TencentDB for MongoDB
Authorization Policy Syntax

Last updated: 2025-08-08 15:52:23
A policy is a syntactic specification of a user's permission set. It precisely describes the set of authorized resources, the set of permitted or denied operations, and the conditions under which the authorization applies.

CAM Policy Syntax

{
    "version": "2.0",
    "statement": [
        {
            "effect": "effect",
            "action": ["action"],
            "resource": ["resource"],
            "condition": {"operator": {"key": ["value"]}}
        }
    ]
}
The following table describes the policy elements.
Parameter | Subparameter | Required | Description
version | N/A | Yes | Currently, only the value 2.0 is allowed.
statement | effect | Yes | The result of the statement: "allow" or "deny" (an explicit deny).
statement | action | Yes | The operation that is allowed or denied. It can be an API, or a feature set (a set of specific APIs, prefixed with permid).
statement | resource | Yes | The resources the statement applies to. All resources can be described in the six-segment format; each service defines its own resource types and their detailed descriptions.
statement | condition | No | The condition under which the statement takes effect. A condition consists of an operator, a condition key, and a condition value. Values may be a time, an IP address, etc., and some services support additional keys. The system policies shown below omit this element.
Note:
The statement element describes one or more permissions. It is an array whose objects are built from the other elements: effect, action, resource, and condition. A policy has exactly one statement element, which may contain several statement objects.

Defining an action

In a CAM policy statement, you can specify any API operation from any service that supports CAM. Operations of TencentDB for MongoDB use the mongodb: prefix, for example mongodb:BackupDBInstance or mongodb:CreateAccountUser. To specify multiple operations in a single statement, separate them with commas:
"action":["mongodb:action1","mongodb:action2"]
You can also use a wildcard to cover many operations at once. The following matches every operation whose name begins with Describe, which is how the read-only system policy below is written:
"action":["mongodb:Describe*"]
To specify all TencentDB for MongoDB operations, use the wildcard "*" alone:
"action":["mongodb:*"]

Defining a resource

Each CAM policy statement names the resources it applies to. A resource path has the following six-segment format:
qcs:project_id:service_type:region:account:resource
project_id carries project information. It exists only for compatibility with legacy CAM logic and can be left empty, which is why the examples below start with qcs::.
service_type is the product abbreviation, such as mongodb.
region is the region abbreviation, such as bj.
account is the root account that owns the resource, written as uin/<root account ID>, such as uin/12345678.
resource is the product-specific resource description, such as instance/instance_id or instance/*.
To scope a statement to a single instance (here, the instance with ID cmgo-aw6g1g0z), set resource as shown below:
"resource":[ "qcs::mongodb:bj:uin/12345678:instance/cmgo-aw6g1g0z"]
To cover all instances that the account owns in that region, use the wildcard "*" in place of the instance ID:
"resource":[ "qcs::mongodb:bj:uin/12345678:instance/*"]
To cover all resources, or when the API operation does not support resource-level permission control, use the wildcard "*" as the whole resource element:
"resource":["*"]
To specify multiple resources in a single statement, separate them with commas. The following example names two resources:
"resource":["resource1","resource2"]
The table below lists the resource types that TencentDB for MongoDB policies can reference and how each is written. Words prefixed with $ are placeholders: $region is a region abbreviation and $account is an account in the uin/<ID> form.
Resource Type | Resource Description Method in Authorization Policy
Instance (all) | qcs::mongodb:$region:$account:instance/*
Instance (single) | qcs::mongodb:$region:$account:instance/$instanceId
VPC | qcs::vpc:$region:$account:vpc/$vpcId
Security Group | qcs::cvm:$region:$account:sg/$sgId

Default Permission Policy of TencentDB for MongoDB

TencentDB for MongoDB provides the following system permission policies.
Policy Name | Note
QcloudMongoDBFullAccess | Full management permission for TencentDB for MongoDB. A Tencent Cloud sub-account granted this policy has the same TencentDB for MongoDB permissions as the root account, covering all console and API operations.
QcloudMongoDBReadOnlyAccess | Read-only permission. A Tencent Cloud sub-account granted this policy can view all TencentDB for MongoDB resources under the root account but cannot perform any modifying console or API operation.
The system permission policy QcloudMongoDBFullAccess is as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "monitor:GetMonitorData",
                "monitor:DescribeBaseMetrics",
                "mongodb:*"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
The system permission policy QcloudMongoDBReadOnlyAccess is as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "monitor:GetMonitorData",
                "monitor:DescribeBaseMetrics",
                "mongodb:Describe*"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}

Custom Permission Policy of TencentDB for MongoDB

Currently, TencentDB for MongoDB supports custom policies with resource-level permissions for the actions listed below.
Note:
TencentDB for MongoDB API operations not listed here do not support resource-level permissions. You can still authorize a user to perform such an operation, but the resource element of that statement must be "*"; a statement that pairs such an action with an instance-scoped resource does not grant the intended permission.
Every action in the table accepts either of the two resource forms: qcs::mongodb:$region:$account:instance/* (all instances of the account in the region) or qcs::mongodb:$region:$account:instance/$instanceId (a single instance). In the action element, write the name with the mongodb: prefix.
Action Name | Permission Description
BackupDBInstance | Backs up a database instance
CreateAccountUser | Creates an account
CreateDBInstanceHour | Creates a pay-as-you-go TencentDB for MongoDB instance
DeleteAccountUser | Deletes an account
DescribeAccountUsers | Queries the user information of an account
DescribeBackupAccess | Gets the permission to download an instance backup
DescribeBackupRules | Gets the backup rules of a TencentDB instance
DescribeClientConnections | Gets the number of client connections
DescribeDBBackups | Queries the list of backups of an instance
DescribeDBInstances | Queries the list of database instances
DescribeInstanceDB | Queries the collection/database information of an instance
DescribeSlowLog | Gets the slow log information
DescribeSlowLogPattern | Gets the slow log statistics
DescribeSpecInfo | Queries purchasable instance specifications
ExchangeInstance | Replaces the original instance with a temp instance
IsolateDBInstance | Isolates a TencentDB instance
ModifyDBInstanceSpec | Adjusts the configuration of a TencentDB instance
OfflineIsolatedDBInstance | Deactivates an isolated TencentDB instance
RemoveCloneInstance | Deletes a temp instance
RenameInstance | Renames an instance
RenewInstance | Renews a TencentDB instance
ResizeOplog | Adjusts the oplog size of an instance
RestartInstance | Restarts an instance
RestoreDBInstance | Restores a database instance
SetAccountUserPrivilege | Sets user permissions
SetAutoRenew | Sets auto-renewal
SetBackupRules | Sets backup rules
SetInstanceFormal | Promotes a temp instance to the primary instance
SetInstanceMaintenance | Sets the instance maintenance time
SetPassword | Sets a password
SetReadOnlyToNormal | Promotes a read-only instance to the primary instance
TerminateDBInstanceHour | Terminates a pay-as-you-go instance
UpgradeDBInstanceHour | Upgrades a pay-as-you-go instance
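Before attaching a custom policy it is worth checking it mechanically against the rules on this page: the version value, the effect values, the service prefix on every action, the six-segment qcs form and instance/ resource type, and the note above that an action without resource-level support may only be granted with resource "*". The following linter is an added example written for this page, not Tencent Cloud code; the action set is copied from the table above, while lint_policy, the finding messages and the two sample policies (one constructed with two typical mistakes, one corrected) are this example's own.

```python
"""Lint a custom TencentDB for MongoDB CAM policy against the rules on this page.

Added example, not Tencent Cloud code. Checks: version is "2.0", effect is allow
or deny, every action carries a service prefix, every non-"*" resource uses the
six-segment qcs form with the instance/... type, and a mongodb action that is
not in the resource-level table is granted only with resource "*".
"""
from typing import Dict, List

# Actions with resource-level permission support, copied from the table above.
RESOURCE_LEVEL_ACTIONS = frozenset({
    "BackupDBInstance", "CreateAccountUser", "CreateDBInstanceHour",
    "DeleteAccountUser", "DescribeAccountUsers", "DescribeBackupAccess",
    "DescribeBackupRules", "DescribeClientConnections", "DescribeDBBackups",
    "DescribeDBInstances", "DescribeInstanceDB", "DescribeSlowLog",
    "DescribeSlowLogPattern", "DescribeSpecInfo", "ExchangeInstance",
    "IsolateDBInstance", "ModifyDBInstanceSpec", "OfflineIsolatedDBInstance",
    "RemoveCloneInstance", "RenameInstance", "RenewInstance", "ResizeOplog",
    "RestartInstance", "RestoreDBInstance", "SetAccountUserPrivilege",
    "SetAutoRenew", "SetBackupRules", "SetInstanceFormal",
    "SetInstanceMaintenance", "SetPassword", "SetReadOnlyToNormal",
    "TerminateDBInstanceHour", "UpgradeDBInstanceHour",
})


def _as_list(value) -> List[str]:
    # The page writes "resource": "*" as a string and ["..."] as a list; accept both.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict) -> List[str]:
    """Return the findings for a policy; an empty list means every check passed."""
    findings: List[str] = []
    if policy.get("version") != "2.0":
        findings.append('version must be "2.0"')
    statements = policy.get("statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["statement must be a non-empty list"]
    for i, st in enumerate(statements):
        where = f"statement[{i}]"
        if st.get("effect") not in ("allow", "deny"):
            findings.append(f"{where}: effect must be allow or deny")
        resources = _as_list(st.get("resource"))
        if not resources:
            findings.append(f"{where}: resource is required")
        for r in resources:
            if r == "*":
                continue
            parts = r.split(":", 5)   # qcs:project_id:service_type:region:account:resource
            if len(parts) != 6 or parts[0] != "qcs":
                findings.append(f"{where}: resource {r!r} is not in the six-segment qcs form")
            elif parts[2] == "mongodb" and not parts[5].startswith("instance/"):
                findings.append(f"{where}: mongodb resource type must be instance/..., got {parts[5]!r}")
        actions = _as_list(st.get("action"))
        if not actions:
            findings.append(f"{where}: action is required")
        for a in actions:
            if ":" not in a:
                findings.append(f"{where}: action {a!r} lacks a service prefix such as mongodb:")
                continue
            service, name = a.split(":", 1)
            if service != "mongodb" or "*" in name:
                continue   # other services and wildcard actions are outside the table above
            if name not in RESOURCE_LEVEL_ACTIONS and resources != ["*"]:
                findings.append(f'{where}: mongodb:{name} has no resource-level support; its resource must be "*"')
    return findings


# Constructed sample with two mistakes a reviewer should catch: the resource type
# is written as instanceId/ instead of instance/, and CreateDBInstance (absent from
# the table above) is scoped to one instance instead of "*".
SAMPLE_WITH_MISTAKES = {
    "version": "2.0",
    "statement": [{
        "effect": "allow",
        "action": ["mongodb:CreateDBInstance", "mongodb:CreateAccountUser"],
        "resource": ["qcs::mongodb:bj:uin/100001540306:instanceId/cmgo-aw6g1g0z"],
        "condition": {"ip_equal": {"qcs:ip": ["10.0.0.4"]}},
    }],
}

# The same grant split into two statements, each scoped the way the table allows.
CORRECTED_SAMPLE = {
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": ["mongodb:CreateAccountUser"],
         "resource": ["qcs::mongodb:bj:uin/100001540306:instance/cmgo-aw6g1g0z"],
         "condition": {"ip_equal": {"qcs:ip": ["10.0.0.4"]}}},
        {"effect": "allow", "action": ["mongodb:CreateDBInstance"], "resource": "*",
         "condition": {"ip_equal": {"qcs:ip": ["10.0.0.4"]}}},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_WITH_MISTAKES):
        print(finding)
    print("corrected:", lint_policy(CORRECTED_SAMPLE))   # corrected: []
```

Run it before uploading a policy in the console; the two findings it reports for the flawed sample are exactly the cases that CAM would accept syntactically but that would not grant what the author intended.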


Custom permission policy example

To grant an account the CreateDBInstance and CreateAccountUser permissions on the "cmgo-aw6g****" instance, and to have the grant apply only to API requests whose source IP address is 10.0.0.4, create a policy as follows:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "mongodb:CreateDBInstance",
                "mongodb:CreateAccountUser"
            ],
            "resource": [
                "qcs::mongodb::uin/100001540306:instance/cmgo-aw6g****"
            ],
            "condition": {
                "ip_equal": {
                    "qcs:ip": [
                        "10.0.0.4"
                    ]
                }
            }
        }
    ]
}
Note that the resource is written in the instance/$instanceId form from the resource table above. Also, CreateDBInstance is not among the actions with resource-level support, so per the note in the previous section it must be granted with "*" as the resource: keep CreateAccountUser scoped to the instance in one statement and put CreateDBInstance in a second statement whose resource is "*".
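The sections on actions, resources and the example above describe how a request is matched against a statement: glob-style action names such as mongodb:Describe* and mongodb:*, a six-segment resource compared segment by segment with "*" wildcards, and an ip_equal condition on qcs:ip. The following evaluator is an added example written for this page, not Tencent Cloud code, and it implements those rules locally so you can test a policy against concrete requests before relying on it. It assumes, in addition to what the page states, that an empty pattern segment matches any value (the page leaves project_id empty, and region in the example above), that ip_equal values may be single hosts or CIDR blocks, that an explicit deny beats any allow, and that a request matched by no statement is denied; evaluate, match_action, match_resource, condition_holds and the sample policy are this example's own names, and the sample reuses the page's instance ID cmgo-aw6g1g0z.

```python
"""Evaluate a request against a TencentDB for MongoDB CAM policy.

Added example, not Tencent Cloud code. Matching follows this page: fnmatch-style
action patterns, six-segment qcs resources with "*" wildcards, and the ip_equal
condition on qcs:ip. Precedence (explicit deny beats allow, no match means denied)
and CIDR support in ip_equal are assumptions of this example.
"""
import fnmatch
import ipaddress
from typing import Dict, List, Optional, Union


def _as_list(value: Union[str, List[str]]) -> List[str]:
    # The page writes "resource": "*" as a string and ["..."] as a list; accept both.
    return value if isinstance(value, list) else [value]


def match_action(pattern: str, action: str) -> bool:
    # Patterns are "service:Name", "service:Prefix*", "service:*" or "*".
    return fnmatch.fnmatchcase(action, pattern)


def match_resource(pattern: str, resource: str) -> bool:
    # A bare "*" covers every resource. Otherwise both sides must have the six
    # segments qcs:project_id:service_type:region:account:resource, and each
    # pattern segment must be empty, "*" or a glob that matches the request segment.
    if pattern == "*":
        return True
    pat, res = pattern.split(":", 5), resource.split(":", 5)
    if len(pat) != 6 or len(res) != 6:
        return False
    return all(p in ("", "*") or fnmatch.fnmatchcase(r, p) for p, r in zip(pat, res))


def condition_holds(condition: Dict, ctx: Dict[str, str]) -> bool:
    # Only ip_equal over qcs:ip is modelled. Any other operator or key, or a
    # request without a source IP, counts as unsatisfied so that an unknown
    # clause never widens a policy.
    for operator, keys in condition.items():
        for key, values in keys.items():
            if operator != "ip_equal" or key != "qcs:ip" or "qcs:ip" not in ctx:
                return False
            src = ipaddress.ip_address(ctx["qcs:ip"])
            if not any(src in ipaddress.ip_network(v, strict=False) for v in values):
                return False
    return True


def evaluate(policy: Dict, action: str, resource: str,
             ctx: Optional[Dict[str, str]] = None) -> str:
    """Return "allow", "deny" (an explicit deny matched) or "implicit-deny"."""
    if policy.get("version") != "2.0":
        raise ValueError('only policy version "2.0" is defined')
    ctx = ctx or {}
    decision = "implicit-deny"
    for st in policy["statement"]:
        if not any(match_action(p, action) for p in _as_list(st["action"])):
            continue
        if not any(match_resource(p, resource) for p in _as_list(st["resource"])):
            continue
        if not condition_holds(st.get("condition", {}), ctx):
            continue
        if st["effect"] == "deny":
            return "deny"          # an explicit deny wins whatever else matched
        decision = "allow"
    return decision


# Constructed sample policy: an instance-scoped, IP-conditioned allow in the style
# of the example above, plus a blanket allow and an explicit deny for SetPassword
# added to show how precedence and the region segment interact.
INSTANCE = "qcs::mongodb:bj:uin/100001540306:instance/cmgo-aw6g1g0z"
SAMPLE_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow",
         "action": ["mongodb:Describe*", "mongodb:CreateAccountUser"],
         "resource": [INSTANCE],
         "condition": {"ip_equal": {"qcs:ip": ["10.0.0.4"]}}},
        {"effect": "allow", "action": ["mongodb:SetPassword"], "resource": "*"},
        {"effect": "deny", "action": ["mongodb:SetPassword"],
         "resource": ["qcs::mongodb:bj:uin/100001540306:instance/*"]},
    ],
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, "mongodb:DescribeDBInstances", INSTANCE, {"qcs:ip": "10.0.0.4"}))  # allow
    print(evaluate(SAMPLE_POLICY, "mongodb:DescribeDBInstances", INSTANCE, {"qcs:ip": "10.0.0.9"}))  # implicit-deny
    print(evaluate(SAMPLE_POLICY, "mongodb:SetPassword", INSTANCE))  # deny
    print(evaluate(SAMPLE_POLICY, "mongodb:SetPassword",
                   "qcs::mongodb:gz:uin/100001540306:instance/cmgo-aw6g1g0z"))  # allow
```

The last two calls show why the region segment matters: the deny statement is written for instances in bj, so the same SetPassword request against an instance in gz falls through to the blanket allow. When a deny is meant to cover every region, leave that segment empty or write "*" rather than naming one region.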

Creating a custom permission policy

You can create a custom policy on the Policies page in the CAM console. For detailed directions, see Creating Custom Policy.
