
腾讯云前置准备

本文主要介绍创建 BYOC 类型仓库涉及的腾讯云平台相关操作,包括创建 CAM 用户并授权、创建私有网络 VPC 和子网、了解资源编排等。

准备 CAM 用户并授权

创建 BYOC 类型仓库前,需提前准备好具备相关权限的腾讯云 CAM 用户。

请将此文档发送给您的腾讯云管理员,请求管理员参照此文档为您创建 CAM 用户,并授权。

管理员访问腾讯云 访问管理 CAM 控制台,执行以下操作:

创建权限策略

创建 SelectDB Cloud BYOC 类型仓库时,需要通过 CloudShell 执行 Terraform 模板,会创建 CVM、VPC、COS 等云资源或进行相关操作,因此需要一系列 CAM 权限。

点击左侧 策略,进入权限策略管理页面,点击新建自定义策略,选择按策略语法创建。

选择空白模板,点击下一步。

输入策略名称,清空原有文本框,复制以下脚本,粘贴到文本框中。详细的权限说明,请见下文 Terraform 模板依赖的权限说明 部分。

{
    "statement": [
        {
            "action": [
                "cvm:DescribeInstances",
                "cvm:DescribeInstanceAttributes",
                "cvm:InquiryPriceRunInstances",
                "cvm:StartInstances",
                "cvm:StopInstances",
                "cvm:RebootInstances",
                "cvm:TerminateInstances",
                "cvm:ModifyInstancesChargeType",
                "cvm:AttachCbsStorages",
                "cvm:DetachCbsStorages",
                "cvm:ModifyCbsStorageAttributes",
                "cvm:AttachDisks",
                "cvm:DetachDisks",
                "cvm:RenewDisk",
                "cvm:ResizeDisk",
                "clb:DescribeLoadBalancers",
                "clb:DescribeLoadBalancersDetail",
                "clb:InquiryPriceRefundLoadBalancer",
                "clb:InquiryPriceRenewLoadBalancer",
                "clb:DescribeListeners",
                "clb:DescribeLBListeners",
                "clb:CreateListener",
                "clb:CreateLoadBalancerListeners",
                "clb:SetLoadBalancerStartStatus",
                "clb:DeleteListener",
                "clb:DeleteLoadBalancerListeners",
                "clb:DescribeTargets",
                "clb:DescribeTargetGroupInstances",
                "clb:RegisterTargets",
                "clb:DeregisterTargets",
                "clb:CreateRule",
                "clb:CreateListenerRules",
                "clb:DeleteRule",
                "clb:SetSecurityGroupForLoadbalancers",
                "clb:SetLoadBalancerSecurityGroups"
            ],
            "condition": {
                "for_any_value:string_equal": {
                    "qcs:resource_tag": [
                        "resource-created-by&selectdb"
                    ]
                }
            },
            "effect": "allow",
            "resource": [
                "qcs::cvm:::*",
                "qcs::clb:::*"
            ]
        },
        {
            "action": [
                "cvm:RunInstances",
                "cvm:PurgeInstances",
                "cvm:RenewInstances",
                "cvm:ViewModifyInstancesAttribute",
                "cvm:ModifyInstancesAttribute",
                "cvm:ResetInstancesType",
                "cvm:DescribeImages",
                "cvm:DescribeSecurityGroupAssociateInstances",
                "cvm:DescribeSecurityGroups",
                "cvm:DescribeSecurityGroupPolicys",
                "cvm:CreateSecurityGroup",
                "cvm:CreateSecurityGroupPolicy",
                "cvm:ModifySecurityGroupPolicys",
                "cvm:ModifySecurityGroupAttributes",
                "cvm:AssociateSecurityGroups",
                "cvm:DisassociateSecurityGroups",
                "cvm:DeleteSecurityGroup",
                "cvm:DeleteSecurityGroupPolicy",
                "cvm:CreateCbsStorages",
                "cvm:ResizeCbsStorage",
                "cvm:DescribeDisks",
                "cvm:CreateDisks",
                "cvm:ModifyDiskAttributes",
                "vpc:DescribeVpcEx",
                "vpc:DescribeSubnet",
                "vpc:DescribeSubnetEx",
                "vpc:DescribeNetworkInterfaces",
                "vpc:DescribeRouteTable",
                "vpc:DescribeVpcLimits",
                "vpc:DescribeVpcEndPoint",
                "vpc:DescribeVpcEndPointService",
                "vpc:DescribeVpcEndPointServiceWhiteList",
                "vpc:CheckVpcEndPointServiceExist",
                "vpc:CreateVpcEndPoint",
                "vpc:ModifyVpcEndPointAttribute",
                "vpc:DisassociateVpcEndPointSecurityGroups",
                "vpc:DeleteVpcEndPoint",
                "clb:InquiryPriceCreateLoadBalancer",
                "clb:CreateLoadBalancer",
                "clb:DeleteLoadBalancer",
                "clb:DeleteLoadBalancers",
                "clb:DescribeLoadBalancerListeners",
                "clb:DescribeTargetGroups",
                "clb:DescribeTargetGroupList",
                "clb:CreateTargetGroup",
                "clb:ModifyTargetGroupAttribute",
                "clb:DeleteTargetGroups",
                "clb:BatchRegisterTargets",
                "clb:BatchDeregisterTargets",
                "clb:RegisterTargetGroupInstances",
                "clb:DeregisterTargetGroupInstances",
                "clb:AssociateTargetGroups",
                "clb:DisassociateTargetGroups",
                "clb:RegisterInstancesWithLoadBalancer",
                "clb:DeregisterInstancesFromLoadBalancer",
                "clb:ModifyRule",
                "clb:SetSecurityGroups",
                "tag:DescribeResourceTagsByResourceIds",
                "tag:TagResources",
                "tag:UnTagResources"
            ],
            "effect": "allow",
            "resource": [
                "*"
            ]
        },
        {
            "action": [
                "finance:*"
            ],
            "effect": "allow",
            "resource": [
                "qcs::cvm:::*",
                "qcs::clb:::*"
            ]
        },
        {
            "action": [
                "cos:*"
            ],
            "effect": "allow",
            "resource": [
                "*"
            ]
        },
        {
            "action": [
                "sts:AssumeRole",
                "cam:GetPolicy",
                "cam:GetPolicyVersion",
                "cam:ListPolicyVersions",
                "cam:ListAccessKeys",
                "cam:GetUserPermissionBoundary",
                "cam:ListUserTags",
                "cam:CheckUserPolicyAttachment",
                "cam:CreatePolicy",
                "cam:DeletePolicy",
                "cam:UpdatePolicy",
                "cam:GetAccountSummary",
                "cam:DescribeSubAccounts",
                "cam:ListSubAccounts",
                "cam:GetUser",
                "cam:GetUserAppId",
                "cam:ListUsers",
                "cam:GetAllMaskedSubUser",
                "cam:GetUserPermissionBoundary",
                "cam:AddUser",
                "cam:AttachUserPolicy",
                "cam:ListAttachedUserPolicies",
                "cam:ListAttachedUserAllPolicies",
                "cam:CheckUserPolicyAttachment",
                "cam:DetachUserPolicy",
                "cam:DeleteUser",
                "cam:UpdateUser",
                "cam:ListUserTags",
                "cam:DescribeRoleList",
                "cam:GetRole",
                "cam:CreateRole",
                "cam:GetRolePermissionBoundary",
                "cam:GetServiceLinkedRoleDeletionStatus",
                "cam:CreateServiceLinkedRole",
                "cam:PutRolePermissionsBoundary",
                "cam:AttachRolePolicy",
                "cam:ListAttachedRolePolicies",
                "cam:DeleteRole",
                "cam:DeleteRolePermissionsBoundary",
                "cam:DeleteServiceLinkedRole",
                "cam:DetachRolePolicy",
                "cam:LogoutRoleSessions",
                "cam:PassRole",
                "cam:ListRoleTags",
                "cam:TagRole",
                "cam:UntagRole",
                "cam:UpdateRoleConsoleLogin",
                "cam:UpdateRoleDescription",
                "cam:UpdateAssumeRolePolicy",
                "cam:ListAccessKeys",
                "cam:CreateAccessKey",
                "cam:DeleteAccessKey",
                "cam:UpdateAccessKey"
            ],
            "effect": "allow",
            "resource": [
                "*"
            ]
        }
    ],
    "version": "2.0"
}

