Resource Description Method

Last updated: 2024-10-11 10:09:01

The "resource" element describes the object or objects that an action operates on, such as CVM instances or COS buckets. This document introduces how CAM describes resources.

Definition of All Resources

When "resource" is set to *, it means all resources: the policy grants the action's operation permissions on every resource the action can apply to.
If a cloud service is authorized at service-level granularity, or the action being authorized is only supported at interface (API) level rather than resource level, "resource" must be set to *; the policy then grants permissions on all resources of that cloud service or of that action.

Definition of One or Multiple Resources

You can authorize one or more specific resources by describing them in the six-segment format below. Each service defines its own resources and their exact resource definitions. The six-segment format is:
qcs:project_id:service_type:region:account:resource
The six fields of a six-segment resource description are as follows:
Field: qcs
Description and values: The abbreviation of "qcloud service", indicating that the string describes a Tencent Cloud resource.
Required: Yes
Sample: qcs

Field: project_id
Description and values: Project information. This segment exists only for compatibility with early CAM logic; the current policy syntax does not allow it to be filled in, so it must be left empty.
Required: No (leave empty)
Sample: (empty)

Field: service_type
Description and values: The product abbreviation. For the list of abbreviations, see "Abbreviation in CAM" in Products Supported by CAM. When empty, it matches all products.
Required: No
Sample: Cloud Virtual Machine (CVM) is written as cvm; Content Delivery Network (CDN) is written as cdn.

Field: region
Description and values: The region. For the naming convention of regions, see the Region List. When empty, it matches all regions.
Required: No
Sample: North China (Beijing) is ap-beijing; South China (Guangzhou) is ap-guangzhou.

Field: account
Description and values: The primary account that owns the resource. Two forms are supported: the uin form, uin/${uin}, where ${uin} is the account ID of the primary account; and the uid form, uid/${appid}, where ${appid} is the APPID of the primary account. Only the resource owners of the COS and CAS services use the uid form. When empty, it means the primary account to which the CAM user creating the policy belongs.
Required: No
Sample: uin form: uin/12345678; uid form: uid/10001234

Field: resource
Description and values: The detailed resource information of the product. Two forms are supported:
resource_type/${resourceid}: resource_type is the resource prefix describing the resource type (for the prefixes of each product, see its six-segment resource description in Business Interfaces Supporting CAM); ${resourceid} is the ID of a specific resource, which can be found in the product's console. When ${resourceid} is *, it matches all resources of that type.
<resource_type>/<resource_path>: resource_type is the resource prefix, as above; resource_path is a resource path, which supports directory-level prefix matching (see the product's six-segment resource format in Business Interfaces Supporting CAM).
Required: Yes
Sample: Cloud Virtual Machine: instance/ins-1; TencentDB for MySQL: instanceId/cdb-1; Cloud Object Storage (COS): prefix//10001234/bucket1/* matches all objects under bucket1. COS supports several resource types; for details, see the COS Authorization Policy Usage Guide.
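The following is an added example, not Tencent Cloud's own code, showing how the rules in the table above combine when a policy's resource description is checked against a concrete resource: an empty service_type or region matches everything, an empty account is resolved to the policy creator's primary account (passed in here as the assumed parameter policy_owner_uin), a non-empty project_id or a uid/ account on a non-COS/CAS service is rejected, resource_type/* covers every resource of a type, and a path ending in /* matches by directory-level prefix, so bucket1/* does not cover bucket10. The inputs are constructed from the samples on this page.

```python
"""Parser and matcher for CAM six-segment resource descriptions.

Added example, not Tencent Cloud's own code. It implements the semantics
stated in the table above:
    qcs:project_id:service_type:region:account:resource
  - project_id must be empty under the current policy syntax
  - empty service_type matches all products, empty region all regions
  - empty account means the primary account of the policy creator
    (passed in as policy_owner_uin; an assumption of this example)
  - "*" alone matches everything; type/* matches all resources of a type;
    a path ending in "/*" matches by directory-level prefix
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SixSegment:
    project_id: str
    service_type: str
    region: str
    account: str
    resource: str


def parse(desc: str) -> SixSegment:
    """Split a six-segment description and enforce the constraints the page states."""
    parts = desc.split(":", 5)  # the resource segment itself may contain ':'
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-segment description: {desc!r}")
    _, project_id, service_type, region, account, resource = parts
    if project_id:
        raise ValueError("project_id is reserved for early CAM logic and must be empty")
    if account and not account.startswith(("uin/", "uid/")):
        raise ValueError(f"account must be uin/<uin> or uid/<appid>, got {account!r}")
    if account.startswith("uid/") and service_type not in ("", "cos", "cas"):
        raise ValueError("the uid/<appid> form is only used by COS and CAS resource owners")
    if not resource:
        raise ValueError("the resource segment is required")
    return SixSegment(project_id, service_type, region, account, resource)


def _resource_matches(pattern: str, actual: str) -> bool:
    """Match the last segment: '*', type/*, type/path/* (directory prefix) or exact."""
    if pattern == "*":
        return True
    if "/" not in pattern or "/" not in actual:
        return pattern == actual
    ptype, ppath = pattern.split("/", 1)
    atype, apath = actual.split("/", 1)
    if ptype != atype:
        return False
    if ppath == "*":
        return True
    if ppath.endswith("/*"):
        # Directory-level prefix: "bucket1/*" covers "bucket1/x" but not "bucket10/x".
        return apath.startswith(ppath[:-1])
    return ppath == apath


def matches(policy_resource: str, actual: str, policy_owner_uin: str) -> bool:
    """True if a policy's resource description covers a concrete resource.

    `actual` must name a concrete resource (non-empty service_type and account);
    `policy_owner_uin` stands in for the primary account of the policy creator.
    """
    if policy_resource == "*":
        return True
    pat = parse(policy_resource)
    res = parse(actual)
    if not res.service_type or not res.account:
        raise ValueError("the actual resource must specify service_type and account")
    if pat.service_type and pat.service_type != res.service_type:
        return False
    if pat.region and pat.region != res.region:
        return False
    owner = pat.account or f"uin/{policy_owner_uin}"
    if owner != res.account:
        return False
    return _resource_matches(pat.resource, res.resource)


if __name__ == "__main__":
    # Constructed inputs built from the samples on this page.
    checks = [
        ("qcs::cvm:ap-guangzhou::instance/*",
         "qcs::cvm:ap-guangzhou:uin/12345678:instance/ins-1"),
        ("qcs::cos::uid/10001234:prefix//10001234/bucket1/*",
         "qcs::cos:ap-guangzhou:uid/10001234:prefix//10001234/bucket10/a.jpg"),
        ("qcs::cam::uin/164256472:groupid/2340",
         "qcs::cam::uin/164256472:groupid/2340"),
    ]
    for pattern, resource in checks:
        print(f"{pattern!r} covers {resource!r}: {matches(pattern, resource, '12345678')}")
```

The bucket10 case is the one worth remembering: directory-level prefix matching keeps the trailing slash, so a pattern written for bucket1 cannot be widened to a bucket whose name merely starts with the same characters.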

Definition of CAM Resources

CAM resources include users, user groups, and policies. A CAM resource can be described as follows:

Primary Account:

qcs::cam::uin/164256472:uin/164256472
OR
qcs::cam::uin/164256472:root

Sub-account:

qcs::cam::uin/164256472:uin/73829520

Group:

qcs::cam::uin/164256472:groupid/2340

All resources

*

Policy:

qcs::cam::uin/12345678:policy/*
OR
qcs::cam::uin/12345678:policy/12423

Notes on Resources

The owner of a resource is always the primary account. A sub-account that creates a resource does not automatically gain access to it; the resource owner (the primary account) must grant that access explicitly.
Services such as COS and CAS support cross-account authorization for resource access. An account that has been granted access to another account's resources can pass those permissions on to its own sub-accounts through permission propagation.

Associated Documents

If you wish to understand the detailed resource definitions for each product, please refer to the reference documents for the corresponding products in Products Supported by CAM.