Known Issues
If you use multiple services on Tencent Cloud, such as TencentDB for PostgreSQL, VPC, CVM, and other databases, and these services are managed by different personnel but share your cloud account key, the following issues will arise:
Your key is shared among multiple personnel, leading to a high risk of leakage.
You cannot restrict the access permissions of others, which may cause security risks due to improper operations.
Solution
You can use sub-accounts to avoid the aforementioned issues by having different personnel manage different services. By default, a sub-account does not have the right to use PostgreSQL or permissions for PostgreSQL-related resources. Therefore, you need to create policies to allow sub-accounts to use the resources or permissions they require.
CAM (Cloud Access Management) is an access control service provided by Tencent Cloud. It is primarily designed to help users securely manage access permissions for resources under their Tencent Cloud accounts. Using CAM, you can create, manage, and delete users (or groups), and control which Tencent Cloud resources specified users can access through identity and policy management.
When using CAM, you can associate policies with a user or a group of users. Policies can grant or deny permissions for users to access specific resources and perform designated tasks. For more fundamental information on CAM policies, see Policy Syntax.
If you do not need to manage access permissions for PostgreSQL-related resources for sub-accounts, you can skip this section. Skipping it will not affect your understanding and use of the rest of the document.
Getting Started
A CAM policy must either grant or deny permissions to perform operations on one or more PostgreSQL instances. It must also specify the resources that the operations can be performed on, which can be all resources or, for certain operations, a subset of resources. The policy can also include conditions that apply to operations on those resources.
Some TencentCloud API operations for PostgreSQL do not support resource-level permissions. For such operations, a policy cannot name a particular resource; it must specify all resources instead.
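The following check is an added example, not code from this documentation. It lints a policy document for the two mistakes the paragraphs above imply: naming a specific resource for an operation that has no resource-level support, and granting every PostgreSQL operation on all resources. The account ID, region, instance ID, action names and the contents of `NO_RESOURCE_LEVEL` are constructed placeholders and assumptions; take the real action list from the resource-level permissions reference.

```python
import json

# Constructed sample policy in CAM policy syntax. The account ID, region,
# instance ID and action names are placeholders chosen for illustration.
SAMPLE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"effect": "allow",
     "action": ["postgres:RestartDBInstance"],
     "resource": ["qcs::postgres:ap-guangzhou:uin/100000000001:DBInstanceId/postgres-example1"]},
    {"effect": "allow",
     "action": ["postgres:DescribeDBInstances"],
     "resource": ["qcs::postgres:ap-guangzhou:uin/100000000001:DBInstanceId/postgres-example1"]},
    {"effect": "allow", "action": ["postgres:*"], "resource": ["*"]}
  ]
}
""")

# ASSUMPTION: operations without resource-level permission support. Fill this
# set from "Resource-Level Permissions Supported by PostgreSQL".
NO_RESOURCE_LEVEL = {"postgres:DescribeDBInstances"}

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy, no_resource_level=NO_RESOURCE_LEVEL):
    """Return (statement_index, message) findings for a parsed policy."""
    findings = []
    for idx, stmt in enumerate(policy.get("statement", [])):
        effect = str(stmt.get("effect", "")).lower()
        actions = as_list(stmt.get("action", []))
        all_resources = "*" in as_list(stmt.get("resource", []))
        if effect not in ("allow", "deny"):
            findings.append((idx, "effect must be allow or deny"))
        for action in actions:
            # A specific resource on such an operation does not scope it.
            if action in no_resource_level and not all_resources:
                findings.append((idx, f"{action}: no resource-level support, resource must be *"))
            # Wildcard action on all resources defeats per-person separation.
            if effect == "allow" and action.endswith(":*") and all_resources:
                findings.append((idx, f"{action} on all resources exceeds least privilege"))
    return findings
```

Running `lint_policy(SAMPLE_POLICY)` reports the second and third statements and passes the first, which scopes a single operation to a single instance.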
Understanding the Basic Policy Structure
Defining Operations in a Policy
Defining Resources in a Policy
Resource-Level Permissions Supported by PostgreSQL