Tencent Cloud

Cloud Access Management

Implementing Attribute-Based Access Control for Employee Resource Permissions Management
Last updated: 2024-01-23 17:59:15

Overview

Within Tencent Cloud, permissions can be expressed in terms of tags through attribute-based access control (ABAC) policies. Tags are attached to CAM sub-users, roles and individual cloud resources, and permission policies then use tag condition keys to grant access based on the tags carried by the requesting identity. When access to Tencent Cloud resources is controlled by tags, adding a team or a resource is a matter of tagging it correctly rather than rewriting the authorization policies, which makes the scheme considerably more flexible.
This document describes how to create a tagged CAM role for employees, together with a policy that grants the role access to the resources whose tags match the role's attributes. When an employee sends a request to Tencent Cloud through this role, it is allowed or denied according to whether the role's tag matches the resource's tag, so employees can view or operate on only the resources they need for their work.

Usage Examples

Assume that gaming company A has two projects, webpage and app: employee M is a developer on the webpage project and employee N is a developer on the app project. The authorization policy must ensure that employees on different teams can reach the resources their work requires, while remaining easy to extend as the company grows.

For products that support ABAC policies, you can create an authorization policy based on resource tags and CAM role tags. When an employee accesses Tencent Cloud through a combined identity (a sub-user that has switched to a role), the employee's attributes are applied as tags on the Tencent Cloud side, and ABAC then approves or rejects the access based on those attributes.
Description
For products that support tag-based authorization, see Tagging-enabled Services.
For the tag condition keys supported in authorization policies, see Conditions.
Based on the projects and teams above, we define the following tags:
game-project = web (resources of the webpage project)
game-project = app (resources of the app project)
web = dev (developers on the webpage project)
app = dev (developers on the app project)
game = dev (the role shared by webpage and app developers)

How It Works

1. Employees log in with their CAM sub-user credentials and then switch to the CAM role for their team and project.
2. Roles for similar positions share the same policy; the tags decide whether an operation is approved or rejected.

Verification Scenario

Assume there are two CVM instances, ins-78qewdr8 (tagged game-project:app) and ins-7txjj4a6 (tagged game-project:web), belonging to the app and webpage projects respectively.
Verification point 1: after logging in with different CAM sub-users, each employee can access only the CVMs of their own project.
Verification point 2: employee N changes position and also needs access to the webpage project; the permissions must be adjusted quickly.
Verification point 3: the company adds a new H5 project; permissions for the new project must be granted to its developers quickly.

Directions

Step 1: Create tagged CAM sub-users.

1. Create a custom policy named access-assume-role. It allows assuming the ABAC role only when the sub-user's tag value matches the role's tag value (the string game&${qcs:principal_tag_value} is compared against the role's tags), and additionally lets the sub-user list its own tags and the roles it may switch to:
Description
For detailed steps on creating a CAM policy, see the Policies section of the User Guide.
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "sts:AssumeRole"
      ],
      "resource": "*",
      "condition": {
        "for_any_value:string_equal": {
          "qcs:resource_tag": [
            "game&${qcs:principal_tag_value}"
          ]
        }
      }
    },
    {
      "effect": "allow",
      "action": [
        "cam:ListUserTags",
        "cam:ListLoginRoles"
      ],
      "resource": [
        "*"
      ]
    }
  ]
}
2. Create the CAM sub-users m-developer and n-developer, attach the access-assume-role policy to both, and bind the following tags to them.
Description
For a detailed guide on creating CAM sub-users, see Creating Sub-User.
Sub-user name    Associated tag
m-developer      web=dev
n-developer      app=dev

Step 2: Create an ABAC Policy

1. Create a custom policy named access-resource-project (using the CVM product as the example) with the following content. The first statement governs requests that carry tags (for example creating an instance), the second governs existing resources by their tags, and the third grants a few supporting read-only actions (VPC, disk and tag lookups) without any tag condition:
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": "cvm:*",
      "resource": "*",
      "condition": {
        "for_any_value:string_equal": {
          "qcs:request_tag": [
            "game-project&${qcs:principal_tag_key}"
          ]
        }
      }
    },
    {
      "effect": "allow",
      "action": "cvm:*",
      "resource": "*",
      "condition": {
        "for_any_value:string_equal": {
          "qcs:resource_tag": [
            "game-project&${qcs:principal_tag_key}"
          ]
        }
      }
    },
    {
      "effect": "allow",
      "action": [
        "vpc:DescribeVpcEx",
        "vpc:DescribeSubnetEx",
        "vpc:DescribeNetworkInterfaces",
        "cvm:DescribeDiskSecurityConfigurations",
        "cvm:DescribeCbsStorages",
        "tag:DescribeTagKeys",
        "tag:DescribeTagValues"
      ],
      "resource": [
        "*"
      ]
    }
  ]
}
In both conditions the fixed tag key game-project is concatenated with ${qcs:principal_tag_key}, the tag key carried by the requesting identity (web or app, taken from the sub-user's tag that is selected when switching roles). The request tag or resource tag must therefore equal game-project=web or game-project=app respectively, so a role session can only reach the resources of its own project.
2. Create the role access-developer-role, attach the policy above and bind the following tag.
Description
For detailed steps on creating a CAM role, see Creating Roles.
CAM role name          Associated tag
access-developer-role  game=dev

Step 3: Verify the scenario.

Verification point 1: after logging in with each sub-user, only the CVMs of the corresponding project are accessible.

1. Log in to the Tencent Cloud console as the sub-user m-developer. In the upper-right corner of the console, click Switch Role.

2. On the Switch Role page, select access-developer-role as the role name, then click Switch Role.

3. Once in the Tencent Cloud console as the role, open the Instances page of CVM. If only ins-7txjj4a6 (tagged game-project:web) is visible in the CVM console, the result meets the expectation.

4. Log out and log in to the Tencent Cloud console as the sub-user n-developer. Click Switch Role and select access-developer-role as the role name; the alias is displayed as n-developer-app. Then click Switch Role.

5. Once in the console as the role, open the CVM Instances page. If only ins-78qewdr8 (tagged game-project:app) is visible in the CVM console, the result meets the expectation.


Verification point 2: employee N changes position and also needs permissions for the webpage project. How should this be set up?

In this scenario it is enough to add the tag web=dev to the sub-user n-developer (which already carries app=dev) on the user details page of the CAM console; neither policy needs to change.

1. Log in to the Tencent Cloud console as the sub-user n-developer and, in the upper-right corner under the account, click Switch Role.
2. On the Switch Role page, select web as the application, access-developer-role as the role and n-developer-web as the alias, then click Switch Role.

3. Once in the console as the role, open the CVM Instances page. If only ins-7txjj4a6 (tagged game-project:web) is visible in the CVM console, the result meets the expectation.


Verification point 3: the company adds a new H5 project. How should the permission policy be adjusted?

Adding the H5 project requires no change to either policy. All that is needed is to:
1. Tag the H5 project's resources and create sub-users for the colleagues developing it, following the convention above (for example game-project=h5 on the resources and h5=dev on the sub-users).
2. Attach the access-assume-role policy to those sub-users. Because access-developer-role carries game=dev, the new sub-users can switch to it, and the condition game-project&${qcs:principal_tag_key} then resolves to game-project&h5, which matches only the H5 resources.
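The two policies and the three verification points are easiest to understand by executing them. The following Python evaluator is an added example and not Tencent Cloud code: it embeds the two policy documents and the scenario tags from this page (Steps 1 to 3), models for_any_value:string_equal on qcs:resource_tag and qcs:request_tag with ${qcs:principal_tag_key} / ${qcs:principal_tag_value} substitution, and runs verification points 1 to 3 against them. It assumes, as the Switch Role steps imply but the page does not state outright, that the application chosen when switching selects which of the sub-user's tags becomes the session's principal tag. ins-h5example is a constructed instance ID for the H5 case, and the tag web=ops used below is constructed to show a refused switch.

```python
"""Added example, not Tencent Cloud code: evaluates the tag conditions of the
access-assume-role and access-resource-project policies from this page and
runs the three verification points against them. Assumes (inferred from the
walkthrough) that the 'application' picked on Switch Role selects which of the
sub-user's tags becomes the session principal tag."""
import fnmatch

# Policy statements copied from the page.
ASSUME_ROLE_POLICY = {"statement": [
    {"effect": "allow", "action": ["sts:AssumeRole"], "resource": "*",
     "condition": {"for_any_value:string_equal": {
         "qcs:resource_tag": ["game&${qcs:principal_tag_value}"]}}},
    {"effect": "allow", "action": ["cam:ListUserTags", "cam:ListLoginRoles"],
     "resource": ["*"]}]}
RESOURCE_POLICY = {"statement": [
    {"effect": "allow", "action": "cvm:*", "resource": "*",
     "condition": {"for_any_value:string_equal": {
         "qcs:request_tag": ["game-project&${qcs:principal_tag_key}"]}}},
    {"effect": "allow", "action": "cvm:*", "resource": "*",
     "condition": {"for_any_value:string_equal": {
         "qcs:resource_tag": ["game-project&${qcs:principal_tag_key}"]}}},
    {"effect": "allow", "resource": ["*"], "action": [
        "vpc:DescribeVpcEx", "vpc:DescribeSubnetEx", "vpc:DescribeNetworkInterfaces",
        "cvm:DescribeDiskSecurityConfigurations", "cvm:DescribeCbsStorages",
        "tag:DescribeTagKeys", "tag:DescribeTagValues"]}]}

# Scenario data from the page: the role carries game=dev.
ROLE_TAGS = {"game": "dev"}
CVMS = {"ins-78qewdr8": {"game-project": "app"},
        "ins-7txjj4a6": {"game-project": "web"}}
USERS = {"m-developer": {"web": "dev"}, "n-developer": {"app": "dev"}}


def expand(pattern, principal_tag):
    """Substitute the session principal tag (key, value) into a condition value."""
    key, value = principal_tag
    return (pattern.replace("${qcs:principal_tag_key}", key)
                   .replace("${qcs:principal_tag_value}", value))


def condition_holds(condition, principal_tag, resource_tags, request_tags):
    """Every condition key must match; a key matches when some expanded pattern
    equals some 'key&value' literal of the tag set it refers to. Only
    for_any_value:string_equal is modelled; anything else fails closed."""
    sources = {"qcs:resource_tag": resource_tags, "qcs:request_tag": request_tags}
    for operator, keys in condition.items():
        if operator != "for_any_value:string_equal":
            return False
        for cond_key, patterns in keys.items():
            tags = sources.get(cond_key)
            if tags is None:
                return False
            literals = {f"{k}&{v}" for k, v in tags.items()}
            if not any(expand(p, principal_tag) in literals for p in patterns):
                return False
    return True


def is_allowed(policy, action, principal_tag, resource_tags=None, request_tags=None):
    """True if an allow statement names the action and its condition holds
    (the page's policies have no deny statements, so none are ordered here)."""
    for stmt in policy["statement"]:
        actions = stmt["action"] if isinstance(stmt["action"], list) else [stmt["action"]]
        if stmt["effect"] != "allow" or not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if condition_holds(stmt.get("condition", {}), principal_tag,
                           resource_tags or {}, request_tags or {}):
            return True
    return False


def switch_role(user_tags, application):
    """Console Switch Role: the chosen application is one of the sub-user's tag
    keys; access-assume-role then requires the role to carry game=<that value>.
    Returns the session principal tag, or None if the switch is refused."""
    if application not in user_tags:
        return None
    principal_tag = (application, user_tags[application])
    if is_allowed(ASSUME_ROLE_POLICY, "sts:AssumeRole", principal_tag, resource_tags=ROLE_TAGS):
        return principal_tag
    return None


def visible_cvms(session_tag, cvms=CVMS):
    """Instances the role session may describe under access-resource-project."""
    if session_tag is None:
        return []
    return sorted(i for i, tags in cvms.items()
                  if is_allowed(RESOURCE_POLICY, "cvm:DescribeInstances", session_tag, tags))


if __name__ == "__main__":
    print(visible_cvms(switch_role(USERS["m-developer"], "web")))  # ['ins-7txjj4a6']
    print(visible_cvms(switch_role(USERS["n-developer"], "app")))  # ['ins-78qewdr8']
    print(switch_role(USERS["n-developer"], "web"))                # None: no web tag yet
    n_developer = dict(USERS["n-developer"], web="dev")            # verification point 2
    print(visible_cvms(switch_role(n_developer, "web")))           # ['ins-7txjj4a6']
    h5_cvms = dict(CVMS, **{"ins-h5example": {"game-project": "h5"}})  # constructed id
    print(visible_cvms(switch_role({"h5": "dev"}, "h5"), h5_cvms))  # ['ins-h5example']
```

Running the block prints the instance list for each verification point. Two consequences of the policies that the console walkthrough does not show are worth checking with is_allowed directly: the qcs:request_tag statement means a session can create a CVM (cvm:RunInstances) only if the request carries its own game-project tag, so a request tagged for another project or left untagged is refused; and a sub-user whose tag value is not dev cannot switch to the role at all, because game&${qcs:principal_tag_value} no longer equals the role's game=dev.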

