tencent cloud

Feedback

Authorization Policy Syntax

Last updated: 2024-10-23 10:24:14

    Policy Syntax

    CAM policy:
    {
    "version":"2.0",
    "statement":
    [
    {
    "effect":"effect",
    "action":["action"],
    "resource":["resource"],
    "condition": {"key":{"value"}}
    }
    ]
    }
    version: (Required) It must be 2.0 for now.
    statement: It describes the details of one or more permissions. It contains effect, action, resource, and condition. One policy can have only one statement.
    1.1 action: (Required) It specifies whether to allow or deny the operation. The operation can be an API (prefixed with name) or a feature set (a group of APIs, prefixed with permid).
    1.2 resource: (Required) It describes the details of an authorization. A resource is described in a six-part format. Detailed resource definitions vary by product. For more information on how to specify a resource, see the corresponding documentation for the product for which you want to write a resource statement.
    1.3 condition: (Optional) It describes the condition for the policy to take effect. A condition consists of an operator, an action key, and an action value. A condition value may contain information such as time and IP address. Some services allow you to specify additional values in a condition.
    1.4 effect: (Required) It describes whether the statement result is allow or deny.

    ENI Operations

    In the statement of a CAM policy, you can specify any API operation from any service that supports CAM. For VPC, use APIs with the prefix name/vpc:, for example, name/vpc:Modify, or name/vpc:CreateNetworkInterface. To specify multiple operations in a single statement, separate them with commas, as shown below:
    "action":["name/vpc:action1","name/vpc:action2"]
    You can also specify multiple operations by using a wildcard, such as all operations that start with "Modify" as shown below:
    "action":["name/vpc:Modify*"]
    To specify all operations in a VPC, use a wildcard (*) as follows:
    "action"["name/vpc:*"]

    ENI Resource Path

    Each CAM policy statement has its own applicable resources. The general format of resource paths is as follows:
    qcs:project_id:service_type:region:account:resource
    project_id: Describes the project information, which is only used to enable compatibility with legacy CAM logic and can be left empty.
    service_type: Abbreviation of the Tencent Cloud service, such as VPC.
    region: Region of the resource, for example, bj.
    account: Root account of the resource owner, such as uin/164256472.
    resource: Describes the resource details of each product, such as eni/eni_id1 or eni/*.
    For example, you can specify a specific instance (eni-abcdefgh) in the statement as follows:
    "resource":[ "qcs::vpc:bj:uin/164256472:eni/eni-abcdefgh"]
    You can also use the wildcard (*) to specify all instances that belong to a specific account as shown in the following:
    "resource":[ "qcs::vpc:bj:uin/164256472:eni/*"]
    If you want to specify all resources or if a specific API operation does not support resource-level permission, you can use the wildcard (*) in the resource element as shown below:
    "resource": ["*"]
    To specify multiple resources in one policy, separate them with a comma.
    "resource":["resource1","resource2"]
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support