Scenarios

Last updated: 2024-10-11 16:59:44

Scenario: The condition operator includes a condition value of a condition key.
    Sample: Permits the VPC to bind with the specified peering connection; the region of the VPC must be specified.
    Sample: Only cloud server instances with bound tags can be restarted.
Scenario: The condition operator encompasses multiple condition values of a single condition key.
    Sample: Allow access for users with two specified IP addresses.
Scenario: Scenarios with multiple condition operators.
    Sample: Allow access for users with a specified IP and date.
Scenario: A single condition operator contains multiple condition keys.
    Description: Attaching multiple condition keys to a single condition operator would result in
Scenario: Application of Boolean Condition Operators
    Sample: Sub-users must bind the token before they can delete the API key.

The condition operator includes a condition value of a condition key.

Description 1

When a CAM user invokes the VPC peering connection API, it is necessary not only to determine whether the CAM user has access permissions for the peering connection API and peering connection resources, but also to confirm whether the CAM user has access permissions for the VPC associated with the peering connection.

Sample Code 1

In the following example, the VPC region must be Shanghai in order for it to be bound to a specified peering connection:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "name/vpc:AcceptVpcPeeringConnection",
            "resource": "qcs::vpc:sh::pcx/2341",
            "condition": {
                "string_equal_if_exist": {
                    "vpc:region": "sh"
                }
            }
        }
    ]
}

Description 2

When a CAM user accesses Tencent Cloud resources, it is necessary to restrict the user to only access resources bound with specific tags.

Sample Code 2

The following example describes that users can only restart (cvm:RebootInstances) the cloud server instances bound with the tag "Department & Research and Development".
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cvm:RebootInstances"
            ],
            "resource": "*",
            "condition": {
                "for_any_value:string_equal": {
                    "qcs:resource_tag": [
                        "Department&Research and Development"
                    ]
                }
            }
        }
    ]
}

The condition operator encompasses multiple condition values of a single condition key.

Description

A single condition operator that includes multiple condition values of a condition key is evaluated using the logical OR operator. When there are multiple condition values, they must be written as a set (a JSON array).
When a CAM user invokes a cloud API and the user's access source needs to be restricted, an IP condition must be added to the existing policy.

Sample Code

The following example stipulates that requests must come from an IP within the 10.217.182.3/24 or 111.21.33.72/24 range in order to upload objects (cos:PutObject).
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "cos:PutObject",
            "resource": "*",
            "condition": {
                "ip_equal": {
                    "qcs:ip": [
                        "10.217.182.3/24",
                        "111.21.33.72/24"
                    ]
                }
            }
        }
    ]
}

Scenarios with multiple condition operators.

Description

If your policy has multiple condition operators, they are evaluated using the logical AND.

Sample Code

The following example describes that the request must come from IP 192.168.1.1, and the request date must be earlier than 2022-05-31 00:00:00, for the condition to match.
"condition": {
    "ip_equal": {
        "qcs:ip": "192.168.1.1"
    },
    "date_less_than": {
        "qcs:current_time": "2022-05-31 00:00:00"
    }
}

A single condition operator contains multiple condition keys.

Description

If your policy has multiple condition operators or attaches multiple condition keys to a single condition operator, then the conditions are evaluated using a logical AND.

Sample Code

The following example describes that the condition matches only when both the resource tag and the request tag are "Department & Research and Development".
"condition": {
    "string_equal": {
        "qcs:resource_tag": [
            "Department&Research and Development"
        ],
        "qcs:request_tag": [
            "Department&Research and Development"
        ]
    }
}

Application of Boolean Condition Operators

Description

The sub-user must bind the token before the API key can be deleted.

Sample Code

The following example describes that the sub-users authorized by this policy need to bind the token before they can delete the API key.
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cam:DeleteApiKey"
            ],
            "resource": [
                "*"
            ],
            "condition": {
                "bool_equal": {
                    "qcs:BindToken": "true"
                }
            }
        }
    ]
}
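To make the evaluation rules on this page concrete (operators ANDed, keys within one operator ANDed, values of one key ORed), the following added example is a small condition evaluator written for this page; it is not Tencent Cloud's CAM engine or any of its code. It runs the condition blocks from every scenario above against constructed request contexts. The meaning of the "_if_exist" suffix (condition passes when the key is absent) and of the "for_any_value:" prefix (the request may carry several values for the key, and any one may match) are assumptions taken from the operator names, not facts stated on this page; the request-context dictionaries are constructed test data.

```python
import ipaddress
from datetime import datetime

# Condition blocks copied from the scenarios on this page.
IF_EXIST = {"string_equal_if_exist": {"vpc:region": "sh"}}
ANY_TAG = {"for_any_value:string_equal": {"qcs:resource_tag": ["Department&Research and Development"]}}
MULTI_VALUE = {"ip_equal": {"qcs:ip": ["10.217.182.3/24", "111.21.33.72/24"]}}
MULTI_OPERATOR = {"ip_equal": {"qcs:ip": "192.168.1.1"},
                  "date_less_than": {"qcs:current_time": "2022-05-31 00:00:00"}}
MULTI_KEY = {"string_equal": {"qcs:resource_tag": ["Department&Research and Development"],
                              "qcs:request_tag": ["Department&Research and Development"]}}
BIND_TOKEN = {"bool_equal": {"qcs:BindToken": "true"}}

DATE_FMT = "%Y-%m-%d %H:%M:%S"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_one(base_op, cond_value, ctx_value):
    """Compare one condition value with one request-context value under a base operator."""
    if base_op == "string_equal":
        return str(ctx_value) == str(cond_value)
    if base_op == "ip_equal":
        # strict=False accepts a CIDR written with host bits set, e.g. 10.217.182.3/24
        return ipaddress.ip_address(ctx_value) in ipaddress.ip_network(cond_value, strict=False)
    if base_op == "date_less_than":
        return datetime.strptime(ctx_value, DATE_FMT) < datetime.strptime(cond_value, DATE_FMT)
    if base_op == "bool_equal":
        return str(ctx_value).lower() == str(cond_value).lower()
    raise ValueError(f"unsupported operator: {base_op}")


def evaluate_condition(condition, context):
    """Return True when the request context satisfies the whole condition block.

    Rules from the page: operators are ANDed, keys under one operator are ANDed,
    values listed for one key are ORed.
    Assumed from the operator names: '<op>_if_exist' passes when the key is absent
    from the context; 'for_any_value:<op>' lets the context hold a list of values
    for the key and succeeds if any of them matches any condition value.
    """
    for op, keys in condition.items():
        any_value = op.startswith("for_any_value:")
        base = op.split(":", 1)[1] if any_value else op
        if_exist = base.endswith("_if_exist")
        if if_exist:
            base = base[: -len("_if_exist")]
        for key, cond_values in keys.items():
            if key not in context:
                if if_exist:
                    continue          # absent key is tolerated only by *_if_exist
                return False          # AND across keys: a missing key fails the block
            ctx_values = _as_list(context[key]) if any_value else [context[key]]
            matched = any(_match_one(base, cv, xv)
                          for cv in _as_list(cond_values)   # OR across condition values
                          for xv in ctx_values)
            if not matched:
                return False          # AND across keys and across operators
    return True


def demo():
    """Evaluate each scenario against constructed request contexts; returns a dict of outcomes."""
    return {
        "if_exist_absent": evaluate_condition(IF_EXIST, {}),
        "if_exist_other_region": evaluate_condition(IF_EXIST, {"vpc:region": "gz"}),
        "any_tag_present": evaluate_condition(
            ANY_TAG, {"qcs:resource_tag": ["Department&Finance", "Department&Research and Development"]}),
        "second_range_ok": evaluate_condition(MULTI_VALUE, {"qcs:ip": "111.21.33.200"}),
        "outside_ranges": evaluate_condition(MULTI_VALUE, {"qcs:ip": "10.218.0.1"}),
        "ip_and_date_ok": evaluate_condition(
            MULTI_OPERATOR, {"qcs:ip": "192.168.1.1", "qcs:current_time": "2022-05-30 23:59:59"}),
        "ip_ok_date_late": evaluate_condition(
            MULTI_OPERATOR, {"qcs:ip": "192.168.1.1", "qcs:current_time": "2022-05-31 00:00:00"}),
        "both_tags_ok": evaluate_condition(
            MULTI_KEY, {"qcs:resource_tag": "Department&Research and Development",
                        "qcs:request_tag": "Department&Research and Development"}),
        "request_tag_missing": evaluate_condition(
            MULTI_KEY, {"qcs:resource_tag": "Department&Research and Development"}),
        "token_bound": evaluate_condition(BIND_TOKEN, {"qcs:BindToken": True}),
        "token_not_bound": evaluate_condition(BIND_TOKEN, {"qcs:BindToken": False}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "request_tag_missing" case is the one worth noticing when writing policies: with a plain string_equal, a key that is absent from the request fails the whole condition, so a multi-key condition only grants access when every listed key is present and matches.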