Account Permission Overview

Last updated: 2026-01-04 15:02:27
To perform fine-grained permission management for RabbitMQ resources, you can use the Cloud Access Management (CAM) service to achieve the following features:
User and permission assignment: Create independent users or roles for members of different functional departments based on the enterprise organizational structure. Assign dedicated security credentials (such as the console login password and cloud API key) or request temporary security credentials to ensure secure and controlled access to RabbitMQ resources.
Fine-grained permission control: Set differentiated access policies based on employee responsibilities to precisely control the types of operations each user or role can perform and the scope of resources they can access, achieving strict permission isolation.

Account System Introduction

The capability differences between account types, and the reference documentation for each, are as follows:
Account Type: Definition
Root Account: Owns all Tencent Cloud resources and can access any of its resources.
Sub-account
Sub-user: Created by the root account and fully owned by the root account that created the sub-user.
Collaborator: Has root account identity and has been added as a collaborator to the current root account. As one of the sub-accounts under the current root account, it can switch back to its root account identity.
Message Recipient: Only has the message receiving feature.
Console access
-
Programmatic access
-
Policy authorization
Has all policies by default.
-
Message notification
Reference Documentation
Note:
To ensure the security of your Tencent Cloud account and cloud resource usage, avoid using the Tencent Cloud root account directly to operate resources unless necessary. Instead, create sub-accounts, assign them policies based on the principle of least privilege, and use these sub-accounts with limited permissions to operate your cloud resources.

Policies

Policies are used to define and describe the syntax rules for one or more permissions. By default, the root account has access permissions for all resources under it, while its sub-accounts have no access permissions for any resources under it.
The root account can grant users/user groups the permission to view and use specific resources by associating policies with them. Tencent Cloud policies are categorized into preset policies and custom policies.

Preset Policies

RabbitMQ provides two preset policies for sub-accounts:
| TDMQ for RabbitMQ Version | Policy | Description |
| --- | --- | --- |
| Managed Edition | QcloudTDMQFullAccess | Full read/write access permissions, which allow you to perform read/write operations in the product console. |
| Managed Edition | QcloudTDMQReadOnlyAccess | Read-only access permissions, which allow you to view related information in the console only. |
| Serverless Edition | QcloudTrabbitFullAccess | Full read/write access permissions, which allow you to perform read/write operations in the product console. |
| Serverless Edition | QcloudTrabbitReadOnlyaccess | Read-only access permissions, which allow you to view related information in the console only. |

Custom Policies

If the system permission policy cannot meet your requirements, you can create a custom permission policy to achieve least privilege. Policy settings can be precisely controlled at the [API, resource, users/user group, allowing/denying, condition] dimensions. Using custom permission policies helps achieve fine-grained control of permissions and is an effective means to enhance resource access security.
Currently, Tencent Cloud provides the following two flexible custom policy creation methods to meet different usage habits and requirements:
Visualized editor: adopts a wizard-based approach where users can select cloud services, operations, resources, conditions, and other elements via the page without needing to understand policy syntax. The system automatically generates policies, lowering the barrier to use.
JSON editor: allows editing policy content based on specific requirements after selecting a policy template, or directly writing JSON-formatted policy content in the editor. Suitable for users with a technical background.
Custom policy example
The sub-accounts that are granted this permission policy only have console and API permissions to query the instance list, queue details, connection list, and messages for the instance amqp-xxx.
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "tdmq:DescribeRabbitMQConnection",
        "tdmq:DescribeRabbitMQMessage",
        "tdmq:DescribeRabbitMQQueueDetail",
        "tdmq:ListRabbitMQInstances"
      ],
      "resource": [
        "qcs::tdmq::uin/1000*****555:cluster/amqp-ae3de8qd"
      ]
    }
  ]
}
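An added example, not part of the Tencent Cloud documentation: a small Python check that audits a CAM policy document for least privilege before it is attached to a sub-account. It assumes that actions whose names start with Describe or List are read-only (the naming pattern in the policy above); the function names and the broad counter-example are constructed for illustration.

```python
import json

# The page's example policy, reproduced as-is (the uin is masked on the page).
PAGE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [{
    "effect": "allow",
    "action": [
      "tdmq:DescribeRabbitMQConnection", "tdmq:DescribeRabbitMQMessage",
      "tdmq:DescribeRabbitMQQueueDetail", "tdmq:ListRabbitMQInstances"
    ],
    "resource": ["qcs::tdmq::uin/1000*****555:cluster/amqp-ae3de8qd"]
  }]
}
""")

# Constructed counter-example: every tdmq action on every resource.
BROAD_POLICY = {"version": "2.0", "statement": [
    {"effect": "allow", "action": "tdmq:*", "resource": "*"}]}

READ_PREFIXES = ("Describe", "List")  # assumption: read-only naming convention

def as_list(value):
    """Accept a single string or a list, so both spellings are audited."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy):
    """Return least-privilege findings for each allow statement."""
    findings = []
    for i, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect", "").lower() != "allow":
            continue  # deny statements only narrow access
        for action in as_list(stmt.get("action")):
            name = action.split(":", 1)[-1]
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif not name.startswith(READ_PREFIXES):
                findings.append(f"statement {i}: non-read action {action!r}")
        resources = as_list(stmt.get("resource"))
        if not resources:
            findings.append(f"statement {i}: no resource scope")
        for res in resources:
            # Last segment names the resource; the masked uin may contain '*'.
            if res == "*" or res.rsplit(":", 1)[-1].endswith("*"):
                findings.append(f"statement {i}: wildcard resource {res!r}")
    return findings
```

Running `audit_policy` on a policy exported from the JSON editor gives a list of findings to review; an empty list means every allowed action is read-only by name and every resource is pinned to a specific cluster.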

Sub-account Authorization Operations

When a sub-account uses RabbitMQ, permissions need to be granted in two aspects:
| Type | Description |
| --- | --- |
| Permissions to access other cloud products | Permissions to access other cloud product resources, such as Virtual Private Cloud (VPC) and Cloud Virtual Machine (CVM), during the use of RabbitMQ, for example, to view the availability zone (AZ) information of the user's subnet. |
| Read/Write permissions for RabbitMQ resources | Obtain read/write permissions for RabbitMQ resources. |

Documentation

Purpose
Link
Understand the relationship between policies and users.
Understand the basic structure of a policy.
Understand which other products support CAM.

