Authorization policy syntax

Last updated: 2020-02-17 14:17:05


Policy Syntax

CAM Policy:

               "condition": {"key":{"value"}} 
  • Version (version): required. Currently the only allowed value is "2.0".
  • Statement (statement): describes one or more permissions in detail. This element contains the other elements that make up a permission or permission set, such as effect, action, resource, and condition. A policy has exactly one statement element.
  1. Action (action): describes the operation that is allowed or denied. The operation can be an API (described with the name prefix) or a feature set (a specific set of APIs, described with the permid prefix). This element is required.
  2. Resource (resource): describes the specific data covered by the authorization. A resource is described as a six-segment path; the details of the resource definition vary by product. This element is required.
  3. Condition (condition): describes the constraints under which the policy takes effect. A condition consists of an operator, an action key, and an action value. Condition values can include information such as time and IP address, and some services allow other values to be specified in the condition. This element is optional.
  4. Effect (effect): describes whether the result of the statement is "allow" or "explicit deny". The two possible values are allow and deny. This element is required.

CBS operations

In a CAM policy statement, you can specify any API operation from any service that supports CAM. For CBS, use the APIs whose names carry the name/cvm: prefix, for example name/cvm:CreateDisks or name/cvm:DescribeDisks.
To specify multiple actions in a single statement, separate them with commas, as follows:


You can also use wildcards to specify multiple actions. For example, to specify all actions whose names begin with "Describe":


To specify all actions of CVM, use the * wildcard, as follows:


CBS resource paths

Each CAM policy statement has its own resources. The general form of a resource path is as follows:

  • project_id: describes project information. It exists only for compatibility with early CAM logic and does not need to be filled in.
  • service_type: product abbreviation, such as cvm.
  • region: region information, such as bj.
  • account: root account information of the resource owner, such as uin/164256472.
  • resource: details of the specific resource of each product, such as volume/diskid1 or volume/*.

For example, you can refer to a specific CBS resource (disk-abcdefg) in a statement as follows:

"resource":[ "qcs::cvm:bj:uin/164256472:volume/disk-abcdefg"]

You can also use the * wildcard to specify all CBS resources that belong to a particular account, as follows:

"resource":[ "qcs::cvm:bj:uin/164256472:volume/*"]

To specify all resources, or when a specific API operation does not support resource-level permissions, use the * wildcard in the resource element, as follows:

"resource": ["*"]

To specify multiple resources in a single statement, separate them with commas; an example specifying two resources is shown below:


CBS condition keys

In a policy statement, you can optionally specify conditions that control when the policy takes effect. Each condition contains one or more key-value pairs. Condition keys are not case sensitive.

  • If you specify multiple conditions, or multiple keys in a single condition, they are evaluated with a logical AND.
  • If you specify multiple values for one key in a single condition, they are evaluated with a logical OR. All conditions must match before the permission is granted.
The following table describes the condition keys that CBS uses for service-specific purposes:

Conditional key | Reference type | Key-value pair
among           | Region         | Refers to a region (for example, ap-guangzhou)
among           | Disk_type      | Refers to the disk type (for example, CLOUD_PREMIUM)
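The following Python evaluator is an added example, not code from the original page or from CAM itself. It applies the rules described above for actions (wildcards), resource paths (six colon-separated segments) and conditions (AND across keys, OR across values, case-insensitive keys) to a constructed policy; the nesting of the condition element as {reference type: {key: [values]}} and the rule that an explicit deny overrides a matching allow are assumptions.

```python
import fnmatch
import json

# Constructed sample policy. Element names follow this page; nesting the
# condition as {reference type: {key: [values]}} is an assumption.
POLICY = json.loads("""{"version": "2.0", "statement": [
    {"effect": "allow", "action": ["name/cvm:Describe*"],
     "resource": ["qcs::cvm:bj:uin/164256472:volume/*"]},
    {"effect": "allow", "action": ["name/cvm:CreateDisks"], "resource": ["*"],
     "condition": {"among": {"region": ["ap-guangzhou", "ap-shanghai"],
                             "disk_type": ["CLOUD_PREMIUM"]}}},
    {"effect": "deny", "action": ["name/cvm:DescribeDisks"],
     "resource": ["qcs::cvm:bj:uin/164256472:volume/disk-abcdefg"]}
]}""")

def resource_matches(pattern, resource):
    """Segment-wise match of a six-part qcs path; a bare '*' matches all and
    an empty pattern segment (project_id) matches any value."""
    if pattern == "*":
        return True
    p_parts, r_parts = pattern.split(":"), resource.split(":")
    if len(p_parts) != 6 or len(r_parts) != 6:
        return False
    return all(p == "" or fnmatch.fnmatchcase(r, p)
               for p, r in zip(p_parts, r_parts))

def condition_matches(condition, context):
    """Every key must match (AND); any listed value for a key suffices (OR).
    Keys are compared case-insensitively, as the page states."""
    ctx = {k.lower(): v for k, v in context.items()}
    return all(ctx.get(key.lower()) in values
               for keys in condition.values()
               for key, values in keys.items())

def evaluate(policy, action, resource, context=None):
    """Return 'allow', 'deny' or 'implicit deny' for one request.
    Assumes an explicit deny statement overrides any matching allow."""
    decision = "implicit deny"
    for stmt in policy["statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["action"]):
            continue  # action not covered by this statement
        if not any(resource_matches(r, resource) for r in stmt["resource"]):
            continue  # resource not covered by this statement
        if not condition_matches(stmt.get("condition", {}), context or {}):
            continue  # condition not satisfied by the request context
        if stmt["effect"] == "deny":
            return "deny"
        decision = "allow"
    return decision
```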