Policy Syntax
CAM policy:
{
"version":"2.0",
"statement":
[
{
"effect":"effect",
"action":["action"],
"resource":["resource"],
"condition": {"key":{"value"}}
}
]
}
version is required. Currently, only "2.0" is supported.
statement describes the details of one or more permissions. This element contains a permission or permission set consisting of other elements such as effect, action, resource, and condition. One policy has only one statement.
1.1 effect describes whether the result produced by the statement is "allowed" (allow) or "denied" (deny). This element is required.
1.2 Action describes the allowed or denied actions. An action can be an API (described using the prefix "name") or a feature set (a set of specific APIs, described using the prefix "permit"). This element is required.
1.3 resource describes the authorization details. A resource is described in a six-piece format. Detailed resource definitions vary by product. For more information on how to specify a resource, see the documentation for the relevant product. This element is required.
1.4 condition describes the condition for the policy to take effect. A condition consists of operator, action key, and action value. A condition value may contain information such as time and IP address. Some services allow you to specify additional values in a condition. This element is optional.
CVM Operations
A CAM policy allows you to perform API operations in any Tencent Cloud service that supports CAM. For CVM, use the prefix name/cvm:
with any API, such as name/cvm:RunInstances
or name/cvm:ResetInstancesPassword
.
To specify multiple actions in a single statement, separate them with commas, as shown below:
"action":["name/cvm:action1","name/cvm:action2"]
You can also specify multiple actions using a wildcard. For example, you can specify all APIs whose names begin with "Describe", as shown below:
"action":["name/cvm:Describe*"]
To specify all CVM operations, use the wildcard "*" as follows:
CVM Resource Path
Each CAM policy defines its own resources.
The general format of resource paths is as follows:
qcs:project_id:service_type:region:account:resource
project_id: project information, which is only used for compatibility purposes and can be left blank.
service_type: abbreviation of a product, such as CVM.
region: region of the resource, such as bj.
account: the root account of the resource owner, such as uin/164256472.
resource: detailed resource information of each product, such as instance/instance_id1 or instance/*.
For example, you can specify a specific instance (i-15931881scv4) in the statement as follows:
"resource":[ "qcs::cvm:bj:uin/164256472:instance/i-15931881scv4"]
You can also use the wildcard "*" to specify all instances that belong to a specific account as shown below:
"resource":[ "qcs::redis:bj:uin/164256472:instance/*"]
If you want to specify all resources or if any API operation does not support resource-level permissions, you can use wildcard "*" in resource
as shown below:
To specify multiple resources in one instruction, separate them with commas. In the following example, two resources are specified:
"resource":["resource1","resource2"]
The following table describes CVM resources and the corresponding resource description methods.
In the following table, names with the prefix $ are placeholders.
$project is the ID of the project.
$region is the region of the resource.
$account is the ID of the account.
|
| qcs::cvm:$region:$account:instance/$instanceId |
| qcs::cvm:$region:$account:keypair/$keyId |
| qcs::vpc:$region:$account:vpc/$vpcId |
| qcs::vpc:$region:$account:subnet/$subnetId |
| qcs::cvm:$region:$account:image/* |
| qcs::cvm:$region:$account:volume/$diskid |
| qcs::cvm:$region:$account:sg/$sgId |
| qcs::cvm:$region:$account:eip/* |
CVM Condition Keys
You can use conditions to specify the conditions under which policies take effect. Each condition consists of one or more key pairs. These are not case-sensitive.
If you specify multiple conditions or multiple keys in one condition, they are connected with the logical operator "AND".
If you specify a key with multiple values in one condition, they are connected with the logical operator "OR".
The following table describes CVM condition keys for specific services.
|
cvm:instance_type
|
String
| cvm:instance_type=instance_type instance_type is the model of the CVM instance, such as S1.SMALL1.
|
cvm:image_type
|
String
| cvm:image_type=image_type image_type is the type of the image, such as IMAGE_PUBLIC.
|
vpc:region
|
String
| vpc:region=region region is the region of the CVM instance, such as ap-guangzhou.
|
cvm:disk_size
|
Integer
| cvm:disk_size=disk_size disk_size is the size of the disk, such as 500.
|
cvm:disk_type
|
String
| cvm_disk_type=disk_type disk_type is the type of the disk, such as CLOUD_BASIC.
|
cvm:region
|
String
| cvm:region=region region is the region of the CVM instance, such as ap-guangzhou.
|
Was this page helpful?