Element Reference Overview

Recent Pages

Element Reference Overview

마지막 업데이트 시간:2024-06-27 16:14:52

A policy is made up of elements that describe specific information of the authorization. Core elements include principal, action, resource, condition, and effect. These elements must be lowercase. The order of the elements does not matter. The condition element is optional. The principal element cannot be used in the console and can only be used through policy management APIs and policy syntax-related parameters.
1. version
This required element defines the version of policy syntax. At present, the only available value is "2.0".
2. principal
This element specifies the entity to be authorized by the policy. This includes users (root accounts and sub-accounts). In the future, more entities will be included, such as roles and federated users. This element can only be used in trust policies for roles and COS bucket policies.
3. statement
This element describes the details of one or more permissions. It contains a permission or permission set of multiple other elements such as action, resource, condition, and effect. One policy has only one statement.
4. action
This required element describes the action (operation) to be allowed or denied. An operation can be an API (prefixed with name) or a feature set (a set of specific APIs prefixed with actionName).
5. resource
This required element describes the objects the statement covers. A resource is described in a six-segment format. Detailed resource definitions vary by product. For more information on how to specify a resource, please see the documentation for the product whose resources you are writing a statement for.
6. condition
This optional element describes the condition for the policy to take effect. A condition consists of operator, action key, and action value. A condition value may contain information such as time and IP address. Some services allow you to specify additional values in a condition.
7. effect
This required element describes whether the statement result is an "allow" or "explicit deny".
8. Sample policy
The following sample policy grants a sub-account (ID: 3232523) of a root account (APPID: 1238423) permissions to use all COS read APIs, write objects, and send message queues for the COS bucket "bucketA" in the Beijing region and the COS object "object2" in the bucket "bucketB" in the Guangzhou region when the access IP falls within the IP range of 10.121.2.*. 
{
  "version": "2.0",
  "statement": [
    {
      "principal": {
        "qcs": [
          "qcs::cam::uin/1238423:uin/3232523"
        ]
      },
      "effect": "allow",
      "action": [
        "cos:PutObject",
        "cos:GetObject",
        "cos:HeadObject",
        "cos:OptionsObject",
        "cos:ListParts",
        "cos:GetObjectTagging"
      ],
      "resource": [
        "qcs::cos:ap-beijing:uid/1238423:bucketA-1238423/*",
        "qcs::cos:ap-guangzhou:uid/1238423:bucketB-1238423/object2"
      ],
      "condition": {
        "ip_equal": {
          "qcs:ip": "10.121.2.10/24"
        }
      }
    },
    {
      "principal": {
        "qcs": [
          "qcs::cam::uin/1238423:uin/3232523"
        ]
      },
      "effect": "allow",
      "action": "cmqqueue:SendMessage",
      "resource": "*"
    }
  ]
}
Relevant documents
For more information on resource in CAM, please see Resource Description Method.

문의하기

고객의 업무에 전용 서비스를 제공해드립니다.

기술 지원

더 많은 도움이 필요하시면, 티켓을 통해 연락 바랍니다. 티켓 서비스는 연중무휴 24시간 제공됩니다.

연중무휴 24시간 전화 지원

tencent cloud

Recent Pages

Element Reference Overview

1. version

2. principal

3. statement

4. action

5. resource

6. condition

7. effect

8. Sample policy

Relevant documents

문제 해결에 도움이 되었나요?

문제 해결에 도움이 되었나요?

tencent cloud

가입하기

로그인

Recent Pages

Element Reference Overview

1. version

2. principal

3. statement

4. action

5. resource

6. condition

7. effect

8. Sample policy

Relevant documents

문제 해결에 도움이 되었나요?

문제 해결에 도움이 되었나요?