In the CAM console, you can use your Tencent Cloud root account to create CAM users and grant them with Tencent Cloud resource permissions by associating them with policies. Overview
In CAM, you can grant different permissions to different types of users under your root account. These permissions are described in the access policy language and are granted by user, so they are called user policies. Differences between a user policy and a bucket policy
The biggest difference between a user policy and a bucket policy is that the user policy only describes effect, action, resource, and condition (optional), but not principal. Therefore, for a user policy:
You need to write a user policy first, and then associate it manually with a sub-user, a user group or a role.
A user policy cannot grant anonymous users access to resources or operations.
Preset policy and custom policy
Application Scenarios
If you want to specify what operations a user can perform, you are advised to configure user policy. You can search for a CAM user and check the permissions of the user's user groups to see what operations the user can perform. A user policy is recommended in scenarios where you want to:
Configure COS service-level permissions such as the permissions for bucket creation (PutBucket) and bucket listing (GetService).
Grant permissions on all COS buckets and objects under your root account.
Grant the same permissions to a large number of CAM users under the root account.
User Policy Syntax
Policy syntax
Same as a bucket policy, a user policy is described in JSON language and its syntax complies with the unified specifications of the access policy language. The access policy language contains the following basic elements: principal, effect, action, resource, and condition. However, a user policy is directly associated with a user or user group, and therefore you do not need to specify the principal element in a user policy. The following table compares a user policy and a bucket policy:
|
| | |
| | |
| | |
| | Resources in the current bucket |
| | |
Policy examples
The following typical user policy example grants the permission to perform all COS operations on the bucket examplebucket-1250000000
in Guangzhou. You need to save the policy and then associate it with a CAM sub-user, a user group or a role before it takes effect. {
"Statement": [
{
"Effect": "Allow",
"Action": ["cos:*"],
"Resource": [
"qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*",
"qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/"
]
}
],
"Version": "2.0"
}
Granting Sub-account COS Access Permission with User Policy
Prerequisites
Directions
CAM provides preset policies and custom policies. A preset policy is a policy preset in the system provided by CAM. For COS related preset policies, see Preset Policy. A custom policy allows users to customize elements such as resources and actions. The following describes how to create a custom policy to grant permissions to a sub-account: 2. Choose Policy > Create Custom Policy > Create by Policy Syntax to go to the policy creation page.
3. You can select Blank Template to customize a permission policy as needed or select a COS-associated system template. The following uses Blank Template as an example.
4. Select Blank Template and enter your policy syntax.The policy syntax must contain the following elements:
resource: resource to authorize access to
All resources ("*"
)
Specified bucket ("qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"
)
Specified directory or object in a bucket ("qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/test/*"
)
action: action to authorize
effect: select "Allow"
or "Deny"
condition: optional
COS provides user policy examples. You can copy and paste the policy content in the following documents into the Policy Content box and click Done.
5. After creating the policy, you can go to Policy > Custom Policy in the CAM console to view the created custom policy and associate it with sub-accounts. 6. Select the sub-account and click Confirm to complete the authorization.
Preset Policy
1. CAM provides some preset policies. You can view them (filtered by "COS") in Policy > Preset Policy in the CAM console. 2. Click a policy name and choose Policy Syntax > JSON to view the policy context. In a preset policy, resource
is set to "*"
(indicating all resources in COS) and its value cannot be modified. If you want to grant permissions on certain COS buckets or objects, you can copy the JSON preset policy to create a Custom Policy. Table 1 and Table 2 list the COS related preset policies provided by CAM and related descriptions.
Table 1. COS Preset Policies
|
QcloudCOSBucketConfigRead | Permission to read COS bucket configuration |
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cos:GetBucket*", "cos:HeadBucket" ], "resource": "*" } ] }
|
QcloudCOSBucketConfigWrite | Permission to modify COS bucket configuration |
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cos:PutBucket*" ], "resource": "*" } ] }
|
QcloudCOSDataFullControl | Permission to read, write, delete, and list data in the COS bucket (all access permissions) |
{ "version": "2.0", "statement": [ { "effect": "allow", "action": [ "cos:GetService", "cos:GetBucket", "cos:ListMultipartUploads", "cos:GetObject*", "cos:HeadObject", "cos:GetBucketObjectVersions", "cos:OptionsObject", "cos:ListParts", "cos:DeleteObject", "cos:PostObject", "cos:PostObjectRestore", "cos:PutObject*", "cos:InitiateMultipartUpload", "cos:UploadPart", "cos:UploadPartCopy", "cos:CompleteMultipartUpload", "cos:AbortMultipartUpload", "cos:DeleteMultipleObjects", "cos:AppendObject" ], "resource": "*" } ] }
|
Table 2. Relationships between COS actions and preset policies
|
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
Get basic bucket information | | | | | | | | | | |
Get bucket configuration items | | | | | | | | | | |
Modify bucket configuration items | | | | | | | | | | |
Get bucket access permissions | | | | | | | | | | |
Modify bucket access permissions | | | | | | | | | | |
| | | | | | | | | | |
List all objects in a bucket and their historical version information | | | | | | | | | | |
| | | | | | | | | | |
| ListParts
InitiateMultipartUpload UploadPart
UploadPartCopy
CompleteMultipartUpload
AbortMultipartUpload
ListMultipartUploads | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
Issue a preflight request for CORS | | | | | | | | | | |
More User Policy Examples
Apakah halaman ini membantu?