Policy Syntax
The following uses a custom policy for OBS as an example to describe the policy syntax.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:bucket:ListAllMyBuckets",
                "obs:bucket:HeadBucket",
                "obs:bucket:ListBucket",
                "obs:bucket:GetBucketLocation"
            ],
            "Condition": {
                "StringEndWithIfExists": {
                    "g:UserName": [
                        "specialCharacter"
                    ]
                },
                "Bool": {
                    "g:MFAPresent": [
                        "true"
                    ]
                }
            },
            "Resource": [
                "obs:*:*:bucket:*"
            ]
        }
    ]
}
 Policy Structure
A policy consists of a version and one or more statements (indicating different actions).
 
  Policy Parameters
Policy parameters include Version and Statement, which are described in the following table. You can create custom policies by specifying the parameters. For details, see Custom Policy Examples.
| Parameter | Description | Value | |
|---|---|---|---|
| Version | Policy version. | 1.1: indicates policy-based access control. | |
| Statement | Effect | Determines whether to allow or deny the operations defined in the action. | 
 
         NOTE: 
         If an action has both Allow and Deny effects, the Deny effect takes precedence. | 
| Action | Operations to be performed on the service. | Format: "Service name:Resource type:Operation". Wildcard characters (*) are supported, indicating all options. Actions are case insensitive. Example: obs:bucket:ListAllMybuckets: Permissions for listing all OBS buckets. View all actions of the service in its API Reference, for example, see Supported Actions of OBS. | |
| Condition | Determines when a policy takes effect. A condition consists of a condition key and an operator. | Format: "Condition operator:{Condition key:[Value 1,Value 2]}" (the condition key is case insensitive) If you set multiple conditions, the policy takes effect only when all the conditions are met. Example: StringEndWithIfExists":{"g:UserName":["specialCharacter"]}: The statement is valid for users whose names end with specialCharacter. | |
| Resource | Resources on which the policy takes effect. | Format: Service name:region:domainId:Resource type:Resource path. The resource type is case insensitive. It supports wildcard characters (*), which indicates all resources. For details about cloud services that support resource-level authorization and supported resource types, see Cloud Services that Support Resource-Level Authorization Using IAM. Example: 
 | |
- Condition key
    A condition key is a key in the Condition element of a statement. There are global and service-level condition keys.- Global condition keys (starting with g:) apply to all operations. IAM provides common global condition keys and special global condition keys.
       - Common global condition keys: Cloud services do not need to provide user identity information. Instead, IAM automatically abstracts user information and authenticates users. For details, see Table 2.
- Special global condition keys: IAM obtains condition information from cloud services for authentication. Only certain cloud services support special global condition keys.
 
