tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Cloud Object Storage
    Documentation
    Download PDF

    User Policy

    Last updated: 2024-03-25 15:51:41
    Download PDF
      In the CAM console, you can use your Tencent Cloud root account to create CAM users and grant them with Tencent Cloud resource permissions by associating them with policies.

      Overview

      In CAM, you can grant different permissions to different types of users under your root account. These permissions are described in the access policy language and are granted by user, so they are called user policies.

      Differences between a user policy and a bucket policy

      The biggest difference between a user policy and a bucket policy is that the user policy only describes effect, action, resource, and condition (optional), but not principal. Therefore, for a user policy:
      You need to write a user policy first, and then associate it manually with a sub-user, a user group or a role.
      A user policy cannot grant anonymous users access to resources or operations.

      Preset policy and custom policy

      User policies are classified into preset policies and custom policies. You can associate a preset policy for authorization or write a user policy and associate it for authorization. For more information, see CAM's Authorization Guide.

      Application Scenarios

      If you want to specify what operations a user can perform, you are advised to configure user policy. You can search for a CAM user and check the permissions of the user's user groups to see what operations the user can perform. A user policy is recommended in scenarios where you want to:
      Configure COS service-level permissions such as the permissions for bucket creation (PutBucket) and bucket listing (GetService).
      Grant permissions on all COS buckets and objects under your root account.
      Grant the same permissions to a large number of CAM users under the root account.

      User Policy Syntax

      Policy syntax

      Same as a bucket policy, a user policy is described in JSON language and its syntax complies with the unified specifications of the access policy language. The access policy language contains the following basic elements: principal, effect, action, resource, and condition. However, a user policy is directly associated with a user or user group, and therefore you do not need to specify the principal element in a user policy.
      The following table compares a user policy and a bucket policy:
      Element
      User Policy
      Bucket Policy
      Principal
      No input
      Required
      Effect
      Required
      Required
      Action
      Required
      Required
      Resource
      Required
      Resources in the current bucket
      Condition
      Optional
      Optional

      Policy examples

      The following typical user policy example grants the permission to perform all COS operations on the bucket examplebucket-1250000000 in Guangzhou. You need to save the policy and then associate it with a CAM sub-user, a user group or a role before it takes effect.
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["cos:*"],
            "Resource": [
                "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*",
                "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/"
            ]
          }
        ],
        "Version": "2.0"
      }

      Granting Sub-account COS Access Permission with User Policy

      Prerequisites

      You have already created a CAM sub-account. If you haven't, see Create a sub-account to create one.

      Directions

      CAM provides preset policies and custom policies. A preset policy is a policy preset in the system provided by CAM. For COS related preset policies, see Preset Policy. A custom policy allows users to customize elements such as resources and actions. The following describes how to create a custom policy to grant permissions to a sub-account:
      1. Log in to the CAM console.
      2. Choose Policy > Create Custom Policy > Create by Policy Syntax to go to the policy creation page.
      3. You can select Blank Template to customize a permission policy as needed or select a COS-associated system template. The following uses Blank Template as an example.
      4. Select Blank Template and enter your policy syntax.The policy syntax must contain the following elements:
      resource: resource to authorize access to
      All resources ("*")
      Specified bucket ("qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*")
      Specified directory or object in a bucket ("qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/test/*")
      action: action to authorize
      effect: select "Allow" or "Deny"
      condition: optional
      COS provides user policy examples. You can copy and paste the policy content in the following documents into the Policy Content box and click Done.
      Granting Sub-accounts Access to COS
      Working with COS API Access Policies
      5. After creating the policy, you can go to Policy > Custom Policy in the CAM console to view the created custom policy and associate it with sub-accounts.
      6. Select the sub-account and click Confirm to complete the authorization.

      Preset Policy

      1. CAM provides some preset policies. You can view them (filtered by "COS") in Policy > Preset Policy in the CAM console.
      2. Click a policy name and choose Policy Syntax > JSON to view the policy context. In a preset policy, resource is set to "*" (indicating all resources in COS) and its value cannot be modified. If you want to grant permissions on certain COS buckets or objects, you can copy the JSON preset policy to create a Custom Policy.
      Table 1 and Table 2 list the COS related preset policies provided by CAM and related descriptions.
      Table 1. COS Preset Policies
      Preset Policy
      Description
      JSON Policy
      QcloudCOSBucketConfigRead
      Permission to read COS bucket configuration
      
      
      {
          "version": "2.0",
          "statement": [
              {
                  "effect": "allow",
                  "action": [
                      "cos:GetBucket*",
                      "cos:HeadBucket"
                  ],
                  "resource": "*"
              }
          ]
      }
      
      QcloudCOSBucketConfigWrite
      Permission to modify COS bucket configuration
      
      
      {
          "version": "2.0",
          "statement": [
              {
                  "effect": "allow",
                  "action": [
                      "cos:PutBucket*"
                  ],
                  "resource": "*"
              }
          ]
      }
      
      QcloudCOSDataFullControl
      Permission to read, write, delete, and list data in the COS bucket (all access permissions)
      
      
      {
          "version": "2.0",
          "statement": [
              {
                  "effect": "allow",
                  "action": [
                      "cos:GetService",
                      "cos:GetBucket",
                      "cos:ListMultipartUploads",
                      "cos:GetObject*",
                      "cos:HeadObject",
                      "cos:GetBucketObjectVersions",
                      "cos:OptionsObject",
                      "cos:ListParts",
                      "cos:DeleteObject",
                      "cos:PostObject",
                      "cos:PostObjectRestore",
                      "cos:PutObject*",
                      "cos:InitiateMultipartUpload",
                      "cos:UploadPart",
                      "cos:UploadPartCopy",
                      "cos:CompleteMultipartUpload",
                      "cos:AbortMultipartUpload",
                      "cos:DeleteMultipleObjects",
                      "cos:AppendObject"
                  ],
                  "resource": "*"
              }
          ]
      }
      
      
      Table 2. Relationships between COS actions and preset policies
      Action Purpose
      Action
      QcloudCOS
      Bucket
      ConfigRead
      QcloudCOS
      Bucket
      ConfigWrite
      QcloudCOS
      Data
      FullControl
      QcloudCOS
      Data
      ReadOnly
      QcloudCOS
      Data
      WriteOnly
      QcloudCOS
      Ful
      Access
      QcloudCOS
      GetService
      Access
      QcloudCOS
      ListOnly
      QcloudCOS
      Read
      OnlyAccess
      List buckets
      GetService
      Create a bucket
      PutBucket
      Delete a bucket
      DeleteBucket
      Get basic bucket information
      HeadBucket
      Get bucket configuration items
      GetBucket*
      Modify bucket configuration items
      GetBucket*
      Get bucket access permissions
      GetBucketAcl
      Modify bucket access permissions
      PutBucketAcl
      List objects in a bucket
      GetBucket
      List all objects in a bucket and their historical version information
      GetBucketObjectVersions
      Upload an object
      PutObject
      Multipart upload
      ListParts InitiateMultipartUpload UploadPart UploadPartCopy CompleteMultipartUpload AbortMultipartUpload ListMultipartUploads
      Append an object
      AppendObject
      Download an object
      GetObject
      View object metadata
      HeadObject
      Issue a preflight request for CORS
      OptionsObject

      More User Policy Examples

      Granting Sub-accounts Access to COS
      Working with COS API Access Policies
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy