Permission Policy Reference

This article describes the structure, field meanings, and auto-generation tools for CAM permission policies required for CloudBase environment isolation. Whether using Sub-account Mode or White-label Mode, the policy structure is the same; the only difference lies in how credentials are obtained.

Policy Structure

A permission policy consists of two groups of Statements:

1. Global allowed actions: Read-only/auxiliary operations that do not expose environment data, resource is *
2. Environment-scoped actions: All environment modification operations, resource is restricted to the specified environment's resources

Global Allowed Actions

These actions do not expose data within the environment and are allowed for all resources:

Service	Actions	Description
cam	CreateRole, AttachRolePolicy, GetRole, etc.	CAM role management (required for Cloud Function execution)
tcb	CheckTcbService, DescribePackages, DescribeBillingInfo, etc.	CloudBase read-only/billing/query operations
tcbr	DescribeArchitectureType, DescribeUserServiceTermsRecord	CloudBase Run read-only operations
lowcode	GetUserCertifyInfo, DescribeApps, etc.	Weda read-only operations
ssl	DescribeCertificateDetail, DescribeCertificates	SSL certificate read

Environment-Scoped Actions

These actions restrict resource to the specified environment, ensuring sub-accounts can only operate their own environment:

Service	Resource Format	Description
tcb	qcs::tcb:${region}:uin/${uin}:env/${envId}	CloudBase environment-level operations
tcbr	qcs::tcbr:${region}:uin/${uin}:env/${envId}	CloudBase Run environment-level operations
lowcode	qcs::lowcode::uin/${uin}:env/${envId}	Weda environment-level operations
scf	qcs::scf:${region}:uin/${uin}:namespace/${envId}/function/*	Cloud Functions (namespace = environment ID)
cls	qcs::cls::uin/${uin}:topic/${topicId}	Log Service (restricted to log topic)
cos	qcs::cos:${region}:uid/${appId}:${bucket}/*	Object Storage (restricted to environment's storage bucket)

Policy Template

Below is the complete policy template, where ${...} are placeholders to be replaced:

{
  "statement": [
    {
      "action": [
        "cam:CreateRole",
        "cam:AttachRolePolicy",
        "cam:ListAttachedRolePolicies",
        "cam:UpdatePolicy",
        "cam:CreateServiceLinkedRole",
        "cam:DescribeServiceLinkedRole",
        "cam:GetRole",
        "cdn:TcbCheckResource",
        "organization:DescribeCloudApplicationToMember",
        "tcbr:DescribeArchitectureType",
        "tcbr:DescribeUserServiceTermsRecord",
        "lowcode:GetUserCertifyInfo",
        "lowcode:DescribeUserCompositeGroupsList",
        "lowcode:DescribeWedaWxBind",
        "lowcode:GetMaxAppNum",
        "lowcode:DescribeApps",
        "tcb:CheckTcbService",
        "tcb:DescribePackages",
        "tcb:DescribeEnvLimit",
        "tcb:DescribeBillingInfo",
        "tcb:DescribeExtensionsInstalled",
        "tcb:DescribeExtensions",
        "tcb:DescribeCloudBaseRunAdvancedConfiguration",
        "tcb:DescribePostPackage",
        "tcb:DescribeICPResources",
        "tcb:DescribeExtensionUpgrade",
        "tcb:DescribeMonitorMetric",
        "tcb:DescribeLowCodeUserQuotaUsage",
        "tcb:DescribeEnvStatistics",
        "tcb:DescribeLowCodeEnvQuotaUsage",
        "tcb:CheckFeaturePermission",
        "tcb:DescribeCommonBillingResources",
        "tcb:DescribeCommonBillingPackages",
        "tcb:DescribeExtraPackages",
        "tcb:DescribeAgentList",
        "tcb:DescribeTenant",
        "tcb:GetCliTokenList",
        "tcb:CreateCliToken",
        "tcb:GetTemplateAPIsList",
        "tcb:GetApisGroupAndList",
        "tcb:GetUserKeyList",
        "tcb:DescribeEnvBacklogs",
        "tcb:DescribeEnvRestriction",
        "tcb:DescribeUserPromotionalActivity",
        "tcb:DescribeFeaturePermissions",
        "tcb:RefreshAuthDomain",
        "tcb:DescribeActivityInfo",
        "tcb:DescribeTcbAccountInfo",
        "tcb:DescribeAIModels",
        "tcb:DescribeOperationAppTemplates",
        "tcb:DescribeSolutionList",
        "tcb:DescribeCloudBaseRunBaseImages",
        "tcb:DescribeBuildServiceList",
        "tcb:DeleteTable",
        "tcb:CreateTable",
        "tcb:DescribeTable",
        "tcb:DescribeTables",
        "tcb:ListTables",
        "tcb:RunCommands",
        "tcb:UpdateTable",
        "tcb:UpdateItem",
        "tcb:QueryRecords",
        "tcb:PutItem",
        "tcb:ModifyNameSpace",
        "tcb:DeleteItem",
        "tcb:CountRecords",
        "tcb:DescribeRestoreTime",
        "tcb:RestoreTCBTables",
        "tcb:DescribeRestoreTask",
        "tcb:DescribeRestoreTables",
        "tcb:CreateFunction",
        "tcb:UpdateFunctionCode",
        "tcb:UpdateFunctionIncrementalCode",
        "tcb:GetFunctionLogsStatus",
        "tcb:GetFunctionLogDetail",
        "tcb:GetFunctionLogs",
        "ssl:DescribeCertificateDetail",
        "ssl:DescribeCertificates"
      ],
      "effect": "allow",
      "resource": ["*"]
    },
    {
      "action": ["tcb:*"],
      "effect": "allow",
      "resource": ["qcs::tcb:${region}:uin/${uin}:env/${envId}"]
    },
    {
      "action": ["tcbr:*"],
      "effect": "allow",
      "resource": ["qcs::tcbr:${region}:uin/${uin}:env/${envId}"]
    },
    {
      "action": ["lowcode:*"],
      "effect": "allow",
      "resource": ["qcs::lowcode::uin/${uin}:env/${envId}"]
    },
    {
      "action": ["cls:*"],
      "effect": "allow",
      "resource": ["qcs::cls::uin/${uin}:topic/${topicId}"]
    },
    {
      "action": ["scf:*"],
      "effect": "allow",
      "resource": ["qcs::scf:${region}:uin/${uin}:namespace/${envId}/function/*"]
    },
    {
      "action": ["cos:*"],
      "effect": "allow",
      "resource": [
        "qcs::cos:${region}:uid/${appId}:${cos-bucketId}/*",
        "qcs::cos:${region}:uid/${appId}:${static-bucketId}/*"
      ]
    }
  ],
  "version": "2.0"
}

