|
The condition operator contains a condition value of a condition key. | The VPC is allowed to bind with the specified peering connection. The region of the VPC must be specified. | |
| Only cloud server instances with bound tags can be restarted. | |
The condition operator contains multiple condition values of a single condition key. | Users with two specified IP addresses are allowed to access. | |
Scenarios with multiple condition operators. | Users with a specified IP are allowed to access on the specified date. | |
A single condition operator contains multiple condition keys. | Multiple condition keys are attached to a single condition operator. | |
Application of Boolean Condition Operators | Sub-users must bind the token before they can delete the API key. | |
The condition operator contains a condition value of a condition key.
Description 1
When a CAM user invokes the VPC peering connection API, it is necessary not only to determine whether the CAM user has access permissions for the peering connection API and peering connection resources, but also to check whether the CAM user has access permissions for the VPC associated with the peering connection.
Sample Code 1
In the following example, the VPC is allowed to be bound to a specified peering connection. The VPC region must be Shanghai
:
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": "name/vpc:AcceptVpcPeeringConnection",
"resource": "qcs::vpc:sh::pcx/2341",
"condition": {
"string_equal_if_exist": {
"vpc:region": "sh"
}
}
}
]
}
Description 2
When a CAM user accesses Tencent Cloud resources, it is necessary to restrict the user to only access resources bound with specific tags.
Sample Code 2
The following example describes that users can only restart (cvm:RebootInstances) the cloud server instances bound with the tag "Department & Research and Development".
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cvm:RebootInstances"
],
"resource": "*",
"condition": {
"for_any_value:string_equal": {
"qcs:resource_tag": [
"Department&Research and Development"
]
}
}
}
]
}
The condition operator contains multiple condition values of a single condition key.
Description
A single condition operator that contains multiple condition values of a condition key is evaluated using the logic OR. When there are multiple condition values, a set operator symbol must be used to represent them.
When a CAM user invokes a cloud API, if there is a need to restrict the user's access source, it is required to add an IP condition on the basis of the existing policy.
Sample Code
The following example describes that users must be within the 10.217.182.3/24
or 111.21.33.72/24
IP range to upload objects (cos:PutObject).
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": "cos:PutObject",
"resource": "*",
"condition": {
"ip_equal": {
"qcs:ip": [
"10.217.182.3/24",
"111.21.33.72/24"
]
}
}
}
]
}
Scenarios with Multiple Condition Operators
Description
If your policy involves multiple condition operators, they are evaluated using the logic AND.
Sample Code
The following example describes that the user must request IP 192.168.1.1
, and the request date must be earlier than 2022-05-31 00:00:00 in order to match.
"condition": {
"ip_equal": {
"qcs:ip": "192.168.1.1"
},
"date_less_than": {
"qcs:current_time": "2022-05-31 00:00:00"
}
}
A single condition operator contains multiple condition keys.
Description
If your policy involves multiple condition operators or attaches multiple condition keys to a single condition operator, the conditions are evaluated using a logic AND.
Sample Code
The following example describes that it can be matched only if both the resource tag and the request tag are "Department & Research and Development".
"condition": {
"string_equal": {
"qcs:resource_tag": [
"Department&Research and Development"
],
"qcs:request_tag": [
"Department&Research and Development"
]
}
}
Application of Boolean Condition Operators
Description
The sub-user must bind the token before the API key can be deleted.
Sample Code
The following example describes that the sub-users authorized by this policy need to bind the token before they can delete the API key.
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": [
"cam:DeleteApiKey"
],
"resource": [
"*"
],
"condition": {
"bool_equal": {
"qcs:BindToken": "true"
}
}
}
]
}
Was this page helpful?