tencent cloud

TDMQ for RocketMQ


Account Permission Management Overview

Last updated: 2026-01-23 17:34:03
To perform fine-grained permission management for TDMQ for RocketMQ resources, you can use Cloud Access Management (CAM) to achieve the following features:
User and permission assignment: Create independent users or roles for members of different functional departments based on the organizational structure of the enterprise. Assign dedicated security credentials (such as the console login password and cloud API key) or request temporary security credentials to ensure secure and controlled access to TDMQ for RocketMQ resources.
Fine-grained permission control: Set differentiated access policies based on employees' responsibilities to precisely control the types of operations each user or role can perform and the scope of resources they can access, achieving strict permission isolation.

Account System Introduction

The following table describes the capability differences among the account types. Sub-users, collaborators, and message recipients are the three kinds of sub-account.

Capability | Root Account | Sub-user | Collaborator | Message Recipient
Definition | Owns all Tencent Cloud resources under the account and can access any of them. | Created by the root account and fully owned by it. | Has its own root account identity; when added as a collaborator of another root account it becomes one of that account's sub-accounts, and it can switch back to its own root account identity. | Can only receive messages.
Console access | Yes | Yes | Yes | -
Programmatic access | Yes | Yes | Yes | -
Policy authorization | Owns all policies by default | Yes | Yes | -
Message notification | Yes | Yes | Yes | Yes
Note:
To ensure the security of your Tencent Cloud account and cloud resource usage, avoid using the Tencent Cloud root account to operate resources unless necessary. Instead, create sub-accounts, assign them policies based on the principle of least privilege, and use these sub-accounts with limited permissions to operate your cloud resources.

Policies

A policy is a syntax specification that defines one or more permissions. By default, the root account can access every resource under it, while a sub-account can access none of them until a policy says otherwise.
The root account grants permission to view and use specific resources by associating policies with users or user groups. Tencent Cloud policies come in two types: preset policies and custom policies.

Preset Policies

TDMQ for RocketMQ provides two preset policies for sub-accounts for each cluster version. Both are coarse-grained: they grant the listed level of access to every resource the service exposes, so prefer a custom policy when a sub-account only needs to reach specific clusters.

Version | Policy | Description
4.x | QcloudTDMQFullAccess | Full read/write permissions: the sub-account can perform read and write operations in the product console.
4.x | QcloudTDMQReadOnlyAccess | Read-only permissions: the sub-account can only view information in the console.
5.x | QcloudTrocketFullAccess | Full read/write permissions: the sub-account can perform read and write operations in the product console.
5.x | QcloudTrocketReadOnlyAccess | Read-only permissions: the sub-account can only view information in the console.

Custom Policies

If the preset policies do not meet your requirements, create custom policies to achieve least privilege. A custom policy can be specified down to the API, the resource, the user or user group, the allow/deny effect, and the condition, which gives fine-grained control over who can do what to which cluster.
Tencent Cloud provides two ways to create a custom policy:
Visual view: A wizard lets you pick the cloud service, operations, resources, and conditions on a page without knowing the policy syntax; the system generates the policy for you.
JSON view: Start from a policy template and edit it, or write the JSON policy directly in the editor. This is the better choice when you already know the policy syntax or want to keep policies in version control.
Custom policy example
A sub-account granted this policy has only the console and API permissions needed to query the instance details, consumer group details, and messages of the 5.x instance whose ID is rmq-xxxx (the resource named in the policy). Note that trocket:DescribeMessage returns message content, so even a read-only policy like this one exposes business data; scope the resource to exactly the instances that need to be inspected rather than using a wildcard.

{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "trocket:DescribeConsumerGroup",
                "trocket:DescribeInstance",
                "trocket:DescribeMessage"
            ],
            "resource": [
                "qcs::trocket::uin/1000****1002:instance/rmq-xxxx"
            ]
        }
    ]
}
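To make the least-privilege point concrete, here is an added example in Python (not code from this page or from Tencent Cloud): a small linter that parses the six-field qcs resource string (qcs:project:service:region:account:resource) and flags the patterns that defeat least privilege, such as a wildcard action or a "*" resource in an allow statement. PAGE_POLICY is the policy shown above; BROAD_POLICY, the function names, and the wording of the findings are constructed for this example.

```python
"""
Least-privilege linter for Tencent Cloud CAM policy documents (added example).

Assumptions (not from the page): the function names and the BROAD_POLICY
sample are constructed for illustration. The six-field qcs resource layout
(qcs:project:service:region:account:resource) and the version/statement
shape follow the CAM policy syntax used by the policy on the page.
"""
import json

# The custom policy quoted on the page: read-only access to one 5.x instance.
PAGE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "trocket:DescribeConsumerGroup",
        "trocket:DescribeInstance",
        "trocket:DescribeMessage"
      ],
      "resource": [
        "qcs::trocket::uin/1000****1002:instance/rmq-xxxx"
      ]
    }
  ]
}
""")

# Constructed counter-example: "just give them everything on the service".
BROAD_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": ["trocket:*"], "resource": ["*"]}
    ],
}


def parse_qcs(resource):
    """Split a six-field qcs resource string into named parts.

    Returns None for the bare wildcard "*"; raises on anything that is not
    six colon-separated fields starting with "qcs".
    """
    if resource == "*":
        return None
    parts = resource.split(":")
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"malformed qcs resource: {resource!r}")
    keys = ("prefix", "project", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def lint_policy(policy, service="trocket"):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    if policy.get("version") != "2.0":
        findings.append('version must be "2.0"')
    for i, st in enumerate(policy.get("statement", [])):
        tag = f"statement[{i}]"
        effect = st.get("effect")
        if effect not in ("allow", "deny"):
            findings.append(f"{tag}: effect must be allow or deny")
        # CAM accepts a single string or a list for action and resource.
        actions = st.get("action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for a in actions:
            svc, _, name = a.partition(":")
            if svc != service:
                findings.append(f"{tag}: action {a!r} is outside service {service!r}")
            if name in ("*", "") and effect == "allow":
                findings.append(f"{tag}: wildcard action {a!r} is allowed")
        resources = st.get("resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for r in resources:
            parsed = parse_qcs(r)
            if parsed is None:
                if effect == "allow":
                    findings.append(f'{tag}: resource "*" is allowed; scope it to a qcs string')
                continue
            if parsed["service"] != service:
                findings.append(f"{tag}: resource {r!r} belongs to service {parsed['service']!r}")
            if not parsed["account"].startswith("uin/"):
                findings.append(f"{tag}: account field should be uin/<root-account-id>")
            if parsed["resource"].endswith("/*"):
                findings.append(f"{tag}: resource {r!r} matches every resource of that type")
    return findings


if __name__ == "__main__":
    for label, pol in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        problems = lint_policy(pol)
        print(f"{label}: {'OK' if not problems else 'FINDINGS'}")
        for p in problems:
            print("  -", p)
```

Running the block reports the page's policy as clean and raises two findings against the broad one (wildcard action, wildcard resource). Deny statements are deliberately exempt from the wildcard checks, since a broad explicit deny narrows rather than widens what a sub-account can do.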

Granting Permissions to a Sub-account

When a sub-account uses TDMQ for RocketMQ, permissions need to be granted in two aspects:

Type | Description
Access permissions for other cloud products | Permissions to access resources of other cloud products, such as Virtual Private Cloud (VPC) and Cloud Virtual Machine (CVM), that TDMQ for RocketMQ depends on; for example, viewing the availability zone (AZ) of the user's subnet.
Read/write permissions for TDMQ for RocketMQ resources | Permissions to read data from or write data to TDMQ for RocketMQ resources.

Documentation

The following CAM documentation covers the concepts used above:
Understanding the relationship between policies and users
Understanding the basic policy structure
Understanding the products that support CAM

