
User Identity Authentication

By default, cloud hosting does not provide authentication services. If customers do not implement authentication, security issues may arise in certain scenarios. If your service handles requests from customers, the best practice is to only allow authorized users to access it.

function for the path to set access permissions for the cloud hosting service.

User Creation

    1. Log in to Tencent Cloud Hosting.
    2. In the navigation menu under 'Extended Capabilities', select Cloud Admin Console and click to go.
    3. In the cloud admin console, select User Management to add a user, and set the username and password.

User Permissions Configuration

By default, the cloud hosting service can only be accessed by customers with the following roles:

  • Default Internal User Role
  • Default External User Role
  • Custom Policy Access

Default Internal User Role

If you do not want certain users to access, unbind the

Custom Policy

    1. Log in to Tencent Cloud Hosting.
    2. In the navigation menu under 'Extended Capabilities', select Cloud Admin Console and click to go.
    3. In the cloud admin console, select 'Access Control'. On the access control page, select 'Policy Management'. If the option is not available, refresh the page.
    4. Click 'Add Custom Policy' and fill out the form.
      • Policy Identifier: Fill in English
      • Policy Name: Fill in both Chinese and English
      • Policy Content: Take allowing access to /api as an example. Configure the /api path in the action section as shown below.
        {
          "statement": [
            {
              "action": "cloudrun:/api",
              "resource": "*",
              "effect": "allow"
            }
          ],
          "version": "1.0"
        }
    5. After configuring the custom policy, associate this policy with the role requiring access to the resource, then link the role to the relevant users.

Getting User Token

Refer to Username/Password Login OpenAPI to obtain the user login token.

Accessing CloudBase Hosting via Custom Domain

As an example, we configure a service whose routes start with /api.

Refer to the Custom Domains feature. When associating a domain with resources, set the 'Authentication Switch' to ON. Configure 'Path Passthrough' based on actual requirements. For example, if our API path is /api:

  • With path passthrough disabled, accessing /api/users will deliver /users to the backend service.
  • With path passthrough enabled, accessing /api/users will deliver /api/users to the backend service.

After completing the configuration, access the service as follows:

curl -H "Content-Type: application/json" -H "Authorization: Bearer <obtained Token>" https://<custom-domain>/api/users

The request returns the service's response.

Obtaining Token via Alternative Login Methods

Refer to User Login Settings.

Get User Information

The customer's token is passed through to the backend. The backend can retrieve the token from the Authorization field in the request header, noting that the Bearer prefix should be removed.

Then decode the token as a JWT. After decoding, the user_id field serves as the user's unique identifier. The parsed payload content is as follows:

{
  "iss": "",
  "sub": "22332323",
  "aud": "",
  "exp": 1750073415,
  "iat": 1750066215,
  "at_hash": "",
  "scope": "",
  "project_id": "",
  "provider_type": "username",
  "meta": {
    "wxOpenId": "",
    "wxUnionId": ""
  },
  "user_id": "1934543672625225729",
  "user_type": "internal"
}
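
An added example (not from the original page) of the backend step described above, in Python: it strips the Bearer prefix, decodes the payload, rejects expired tokens and returns user_id. The function names and the sample token builder are hypothetical. The signature is not verified, on the assumption that the gateway's authentication switch has already rejected invalid tokens; the page does not say where signing keys are published.

```python
import base64
import json
import time

class TokenError(ValueError):
    """Raised when the Authorization header or token is unusable."""

def bearer_token(authorization):
    # Expect exactly "Bearer <token>"; the scheme name is case-insensitive.
    parts = (authorization or "").split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        raise TokenError("missing or malformed Authorization header")
    return parts[1]

def decode_payload(token):
    # A JWT is header.payload.signature, each part base64url without padding.
    segments = token.split(".")
    if len(segments) != 3:
        raise TokenError("token is not a three-part JWT")
    raw = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    try:
        payload = json.loads(base64.urlsafe_b64decode(raw))
    except ValueError as exc:
        raise TokenError("payload is not base64url-encoded JSON") from exc
    if not isinstance(payload, dict):
        raise TokenError("payload is not a JSON object")
    return payload

def current_user(authorization, now=None):
    # Decode only: the signature is NOT verified here (assumption: the
    # gateway's authentication switch already rejected invalid tokens).
    payload = decode_payload(bearer_token(authorization))
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("token expired or has no exp claim")
    user_id = payload.get("user_id")
    if not isinstance(user_id, str) or not user_id:
        raise TokenError("token has no user_id")
    return {"user_id": user_id, "user_type": payload.get("user_type")}

def make_sample_token(payload):
    # Constructed token with a dummy signature, for offline testing only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "c2ln"])
```

If the backend can also be reached without going through the authenticated domain, decoding alone is not enough and the token's signature has to be verified before user_id is trusted.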

If you need to query customer details, please refer to User Details.