The "resource" element describes the object or objects an action operates on, such as CVM instances or COS buckets. This document explains how resources are written in CAM policies.
Definition of All Resources
When "resource" is set to *, it stands for all resources, so the policy grants the action's permission on every resource the action can touch. If a cloud service is authorized only at the service level, or an action of that service is authorized at the interface (API) level rather than per resource, "resource" must be set to *, which grants permission on all resources of that service or action.
Definition of One or Multiple Resources
You can describe the permissions of one or multiple resources in the following six-segment format for authorization. Each service has its own resources and detailed resource definition.
The six-segment format is defined as follows:
qcs:project_id:service_type:region:account:resource
A six-segment resource description contains six fields as detailed below:
| Field | Description and values | Required | Sample |
| --- | --- | --- | --- |
| qcs | Abbreviation of "qcloud service"; marks the string as a Tencent Cloud resource. | Required | qcs |
| project_id | Project information, kept only for compatibility with early CAM logic. The current policy syntax does not allow a value here, so the segment is left empty. | Not required | (empty) |
| service_type | Abbreviation of the product. For the full list, see "Abbreviation in CAM" in Products Supported by CAM. An empty value means all products. | Not required | cvm (Cloud Virtual Machine), cdn (Content Delivery Network) |
| region | Region of the resource. An empty value means all regions. | Not required | ap-beijing (North China, Beijing), ap-guangzhou (South China, Guangzhou) |
| account | The primary account that owns the resource, in one of two forms. uin/${uin}: the account ID (UIN) of the primary account. uid/${appid}: the APPID of the primary account; only COS and CAS resources use this form. An empty value means the primary account to which the CAM user creating the policy belongs. | Not required | uin/12345678, uid/10001234 |
| resource | The product-specific resource, in one of two forms. resource_type/${resourceid}: resource_type is the resource prefix that names the resource type (see the product's six-segment description in Business Interfaces Supporting CAM) and ${resourceid} is the concrete resource ID shown in the product console; * in place of the ID means all resources of that type. <resource_type>/<resource_path>: resource_type is again the resource type and resource_path is a path that supports directory-level prefix matching (see the product's six-segment format in Business Interfaces Supporting CAM). | Required | CVM: instance/ins-1; TencentDB for MySQL: instanceId/cdb-1; COS: prefix//10001234/bucket1/* (all objects under bucket1). COS supports several resource types; see the COS Authorization Policy Usage Guide. |
Definition of CAM Resources
CAM resources include users, user groups, and policies. A CAM resource can be described as follows:
Primary Account:
qcs::cam::uin/164256472:uin/164256472
OR
qcs::cam::uin/164256472:root
Sub-account:
qcs::cam::uin/164256472:uin/73829520
Group:
qcs::cam::uin/164256472:groupid/2340
All resources:
*
Policy:
qcs::cam::uin/12345678:policy/*
OR
qcs::cam::uin/12345678:policy/12423
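To make the field rules in the table and the CAM examples above concrete, here is a small parser and matcher for six-segment resource strings. It is an added example written for this page, not code or an evaluation algorithm published by CAM. It assumes the matching semantics the table describes: an empty service_type or region matches all, an empty account segment in a policy stands for the policy owner's primary account, a bare * matches all resources, and a resource_path ending in * is a directory-style prefix. The validation patterns, the sample strings and the owner UIN 12345678 are constructed for illustration.

```python
"""Parse, validate and match CAM six-segment resource strings.

Format: qcs:project_id:service_type:region:account:resource
"""
import re
from dataclasses import dataclass

# Constructed validation patterns; they follow the table's descriptions,
# not an official grammar published by CAM.
_SERVICE_RE = re.compile(r"^[a-z][a-z0-9]*$")       # e.g. cvm, cos, cam
_REGION_RE = re.compile(r"^[a-z]+(-[a-z0-9]+)+$")   # e.g. ap-guangzhou
_ACCOUNT_RE = re.compile(r"^(uin|uid)/\d+$")        # uin/12345678, uid/10001234


@dataclass(frozen=True)
class Resource:
    service_type: str   # "" means all products
    region: str         # "" means all regions
    account: str        # "" means the primary account that owns the policy
    resource: str       # "*", resource_type/${resourceid} or resource_type/resource_path


def parse_six_segment(text: str) -> Resource:
    """Split a six-segment string into its fields and reject malformed ones."""
    # A resource path (e.g. a COS key) may itself contain ':', so only the
    # first five separators are significant.
    parts = text.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"expected 6 segments, got {len(parts)}: {text!r}")
    prefix, project_id, service_type, region, account, resource = parts
    if prefix != "qcs":
        raise ValueError(f"first segment must be 'qcs': {text!r}")
    if project_id != "":
        # Current policy syntax does not allow a project_id value.
        raise ValueError(f"project_id must be empty: {text!r}")
    if service_type and not _SERVICE_RE.match(service_type):
        raise ValueError(f"bad service_type {service_type!r}")
    if region and not _REGION_RE.match(region):
        raise ValueError(f"bad region {region!r}")
    if account and not _ACCOUNT_RE.match(account):
        raise ValueError(f"bad account {account!r}")
    if not resource:
        raise ValueError(f"resource segment is required: {text!r}")
    return Resource(service_type, region, account, resource)


def is_valid_six_segment(text: str) -> bool:
    """True if the string parses, False otherwise (convenience wrapper)."""
    try:
        parse_six_segment(text)
    except ValueError:
        return False
    return True


def _resource_field_matches(pattern: str, actual: str) -> bool:
    """Compare the sixth segment: '*' matches everything, 'type/path*' is a
    directory-style prefix match, anything else must be identical."""
    if pattern == "*":
        return True
    p_type, _, p_path = pattern.partition("/")
    a_type, _, a_path = actual.partition("/")
    if p_type != a_type:
        return False
    if p_path.endswith("*"):
        return a_path.startswith(p_path[:-1])
    return p_path == a_path


def resource_matches(policy_resource: str, request_resource: str,
                     policy_owner_uin: str) -> bool:
    """True if a policy's resource string covers a concrete request resource.

    policy_owner_uin is the primary account owning the policy; an empty
    account segment in the policy is resolved to uin/<policy_owner_uin>.
    """
    if policy_resource == "*":
        return True  # all resources, as under "Definition of All Resources"
    pol = parse_six_segment(policy_resource)
    req = parse_six_segment(request_resource)
    if pol.service_type and pol.service_type != req.service_type:
        return False
    if pol.region and pol.region != req.region:
        return False
    pol_account = pol.account or f"uin/{policy_owner_uin}"
    if pol_account != req.account:
        return False
    return _resource_field_matches(pol.resource, req.resource)


if __name__ == "__main__":
    OWNER = "12345678"  # constructed policy-owner UIN
    checks = [  # (policy resource, requested resource, expected result); constructed
        ("qcs::cvm::uin/12345678:instance/*",
         "qcs::cvm:ap-beijing:uin/12345678:instance/ins-1", True),
        ("qcs::cos::uid/10001234:prefix//10001234/bucket1/*",
         "qcs::cos:ap-guangzhou:uid/10001234:prefix//10001234/bucket10/a.jpg", False),
        ("qcs::cam::uin/12345678:policy/*",
         "qcs::cam::uin/12345678:policy/12423", True),
    ]
    for pol, req, want in checks:
        got = resource_matches(pol, req, OWNER)
        print("ok  " if got == want else "FAIL", pol, "->", req)
```

The prefix match keeps the trailing slash of the path, so prefix//10001234/bucket1/* covers objects in bucket1 but not in a bucket named bucket10; a matcher that strips the slash before comparing would silently widen the grant.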
Notes on Resources
The owner of a resource is always the primary account. A resource created by a sub-account does not automatically give that sub-account access to it; the resource owner must grant the access explicitly.
Services such as COS and CAS support cross-account authorization of resource access. An account that has been granted access can in turn pass those permissions on to its own sub-accounts (permission propagation).
Associated Documents
If you wish to understand the detailed resource definitions for each product, please refer to the reference documents for the corresponding products in Products Supported by CAM.