This document describes how to create a permissions policy when you are prompted for permission but do not have any. After the permissions policy is created, the sub-account can manage resources under the root account within the new permission scope.
Prerequisite
Your account is a root account or a sub-account with full read/write access (QcloudCamFullAccess).
Directions
1. Log in to the CAM console and go to Policies. Click Create Custom Policy.
2. In the pop-up window, click Create by Policy Generator to go to the Edit Policy page.
3. On the Edit Policy page, set the following information:
Effect (required): Select Allow or Deny. In this example, select Allow.
Service (required): Select the product by short name to authorize. In this example, it will be cvm referenced in the operation field in the error information.
Action (required): Select the action to authorize. In this example, select RebootInstances corresponding to the operation field in the error information.
Resource (required): For products that don't support resource-level authorization, you can only select all resources as the authorization granularity. For products that support resource-level authorization, you can select a specific resource. To do so, click Add a 6-segment resource description and enter the resource prefix and resource. In this example, the error message is for a specific resource, so you need to authorize it: Select the specific resource, click Add a 6-segment resource description, and then you can directly copy the prefix and resource in qcs:id/0:cvm:ap-guangzhou:uin/10***6:instance/ins-arh4gyp2 and paste them.
Condition (required): Set the condition for the sub-account’s authorization to take effect. key indicates the condition key, ope, the operator, and value, the condition value. In this example, key is qcs:request_tag, ope is for_all_value:string_equal, and value is server&1024","a&b".
4. Click Next to go to the Associate Users/User Groups page.
5. On the Associate Users/User Groups page, add the policy name (automatically generated by the console) and description.
Note:
The policy name is policygen by default. The suffix number is generated based on the creation date. This is customizable.
The description corresponds to the service and action selected in Step 3. You can modify it as needed.
6. Click Complete to complete the custom policy creation.
7. Authorize the sub-account as instructed in Authorization Management. After successful authorization, the sub-account will be granted the required permission, and the error will be fixed.
