Overview
Cloud Access Management (CAM) helps you securely manage access to the resources under your Tencent Cloud account. With CAM you can create, manage and delete users or user groups, and use identity management and policy management to control which Tencent Cloud resources other users may use. A policy grants or denies a user permission to perform specified tasks on specified resources; when you use CAM, you attach policies to a user or a group of users to control their permissions.
TencentCloud Automation Tools (TAT) is integrated with CAM, so you can use CAM to control permissions on TAT resources.
Authorization granularity
TAT supports two authorization methods: resource-level authorization and tag-based authorization.
- Resource-level authorization: using policy syntax, you can grant a sub-account management permissions on a single resource. See the Authorization Guide for details.
- Tag-based authorization: by tagging resources, you can manage project resources based on tags.
Preset policies
| Preset policy name | Scope of authorization |
| --- | --- |
| QcloudTATReadOnlyAccess | Read-only access to TAT |
| QcloudTATFullAccess | Full read/write access to TAT |
Authorizable resource types
TAT supports resource-level authorization, so you can grant a sub-account API permissions on specific resources only.
The resource types that can be authorized for TAT in CAM are as follows:
| Service | Resource type | Resource prefix | Resource description in the authorization policy |
| --- | --- | --- | --- |
| tat | Command | command | qcs::tat:${region}:uin/${uin}:command/${CommandId} |
| tat | Registered (managed) instance | register-instance | qcs::tat:${region}:uin/${uin}:register-instance/${InstanceId} |
| tat | Invoker | invoker | qcs::tat:${region}:uin/${uin}:invoker/${InvokerId} |
| cvm | CVM instance | instance | qcs::cvm:${region}:uin/${uin}:instance/${InstanceId} |
| lighthouse | Lighthouse instance | instance | qcs::lighthouse:${region}:uin/${uin}:instance/${InstanceId} |
Authorization support by API
Authorization scheme examples
The following examples show how to use CAM to control TAT permissions.
Note: in the examples, ${uin} must be replaced with the UIN of the root account, and placeholders such as ${InstanceId} and ${tag} must be replaced with the actual IDs or tag values. Every statement below is checked by CAM independently; an explicit deny takes precedence over any allow, and a request that matches no allow statement is denied.
Allow all command execution features
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "tat:CreateCommand", "tat:ModifyCommand", "tat:DeleteCommand", "tat:DeleteCommands",
        "tat:DescribeCommands", "tat:PreviewReplacedCommandContent", "tat:InvokeCommand",
        "tat:RunCommand", "tat:CancelInvocation", "tat:DescribeInvocations",
        "tat:DescribeInvocationTasks", "tat:DescribeAutomationAgentStatus", "tat:DescribeScenes",
        "tat:DescribeAllResourcesCount", "tat:DescribeQuotas", "tat:CloneCommands"
      ],
      "resource": ["*"]
    }
  ]
}
```
Allow all managed (registered) instance features
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "tat:CreateRegisterCode", "tat:DisableRegisterCode", "tat:DisableRegisterCodes",
        "tat:DeleteRegisterCode", "tat:DeleteRegisterCodes", "tat:DescribeRegisterCodes",
        "tat:ModifyRegisterInstance", "tat:DeleteRegisterInstance", "tat:DescribeRegisterInstances",
        "tat:DescribeQuotas", "tat:DescribeAllResourcesCount"
      ],
      "resource": ["*"]
    }
  ]
}
```
Allow all scheduled execution (invoker) features
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "tat:CreateInvoker", "tat:ModifyInvoker", "tat:DeleteInvoker", "tat:DeleteInvokers",
        "tat:EnableInvoker", "tat:DisableInvoker", "tat:DescribeInvokers", "tat:DescribeInvokerRecords",
        "tat:DescribeQuotas", "tat:DescribeAllResourcesCount"
      ],
      "resource": ["*"]
    }
  ]
}
```
Deny execution of arbitrary custom commands
The sub-account may only execute commands that have already been created; it may not execute any other custom command content by any means. Because this is an explicit deny, it overrides any allow granted by other policies attached to the same account.
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "action": ["tat:CreateCommand", "tat:ModifyCommand", "tat:RunCommand"],
      "resource": ["*"]
    }
  ]
}
```
Allow tagged instances to execute any command
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "tat:InvokeCommand", "tat:RunCommand", "tat:CancelInvocation",
        "tat:DescribeInvocations", "tat:DescribeInvocationTasks", "tat:DescribeAutomationAgentStatus"
      ],
      "resource": [
        "qcs::cvm::uin/${uin}:instance/*",
        "qcs::lighthouse::uin/${uin}:instance/*",
        "qcs::tat::uin/${uin}:register-instance/*"
      ],
      "condition": {
        "for_any_value:string_equal": {
          "qcs:resource_tag": ["${tag}&${value}"]
        }
      }
    },
    {
      "effect": "allow",
      "action": [
        "tat:InvokeCommand", "tat:CancelInvocation", "tat:DescribeInvocations", "tat:DescribeInvocationTasks"
      ],
      "resource": ["qcs::tat::uin/${uin}:command/*"]
    },
    {
      "effect": "allow",
      "action": [
        "tat:CreateCommand", "tat:ModifyCommand", "tat:DeleteCommand", "tat:DeleteCommands",
        "tat:PreviewReplacedCommandContent", "tat:DescribeCommands", "tat:DescribeQuotas",
        "tat:DescribeAllResourcesCount", "tat:DescribeScenes"
      ],
      "resource": ["*"]
    }
  ]
}
```
Deny specified instances from executing any command
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "deny",
      "action": ["tat:InvokeCommand", "tat:RunCommand", "tat:CreateInvoker", "tat:ModifyInvoker"],
      "resource": [
        "qcs::cvm::uin/${uin}:instance/${InstanceId}",
        "qcs::lighthouse::uin/${uin}:instance/${InstanceId}",
        "qcs::tat::uin/${uin}:register-instance/${InstanceId}"
      ]
    }
  ]
}
```
Allow any instance to execute tagged commands
In this scenario the sub-account is normally not allowed to execute any custom command content other than the tagged commands, so the permissions to create and modify commands are deliberately not granted.
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "tat:InvokeCommand", "tat:CancelInvocation", "tat:DescribeCommands", "tat:DescribeInvocations",
        "tat:DescribeInvocationTasks", "tat:PreviewReplacedCommandContent", "tat:DescribeAllResourcesCount"
      ],
      "resource": ["qcs::tat::uin/${uin}:command/*"],
      "condition": {
        "for_any_value:string_equal": {
          "qcs:resource_tag": ["${tag}&${value}"]
        }
      }
    },
    {
      "effect": "allow",
      "action": [
        "tat:InvokeCommand", "tat:CancelInvocation", "tat:DescribeInvocations", "tat:DescribeInvocationTasks"
      ],
      "resource": [
        "qcs::cvm::uin/${uin}:instance/*",
        "qcs::lighthouse::uin/${uin}:instance/*",
        "qcs::tat::uin/${uin}:register-instance/*"
      ]
    },
    {
      "effect": "allow",
      "action": ["tat:DescribeAutomationAgentStatus", "tat:DescribeScenes"],
      "resource": ["*"]
    }
  ]
}
```
Only allow tagged instances to execute tagged commands
The tag on the instance and the tag on the command do not have to be the same.
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "tat:InvokeCommand", "tat:CancelInvocation", "tat:DescribeCommands", "tat:DescribeInvocations",
        "tat:DescribeInvocationTasks", "tat:PreviewReplacedCommandContent", "tat:DescribeAllResourcesCount"
      ],
      "resource": ["qcs::tat::uin/${uin}:command/*"],
      "condition": {
        "for_any_value:string_equal": {
          "qcs:resource_tag": ["${commandTag}&${commandValue}"]
        }
      }
    },
    {
      "effect": "allow",
      "action": [
        "tat:InvokeCommand", "tat:CancelInvocation", "tat:DescribeInvocations",
        "tat:DescribeInvocationTasks", "tat:DescribeAutomationAgentStatus"
      ],
      "resource": [
        "qcs::cvm::uin/${uin}:instance/*",
        "qcs::lighthouse::uin/${uin}:instance/*",
        "qcs::tat::uin/${uin}:register-instance/*"
      ],
      "condition": {
        "for_any_value:string_equal": {
          "qcs:resource_tag": ["${instanceTag}&${instanceValue}"]
        }
      }
    },
    {
      "effect": "allow",
      "action": ["tat:DescribeScenes"],
      "resource": ["*"]
    }
  ]
}
```
Only allow execution of public commands
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "tat:InvokeCommand", "tat:CancelInvocation", "tat:DescribeCommands", "tat:DescribeInvocations",
        "tat:DescribeInvocationTasks", "tat:DescribeAllResourcesCount", "tat:PreviewReplacedCommandContent"
      ],
      "resource": [
        "qcs::tat::uin/${uin}:command/cmd-4l96v59d", "qcs::tat::uin/${uin}:command/cmd-o2zy58ll",
        "qcs::tat::uin/${uin}:command/cmd-978lsblt", "qcs::tat::uin/${uin}:command/cmd-7g5txu6j",
        "qcs::tat::uin/${uin}:command/cmd-e4ompj3h", "qcs::tat::uin/${uin}:command/cmd-ihh9i45h",
        "qcs::tat::uin/${uin}:command/cmd-gb4159l1", "qcs::tat::uin/${uin}:command/cmd-2x4yxd2h",
        "qcs::tat::uin/${uin}:command/cmd-450zxmf5", "qcs::tat::uin/${uin}:command/cmd-glunqdaf",
        "qcs::tat::uin/${uin}:command/cmd-rlyqe4mb", "qcs::tat::uin/${uin}:command/cmd-k0pgmw9z",
        "qcs::tat::uin/${uin}:command/cmd-ovngtxex", "qcs::tat::uin/${uin}:command/cmd-m7xhg9ry",
        "qcs::tat::uin/${uin}:command/cmd-itb8k5w0", "qcs::tat::uin/${uin}:command/cmd-4he2skhv",
        "qcs::tat::uin/${uin}:command/cmd-67qk31wl", "qcs::tat::uin/${uin}:command/cmd-d8jj2skv",
        "qcs::tat::uin/${uin}:command/cmd-r6i6607b", "qcs::tat::uin/${uin}:command/cmd-hyi1qkaz",
        "qcs::tat::uin/${uin}:command/cmd-udf823bk", "qcs::tat::uin/${uin}:command/cmd-9wn4yql2",
        "qcs::tat::uin/${uin}:command/cmd-q4r20drw", "qcs::tat::uin/${uin}:command/cmd-89a912de",
        "qcs::tat::uin/${uin}:command/cmd-5b9p4ql1", "qcs::tat::uin/${uin}:command/cmd-6a8p3ql1",
        "qcs::tat::uin/${uin}:command/cmd-ge21jh6a", "qcs::tat::uin/${uin}:command/cmd-y6jn1jhf",
        "qcs::tat::uin/${uin}:command/cmd-ytybn895", "qcs::tat::uin/${uin}:command/cmd-9cz7txqs",
        "qcs::tat::uin/${uin}:command/cmd-aw6f52ae", "qcs::tat::uin/${uin}:command/cmd-o9d1r89q",
        "qcs::tat::uin/${uin}:command/cmd-hjpj9gbc", "qcs::tat::uin/${uin}:command/cmd-109qbaca",
        "qcs::tat::uin/${uin}:command/cmd-9zlw1sai", "qcs::tat::uin/${uin}:command/cmd-flnxlyns"
      ]
    },
    {
      "effect": "allow",
      "action": [
        "tat:InvokeCommand", "tat:CancelInvocation", "tat:DescribeInvocations", "tat:DescribeInvocationTasks"
      ],
      "resource": [
        "qcs::cvm::uin/${uin}:instance/*",
        "qcs::lighthouse::uin/${uin}:instance/*",
        "qcs::tat::uin/${uin}:register-instance/*"
      ]
    },
    {
      "effect": "allow",
      "action": ["tat:DescribeScenes", "tat:DescribeAutomationAgentStatus"],
      "resource": ["*"]
    }
  ]
}
```
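Before attaching a combination such as "allow tagged instances to execute any command" plus "deny specified instances from executing any command", it is worth checking offline that the two policies interact the way you expect. The following is an added example, not Tencent Cloud's own code: a simplified simulator of the CAM rules the examples rely on (implicit deny, explicit deny overriding allow, `*` globbing, and the `for_any_value:string_equal` condition on `qcs:resource_tag` in `key&value` form). The UIN, instance IDs and the assumption that an empty segment such as region in a six-segment resource description matches any value are constructed for illustration.

```python
import fnmatch

# Constructed placeholders: not a real UIN, not real instance IDs.
UIN = "100000000001"
TAGGED_ALLOW_POLICY = {"version": "2.0", "statement": [{
    "effect": "allow",
    "action": ["tat:InvokeCommand", "tat:RunCommand"],
    "resource": [f"qcs::cvm::uin/{UIN}:instance/*", f"qcs::lighthouse::uin/{UIN}:instance/*"],
    "condition": {"for_any_value:string_equal": {"qcs:resource_tag": ["env&prod"]}}}]}
DENY_INSTANCE_POLICY = {"version": "2.0", "statement": [{
    "effect": "deny",
    "action": ["tat:InvokeCommand", "tat:RunCommand"],
    "resource": [f"qcs::cvm::uin/{UIN}:instance/ins-denied001"]}]}

def qcs_match(pattern, resource):
    """Match a six-segment qcs description. '*' globs inside a segment; an
    empty pattern segment (e.g. region) is assumed to match any value."""
    if pattern == "*":
        return True
    p, r = pattern.split(":", 5), resource.split(":", 5)
    if len(p) != 6 or len(r) != 6:
        return False
    return all(ps == "" or fnmatch.fnmatchcase(rs, ps) for ps, rs in zip(p, r))

def tag_condition_ok(condition, tags):
    """for_any_value:string_equal on qcs:resource_tag: at least one tag of
    the resource, written as 'key&value', must be listed in the policy."""
    if not condition:
        return True
    wanted = condition.get("for_any_value:string_equal", {}).get("qcs:resource_tag", [])
    return any(f"{k}&{v}" in wanted for k, v in tags.items())

def evaluate(policies, action, resource, tags):
    """Simplified CAM decision: start from implicit deny, an allow statement
    that matches grants access, an explicit deny that matches always wins."""
    decision = "deny"
    for policy in policies:
        for st in policy["statement"]:
            acts = st["action"] if isinstance(st["action"], list) else [st["action"]]
            if not any(fnmatch.fnmatchcase(action, a) for a in acts):
                continue
            if not any(qcs_match(p, resource) for p in st["resource"]):
                continue
            if not tag_condition_ok(st.get("condition"), tags):
                continue
            if st["effect"] == "deny":
                return "deny"
            decision = "allow"
    return decision
```

Run `evaluate([TAGGED_ALLOW_POLICY, DENY_INSTANCE_POLICY], "tat:RunCommand", resource, tags)` with the instance's resource description and tags to confirm that an untagged instance and the explicitly denied instance both come back as "deny" even though the allow policy uses `instance/*`.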