Authorization Policy Syntax

Last updated: 2023-11-01 17:22:52

    CAM policy syntax

    {
        "version": "2.0",
        "statement": [
            {
                "effect": "effect",
                "action": ["action"],
                "resource": ["resource"],
                "condition": {"key": {"value"}}
            }
        ]
    }
    version is required. Currently, only the value "2.0" is allowed.
    statement describes the details of one or more permissions. This element contains one or more permission blocks, each made up of the effect, action, resource, and condition elements. One policy has only one statement element.
    effect is required. It describes the result of a statement, which is either "allow" or "deny" (an explicit deny).
    action is required. It describes the operation that is allowed or denied. An operation can be a single API or a feature set (a set of specific APIs, prefixed with "permid").
    resource is required. It describes the object of the authorization. A resource is written in a six-segment format; the detailed resource definitions vary by product.
    condition is required. It describes the condition under which the policy takes effect. A condition consists of an operator, a key, and a value; the value may contain information such as a time or an IP address. Some services allow you to specify additional values in a condition.

    Operations

    In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed with cynosdb: belong to TDSQL-C for MySQL, for example cynosdb:DescribeClusters or cynosdb:ResetAccountPassword. To specify multiple operations in a single statement, separate them with commas.
    "action":["cynosdb:action1","cynosdb:action2"]
    You can also specify multiple operations by using a wildcard. For example, you can specify all operations whose names begin with "Describe".
    "action":["cynosdb:Describe*"]
    If you want to specify all operations in TDSQL-C for MySQL, use the * wildcard.
    "action":["cynosdb:*"]

    Resource path

    Each CAM policy statement has its own applicable resources. Resource paths are generally in the following format:
    qcs:project_id:service_type:region:account:resource
    project_id describes the project. It is retained only for compatibility with legacy CAM logic and can be left empty.
    service_type describes the product abbreviation such as cynosdb.
    region describes the region information, such as bj.
    account describes the root account of the resource owner, such as uin/12xxx8.
    resource describes the detailed resource information of each product, such as instance/clusterId or instance/*.
    For example, you can specify a resource for a specific cluster (cynosdbmysql-123abc) in a statement.
    "resource":["qcs::cynosdb:bj:uin/12xxx8:instance/cynosdbmysql-123abc"]
    You can also use the * wildcard to specify all clusters that belong to a specific account.
    "resource":["qcs::cynosdb:bj:uin/12xxx8:instance/*"]
    If you want to specify all resources or if a specific API operation does not support resource-level permission control, you can use the "*" wildcard in the resource element.
    "resource": ["*"]
    To specify multiple resources in one policy, separate them with commas. In the following example, two resources are specified:
    "resource":["resource1","resource2"]
    The table below describes the resources that can be used by TDSQL-C for MySQL and the corresponding resource description methods, where words prefixed with $ are placeholders ($region is a region and $account is an account ID).

    Resource          Resource Description Method in Authorization Policy
    Cluster           qcs::cynosdb:$region:$account:instance/$clusterId
    VPC               qcs::vpc:$region:$account:vpc/$vpcId
    Security group    qcs::cvm:$region:$account:sg/$sgId
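As an added example (not Tencent's code and not an official CAM evaluator), the following Python builds a least-privilege policy for one TDSQL-C cluster from the elements and wildcards described above, checks the required fields, and shows how an explicit deny overrides an allow while unmatched requests fall back to an implicit deny. The matching rules (segment-by-segment glob matching on the six-segment path, condition elements ignored) are this example's own simplification, not the documented CAM algorithm; the policy content is constructed.

```python
import fnmatch

# Constructed sample policy (not from the page): read-only Describe* access to one
# TDSQL-C cluster, plus an explicit deny on password resets for every resource.
POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": ["cynosdb:Describe*"],
         "resource": ["qcs::cynosdb:bj:uin/12xxx8:instance/cynosdbmysql-123abc"]},
        {"effect": "deny", "action": ["cynosdb:ResetAccountPassword"], "resource": ["*"]},
    ],
}

def validate_policy(policy):
    """Return a list of structural problems; an empty list means the policy is well formed."""
    errors = []
    if policy.get("version") != "2.0":
        errors.append('version must be "2.0"')
    statements = policy.get("statement")
    if not isinstance(statements, list) or not statements:
        return errors + ["statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if st.get("effect") not in ("allow", "deny"):
            errors.append(f"statement {i}: effect must be allow or deny")
        for key in ("action", "resource"):
            if not isinstance(st.get(key), list) or not st[key]:
                errors.append(f"statement {i}: {key} must be a non-empty list")
    return errors

def resource_matches(pattern, resource):
    """Match a six-segment qcs path segment by segment; a bare '*' matches everything."""
    if pattern == "*":
        return True
    pat, res = pattern.split(":", 5), resource.split(":", 5)
    if len(pat) != 6 or len(res) != 6:
        return False
    return all(fnmatch.fnmatchcase(r, p) for p, r in zip(pat, res))

def evaluate(policy, action, resource):
    """Explicit deny wins, then a matching allow; anything unmatched is implicitly denied."""
    decision = "deny"
    for st in policy["statement"]:
        hit = any(fnmatch.fnmatchcase(action, a) for a in st["action"]) and \
              any(resource_matches(r, resource) for r in st["resource"])
        if hit and st["effect"] == "deny":
            return "deny"
        if hit:
            decision = "allow"
    return decision
```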