- Service-level condition keys (starting with a service name abbreviation, for example, obs:) apply only to operations on the specified service. For details, see the user guide of the corresponding cloud service, for example, see OBS Request Conditions.
 Table 2 Common global condition keys Global Condition Key Type Description g:CurrentTime Time Time when an authentication request is received. The time is in ISO 8601 format, for example, 2012-11-11T23:59:59Z. (See an example in 1.) g:DomainName String Account name of the requester. (See an example in 2.) g:MFAPresent Boolean Whether to obtain a token through MFA authentication. (See an example in 3.) g:MFAAge Number Validity period of a token obtained through MFA authentication. This condition must be used together with g:MFAPresent. (See an example in 4.) g:PKITokenIssueTime Time Time when the PKI token is issued. The time is in ISO 8601 format, for example, 2012-11-11T23:59:59Z. (See an example in 5.) g:ProjectName String Project name. (See an example in 6.) g:UserId String IAM user ID. (See an example in 7.) g:UserName String IAM username. (See an example in 8.) Table 3 Special global condition keys Global Condition Key Type Description g:SourceIp IP Address IP address of the user sending a request. g:SourceVpc String VPC ID of the user sending a request. g:SourceVpce String VPC endpoint ID of the user sending a request. g:TagKeys String Resource tag key. g:ResourceTag/{TagKey} String Resource tag key value. - g:CurrentTime
      Example: The following policy grants permission to create agencies in IAM from March 1, 2023, 08:00 GMT+08:00 to March 30, 2023, 08:00 GMT+08:00. The value of the g:CurrentTime condition key is in UTC format. { "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": ["iam:roles:createRoles"], "Condition": { "DateGreaterThan": { "g:CurrentTime": ["2023-03-01T00:00:00Z"] }, "DateLessThan": { "g:CurrentTime": ["2023-03-30T00:00:00Z"] } } }] }
- g: DomainName
      Example: The following policy only allows user zhangsan to create agencies in IAM. { "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": ["iam:roles:createRoles"], "Condition": { "StringEquals": { "g:DomainName": ["zhangsan"] } } }] }
- g:MFAPresent
      Example: The following policy allows users who obtain credentials using MFA to create agencies in IAM. { "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": ["iam:roles:createRoles"], "Condition": { "Bool": { "g:MFAPresent": ["true"] } } }] }
- g:MFAAge
      Example: The following policy allows users who obtain credentials using MFA with the valid period greater than 900s to create agencies in IAM. { "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": ["iam:roles:createRoles"], "Condition": { " NumberGreaterThanEquals ": { "g:MFAAge": ["900"] } } }] }
- g:PKITokenIssueTime
      Example: The following policy allows users who use the PKI token issued before March 1 08:00, 2023 (Beijing Time) to create agencies in IAM.   The value of the g:PKITokenIssueTime condition key is in UTC format. { "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": ["iam:roles:createRoles"], "Condition": { "DateLessThan": { "g:PKITokenIssueTime": ["2023-03-01T00:00:00Z"] } } }] }
- g:ProjectName
      Example: The following policy allows users who obtain credentials in CN North-Beijing to create agencies in IAM. { "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": ["iam:roles:createRoles"], "Condition": { " StringEquals ": { "g: ProjectName ": ["cn-north-4"] } } }] }
- g: UserId
      Example: The following policy allows user whose ID is xxxxxxxxxxx… to create agencies in IAM. { "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": ["iam:roles:createRoles"], "Condition": { "StringEquals": { "g: UserId ": ["xxxxxxxxxxx…"] } } }] }
- g: UserName
      Example: The following policy allows user lisi to create agencies in IAM. { "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": ["iam:roles:createRoles"], "Condition": { "StringEquals": { "g: UserName ": ["lisi"] } } }] }
 - Multivalued condition keys
      - ForAllValues: Tests whether the value of every member of the request set is a subset of the condition key set. The condition returns true if every key value in the request matches at least one value in the policy.
        { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "ims:images:share" ], "Condition": { "ForAllValues:StringEquals": { "ims:TargetOrgPaths": [ "orgPath1", "orgPath2", "orgPath3" ] } } } ] }This policy shows how to use the ForAllValues qualifier with the StringEquals condition operator. The condition determines whether to allow sharing with the member accounts in organization path orgPath1, orgPath2, or orgPath3. Assume a user makes a request to share IMS with the member accounts in organization paths orgPath1 and orgPath3. The request is allowed because the user's requested attributes all match values specified in the policy. If the user's request includes orgPath1, orgPath2, orgPath3, and orgPath4, the request fails because orgPath4 is not included in the condition operator. 
- ForAnyValue: Tests whether at least one member of the set of request values matches at least one member of the set of condition key values. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. For no matching key or a null dataset, the condition returns false.
        { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "ims:images:share" ], "Condition": { "ForAnyValue:StringEquals": { "ims:TargetOrgPaths": [ "orgPath1", "orgPath2", "orgPath3" ] } } } ] }This policy shows how to use the ForAnyValue qualifier with the StringEquals condition operator. The condition determines whether to allow sharing with the member accounts in organization path orgPath1, orgPath2, or orgPath3. Assume a user makes a request to share IMS with the member accounts in organization path orgPath1 or orgPath4. The request is allowed because the user's requested attributes all match values specified in the policy. If the user initiates a request to share IMS with the member accounts in organization path orgPath4 or orgPath5, the request fails because orgPath4 and orgPath5 are not included in the condition operator. 
 
- ForAllValues: Tests whether the value of every member of the request set is a subset of the condition key set. The condition returns true if every key value in the request matches at least one value in the policy.
        
