Resource Description Method

Last updated: 2024-01-23 17:54:33
    The resource element describes one or multiple operation objects such as CVM resources and COS buckets. This document describes the resource information in CAM.

    Definition of All Resources

    If resource is *, it denotes all resources; that is, the action (operation) permission is granted on every resource.
    To authorize a Tencent Cloud service at the service level, or a single service operation at the API level, enter * for resource: the permission then covers all resources in that service, or all resources the action can operate on.

    Definition of One or Multiple Resources

    You can describe the permissions of one or multiple resources in the following six-segment format for authorization. Each service defines its own resources and resource types. The six-segment format is:
    qcs:project_id:service_type:region:account:resource
    A six-segment resource description contains six colon-separated fields, detailed below (field, description and valid values, whether it is required, example):

    qcs
      Description: Tencent Cloud service abbreviation, which indicates a resource of Tencent Cloud.
      Required: Yes
      Example: qcs

    project_id
      Description: Project information, retained only for compatibility with legacy CAM logic. It cannot be set in the current policy syntax and must be left empty.
      Required: No
      Example: (empty)

    service_type
      Description: Product (service) abbreviation. For more information, see "Abbreviation in CAM" in CAM-Enabled Products. If this field is left empty, it denotes all products.
      Required: No
      Example: CVM: cvm; CDN: cdn

    region
      Description: Region information. For region names, see "Region List" in Common Params. If this field is left empty, it denotes all regions.
      Required: No
      Example: North China (Beijing): ap-beijing; South China (Guangzhou): ap-guangzhou

    account
      Description: Root account of the resource owner. Either uin or uid can be used to describe the owner:
        uin is the root account ID, in uin/${uin} format.
        uid is the root account's APPID, in uid/${appid} format; only COS and CAS resource owners can be described this way.
      If this field is left empty, it denotes the root account of the CAM user who creates the policy (not all accounts).
      Required: No
      Example: uin: uin/12345678; uid: uid/10001234

    resource
      Description: Resource details of the product, in one of two formats:
        resource_type/${resourceid}: resource_type is the resource prefix, which identifies the resource type; ${resourceid} is the specific resource ID, which can be viewed in the corresponding product console. * in place of the ID denotes all resources of this type.
        <resource_type>/<resource_path>: resource_type is the resource prefix, which identifies the resource type; <resource_path> is the resource path. This format supports directory-level prefix match.
      Required: Yes
      Example: CVM: instance/ins-1
               TencentDB for MySQL: instanceId/cdb-1
               COS: prefix//10001234/bucket1/*, which denotes all files in bucket1. Various COS resource types are supported; see Working with COS API Authorization Policies.
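    To make the segment semantics concrete, the following added example (written for this page; it is not Tencent Cloud's code and does not reproduce the CAM evaluation engine) parses a six-segment string and checks whether a policy's resource pattern covers a concrete resource. It follows the table above: empty service_type and region mean "all", an empty account means the policy creator's root account, the bare * means every resource, and a trailing * in the resource segment matches every resource of that type or, for path-style resources such as COS keys, every key under that directory prefix. Treating * as valid only at the end of the resource segment, and the uin/uid format check, are assumptions of the example, as are the sample policy strings and the policy_owner parameter.

```python
"""Parse and match CAM six-segment resource descriptions.

Added example, not Tencent Cloud's own code. Matching rules follow the table:
empty service_type or region means "all"; empty account means the policy
creator's root account; a bare "*" means every resource; a trailing "*" in the
resource segment matches all resources of that type (or, for path-style
resources such as COS keys, everything under that directory prefix).
Assumptions for this example: "*" is only honoured at the end of the resource
segment, and the account segment must look like uin/<uin> or uid/<appid>.
"""
import re
from dataclasses import dataclass
from typing import Optional

# qcs:project_id:service_type:region:account:resource
ACCOUNT_RE = re.compile(r"(uin|uid)/\d+")


@dataclass(frozen=True)
class QcsResource:
    service_type: str  # "" -> all products
    region: str        # "" -> all regions
    account: str       # "" -> root account of the policy creator
    resource: str      # resource_type/resource_id, resource_type/path, or e.g. "root"


def parse_qcs(desc: str) -> Optional[QcsResource]:
    """Split a six-segment description into its fields.

    Returns None for the bare "*" wildcard and raises ValueError on anything
    that is not a well-formed six-segment string.
    """
    if desc == "*":
        return None
    parts = desc.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"expected 6 colon-separated segments: {desc!r}")
    qcs, project_id, service_type, region, account, resource = parts
    if qcs != "qcs":
        raise ValueError(f"first segment must be 'qcs': {desc!r}")
    if project_id:
        raise ValueError("project_id is legacy-only and must be left empty")
    if account and not ACCOUNT_RE.fullmatch(account):
        raise ValueError(f"account must be uin/<uin> or uid/<appid>: {account!r}")
    if not resource:
        raise ValueError("the resource segment is required")
    return QcsResource(service_type, region, account, resource)


def _resource_matches(pattern: str, value: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*'.

    'instance/*' covers every CVM instance; 'prefix//10001234/bucket1/*' covers
    every key under bucket1 (directory-level prefix match) but not bucket10.
    """
    if pattern == value:
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return False


def matches(pattern_desc: str, target_desc: str, policy_owner: str) -> bool:
    """Decide whether a policy resource pattern covers one concrete resource.

    policy_owner is the root account of the CAM user who created the policy,
    e.g. 'uin/12345678'; it stands in for an empty account segment.
    """
    pattern = parse_qcs(pattern_desc)
    if pattern is None:
        return True  # "*": all resources
    target = parse_qcs(target_desc)
    if target is None:
        raise ValueError("target must be a concrete resource, not '*'")
    pattern_account = pattern.account or policy_owner
    target_account = target.account or policy_owner
    return (
        (not pattern.service_type or pattern.service_type == target.service_type)
        and (not pattern.region or pattern.region == target.region)
        and pattern_account == target_account
        and _resource_matches(pattern.resource, target.resource)
    )


if __name__ == "__main__":
    # Constructed policy resources and targets, not taken from a real account.
    owner = "uin/12345678"
    checks = [
        ("qcs::cvm::uin/12345678:instance/*",
         "qcs::cvm:ap-guangzhou:uin/12345678:instance/ins-1"),
        # Empty account is the policy owner, so another account's instance is not covered.
        ("qcs::cvm:::instance/*",
         "qcs::cvm:ap-guangzhou:uin/99999999:instance/ins-1"),
        ("qcs::cos::uid/10001234:prefix//10001234/bucket1/*",
         "qcs::cos:ap-guangzhou:uid/10001234:prefix//10001234/bucket10/x.txt"),
    ]
    for pat, tgt in checks:
        print(f"{pat!r} covers {tgt!r}: {matches(pat, tgt, owner)}")
```

    The second and third checks are the ones worth internalising when reviewing policies: an empty account segment narrows the statement to the policy creator's own root account rather than opening it to everyone, and a COS prefix ending in bucket1/* stops at the directory boundary, so bucket10 is not swept in.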

    Definition of CAM Resources

    CAM resources include users, user groups, and policies. A CAM resource can be described as follows:

    Root account

    qcs::cam::uin/164256472:uin/164256472
    Or
    qcs::cam::uin/164256472:root

    Sub-account

    qcs::cam::uin/164256472:uin/73829520

    Group

    qcs::cam::uin/164256472:groupid/2340

    All resources

    *

    Policy

    qcs::cam::uin/12345678:policyid/*
    Or
    qcs::cam::uin/12345678:policyid/12423

    Notes on Resources

    A resource owner is always a root account. A sub-account that creates a resource does not automatically gain access to it; the resource owner must grant that access explicitly.
    Services such as COS and CAS support cross-account authorization for resource access. An account that has been granted access can pass the permission on to its own sub-accounts through permission propagation.

    Relevant Documents

    For more information on service-specific resource definitions, see the corresponding product documentation in CAM-Enabled Products.