User Identity Authentication
By default, cloud hosting does not provide authentication services. If customers do not implement authentication, security issues may arise in certain scenarios. If your service handles requests from customers, the best practice is to only allow authorized users to access it.
function for the path to set access permissions for the cloud hosting service.
User Creation
- Log in to Tencent Cloud Hosting
- In the navigation menu, under 'Extended Capabilities', select Cloud Admin Console and open it.
- In the cloud admin console, select User Management to add a user, and set the username and password.
User Permissions Configuration
By default, the cloud hosting service can only be accessed by customers with the following roles:
- Default Internal User Role
- Default External User Role
- Custom Policy Access
Default Internal User Role
If you do not want certain users to access, unbind the
Custom Policy
- Log in to Tencent Cloud Hosting
- In the navigation menu, under 'Extended Capabilities', select Cloud Admin Console and open it.
- In the cloud admin console, select 'Access Control'. On the access control page, select 'Policy Management'. If the option is not available, refresh the page.
- Click 'Add Custom Policy' and fill out the form.
  - Policy Identifier: Fill in English
  - Policy Name: Fill in both Chinese and English
  - Policy Content: Take allowing access to /api as an example. Configure the /api path in the action section as shown below.

    {
      "statement": [
        {
          "action": "cloudrun:/api",
          "resource": "*",
          "effect": "allow"
        }
      ],
      "version": "1.0"
    }
- After configuring the custom policy, associate this policy with the role requiring access to the resource, then link the role to the relevant users.
Getting User Token
Refer to Username/Password Login OpenAPI to obtain the user login token.
Accessing CloudBase Hosting via Custom Domain
We take configuring a service with routing starting with /api as an example.
Refer to the Custom Domains feature. When associating a domain with resources, set the 'Authentication Switch' to ON. Configure 'Path Passthrough' based on actual requirements. For example, if our API path is /api:
- With path passthrough disabled, accessing /api/users will deliver /users to the backend service.
- With path passthrough enabled, accessing /api/users will deliver /api/users to the backend service.
After completing the configuration, access the service as follows:
curl -H "Content-Type: application/json" -H "Authorization: Bearer <obtained Token>" https://<custom-domain>/api/users
The service's response is returned.
Obtaining Token via Alternative Login Methods
Refer to User Login Settings.
Get User Information
The customer's token is passed through to the backend. The backend can retrieve the token from the Authorization field in the request header; note that the Bearer prefix should be removed.
Then decode the token as a JWT. After decoding, the user_id field serves as the user's unique identifier. The parsed payload content is as follows:
{
  "iss": "",
  "sub": "22332323",
  "aud": "",
  "exp": 1750073415,
  "iat": 1750066215,
  "at_hash": "",
  "scope": "",
  "project_id": "",
  "provider_type": "username",
  "meta": {
    "wxOpenId": "",
    "wxUnionId": ""
  },
  "user_id": "1934543672625225729",
  "user_type": "internal"
}
If you need to query customer details, please refer to User Details.
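A backend helper for the steps above, as an added example (not code from the original page or from CloudBase): it strips the Bearer prefix, decodes the JWT payload and returns user_id. It only decodes and does not verify the signature, on the assumption that the token was already validated at the custom domain with the Authentication Switch ON and that the backend is reachable only through that domain; the function name, the exp check and the sample header are this example's own.

```python
import base64
import json
import time

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def user_from_authorization(header_value, now=None):
    """Return identity claims from an 'Authorization: Bearer <jwt>' value.

    Decodes only; the signature is NOT checked here (assumption: the
    gateway already validated the token before passing it through).
    Raises ValueError if the value is malformed, expired or lacks user_id.
    """
    scheme, _, token = (header_value or "").strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected 'Bearer <token>'")
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all land here
        raise ValueError("undecodable JWT payload") from exc
    if not isinstance(payload, dict):
        raise ValueError("JWT payload is not an object")
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or exp missing")
    user_id = payload.get("user_id")
    if not isinstance(user_id, str) or not user_id:
        raise ValueError("user_id claim missing")
    return {k: payload.get(k) for k in ("user_id", "user_type", "provider_type")}

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: claims copied from the payload shown above, with a
# made-up JWT header and a placeholder signature segment.
SAMPLE_PAYLOAD = {"sub": "22332323", "exp": 1750073415, "iat": 1750066215,
                  "provider_type": "username", "user_type": "internal",
                  "user_id": "1934543672625225729"}
SAMPLE_HEADER = "Bearer " + ".".join(
    [_seg({"typ": "JWT"}), _seg(SAMPLE_PAYLOAD), "c2ln"])
```

Pass `now` only in tests; in a request handler, call `user_from_authorization(request_headers.get("Authorization"))` and treat `ValueError` as an unauthenticated request.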