{
"version":"2.0",
"statement":
[
{
"effect":"effect",
"action":["action"],
"resource":["resource"],
"condition": {"key":{"value"}}
}
]
}
version is required. Currently, only the value "2.0" is allowed.
statement describes the details of one or more permissions. This element contains a permission or permission set of other elements such as effect
, action
, resource
, and condition
. One policy has only one statement.
effect is required. It describes whether the declaration result is allow
or explicit deny
.
action is required. It specifies whether to allow or deny the operation, which can be an API or a feature set (a set of specific APIs prefixed with "permid").
resource is required. It describes the details of authorization. A resource is described in a six-segment format. Detailed resource definitions vary by product.
condition is required. It describes the condition for the policy to take effect. A condition consists of operator, action key, and action value. A condition value may contain information such as time and IP address. Some services allow you to specify additional values in a condition.
In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed with name/ctsdb:
should be used for CTSDB. To specify multiple operations in a single statement, separate them by comma as shown below:
"action":["name/ctsdb:action1","name/ctsdb:action2"]
You can also specify multiple operations using a wildcard. For example, you can specify all operations whose names begin with "Describe" as shown below:
"action":["name/ctsdb:Describe*"]
If you want to specify all operations in CTSDB, use the *
wildcard as shown below:
"action":["name/ctsdb:*"]
Each CAM policy statement has its own applicable resources.
The general form of a resource path is as follows:
qcs:project_id:service_type:region:account:resource
qcs describes the abbreviation of qcloud service
. It indicates that the resource is a Tencent Cloud resource, which is required.
project_id describes the project information, which is only used to enable compatibility with legacy CAM logic and can be left empty.
service_type describes the product abbreviation such as ctsdb
.
region describes the region information, such as bj
.
account describes the root account of the resource owner, such as uin/12345678
.
resource describes the detailed resource information of each product, such as instance/instance_id
or instance/*
.
Was this page helpful?