
Authorization Policy Syntax
Last updated: 2022-05-12 12:24:12

Policy syntax

{
  "version": "2.0",
  "statement": [
    {
      "effect": "effect",
      "action": ["action"],
      "resource": ["resource"],
      "condition": {"key": {"value"}}
    }
  ]
}
Elements

version
Required. Currently only the value "2.0" is accepted.

statement
Required. An array of one or more statement objects, each built from the `effect`, `action`, `resource` and (optional) `condition` elements described below. A policy contains exactly one `statement` array; to express several permissions, add several objects to that array (the Lighthouse sample below uses two).

effect
Required. Whether a matching statement results in an "allow" or an explicit "deny". An explicit deny takes precedence over any allow that matches the same request, which is what lets the sample below grant a broad permission and then carve out one instance.

action
Required. The operations (API calls) the statement allows or denies. An action can name an API directly (the "name" form, such as `lighthouse:DescribeInstances` in the sample below) or a feature set, that is, a fixed group of specific APIs (the "permid" form).

resource
Required. The resources the statement applies to, written in the six-segment format `qcs:project_id:service_type:region:account:resource` (see "Lighthouse Resource Path" below); `*` matches every resource. The meaning of the final segment varies by product, so consult the documentation of the product whose resources the statement covers.

condition
Optional. The conditions under which the statement takes effect. A condition consists of an operator, a condition key and a condition value; values can express request properties such as time and source IP address. Some services define additional condition keys of their own.


Sample CAM Policy for Lighthouse

The following policy grants permission to list Lighthouse instances (`lighthouse:DescribeInstances` on every resource) and then explicitly denies that same action for the single instance lhins-e31oxxxx owned by root account xxxxxx. Because an explicit deny overrides an allow, the sub-account bound to this policy can list instances but cannot query the details of that one instance.
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "lighthouse:DescribeInstances"
      ],
      "resource": [
        "*"
      ]
    },
    {
      "effect": "deny",
      "action": [
        "lighthouse:DescribeInstances"
      ],
      "resource": [
        "qcs::lighthouse::uin/xxxxxx:instance/lhins-e31oxxxx"
      ]
    }
  ]
}

Lighthouse Resource Path

Each Lighthouse policy statement names the resources it applies to in the following six-segment format:

qcs:project_id:service_type:region:account:resource

project_id: Project information. It exists only for compatibility with legacy CAM logic and can be left empty.
service_type: The product abbreviation, such as lighthouse.
region: The region, such as ap-guangzhou.
account: The root account that owns the resource, such as uin/xxxxxx.
resource: Product-specific resource information, for example instance/instance_id1 for one instance or instance/* for all instances.

In the sample policy above, both project_id and region are left empty (`qcs::lighthouse::uin/xxxxxx:instance/lhins-e31oxxxx`), so the deny is keyed on the owning account and the instance ID alone. When writing a resource, keep all six segments (including empty ones) so that the colons line up; a resource with a missing or extra segment will not match what you intended.
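To make the allow-plus-explicit-deny behaviour of the sample policy and the six-segment resource matching concrete, here is a small evaluator. It is an added example for this page, not Tencent Cloud code, and it does not reproduce the real CAM engine: the matching rules it uses (default deny, explicit deny overrides allow, empty or `*` segments match anything, shell-style wildcards only in the final resource segment, `condition` ignored) are simplifying assumptions, and the region `ap-guangzhou` and instance ID `lhins-other` in the usage section are taken from the page's example and a made-up ID respectively.

```python
"""Toy CAM policy evaluator (added example; not Tencent Cloud code).

Simplifying assumptions, not taken from the page:
  * default deny: a request matched by no statement is denied;
  * an explicit "deny" statement overrides any matching "allow";
  * an empty or "*" segment in a six-segment resource pattern matches any
    value of that segment; the final resource segment accepts shell-style
    wildcards such as "instance/*";
  * "condition" blocks are ignored (the sample policy has none).
"""
import json
from fnmatch import fnmatchcase

# The sample Lighthouse policy from the page, embedded verbatim.
SAMPLE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {"effect": "allow", "action": ["lighthouse:DescribeInstances"],
     "resource": ["*"]},
    {"effect": "deny", "action": ["lighthouse:DescribeInstances"],
     "resource": ["qcs::lighthouse::uin/xxxxxx:instance/lhins-e31oxxxx"]}
  ]
}
""")


def split_qcs(resource):
    """Split a resource string into its six segments:
    qcs:project_id:service_type:region:account:resource.
    Colons inside the final segment are preserved by the maxsplit."""
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError("not a six-segment qcs resource: %r" % resource)
    return parts


def resource_matches(pattern, target):
    """Does a policy resource pattern cover a concrete resource?"""
    if pattern == "*":
        return True
    pat, tgt = split_qcs(pattern), split_qcs(target)
    for index, (p, t) in enumerate(zip(pat, tgt)):
        if index == 5:                        # resource segment: wildcard allowed
            if not fnmatchcase(t, p):
                return False
        elif p not in ("", "*") and p != t:   # other segments: exact or any
            return False
    return True


def statement_matches(stmt, action, resource):
    """A statement applies when both an action and a resource pattern match."""
    return (any(fnmatchcase(action, a) for a in stmt["action"])
            and any(resource_matches(r, resource) for r in stmt["resource"]))


def evaluate(policy, action, resource):
    """Return "allow" or "deny" for one request under one policy."""
    if policy.get("version") != "2.0":
        raise ValueError("only policy version 2.0 is supported")
    allowed = False
    for stmt in policy["statement"]:
        if not statement_matches(stmt, action, resource):
            continue
        if stmt["effect"] == "deny":
            return "deny"                     # explicit deny wins immediately
        if stmt["effect"] == "allow":
            allowed = True
    return "allow" if allowed else "deny"     # nothing matched: default deny


if __name__ == "__main__":
    # Concrete resources built from the page's placeholders: ap-guangzhou is
    # the page's region example; lhins-other is a made-up instance ID.
    denied = "qcs::lighthouse:ap-guangzhou:uin/xxxxxx:instance/lhins-e31oxxxx"
    other = "qcs::lighthouse:ap-guangzhou:uin/xxxxxx:instance/lhins-other"
    for res in (denied, other):
        print(res, "->", evaluate(SAMPLE_POLICY, "lighthouse:DescribeInstances", res))
```

Running the block shows the carve-out at work: the denied instance evaluates to "deny" even though the first statement's `*` covers it, while any other instance under the same account evaluates to "allow". Note that the deny pattern leaves `region` empty, so under these matching rules it applies in every region; if you wanted the carve-out limited to one region you would have to fill that segment in.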