Policy Syntax
The following uses a custom policy for OBS as an example to describe the syntax.
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "obs:bucket:ListAllMyBuckets", "obs:bucket:HeadBucket", "obs:bucket:ListBucket", "obs:bucket:GetBucketLocation" ], "Condition": { "StringEndWithIfExists": { "g:UserName": [ "specialCharacter" ] }, "Bool": { "g:MFAPresent": [ "true" ] } }, "Resource": [ "obs:*:*:bucket:*" ] } ] }
Policy Structure
A policy consists of a version and one or more statements (indicating different actions).
Policy Parameters
Policy parameters include Version and Statement, which are described in the following table. You can create custom policies by specifying the parameters. For details, see Custom Policy Use Cases.
Parameter |
Description |
Value |
|
---|---|---|---|
Version |
Policy version. |
1.1: indicates policy-based access control. |
|
Statement |
Effect |
Determines whether to allow or deny the operations defined in the action. |
NOTE:
If an action has both Allow and Deny effects, the Deny effect takes precedence. |
Action |
Operations to be performed on the service. |
Format: "Service name:Resource type:Operation". Wildcard characters (*) are supported, indicating all options. Example: obs:bucket:ListAllMybuckets: Permissions for listing all OBS buckets. View all actions of the service in its API Reference. |
|
Condition |
Determines when a policy takes effect. A condition consists of a condition key and an operator. |
Format: "Condition operator:{Condition key:[Value 1,Value 2]}" If you set multiple conditions, the policy takes effect only when all the conditions are met. Example: StringEndWithIfExists":{"g:UserName":["specialCharacter"]}: The statement is valid for users whose names end with specialCharacter. |
|
Resource |
Resources on which the policy takes effect. |
Format: Service name:Region:Account ID:Resource type:Resource path. Wildcard characters (*) are supported. Example:
|
- Condition key
A condition key is a key in the Condition element of a statement. There are global and service-level condition keys.
- Global condition keys (starting with g:) apply to all operations. IAM provides common global condition keys and special global condition keys.
- Common global condition keys: Cloud services do not need to provide user identity information. Instead, IAM automatically abstracts user information and authenticates users. For details, see Common global condition keys.
- Special global condition keys: IAM obtains condition information from cloud services for authentication.
- Service-level condition keys (starting with a service name abbreviation, for example, obs:) apply only to operations on the specified service. For details, see the user guide of the corresponding cloud service.
Table 2 Common global condition keys Global Condition Key
Type
Description
g:CurrentTime
Time
Time when an authentication request is received. The time is in ISO 8601 format, for example, 2012-11-11T23:59:59Z.
g:DomainName
String
Account name.
g:MFAPresent
Boolean
Whether to obtain a token through MFA authentication.
g:MFAAge
Number
Validity period of a token obtained through MFA authentication. This condition must be used together with g:MFAPresent.
g:ProjectName
String
Project name.
g:ServiceName
String
Service name.
g:UserId
String
IAM user ID.
g:UserName
String
IAM user name.
Table 3 Special global condition keys Global Condition Key
Type
Description
g:SourceIp
IP Address
IP address of the user sending a request.
g:SourceVpc
String
VPC ID of the user sending a request.
g:SourceVpce
String
VPC endpoint ID of the user sending a request.
g:TagKeys
String
Resource tag key.
g:ResourceTag/{TagKey}
String
Resource tag key value.
- Global condition keys (starting with g:) apply to all operations. IAM provides common global condition keys and special global condition keys.
- Operator
An operator (see Operators), a condition key, and a condition value together constitute a complete condition statement. A policy takes effect only when its request conditions are met. The operator suffix IfExists indicates that a policy takes effect if a request value is empty or meets the specified condition. For example, if the operator StringEqualsIfExists is selected for a policy, the policy takes effect if a request value is empty or equal to the specified condition value.
Table 4 Operators (String operators are not case-sensitive unless otherwise specified.) Operator
Type
Description
StringEquals
String
(Case-sensitive) The request value is the same as the condition value.
StringNotEquals
String
(Case-sensitive) The request value is different from the condition value.
StringEqualsIgnoreCase
String
The request value is the same as the condition value.
StringNotEqualsIgnoreCase
String
The request value is different from the condition value.
StringLike
String
The request value contains the condition value.
StringNotLike
String
The request value does not contain the condition value.
StringStartWith
String
The request value starts with the condition value.
StringEndWith
String
The request value ends with the condition value.
StringNotStartWith
String
The request value does not start with the condition value.
StringNotEndWith
String
The request value does not end with the condition value.
StringEqualsAnyOf
String
(Case-sensitive) The request value is the same as any of the configured condition values.
StringNotEqualsAnyOf
String
(Case-sensitive) The request value is different from all of the configured condition values.
StringEqualsIgnoreCaseAnyOf
String
The request value is the same as any of the configured condition values.
StringNotEqualsIgnoreCaseAnyOf
String
The request value is different from all of the configured condition values.
StringLikeAnyOf
String
The request value contains any of the configured condition values.
StringNotLikeAnyOf
String
The request value does not contain any of the configured condition values.
StringStartWithAnyOf
String
The request value starts with any of the configured condition values.
StringEndWithAnyOf
String
The request value ends with any of the configured condition values.
StringNotStartWithAnyOf
String
The request value does not start with any of the configured condition values.
StringNotEndWithAnyOf
String
The request value does not end with any of the configured condition values.
NumberEquals
Number
The request value is equal to the condition value.
NumberNotEquals
Number
The request value is not equal to the condition value.
NumberLessThan
Number
The request value is less than the condition value.
NumberLessThanEquals
Number
The request value is less than or equal to the condition value.
NumberGreaterThan
Number
The request value is greater than the condition value.
NumberGreaterThanEquals
Number
The request value is greater than or equal to the condition value.
NumberEqualsAnyOf
Number
The request value is equal to any of the configured condition values.
NumberNotEqualsAnyOf
Number
The request value is not equal to any of the configured condition values.
DateLessThan
Time
The request value is earlier than the condition value.
DateLessThanEquals
Time
The request value is earlier than or equal to the condition value.
DateGreaterThan
Time
The request value is later than the condition value.
DateGreaterThanEquals
Time
The request value is later than or equal to the condition value.
Bool
Boolean
The request value is equal to the condition value.
IpAddress
IP address
The request value is within the IP address range set in the condition value.
NotIpAddress
IP address
The request value is beyond the IP address range set in the condition value.
IsNullOrEmpty
Null
The request value is null or an empty string.
IsNull
Null
The request value is null.
IsNotNull
Null
The request value is not null.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot