- What's New
- Function Overview
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- Logging In to Huawei Cloud
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- Custom Identity Broker
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
- Best Practices
-
API Reference
- Before You Start
- API Overview
- Calling APIs
- Getting Started
-
API
- Token Management
-
Access Key Management
- Obtaining Temporary Access Keys and Security Tokens of an Agency
- Obtaining Temporary Access Keys and Security Tokens of an IAM User
- Obtaining Temporary Access Keys and Security Tokens of a Federated User
- Creating a Permanent Access Key
- Querying Permanent Access Keys
- Querying a Permanent Access Key
- Modifying a Permanent Access Key
- Deleting a Permanent Access Key
- Region Management
- Project Management
- Account Management
-
IAM User Management
- Listing IAM Users
- Querying IAM User Details (Recommended)
- Querying IAM User Details
- Querying the User Groups Which an IAM User Belongs to
- Querying the IAM Users in a Group
- Creating an IAM User (Recommended)
- Creating an IAM User
- Changing the Login Password
- Modifying IAM User Information (By an IAM User) (Recommended)
- Modifying IAM User Information (By the Administrator) (Recommended)
- Modifying IAM User Information (By the Administrator)
- Deleting an IAM User
- User Group Management
-
Permissions Management
- Listing Permissions
- Querying Permission Details
- Querying Permissions Assignment Records
- Querying Permissions of a User Group for a Global Service Project
- Querying Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for a Global Service Project
- Granting Permissions to a User Group for a Region-specific Project
- Checking Whether a User Group Has Specified Permissions for a Global Service Project
- Checking Whether a User Group Has Specified Permissions for a Region-specific Project
- Querying All Permissions of a User Group
- Checking Whether a User Group Has Specified Permissions for All Projects
- Removing Specified Permissions of a User Group in All Projects
- Removing Permissions of a User Group for a Global Service Project
- Removing the Permissions of a User Group for a Region-specific Project
- Granting Permissions to a User Group for All Projects
- Custom Policy Management
-
Agency Management
- Listing Agencies
- Querying Agency Details
- Creating an Agency
- Modifying an Agency
- Deleting an Agency
- Querying Permissions of an Agency for a Global Service Project
- Querying Permissions of an Agency for a Region-specific Project
- Granting Permissions to an Agency for a Global Service Project
- Granting Permissions to an Agency for a Region-specific Project
- Checking Whether an Agency Has Specified Permissions for a Global Service Project
- Checking Whether an Agency Has Specified Permissions for a Region-specific Project
- Removing Permissions of an Agency for a Global Service Project
- Removing Permissions of an Agency for a Region-specific Project
- Querying All Permissions of an Agency
- Granting Specified Permissions to an Agency for All Projects
- Checking Whether an Agency Has Specified Permissions
- Removing Specified Permissions of an Agency in All Projects
-
Enterprise Project Management
- Querying User Groups Associated with an Enterprise Project
- Querying the Permissions of a User Group Associated with an Enterprise Project
- Granting Permissions to a User Group Associated with an Enterprise Project
- Removing Permissions of a User Group Associated with an Enterprise Project
- Querying the Enterprise Projects Associated with a User Group
- Querying the Enterprise Projects Directly Associated with an IAM User
- Querying Users Directly Associated with an Enterprise Project
- Querying Permissions of a User Directly Associated with an Enterprise Project
- Granting Permissions to a User Associated with an Enterprise Project
- Removing Permissions of a User Directly Associated with an Enterprise Project
- Granting Permissions to Agencies Associated with Specified Enterprise Projects
- Removing Permissions of Agencies Associated with Specified Enterprise Projects
-
Security Settings
- Modifying the Operation Protection Policy
- Querying the Operation Protection Policy
- Modifying the Password Policy
- Querying the Password Policy of an Account
- Modifying the Login Authentication Policy
- Querying the Login Authentication Policy
- Modifying the ACL for Console Access
- Querying the ACL for Console Access
- Modifying the ACL for API Access
- Querying the ACL for API Access
- Listing MFA Device Information of IAM Users
- Querying the MFA Device Information of an IAM User
- Listing Login Protection Configurations of IAM Users
- Querying the Login Protection Configuration of an IAM User
- Modifying the Login Protection Configuration of an IAM User
- Binding a Virtual MFA Device
- Unbinding a Virtual MFA Device
- Creating a Virtual MFA Device
- Deleting a Virtual MFA Device
-
Federated Identity Authentication Management
- Obtaining a Token Through Federated Identity Authentication
-
Identity Providers
- Listing Identity Providers
- Querying Identity Provider Details
- Creating an Identity Provider
- Modifying a SAML Identity Provider
- Deleting a SAML Identity Provider
- Creating an OpenID Connect Identity Provider Configuration
- Modifying an OpenID Connect Identity Provider
- Querying an OpenID Connect Identity Provider
- Mappings
- Protocols
- Metadata
- Token
- Listing Accounts Accessible to Federated Users
- Listing Projects Accessible to Federated Users
- Custom Identity Brokers
- Version Information Management
- Services and Endpoints
- Out-of-Date APIs
- Permissions and Actions
- Appendix
- Change History
- SDK Reference
-
FAQs
-
User Groups and Permissions Management
- Why Can't I Find Permissions for a Cloud Service?
