权限策略参考
本文介绍 CloudBase 环境隔离所需 CAM 权限策略的结构、字段含义以及自动生成工具。无论使用 子账号模式 还是 自有品牌模式,权限策略的结构是相同的,区别仅在于凭证的获取方式。
策略结构
权限策略由两组 Statement 组成:
- 全局允许操作:不涉及敏感环境数据的只读/辅助操作,
resource为* - 环境限定操作:所有环境修改操作,
resource限定到指定环境的资源
全局允许操作
这些操作不暴露环境内的数据,允许对所有资源执行:
| 服务 | 操作 | 说明 |
|---|---|---|
| cam | CreateRole, AttachRolePolicy, GetRole 等 | CAM 角色管理(云函数运行必需) |
| tcb | CheckTcbService, DescribePackages, DescribeBillingInfo 等 | 云开发只读/计费/查询类操作 |
| tcbr | DescribeArchitectureType, DescribeUserServiceTermsRecord | 云托管只读操作 |
| lowcode | GetUserCertifyInfo, DescribeApps 等 | 微搭只读操作 |
| ssl | DescribeCertificateDetail, DescribeCertificates | SSL 证书读取 |
环境限定操作
这些操作通过 resource 字段限定到指定环境,确保子账号只能操作自己的环境:
| 服务 | 资源格式 | 说明 |
|---|---|---|
| tcb | qcs::tcb:${region}:uin/${uin}:env/${envId} | 云开发环境级操作 |
| tcbr | qcs::tcbr:${region}:uin/${uin}:env/${envId} | 云托管环境级操作 |
| lowcode | qcs::lowcode::uin/${uin}:env/${envId} | 微搭环境级操作 |
| scf | qcs::scf:${region}:uin/${uin}:namespace/${envId}/function/* | 云函数(命名空间 = 环境ID) |
| cls | qcs::cls::uin/${uin}:topic/${topicId} | 日志服务(限定到日志主题) |
| cos | qcs::cos:${region}:uid/${appId}:${bucket}/* | 对象存储(限定到环境对应的存储桶) |
策略模板
以下是完整的策略模板,其中 ${...} 为需要替换的占位符:
{
"statement": [
{
"action": [
"cam:CreateRole",
"cam:AttachRolePolicy",
"cam:ListAttachedRolePolicies",
"cam:UpdatePolicy",
"cam:CreateServiceLinkedRole",
"cam:DescribeServiceLinkedRole",
"cam:GetRole",
"cdn:TcbCheckResource",
"organization:DescribeCloudApplicationToMember",
"tcbr:DescribeArchitectureType",
"tcbr:DescribeUserServiceTermsRecord",
"lowcode:GetUserCertifyInfo",
"lowcode:DescribeUserCompositeGroupsList",
"lowcode:DescribeWedaWxBind",
"lowcode:GetMaxAppNum",
"lowcode:DescribeApps",
"tcb:CheckTcbService",
"tcb:DescribePackages",
"tcb:DescribeEnvLimit",
"tcb:DescribeBillingInfo",
"tcb:DescribeExtensionsInstalled",
"tcb:DescribeExtensions",
"tcb:DescribeCloudBaseRunAdvancedConfiguration",
"tcb:DescribePostPackage",
"tcb:DescribeICPResources",
"tcb:DescribeExtensionUpgrade",
"tcb:DescribeMonitorMetric",
"tcb:DescribeLowCodeUserQuotaUsage",
"tcb:DescribeEnvStatistics",
"tcb:DescribeLowCodeEnvQuotaUsage",
"tcb:CheckFeaturePermission",
"tcb:DescribeCommonBillingResources",
"tcb:DescribeCommonBillingPackages",
"tcb:DescribeExtraPackages",
"tcb:DescribeAgentList",
"tcb:DescribeTenant",
"tcb:GetCliTokenList",
"tcb:CreateCliToken",
"tcb:GetTemplateAPIsList",
"tcb:GetApisGroupAndList",
"tcb:GetUserKeyList",
"tcb:DescribeEnvBacklogs",
"tcb:DescribeEnvRestriction",
"tcb:DescribeUserPromotionalActivity",
"tcb:DescribeFeaturePermissions",
"tcb:RefreshAuthDomain",
"tcb:DescribeActivityInfo",
"tcb:DescribeTcbAccountInfo",
"tcb:DescribeAIModels",
"tcb:DescribeOperationAppTemplates",
"tcb:DescribeSolutionList",
"tcb:DescribeCloudBaseRunBaseImages",
"tcb:DescribeBuildServiceList",
"tcb:DeleteTable",
"tcb:CreateTable",
"tcb:DescribeTable",
"tcb:DescribeTables",
"tcb:ListTables",
"tcb:RunCommands",
"tcb:UpdateTable",
"tcb:UpdateItem",
"tcb:QueryRecords",
"tcb:PutItem",
"tcb:ModifyNameSpace",
"tcb:DeleteItem",
"tcb:CountRecords",
"tcb:DescribeRestoreTime",
"tcb:RestoreTCBTables",
"tcb:DescribeRestoreTask",
"tcb:DescribeRestoreTables",
"tcb:CreateFunction",
"tcb:UpdateFunctionCode",
"tcb:UpdateFunctionIncrementalCode",
"tcb:GetFunctionLogsStatus",
"tcb:GetFunctionLogDetail",
