the following system permission policies.

Policy: QcloudMongoDBFullAccess
  Description: Administrative permission for TencentDB for MongoDB. A sub-account granted this policy has permissions equivalent to those of the Tencent Cloud root account, that is, full operation permissions in both the console and the API.

Policy: QcloudMongoDBReadOnlyAccess
  Description: Read-only permission. A sub-account granted this policy has only read-only permission for all resources of the Tencent Cloud account and has no operation permissions in the console or the API.

The system permission policy QcloudMongoDBFullAccess is as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "monitor:GetMonitorData",
                "monitor:DescribeBaseMetrics",
                "mongodb:*"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
The system permission policy QcloudMongoDBReadOnlyAccess is as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "monitor:GetMonitorData",
                "monitor:DescribeBaseMetrics",
                "mongodb:Describe*"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}

TencentDB for MongoDB custom permission policy

TencentDB for MongoDB currently supports custom permission policies with resource-level permissions for the operations listed below.
Note:
A TencentDB for MongoDB API operation that is not listed in the table below does not support resource-level permissions. You can still grant a user permission to use such an operation, but the resource element of the policy statement must then be specified as *.
Every operation in the table accepts the same two resource descriptions:
  qcs::mongodb:$region:$account:instance/*
  qcs::mongodb:$region:$account:instance/$instanceId

Action name: Description
BackupDBInstance: Back up the database instance.
CreateAccountUser: Create an account.
CreateDBInstanceHour: Create a TencentDB for MongoDB instance (pay-as-you-go).
DeleteAccountUser: Delete an account.
DescribeAccountUsers: Query account user information.
DescribeBackupAccess: Obtain backup download authorization for an instance.
DescribeBackupRules: Obtain the backup rules of a cloud database instance.
DescribeClientConnections: Obtain client connections.
DescribeDBBackups: Query the backup task list of an instance.
DescribeDBInstances: List database instances.
DescribeInstanceDB: Query the database and table information of an instance.
DescribeSlowLog: Obtain slow log information.
DescribeSlowLogPattern: Obtain slow log statistics.
DescribeSpecInfo: Query the sales specifications of cloud databases.
ExchangeInstance: Replace the original instance with the temporary instance.
IsolateDBInstance: Isolate a cloud database instance.
ModifyDBInstanceSpec: Adjust the configuration of a cloud database instance.
OfflineIsolatedDBInstance: Decommission an isolated cloud database instance.
RemoveCloneInstance: Delete a temporary instance.
RenameInstance: Rename an instance.
RenewInstance: Renew a cloud database instance.
ResizeOplog: Adjust the oplog size of an instance.
RestartInstance: Restart an instance.
RestoreDBInstance: Restore a database instance.
SetAccountUserPrivilege: Set user permissions.
SetAutoRenew: Enable auto-renewal.
SetBackupRules: Configure backup rules.
SetInstanceFormal: Set a temporary instance as a permanent instance.
SetInstanceMaintenance: Set the instance maintenance period.
SetPassword: Set a password.
SetReadOnlyToNormal: Promote a read-only instance to a regular instance.
TerminateDBInstanceHour: Terminate a pay-as-you-go instance.
UpgradeDBInstanceHour: Upgrade a pay-as-you-go instance.

Custom Permission Policy Example

Grant a sub-account permission to perform the CreateDBInstance and CreateAccountUser operations on instance cmgo-aw6g****, and only from the IP address 10.0.0.4, as in the following example:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "mongodb:CreateDBInstance",
                "mongodb:CreateAccountUser"
            ],
            "resource": [
                "qcs::mongodb::uin/100001540306:instanceId/cmgo-aw6g****"
            ],
            "condition": {
                "ip_equal": {
                    "qcs:ip": [
                        "10.0.0.4"
                    ]
                }
            }
        }
    ]
}
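As an added example that is not part of the Tencent Cloud documentation, the following Python checker evaluates a request (action, resource) against a CAM policy in the syntax described above, applying the action wildcards from "Define action", the six-segment resource wildcards from "Define resource", and a least-privilege review check that flags statements shaped like QcloudMongoDBFullAccess. It assumes CAM's evaluation order (a matching explicit deny overrides any allow; a request no statement covers is implicitly denied), assumes an empty resource segment such as region matches any value, and does not evaluate the condition element; the sample policy is constructed.

```python
import fnmatch
import json

# Constructed sample policy (not from the documentation), in the syntax shown above.
POLICY = json.loads("""{
  "version": "2.0",
  "statement": [
    {"effect": "allow",
     "action": ["mongodb:Describe*", "mongodb:CreateAccountUser"],
     "resource": ["qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"]},
    {"effect": "deny", "action": ["mongodb:DeleteAccountUser"], "resource": ["*"]}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # CAM only defines the '*' wildcard; escape fnmatch's '?' and '[' so they stay literal.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]").replace("?", "[?]"))

def resource_matches(pattern, resource):
    """Compare six-segment qcs paths segment by segment. A bare '*' matches everything;
    an empty pattern segment (project_id, region) is assumed to match any value."""
    if pattern == "*":
        return True
    p, r = pattern.split(":"), resource.split(":")
    return len(p) == len(r) == 6 and all(ps == "" or _match(ps, rs) for ps, rs in zip(p, r))

def evaluate(policy, action, resource):
    """Decide a request: a matching explicit deny wins, then a matching allow,
    otherwise implicit deny (assumed CAM order). Conditions are not evaluated here."""
    decision = "deny"
    for stmt in policy["statement"]:
        if any(_match(a, action) for a in _as_list(stmt["action"])) and \
           any(resource_matches(r, resource) for r in _as_list(stmt["resource"])):
            if stmt["effect"] == "deny":
                return "deny"
            decision = "allow"
    return decision

def overbroad_statements(policy):
    """Indexes of allow statements pairing a service-wide action wildcard with
    resource '*', the shape of QcloudMongoDBFullAccess; flag these in a policy review."""
    return [i for i, s in enumerate(policy["statement"])
            if s["effect"] == "allow"
            and any(a == "*" or a.endswith(":*") for a in _as_list(s["action"]))
            and "*" in _as_list(s["resource"])]
```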

Creating a Custom Permission Policy

For the specific steps, log in to the Policy page of the CAM console and follow Create Custom Policy.
