
Tencent Cloud Sub-account Mode

Applicable Scenarios

Provide isolated AI development environments for employees. Each employee gets a Tencent Cloud sub-account with independent isolation and can log in to the Tencent Cloud console.

Implementation Pattern

This article describes one possible reference implementation. The sub-account mode can be implemented in various ways, for example:

  • Develop cloud functions + web pages + authentication on the management environment to automatically assign sub-accounts and resources
  • Manually create sub-accounts and distribute resources via local scripts

Both approaches are valid reference implementations. Enterprises can choose the implementation method that best fits their tech stack and operational processes.

Core problem this solves: Give enterprise employees individually isolated CloudBase environments. Employees can log in to the Tencent Cloud console with their sub-account to manually inspect and manage resources — ideal for internal enterprise scenarios where resource visibility and manual control are required.

Onboarding Flow

Sub-account mode onboarding has two steps:

Step 1: Provision and manage CloudBase environments

Use Tencent Cloud APIs to create sub-accounts for employees, provision CloudBase environments, and configure permission policies.

→ See Environment & Resource Management API

Step 2: Connect MCP / Skill to Agent

Configure the sub-account API key or CloudBase API Key into the employee's Agent tool MCP. Employees can then operate their own CloudBase environment directly from the Agent.

→ See the "Configure MCP and Skill" section below


Solution Overview

Provide enterprises with a unified AI development resource management platform. Independent CloudBase environments and AI assistant servers are allocated for each employee, achieving:

  • Unified resource allocation: Enterprise administrators allocate independent CloudBase environments and servers for employees through the management environment
  • Fully isolated resources: Each employee has an independent CloudBase environment and server, without interference from others
  • Out-of-the-box AI capabilities: Each server comes pre-installed with the OpenClaw AI assistant, with CloudBase integration configured
  • Fine-grained permission control: Employees can only access their own resources and cannot accidentally operate on others' environments
  • Unified management view: Enterprises can view all resource usage, with controllable costs
  • Manageable and auditable by humans: Employees can log in to the Tencent Cloud console via sub-accounts to manually manage/inspect cloud resources

Overall Architecture


Core Process


Configure Permission Policy

Configure a CAM permission policy for each sub-account so that it can only access its own CloudBase environment. The ${...} values in the following policy template are placeholders that must be replaced. Note that the first statement grants its actions on resource "*", and that list includes write operations such as tcb:CreateTable, tcb:RunCommands, tcb:CreateFunction and cam:UpdatePolicy, which the environment ID therefore does not constrain. Review that list against your own requirements before attaching the policy, and confirm the behaviour with the isolation checks at the end of this page.

