Skip to main content

Environment-level Access Control

CloudBase provides environment-level and operation-level access control capabilities for management-side SDK calls (e.g., @cloudbase/node-sdk), allowing keys to be restricted to performing only specific operations on designated environments as needed.

That is, different permissions can be assigned to different access keys (SecretId/SecretKey), enabling control over resource access permissions.

This capability is based on Tencent Cloud's unified Access Management CAM, so a certain understanding of CAM-related capabilities is required.

This capability applies to the initialization of management-side SDKs by explicitly specifying access keys, as shown in the following @cloudbase/node-sdk example:

const app = tcb.init({
secretId: "your_secret_id",
secretKey: "your_secret_key",
});

Note: The permission policies described below apply to the CloudBase management-side SDK, therefore, they only describe how to assign permissions required for the management-side SDK. For access permissions related to the CloudBase console and Cloud API, additional permission policies for console access are required, and generally, predefined policies can be granted to relevant users.

Operation Steps

  1. Create Policy: Console -> Access Management -> Policies -> Create Policy -> Create Policy by Policy Syntax or Tags -> Blank Template -> Fill in the policy configuration -> Submit
  2. Attach Policy: Attach the policy to account/sub-account/user group/collaborator
  3. Obtain Credentials: Create and obtain credentials through the console or Cloud API
  4. Use Credentials: Initialize the management-side SDK with access credentials to access and manage cloud resources in the environment.

The steps above are primarily used for access control by creating policies in the Tencent Cloud console and attaching them to accounts/sub-accounts/user groups/collaborators.

Create Policy

Policy defines and describes one or more permission rules through policy syntax. The policy includes permission control for resources and operations, for example, the permission to invoke cloud functions in a TCB environment.

After attaching the policy to account/sub-account/user group/collaborator, the access keys of the relevant entities will have the corresponding permissions. For more information, please refer to Permissions and Policies.

CloudBase supports access control through both environment and tag approaches. The following is an example of creating a policy using policy syntax.

Please refer to Resoures & Actions for the Resoures & Actions required in the policy.

1. Policy for access control by Tag

Policies created in this way will be applied to one or more resources (environments) with a specific tag. When the tag is modified, the corresponding permissions will be updated accordingly.

The following policy grants full permissions (tcb:*) for all operations on resources with the Tag env:development.

Note: You need to create tags first, then set resource tags. TCB environment tag management is located on the environment details page - resource purchase page - basic configuration. For creating tags, please refer to: https://console.cloud.tencent.com/tag/taglist

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": ["tcb:*"],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"env&development" // Tag key: env = Tag Value: production
]
}
}
}
]
}

The following policy grants permission to invoke cloud functions (tcb:InvokeFunction) to resources with the env=development tag.

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": ["tcb:InvokeFunction"],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"env&development" // Tag key: env = Tag Value: production
]
}
}
}
]
}

For more information about tags, please refer to:

2. Policy for access control by EnvID

Policies created in this way will be applied to resources in the resource field list.

The following policy grants permissions for all operations (tcb:*) on resources in the resource field list.

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": ["tcb:*"],
"resource": [
"qcs::tcb:::env/${your-env-id}",
"qcs::tcb:${region}::env/${your-env-id}"
]
}
]
}

The following policy grants permission to invoke cloud functions (tcb:InvokeFunction) to resources in the resource field list.

{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": ["tcb:InvokeFunction"],
"resource": [
"qcs::tcb:::env/${your-env-id}",
"qcs::tcb:${region}::env/${your-env-id}"
]
}
]
}

Obtain the key

After creating the policy, you can grant it to account/sub-account/user group/collaborator. The associated access keys (SecretId/SecretKey) will then have restricted permissions to the Resources and Actions described in the policy.

You can obtain access token through the following 3 methods.

1. Obtain Sub-account/Collaborator Access Credentials via Console

You can create or obtain permanent access credentials at Access Management -> User Management -> User List -> Sub-user Details -> API Keys.

This method is suitable for assigning access permissions for relevant resources to sub-accounts, with long validity periods for access keys.

Refer to the documentation: Create a sub-account and grant permissions

This method requires pre-creating policies and sub-accounts/collaborators, and granting the policies to the sub-accounts/collaborators.

2. Obtain temporary access credentials by assuming a role via sts:AssumeRole

This method creates temporary access credentials via the Tencent Cloud CAM API interface. It requires first creating a role, granting the relevant permission policy to that role to enable it to possess the relevant permissions, and subsequently, the access credentials created through this role also possess the relevant permissions.

Refer to the documentation: Apply to Assume a Role

This method requires pre-creating policies and roles.

3. Obtain federated identity temporary access credentials via sts:GetFederationToken

This method creates temporary access credentials via the Tencent Cloud CAM API interface. It does not require pre-creating a role, but necessitates passing a policy each time the interface is called to create access credentials, thereby assigning a key with the relevant permissions.

Refer to the documentation: Obtain Federated Identity Temporary Access Credentials

This method does not require pre-creating policies and roles.

Use the key

The following @cloudbase/node-sdk sample:

const app = tcb.init({
secretId: "your_secret_id",
secretKey: "your_secret_key",
});

Authentication Passed

Authentication passed will enable normal access to resources in the corresponding environment.

Authentication Failed SIGN_PARAM_INVALID

The following is an example of authentication failure. The error message indicates that authentication failed due to lack of tcb:InvokeFunction operation permission. After granting a policy containing tcb:InvokeFunction permission to account/sub-account/user group/collaborator, reacquire the access key to pass authentication.

{
"code": "SIGN_PARAM_INVALID",
"message": "you are not authorized to perform operation (tcb:InvokeFunction)"
}

Resoures & Actions

Resoure

Used to describe resources, corresponding to the TCB environment.

Format: qcs::tcb:${Region}::env/${EnvId}, which describes an environment resource.

Example:

["qcs::tcb:::env/${your-env-id}"]

Action

Used to describe operations, specifying which operations are available for a resource (Resoure).

ActionDescription
tcb:InvokeFunctionInvoke cloud function
tcb:InsertDocumentInsert data
tcb:DeleteDocumentDelete data
tcb:UpdateDocumentUpdate data
tcb:QueryDocumentQuery data
tcb:AggregateDocumentAggregate data
tcb:RunTransactionRun transactions. Performing CURD and other operations within a transaction requires granting permissions for the corresponding operations.
tcb:ExplainQueryQuery analysis
tcb:GetFileAuthorityGet file authority information
tcb:GetDownloadUrlGet file download URL
tcb:DeleteFileDelete file
tcb:UploadFileUpload file
tcb:QueryUserInfoGet user information

Note: The above only includes the Action used in the management-side SDK, and does not include the Action involved in the interface permission control for the console and Cloud API.