tencent cloud

Feedback

Resource Description Method

Last updated: 2024-01-23 17:54:33
The resource element describes one or multiple operation objects such as CVM resources and COS buckets. This document describes the resource information in CAM.

Definition of All Resources

If resource is *, it indicates all resources; that is, you can grant the action (operation) permission of all resources.
If you want to authorize a Tencent Cloud service at the service level or authorize a service operation at the API level, you need to enter * for resource to grant the permission of all resources in the Tencent Cloud service or the action permission of all resources.

Definition of One or Multiple Resources

You can describe the permissions of one or multiple resources in the following six-segment format for authorization. Each service has its own resources and detailed resource definition. The six-segment format is defined as follows:
qcs:project_id:service_type:region:account:resource
A six-segment resource description contains six fields as detailed below:
Field
Description and Valid Values
Required
Example
qcs
Tencent Cloud service abbreviation, which indicates a resource of Tencent Cloud.
Yes
qcs
project_id
Project information, which is only compatible with legacy CAM logic. It cannot be entered in the current policy syntax and can be left empty.
No
Empty
service_type
Product (service) abbreviation. For more information, see "Abbreviation in CAM" in CAM-Enabled Products.
If this field is left empty, it indicates all products.
No
CVM: cvm
CDN: cdn
region
Region information. For more information on region names, see "Region List" in Common Params.
If this field is left empty, it indicates all regions.
No
North China (Beijing): ap-beijing
South China (Guangzhou): ap-guangzhou
account
Root account information of the resource owner. Currently, either uin or uid can be used to describe the resource owner.
uin is the root account ID in uin/${uin} format.
uid is the root account's APPID in uid/${appid} format, and only COS and CAS resource owners can be described in this way.
If this field is left empty, it indicates the root account of the CAM user creating the policy.
No
uin: uin/12345678
uid: uid/10001234
resource
Resource details of the product. Currently, you can describe a resource in the following two formats: resource_type/${resourceid} and <resource_type>/<resource_path>.
resource_type/${resourceid}: resourcetype is the resource prefix, which describes the resource type. ${resourceid} is the specific resource ID, which can be viewed in the corresponding product console. * indicates all resources of this type.
<resource_type>/<resource_path>: resourcetype is the resource prefix, which describes the resource type.
<resource_path> is the resource path. This format supports directory-level prefix match.
Yes
CVM: instance/ins-1
TencentDB for MySQL: instanceId/cdb-1
COS: prefix//10001234/bucket1/*, which indicates all files in bucket1. Various COS resource types are supported. For more information, see Working with COS API Authorization Policies.

Definition of CAM Resources

CAM resources include users, user groups, and policies. A CAM resource can be described as follows:

Root account

qcs::cam::uin/164256472:uin/164256472
Or
qcs::cam::uin/164256472:root

Sub-account

qcs::cam::uin/164256472:uin/73829520

Group

qcs::cam::uin/164256472:groupid/2340

All resources

*

Policy

qcs::cam::uin/12345678:policyid/*
Or
qcs::cam::uin/12345678:policyid/12423

Notes on Resources

A resource owner is always a root account. The sub-account that creates a resource will not automatically have access to the resource without authorization; instead, it must be authorized by the resource owner.
Services such as COS and CAS support cross-account authorization for resource access. Authorized accounts can pass permissions to their sub-accounts through permission propagation.

Relevant Documents

For more information on service-specific resource definitions, see the corresponding product documentation in CAM-Enabled Products.
Contact Us

Contact our sales team or business advisors to help your business.

Technical Support

Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

7x24 Phone Support