Policy Syntax
CAM policy:
{
    "version":"2.0",
    "statement":
    [
        {
            "effect":"effect",
            "action":["action"],
            "resource":["resource"],
            "condition": {"key":{"value"}}
        }
    ]
}
The parameters are described as follows:
version: Mandatory. Currently, the only allowed value is 2.0.
statement: Describes the details of one or more permissions. This element contains several other elements, such as effect, action, resource, and condition, which together form a set of permissions. A policy has only one statement element.
effect: Mandatory. Describes whether the statement results in an allow or an explicit deny. It has two possible values: allow (allow) and deny (explicitly deny).
action: Mandatory. Describes the allowed or denied actions. Actions can be APIs (described with the prefix name) or feature sets (a group of specific APIs, described with the prefix permid).
resource: Mandatory. It describes the specific data being authorized. Resources are described using a six-segment format. The details of resource definitions vary by product. For information on how to specify resources, see the product documentation corresponding to the resource statement you are writing.
condition: Optional. It describes the constraints under which the policy is effective. A condition consists of an operator, a key, and a value. Condition values can include information such as time or IP address. Some services allow you to specify additional values in the condition.
Tencent Cloud CDC Operation
In CAM policy statements, you can specify any API operation from services that support CAM. For Tencent Cloud CDC, please use APIs prefixed with name/cdc:, such as name/cdc:CreateDedicatedCluster.
If you need to specify multiple actions in a single statement, separate them with commas, as shown below:
"action":["name/cdc:action1","name/cdc:action2"]
You can also use wildcards to specify multiple actions. For example, you can specify all actions that start with the word Describe, as shown below:
"action":["name/cdc:Describe*"]
To specify all operations in Tencent Cloud CDC, use the wildcard (*).
Resource Path of Tencent Cloud CDC
Each CAM policy statement applies to its resource.
The general format of a resource path is as follows:
qcs:project_id:service_type:region:account:resource
project_id: It describes the project information. It is only for compatibility with early CAM logic and does not need to be filled in.
service_type: It indicates the product abbreviation, such as cdc for Tencent Cloud CDC.
region: It indicates regional information, such as bj.
account: It indicates the root account information of the resource owner, such as uin/164256472.
resource: It indicates the specific resource details of each product, such as instance/instance_id1 or instance/*.
For example, you can specify a cluster (cluster-7yq5m7bl in this case) in the statement, as shown below:
"resource":[ "qcs::cdc:bj:uin/164256472:cluster/cluster-7yq5m7bl"]
You can also use the * wildcard character to specify all clusters belonging to a specific account, as shown below:
"resource":[ "qcs::cdc:bj:uin/164256472:cluster/*"]
If you want to specify all resources, or if a particular API action does not support resource-level permissions, use the wildcard (*) in the resource element.
To specify multiple resources in one statement, separate them with commas. The following is an example of specifying two resources:
"resource":["resource1","resource2"]
The following table describes the resources that can be used by Tencent Cloud CDC and the corresponding methods of describing these resources.
In the table, words prefixed with $ are aliases: $region refers to the region, and $account refers to the account ID.

| Resource | Resource description method |
|---|---|
| Site | qcs::cdc:$region:$account:site/$siteId |
| Cluster | qcs::cdc:$region:$account:cluster/$clusterId |
Condition Key of Tencent Cloud CDC
In policy statements, you can optionally specify conditions that control when the policy is effective. Each condition includes one or more key-value pairs. Condition keys are case-insensitive.
If you specify multiple conditions or multiple keys in a single condition, we evaluate them using a logical AND operation.
If you specify a key with multiple values in a single condition, we will evaluate it using a logical OR operation. All conditions must be met to grant permission.
The table below describes the service-specific condition key used by Tencent Cloud CDC.
| Condition key | Type | Key-value pair |
|---|---|---|
| cdc:region | String | cdc:region=region, where region refers to a region (for example, ap-guangzhou). |
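
The following lint check is an added example, not part of the original documentation or Tencent Cloud's own tooling. It parses the six-segment resource path described above and flags allow statements whose action or resource wildcards grant more than a scoped policy needs; the function names and the sample policy are constructed for illustration, and treating a bare "*" action as all operations is an assumption.

```python
import json

def parse_resource(path):
    """Split a resource path into the six segments described above."""
    parts = path.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-segment qcs path: {path!r}")
    keys = ("prefix", "project_id", "service_type", "region", "account", "resource")
    return dict(zip(keys, parts))

def lint_policy(policy):
    """Return (statement_index, message) findings for a CAM policy dict."""
    findings = []
    if policy.get("version") != "2.0":
        findings.append((None, "version must be 2.0"))
    for i, st in enumerate(policy.get("statement", [])):
        if st.get("effect") not in ("allow", "deny"):
            findings.append((i, "effect must be allow or deny"))
        for key in ("action", "resource"):
            if not st.get(key):
                findings.append((i, f"{key} is mandatory"))
        if st.get("effect") != "allow":
            continue  # wildcards in a deny statement only widen the denial
        for action in st.get("action", []):
            # Assumption: a bare "*" is treated like "name/cdc:*" (all operations).
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"allows every operation: {action}"))
        for res in st.get("resource", []):
            if res == "*":
                findings.append((i, "allows every resource: *"))
                continue
            try:
                seg = parse_resource(res)
            except ValueError as exc:
                findings.append((i, str(exc)))
                continue
            if seg["resource"].endswith("/*"):
                findings.append((i, f"allows all of a resource type: {seg['resource']}"))
    return findings

# Constructed sample: statement 0 is scoped, statement 1 is over-broad.
SAMPLE = json.loads("""{"version": "2.0", "statement": [
  {"effect": "allow", "action": ["name/cdc:Describe*"],
   "resource": ["qcs::cdc:bj:uin/164256472:cluster/cluster-7yq5m7bl"]},
  {"effect": "allow", "action": ["name/cdc:*"],
   "resource": ["qcs::cdc:bj:uin/164256472:cluster/*", "*"]}
]}""")

if __name__ == "__main__":
    for idx, msg in lint_policy(SAMPLE):
        print(f"statement[{idx}]: {msg}")
```

Run against the sample, only the second statement is reported; the read-only statement scoped to one cluster passes.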