- Release Notes and Announcements
- Release Notes
- Announcements
- Announcement on Change of Part of Parameters
- Announcement on Update of Database Audit Feature
- Announcement on Authentication of a Newly Added API Interface of Database Audit
- Announcement on Change of Public Network Linkage
- TDSQL-C for MySQL Audit Service Update
- Emergency Fix for Certain Monitoring Metrics
- Monitoring Metric Optimization
- Some AZs Are Sold Out
- Change to Database Audit Resource ID
- Ops Change
- Storage Price Adjustment Notification
- Product Introduction
- Kernel Features
- Purchase Guide
- Getting Started
- Database Audit
- Serverless Service
- Operation Guide
- Switching Cluster Page View in Console
- Database Connection
- Instance Management
- Configuration Adjustment
- Cluster Management
- Scaling Instance
- Database Proxy
- Database Proxy Overview
- Use Limits
- Database Proxy Kernel Features
- Managing Database Proxy
- Enabling Database Proxy
- Setting Database Proxy Address
- Modifying or Deleting Connection Addresses
- Viewing and Changing the Access Policy
- Rebalancing the Load
- Transaction Split Feature
- Access Mode
- Adjusting Database Proxy Configuration
- Switching Database Proxy Network
- Viewing Database Proxy Monitoring Data
- Disabling Database Proxy
- Automatic Read/Write Separation
- Connection Pool Feature
- Other Features
- Account Management
- Database Management
- Database Management Tool
- Columnar Storage Index (CSI)
- Parameter Configuration
- Multi-AZ Deployment
- Backup and Restoration
- Operation Log
- Data Migration
- Parallel Query
- Database Security and Encryption
- Monitoring and Alarms
- Basic SQL Operations
- Connecting to TDSQL-C for MySQL Through SCF
- Tag
- Best Practices
- White Paper
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- CloseClusterPasswordComplexity
- CopyClusterPasswordComplexity
- DescribeClusterPasswordComplexity
- ModifyClusterPasswordComplexity
- OpenClusterPasswordComplexity
- UpgradeClusterVersion
- UpgradeInstance
- SetRenewFlag
- OfflineCluster
- ModifyMaintainPeriodConfig
- IsolateInstance
- IsolateCluster
- DescribeMaintainPeriod
- DescribeInstanceSpecs
- DescribeClusters
- DescribeClusterDetail
- CreateClusters
- AddInstances
- OfflineInstance
- DescribeInstanceDetail
- DescribeClusterInstanceGrps
- DescribeInstances
- ActivateInstance
- ModifyInstanceName
- ModifyClusterName
- SearchClusterTables
- SearchClusterDatabases
- RestartInstance
- Multi-AZ APIs
- Account APIs
- Audit APIs
- Database Proxy APIs
- Backup and Restoration APIs
- Parameter Management APIs
- Performance Analysis APIs
- Billing APIs
- Serverless APIs
- ResourcePackage APIs
- Other APIs
- CloseWan
- CreateClusterDatabase
- DeleteClusterDatabase
- DescribeClusterDetailDatabases
- ModifyClusterDatabase
- OpenWan
- OpenClusterReadOnlyInstanceGroupAccess
- OpenReadOnlyInstanceExclusiveAccess
- ModifyDBInstanceSecurityGroups
- DescribeProjectSecurityGroups
- DescribeDBSecurityGroups
- SwitchProxyVpc
- DescribeFlow
- DescribeZones
- SwitchClusterVpc
- ModifyVipVport
- Data Types
- Error Codes
- FAQs
- TDSQL-C Policy
- Glossary
- Contact Us
- Release Notes and Announcements
- Release Notes
- Announcements
- Announcement on Change of Part of Parameters
- Announcement on Update of Database Audit Feature
- Announcement on Authentication of a Newly Added API Interface of Database Audit
- Announcement on Change of Public Network Linkage
- TDSQL-C for MySQL Audit Service Update
- Emergency Fix for Certain Monitoring Metrics
- Monitoring Metric Optimization
- Some AZs Are Sold Out
- Change to Database Audit Resource ID
- Ops Change
- Storage Price Adjustment Notification
- Product Introduction
- Kernel Features
- Purchase Guide
- Getting Started
- Database Audit
- Serverless Service
- Operation Guide
- Switching Cluster Page View in Console
- Database Connection
- Instance Management
- Configuration Adjustment
- Cluster Management
- Scaling Instance
- Database Proxy
- Database Proxy Overview
- Use Limits
- Database Proxy Kernel Features
- Managing Database Proxy
- Enabling Database Proxy
- Setting Database Proxy Address
- Modifying or Deleting Connection Addresses
- Viewing and Changing the Access Policy
- Rebalancing the Load
- Transaction Split Feature
- Access Mode
- Adjusting Database Proxy Configuration
- Switching Database Proxy Network
- Viewing Database Proxy Monitoring Data
- Disabling Database Proxy
- Automatic Read/Write Separation
- Connection Pool Feature
- Other Features
- Account Management
- Database Management
- Database Management Tool
- Columnar Storage Index (CSI)
- Parameter Configuration
- Multi-AZ Deployment
- Backup and Restoration
- Operation Log
- Data Migration
- Parallel Query
- Database Security and Encryption
- Monitoring and Alarms
- Basic SQL Operations
- Connecting to TDSQL-C for MySQL Through SCF
- Tag
- Best Practices
- White Paper
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- CloseClusterPasswordComplexity
