SCP Syntax
The following uses a custom policy for RAM as an example to describe the SCP syntax.
{
"Version": "5.0",
"Statement": [
{
"Effect": "Deny",
"Action": [
"ram:resourceShares:create"
],
"Resource": [
"*"
],
"Condition": {
"ForAnyValue:StringNotEquals": {
"g:RequestTag/owner": [
"Alice",
"Jack"
]
}
}
}
]
}
SCPs use a similar syntax to that used by IAM identity policies.
Policy Structure
A policy consists of a version and a single statement or an array of individual statements, each indicating a different action.
Policy Elements
The following table describes the policy elements (Version and Statement).
|
Element |
Mandatory |
Description |
Value |
|
|---|---|---|---|---|
|
Version |
Yes |
Policy version. |
5.0 (cannot be customized) |
|
|
Statement: Permissions defined by a policy |
Statement ID (Sid) |
No |
Identifier of a policy statement. You can assign a Sid value for each statement in a statement array. |
A user-defined character string |
|
Effect |
Yes |
Determines whether to allow or deny the operations defined in an action. |
NOTE:
|
|
|
Action |
Mandatory for Allow statements Either Action or NotAction for Deny statements |
Operations that the SCP allows or denies. |
Format: "Service name:Resource type:Operation". Wildcard characters (*) are supported, indicating all options. The wildcard characters (*) and (?) in an element can be used only by itself or at the end of the string. They cannot be used at the beginning or middle of the string. For example, vpc:subnets:list indicates the permission to view the VPC subnet list, where vpc is the service name, subnets refers to the resource type, and list is the action. |
|
|
NotAction |
Not available for Allow statements. Either Action or NotAction for Deny statements. |
Operations or services that are exempt from the SCP. A Deny statement denies all operations except those in the NotAction list. |
In the same format as Action |
|
|
Condition |
Not available for Allow statements. |
Determines when a policy is in effect. A condition consists of a condition key and a condition operator. |
Format: "Condition operator:{Condition key:[Value 1,Value 2]}" If you configure multiple conditions, the policy can be applied only when all the conditions are met. Example: "StringEndWithIfExists":{"g:UserName":["specialCharactor"]}: This statement is valid for users whose names end with specialCharactor. |
|
|
Resource |
No If this element is not specified, * is used by default, indicating that the SCP applies to all resources. |
Resources that the SCP applies to. |
The value can only be * for Allow statements. The value can be either * or a specific resource for Deny statements. Format: Service name:region:domain ID:Resource type:Resource path. Wildcard characters (*) are supported, indicating all resources. Example: "ecs:*:*:instance:*", representing all ECS instances. |
|
The following elements are not supported in SCPs:
- Principal
- NotPrincipal
- NotResource
Condition Keys
- Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, Organizations automatically obtains user information and authenticates users.
- Service-specific condition keys (with the abbreviation of a service name as the prefix, for example, ram:) apply only to operations of that service. For details, see the service-specific condition keys of each service in Actions Supported by SCP-based Authorization.
|
Global Condition Key |
Type |
Description |
|---|---|---|
|
g:CalledVia |
String array |
Used to control access across services. When a principal initiates an access request to a cloud service, the service may forward the request to another service. The g:CalledVia key contains a list of services in the chain that send requests on behalf of the principal. This condition key is present when the service forwards the access request of the principal. This condition key is not present when the principal accesses the service directly. See an example in 1. |
|
g:CalledViaFirst |
String |
Similar to g:CalledVia, it refers to the first element in the g:CalledVia key, which means the first service that forwards a request on behalf of the principal. |
|
g:CalledViaLast |
String |
Similar to g:CalledVia, it refers to the last element in the g:CalledVia key, which means the last service that forwards a request on behalf of the principal. |
|
g:CurrentTime |
Time |
Time when a request is received. It is in ISO 8601 format, for example, 2012-11-11T23:59:59Z. See an example in 2. |
|
g:DomainName |
String |
Account name of the requester. |
|
g:DomainId |
String |
Account ID of the requester. |
|
g:EnterpriseProjectId |
String |
ID of the enterprise project for the request or the requested resource. This condition key is present when the ID of the enterprise project for the request or the requested resource is passed in the API request and the action supports g:EnterpriseProjectId. This condition key is used in authentication, rather than a filter condition. This means resources in the enterprise project specified by this condition key will not be filtered out. See an example in 3. |
|
g:MFAPresent |
Boolean |
Whether to use multi-factor authentication (MFA) to obtain STS security tokens. This condition key is present only when you log in to the console through MFA authentication or when you use the assumed-agency session obtained through MFA to make a request. See an example in 4. |
|
g:MFAAge |
Numeric |
Validity period of STS security tokens obtained through MFA authentication. This condition key is present only when you log in to the console through MFA authentication or when you use the assumed-agency session obtained through MFA to make a request. The unit is second. |
|
g:PrincipalAccount |
String |
Same as g:DomainId. |
|
g:PrincipalUrn |
String |
URN of the requesting principal. Different principals have different URN formats. IAM users: iam::<domain-id>:user:<user-name> IAM assumed-agency sessions: sts::<domain-id>:assumed-agency:<agency-name>/<session-name> Virtual federated users: sts::<domain-id>:external-user:<idp-id>/<session-name> See an example in 5. |
|
g:PrincipalIsRootUser |
Boolean |
Whether the requesting principal is an IAM root user. This condition key is present in all requests. |
|
g:PrincipalIsService |
Boolean |
Whether the requesting principal is a cloud service. You can use this condition key to control whether only cloud services can access the specified APIs. |
|
g:PrincipalOrgId |
String |
ID of the organization that the requesting principal belongs to. You can use this condition key to control access to the specified APIs only from identities in the specific organization. This condition key is present only when the requesting principal is part of an organization. See an example in 6. |
|
g:PrincipalOrgManagementAccountId |
String |
ID of the management account in the organization that the requesting principal belongs to. This condition key is present only when the requesting principal is part of an organization. See an example in 7. |
|
g:PrincipalOrgPath |
String |
Path of the organization that the requesting principal belongs to. You can use this condition key to control access to the specified APIs only from accounts within the specified organization root or organizational units (OUs). This condition key is present only when the requesting principal is part of an organization. See an example in 8. An account's organization path is in the following format: <organization-id>/<root-id>/(<ou-id>/)*<account-id> |
|
g:PrincipalServiceName |
String |
Requesting principal's name. This condition key is present only when the requesting principal is a cloud service. See an example in 9. |
|
g:PrincipalTag/<tag-key> |
String |
Tag contained in the requesting principal. The <tag-key> is case insensitive. This condition key is present only when the requesting principal is a tagged IAM user or trust agency, or an assumed-agency session with a session tag. See an example in 10. |
|
g:PrincipalType |
String |
Type of the requesting principal, which can be User, AssumedAgency, or ExternalUser. When an IAM user is used for access, the value is User. When an IAM assumed-agency session is used for access, the value is AssumedAgency. When a virtual federated user is used for access, the value is ExternalUser. |
|
g:Referer |
String |
HTTP referer header in a request. As this condition key is specified by the client, it should not be used to prevent unauthorized access. |
|
g:RequestedRegion |
String |
Region called in a request. If the requested cloud service is a region-specific service, set this condition key to the corresponding region ID, for example, cn-north-4. This condition key is present only when certain region-specific services are requested. |
|
g:RequestTag/<tag-key> |
String |
Tag contained in a request. The <tag-key> is case insensitive. If a requester passes a tag when calling an API (for example, for adding a tag to an existing resource, or adding a tag during resource creation), you can use this condition key to check whether the request contains the tag. This condition key is present only when the action supports g:RequestTag/<tag-key> and tags are passed in the API request. For more information, see Actions Supported by SCP-based Authorization. See an example in 11. |
|
g:ResourceAccount |
String |
Requested resource owner's account ID. This condition key is present only in actions of cloud services that support fine-grained permissions management. For more information, see Actions Supported by SCP-based Authorization. See an example in 12. |
|
g:ResourceOrgId |
String |
ID of the organization that the requested resource account belongs to. This condition key is present only in actions of cloud services that support fine-grained permissions management and the resource owner account is part of an organization. For more information, see Actions Supported by SCP-based Authorization. See an example in 13. |
|
g:ResourceOrgPath |
String |
Path in the organization that the requested resource account belongs to. This condition key is present only in actions of cloud services that support fine-grained permissions management and the resource owner account is part of an organization. For more information, see Actions Supported by SCP-based Authorization. See an example in 14. |
|
g:ResourceTag/<tag-key> |
String |
Tag contained in the requested resource. The tag key <tag-key> is case insensitive. You can use this condition key to control that only resources with specified tags attached can be accessed. This condition key is present only when the action supports g:ResourceTag/<tag-key> and tags are attached to the requested resources. For more information, see Actions Supported by SCP-based Authorization. See an example in 15. |
|
g:SecureTransport |
Boolean |
Whether the request is sent using SSL. |
|
g:SourceAccount |
String |
Account of the resource making a service-to-service request in cross-service access scenarios. This condition key is present only when the action supports g:SourceAccount. It should only be used in resource policies where the cloud service is the principal. See an example in 16. |
|
g:SourceUrn |
String |
URN of the resource making a service-to-service request. This condition key is present only when the action supports g:SourceUrn. It should only be used in resource policies where the cloud service is the principal. See an example in 17. |
|
g:SourceIdentity |
String |
The source_identity field specified when a user obtains IAM temporary credentials through the AssumeAgency API of STS for the first time. This field cannot be changed during subsequent agency switches. This condition key is present only when a request with source_identity specified is sent using STS Security Token. See an example in 18. |
|
g:SourceIp |
IP |
Source IP address from a public network. See an example in 19.
NOTE:
If the request is initiated within a VPC and passes through a VPC endpoint, g:VpcSourceIp would be used instead of g:SourceIp. This condition key is present only if the access is not initiated through a VPC endpoint. This condition key can be used as a valid access control condition only when the access is initiated through a public network. It does not take effect when a cloud service uses an agency to initiate access on behalf of a user without going through a public network. |
|
g:SourceVpc |
String |
ID of the VPC from which the request is sent. This condition key is present only when the request is initiated within a VPC and passes through a VPC endpoint to access a cloud service that is configured as a VPC endpoint service. |
|
g:SourceVpce |
String |
ID of the VPC endpoint that initiates the request. This condition key is present only when the request is initiated within a VPC and passes through a VPC endpoint to access a cloud service that is configured as a VPC endpoint service. See an example in 20. |
|
g:TagKeys |
String array |
List of tag keys in a request. This condition key is present only when the action supports g:TagKeys and tags are passed in the API request. |
|
g:TokenIssueTime |
Time |
Time when STS Security Token in the access credentials is issued. This condition key is present only when a request is sent using STS Security Token. |
|
g:UserAgent |
String |
HTTP User-Agent header in a request. As this condition key is specified by the client, it should not be used to prevent unauthorized access. |
|
g:PrincipalId |
String |
ID of the requesting principal. Different principals have different ID formats. IAM users: <user-id> IAM assumed-agency sessions: <agency-id>:<session-name> Virtual federated users: <idp-id>:<session-name> |
|
g:UserName |
String |
Name of an IAM user. This condition key is present only when the requester is an IAM user. |
|
g:UserId |
String |
ID of an IAM user. This condition key is present only when the requester is an IAM user. |
|
g:ViaService |
Boolean |
Whether the request is initiated by access forwarding from a cloud service on behalf of a principal. The value of this condition key is true only when g:CalledVia is not an empty string. |
|
g:VpcSourceIp |
IP |
Source IP address of a request initiated in a VPC. This condition key is present only when the request is initiated within a VPC and passes through a VPC endpoint to access a cloud service that is configured as a VPC endpoint service. |
- g:CalledVia
For example, a user makes a request to service A. Service A then makes a request to service B on behalf of the user, and service B makes a request to service C on behalf of the user. The request received by service A does not contain the g:CalledVia condition key because the requesting principal is a user. In the request received by service B, g:CalledVia contains the service principal of service A because the request is made by service A on behalf of the user. In the request received by service C, the g:CalledVia contains the service principals of service A and service B, and the sequence is the same as that of the forwarding access request chain. In this case, g:CalledViaFirst is the service principal of service A, and g:CalledViaLast is the service principal of service B. The g:CalledViaFirst and g:CalledViaLast condition keys can be used to specify the first and last services that are called in the forwarding access chain.
Figure 2 g:CalledVia application scenario
When the user makes a request to a cloud service through the management console, CalledVia contains service.console.
For example, the following policy prevents the requests initiated on the management console from calling the RAM API for querying resource shares.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "ram:resourceShares:search" ], "Resource": [ "*" ], "Condition": { "ForAnyValue:StringEquals": { "g:CalledVia": "service.console" } } }] } - g:CurrentTime
For example, the following policy prevents the invocation of cloud service APIs from March 1, 2023 to March 30, 2023.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": ["ram:resourceShares:search"], "Resource": ["*"], "Condition": { "DateGreaterThan": {"g:CurrentTime": "2023-03-01T00:00:00Z"}, "DateLessThan": {"g:CurrentTime": "2023-03-30T23:59:59Z"} } } ] } - g:EnterpriseProjectId
This condition key is used in authentication. For example, the following policy prevents users from querying VPC permissions by enterprise project, and only denies access with enterprise_project_id set to xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in the request for calling the GET /v1/{project_id}/vpcs API.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "vpc:vpcs:list" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "g:EnterpriseProjectId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" } } }] }
The g:EnterpriseProjectId condition key is not a filtering condition. This means resources in the enterprise project specified by this condition key will not be filtered out. In the example for calling the GET /v1/{project_id}/vpcs API, when enterprise_project_id is all_granted_eps, the VPCs associated with all enterprise projects of the user are queried. If this policy has been configured for the user, the VPCs associated with the enterprise project specified by g:EnterpriseProjectId in the policy will not be queried.
- g:MFAPresent
This condition key is present only when a request is sent using STS Security Token. If a request is sent using permanent credentials, this condition key is not present.
For example, the following identity policy only allows API calling by principals authenticated using multi-factor authentication (MFA). The IfExists operator is used to cover scenarios where the g:MFAPresent condition key is not present when requests are made using permanent credentials.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "*" ], "Resource": [ "*" ], "Condition": { "BoolIfExists": { "g:MFAPresent": "false" } } }] } - g:PrincipalUrn
For example, the following SCP prevents the user yyy from creating resource shares.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "ram:resourceShares:create" ], "Condition": { "StringEquals": { "g:PrincipalUrn": "iam::xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:user:yyy" } } }] } - g:PrincipalOrgId
For example, the following policy prevents the accounts in organization o-xxxxxxxxxxx from calling the API for searching resource shares in RAM.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": ["ram:resourceShares:search"], "Resource": ["*"], "Condition": { "StringEquals": { "g:PrincipalOrgID": "o-xxxxxxxxxxx" } } } ] } - g:PrincipalOrgManagementAccountId
For example, the condition key value xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx in the following identity policy matches the management account ID in the request.