点击完成,完成创建权限策略。

创建 CAM 用户,并授权

提示: 如果已有 CAM 用户,可以跳过创建 CAM 用户步骤,直接对已有 CAM 用户授权。

点击左侧 用户,进入用户管理页面,点击新建用户 > 快速新建用户,输入相关信息,点击创建用户,完成用户创建。

返回用户列表,点击用户右侧授权按钮,选中上述步骤创建的策略,点击确定,完成授权。

创建 CAM 用户组,并授权(可选)

提示: 如果已有 CAM 用户组,可以跳过创建 CAM 用户组步骤,直接对已有 CAM 用户组授权。

如果企业内存在多名人员使用 SelectDB Cloud,可以创建 CAM 用户组,并将相关人员加入用户组,并统一授权。

点击左侧 用户组,进入用户组管理页面,点击新建用户组,输入用户组名,点击下一步,选择上述步骤创建的策略,点击完成,完成创建。

准备私有网络 VPC 和子网

提示:

  1. 如果已有符合地域要求的 VPC,并期望将 BYOC 仓库部署在此 VPC 内,可以跳过下面创建私有网络 VPC 和子网的步骤。
  2. 当前支持的地域和子网可用区为:
     | 云平台 | 地域名称 | 地域 ID | 可用区 ID |
     | --- | --- | --- | --- |
     | 腾讯云 | 北京 | ap-beijing | 3, 6, 7 |
     | 腾讯云 | 上海 | ap-shanghai | 2, 5, 8 |
     | 腾讯云 | 广州 | ap-guangzhou | 6, 7 |

