Updated on 2024-03-18 GMT+08:00

What Should I Do When Encountering SCP Errors?

Service control policies (SCPs) in Organizations use a similar syntax to that used by Identity and Access Management (IAM) policies. They both use the JSON syntax. For details, see SCP Syntax.

You may encounter the following errors when creating SCPs:

More Than One Policy Object

An SCP must consist of one and only one JSON object. You denote an object by placing braces ({}) around it. Although you can nest other objects within a JSON object by embedding additional braces ({}), a policy can contain only one outermost pair of braces ({}). The following example is incorrect because it contains two JSON objects, with two outermost pairs of braces ({}):

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "vpc:*:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

To achieve what this example intends, use correct policy syntax. Instead of including two complete policy objects, each with its own Statement element, combine the two blocks into a single Statement element. The Statement element then has an array of two objects as its value, as shown in the following example:

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "vpc:*:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

This example cannot be further compressed into a Statement with one element because the two elements have different effects. Generally, you can combine statements only when the Effect and Resource elements in each statement are identical.

More Than One Statement Element

This error might at first appear to be a variation on the error in the preceding example. However, syntactically it is a different type of error. In the following example, there is only one policy object as denoted by a single outermost pair of braces ({}). However, that object contains two Statement elements within it.

An SCP must contain only one Statement element. The value of a Statement element must be an object, denoted by braces ({}), containing one Effect element, one Action element, one Resource element, and one optional Condition element. The following example is incorrect because it contains two Statement elements in the policy object:

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ],
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "vpc:*:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

The value of the Statement element must be an object or an array of such objects. You can solve this problem by combining the two Statement elements into one element whose value is an object array, as illustrated in the following example. The array consists of two objects, each of which is a correct value for a Statement element. The objects in the array are separated by commas.

{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "vpc:*:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Policy Document Exceeding the Maximum Size

The maximum size of an SCP document is 5,120 characters. This maximum size includes all characters and white space. To reduce the size of your SCP, you can remove all white space characters (such as spaces and line breaks) that are outside quotation marks.
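The three errors above can be caught locally before a policy is submitted. The following check is an added example, not code from the Organizations service or its documentation: the function names and sample strings are constructed for illustration, and it assumes the 5,120-character limit is compared against the policy text after whitespace outside quotation marks has been removed.

```python
import json

MAX_SCP_CHARS = 5120  # limit stated on this page

# Constructed samples built from the statements used in this page's examples.
ALLOW = '{"Effect": "Allow", "Action": ["ecs:*:*"], "Resource": ["*"]}'
DENY = '{"Effect": "Deny", "Action": ["vpc:*:*"], "Resource": ["*"]}'
TWO_OBJECTS = '{"Version": "5.0", "Statement": [%s]}\n{"Statement": [%s]}' % (ALLOW, DENY)
TWO_STATEMENTS = '{"Version": "5.0", "Statement": [%s], "Statement": [%s]}' % (ALLOW, DENY)
COMBINED = '{\n  "Version": "5.0",\n  "Statement": [\n    %s,\n    %s\n  ]\n}' % (ALLOW, DENY)


def _reject_duplicates(pairs):
    """object_pairs_hook: raise on a repeated key (json.loads would keep the last)."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError("more than one %s element" % key)
        obj[key] = value
    return obj


def check_scp(text):
    """Return (errors, minified); minified is None when any error was found."""
    decoder = json.JSONDecoder(object_pairs_hook=_reject_duplicates)
    body = text.strip()
    try:
        policy, end = decoder.raw_decode(body)
    except ValueError as exc:  # also covers json.JSONDecodeError
        return [str(exc)], None
    errors = []
    if body[end:].strip():
        errors.append("more than one policy object")
    if not isinstance(policy, dict):
        errors.append("policy is not a JSON object")
    # Drops whitespace outside quotation marks; string contents are unchanged.
    minified = json.dumps(policy, separators=(",", ":"), ensure_ascii=False)
    if len(minified) > MAX_SCP_CHARS:
        errors.append("%d characters even after minifying" % len(minified))
    return errors, (None if errors else minified)


if __name__ == "__main__":
    for name in ("TWO_OBJECTS", "TWO_STATEMENTS", "COMBINED"):
        print(name, check_scp(globals()[name]))
```

A plain json.loads call would accept the duplicate Statement input and silently keep only the last element, which is why the check parses with a duplicate-rejecting hook.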