{ "Condition": { "StringEquals": { "g:PrincipalOrgManagementAccountId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" } } } - g:PrincipalOrgPath
For example, the condition key value ou-qqq in the following identity policy matches the organizational units (OUs) that the requesting principal belongs to in the request.
{ "Condition": { "StringMatch": { "g:PrincipalOrgPath": "o-xxx/r-yyy/ou-zzz/ou-qqq/*" } } }For example, the condition key value ou-qqq in the following identity policy matches any child OUs that the requesting principal belongs to in the request.
{ "Condition": { "StringMatch": { "g:PrincipalOrgPath": "o-xxx/r-yyy/ou-zzz/ou-qqq/ou-*" } } } - g:PrincipalServiceName
For example, the condition key value service.RAM in the following policy matches the principal that is making the request.
{ "Condition": { "StringEquals": { "g:PrincipalServiceName": "service.RAM" } } } - g:PrincipalTag/<tag-key>
For example, the following policy prevents IAM users tagged with {"department": "hr"} from accessing IAM APIs.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "iam:*" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "g:PrincipalTag/department": "hr" } } }] } - g:RequestTag/<tag-key>
For example, the following policy prevents users from creating resource shares tagged with {"team": "engineering"}.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": ["ram:resourceShares:create"], "Resource": ["*"], "Condition": { "StringEquals": { "g:RequestTag/team": "engineering" } } } ] } - g:ResourceAccount
For example, the following identity policy prevents users from using KMS keys of other than the specified users to decrypt data.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "kms:cmk:decryptData" ], "Resource": [ "*" ], "Condition": { "StringNotEquals": { "g:ResourceAccount": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" } } }] } - g:ResourceOrgId
For example, the following identity policy prevents users from using KMS keys of other than the specified organizations to decrypt data.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "kms:cmk:decryptData" ], "Resource": [ "*" ], "Condition": { "StringNotEquals": { "g:ResourceOrgId": "o-xxxxxxxx" } } }] } - g:ResourceOrgPath
For example, the following policy prevents users from using KMS keys of the accounts in the ou-qqq OU to decrypt data.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "kms:cmk:decryptData" ], "Resource": [ "*" ], "Condition": { "StringMatch": { "g:ResourceOrgPath": "o-xxx/r-yyy/ou-zzz/ou-qqq/*" } } }] }For example, the following policy prevents users from using KMS keys of the accounts in the child OUs under the ou-qqq OU to decrypt data.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "kms:cmk:decryptData" ], "Resource": [ "*" ], "Condition": { "StringMatch": { "g:ResourceOrgPath": "o-xxx/r-yyy/ou-zzz/ou-qqq/ou-*" } } }] } - g:ResourceTag/<tag-key>
For example, the following policy prevents users from modifying resource shares tagged with {"team": "engineering"}.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "ram:resourceShares:delete", "ram:resourceShares:update" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "g:ResourceTag/team": "engineering" } } } ] } - g:SourceAccount
For example, service A is used to record activities. It helps a user (account B) to dump activity logs triggered by a device (account C) to a specified OBS bucket. To enable service A to write data into the bucket, the administrator of account B creates an agency or trust agency named X for service A to manage OBS buckets under account B. After account B or account C accesses service A and triggers a request, service A obtains the temporary identity credentials of the specified agency or trust agency X and writes data to the bucket.
Figure 3 Confused deputy
The agency or trust agency name X is not confidential. If an attacker (account D) obtains the agency name and triggers service A in the same way, the activity records of the attacker would be incorrectly recorded in the OBS bucket. The attacker uses service A's agency to indirectly modify the OBS bucket of account B. This is called the confused deputy.
The g:SourceAccount condition key is used to control the account of the resource making a service-to-service request. The following policy only allows service A to switch to the assumed-agency session for account xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx or yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.