创建 BYOC 类型仓库前,需要使用上述 CAM 用户提前创建私有网络 VPC 和子网,以下是具体操作。

打开腾讯云 私有网络 VPC 控制台,切换到您期望创建 BYOC 仓库的地域,点击 新建,进入 VPC 创建页面。

输入名称、选择 IPv4 CIDR,子网名称,子网 IPv4 CIDR,子网可用区,点击确定完成创建。

了解资源编排

当用户创建 BYOC 类型仓库时,会首先借助云厂商的资源编排服务自动部署 Agent,完成 Agent 与 SelectDB Cloud 平台之间的私有连接,然后由 Agent 负责 BYOC 仓库的部署与管理工作。

Terraform 模板说明

SelectDB 提供的 Terraform 资源编排模板运行在您的腾讯云账号下,并且模板代码可见、可审计,不会对您的数据与 VPC 内的其他环境进行操作。您可以通过以下链接获取 SelectDB 提供的 Terraform 模板:

https://online-bj-1313869400.cos.ap-beijing.myqcloud.com/public/txcloud-byoc.tf

Terraform 模板创建出的资源

当您通过腾讯云 CloudShell 运行 Terraform 模板时,会创建以下资源:

  • 虚拟机
    • 名称:SelectDBAgent(CVM)
    • 用途:用于部署Agent,Prometheus,FluentBit等程序
  • 终端节点
    • 名称:SelectDBEndpoint(VPC Endpoint)
    • 用途:与 SelectDB Cloud 平台建立私网连接,从而可以拉取管控指令、推送监控和日志
  • 存储桶
    • 名称:SelectDBBucket(COS Bucket)
    • 用途:存储数仓数据
  • 安全组
    • 名称:SelectDBSecurityGroup(VPC SecurityGroup)
    • 用途:绑定在终端节点和 CVM 实例上,并通过安全组规则限定仅特定子网到特定端口的流量才能通行(允许来自同一安全组的所有流量访问所有端口,允许来自同一子网的流量访问 8666 端口,允许所有流量出网)
  • 子用户/角色
    • 名称:(CAM User / CAM Role)
      • SelectDBUser(子用户),SelectDBUserAccessKey(aksk),SelectDBUserPolicy(子用户权限)
      • SelectDBControlPanelRole(管控侧角色),SelectDBControlPanelRolePolicy(管控侧角色权限),SelectDBDataAccessRole(内核侧角色),SelectDBDataAccessRolePolicy(内核侧角色权限)
    • 用途:
      • 创建出的子用户具备 Agent 所需的最小权限,之后进行的所有的管控操作均使用该子用户的身份进行,子用户信息只会在用户 VPC 内使用,不会外泄
      • 绑定在 CVM 实例上,后续可以获取临时 AkSk 来进行鉴权,相较于目前使用永久 AkSk 的方式更加安全。一个给管控侧使用(绑定在 Agent),一个给内核侧使用(绑定在 MS/FE/BE)

注意:您可以通过 terraform.tfstate 状态文件查看创建出的所有资源详情(创建出的访问密钥等敏感信息通常也会记录在该文件中,请妥善保管)。请勿修改该文件,否则在进行更新或销毁时可能会因状态信息缺失而失败,导致资源泄露。

Terraform 模板依赖的权限说明

在您的云账号下通过 CloudShell 执行 Terraform 模板时,会创建 CVM、VPC、COS 等云资源或进行相关操作,因此需要一系列 CAM 权限。在正式执行前,请确保执行此模板的用户具备相应权限,否则可能会遇到执行模板失败的情况。

注意:Terraform 模板的执行过程完全在您的云账号下进行,创建出来的资源也都属于您的云账号。SelectDB 不会获取您的云账号信息,也无法使用该账号的相应 CAM 权限。

