Actions, Resources, and Condition Keys
The identity policy authorization reference of each Huawei Cloud service defines the actions, resources, and condition keys used by the service for IAM identity policies. For details, see Actions Supported by Identity Policy-based Authorization.
Actions
Actions are specific operations that are allowed or denied in an identity policy.
- The Access Level column describes how the action is classified (such as list, read, or write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
- The Resource Type column indicates whether the action supports resource-level permissions.
  - You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
  - If this column includes a resource type, you must specify the URN in the Resource element of your statements.
  - Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.
  For more information about resource types, see the corresponding rows in the resource type table.
- The Condition Key column contains keys that you can specify in the "Condition" element of an identity policy statement.
  - If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
  - If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
  - If the Condition Key column is empty (-) for an action, the action does not support any condition keys.
  For more information about global condition keys, see Global Condition Key.
- The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.
Resource Type
A resource type indicates the resources that an identity policy applies to. Not all actions support all resources. Some resources are supported only by some actions. If the resource type is specified for an action, you can specify the URN of the resource in the identity policy statement that grants the action. This indicates that the identity policy applies only to this resource. If no resource type is specified, the resource is set to an asterisk (*) by default, indicating that the identity policy applies to all resources.
- The URN column specifies the URN format required for using resources of this type. You need to replace the part in angle brackets (<>) with the actual value. For example, replace <account-id> in the URN with the actual account ID of the resource.
Condition
A "Condition" element lets you specify conditions for when an identity policy is in effect. Not all condition keys apply to all actions or resources. Some condition keys apply only to specific actions or resources.
- The Type column specifies the data type of the condition key. The data type determines which operators you can use to compare the values in the request with the values in the identity policy statement. You must use an operator appropriate for the data type. If you use an operator that is not appropriate for the data type, the request always fails the condition.
- The Single-valued/Multivalued column indicates whether the condition key supports single values or multiple values. If the condition key supports single values, only one value can match the request. If the condition key supports multiple values, multiple values can match the request. For more information, see Global Condition Key.
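The following Python sketch is an added example, not part of the Huawei Cloud documentation: it lints one identity policy statement against the rules the Actions table encodes (resource-level support, URN format, supported condition keys). The `demo` service, its actions, URN template and condition key are constructed for illustration, and treating keys prefixed `g:` as global condition keys is an assumption.

```python
import re

# Constructed reference rows for a hypothetical "demo" service (not real actions).
# An empty resource_types dict models a "-" in the Resource Type column.
ACTIONS = {
    "demo:instance:list": {"resource_types": {}, "condition_keys": set()},
    "demo:instance:delete": {
        "resource_types": {"instance": "demo:<region>:<account-id>:instance:<instance-id>"},
        "condition_keys": {"demo:InstanceTag"},
    },
}
GLOBAL_PREFIX = "g:"  # assumption: global condition keys share this prefix


def urn_regex(template):
    """Compile a URN template; each <placeholder> matches one colon-free segment."""
    parts = re.split(r"(<[^>]+>)", template)
    body = "".join("[^:]+" if p.startswith("<") else re.escape(p) for p in parts)
    return re.compile(body + r"\Z")


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint_statement(stmt):
    """Return findings for one statement checked against the ACTIONS rows."""
    findings = []
    resources = as_list(stmt.get("Resource", "*"))
    used_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
    for action in as_list(stmt["Action"]):
        row = ACTIONS.get(action)
        if row is None:
            findings.append(f"{action}: not in the reference table")
            continue
        patterns = [urn_regex(t) for t in row["resource_types"].values()]
        for res in resources:
            if res == "*":
                continue  # "*" (all resources) is accepted for every action
            if not patterns:
                findings.append(f'{action}: no resource-level permissions, use "*"')
            elif not any(p.match(res) for p in patterns):
                findings.append(f"{action}: {res} matches no supported URN format")
        for key in sorted(used_keys - row["condition_keys"]):
            if not key.startswith(GLOBAL_PREFIX):
                findings.append(f"{action}: condition key {key} not supported")
    return findings
```

Running such a check before attaching a policy catches statements that would never match a request, such as a URN on an action without resource-level permissions or a condition key the action does not support.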