Policy Template

```json
{
  "statement": [
    {
      "action": [
        "cam:CreateRole",
        "cam:AttachRolePolicy",
        "cam:ListAttachedRolePolicies",
        "cam:UpdatePolicy",
        "cam:CreateServiceLinkedRole",
        "cam:DescribeServiceLinkedRole",
        "cam:GetRole",
        "cdn:TcbCheckResource",
        "organization:DescribeCloudApplicationToMember",
        "tcbr:DescribeArchitectureType",
        "tcbr:DescribeUserServiceTermsRecord",
        "lowcode:GetUserCertifyInfo",
        "lowcode:DescribeUserCompositeGroupsList",
        "lowcode:DescribeWedaWxBind",
        "lowcode:GetMaxAppNum",
        "lowcode:DescribeApps",
        "tcb:CheckTcbService",
        "tcb:DescribePackages",
        "tcb:DescribeEnvLimit",
        "tcb:DescribeBillingInfo",
        "tcb:DescribeExtensionsInstalled",
        "tcb:DescribeExtensions",
        "tcb:DescribeCloudBaseRunAdvancedConfiguration",
        "tcb:DescribePostPackage",
        "tcb:DescribeICPResources",
        "tcb:DescribeExtensionUpgrade",
        "tcb:DescribeMonitorMetric",
        "tcb:DescribeLowCodeUserQuotaUsage",
        "tcb:DescribeEnvStatistics",
        "tcb:DescribeLowCodeEnvQuotaUsage",
        "tcb:CheckFeaturePermission",
        "tcb:DescribeCommonBillingResources",
        "tcb:DescribeCommonBillingPackages",
        "tcb:DescribeExtraPackages",
        "tcb:DescribeAgentList",
        "tcb:DescribeTenant",
        "tcb:GetCliTokenList",
        "tcb:CreateCliToken",
        "tcb:GetTemplateAPIsList",
        "tcb:GetApisGroupAndList",
        "tcb:GetUserKeyList",
        "tcb:DescribeEnvBacklogs",
        "tcb:DescribeEnvRestriction",
        "tcb:DescribeUserPromotionalActivity",
        "tcb:DescribeFeaturePermissions",
        "tcb:RefreshAuthDomain",
        "tcb:DescribeActivityInfo",
        "tcb:DescribeTcbAccountInfo",
        "tcb:DescribeAIModels",
        "tcb:DescribeOperationAppTemplates",
        "tcb:DescribeSolutionList",
        "tcb:DescribeCloudBaseRunBaseImages",
        "tcb:DescribeBuildServiceList",
        "tcb:DeleteTable",
        "tcb:CreateTable",
        "tcb:DescribeTable",
        "tcb:DescribeTables",
        "tcb:ListTables",
        "tcb:RunCommands",
        "tcb:UpdateTable",
        "tcb:UpdateItem",
        "tcb:QueryRecords",
        "tcb:PutItem",
        "tcb:ModifyNameSpace",
        "tcb:DeleteItem",
        "tcb:CountRecords",
        "tcb:DescribeRestoreTime",
        "tcb:RestoreTCBTables",
        "tcb:DescribeRestoreTask",
        "tcb:DescribeRestoreTables",
        "tcb:CreateFunction",
        "tcb:UpdateFunctionCode",
        "tcb:UpdateFunctionIncrementalCode",
        "tcb:GetFunctionLogsStatus",
        "tcb:GetFunctionLogDetail",
        "tcb:GetFunctionLogs",
        "ssl:DescribeCertificate",
        "ssl:DescribeCertificateDetail",
        "ssl:DescribeCertificates",
        "cdn:PurgeUrlsCache",
        "tcr:DescribeInstances",
        "vpc:DescribeSubnets",
        "vpc:DescribeVpcLimits",
        "vpc:DescribeRouteTable",
        "lowcode:DescribePackageLicenseInfo",
        "tcb:CheckOnceOwnedEnvironment",
        "tcb:DescribeCloudBaseProjectLatestVersionList",
        "tcb:DescribeEnvDiscounts",
        "tcb:DescribeCreditsPackageUsageDetail",
        "tcb:DescribeICPResourcesInfo"
      ],
      "effect": "allow",
      "resource": ["*"]
    },
    {
      "action": ["tcb:*"],
      "effect": "allow",
      "resource": ["qcs::tcb:${region}:uin/${uin}:env/${envId}"]
    },
    {
      "action": ["tcbr:*"],
      "effect": "allow",
      "resource": ["qcs::tcbr:${region}:uin/${uin}:env/${envId}"]
    },
    {
      "action": ["lowcode:*"],
      "effect": "allow",
      "resource": ["qcs::lowcode::uin/${uin}:env/${envId}"]
    },
    {
      "action": ["scf:*"],
      "effect": "allow",
      "resource": [
        "qcs::scf:${region}:uin/${uin}:namespace/${envId}",
        "qcs::scf:${region}:uin/${uin}:namespace/${envId}/function/*",
        "qcs::scf:${region}:uin/${uin}:namespace/${envId}/layer/*",
        "qcs::cls:${region}:uin/${uin}:logset/${logsetId}",
        "qcs::cls:${region}:uin/${uin}:topic/${topicId}"
      ]
    },
    {
      "action": ["cls:*"],
      "effect": "allow",
      "resource": [
        "qcs::cls:${region}:uin/${uin}:logset/${logsetId}",
        "qcs::cls:${region}:uin/${uin}:topic/${topicId}"
      ]
    },
    {
      "action": ["cos:*"],
      "effect": "allow",
      "resource": [
        "qcs::cos:${region}:uid/${appId}:${cosBucketId}/*",
        "qcs::cos:${region}:uid/${appId}:${staticBucketId}/*"
      ]
    }
  ],
  "version": "2.0"
}
```