{
    "statement": [
        {
            "action": [
                "cvm:DescribeInstances",
                "cvm:DescribeInstanceAttributes",
                "cvm:InquiryPriceRunInstances",
                "cvm:StartInstances",
                "cvm:StopInstances",
                "cvm:RebootInstances",
                "cvm:TerminateInstances",
                "cvm:ModifyInstancesChargeType",
                "cvm:AttachCbsStorages",
                "cvm:DetachCbsStorages",
                "cvm:ModifyCbsStorageAttributes",
                "cvm:AttachDisks",
                "cvm:DetachDisks",
                "cvm:RenewDisk",
                "cvm:ResizeDisk",
                "clb:DescribeLoadBalancers",
                "clb:DescribeLoadBalancersDetail",
                "clb:InquiryPriceRefundLoadBalancer",
                "clb:InquiryPriceRenewLoadBalancer",
                "clb:DescribeListeners",
                "clb:DescribeLBListeners",
                "clb:CreateListener",
                "clb:CreateLoadBalancerListeners",
                "clb:SetLoadBalancerStartStatus",
                "clb:DeleteListener",
                "clb:DeleteLoadBalancerListeners",
                "clb:DescribeTargets",
                "clb:DescribeTargetGroupInstances",
                "clb:RegisterTargets",
                "clb:DeregisterTargets",
                "clb:CreateRule",
                "clb:CreateListenerRules",
                "clb:DeleteRule",
                "clb:SetSecurityGroupForLoadbalancers",
                "clb:SetLoadBalancerSecurityGroups"
            ],
            "condition": {
                "for_any_value:string_equal": {
                    "qcs:resource_tag": [
                        "resource-created-by&selectdb"
                    ]
                }
            },
            "effect": "allow",
            "resource": [
                "qcs::cvm:::*",
                "qcs::clb:::*"
            ]
        },
        {
            "action": [
                "cvm:RunInstances",
                "cvm:PurgeInstances",
                "cvm:RenewInstances",
                "cvm:ViewModifyInstancesAttribute",
                "cvm:ModifyInstancesAttribute",
                "cvm:ResetInstancesType",
                "cvm:DescribeImages",
                "cvm:DescribeSecurityGroupAssociateInstances",
                "cvm:DescribeSecurityGroups",
                "cvm:DescribeSecurityGroupPolicys",
                "cvm:CreateSecurityGroup",
                "cvm:CreateSecurityGroupPolicy",
                "cvm:ModifySecurityGroupPolicys",
                "cvm:ModifySecurityGroupAttributes",
                "cvm:AssociateSecurityGroups",
                "cvm:DisassociateSecurityGroups",
                "cvm:DeleteSecurityGroup",
                "cvm:DeleteSecurityGroupPolicy",
                "cvm:CreateCbsStorages",
                "cvm:ResizeCbsStorage",
                "cvm:DescribeDisks",
                "cvm:CreateDisks",
                "cvm:ModifyDiskAttributes",
                "vpc:DescribeVpcEx",
                "vpc:DescribeSubnet",
                "vpc:DescribeSubnetEx",
                "vpc:DescribeNetworkInterfaces",
                "vpc:DescribeRouteTable",
                "vpc:DescribeVpcLimits",
                "vpc:DescribeVpcEndPoint",
                "vpc:DescribeVpcEndPointService",
                "vpc:DescribeVpcEndPointServiceWhiteList",
                "vpc:CheckVpcEndPointServiceExist",
                "vpc:CreateVpcEndPoint",
                "vpc:ModifyVpcEndPointAttribute",
                "vpc:DisassociateVpcEndPointSecurityGroups",
                "vpc:DeleteVpcEndPoint",
                "clb:InquiryPriceCreateLoadBalancer",
                "clb:CreateLoadBalancer",
                "clb:DeleteLoadBalancer",
                "clb:DeleteLoadBalancers",
                "clb:DescribeLoadBalancerListeners",
                "clb:DescribeTargetGroups",
                "clb:DescribeTargetGroupList",
                "clb:CreateTargetGroup",
                "clb:ModifyTargetGroupAttribute",
                "clb:DeleteTargetGroups",
                "clb:BatchRegisterTargets",
                "clb:BatchDeregisterTargets",
                "clb:RegisterTargetGroupInstances",
                "clb:DeregisterTargetGroupInstances",
                "clb:AssociateTargetGroups",
                "clb:DisassociateTargetGroups",
                "clb:RegisterInstancesWithLoadBalancer",
                "clb:DeregisterInstancesFromLoadBalancer",
                "clb:ModifyRule",
                "clb:SetSecurityGroups",
                "tag:DescribeResourceTagsByResourceIds",
                "tag:TagResources",
                "tag:UnTagResources"
            ],
            "effect": "allow",
            "resource": [
                "*"
            ]
        },
        {
            "action": [
                "finance:*"
            ],
            "effect": "allow",
            "resource": [
                "qcs::cvm:::*",
                "qcs::clb:::*"
            ]
        },
        {
            "action": [
                "cos:*"
            ],
            "effect": "allow",
            "resource": [
                "*"
            ]
        },
        {
            "action": [
                "sts:AssumeRole",
                "cam:GetPolicy",
                "cam:GetPolicyVersion",
                "cam:ListPolicyVersions",
                "cam:ListAccessKeys",
                "cam:GetUserPermissionBoundary",
                "cam:ListUserTags",
                "cam:CheckUserPolicyAttachment",
                "cam:CreatePolicy",
                "cam:DeletePolicy",
                "cam:UpdatePolicy",
                "cam:GetAccountSummary",
                "cam:DescribeSubAccounts",
                "cam:ListSubAccounts",
                "cam:GetUser",
                "cam:GetUserAppId",
                "cam:ListUsers",
                "cam:GetAllMaskedSubUser",
                "cam:GetUserPermissionBoundary",
                "cam:AddUser",
                "cam:AttachUserPolicy",
                "cam:ListAttachedUserPolicies",
                "cam:ListAttachedUserAllPolicies",
                "cam:CheckUserPolicyAttachment",
                "cam:DetachUserPolicy",
                "cam:DeleteUser",
                "cam:UpdateUser",
                "cam:ListUserTags",
                "cam:DescribeRoleList",
                "cam:GetRole",
                "cam:CreateRole",
                "cam:GetRolePermissionBoundary",
                "cam:GetServiceLinkedRoleDeletionStatus",
                "cam:CreateServiceLinkedRole",
                "cam:PutRolePermissionsBoundary",
                "cam:AttachRolePolicy",
                "cam:ListAttachedRolePolicies",
                "cam:DeleteRole",
                "cam:DeleteRolePermissionsBoundary",
                "cam:DeleteServiceLinkedRole",
                "cam:DetachRolePolicy",
                "cam:LogoutRoleSessions",
                "cam:PassRole",
                "cam:ListRoleTags",
                "cam:TagRole",
                "cam:UntagRole",
                "cam:UpdateRoleConsoleLogin",
                "cam:UpdateRoleDescription",
                "cam:UpdateAssumeRolePolicy",
                "cam:ListAccessKeys",
                "cam:CreateAccessKey",
                "cam:DeleteAccessKey",
                "cam:UpdateAccessKey"
            ],
            "effect": "allow",
            "resource": [
                "*"
            ]
        }
    ],
    "version": "2.0"
}