- How Do I Grant Cloud Service Permissions in the EU-Dublin Region to IAM Users?
- Why Have Permissions Granted to a User Not Been Applied?
- What Should I Do If an IAM User Does Not Have the Required Permissions to Access the IAM Console?
- How Can I Grant an IAM User Permissions to Place Orders But Disallow Order Payment?
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Why Is My Account Locked?
- Why Doesn't My API Access Control Policy Take Effect?
- Why Do I Still Need to Perform MFA During Login After Unbinding the Virtual MFA Device?
-
Passwords and Credentials
- What Should I Do If I Forgot My Password?
- How Do I Change My Password?
- How Do I Obtain an Access Key (AK/SK)?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and Security Token)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain Access Keys (AK/SK Pairs) for the EU-Dublin Region?
- Project Management
- Agency Management
- Account Management
- Others
-
User Groups and Permissions Management
- Videos
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions
- Projects
- Agencies
- Account Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
-
FAQs
- User Groups and Permissions Management
- IAM User Management
-
Security Settings
- How Do I Enable Login Authentication?
- How Do I Disable Login Authentication?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
-
Passwords and Credentials
- How Do I Reset My Password?
- How Do I Change My Password?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and SecurityToken)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain an Access Key (AK/SK) in the ME-Abu Dhabi-OP5 Region?
- Project Management
- Agency Management
- Others
- Change History
- API Reference (ME-Abu Dhabi Region)
-
User Guide (Paris Regions)
- Service Overview
- Getting Started
-
User Guide
- IAM Users
- User Groups and Authorization
- Permissions
- Account Settings
- Projects
- Agencies
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Auditing
-
FAQs
- How Do I Enable Login Authentication?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain MFA Verification Codes?
- How Do I Unbind a Virtual MFA Device?
- Why Does IAM User Login Fail?
- How Do I Control IAM User Access to the Console?
- Differences Between IAM and Enterprise Management
- What Are the Differences Between IAM Projects and Enterprise Projects?
- How Can I Obtain Permissions to Create an Agency?
- What Can I Do If Text Box Prompt Information Does Not Disappear?
- How Do I Disable Password Association and Saving on Google Chrome?
- How Do I Grant Cloud Service Permissions in the EU-Paris Region to IAM Users?
- How Do I Obtain an Access Key (AK/SK) in the EU-Paris Region?
- Change History
- API Reference (Paris Regions)
-
User Guide (Kuala Lumpur Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Viewing IAM Operation Records
- Quotas
-
FAQs
- User Groups and Permissions Management
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Why Is My Account Locked?
- Why Do I Still Need to Perform MFA During Login After Unbinding the Virtual MFA Device?
-
Passwords and Credentials
- What Should I Do If I Forgot My Password?
- How Do I Change My Password?
- What Should I Do If I Have Forgotten My Access Key (AK/SK)?
- What Are Temporary Security Credentials (AK/SK and Security Token)?
- How Do I Obtain a Token with Security Administrator Permissions?
- How Do I Obtain an Access Key (AK/SK) in the AP-Kuala Lumpur-OP6 Region?