Placeholder Descriptions

Placeholder	Meaning	How to Obtain
${region}	Region where the environment is located	DescribeEnvs returns EnvList[0].Region
${uin}	Main account UIN	Account UIN in Tencent Cloud Console
${appId}	Main account AppId	DescribeEnvs returns EnvList[0].AppId, or extract from storage bucket name suffix
${envId}	CloudBase environment ID	DescribeEnvs returns EnvList[0].EnvId
${topicId}	CLS log topic ID	DescribeEnvs returns EnvList[0].LogServices[0].TopicId
${cos-bucketId}	Cloud Storage bucket name	DescribeEnvs returns EnvList[0].Storages[0].Bucket
${static-bucketId}	Static hosting storage bucket name	DescribeEnvs returns EnvList[0].StaticStorages[0].Bucket

Code Sample

The following is a Node.js example demonstrating how to obtain placeholder values via Tencent Cloud API and generate the final policy. For other languages, please refer to Tencent Cloud API SDK.

// Install dependency: npm install tencentcloud-sdk-nodejs
const tencentcloud = require("tencentcloud-sdk-nodejs");

const TcbClient = tencentcloud.tcb.v20180608.Client;
const AccountClient = tencentcloud.account.v20190119.Client;

// Policy template string (use the JSON from the "Policy Template" section above, escape double quotes or use backticks)
const POLICY_TEMPLATE = `{"statement":[...],"version":"2.0"}`;

const clientConfig = {
  credential: {
    secretId: process.env.TENCENTCLOUD_SECRETID,   // Main account SecretId, obtained from CAM Console
    secretKey: process.env.TENCENTCLOUD_SECRETKEY,  // Main account SecretKey, obtained from CAM Console
  },
  region: "ap-shanghai",
};

async function generatePolicy() {
  const accountClient = new AccountClient(clientConfig);
  const tcbClient = new TcbClient(clientConfig);

  // 1. Get main account UIN
  const { OwnerUin } = await accountClient.GetUserAppId({});

  // 2. Get CloudBase environment details
  const { EnvList } = await tcbClient.DescribeEnvs({
    EnvId: process.env.CLOUDBASE_ENV_ID,
  });
  const env = EnvList[0];

  // 3. Replace placeholders to generate the final policy
  const policyJson = POLICY_TEMPLATE
    .replace(/\$\{region\}/g, env.Region)
    .replace(/\$\{uin\}/g, OwnerUin)
    .replace(/\$\{appId\}/g, String(env.AppId))
    .replace(/\$\{envId\}/g, env.EnvId)
    .replace(/\$\{topicId\}/g, env.LogServices?.[0]?.TopicId || "")
    .replace(/\$\{cos-bucketId\}/g, env.Storages?.[0]?.Bucket || "")
    .replace(/\$\{static-bucketId\}/g, env.StaticStorages?.[0]?.Bucket || "");

  return JSON.parse(policyJson);
}

generatePolicy().then(console.log);

Related API References

API	Purpose	Documentation
GetUserAppId	Get main account UIN and AppId	Account APIs
DescribeEnvs	Query CloudBase environment details (region, storage bucket, log topic, etc.)	CloudBase API Overview
GetFederationToken	STS issues temporary credentials (inline policy, no sub-account needed)	STS API GetFederationToken
CreatePolicy	Create CAM policy via API	CAM API CreatePolicy
AttachUserPolicy	Attach policy to sub-account	CAM API AttachUserPolicy

Manual Policy Configuration

If not using the auto-generation tool, you can also configure manually in the CAM Console:

1. Log in to CAM Console → Policies → Create Custom Policy
2. Select "Create by Policy Syntax" → Blank Template
3. Replace placeholders in the policy template above with actual values, then paste
4. Create the policy and associate it with the target sub-account

Related Documentation

• Sub-account Mode
• White-label Mode
• Overview (with Mode Comparison)
• Tencent Cloud CAM Custom Policy Official Documentation