 Condition operators Figure 2 Condition operators  - If a single condition operator includes multiple values for one key, that condition operator is evaluated using a logical OR. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy.
        For negated matching condition operators (such as StringNotEquals), the request value cannot match any of the condition values based on the condition operators. 
- If your policy has multiple condition operators or multiple keys attached to a single condition operator, the conditions are evaluated using a logical AND.
 
- Global condition keys (starting with g:) apply to all operations. IAM provides common global condition keys and special global condition keys.
       
- Operator
   An operator, a condition key, and a condition value together constitute a complete condition statement. A policy takes effect only when its request conditions are met. The operator suffix IfExists indicates that a policy takes effect if a request value is empty or meets the specified condition. For example, if the operator StringEqualsIfExists is selected for a policy, the policy takes effect if a request value is empty or equal to the specified condition value. Operators are string operators. They are not case-sensitive unless otherwise specified. - String condition operators 
     Table 4 String condition operators Type Operator Description String StringEquals Exact matching, case sensitive StringNotEquals Negated matching, case sensitive StringEqualsIgnoreCase Exact matching StringNotEqualsIgnoreCase Negated matching StringMatch Case-sensitive matching. The values are regular expressions that support only multi-character match wildcards (*) and single-character match wildcards (?). StringNotMatch Negated case-sensitive matching. The values are regular expressions that support only multi-character match wildcards (*) and single-character match wildcards (?). For example, the following statement contains a Condition element that uses "g:DomainName" to specify that the principal whose domain name is "ZhangSan" can obtain the object content and metadata. { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "obs:object:GetObject" ], "Condition": { "StringEquals": { "g:DomainName": [ "ZhangSan" ] } } } ] }
- Numeric condition operators 
     Table 5 Numeric condition operators Type Operator Description Number NumberEquals Matching NumberNotEquals Negated matching NumberLessThan "Less than" matching NumberLessThanEquals "Less than or equals" matching NumberGreaterThan "Greater than" matching NumberGreaterThanEquals "Greater than or equals" matching For example, the following statement contains a Condition element that uses the "NumericLessThanEquals" condition operator with the "obs:max-keys" key to specify that the requester can list up to 10 objects in "example_bucket" at a time. { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "obs:bucket:ListBucket" ], "Resource": [ "OBS:*:*:bucket:example_bucket" ], "Condition": { "NumberLessThanEquals": { "obs:max-keys": [ "10" ] } } } ] }
- Date condition operators 
     Table 6 Date condition operators Type Operator Description Date DateLessThan Matching before a specific date and time DateLessThanEquals Matching at or before a specific date and time DateGreaterThan Matching after a specific date and time DateGreaterThanEquals Matching at or after a specific date and time For example, the following statement contains a Condition element that uses the "DateLessThan" condition operator with the "g:CurrentTime" key to specify that the requester can create buckets only before August 1, 2022. { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "obs:bucket:CreateBucket" ], "Condition": { "DateLessThan": { "g:CurrentTime": [ "2022-08-01T00:00:00Z" ] } } } ] }
- Bool condition operators 
     Table 7 Bool condition operators Type Operator Description Bool Bool Boolean conditions let you construct Condition elements that restrict access based on comparing a key to "true" or "false." For example, the following policy allows only the requester with MFA enabled to modify specified permanent access keys. { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "iam:credentials:updateCredential" ], "Condition": { "Bool": { "g:MFAPresent": [ "true" ] } } } ] }
- Null condition operators 
     Table 8 Null condition operators Type Operator Description Null Null Use a Null condition operator to check if a condition key is absent at the time of authorization. In the policy statement, use either "true" (the key does not exist or is null) or "false" (the key exists and its value is not null). For example, you can use this condition operator to specify that only requests of creating buckets from VPCs are allowed. { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ " obs:bucket:CreateBucket" ], "Condition": { "Null": { "obs:SourceVpc": [ "false" ] } } } ] }
- IfExists operator suffix
     You can add "IfExists" to the end of any condition operator name except the "Null condition", for example, StringEqualsIfExists. If the policy key is present in the context of the request, process the key as specified in the policy. If the key is not present, evaluate the Condition element as true. 
 
- String condition operators 
     
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot 
    