- Project Management
- Agency Management
- Others
- Change History
-
API Reference (Kuala Lumpur Region)
- Before You Start
- API Overview
- Calling APIs
-
APIs
- Token Management
- Access Key Management
- Region Management
-
Project Management
- Querying Project Information Based on the Specified Criteria
- Querying a User Project List
- Querying the List of Projects Accessible to Users
- Creating a Project
- Modifying Project Data
- Querying Information About a Specified Project
- Setting the Status of a Specified Project
- Querying Information and Status of a Specified Project
- Querying the Quotas of a Project
- Tenant Management
-
User Management
- Querying a User List
- Querying User Details
- Querying User Details (Recommended)
- Querying the User Group to Which a User Belongs
- Querying Users in a User Group
- Creating a User
- Changing a Password
- Modifying User Information
- Modifying User Information (Including Email Address and Mobile Number)
- Modifying User Information (Including Email Address and Mobile Number)
- Deleting a User
- Deleting a User from a User Group
- Querying MFA Device Information of Users
- Querying the MFA Device Information of a User
- Querying Login Protection Configurations of Users
- Querying the Login Protection Configuration of a User
- Creating a Virtual MFA Device
- Deleting a Virtual MFA Device
- Binding a Virtual MFA Device
- Unbinding a Virtual MFA Device
- Modifying the Login Protection Configuration of a User
- User Group Management
-
Permission Management
- Querying a Role List
- Querying Role Details
- Querying Permissions of a User Group Under a Domain
- Querying Permissions of a User Group Corresponding to a Project
- Granting Permissions to a User Group of a Domain
- Granting Permissions to a User Group Corresponding to a Project
- Deleting Permissions of a User Group Corresponding to a Project
- Deleting Permissions of a User Group of a Domain
- Querying Whether a User Group Under a Domain Has Specific Permissions
- Querying Whether a User Group Corresponding to a Project Has Specific Permissions
- Granting Permissions to a User Group for All Projects
- Removing Specified Permissions of a User Group in All Projects
- Checking Whether a User Group Has Specified Permissions for All Projects
- Querying All Permissions of a User Group
- Custom Policy Management
-
Agency Management
- Creating an Agency
- Querying an Agency List Based on the Specified Conditions
- Obtaining Details of a Specified Agency
- Modifying an Agency
- Deleting an Agency
- Granting Permissions to an Agency for a Project
- Checking Whether an Agency Has the Specified Permissions on a Project
- Querying the List of Permissions of an Agency on a Project
- Deleting Permissions of an Agency on a Project
- Granting Permissions to an Agency on a Domain
- Checking Whether an Agency Has the Specified Permissions on a Domain
- Querying the List of Permissions of an Agency on a Domain
- Deleting Permissions of an Agency on a Domain
- Querying All Permissions of an Agency
- Granting Specified Permissions to an Agency for All Projects
- Checking Whether an Agency Has Specified Permissions
- Removing Specified Permissions of an Agency in All Projects
-
Security Settings
- Querying the Operation Protection Policy
- Modifying the Operation Protection Policy
- Querying the Password Policy
- Modifying the Password Policy
- Querying the Login Authentication Policy
- Modifying the Login Authentication Policy
- Querying the ACL for Console Access
- Modifying the ACL for Console Access
- Querying the ACL for API Access
- Modifying the ACL for API Access
- Federated Identity Authentication Management
- Version Information Management
- Services and Endpoints
- Permissions Policies and Supported Actions
- Appendix
- Change History
-
User Guide (Ankara Region)
- Service Overview
- Getting Started
-
User Guide
- Before You Start
- IAM Users
- User Groups and Authorization
- Permissions Management
- Projects
- Agencies
- Security Settings
- Identity Providers
- MFA Authentication and Virtual MFA Device
- Quotas
-
FAQs
- IAM User Management
-
Security Settings
- How Do I Enable Login Verification?
- How Do I Disable Login Verification?
- How Do I Change the Verification Method for Performing Critical Operations?
- How Do I Disable Operation Protection?
- How Do I Bind a Virtual MFA Device?
- How Do I Obtain a Virtual MFA Verification Code?
- How Do I Unbind or Remove a Virtual MFA Device?
- Why Does MFA Authentication Fail?
- Why Am I Not Getting the Verification Code?
- Passwords and Credentials
- Agency Management
- Others
- Change History
- API Reference (Ankara Region)
-
User Guide (ME-Abu Dhabi Region)
- General Reference
Copied.
