Syntax Structure

Last updated: 2021-05-27 15:26:24

    The syntax structure of a policy is as shown in the following figure. The policy consists of a version and a statement, and can also contain principal information. principal can only be used in policy syntax-related parameters in policy management APIs.
    A statement is composed of several sub-statements. Each sub-statement contains four elements: action, resource, condition, and effect, where condition is optional.

    JSON Format

    The policy syntax is based on the JSON format as defined in RFC 7159. If a created or updated policy does not meet the JSON format requirement, it cannot be successfully submitted. Therefore, you must ensure that the JSON format is correct. You can check the policy format with an online JSON validator.

    Syntax Conventions

    Here we list some syntax conventions:

    • These characters are JSON characters included in policy syntax:
    { } [ ] " , :
    • These characters are special characters used to describe policy syntax and are not included in policies:
    = < > ( ) |
    • If an element allows multiple values, the values will be described with comma separators and ellipsis; for example:
    [<resource_string>, < resource_string>, ...]  
    <principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }

    When multiple values are allowed, you can also choose to include only one value. When an element has only one value, the trailing comma must be removed, and the brackets "[]" are optional; for example:

    "resource": [<resource_string>]     
    "resource": <resource_string>
    • The question mark "?" behind an element indicates that the element is optional; for example:

    • If an element is enumerated, use vertical line "|" to separate the values and use parenthesis "()" to define the range of the enumerated values; for example:

    ("allow" | "deny")
    • String elements are enclosed in double quotation marks; for example:
    <version_block> = "version" : "2.0"

    Syntax Description

    policy  = {
    <version_block> = "version" : "2.0"
    <statement_block> = "statement" : [ <statement>, <statement>, ... ]
    <statement> = {     
    <effect_block> = "effect" : ("allow" | "deny")  
    <principal_block> = "principal": ("*" | <principal_map>)
    <principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }
    <principal_map_entry> = "qcs":   
    [<principal_id_string>, <principal_id_string>, ...]
    <action_block> = "action": 
    ("*" | [<action_string>, <action_string>, ...])
    <resource_block> = "resource": 
    ("*" | [<resource_string>, <resource_string>, ...])
    <condition_block> = "condition" : { <condition_map> }
    <condition_map> { 
    <condition_type_string> : { <condition_key_string> : <condition_value_list> },
    <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
    <condition_value_list> = [<condition_value>, <condition_value>, ...]
    <condition_value> = ("string" | "number")

    Syntax description:

    • One policy may contain multiple statement.
      The maximum length of a policy is 4,096 characters (without spaces). For more information, please see Limits.
      The display order of blocks is unrestricted; for example, in a policy, version_block can follow effect_block.

    • Currently supported syntax version is 2.0.

    • The principal_block element cannot be used in the console and can only be used through policy management APIs and policy syntax-related parameters.

    • Lists are supported for both action and resource.

    • A condition can be a single condition or a logical combination of multiple sub-conditions. Each condition contains a condition operator condition_type, a condition key condition_key, and a condition value condition_value.

    • The effect of each statement is deny or allow. If the statement of a policy contains both allow and deny, deny will take precedence.

    String Description

    The element strings described in the syntax are as detailed below:


    It consists of description scope, service type, and operation name.

    // All operations for all products
    // All operations in COS
    // Operation named `GetBucketPolicy` in COS
    // Operation for matching some buckets in COS
    // Operation list named `GetBucketPolicy\PutBucketPolicy\DeleteBucketPolicy` in COS
    "action":["cos:GetBucketPolicy","cos:PutBucketPolicy","cos: DeleteBucketPolicy"]


    Resource is described in a six-segment format.

    qcs: project :serviceType:region:account:resource

    Below are examples:

    // COS object. Region: Shanghai. Resource owner uid: 10001234. Resource name: bucket1/object2. Resource prefix: prefix
    // CMQ queue. Region: Shanghai. Resource owner uin: 12345678. Resource name: 12345678/queueName1. Resource prefix: queueName
    // CVM instance. Region: Shanghai. Resource owner uin: 12345678. Resource name: ins-abcdefg. Resource prefix: instance

    For more information on product-specific resource definitions, please see the corresponding product documentation in CAM-Enabled Tencent Cloud Products.


    Condition operator describes the type of test conditions, such as string_equal, string_not_equal, date_equal, date_not_equal, ip_equal, ip_not_equal, numeric_equal, and numeric_not_equal. Below are examples:



    Condition keys are used with a condition operator to determine whether the condition is met. CAM defines a set of condition keys that can be used in all products, including qcs:current_time, qcs:ip, qcs:uin, qcs:owner_uin, etc. For more information, please see Condition.


    For CAM, users are also its resources. Therefore, the principal also uses a six-segment description. Below is an example. For more information, please see Resource Description Method.

    "principal":   {"qcs":["qcs::cam::uin/1238423:uin/3232",