(resource:*) or all operations (action:*).

"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000001"]}
"principal":{"qcs":["qcs::cam::anonymous:anonymous"]}
"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000001"]}
"principal":{"qcs":["qcs::cam::uin/100000000001:uin/100000000011"]}
If a policy does not explicitly grant access to (allow) a resource, access is implicitly denied (deny). You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it even if a different policy grants access. The following example specifies an allow effect.

"effect": "allow"
| Action | API |
| --- | --- |
| name/cos:GetService | GET Service |
| name/cos:GetBucket | GET Bucket (List Objects) |
| name/cos:PutBucket | PUT Bucket |
| name/cos:DeleteBucket | DELETE Bucket |

| Action | API |
| --- | --- |
| name/cos:GetObject | GET Object |
| name/cos:PutObject | PUT Object |
| name/cos:HeadObject | HEAD Object |
| name/cos:DeleteObject | DELETE Object |
"action":["name/cos:GetObject","name/cos:HeadObject"]
The resource element describes one or more operation objects, such as COS buckets or objects. All resources can be described using the following 6-segment format:

qcs:project_id:service_type:region:account:resource
| Parameter | Description | Required |
| --- | --- | --- |
| qcs | Abbreviation of "qcloud service", which refers to Tencent Cloud services. | Yes |
| project_id | Describes the project information. It is only used to remain compatible with legacy CAM logic. | No |
| service_type | Abbreviation of the product, such as cos. | Yes |
| region | Region information. For more information, see Regions & Endpoints supported by Tencent Cloud COS. | Yes |
| account | Root account information of the resource owner. Currently, either uin or uid can be used to describe the resource owner. uin is the UIN of the root account, expressed in the format uin/${OwnerUin}, for example uin/100000000001. uid is the APPID of the root account, expressed in the format uid/${appid}, for example uid/1250000000. Currently, all COS resource owners are described using uid, i.e., the APPID of the root account. | Yes |
| resource | Detailed resource information. In COS, a resource is described using the bucket's XML API access domain name. | Yes |
The bucket examplebucket-1250000000 (all objects in it):
"resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]

The /folder/ folder in the bucket examplebucket-1250000000:
"resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/folder/*"]

The /folder/exampleobject object in the bucket examplebucket-1250000000:
"resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/folder/exampleobject"]
| Conditional Operator | Description | Condition Name | Example |
| --- | --- | --- | --- |
| ip_equal | IP is equal to | qcs:ip | {"ip_equal":{"qcs:ip":"10.121.2.0/24"}} |
| ip_not_equal | IP is not equal to | qcs:ip | {"ip_not_equal":{"qcs:ip":["10.121.1.0/24","10.121.2.0/24"]}} |
Condition matching the 10.121.2.0/24 IP range:
"ip_equal":{"qcs:ip":"10.121.2.0/24"}

Condition matching two individual IP addresses:
"ip_equal":{"qcs:ip":["101.226.100.185","101.226.100.186"]}
The following policy allows anonymous GET Object and HEAD Object requests from the IP addresses 101.226.100.185 and 101.226.100.186 to objects in the bucket examplebucket-1250000000 in South China (Guangzhou); for such requests, no authentication is required. For more information, see Cases of Permission Setting.

```json
{
  "version": "2.0",
  "principal": {"qcs": ["qcs::cam::anonymous:anonymous"]},
  "statement": [
    {
      "action": ["name/cos:GetObject", "name/cos:HeadObject"],
      "condition": {"ip_equal": {"qcs:ip": ["101.226.100.185", "101.226.100.186"]}},
      "effect": "allow",
      "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000.ap-guangzhou.myqcloud.com/*"]
    }
  ]
}
```
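As an added example (not code from the Tencent Cloud documentation or from COS itself), the following Python evaluator applies the semantics this page describes to a single request: a statement applies when its action, resource and condition all match, an explicit deny overrides any allow, and a request that matches nothing is implicitly denied. The policy, bucket name and IP ranges are constructed sample values; wildcard matching via fnmatch and the fail-closed handling of unknown condition operators are assumptions of this illustration, not a description of how COS evaluates policies.

```python
import fnmatch
import ipaddress
# Constructed sample policy (not from the original page): anonymous callers may read
# objects under /public/ in examplebucket-1250000000 from 10.121.2.0/24 only, while a
# second statement explicitly denies every action under /public/secret/.
POLICY = {
    "version": "2.0",
    "principal": {"qcs": ["qcs::cam::anonymous:anonymous"]},
    "statement": [
        {"effect": "allow",
         "action": ["name/cos:GetObject", "name/cos:HeadObject"],
         "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/public/*"],
         "condition": {"ip_equal": {"qcs:ip": "10.121.2.0/24"}}},
        {"effect": "deny",
         "action": ["name/cos:*"],
         "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/public/secret/*"]},
    ],
}

def _ip_in(ip, cidrs):
    """True if ip falls inside any of the CIDR ranges (a single string or a list)."""
    cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _condition_ok(cond, ip):
    """Evaluate the ip_equal / ip_not_equal operators; any other operator fails closed."""
    for op, args in (cond or {}).items():
        if op not in ("ip_equal", "ip_not_equal"):
            return False
        if _ip_in(ip, args["qcs:ip"]) != (op == "ip_equal"):
            return False
    return True

def evaluate(policy, principal, action, resource, ip):
    """Return 'allow' or 'deny': explicit deny wins, no matching allow is an implicit deny."""
    if principal not in policy["principal"]["qcs"]:
        return "deny"
    decision = "deny"  # implicit deny until an allow statement matches
    for st in policy["statement"]:
        # A statement applies only if action, resource ('*' wildcard) and condition all match.
        if not any(fnmatch.fnmatchcase(action, a) for a in st["action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in st["resource"]):
            continue
        if not _condition_ok(st.get("condition"), ip):
            continue
        if st["effect"] == "deny":
            return "deny"  # explicit deny overrides allows from other statements
        decision = "allow"
    return decision
```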