Tencent Cloud Sub-account Mode

Applicable Scenarios

Provide isolated AI development environments for employees. Each employee gets their own isolated Tencent Cloud sub-account and can log in to the Tencent Cloud console.

Implementation Pattern

This article describes one possible reference implementation. The sub-account mode can be implemented in various ways, for example:

  • Develop cloud functions + web pages + authentication on the management environment to automatically assign sub-accounts and resources
  • Manually create sub-accounts and distribute resources via local scripts

Both approaches are valid reference implementations. Enterprises can choose the implementation method that best fits their tech stack and operational processes.

Solution Overview

Provide enterprises with a unified AI development resource management platform. Independent CloudBase environments and AI assistant servers are allocated for each employee, achieving:

  • Unified resource allocation: Enterprise administrators allocate independent CloudBase environments and servers for employees through the management environment
  • Fully isolated resources: Each employee has an independent CloudBase environment and server, without interference from others
  • Out-of-the-box AI capabilities: Each server comes pre-installed with the OpenClaw AI assistant, with CloudBase integration configured
  • Fine-grained permission control: Employees can only access their own resources and cannot accidentally operate on others' environments
  • Unified management view: Enterprises can view all resource usage, with controllable costs
  • Manageable and auditable by humans: Employees can log in to the Tencent Cloud console via sub-accounts to manually manage/inspect cloud resources

Overall Architecture


Core Process


Configure Permission Policy

Configure CAM permission policies for each sub-account, restricting them to only access their own CloudBase environment. For detailed policy structure and field descriptions, see the policy template below.

Create a custom policy in the CAM Console, replace the placeholders in the policy template with actual values, and associate it with the sub-account. See the complete policy template and placeholder descriptions below.


Log in to Console

A unique advantage of sub-account mode: employees can directly use their Tencent Cloud sub-account to log in to the CloudBase Console and manage their own CloudBase environment — viewing databases, debugging cloud functions, inspecting storage, etc. The permission policy automatically restricts sub-accounts to only see and operate their own environment.


Configure MCP and Skill

Sub-account mode supports two MCP connection methods. After configuration, MCP and Skill can be used:

Employees do not need to manually configure any keys. After MCP starts, it automatically initiates device code authorization and completes login in the browser. The environments accessible after login are controlled by the CAM permission policy — sub-accounts can only see the environments allowed by the policy.

Client

Configure your AI tool to connect with CloudBase capabilities. Supports local and hosted connection. See connection modes.

Step 1: Install / Configure CloudBase

Use project template (recommended) - Template includes MCP configuration and AI rules. View templates

Install in one click:

Add to Cursor

Or configure manually by adding this configuration to .cursor/mcp.json:

json
{
  "mcpServers": {
    "cloudbase": {
      "command": "npx",
      "args": ["@cloudbase/cloudbase-mcp@latest"],
      "env": {
        "INTEGRATION_IDE": "Cursor"
      }
    }
  }
}

Step 2: Chat with AI

Enter the following in your AI chat in order:

prompt
Install CloudBase Skills: run npx skills add tencentcloudbase/cloudbase-skills -y
Use CloudBase Skills: Create a mini program application that uses CloudBase Auth to support WeChat login

Cost Estimation

| Item | Unit Price | Quantity | Subtotal |
| --- | --- | --- | --- |
| Management Environment (CloudBase Personal) | ¥19.9/month | 1 | ¥19.9 |
| Employee Environment (CloudBase Personal, including OpenClaw Server) | ¥19.9/month | N | ¥19.9 × N |

Examples:

  • 10 employees: ¥19.9 × (1 + 10) = ¥219/month
  • 50 employees: ¥19.9 × (1 + 50) = ¥1,015/month

Responsibilities of All Parties

| Role | Responsibilities |
| --- | --- |
| Enterprise Internal System | Employee identity authentication, create CAM sub-accounts and CloudBase environments for employees, create Lighthouse servers and install CloudBase Skill/MCP via TAT, configure CAM permission policies |
| OpenClaw | As the employee's operation entry point, provide AI assistant capabilities, operate cloud resources via CloudBase Skill/MCP |
| Tencent Cloud CAM | Provide capabilities such as sub-account creation, API key generation, and permission policy management |
| Tencent Cloud CloudBase | Provide cloud resource capabilities such as environment creation, database, cloud functions, and storage |

Verify Isolation Effect

After configuration is complete, verify that isolation is effective:

  1. Use the sub-account key to call DescribeEnvs and confirm that only the user's own environment is visible
  2. Try to access resources in other environments; the call should return an insufficient-permission error
  3. Operate cloud resources through MCP and confirm that only resources within the user's own environment can be operated on
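
The first two checks can be automated over saved API responses. The following Python is an added example, not part of the original page; the response shape (`Response`, `EnvList`, `EnvId`, `Error.Code`), the `AuthFailure.UnauthorizedOperation` denial code and all sample values are assumptions constructed for illustration. It treats any non-permission error as inconclusive, since a parameter error does not show that CAM blocked the call.

```python
import json

# Assumptions: Tencent Cloud API 3.0 style JSON, {"Response": {...}} with an
# "Error": {"Code": ...} object on failure, DescribeEnvs returning "EnvList"
# entries that carry "EnvId", and this code signalling a CAM denial.
DENIED_CODES = {"AuthFailure.UnauthorizedOperation"}

def visible_envs(describe_envs_json):
    """Return the set of EnvIds exposed by a DescribeEnvs response."""
    resp = json.loads(describe_envs_json)["Response"]
    if "Error" in resp:
        raise ValueError("DescribeEnvs failed: " + resp["Error"]["Code"])
    return {env["EnvId"] for env in resp.get("EnvList", [])}

def probe_outcome(response_json):
    """Classify a cross-environment call as denied, allowed or inconclusive."""
    err = json.loads(response_json)["Response"].get("Error")
    if err is None:
        return "allowed"        # the call succeeded: isolation is broken
    if err.get("Code") in DENIED_CODES:
        return "denied"         # CAM rejected the call, as intended
    return "inconclusive"       # some other failure; proves nothing about CAM

def check_isolation(own_env, describe_envs_json, probes):
    """Return findings for steps 1 and 2; an empty list means both passed."""
    findings = []
    seen = visible_envs(describe_envs_json)
    if own_env not in seen:
        findings.append("own environment %s not visible" % own_env)
    for extra in sorted(seen - {own_env}):
        findings.append("foreign environment visible: %s" % extra)
    for target_env, response_json in probes.items():
        outcome = probe_outcome(response_json)
        if outcome != "denied":
            findings.append("probe of %s was %s" % (target_env, outcome))
    return findings

# Constructed sample responses (not captured from a real account).
OWN = "emp-alice-0001"
LIST_OK = json.dumps({"Response": {"EnvList": [{"EnvId": OWN}]}})
LIST_LEAK = json.dumps(
    {"Response": {"EnvList": [{"EnvId": OWN}, {"EnvId": "emp-bob-0002"}]}})
DENIED = json.dumps(
    {"Response": {"Error": {"Code": "AuthFailure.UnauthorizedOperation"}}})
BAD_PARAM = json.dumps({"Response": {"Error": {"Code": "InvalidParameter"}}})
```

Pass `check_isolation` the employee's environment ID, the raw DescribeEnvs response obtained with the sub-account key, and a mapping from each foreign environment ID to the raw response of a call made against it.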