Syntax Structure

Last updated: 2024-10-10 17:55:32

The syntax structure of the entire policy is as depicted in the diagram. A policy is composed of a version and a statement block. The statement block is made up of several sub-statements. Each sub-statement includes four elements: action, resource, condition, and effect. Of these, the condition is optional, as is the policy-level principal.




JSON Format

The policy syntax is based on the JSON format. If the policy being created or updated does not meet the JSON format, it will not be successfully submitted, so users must ensure the correctness of the JSON format. The JSON format standard is defined in RFC7159. You can also use an online JSON validator to check the policy format.

Syntax Convention

Here we list some syntax conventions:
The following characters are included in the policy syntax as JSON characters:
{ } [ ] " , :
The following characters are used to describe special characters in policy syntax and are not included in the policy:
= < > ( ) |
When an element allows multiple values, it is represented with a comma separator and ellipsis. For instance:
[<resource_string>, <resource_string>, ...]
<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }
When multiple values are allowed, a single value can also be included. When an element has only one value, the trailing comma must be removed, and the square brackets "[]" are optional. For instance:
"resource": [<resource_string>]
"resource": <resource_string>
A question mark (?) following an element indicates that the element is optional. For instance:
<condition_block?>
In cases where the element is an enumerated value, the enumerated values are represented by a vertical line "|" and the range of enumerated values is defined by parentheses "()". For instance:
("allow" | "deny")
String elements are enclosed in double quotes. For instance:
<version_block> = "version" : "2.0"

Syntax Description

policy = {
<version_block>,
<principal_block?>,
<statement_block>
}

<version_block> = "version" : "2.0"

<statement_block> = "statement" : [ <statement>, <statement>, ... ]

<statement> = {
<effect_block>,
<action_block>,
<resource_block>,
<condition_block?>
}

<effect_block> = "effect" : ("allow" | "deny")

<principal_block> = "principal": ("*" | <principal_map>)

<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }

<principal_map_entry> = "qcs":
[<principal_id_string>, <principal_id_string>, ...]

<action_block> = "action":
("*" | [<action_string>, <action_string>, ...])

<resource_block> = "resource":
("*" | [<resource_string>, <resource_string>, ...])

<condition_block> = "condition" : { <condition_map> }
<condition_map> = {
<condition_type_string> : { <condition_key_string> : <condition_value_list> },
<condition_type_string> : { <condition_key_string> : <condition_value_list> }, ...
}
<condition_value_list> = [<condition_value>, <condition_value>, ...]
<condition_value> = ("string" | "number")
Notes on the syntax:
A policy can contain multiple statements. The maximum length of a policy is 6,144 characters (excluding spaces). For more information, please refer to Limitations. The blocks may appear in any order; for example, in a policy the version_block can follow the effect_block, and so on.
The currently supported syntax version is 2.0.
The principal_block element is only supported for use in the trust policy of a role and the bucket policy of COS.
Both action and resource support lists.
The condition can be a single condition, or a logical combination of multiple sub-condition blocks. Each condition includes a condition operator (condition_type), a condition key (condition_key), and a condition value (condition_value).
Each statement's effect can be either "deny" or "allow". When a policy contains both "allow" and "deny" statements, the "deny" takes precedence.
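The grammar above is easy to check mechanically before a policy is submitted. The following is an added example of such a structural validator; it is not Tencent Cloud's own code. It verifies only what the page states (a well-formed JSON object, version "2.0", a statement list whose entries carry an allow/deny effect, action and resource given as "*" or a list of strings, an optional condition map, an optional principal of the form "*" or {"qcs": [...]}, and the 6,144-character limit counted without spaces); the sample policies at the bottom are constructed for the demonstration.

```python
"""Structural check of a CAM policy document against the grammar on this page.

Added example, not Tencent Cloud's own code. It verifies the JSON shape only;
whether an action or resource string refers to something real is out of scope.
"""
import json

MAX_POLICY_CHARS = 6144           # limit stated on the page, counted without spaces
TOP_KEYS = {"version", "statement", "principal"}
STATEMENT_KEYS = {"effect", "action", "resource", "condition"}
EFFECTS = {"allow", "deny"}


def _string_or_list(value) -> bool:
    """Grammar convention: a list of strings, or one bare string when there is a single value."""
    if isinstance(value, str):
        return True
    return isinstance(value, list) and bool(value) and all(isinstance(v, str) for v in value)


def _check_condition(cond, where, errors):
    """<condition_block>: {condition_type: {condition_key: value_list}}, values being strings or numbers."""
    if not isinstance(cond, dict):
        errors.append(f"{where}.condition must be an object")
        return
    for ctype, keys in cond.items():
        if not isinstance(keys, dict):
            errors.append(f"{where}.condition.{ctype} must map condition keys to values")
            continue
        for ckey, values in keys.items():
            vals = values if isinstance(values, list) else [values]
            if not vals or not all(isinstance(v, (str, int, float)) and not isinstance(v, bool) for v in vals):
                errors.append(f"{where}.condition.{ctype}.{ckey}: values must be strings or numbers")


def _check_statement(stmt, where, errors):
    """<statement>: effect, action and resource are required; condition is optional."""
    if not isinstance(stmt, dict):
        errors.append(f"{where} must be an object")
        return
    for key in sorted(stmt.keys() - STATEMENT_KEYS):
        errors.append(f"{where}: unknown key {key!r}")
    if stmt.get("effect") not in EFFECTS:
        errors.append(f'{where}.effect must be "allow" or "deny"')
    for name in ("action", "resource"):
        if name not in stmt:
            errors.append(f"{where}.{name} is required")
        elif stmt[name] != "*" and not _string_or_list(stmt[name]):
            errors.append(f'{where}.{name} must be "*" or a list of strings')
    if "condition" in stmt:
        _check_condition(stmt["condition"], where, errors)


def validate_policy(text: str) -> list:
    """Return the grammar problems found; an empty list means the policy is well-formed."""
    errors = []
    if len(text.replace(" ", "")) > MAX_POLICY_CHARS:
        errors.append(f"policy longer than {MAX_POLICY_CHARS} characters (spaces excluded)")
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return errors + [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(policy, dict):
        return errors + ["policy must be a JSON object"]
    for key in sorted(policy.keys() - TOP_KEYS):
        errors.append(f"unknown top-level key {key!r}")
    if policy.get("version") != "2.0":
        errors.append('version must be "2.0"')
    if "principal" in policy:
        principal = policy["principal"]
        # <principal_block>: "*" or {"qcs": [principal_id_string, ...]}
        if principal != "*" and not (
            isinstance(principal, dict) and set(principal) == {"qcs"} and _string_or_list(principal["qcs"])
        ):
            errors.append('principal must be "*" or {"qcs": [<principal_id_string>, ...]}')
    if "statement" not in policy:
        errors.append("statement is required")
    else:
        statements = policy["statement"]
        statements = statements if isinstance(statements, list) else [statements]
        if not statements:
            errors.append("statement must contain at least one statement")
        for i, stmt in enumerate(statements):
            _check_statement(stmt, f"statement[{i}]", errors)
    return errors


# Constructed samples: one valid policy and one with four grammar errors
# (wrong version, unknown key "resources", bad effect, missing resource).
VALID_POLICY = """{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": ["cos:GetBucketPolicy", "cos:PutBucketPolicy"],
      "resource": "qcs::cos:ap-shanghai:uid/10001234:bucket1-10001234/*",
      "condition": {"ip_equal": {"qcs:ip": "10.131.12.12/24"}}
    },
    {"effect": "deny", "action": "cos:DeleteBucketPolicy", "resource": "*"}
  ]
}"""
BROKEN_POLICY = """{
  "version": "1.0",
  "statement": [{"effect": "permit", "action": "*", "resources": "*"}]
}"""

if __name__ == "__main__":
    print(validate_policy(VALID_POLICY))
    for problem in validate_policy(BROKEN_POLICY):
        print("-", problem)
```

Because the checker reports every problem rather than stopping at the first, it is usable as a pre-submission lint step in a pipeline that generates policies from templates; the JSON error path reports the line and column, which is what the page's advice to run an online JSON validator would otherwise give you.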

String Description

The element strings described in the syntax are as detailed below:

action_string

It consists of the scope description: the service type (product), a colon, and the operation name. An asterisk is a wildcard for either part.
// All actions across all products
"action":"*"
"action":"*:*"
// All operations in COS
"action":"cos:*"
// Operation named GetBucketPolicy in COS
"action":"cos:GetBucketPolicy"
// All COS operations whose name contains "Bucket" (matching some bucket operations)
"action":"cos:*Bucket*"
// Operation list GetBucketPolicy, PutBucketPolicy and DeleteBucketPolicy in COS
"action":["cos:GetBucketPolicy","cos:PutBucketPolicy","cos:DeleteBucketPolicy"]


resource_string

A resource is described in a six-segment format:
qcs:project:serviceType:region:account:resource
Below is a sample:
// The object resource of the COS product, located in the Shanghai region, the resource owner's uid is 10001234, and the resource name is bucket1/object2.
qcs::cos:ap-shanghai:uid/10001234:bucket1-10001234/object2
// CMQ queue. Region: Shanghai. Resource owner uin: 12345678. Resource name: 12345678/queueName1. Resource prefix: queueName
qcs::cmqqueue:sh:uin/12345678:queueName/12345678/queueName1
// CVM instance. Region: Shanghai. Resource owner uin: 12345678. Resource name: ins-abcdefg. Resource prefix: instance
qcs::cvm:sh:uin/12345678:instance/ins-abcdefg
For the resource definition details of each product, please see the reference documentation of that product in Products Supported by CAM.

condition_type_string

Condition operators describe the type of test conditions. For instance, string_equal, string_not_equal, date_equal, date_not_equal, ip_equal, ip_not_equal, numeric_equal, numeric_not_equal, and so on. Here are some examples:
"condition":{
"string_equal":{"cvm:region":["sh","gz"]},
"ip_equal":{"qcs:ip":"10.131.12.12/24"}
}
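The action_string, resource_string and condition_type_string sections above describe how each part of a statement is matched against a request. The following added example puts the three together in one evaluator; it is not Tencent Cloud's own implementation. It assumes that action and resource patterns are glob-style (so "*", "*:*", "cos:*" and "cos:*Bucket*" behave as the page describes), that six-segment resources are compared segment by segment, and it implements only the string_equal/string_not_equal and ip_equal/ip_not_equal operators shown on the page. The sample policy and requests are constructed from the page's own identifiers, and the final decision applies the page's rule that deny takes precedence over allow.

```python
"""Matching a request against CAM statements: action, six-segment resource,
condition operators, and the deny-over-allow rule. Added example, not Tencent
Cloud's own code; glob-style matching is an assumption of this example."""
from fnmatch import fnmatchcase
import ipaddress


def match_action(pattern: str, action: str) -> bool:
    """"*" and "*:*" match everything; "cos:*Bucket*" matches any COS operation with Bucket in its name."""
    return fnmatchcase(action, pattern)


def split_resource(resource: str) -> list:
    """Split qcs:project:serviceType:region:account:resource into its six segments.
    Only five splits are made because the last segment may itself contain ':'."""
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-segment qcs resource: {resource!r}")
    return parts


def match_resource(pattern: str, resource: str) -> bool:
    """"*" matches any resource; otherwise each pattern segment must glob-match the request segment."""
    if pattern == "*":
        return True
    return all(fnmatchcase(r, p) for p, r in zip(split_resource(pattern), split_resource(resource)))


def _ip_in_any(networks, actual: str) -> bool:
    # strict=False accepts values such as "10.131.12.12/24", whose host bits are set.
    ip = ipaddress.ip_address(actual)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


# Operator name -> test(values_from_policy, value_from_request)
CONDITION_OPERATORS = {
    "string_equal": lambda values, actual: actual in values,
    "string_not_equal": lambda values, actual: actual not in values,
    "ip_equal": _ip_in_any,
    "ip_not_equal": lambda values, actual: not _ip_in_any(values, actual),
}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def match_condition(condition: dict, context: dict) -> bool:
    """Every condition key under every operator must hold (logical AND).
    A missing context key, or an operator this example does not implement, fails the condition."""
    for ctype, keys in condition.items():
        test = CONDITION_OPERATORS.get(ctype)
        if test is None:
            return False
        for ckey, values in keys.items():
            if ckey not in context:
                return False
            if not test([str(v) for v in _as_list(values)], str(context[ckey])):
                return False
    return True


def statement_matches(stmt: dict, request: dict) -> bool:
    """request = {"action": ..., "resource": ..., "context": {condition_key: value}}."""
    return (
        any(match_action(p, request["action"]) for p in _as_list(stmt["action"]))
        and any(match_resource(p, request["resource"]) for p in _as_list(stmt["resource"]))
        and match_condition(stmt.get("condition", {}), request.get("context", {}))
    )


def evaluate(policy: dict, request: dict):
    """Collect the effects of all matching statements; per the page, deny wins over allow.
    Returns None when no statement matches (the page does not define that case)."""
    effects = {s["effect"] for s in _as_list(policy["statement"]) if statement_matches(s, request)}
    if "deny" in effects:
        return "deny"
    if "allow" in effects:
        return "allow"
    return None


# Constructed sample policy; identifiers are taken from the page's examples.
SAMPLE_POLICY = {
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "cos:*Bucket*",
            "resource": "qcs::cos:ap-shanghai:uid/10001234:bucket1-10001234/*",
            "condition": {"ip_equal": {"qcs:ip": "10.131.12.12/24"}},
        },
        {"effect": "deny", "action": "cos:DeleteBucketPolicy", "resource": "*"},
    ],
}
OBJECT = "qcs::cos:ap-shanghai:uid/10001234:bucket1-10001234/object2"

if __name__ == "__main__":
    for action, ip in [("cos:GetBucketPolicy", "10.131.12.200"),
                       ("cos:DeleteBucketPolicy", "10.131.12.200"),
                       ("cos:GetBucketPolicy", "192.168.1.1")]:
        req = {"action": action, "resource": OBJECT, "context": {"qcs:ip": ip}}
        print(action, ip, "->", evaluate(SAMPLE_POLICY, req))
```

The three constructed requests exercise the interesting cases: GetBucketPolicy from inside the permitted range is allowed, DeleteBucketPolicy from the same address is denied even though the allow statement also matches it, and a request from outside the range matches nothing because the ip_equal condition fails.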

condition_key_string

Condition keys name the request attributes whose values the condition operators test to determine whether the condition is met. CAM has defined a set of condition keys that can be used across all products, including qcs:current_time, qcs:ip, qcs:uin, and qcs:owner_uin. For more information, please see Effective Conditions.

principal_id_string

In CAM, users are also treated as resources, so a principal is described in the same six-segment format. For details, please see Resource Description Method.
"principal": {"qcs":["qcs::cam::uin/1238423:uin/3232",
"qcs::cam::uin/1238423:groupid/13"]}