CAM policy:
```
{
  "version":"2.0",
  "statement":
  [
    {
      "effect":"effect",
      "action":["action"],
      "resource":["resource"],
      "condition": {"key":{"value"}}
    }
  ]
}
```
In the statement of a CAM policy, you can specify any API action from any service that supports CAM. For VPC, use APIs with the prefix "name/vpc:", for example, name/vpc:Describe or name/vpc:CreateRoute.
To specify multiple actions in a single statement, separate them with commas, as shown below:
"action":["name/vpc:action1","name/vpc:action2"]
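You can also use a wildcard to specify multiple actions. For example, the following specifies all actions whose names begin with "Describe":
"action":["name/vpc:Describe*"]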
To specify all actions in VPC, use the wildcard "*" as follows:
"action": ["name/vpc:*"]
Each CAM policy statement has its own resources.
The general format of a resource path is as follows:
qcs:project_id:service_type:region:account:resource
For example, you can specify an instance (vpc-d08sl2zr in this case) in the statement, as shown below:
"resource":[ "qcs::vpc:bj:uin/164256472:instance/vpc-d08sl2zr"]
You can also use the wildcard "*" to specify all instances under a specific account, as shown below:
"resource":[ "qcs::vpc:bj:uin/164256472:instance/*"]
To specify all resources, or when an API action does not support resource-level permissions, use the wildcard "*" in the resource element, as shown below:
"resource": ["*"]
To specify multiple resources in one statement, separate them with commas. In the following example, two resources are specified:
"resource":["resource1","resource2"]
The following table lists the resources that VPC can use and how to describe each of them in an authorization policy.
In the table, the words prefixed with "$" are placeholders:
project indicates the project ID.
region indicates the region.
account indicates the account ID.

Resource | Resource Description Method in the Authorization Policy |
---|---|
VPC | qcs::vpc:$region:$account:vpc/$vpcId |
Subnet | qcs::vpc:$region:$account:subnet/$subnetId |
Security group | qcs::cvm:$region:$account:sg/$sgId |
EIP | qcs::cvm:$region:$account:eip/* |
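
As an added example (not part of the original page or of any Tencent Cloud tooling), the Python below splits the six-segment resource path described above into its fields and lists every wildcard grant in a policy so it can be reviewed against least privilege. The function names `parse_resource` and `audit`, the constructed sample policy, and the `allow` effect value are assumptions made for this example.

```python
import json

# Constructed sample policy; the account and VPC IDs are the ones used on this page.
SAMPLE_POLICY = json.loads("""
{"version": "2.0", "statement": [
  {"effect": "allow", "action": ["name/vpc:Describe*"], "resource": ["*"]},
  {"effect": "allow", "action": ["name/vpc:CreateRoute"],
   "resource": ["qcs::vpc:bj:uin/164256472:instance/vpc-d08sl2zr"]},
  {"effect": "allow", "action": ["name/vpc:*"],
   "resource": ["qcs::vpc:bj:uin/164256472:instance/*"]}
]}
""")

FIELDS = ("qcs", "project_id", "service_type", "region", "account", "resource")

def parse_resource(path):
    """Split a six-segment resource path into named fields; "*" means all resources."""
    if path == "*":
        return {"resource": "*"}
    parts = path.split(":", 5)  # project_id may be empty, as in "qcs::vpc:..."
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a qcs resource path: {path!r}")
    return dict(zip(FIELDS, parts))

def audit(policy):
    """Return (statement index, finding) pairs for wildcard grants in allow statements."""
    findings = []
    for i, stmt in enumerate(policy["statement"]):
        if stmt["effect"] != "allow":  # assumption: effect is "allow" or "deny"
            continue
        for action in stmt["action"]:
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"all-actions wildcard: {action}"))
        for path in stmt["resource"]:
            res = parse_resource(path)["resource"]
            if res == "*" or res.endswith("/*"):
                findings.append((i, f"wildcard resource: {path}"))
    return findings

if __name__ == "__main__":
    for index, finding in audit(SAMPLE_POLICY):
        print(f"statement {index}: {finding}")
```

A finding is a prompt for review, not necessarily an error: a resource of "*" is expected when the action does not support resource-level permissions.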