"tcb:GetFunctionLogs",
"ssl:DescribeCertificateDetail",
"ssl:DescribeCertificates"
],
"effect": "allow",
"resource": ["*"]
},
{
"action": ["tcb:*"],
"effect": "allow",
"resource": ["qcs::tcb:${region}:uin/${uin}:env/${envId}"]
},
{
"action": ["tcbr:*"],
"effect": "allow",
"resource": ["qcs::tcbr:${region}:uin/${uin}:env/${envId}"]
},
{
"action": ["lowcode:*"],
"effect": "allow",
"resource": ["qcs::lowcode::uin/${uin}:env/${envId}"]
},
{
"action": ["cls:*"],
"effect": "allow",
"resource": ["qcs::cls::uin/${uin}:topic/${topicId}"]
},
{
"action": ["scf:*"],
"effect": "allow",
"resource": ["qcs::scf:${region}:uin/${uin}:namespace/${envId}/function/*"]
},
{
"action": ["cos:*"],
"effect": "allow",
"resource": [
"qcs::cos:${region}:uid/${appId}:${cos-bucketId}/*",
"qcs::cos:${region}:uid/${appId}:${static-bucketId}/*"
]
}
],
"version": "2.0"
}
占位符说明
| 占位符 | 含义 | 获取方式 |
|---|---|---|
${region} | 环境所在地域 | DescribeEnvs 返回的 EnvList[0].Region |
${uin} | 主账号 UIN | 腾讯云控制台 账号信息 中的账号 UIN |
${appId} | 主账号 AppId | DescribeEnvs 返回的 EnvList[0].AppId,或从存储桶名称末段提取 |
${envId} | 云开发环境 ID | DescribeEnvs 返回的 EnvList[0].EnvId |
${topicId} | CLS 日志主题 ID | DescribeEnvs 返回的 EnvList[0].LogServices[0].TopicId |
${cos-bucketId} | 云存储桶名称 | DescribeEnvs 返回的 EnvList[0].Storages[0].Bucket |
${static-bucketId} | 静态托管存储桶名称 | DescribeEnvs 返回的 EnvList[0].StaticStorages[0].Bucket |
代码样例
以下为 Node.js 示例,演示如何通过腾讯云 API 获取占位符值并生成最终策略。其他语言请参考 腾讯云 API SDK。
// 安装依赖:npm install tencentcloud-sdk-nodejs
const tencentcloud = require("tencentcloud-sdk-nodejs");
const TcbClient = tencentcloud.tcb.v20180608.Client;
const AccountClient = tencentcloud.account.v20190119.Client;
// 策略模板字符串(使用上方「策略模板」章节的 JSON,将双引号转义或使用反引号包裹)
const POLICY_TEMPLATE = `{"statement":[...],"version":"2.0"}`;
const clientConfig = {
credential: {
secretId: process.env.TENCENTCLOUD_SECRETID, // 主账号 SecretId,从 CAM 控制台获取
secretKey: process.env.TENCENTCLOUD_SECRETKEY, // 主账号 SecretKey,从 CAM 控制台获取
},
region: "ap-shanghai",
};
async function generatePolicy() {
const accountClient = new AccountClient(clientConfig);
const tcbClient = new TcbClient(clientConfig);
// 1. 获取主账号 UIN
const { OwnerUin } = await accountClient.GetUserAppId({});
// 2. 获取云开发环境详情
const { EnvList } = await tcbClient.DescribeEnvs({
EnvId: process.env.CLOUDBASE_ENV_ID,
});
const env = EnvList[0];
// 3. 替换占位符,生成最终策略
const policyJson = POLICY_TEMPLATE
.replace(/\$\{region\}/g, env.Region)
.replace(/\$\{uin\}/g, OwnerUin)
.replace(/\$\{appId\}/g, String(env.AppId))
.replace(/\$\{envId\}/g, env.EnvId)
.replace(/\$\{topicId\}/g, env.LogServices?.[0]?.TopicId || "")
.replace(/\$\{cos-bucketId\}/g, env.Storages?.[0]?.Bucket || "")
.replace(/\$\{static-bucketId\}/g, env.StaticStorages?.[0]?.Bucket || "");
return JSON.parse(policyJson);
}
generatePolicy().then(console.log);
相关 API 参考
| API | 用途 | 文档 |
|---|---|---|
GetUserAppId | 获取主账号 UIN 和 AppId | 账号相关接口 |
DescribeEnvs | 查询云开发环境详情(地域、存储桶、日志主题等) | 云开发 API 概览 |
GetFederationToken | STS 签发临时凭证(策略内联传入,无需创建子账号) | STS 接口 GetFederationToken |
CreatePolicy | 通过 API 创建 CAM 策略 | CAM 接口 CreatePolicy |
AttachUserPolicy | 将策略关联到子账号 | CAM 接口 AttachUserPolicy |
手动配置策略
如果不使用自动生成工具,也可以手动在 CAM 控制台配置:
- 登录 CAM 控制台 → 策略 → 新建自定义策略
- 选择「按策略语法创建」→ 空白模板
- 将上方策略模板中的占位符替换为实际值后粘贴
- 创建策略并关联到目标子账号