Placeholder Description

| Placeholder | Meaning | How to Obtain |
|---|---|---|
| ${region} | Environment region | EnvList[0].Region returned by DescribeEnvs |
| ${uin} | Main account UIN | Uin returned by GetUserAppId when called with the main account key |
| ${appId} | Main account AppId | EnvList[0].AppId returned by DescribeEnvs, or extracted from the storage bucket name |
| ${envId} | CloudBase environment ID | EnvList[0].EnvId returned by DescribeEnvs |
| ${topicId} | CLS log topic ID | EnvList[0].LogServices[0].TopicId returned by DescribeEnvs |
| ${logsetId} | CLS logset ID | EnvList[0].LogServices[0].LogsetId returned by DescribeEnvs |
| ${cosBucketId} | Cloud storage bucket name | EnvList[0].Storages[0].Bucket returned by DescribeEnvs |
| ${staticBucketId} | Static hosting bucket name | EnvList[0].StaticStorages[0].Bucket returned by DescribeEnvs |
Node.js Policy Generation Example

```javascript
// Install dependency: npm install tencentcloud-sdk-nodejs
// Usage:
// 1. Save the JSON from the "Policy Template" section as policy-template.json.
// 2. Set TENCENTCLOUD_SECRETID, TENCENTCLOUD_SECRETKEY, and CLOUDBASE_ENV_ID
//    (main-account or administrator credentials, not the sub-account's key).
// 3. Run: node script.js

const tencentcloud = require("tencentcloud-sdk-nodejs");
const fs = require("fs");
const path = require("path");

const TcbClient = tencentcloud.tcb.v20180608.Client;
const AccountClient = tencentcloud.account.v20190119.Client;

const POLICY_TEMPLATE = fs.readFileSync(
  path.join(__dirname, "policy-template.json"),
  "utf8"
);

const clientConfig = {
  credential: {
    secretId: process.env.TENCENTCLOUD_SECRETID,
    secretKey: process.env.TENCENTCLOUD_SECRETKEY,
  },
  // Region of the API endpoint; the policy itself uses env.Region from DescribeEnvs.
  region: process.env.TENCENTCLOUD_REGION || "ap-shanghai",
};

function getRequiredEnv(name) {
  const value = process.env[name];
  if (!value) {
    throw new Error(`Set the ${name} environment variable first.`);
  }
  return value;
}

// Fail instead of substituting "" so the policy never contains an empty resource
// segment such as "logset/" that does not match the intended resource.
function requireField(value, name) {
  if (value === undefined || value === null || value === "") {
    throw new Error(`DescribeEnvs did not return ${name} for this environment.`);
  }
  return String(value);
}

async function generatePolicy() {
  const accountClient = new AccountClient(clientConfig);
  const tcbClient = new TcbClient(clientConfig);

  // When the script uses the main account key, Uin is the main account UIN in the policy.
  const { Uin } = await accountClient.GetUserAppId({});

  const { EnvList } = await tcbClient.DescribeEnvs({
    EnvId: getRequiredEnv("CLOUDBASE_ENV_ID"),
  });
  const env = EnvList && EnvList[0];
  if (!env) {
    throw new Error("CloudBase environment not found. Check CLOUDBASE_ENV_ID.");
  }

  const values = {
    region: requireField(env.Region, "Region"),
    uin: requireField(Uin, "Uin"),
    appId: requireField(env.AppId, "AppId"),
    envId: requireField(env.EnvId, "EnvId"),
    logsetId: requireField(env.LogServices?.[0]?.LogsetId, "LogServices[0].LogsetId"),
    topicId: requireField(env.LogServices?.[0]?.TopicId, "LogServices[0].TopicId"),
    cosBucketId: requireField(env.Storages?.[0]?.Bucket, "Storages[0].Bucket"),
    staticBucketId: requireField(env.StaticStorages?.[0]?.Bucket, "StaticStorages[0].Bucket"),
  };

  // Replace every ${name} placeholder; reject unknown names rather than leaving them in.
  const policyJson = POLICY_TEMPLATE.replace(/\$\{(\w+)\}/g, (match, name) => {
    if (!(name in values)) {
      throw new Error(`Unknown placeholder ${match} in policy-template.json.`);
    }
    return values[name];
  });

  return JSON.parse(policyJson);
}

async function main() {
  const policy = await generatePolicy();
  console.log(JSON.stringify(policy, null, 2));

  // Optional: create the CAM policy and attach it to the employee's sub-account.
  // The CAM API version is 2019-01-16.
  // const camClient = new tencentcloud.cam.v20190116.Client(clientConfig);
  // const { PolicyId } = await camClient.CreatePolicy({
  //   PolicyName: `cloudbase-env-${process.env.CLOUDBASE_ENV_ID}`,
  //   PolicyDocument: JSON.stringify(policy),
  // });
  // await camClient.AttachUserPolicy({
  //   PolicyId,
  //   AttachUin: Number(process.env.SUBACCOUNT_UIN), // the employee's sub-account UIN
  // });
}

main().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});
```
| API | Purpose | Documentation |
|---|---|---|
| GetUserAppId | Get the main account UIN and AppId | Account-related APIs |
| DescribeEnvs | Query environment details such as region, buckets, and log topics | CloudBase API Overview |
| CreatePolicy | Create a CAM policy through the API | CAM API CreatePolicy |
| AttachUserPolicy | Attach a policy to a sub-account | CAM API AttachUserPolicy |