具体权限划分如下(以上方完整策略为准;下列分类中个别动作名称与上方策略略有出入,例如 cvm:ModifySingleSecurityGroupPolicy 未出现在上方策略中):

  • CVM 权限:

    • 管理 CVM 实例
    "cvm:DescribeInstances",
    "cvm:DescribeInstanceAttributes",
    "cvm:InquiryPriceRunInstances",
    "cvm:StartInstances",
    "cvm:StopInstances",
    "cvm:RebootInstances",
    "cvm:TerminateInstances",
    "cvm:ModifyInstancesChargeType",
    "cvm:AttachCbsStorages",
    "cvm:DetachCbsStorages",
    "cvm:ModifyCbsStorageAttributes",
    "cvm:AttachDisks",
    "cvm:DetachDisks",
    "cvm:RenewDisk",
    "cvm:ResizeDisk",
    "cvm:RunInstances",
    "cvm:PurgeInstances",
    "cvm:RenewInstances",
    "cvm:ViewModifyInstancesAttribute",
    "cvm:ModifyInstancesAttribute",
    "cvm:ResetInstancesType",
    "cvm:DescribeImages",
    "cvm:DescribeSecurityGroupAssociateInstances",
    "cvm:DescribeSecurityGroups",
    "cvm:DescribeSecurityGroupPolicys",
    "cvm:CreateSecurityGroup",
    "cvm:CreateSecurityGroupPolicy",
    "cvm:ModifySecurityGroupPolicys",
    "cvm:ModifySecurityGroupAttributes",
    "cvm:AssociateSecurityGroups",
    "cvm:DisassociateSecurityGroups",
    "cvm:DeleteSecurityGroup",
    "cvm:DeleteSecurityGroupPolicy",
    "cvm:CreateCbsStorages",
    "cvm:ResizeCbsStorage",
    "cvm:DescribeDisks",
    "cvm:CreateDisks",
    "cvm:ModifyDiskAttributes",
    • 管理 CVM 安全组
    "cvm:DescribeSecurityGroups",
    "cvm:DescribeSecurityGroupPolicys",
    "cvm:CreateSecurityGroup",
    "cvm:CreateSecurityGroupPolicy",
    "cvm:ModifySecurityGroupAttributes",
    "cvm:ModifySingleSecurityGroupPolicy",
    "cvm:ModifySecurityGroupPolicys",
    "cvm:AssociateSecurityGroups",
    "cvm:DisassociateSecurityGroups",
    "cvm:DeleteSecurityGroup",
    "cvm:DeleteSecurityGroupPolicy",
    "cvm:DescribeSecurityGroupAssociateInstances",
    • 标签管理
    "tag:DescribeResourceTagsByResourceIds",
    "tag:TagResources",
    "tag:UnTagResources"
  • VPC & PrivateLink & CLB 权限:

