Resource Description Method

Last updated: 2020-08-13 09:37:51

    A resource description identifies one or more objects that an operation acts on, such as CVM instances and COS buckets. This document describes how CAM resource descriptions are written.

    Six-Segment Format

    All resources can be described in the following six-segment format. Each service has its own resources and its own detailed resource definitions. For more information on how to specify resources, see the corresponding product documentation in CAM-Enabled Products.
    The six-segment format is defined as follows:

    qcs:project_id:service_type:region:account:resource
    • qcs is the abbreviation of qcloud service and indicates that the resource is a Tencent Cloud resource. This field is required.
    • project_id describes the project and exists only for compatibility with legacy CAM logic. It must not be set in the current policy syntax; leave this segment empty.
    • service_type is the abbreviated service name, such as cvm or cdn (lowercase, as in the examples on this page). See the corresponding service documentation for the abbreviation of each service. The value * indicates all services. This field is required.
    • region describes the region. If this segment is left empty, the description covers all regions. Two naming methods are currently supported: the newer region names described in Regions and Availability Zones, and the legacy abbreviations listed below.
    Abbreviation   Region
    gz             Guangzhou
    sh             Shanghai
    bj             Beijing
    ca             Canada
    sg             Singapore
    hk             Hong Kong (China)
    cd             Chengdu
    de             Germany
    • account describes the root account information of the resource owner. Currently, either uin or uid can be used to describe the resource owner.

      • uin is the account ID of the root account, which is expressed in the format of uin/${uin}, such as uin/12345678.
      • uid is the APPID of the root account, which is expressed in the format of uid/${appid}, such as uid/10001234.
      • If this value is empty, the account will be the root account of the user who created the policy.

      Note: at present, COS resource owners can only be described using uid, and resource owners of other services can only be described using uin.

    • resource describes the specific resource of the service. This field is required. It can take the following forms:

      • The ID of one resource in a resource subcategory, such as instance/ins-abcdefg for VPC:
        <resource_type>/<resource_id>
      • The path of one resource in a resource subcategory, such as prefix//10001234/bucket1/object2 for COS. Prefix matching at the directory level is supported for this form; for example, prefix//10001234/bucket1/* indicates all the objects in bucket1:
        <resource_type>/<resource_path>
      • All the resources in a resource subcategory, such as instance/*:
        <resource_type>/*
      • All the resources of a service:
        *
      • In certain scenarios the whole resource element is written as *. The rules are as follows; see the corresponding service documentation for details:
        • If the action is associated with a resource, the resource can be defined as *, meaning the action applies to all resources.
        • If the action is not associated with any resource, the resource must be defined as *.
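    The following parser and matcher is an added example for this page, not Tencent Cloud's own code. It encodes only the rules stated above: qcs, service_type and resource are required; project_id must be empty; an empty region means all regions; an empty account means the policy creator's root account; accounts are uin/<uin> or uid/<appid>, with COS using uid and other services uin; * means all; and prefix/ paths match at the directory level. Treating the standalone * shorthand as matching any account, and the helper names (Qcs, parse_qcs, matches, policy_owner), are this example's own assumptions.

```python
"""Added example: parse and match CAM six-segment resource descriptions
(qcs:project_id:service_type:region:account:resource). Illustrative code
written for this page; it is not Tencent Cloud's implementation and only
applies the rules the page states. The standalone '*' shorthand matching
any account is an assumption of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Qcs:
    service_type: str  # e.g. "cvm", "cos", "cam"; "*" = all services
    region: str        # "" = all regions
    account: str       # "uin/<uin>", "uid/<appid>", "" = policy owner, "*" = any
    resource: str      # "<type>/<id>", "<type>/<path>", "<type>/*" or "*"


def parse_qcs(desc: str) -> Qcs:
    """Parse and validate one resource description; raise ValueError if invalid."""
    if desc == "*":  # the page's "all resources" shorthand (assumption: any account)
        return Qcs("*", "", "*", "*")
    # maxsplit=5 keeps any ':' that appears inside the resource segment intact
    parts = desc.split(":", 5)
    if len(parts) != 6:
        raise ValueError("expected six colon-separated segments")
    head, project_id, service, region, account, resource = parts
    if head != "qcs":
        raise ValueError("first segment must be 'qcs'")
    if project_id:
        raise ValueError("project_id is legacy-only and must be left empty")
    if not service:
        raise ValueError("service_type is required ('*' = all services)")
    service = service.lower()
    if account:
        kind, _, ident = account.partition("/")
        if kind not in ("uin", "uid") or not ident.isdigit():
            raise ValueError("account must be '', 'uin/<uin>' or 'uid/<appid>'")
        if service == "cos" and kind != "uid":
            raise ValueError("COS resource owners are described with uid/<appid>")
        if service not in ("cos", "*") and kind != "uin":
            raise ValueError(f"{service} resource owners are described with uin/<uin>")
    if not resource:
        raise ValueError("resource is required ('*' = all resources)")
    return Qcs(service, region, account, resource)


def _resource_matches(pattern: str, target: str) -> bool:
    """Match the resource segment: '*', '<type>/*', directory prefix, or exact."""
    if pattern == "*":
        return True
    p_type, _, p_rest = pattern.partition("/")
    t_type, _, t_rest = target.partition("/")
    if p_type != t_type:
        return False
    if p_rest == "*":
        return True
    if p_rest.endswith("/*"):
        # Directory-level prefix: 'prefix//10001234/bucket1/*' covers every
        # object under bucket1/ but not objects in a bucket named bucket10.
        return t_rest.startswith(p_rest[:-1])
    return p_rest == t_rest


def matches(pattern: Qcs, target: Qcs, policy_owner: str = "") -> bool:
    """True if the concrete resource `target` is covered by policy resource `pattern`.

    `policy_owner` is the root account (e.g. 'uin/12345678') of whoever created
    the policy; it stands in for an empty account segment in the pattern.
    """
    if pattern.service_type not in ("*", target.service_type):
        return False
    if pattern.region and pattern.region != target.region:
        return False
    want = pattern.account or policy_owner
    if want != "*" and want != target.account:
        return False
    return _resource_matches(pattern.resource, target.resource)


if __name__ == "__main__":
    # Constructed sample descriptions, not taken from a real account.
    allowed = parse_qcs("qcs::cos:gz:uid/10001234:prefix//10001234/bucket1/*")
    for obj in ("prefix//10001234/bucket1/object2", "prefix//10001234/bucket10/x"):
        t = parse_qcs(f"qcs::cos:gz:uid/10001234:{obj}")
        print(obj, "->", matches(allowed, t))
```

The directory-level check is deliberately a string prefix that includes the trailing slash: prefix//10001234/bucket1/* must not silently cover bucket10, which a naive glob on bucket1* would. When a policy leaves the account segment empty, pass the policy creator's root account as policy_owner so the comparison is made against a concrete owner rather than against an empty string.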

    Resource Definition for CAM

    CAM resources include users, user groups, and policies. A CAM resource can be described as follows:

    Root account

    qcs::cam::uin/164256472:uin/164256472

    Or

    qcs::cam::uin/164256472:root 

    Sub-account

    qcs::cam::uin/164256472:uin/73829520

    Group

    qcs::cam::uin/164256472:groupid/2340

    All resources

    *

    Policy

    qcs::cam::uin/12345678:policyid/*

    Or

    qcs::cam::uin/12345678:policyid/12423

    Notes on Resources

    • A resource owner is always a root account. A sub-account that creates a resource does not automatically gain access to it; the resource owner must grant that access.
    • Services such as COS support cross-account authorization for resource access. An account authorized in this way can pass the permission on to its own sub-accounts through permission propagation.

    Relevant Documents

    For more information on service-specific resource definitions, please see the corresponding product documentation in CAM-Enabled Products.