- CopyClusterPasswordComplexity
- DescribeClusterPasswordComplexity
- ModifyClusterPasswordComplexity
- OpenClusterPasswordComplexity
- UpgradeClusterVersion
- UpgradeInstance
- SetRenewFlag
- OfflineCluster
- ModifyMaintainPeriodConfig
- IsolateInstance
- IsolateCluster
- DescribeMaintainPeriod
- DescribeInstanceSpecs
- DescribeClusters
- DescribeClusterDetail
- CreateClusters
- AddInstances
- OfflineInstance
- DescribeInstanceDetail
- DescribeClusterInstanceGrps
- DescribeInstances
- ActivateInstance
- ModifyInstanceName
- ModifyClusterName
- SearchClusterTables
- SearchClusterDatabases
- RestartInstance
- Multi-AZ APIs
- Account APIs
- Audit APIs
- Database Proxy APIs
- Backup and Restoration APIs
- Parameter Management APIs
- Performance Analysis APIs
- Billing APIs
- Serverless APIs
- ResourcePackage APIs
- Other APIs
- CloseWan
- CreateClusterDatabase
- DeleteClusterDatabase
- DescribeClusterDetailDatabases
- ModifyClusterDatabase
- OpenWan
- OpenClusterReadOnlyInstanceGroupAccess
- OpenReadOnlyInstanceExclusiveAccess
- ModifyDBInstanceSecurityGroups
- DescribeProjectSecurityGroups
- DescribeDBSecurityGroups
- SwitchProxyVpc
- DescribeFlow
- DescribeZones
- SwitchClusterVpc
- ModifyVipVport
- Data Types
- Error Codes
- FAQs
- TDSQL-C Policy
- Glossary
- Contact Us
CAM policy syntax
CAM policy syntax
{"version":"2.0","statement":[{"effect":"effect","action":["action"],"resource":["resource"],"condition": {"key":{"value"}}}]}
version is required. Currently, only the value "2.0" is allowed.
statement describes the details of one or more permissions. This element contains a permission or permission set of other elements such as
effect, action, resource, and condition. One policy has only one statement.effect is required. It describes the result of a statement. The result can be "allow" or an "explicit deny".
action is required. It describes the allowed or denied operation. An operation can be an API or a feature set (a set of specific APIs prefixed with "permid").
resource is required. It describes the details of authorization. A resource is described in a six-segment format. Detailed resource definitions vary by product.
condition is required. It describes the condition for the policy to take effect. A condition consists of operator, action key, and action value. A condition value may contain information such as time and IP address. Some services allow you to specify additional values in a condition.
Operations
Operations
In a CAM policy statement, you can specify any API operation from any service that supports CAM. APIs prefixed with
cynosdb: are used for TDSQL-C for MySQL, such as cynosdb:DescribeClusters or cynosdb:ResetAccountPassword.
To specify multiple operations in a single statement, separate them by comma."action":["cynosdb:action1","cynosdb:action2"]
You can also specify multiple operations by using a wildcard. For example, you can specify all operations beginning with "Describe" in the name.
"action":["cynosdb:Describe*"]
If you want to specify all operations in TDSQL-C for MySQL, use the
* wildcard."action":["cynosdb:*"]
Resource path
Resource path
Each CAM policy statement has its own applicable resources.
Resource paths are generally in the following format:
qcs:project_id:service_type:region:account:resource
project_id describes the project information, which is only used to enable compatibility with legacy CAM logic and can be left empty.
service_type describes the product abbreviation such as
cynosdb.region describes the region information, such as
bj.account describes the root account of the resource owner, such as
uin/12xxx8.resource describes the detailed resource information of each product, such as
instance/clusterId or instance/*.For example, you can specify a resource for a specific cluster (cynosdbmysql-123abc) in a statement.
"resource":[ "qcs::cynosdb:bj:uin/12xxx8:instance/cynosdbmysql-123abc"]
You can also use the
* wildcard to specify it for all clusters that belong to a specific account."resource":[ "qcs::cynosdb:bj:uin/12xxx8:instance/*"]
If you want to specify all resources or if a specific API operation does not support resource-level permission control, you can use the "*" wildcard in the
resource element."resource": ["*"]
To specify multiple resources in one policy, separate them with commas. In the following example, two resources are specified:
"resource":["resource1","resource2"]
The table below describes the resources that can be used by TDSQL-C for MySQL and the corresponding resource description methods, where words prefixed with
$ are placeholders, region refers to a region, and account refers to an account ID.Resource | Resource Description Method in Authorization Policy |
Cluster | qcs::cynosdb:$region:$account:instance/$clusterId |
VPC | qcs::vpc:$region:$account:vpc/$vpcId |
Security group | qcs::cvm:$region:$account:sg/$sgId |
Yes
No
Was this page helpful?