    • 获取 VPC 相关资源信息
    "vpc:DescribeVpcEx",
    "vpc:DescribeSubnet",
    "vpc:DescribeSubnetEx",
    "vpc:DescribeNetworkInterfaces",
    "vpc:DescribeRouteTable",
    "vpc:DescribeVpcLimits",
    • 管理终端节点资源
    "vpc:DescribeVpcEndPoint",
    "vpc:DescribeVpcEndPointService",
    "vpc:DescribeVpcEndPointServiceWhiteList",
    "vpc:CheckVpcEndPointServiceExist",
    "vpc:CreateVpcEndPoint",
    "vpc:ModifyVpcEndPointAttribute",
    "vpc:DisassociateVpcEndPointSecurityGroups",
    "vpc:DeleteVpcEndPoint",
    • 管理负载均衡器 CLB 资源
    "clb:DescribeLoadBalancers",
    "clb:DescribeLoadBalancersDetail",
    "clb:InquiryPriceRefundLoadBalancer",
    "clb:InquiryPriceRenewLoadBalancer",
    "clb:DescribeListeners",
    "clb:DescribeLBListeners",
    "clb:CreateListener",
    "clb:CreateLoadBalancerListeners",
    "clb:SetLoadBalancerStartStatus",
    "clb:DeleteListener",
    "clb:DeleteLoadBalancerListeners",
    "clb:DescribeTargets",
    "clb:DescribeTargetGroupInstances",
    "clb:RegisterTargets",
    "clb:DeregisterTargets",
    "clb:CreateRule",
    "clb:CreateListenerRules",
    "clb:DeleteRule",
    "clb:SetSecurityGroupForLoadbalancers",
    "clb:SetLoadBalancerSecurityGroups",
    "clb:InquiryPriceCreateLoadBalancer",
    "clb:CreateLoadBalancer",
    "clb:DeleteLoadBalancer",
    "clb:DeleteLoadBalancers",
    "clb:DescribeLoadBalancerListeners",
    "clb:DescribeTargetGroups",
    "clb:DescribeTargetGroupList",
    "clb:CreateTargetGroup",
    "clb:ModifyTargetGroupAttribute",
    "clb:DeleteTargetGroups",
    "clb:BatchRegisterTargets",
    "clb:BatchDeregisterTargets",
    "clb:RegisterTargetGroupInstances",
    "clb:DeregisterTargetGroupInstances",
    "clb:AssociateTargetGroups",
    "clb:DisassociateTargetGroups",
    "clb:RegisterInstancesWithLoadBalancer",
    "clb:DeregisterInstancesFromLoadBalancer",
    "clb:ModifyRule",
    "clb:SetSecurityGroups",
  • Finance 权限:

    • 允许购买 CVM 和 CLB 资源
    {
        "action": [
          "finance:*"
        ],
        "effect": "allow",
        "resource": [
          "qcs::cvm:::*",
          "qcs::clb:::*"
        ]
    },
  • COS 权限:

    • 管理 COS 存储桶以及对存储桶及其内容进行读写操作(针对特定桶;注意上方完整策略中该条语句的 resource 为 "*",即作用于账号下全部存储桶,如需收窄范围可参照下方示例限定桶名)
    {
        "action": [
            "cos:*"
        ],
        "effect": "allow",
        "resource": [
            "qcs::cos::uid/*:selectdb-bucket-*",
            "qcs::cos::uid/*:selectdb-bucket-*/*"
        ]
    },
  • CAM 权限:

    • 管理策略
    "cam:GetPolicy",
    "cam:GetPolicyVersion",
    "cam:ListPolicyVersions",
    "cam:ListAccessKeys",
    "cam:GetUserPermissionBoundary",
    "cam:ListUserTags",
    "cam:CheckUserPolicyAttachment",
    "cam:CreatePolicy",
    "cam:DeletePolicy",
    "cam:UpdatePolicy",
    • 管理子用户,获取账号信息
    "cam:GetAccountSummary",
    "cam:DescribeSubAccounts",
    "cam:ListSubAccounts",
    "cam:GetUser",
    "cam:GetUserAppId",
    "cam:ListUsers",
    "cam:GetAllMaskedSubUser",
    "cam:GetUserPermissionBoundary",
    "cam:AddUser",
    "cam:AttachUserPolicy",
    "cam:ListAttachedUserPolicies",
    "cam:ListAttachedUserAllPolicies",
    "cam:CheckUserPolicyAttachment",
    "cam:DetachUserPolicy",
    "cam:DeleteUser",
    "cam:UpdateUser",
    "cam:ListUserTags",
    • 管理角色
    "cam:DescribeRoleList",
    "cam:GetRole",
    "cam:CreateRole",
    "cam:GetRolePermissionBoundary",
    "cam:GetServiceLinkedRoleDeletionStatus",
    "cam:CreateServiceLinkedRole",
    "cam:PutRolePermissionsBoundary",
    "cam:AttachRolePolicy",
    "cam:ListAttachedRolePolicies",
    "cam:DeleteRole",
    "cam:DeleteRolePermissionsBoundary",
    "cam:DeleteServiceLinkedRole",
    "cam:DetachRolePolicy",
    "cam:LogoutRoleSessions",
    "cam:PassRole",
    "cam:ListRoleTags",
    "cam:TagRole",
    "cam:UntagRole",
    "cam:UpdateRoleConsoleLogin",
    "cam:UpdateRoleDescription",
    "cam:UpdateAssumeRolePolicy",
    • 管理 CAM 访问密钥
    "cam:ListAccessKeys",
    "cam:CreateAccessKey",
    "cam:DeleteAccessKey",
    "cam:UpdateAccessKey"

Terraform 模板创建的子用户的权限说明

初次执行完 Terraform 模板后会创建一个子用户,用于后续在您的 VPC 内管控数据仓库相关组件,以下为该子用户权限示例(示例中的 uid、uin、存储桶名和角色名均为示例账号的取值,实际以您账号下生成的策略为准):

