Cloud Access Management (CAM) is Tencent Cloud's identity and access management service. CAM controls who can access your resources and what they can do — the equivalent of AWS IAM or Alibaba Cloud RAM.
When you sign up for Tencent Cloud, you receive a root account with full access to all resources and billing.
Root account best practices:
CAM supports two types of sub-accounts:
| Type | Description | Use Case |
|---|---|---|
| Sub-user | An identity with its own login credentials | Team members, developers |
| Collaborator | Another root account granted access to your resources | Partner companies, cross-account access |
Each sub-user gets:
User groups let you manage permissions for multiple users at once:
```
User Group: Developers
├── Sub-user: alice
├── Sub-user: bob
└── Sub-user: charlie
    → Attached policy: QcloudCVMFullAccess
    → Attached policy: QcloudCOSReadOnlyAccess
```
Best practice: Always attach policies to groups, not individual users.
Policies are JSON documents that define permissions:
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": ["cvm:*"],
      "resource": ["*"]
    }
  ]
}
```
| Type | Description |
|---|---|
| Preset policies | Pre-built policies managed by Tencent (e.g., QcloudCVMFullAccess) |
| Custom policies | Policies you write for fine-grained control |
| Element | Description |
|---|---|
| effect | allow or deny |
| action | API operations permitted (e.g., cvm:RunInstances) |
| resource | Resources the policy applies to (resource six-segment format) |
| condition | Optional conditions (IP range, time, MFA status) |
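
The following is an added example, not part of the lesson or of Tencent Cloud's tooling: a small Python linter over the policy elements listed above that flags `allow` statements with wildcard actions or resources and no `condition`. The resource string, region and account ID in `NARROW_POLICY` are constructed placeholders, and `as_list` and `lint_policy` are hypothetical helper names.

```python
import json

# LESSON_POLICY is the policy shown in the lesson. NARROW_POLICY is a constructed
# sample: its resource string, region and account ID are placeholders.
LESSON_POLICY = json.loads("""
{"version": "2.0",
 "statement": [{"effect": "allow", "action": ["cvm:*"], "resource": ["*"]}]}
""")
NARROW_POLICY = json.loads("""
{"version": "2.0",
 "statement": [{"effect": "allow",
                "action": ["cvm:RunInstances"],
                "resource": ["qcs::cvm:ap-guangzhou:uin/100000000001:instance/ins-EXAMPLE"]}]}
""")


def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return (statement_index, finding) tuples for over-broad allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("statement", [])):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue  # deny statements only narrow access
        broad = False
        for action in as_list(stmt.get("action")):
            if action == "*":
                findings.append((i, "action '*' allows every API of every service"))
                broad = True
            elif action.endswith(":*"):
                findings.append((i, f"action '{action}' allows every API of that service"))
                broad = True
        if "*" in as_list(stmt.get("resource")):
            findings.append((i, "resource '*' applies the statement to all resources"))
            broad = True
        if broad and not stmt.get("condition"):
            findings.append((i, "broad statement has no condition (IP range, time, MFA status)"))
    return findings


if __name__ == "__main__":
    for name, pol in (("lesson", LESSON_POLICY), ("narrow", NARROW_POLICY)):
        print(name, lint_policy(pol) or "no findings")
```
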
CAM roles provide temporary credentials for:
When a role is assumed, temporary credentials (SecretId, SecretKey, Token) are issued with an expiry time.