Authorization Policy Syntax

Last updated: 2024-01-08 09:12:28

    Policy Syntax

    CAM policy:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "effect",
                "action": ["action"],
                "resource": ["resource"],
                "condition": {"key": {"value"}}
            }
        ]
    }
    
    version is required. Currently, only "2.0" is supported.
    statement describes the details of one or more permissions. This element contains a permission or permission set consisting of other elements such as effect, action, resource, and condition. One policy has only one statement.
    1.1 effect describes whether the result produced by the statement is "allowed" (allow) or "denied" (deny). This element is required.
    1.2 action describes the allowed or denied actions. An action can be an API (described using the prefix "name") or a feature set (a set of specific APIs, described using the prefix "permit"). This element is required.
    1.3 resource describes the authorization details. A resource is described in a six-piece format. Detailed resource definitions vary by product. For more information on how to specify a resource, see the documentation for the relevant product. This element is required.
    1.4 condition describes the condition under which the statement takes effect. A condition consists of an operator, a key, and a value. A condition value may contain information such as time and IP address. Some services allow you to specify additional values in a condition. This element is optional.

    CVM Operations

    A CAM policy allows you to perform API operations in any Tencent Cloud service that supports CAM. For CVM, use the prefix name/cvm: with any API, such as name/cvm:RunInstances or name/cvm:ResetInstancesPassword. To specify multiple actions in a single statement, separate them with commas, as shown below:
    "action":["name/cvm:action1","name/cvm:action2"]
    You can also specify multiple actions using a wildcard. For example, you can specify all APIs whose names begin with "Describe", as shown below:
    "action":["name/cvm:Describe*"]
    To specify all CVM operations, use the wildcard "*" as follows:
    "action": ["name/cvm:*"]

    CVM Resource Path

    Each CAM policy defines its own resources. The general format of resource paths is as follows:
    qcs:project_id:service_type:region:account:resource
    project_id: project information, which is only used for compatibility purposes and can be left blank.
    service_type: abbreviation of a product, such as cvm.
    region: region of the resource, such as bj.
    account: the root account of the resource owner, such as uin/164256472.
    resource: detailed resource information of each product, such as instance/instance_id1 or instance/*.
    For example, you can specify a specific instance (i-15931881scv4) in the statement as follows:
    "resource":["qcs::cvm:bj:uin/164256472:instance/i-15931881scv4"]
    You can also use the wildcard "*" to specify all instances that belong to a specific account, as shown below:
    "resource":["qcs::redis:bj:uin/164256472:instance/*"]
    If you want to specify all resources, or if an API operation does not support resource-level permissions, use the wildcard "*" in resource as shown below:
    "resource":["*"]
    To specify multiple resources in one statement, separate them with commas. In the following example, two resources are specified:
    "resource":["resource1","resource2"]
    The following table describes CVM resources and the corresponding resource description methods.
    In the following table, names with the prefix $ are placeholders:
    $project is the ID of the project.
    $region is the region of the resource.
    $account is the ID of the account.

    Resource         Syntax
    Instance         qcs::cvm:$region:$account:instance/$instanceId
    Key              qcs::cvm:$region:$account:keypair/$keyId
    VPC              qcs::vpc:$region:$account:vpc/$vpcId
    Subnet           qcs::vpc:$region:$account:subnet/$subnetId
    Image            qcs::cvm:$region:$account:image/*
    CBS              qcs::cvm:$region:$account:volume/$diskid
    Security group   qcs::cvm:$region:$account:sg/$sgId
    EIP              qcs::cvm:$region:$account:eip/*

    CVM Condition Keys

    You can use conditions to specify the conditions under which policies take effect. Each condition consists of one or more key pairs. These are not case-sensitive.
    If you specify multiple conditions or multiple keys in one condition, they are connected with the logical operator "AND".
    If you specify a key with multiple values in one condition, they are connected with the logical operator "OR". The following table describes CVM condition keys for specific services.
    Condition key       Reference type   Key pair
    cvm:instance_type   String           cvm:instance_type=instance_type
                                         instance_type is the model of the CVM instance, such as S1.SMALL1.
    cvm:image_type      String           cvm:image_type=image_type
                                         image_type is the type of the image, such as IMAGE_PUBLIC.
    vpc:region          String           vpc:region=region
                                         region is the region of the CVM instance, such as ap-guangzhou.
    cvm:disk_size       Integer          cvm:disk_size=disk_size
                                         disk_size is the size of the disk, such as 500.
    cvm:disk_type       String           cvm:disk_type=disk_type
                                         disk_type is the type of the disk, such as CLOUD_BASIC.
    cvm:region          String           cvm:region=region
                                         region is the region of the CVM instance, such as ap-guangzhou.
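    The rules this page lays out (a "*" wildcard in name/cvm: actions, piece-by-piece matching of the six-piece qcs resource path, AND across condition keys with OR across one key's values, case-insensitive condition keys) are put together in the following small evaluator. It is an added example, not Tencent's code: the operator name string_equal, the deny-overrides-allow precedence and the "*" fallback for resources are assumptions, while the account and instance IDs are the sample values used above.

```python
import fnmatch
# Constructed sample policy (account and instance IDs reused from the page's examples):
# read-only CVM calls on one account's bj instances, with one instance denied outright.
POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow",
         "action": ["name/cvm:Describe*"],
         "resource": ["qcs::cvm:bj:uin/164256472:instance/*"],
         # The operator name "string_equal" is assumed; keys and values follow the condition-key table.
         "condition": {"string_equal": {"cvm:region": ["ap-guangzhou"],
                                        "cvm:instance_type": ["S1.SMALL1"]}}},
        {"effect": "deny",
         "action": ["name/cvm:*"],
         "resource": ["qcs::cvm:bj:uin/164256472:instance/i-15931881scv4"]},
    ],
}

def _glob(pattern, value):
    """Match one piece; '*' in the pattern stands for any run of characters."""
    return fnmatch.fnmatchcase(value, pattern)

def _resource_match(pattern, resource):
    """Compare the six-piece qcs:project:service:region:account:resource path piece by piece."""
    if pattern == "*":  # a bare "*" covers every resource (assumed behaviour)
        return True
    p, r = pattern.split(":", 5), resource.split(":", 5)
    return len(p) == len(r) == 6 and all(_glob(a, b) for a, b in zip(p, r))

def _condition_match(condition, ctx):
    """Keys are ANDed and the values under one key are ORed; keys and values compare case-insensitively."""
    ctx = {k.lower(): str(v).lower() for k, v in ctx.items()}
    for pairs in condition.values():  # only equality (string_equal) is modelled here
        for key, values in pairs.items():
            if not any(ctx.get(key.lower()) == v.lower() for v in values):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'allow' or 'deny': an explicit deny wins, and a request matching no statement is denied."""
    decision = "deny"
    for st in policy["statement"]:
        if (any(_glob(a, action) for a in st["action"])
                and any(_resource_match(r, resource) for r in st["resource"])
                and _condition_match(st.get("condition", {}), ctx)):
            if st["effect"] == "deny":
                return "deny"
            decision = "allow"
    return decision
```

    Running evaluate() over a request such as name/cvm:ResetInstancesPassword shows why a Describe* allow plus a targeted deny keeps the policy read-only, which is the check to run before attaching a policy to a sub-account.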
    