注意 创建出来的子用户隶属于您的云账号,并只在您的 VPC 内使用,不会外泄。

{
    "statement": [
        {
            "action": [
                "cvm:DescribeInstances",
                "cvm:DescribeInstanceAttributes",
                "cvm:InquiryPriceRunInstances",
                "cvm:StartInstances",
                "cvm:StopInstances",
                "cvm:RebootInstances",
                "cvm:TerminateInstances",
                "cvm:ModifyInstancesChargeType",
                "cvm:AttachCbsStorages",
                "cvm:DetachCbsStorages",
                "cvm:ModifyCbsStorageAttributes",
                "cvm:AttachDisks",
                "cvm:DetachDisks",
                "cvm:RenewDisk",
                "cvm:ResizeDisk",
                "clb:DescribeLoadBalancers",
                "clb:DescribeLoadBalancersDetail",
                "clb:InquiryPriceRefundLoadBalancer",
                "clb:InquiryPriceRenewLoadBalancer",
                "clb:DescribeListeners",
                "clb:DescribeLBListeners",
                "clb:CreateListener",
                "clb:CreateLoadBalancerListeners",
                "clb:SetLoadBalancerStartStatus",
                "clb:DeleteListener",
                "clb:DeleteLoadBalancerListeners",
                "clb:DescribeTargets",
                "clb:DescribeTargetGroupInstances",
                "clb:RegisterTargets",
                "clb:DeregisterTargets",
                "clb:CreateRule",
                "clb:CreateListenerRules",
                "clb:DeleteRule",
                "clb:SetSecurityGroupForLoadbalancers",
                "clb:SetLoadBalancerSecurityGroups"
            ],
            "condition": {
                "for_any_value:string_equal": {
                    "qcs:resource_tag": [
                        "resource-created-by&selectdb"
                    ]
                }
            },
            "effect": "allow",
            "resource": [
                "qcs::cvm:::*",
                "qcs::clb:::*"
            ]
        },
        {
            "action": [
                "cvm:RunInstances",
                "cvm:PurgeInstances",
                "cvm:RenewInstances",
                "cvm:ViewModifyInstancesAttribute",
                "cvm:ModifyInstancesAttribute",
                "cvm:ResetInstancesType",
                "cvm:DescribeSecurityGroups",
                "cvm:DescribeSecurityGroupPolicys",
                "cvm:CreateSecurityGroup",
                "cvm:CreateSecurityGroupPolicy",
                "cvm:ModifySecurityGroupPolicys",
                "cvm:ModifySecurityGroupAttributes",
                "cvm:AssociateSecurityGroups",
                "cvm:DisassociateSecurityGroups",
                "cvm:DeleteSecurityGroup",
                "cvm:DeleteSecurityGroupPolicy",
                "cvm:CreateCbsStorages",
                "cvm:ResizeCbsStorage",
                "cvm:DescribeDisks",
                "cvm:CreateDisks",
                "cvm:ModifyDiskAttributes",
                "vpc:DescribeVpcEx",
                "vpc:DescribeSubnet",
                "vpc:DescribeSubnetEx",
                "vpc:ModifyVpcEndPointAttribute",
                "clb:InquiryPriceCreateLoadBalancer",
                "clb:CreateLoadBalancer",
                "clb:DeleteLoadBalancer",
                "clb:DeleteLoadBalancers",
                "clb:DescribeLoadBalancerListeners",
                "clb:DescribeTargetGroups",
                "clb:DescribeTargetGroupList",
                "clb:CreateTargetGroup",
                "clb:ModifyTargetGroupAttribute",
                "clb:DeleteTargetGroups",
                "clb:BatchRegisterTargets",
                "clb:BatchDeregisterTargets",
                "clb:RegisterTargetGroupInstances",
                "clb:DeregisterTargetGroupInstances",
                "clb:AssociateTargetGroups",
                "clb:DisassociateTargetGroups",
                "clb:RegisterInstancesWithLoadBalancer",
                "clb:DeregisterInstancesFromLoadBalancer",
                "clb:ModifyRule",
                "clb:SetSecurityGroups",
                "tag:TagResources",
                "tag:UnTagResources"
            ],
            "effect": "allow",
            "resource": [
                "*"
            ]
        },
        {
            "action": [
                "finance:*"
            ],
            "effect": "allow",
            "resource": [
                "qcs::cvm:::*",
                "qcs::clb:::*"
            ]
        },
        {
            "action": [
                "cos:*"
            ],
            "effect": "allow",
            "resource": [
                "qcs::cos:ap-guangzhou:uid/1314238582:pgtest-v2-1314238582",
                "qcs::cos:ap-guangzhou:uid/1314238582:pgtest-v2-1314238582/*"
            ]
        },
        {
            "action": [
                "sts:AssumeRole"
            ],
            "effect": "allow",
            "resource": [
                "qcs::cam::uin/100027752159:roleName/selectdb-control-panel-role-8mevoxfz",
                "qcs::cam::uin/100027752159:roleName/selectdb-data-access-role-8mevoxfz"
            ]
        }
    ],
    "version": "2.0"
}

具体权限划分如下(以上方策略为准;下列分类中个别动作名称与上方策略略有出入,例如 cvm:ModifySingleSecurityGroupPolicy 与 cvm:DescribeSecurityGroupPolicy 未出现在上方策略中):

