In the CAM console, you can use your Tencent Cloud root account to create CAM users and grant them Tencent Cloud resource permissions by associating policies with them.
Overview
In CAM, you can grant different permissions to the various types of users under the root account. These permissions are described in the access policy language and are granted per user, which is why they are called user policies.
Differences between a user policy and a bucket policy
The biggest difference between a user policy and a bucket policy is that a user policy describes only effect, action, resource, and (optionally) condition, but not principal. Consequently, for a user policy:
You write the user policy first and then associate it manually with a sub-user, a user group, or a role; the policy applies to whichever identity it is associated with.
A user policy cannot grant anonymous users access to resources or operations.
Preset policy and custom policy
User policies are classified into preset policies and custom policies. You can associate a preset policy for authorization, or write a custom user policy and associate it. For more information, see CAM's Authorization Guide.
Scenarios
If you want to specify which operations a user can perform, a user policy is recommended. In the CAM console you can search for a CAM user and review the policies attached to the user and to the user's groups to see what the user is allowed to do. A user policy is recommended in scenarios where you want to:
Configure COS service-level permissions such as the permissions for bucket creation (PutBucket) and bucket listing (GetService).
Grant permissions on all COS buckets and objects under your root account.
Grant the same permissions to a large number of CAM users under the root account.
User Policy Syntax
Policy Syntax
Like a bucket policy, a user policy is written in JSON and its syntax follows the unified specification of the access policy language. The access policy language has the following basic elements: principal, effect, action, resource, and condition. Because a user policy is associated directly with a user, user group, or role, you do not specify the principal element in a user policy.
The following table compares a user policy and a bucket policy:
Element | User policy | Bucket policy |
Principal | Not specified | Required |
Effect | Required | Required |
Action | Required | Required |
Resource | Required | Limited to resources in the current bucket |
Condition | Optional | Optional |
Policy Example
Below is a typical user policy example, which grants all COS operations (cos:*) on the bucket examplebucket-1250000000 in the Guangzhou region (ap-guangzhou). Note that cos:* covers every COS action on that bucket, including bucket configuration and ACL changes and bucket deletion, not just object reads and writes; if the sub-user only needs data access, list the required actions instead. You need to save the policy and associate it with a CAM sub-user, user group, or role for it to take effect:
{
  "version": "2.0",
  "statement": [
    {
      "effect": "Allow",
      "action": ["cos:*"],
      "resource": ["qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"]
    }
  ]
}
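To make the evaluation rules concrete, the following is an added example (not Tencent Cloud code and not part of the original page). It takes the policy above, adds a constructed Deny statement, and decides a few constructed requests the way a policy engine would. The matching rules it assumes, none of which the page states, are: "*" is the only wildcard in action and resource strings and may match an empty string, an explicit deny overrides any allow, anything not allowed is denied, matching is case-sensitive, and condition elements are ignored. The resource strings used for bucket-level requests (bucket path with a trailing slash) and for GetService ("*") are also assumptions.

```python
import json
import re

# Added example, not Tencent Cloud's own code: a minimal evaluator for the
# user-policy semantics described above. Assumptions (not stated on the page):
# "*" is the only wildcard and may match an empty string; an explicit deny
# overrides any allow; anything not allowed is denied; condition elements are
# ignored; matching is case-sensitive.

BUCKET = "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000"

# The page's example policy (cos:* on one bucket) plus a constructed Deny
# statement, added here to show that deny wins over allow.
POLICY = {
    "version": "2.0",
    "statement": [
        {
            "effect": "Allow",
            "action": ["cos:*"],
            "resource": [BUCKET + "/*"],
        },
        {
            "effect": "Deny",
            "action": ["cos:DeleteBucket", "cos:PutBucketAcl"],
            "resource": [BUCKET + "/*"],
        },
    ],
}


def wildcard_match(pattern: str, value: str) -> bool:
    """True if value matches pattern, where only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Decide one request. A matching Deny ends evaluation; default is Deny."""
    decision = "Deny"
    for stmt in policy["statement"]:
        if not any(wildcard_match(p, action) for p in _as_list(stmt["action"])):
            continue
        if not any(wildcard_match(p, resource) for p in _as_list(stmt["resource"])):
            continue
        if stmt["effect"].lower() == "deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed sample requests from a sub-user the policy is associated with.
# Object requests use the object's full QCS path; bucket-level requests use the
# bucket path with a trailing slash (assumption); GetService is checked against
# "*" because it is not tied to any bucket (assumption).
REQUESTS = [
    ("cos:GetObject", BUCKET + "/reports/2024.csv"),
    ("cos:PutObject", BUCKET + "/uploads/a.bin"),
    ("cos:PutBucketAcl", BUCKET + "/"),
    ("cos:GetObject", "qcs::cos:ap-guangzhou:uid/1250000000:otherbucket-1250000000/x"),
    ("cos:GetService", "*"),
]


def evaluate_requests(policy: dict = POLICY, requests=REQUESTS) -> list:
    """Return [(action, resource, decision), ...] for the sample requests."""
    return [(a, r, evaluate(policy, a, r)) for a, r in requests]


if __name__ == "__main__":
    for action, resource, decision in evaluate_requests():
        print(f"{decision:5}  {action:18} {resource}")
    print(json.dumps(POLICY, indent=2))
```

Two of the outcomes are the ones worth checking in practice: the request against otherbucket-1250000000 is denied because the resource string does not match, and GetService is denied because a bucket-scoped resource never covers a service-level action, which is why the Scenarios section treats GetService and PutBucket separately.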
Granting Sub-account COS Access Permission with User Policy
Preparations
Configuration steps
CAM provides preset policies and custom policies. A preset policy is a system policy provided by CAM; for the COS related preset policies, see Preset Policy. A custom policy lets you define elements such as resources and actions yourself. The following describes how to create a custom policy and grant it to a sub-account:
1. Log in to the CAM console.
2. Select Policies > Create Custom Policy > Create by Policy Syntax to enter the policy creation page.
3. You can select Blank Template to customize a permission policy as needed or select a COS-associated system template. The following uses Blank Template as an example.
4. Select blank template, click Next, and enter your policy syntax. It must include the following basic elements.
resource: the resource to authorize access to. It takes one of three forms:
All resources: "*"
A specified bucket: "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"
A specified directory or object in a bucket: "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/test/*"
action: the action to authorize
effect: "allow" (permit) or "deny" (reject)
condition: optional
COS provides user policy examples. You can copy the policy content from the relevant documentation directly into the Policy Content input box, and click Complete after confirming the input is correct.
5. After creation, you can view the custom policy in the CAM Console under Policies > Custom Policies and associate it with a sub-account.
6. Select the sub-account and click Confirm to complete the authorization.
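Before associating a custom policy in step 6, it helps to see exactly which actions a wildcard grants. The following is an added example (not Tencent Cloud code and not part of the original page): it builds the step 4 resource string in its three forms, composes the one-statement policy, expands any "*" in the action list against the COS actions named in this page's tables, and flags grants a reviewer would question. Assumptions: KNOWN_ACTIONS is only the subset of COS actions listed on this page, not the complete action set; RISKY_ACTIONS is this example's own choice of actions that let the grantee expose or destroy the bucket; and "*" may match an empty string.

```python
import json
import re

# Added example, not Tencent Cloud's own code: build the custom policy from
# step 4 for each resource scope, expand wildcard actions against the COS
# actions named in this page's tables, and flag over-broad grants.
# Assumptions: KNOWN_ACTIONS is only the subset listed on this page, and
# RISKY_ACTIONS is this example's own choice, not a CAM classification.

KNOWN_ACTIONS = [
    "cos:GetService", "cos:PutBucket", "cos:DeleteBucket", "cos:HeadBucket",
    "cos:GetBucketAcl", "cos:PutBucketAcl", "cos:GetBucket",
    "cos:GetBucketObjectVersions", "cos:PutObject", "cos:GetObject",
    "cos:HeadObject", "cos:OptionsObject", "cos:InitiateMultipartUpload",
    "cos:UploadPart", "cos:UploadPartCopy", "cos:CompleteMultipartUpload",
    "cos:AbortMultipartUpload", "cos:ListParts", "cos:ListMultipartUploads",
]
RISKY_ACTIONS = {"cos:PutBucketAcl", "cos:DeleteBucket"}


def qcs_resource(region: str, appid: str, bucket: str = None, prefix: str = "") -> str:
    """Resource string in the three forms from step 4: all, one bucket, one prefix."""
    if bucket is None:
        return "*"
    return f"qcs::cos:{region}:uid/{appid}:{bucket}/{prefix}*"


def make_policy(actions, resources, effect: str = "allow") -> dict:
    """One-statement user policy in the version 2.0 layout used on this page."""
    return {
        "version": "2.0",
        "statement": [{"effect": effect, "action": list(actions), "resource": list(resources)}],
    }


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' is the only wildcard and may match an empty string (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def expand_actions(policy: dict, known=KNOWN_ACTIONS) -> list:
    """Concrete actions the policy's allow statements grant, from the known list."""
    granted = set()
    for stmt in policy["statement"]:
        if stmt["effect"].lower() != "allow":
            continue
        for pattern in stmt["action"]:
            granted.update(a for a in known if wildcard_match(pattern, a))
    return sorted(granted)


def lint(policy: dict) -> list:
    """Findings a reviewer would raise before associating the policy."""
    findings = []
    for i, stmt in enumerate(policy["statement"]):
        if stmt["effect"].lower() != "allow":
            continue
        if "*" in stmt["resource"]:
            findings.append(f"statement {i}: resource '*' covers every bucket under the root account")
        if "cos:*" in stmt["action"]:
            findings.append(f"statement {i}: action cos:* grants every COS action, not just data access")
        risky = RISKY_ACTIONS & set(expand_actions({"statement": [stmt]}))
        for a in sorted(risky):
            findings.append(f"statement {i}: grants {a}, which can expose or destroy the bucket")
    return findings


# Constructed inputs: the page's cos:* policy on one bucket, and a scoped
# read-only alternative limited to the test/ prefix.
FULL = make_policy(["cos:*"], [qcs_resource("ap-guangzhou", "1250000000", "examplebucket-1250000000")])
SCOPED = make_policy(
    ["cos:GetObject", "cos:HeadObject", "cos:GetBucket"],
    [qcs_resource("ap-guangzhou", "1250000000", "examplebucket-1250000000", prefix="test/")],
)

if __name__ == "__main__":
    for name, policy in (("FULL", FULL), ("SCOPED", SCOPED)):
        print(name, json.dumps(policy))
        print("  grants:", expand_actions(policy))
        for finding in lint(policy):
            print("  WARN", finding)
```

One detail the expansion makes visible: "cos:GetBucket*" (the configuration-read wildcard used in Table 2) also matches "cos:GetBucket", the object-listing action, which is consistent with QcloudCOSBucketConfigRead granting object listing in that table. A policy meant to read only configuration should therefore name the individual GetBucket... actions rather than use the wildcard.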
Preset Policy
1. CAM offers several preset policies that can be viewed in the CAM console under Policies > Preset Policies. Search for "COS" to filter the results.
2. Click a policy name to view its content under Policy Syntax > JSON. The resource element of a preset policy is set to all COS resources ("*") and cannot be modified. If you need to authorize specific COS buckets or objects, copy the preset policy's JSON and create a custom policy from it. Table 1 and Table 2 list the COS related preset policies provided by CAM and describe them.
Table 1. COS Preset Policies
Preset Policy | Note | JSON Policy |
QcloudCOSBucketConfigRead | Permission to read COS bucket configuration | |
QcloudCOSBucketConfigWrite | Permission to modify COS bucket configuration | |
QcloudCOSDataFullControl | Permission to read, write, delete, and list data in the COS bucket (all data access permissions) | |
Table 2. Relationships between COS actions and preset policies
Note | Action | QcloudCOSBucketConfigRead | QcloudCOSBucketConfigWrite | QcloudCOSDataFullControl | QcloudCOSDataReadOnly | QcloudCOSDataWriteOnly | QcloudCOSFullAccess | QcloudCOSGetServiceAccess | QcloudCOSListOnly | QcloudCOSReadOnlyAccess |
List buckets | GetService | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ |
Create a bucket | PutBucket | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
Delete a bucket | DeleteBucket | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
Get basic bucket information | HeadBucket | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ |
Get bucket configuration items | GetBucket* | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ |
Modify bucket configuration items | PutBucket* | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
Get bucket access permissions | GetBucketAcl | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ |
Modify bucket access permissions | PutBucketAcl | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
List objects in a bucket | GetBucket | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ |
List all objects in a bucket and their historical version information | GetBucketObjectVersions | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ |
Uploading object | PutObject | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
Multipart upload | ListParts InitiateMultipartUpload UploadPart UploadPartCopy CompleteMultipartUpload AbortMultipartUpload ListMultipartUploads | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ |
Downloading object | GetObject | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
View object metadata | HeadObject | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ |
Issue a preflight request for CORS | OptionsObject | ❌ | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ |