CAM policy:
{
  "version":"2.0",
  "statement":
  [
    {
      "effect":"effect",
      "action":["action"],
      "resource":["resource"],
      "condition": {"key":{"value"}}
    }
  ]
}
A CAM policy allows you to perform API operations in any Tencent Cloud service that supports CAM. For CVM, use the prefix name/cvm: with any API, such as name/cvm:RunInstances or name/cvm:ResetInstancesPassword.
To specify multiple actions in a single statement, separate them with commas, as shown below:
"action":["name/cvm:action1","name/cvm:action2"]
You can also specify multiple actions using a wildcard. For example, you can specify all APIs whose names begin with "Describe", as shown below:
"action":["name/cvm:Describe*"]
To specify all CVM operations, use the wildcard "*" as follows:
"action": ["name/cvm:*"]
Each CAM policy defines its own resources.
The general format of resource paths is as follows:
qcs:project_id:service_type:region:account:resource
project_id: project information, which is only used for compatibility purposes and can be left blank.
service_type: abbreviation of a product, such as CVM.
region: region of the resource, such as bj.
For example, you can specify a specific instance (i-15931881scv4) in the statement as follows:
"resource":[ "qcs::cvm:bj:uin/164256472:instance/i-15931881scv4"]
You can also use the wildcard "*" to specify all instances that belong to a specific account as shown below:
"resource":[ "qcs::redis:bj:uin/164256472:instance/*"]
If you want to specify all resources, or if an API operation does not support resource-level permissions, use the wildcard "*" in resource as shown below:
"resource":["*"]
To specify multiple resources in one statement, separate them with commas. In the following example, two resources are specified:
"resource":["resource1","resource2"]
The following table describes CVM resources and the corresponding resource description methods.
In the following table, names with the prefix $ are placeholders.
Resource | Syntax |
---|---|
Instance | qcs::cvm:$region:$account:instance/$instanceId |
Key | qcs::cvm:$region:$account:keypair/$keyId |
VPC | qcs::vpc:$region:$account:vpc/$vpcId |
Subnet | qcs::vpc:$region:$account:vpc/$vpcId |
Image | qcs::cvm:$region:$account:image/* |
Subnet | qcs::vpc:$region:$account:subnet/$subnetId |
CBS | qcs::cvm:$region:$account:volume/$diskid |
Security group | qcs::cvm:$region:$account:sg/$sgId |
EIP | qcs::cvm:$region:$account:eip/* |
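
The action and resource syntax above can be checked mechanically before a policy is attached. The following is an added example, not Tencent Cloud code: the function names `parse_resource` and `audit` are hypothetical, and the sample policy is constructed from the page's own example values with "allow" as the effect. It splits each resource into the six-segment path and reports allow statements that use the wildcard forms described above.

```python
import json

# Constructed sample policy in the page's syntax; the account and instance IDs
# are the example values used on this page.
SAMPLE_POLICY = json.loads("""
{"version": "2.0", "statement": [
  {"effect": "allow", "action": ["name/cvm:Describe*"],
   "resource": ["qcs::cvm:bj:uin/164256472:instance/i-15931881scv4"]},
  {"effect": "allow", "action": ["name/cvm:*"], "resource": ["*"]},
  {"effect": "allow", "action": ["name/cvm:ResetInstancesPassword"],
   "resource": ["qcs::cvm:bj:uin/164256472:instance/*"]}
]}
""")

FIELDS = ("qcs", "project_id", "service_type", "region", "account", "resource")

def parse_resource(path):
    """Split qcs:project_id:service_type:region:account:resource into a dict."""
    parts = path.split(":", 5)  # maxsplit keeps any ':' in the last segment intact
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-segment qcs path: {path!r}")
    return dict(zip(FIELDS, parts))

def audit(policy):
    """Return (statement_index, finding) pairs for broad allow statements."""
    findings = []
    for i, stmt in enumerate(policy["statement"]):
        if stmt.get("effect", "").lower() != "allow":
            continue
        for action in stmt.get("action", []):
            _, _, api = action.partition(":")
            if action == "*" or api == "*":  # bare or whole-service wildcard
                findings.append((i, f"action {action} covers every API"))
        for res in stmt.get("resource", []):
            if res == "*":
                findings.append((i, "resource * matches all resources"))
                continue
            r = parse_resource(res)
            if r["resource"].endswith("/*"):
                findings.append((i, f"{res} matches every {r['resource'][:-2]}"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_POLICY):
        print(f"statement[{idx}]: {msg}")
```
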
You can use conditions to specify the conditions under which policies take effect. Each condition consists of one or more key pairs. These are not case-sensitive.
Condition key | Reference type | Key pair |
---|---|---|
cvm:instance_type | String | cvm:instance_type= |
cvm:image_type | String | cvm:image_type= |
vpc:region | String | vpc:region= |
cvm:disk_size | Integer | cvm:disk_size= |
cvm:disk_type | String | cvm_disk_type= |
cvm:region | String | cvm:region= |