  • CVM 权限:

    • 管理 CVM 实例
    "cvm:DescribeInstances",
    "cvm:DescribeInstanceAttributes",
    "cvm:InquiryPriceRunInstances",
    "cvm:RunInstances",
    "cvm:StartInstances",
    "cvm:StopInstances",
    "cvm:PurgeInstances",
    "cvm:RebootInstances",
    "cvm:TerminateInstances",
    "cvm:RenewInstances",
    "cvm:ViewModifyInstancesAttribute",
    "cvm:ModifyInstancesAttribute",
    "cvm:ModifyInstancesChargeType",
    "cvm:ResetInstancesType",
    "cvm:CreateCbsStorages",
    "cvm:AttachCbsStorages",
    "cvm:DetachCbsStorages",
    "cvm:ResizeCbsStorage",
    "cvm:ModifyCbsStorageAttributes",
    "cvm:DescribeDisks",
    "cvm:CreateDisks",
    "cvm:AttachDisks",
    "cvm:DetachDisks",
    "cvm:RenewDisk",
    "cvm:ResizeDisk",
    "cvm:ModifyDiskAttributes",
    • 管理 CVM 安全组
    "cvm:DescribeSecurityGroups",
    "cvm:DescribeSecurityGroupPolicy",
    "cvm:CreateSecurityGroup",
    "cvm:CreateSecurityGroupPolicy",
    "cvm:ModifySecurityGroupAttributes",
    "cvm:ModifySingleSecurityGroupPolicy",
    "cvm:ModifySecurityGroupPolicys",
    "cvm:AssociateSecurityGroups",
    "cvm:DisassociateSecurityGroups",
    "cvm:DeleteSecurityGroup",
    "cvm:DeleteSecurityGroupPolicy",
    • 管理标签
    "tag:TagResources",
    "tag:UnTagResources"
  • VPC & CLB 权限:

    • 获取 VPC 相关资源信息
    "vpc:DescribeVpcEx",
    "vpc:DescribeSubnet",
    "vpc:DescribeSubnetEx",
    • 管理负载均衡器 CLB 资源
    "clb:DescribeLoadBalancers",
    "clb:DescribeLoadBalancersDetail",
    "clb:InquiryPriceCreateLoadBalancer",
    "clb:InquiryPriceRefundLoadBalancer",
    "clb:InquiryPriceRenewLoadBalancer",
    "clb:CreateLoadBalancer",
    "clb:DeleteLoadBalancer",
    "clb:DeleteLoadBalancers",
    "clb:DescribeListeners",
    "clb:DescribeLBListeners",
    "clb:DescribeLoadBalancerListeners",
    "clb:CreateListener",
    "clb:CreateLoadBalancerListeners",
    "clb:SetLoadBalancerStartStatus",
    "clb:DeleteListener",
    "clb:DeleteLoadBalancerListeners",
    "clb:DescribeTargets",
    "clb:DescribeTargetGroups",
    "clb:DescribeTargetGroupList",
    "clb:DescribeTargetGroupInstances",
    "clb:CreateTargetGroup",
    "clb:ModifyTargetGroupAttribute",
    "clb:DeleteTargetGroups",
    "clb:RegisterTargets",
    "clb:DeregisterTargets",
    "clb:BatchRegisterTargets",
    "clb:BatchDeregisterTargets",
    "clb:RegisterTargetGroupInstances",
    "clb:AssociateTargetGroups",
    "clb:DisassociateTargetGroups",
    "clb:RegisterInstancesWithLoadBalancer",
    "clb:DeregisterTargetGroupInstances",
    "clb:DeregisterInstancesFromLoadBalancer",
    "clb:CreateRule",
    "clb:CreateListenerRules",
    "clb:ModifyRule",
    "clb:DeleteRule",
    "clb:SetSecurityGroups",
    "clb:SetSecurityGroupForLoadbalancers",
    "clb:SetLoadBalancerSecurityGroups"
  • Finance 权限:

    • 允许购买 CVM 和 CLB 资源
    {
        "action": [
          "finance:*"
        ],
        "effect": "allow",
        "resource": [
          "qcs::cvm:::*",
          "qcs::clb:::*"
        ]
    },
  • COS 权限:

    • 管理 COS 存储桶以及对存储桶及其内容进行读写操作(针对特定桶)
    {
      "action": [
        "cos:*"
      ],
      "effect": "allow",
      "resource": [
        "qcs::cos::uid/*:selectdb-bucket-*",
        "qcs::cos::uid/*:selectdb-bucket-*/*"
      ]
    },
  • CAM 权限:

    • 允许扮演特定角色,即允许一个用户、服务或者角色获取另一个角色的临时安全凭证,从而以该角色的权限执行操作
    {
      "action": [
        "sts:AssumeRole"
      ],
      "effect": "allow",
      "resource": [
            "qcs::cam::uin/*:roleName/selectdb-control-panel-role-*",
            "qcs::cam::uin/*:roleName/selectdb-data-access-role-*"
      ]
    }