Environment-level Access Control
CloudBase provides environment-level and operation-level access control capabilities for management-side SDK calls (e.g., @cloudbase/node-sdk), allowing keys to be restricted to performing only specific operations on designated environments as needed.
That is, different permissions can be assigned to different access keys (SecretId/SecretKey), enabling control over resource access permissions.
This capability is based on Tencent Cloud's unified Access Management CAM, so a certain understanding of CAM-related capabilities is required.
This capability applies to the initialization of management-side SDKs by explicitly specifying access keys, as shown in the following @cloudbase/node-sdk example:
const app = tcb.init({
secretId: "your_secret_id",
secretKey: "your_secret_key",
});
Note: The permission policies described below apply to the CloudBase management-side SDK, therefore, they only describe how to assign permissions required for the management-side SDK. For access permissions related to the CloudBase console and Cloud API, additional permission policies for console access are required, and generally, predefined policies can be granted to relevant users.
Operation Steps
- Create Policy: Console -> Access Management -> Policies -> Create Policy -> Create Policy by Policy Syntax or Tags -> Blank Template -> Fill in the policy configuration -> Submit
- Attach Policy: Attach the policy to account/sub-account/user group/collaborator
- Obtain Credentials: Create and obtain credentials through the console or Cloud API
- Use Credentials: Initialize the management-side SDK with access credentials to access and manage cloud resources in the environment.
The steps above are primarily used for access control by creating policies in the Tencent Cloud console and attaching them to accounts/sub-accounts/user groups/collaborators.
Create Policy
Policy defines and describes one or more permission rules through policy syntax. The policy includes permission control for resources and operations, for example, the permission to invoke cloud functions in a TCB environment.
After attaching the policy to account/sub-account/user group/collaborator, the access keys of the relevant entities will have the corresponding permissions. For more information, please refer to Permissions and Policies.
CloudBase supports access control through both environment and tag approaches. The following is an example of creating a policy using policy syntax.
Please refer to Resoures & Actions for the Resoures & Actions required in the policy.
1. Policy for access control by Tag
Policies created in this way will be applied to one or more resources (environments) with a specific tag. When the tag is modified, the corresponding permissions will be updated accordingly.
The following policy grants full permissions (tcb:*) for all operations on resources with the Tag env:development.
Note: You need to create tags first, then set resource tags. TCB environment tag management is located on the environment details page - resource purchase page - basic configuration. For creating tags, please refer to: https://console.cloud.tencent.com/tag/taglist
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": ["tcb:*"],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"env&development" // Tag key: env = Tag Value: production
]
}
}
}
]
}
The following policy grants permission to invoke cloud functions (tcb:InvokeFunction) to resources with the env=development tag.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": ["tcb:InvokeFunction"],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"env&development" // Tag key: env = Tag Value: production
]
}
}
}
]
}
For more information about tags, please refer to:
2. Policy for access control by EnvID
Policies created in this way will be applied to resources in the resource field list.
The following policy grants permissions for all operations (tcb:*) on resources in the resource field list.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": ["tcb:*"],
"resource": [
"qcs::tcb:::env/${your-env-id}",
"qcs::tcb:${region}::env/${your-env-id}"
]
}
]
}
The following policy grants permission to invoke cloud functions (tcb:InvokeFunction) to resources in the resource field list.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": ["tcb:InvokeFunction"],
"resource": [
"qcs::tcb:::env/${your-env-id}",
"qcs::tcb:${region}::env/${your-env-id}"
]
}
]
}
Obtain the key
After creating the policy, you can grant it to account/sub-account/user group/collaborator. The associated access keys (SecretId/SecretKey) will then have restricted permissions to the Resources and Actions described in the policy.
You can obtain access token through the following 3 methods.
1. Obtain Sub-account/Collaborator Access Credentials via Console
You can create or obtain permanent access credentials at Access Management -> User Management -> User List -> Sub-user Details -> API Keys.
This method is suitable for assigning access permissions for relevant resources to sub-accounts, with long validity periods for access keys.
Refer to the documentation: Create a sub-account and grant permissions
This method requires pre-creating policies and sub-accounts/collaborators, and granting the policies to the sub-accounts/collaborators.
2. Obtain temporary access credentials by assuming a role via sts:AssumeRole
This method creates temporary access credentials via the Tencent Cloud CAM API interface. It requires first creating a role, granting the relevant permission policy to that role to enable it to possess the relevant permissions, and subsequently, the access credentials created through this role also possess the relevant permissions.
Refer to the documentation: Apply to Assume a Role
This method requires pre-creating policies and roles.
3. Obtain federated identity temporary access credentials via sts:GetFederationToken
This method creates temporary access credentials via the Tencent Cloud CAM API interface. It does not require pre-creating a role, but necessitates passing a policy each time the interface is called to create access credentials, thereby assigning a key with the relevant permissions.
Refer to the documentation: Obtain Federated Identity Temporary Access Credentials
This method does not require pre-creating policies and roles.
Use the key
The following @cloudbase/node-sdk sample:
const app = tcb.init({
secretId: "your_secret_id",
secretKey: "your_secret_key",
});
Authentication Passed
Authentication passed will enable normal access to resources in the corresponding environment.
Authentication Failed SIGN_PARAM_INVALID
The following is an example of authentication failure. The error message indicates that authentication failed due to lack of tcb:InvokeFunction operation permission. After granting a policy containing tcb:InvokeFunction permission to account/sub-account/user group/collaborator, reacquire the access key to pass authentication.
{
"code": "SIGN_PARAM_INVALID",
"message": "you are not authorized to perform operation (tcb:InvokeFunction)"
}
Resoures & Actions
Resoure
Used to describe resources, corresponding to the TCB environment.
Format: qcs::tcb:${Region}::env/${EnvId}, which describes an environment resource.
Example:
["qcs::tcb:::env/${your-env-id}"]
Action
Used to describe operations, specifying which operations are available for a resource (Resoure).
| Action | Description |
|---|---|
tcb:InvokeFunction | Invoke cloud function |
tcb:InsertDocument | Insert data |
tcb:DeleteDocument | Delete data |
tcb:UpdateDocument | Update data |
tcb:QueryDocument | Query data |
tcb:AggregateDocument | Aggregate data |
tcb:RunTransaction | Run transactions. Performing CURD and other operations within a transaction requires granting permissions for the corresponding operations. |
tcb:ExplainQuery | Query analysis |
tcb:GetFileAuthority | Get file authority information |
tcb:GetDownloadUrl | Get file download URL |
tcb:DeleteFile | Delete file |
tcb:UploadFile | Upload file |
tcb:QueryUserInfo | Get user information |
Note: The above only includes the
Actionused in the management-side SDK, and does not include theActioninvolved in the interface permission control for the console and Cloud API.