Policy Variables
Introduction
When creating a custom policy, you can use policy variables as placeholders in the Resource or Condition element of a statement. When the policy is evaluated, these placeholders are automatically replaced with the values of the conditional context keys passed in the request.
Policy Variable Syntax and Replacement Rules
Policy variables are marked using a $ prefix followed by a pair of curly braces ({ }). In the curly braces ({ }), enter the name of the target conditional context key passed in the request, for example, ${g:UserName}. When the policy is evaluated, ${g:UserName} is automatically replaced with the value of the g:UserName condition key.
You can use a policy variable for Condition values in any position. The variable for the Resource element must appear in the fifth part separated by colons (:), for example, OBS:*:*:bucket:${g:UserName}.
If the specified conditional context key does not exist in the request or is a multivalued condition key, the replacement fails and the entire statement may be invalid. For example, the request contains the g:UserName condition key only when the principal is an IAM user. For other principals, the request does not contain the g:UserName condition key and therefore does not match any resource and condition key that contains ${g:UserName}. Similarly, a multivalued condition key (one condition key has multiple values) fails to be replaced even if it exists in the request context.
If the condition key specified by the variable fails to be replaced, you can use its original text string as the default value. To add a default value to a variable, enclose the default value in a pair of single quotation marks (' ') and separate the condition key name from the default value with a comma and space (, ). For example, if the key in ${key, 'default'} does not exist or fails to be replaced, ${key, 'default'} will be replaced with default. Condition key names are case-insensitive, but default values are case-sensitive. Spaces before and after the condition key name and the default value's single quotation marks are ignored. For example, if the principal is an IAM user, ${ g:username , 'Default_User_Name' } will be replaced with the value of g:UserName. For other principals, ${ g:username , 'Default_User_Name' } will be replaced with Default_User_Name.
If you want the dollar sign ($), which identifies a policy variable, to be interpreted literally, use ${$}. If you want to insert a single quotation mark (') in the default value of a policy variable, use a pair of single quotation marks (''). For example, when ${g:UserName, 'A single quote is '', two quotes are ''''.'} is replaced with the default value, it would be A single quote is ', two quotes are ''.
Policy variables are replaced only once. If the replacement still contains variables, they would not be replaced anymore. For example, when ${g:UserName, '${g:UserName}'} is replaced with the default value, it would be ${g:UserName}. The ${g:UserName} would not be replaced again.
Policy Variable Replacement Failures
Policy variables will fail to be replaced in the following scenarios:
- The variable does not exist in the request context, for example, "${g:UserName}" will fail to be resolved for non-IAM user logins.
- The variable identifier is invalid, for example, "${foo" or "${foo, 'default'".
- The default value in the variable is invalid, for example, ${key, value}, ${foo, 'default}, or ${foo, 'default''}.
- The variable is empty, for example, ${}, ${ }, or ${ }.
- The variable contains spaces, for example, ${g:user id}.
- There is variable nesting, for example, ${var1${var2}}.
Examples of Using Policy Variables
- Using variables in the Resource element
- In the following policy, if you log in as IAM user test_user_name (the value of g:UserName), you are allowed to perform action obs:bucket:CreateBucket on OBS bucket OBS:*:*:bucket:test_user_name ("*" is a wildcard character).
{ "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": [ "obs:bucket:CreateBucket" ], "Resource": [ "OBS:*:*:bucket:${g:UserName}" ] }] }
- In the following policy, if you log in as IAM user test_user_name (the value of g:UserName), you are allowed to perform action obs:bucket:CreateBucket on OBS bucket OBS:*:*:bucket:prefix_test_user_name_suffix ("*" is a wildcard character).
{ "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": [ "obs:bucket:CreateBucket" ], "Resource": [ "OBS:*:*:bucket:prefix_${g:UserName}_suffix" ] }] }
- In the following policy, if you log in as IAM user test_user_name (the value of g:UserName), you are allowed to perform action obs:bucket:CreateBucket on OBS bucket OBS:*:*:bucket:test_user_name ("*" is a wildcard character).
- Using variables in the Condition element
In the following policy, if you log in as IAM user test_user_name (the value of g:UserName), you are allowed to perform action iam:agencies:getAgency.
{ "Version": "1.1", "Statement": [{ "Effect": "Allow", "Action": [ "iam:agencies:getAgency" ], "Condition": { "StringEquals": { "g:UserName": [ "${g:UserName}" ] } } }] }
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot