
Working with API Authorization Policies

Last updated: 2025-09-08 16:56:46
Note:
Grant the minimum API operation permissions to a sub-user or collaborator based on business requirements. Granting a sub-user or collaborator permissions on all resources (resource:*) or for all operations (action:*) creates data security risks because the permission scope is excessive.

Overview

When using a temporary key to access Cloud Infinite (CI), the operation permissions required vary by API or series of APIs that you specify.
The authorization policy (policy) for CI APIs is a JSON string. For example, to grant permissions for media processing, file zipping, and file preview task creation to the bucket examplebucket-1250000000 (APPID: 1250000000, region: ap-beijing, path prefix: doc), the policy is as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "ci:CreateFileProcessJobs",
                "ci:CreateDocProcessJobs",
                "ci:CreateMediaJobs"
            ],
            "effect": "allow",
            "resource": [
                "qcs::ci:ap-beijing:uid/1250000000:bucket/examplebucket-1250000000/doc/*"
            ]
        }
    ]
}
In this policy, ci:CreateFileProcessJobs creates a file processing job, ci:CreateDocProcessJobs creates a file preview job, and ci:CreateMediaJobs creates a media job.

Authorization Policy Element Description

version: Policy syntax version, which is 2.0 by default.

effect: Either allow (permission) or deny (explicit deny).

resource: The data that the authorized operations apply to. It can be any resources, resources with a specified path prefix, resources with a specified absolute path, or a combination of these.
    The rule is: qcs::ci:{region}:uid/{appid}:bucket/{bucket}/{path}
    Typical authorization scenarios:
    1. Allow access to all objects: "*"
    2. Allow access to specified objects: "a/a1.txt", "b/b1.txt"
    3. Allow access to objects with specified prefixes: "a*", "a/*", "b/*"
    Note: If the path is in Chinese, keep it in Chinese. For example, examplebucket-125000000/folder/filename.txt.

action: The CI API operations being authorized. Specify one operation, a combination of operations, or all operations (*) as required, for example ci:CreateMediaJobs. Action names are case-sensitive.

condition: Constraint conditions, which can be left blank. For details, see condition description.

For CI API authorization policies, please refer to Cloud Infinite Global Access Management.
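
The least-privilege note and the resource rule above can be checked mechanically before a policy is attached to a temporary key. The following is an added example, not part of the Cloud Infinite documentation or SDK: lint_policy, RESOURCE_RE and the sample policies are names constructed here, and the bucket check assumes bucket names end in -APPID as in the page's example.

```python
import json
import re

# Resource rule from the element description:
#   qcs::ci:{region}:uid/{appid}:bucket/{bucket}/{path}
RESOURCE_RE = re.compile(
    r"^qcs::ci:(?P<region>[a-z0-9-]+):uid/(?P<appid>\d+)"
    r":bucket/(?P<bucket>[^/]+)/(?P<path>.+)$"
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return least-privilege findings for a CI authorization policy string."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("statement", [])):
        if stmt.get("effect") != "allow":
            continue  # only allow statements widen access
        for action in _as_list(stmt.get("action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for res in _as_list(stmt.get("resource", [])):
            m = RESOURCE_RE.match(res)
            if res == "*":
                findings.append(f"statement {i}: resource covers all resources")
            elif m is None:
                findings.append(f"statement {i}: resource breaks the rule: {res}")
            elif m["path"] == "*":
                findings.append(f"statement {i}: whole bucket {m['bucket']}")
            elif not m["bucket"].endswith("-" + m["appid"]):
                # Assumption: bucket names end in -APPID, as in the page's example.
                findings.append(f"statement {i}: bucket/appid mismatch in {res}")
    return findings

# Constructed sample inputs: the page's first policy and an over-broad variant.
SCOPED = json.dumps({"version": "2.0", "statement": [{
    "action": ["ci:CreateFileProcessJobs", "ci:CreateDocProcessJobs",
               "ci:CreateMediaJobs"],
    "effect": "allow",
    "resource": ["qcs::ci:ap-beijing:uid/1250000000:bucket/"
                 "examplebucket-1250000000/doc/*"],
}]})
BROAD = json.dumps({"version": "2.0", "statement": [{
    "action": ["*"], "effect": "allow", "resource": ["*"],
}]})

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, lint_policy(policy))
```

A whole-bucket finding is a prompt to confirm the scope is required, not an error: some jobs legitimately need every object in the bucket.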

Service API

Media Processing Task

Take the media transcoding API as an example. The API is CreateMediaJobs, so the policy action that grants permission to call it is ci:CreateMediaJobs.
Media tasks involve several permission actions:
cos:GetObject: Obtain COS resource permissions
ci:CreateMediaJobs: Create a task
ci:CreateMediaTemplate: Create a template
ci:UpdateMediaTemplate: Update a template
ci:DescribeMediaJob: Query a task
ci:DescribeMediaJobs: Query the task list
ci:CancelMediaJob: Cancel a task

Example

The following policy grants the media task permissions listed above on all objects in the bucket examplebucket-1250000000.
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "cos:GetObject",
                "ci:CreateMediaJobs",
                "ci:CreateMediaTemplate",
                "ci:UpdateMediaTemplate",
                "ci:DescribeMediaJob",
                "ci:DescribeMediaJobs",
                "ci:CancelMediaJob"
            ],
            "effect": "allow",
            "resource": [
                "qcs::ci:ap-beijing:uid/1250000000:bucket/examplebucket-1250000000/*"
            ]
        }
    ]
}

Recommended: Use the SDK

The Cloud Infinite SDK provides a complete temporary key usage demo, integrated service APIs, and signature calculation capabilities, so you can make API calls conveniently and efficiently. See the SDK documentation.