Configure the Policy Manually

To configure the policy in the console:

  1. Open CAM Console and create a custom policy.
  2. Choose policy syntax and start from a blank template.
  3. Replace the placeholders in the policy template above and paste the JSON.
  4. Create the policy and attach it to the target sub-account.

Log in to Console

A unique advantage of sub-account mode: employees can directly use their Tencent Cloud sub-account to log in to the CloudBase Console and manage their own CloudBase environment — viewing databases, debugging cloud functions, inspecting storage, etc. The permission policy automatically restricts sub-accounts to only see and operate their own environment.


Configure MCP and Skill

Sub-account mode supports two MCP connection methods: configuring the sub-account's API key (or a CloudBase API Key) in the MCP server configuration, as described in Step 2 of the onboarding flow, or interactive login. Once either is configured, MCP and Skill can be used.

With interactive login, employees do not need to configure any keys. After MCP starts, it initiates device code authorization and the employee completes login in the browser. In both cases, the environments reachable after login are determined by the CAM permission policy: sub-accounts only see the environments the policy allows.

Client

Configure your AI tool to connect with CloudBase capabilities. Supports local and hosted connection. See connection modes.

Step 1: Install / Configure CloudBase

Use the project template (recommended): the template includes the MCP configuration and AI rules. View templates.

One-click install: Add to Cursor

Or add this configuration to .cursor/mcp.json:

```json
{
  "mcpServers": {
    "cloudbase": {
      "command": "npx",
      "args": ["@cloudbase/cloudbase-mcp@latest"],
      "env": {
        "INTEGRATION_IDE": "Cursor"
      }
    }
  }
}
```

Step 2: Chat with AI

Enter the following in your AI chat in order:

```text
Install CloudBase Skills: run npx skills add tencentcloudbase/cloudbase-skills -y
Use CloudBase Skills: Help me develop a new CloudBase feature following the Spec workflow
```

Cost Estimation

| Item | Unit Price | Quantity | Subtotal |
|---|---|---|---|
| Management Environment (CloudBase Personal) | ¥19.9/month | 1 | ¥19.9 |
| Employee Environment (CloudBase Personal, including OpenClaw Server) | ¥19.9/month | N | ¥19.9 × N |

Examples:

  • 10 employees: ¥19.9 × (1 + 10) ≈ ¥219/month
  • 50 employees: ¥19.9 × (1 + 50) ≈ ¥1,015/month

Responsibilities of All Parties

| Role | Responsibilities |
|---|---|
| Enterprise Internal System | Employee identity authentication; create CAM sub-accounts and CloudBase environments for employees; create Lighthouse servers and install CloudBase Skill/MCP via TAT; configure CAM permission policies |
| OpenClaw | The employee's operation entry point; provides AI assistant capabilities and operates cloud resources via CloudBase Skill/MCP |
| Tencent Cloud CAM | Sub-account creation, API key generation, and permission policy management |
| Tencent Cloud CloudBase | Cloud resource capabilities such as environment creation, database, cloud functions, and storage |

Verify Isolation Effect

After configuration is complete, verify that isolation is effective:

  1. Use the sub-account key to call DescribeEnvs and confirm that only the employee's own environment is returned.
  2. Attempt to access resources of another environment; the call should fail with an insufficient-permission error. Include a write operation in this check, for example tcb:CreateTable against another environment's EnvId, because the first statement of the policy template grants those actions on resource "*" rather than on the employee's environment.
  3. Operate cloud resources from MCP and confirm that only resources within the employee's own environment can be operated on.