When setting up access management policies, you can specify the conditions (Condition) under which the policy takes effect. These conditions are optional. Once they are set, each time a user sends a request to Tencent Cloud the system matches the condition keys and values in the request context against those specified in the policy. The corresponding permission policy takes effect only when the conditions match successfully.
Composition of Effective Conditions
Effective conditions are composed of one or more condition clauses. A condition clause consists of a condition key, an operator, and a condition value. A single condition key can specify one or more condition values.
"condition" : {
    "{condition-operator}" : {
        "{condition-key}" : "{condition-value}"
    }
}
Example of a Condition Clause
The request IP is 192.168.1.1, and the request date is before 2022-05-31 00:00:00. The Condition is as follows:
"condition": {
    "ip_equal": {"qcs:ip": "192.168.1.1"},
    "date_less_than": {"qcs:current_time": "2022-05-31 00:00:00"}
}
Matching Logic for Effective Conditions
The evaluation logic for effective conditions is as follows:
| Evaluation Logic | Note |
|---|---|
| Condition satisfaction | A single condition key can specify one or more condition values. During condition checking, the condition is deemed met if the value of the condition key in the request context matches any one of the specified values. |
| Condition clause fulfillment | Within a condition clause (the same condition operator type), if there are multiple condition keys, all of them must be satisfied at the same time for the clause to be deemed fulfilled. |
| Condition block fulfillment | The condition block is considered satisfied only when all condition clauses within it are met at the same time. |
| Condition operators (excluding null_equal) with the suffix _if_exist | The condition is treated as satisfied even if the request context does not contain the corresponding key-value pair; without the suffix, a missing key causes the condition to fail. |
| for_all_value | Qualifier used together with a condition operator. The policy takes effect only when every condition value present in the request context meets the requirement. |
| for_any_value | Qualifier used together with a condition operator. The condition key is satisfied when any one of the condition values present in the request context meets the requirement. |
Note
Authorization by tag only supports 'for_any_value'. For more information on authorizing by tag, please see Manage Project Resources Based on Tags.
Condition Example
"condition": {
    "ip_equal": {"qcs:ip": "192.168.1.1"}
}
The condition key (in this example qcs:ip) identifies which value is taken from the request context. That context value is compared, as text, with the value you specified, here 192.168.1.1. The type of comparison to perform is given by the condition operator (here ip_equal).
In some scenarios a policy must match several access situations at once. In such cases you can specify multiple condition values when setting the Condition. For example, to allow a user to upload objects (cos:PutObject) only from the 10.217.182.3/24 or 111.21.33.72/24 subnet, the permission policy is as follows:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": ["cos:PutObject"],
            "resource": ["*"],
            "condition": {
                "ip_equal": {"qcs:ip": ["10.217.182.3/24", "111.21.33.72/24"]}
            }
        }
    ]
}
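To make the matching rules above concrete, here is an added evaluator (example code written for this page, not Tencent Cloud's own implementation) that applies a condition block to a request context: values within one key are OR-ed, keys within a clause and clauses within a block are AND-ed, the _if_exist suffix tolerates a missing key, and for_all_value / for_any_value decide how multi-valued context keys are checked. Only the operators ip_equal, date_less_than and string_equal are implemented, and the key example:tag is a constructed name used for the qualifier demonstration.

```python
import ipaddress
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S"

# Base operators implemented here (a subset of the operator types; ip_equal
# matches a single address or a CIDR block, date_less_than compares timestamps).
BASE_OPS = {
    "ip_equal": lambda ctx, want: ipaddress.ip_address(ctx)
    in ipaddress.ip_network(want, strict=False),
    "date_less_than": lambda ctx, want: datetime.strptime(ctx, DATE_FMT)
    < datetime.strptime(want, DATE_FMT),
    "string_equal": lambda ctx, want: ctx == want,
}


def parse_operator(op):
    """Split e.g. 'for_all_value:ip_equal_if_exist' into (qualifier, base, if_exist)."""
    qualifier, _, base = op.rpartition(":")
    if_exist = base.endswith("_if_exist")
    if if_exist:
        base = base[: -len("_if_exist")]
    return qualifier or None, base, if_exist


def key_matches(qualifier, base, if_exist, ctx_values, policy_values):
    """One condition key: context value(s) against the policy's list of values."""
    if ctx_values is None:  # key absent from the request context
        return if_exist  # only the *_if_exist form tolerates this
    fn = BASE_OPS[base]
    # A context value is matched if it satisfies ANY of the specified values (OR).
    one = lambda v: any(fn(v, want) for want in policy_values)
    # for_all_value: every context value must match; otherwise any one suffices.
    check = all if qualifier == "for_all_value" else any
    return check(one(v) for v in ctx_values)


def evaluate_condition(condition, context):
    """True only when every clause, and every key inside it, is satisfied (AND)."""
    for op, keys in condition.items():
        qualifier, base, if_exist = parse_operator(op)
        for key, values in keys.items():
            policy_values = values if isinstance(values, list) else [values]
            ctx = context.get(key)
            if ctx is not None and not isinstance(ctx, list):
                ctx = [ctx]
            if not key_matches(qualifier, base, if_exist, ctx, policy_values):
                return False
    return True
```

Feed it the policy's "condition" object and a dict keyed by condition key (for example {"qcs:ip": "10.217.182.77"}); the two-subnet example above matches that address and rejects 10.217.183.1.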