{ "Version": "5.0", "Statement": [{ "Principal": { "Service": [ "Service.A" ] }, "Action": [ "sts:agencies:assume" ], "Condition": { "StringEquals": { "g:sourceAccount": [ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" ] } } }] } - g:SourceUrn
Similar to g:SourceAccount, this condition key is also used to solve the confused deputy issue. Assume that user devices (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) are defined as watches and bracelets. The g:SourceUrn condition key is used to control the URN of the resource making a service-to-service request. The following policy only allows service A to switch to the corresponding assumed-agency session for the watch or bracelet that meets the conditions.
{ "Version": "5.0", "Statement": [{ "Principal": { "Service": [ "Service.A" ] }, "Action": [ "sts:agencies:assume" ], "Condition": { "StringEquals": { "g:sourceUrn": [ "alarm:*:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:watch:*", "alarm:*:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:bracelet:*" ] } } }] } - g:SourceIdentity
For example, the following policy prevents principals whose source_identity is yyyyy from switching the agency.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Principal": { "IAM": [ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" ] }, "Action": [ "sts:agencies:assume" ], "Condition": { "StringEquals": { "g:SourceIdentity": "yyyyy" } } }] } - g:SourceIp
For example, the following policy denies the programmatic or console access to KMS from source IP addresses within the xxx.xx.xx.0/24 range.
The source IP address must be a public IP address. Do not include a private IP address in the condition key.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "kms:cmk:decryptData" ], "Resource": [ "*" ], "Condition": { "IpAddress": { "g:SourceIp": "xxx.xx.xx.0/24" } } }] }The following condition keys in the initial request context will not be passed in subsequent requests forwarded by the service on behalf of the principal: g:SourceIp, g:SourceVpce, g:SourceVpc, and g:VpcSourceIp. As a result, when these condition keys are used to control access permissions, requests forwarded by the cloud service on behalf of the principal may be denied. In practice, you are advised to use g:CalledVia to forward access requests.
There is an exception: The public network access initiated by the principal from the console can be regarded as a programmatic access of the principal from the public network, so the request forwarded by the console on behalf of the principal contains the initial g:SourceIp.
For example, the following policy denies the programmatic or console access to KMS from source IP addresses beyond xxx.xx.xx.0/24. In addition, the policy allows cloud services to forward access requests on behalf of the principal.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "kms:cmk:decryptData" ], "Resource": [ "*" ], "Condition": { "NotIpAddress": { "g:SourceIp": "xxx.xx.xx.0/24" }, "Bool": { "g:ViaService": "false" } } }, { "Effect": "Deny", "Action": [ "kms:cmk:decryptData" ], "Resource": [ "*" ], "Condition": { "NotIpAddress": { "g:SourceIp": "xxx.xx.xx.0/24" }, "StringEqualsIfExists": { "g:CalledViaFirst": "service.console", "g:CalledViaLast": "service.console" } } } ] } - g:SourceVpce
For example, the following policy denies access to KMS from a VPC endpoint other than xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. In addition, the policy allows cloud services to forward access requests on behalf of the principal.
{ "Version": "5.0", "Statement": [{ "Effect": "Deny", "Action": [ "kms:cmk:decryptData" ], "Resource": [ "*" ], "Condition": { "StringNotEquals": { "g:SourceVpce": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" }, "Bool": { "g:ViaService": "false" } } }] }
- Multivalued condition keys
- ForAllValues: Tests whether the value of every member of the request set is a subset of the condition key set. The condition returns true if every key value in the request matches at least one value in the policy.
- ForAnyValue: Tests whether at least one member of the set of request values matches at least one member of the set of condition key values. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. The condition returns false if there are no matching keys in the request, or if the key value resolves to an empty data set.
Condition OperatorsFigure 4 Condition operators
- If a single condition operator includes multiple values for one key, that condition operator is evaluated using a logical OR. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy.
For condition operators that contain Not (such as StringNotEquals), the request value cannot match any of the condition values.
- The AND operation is used between different condition keys of the same operator. It is also used between different operators.
- If a single condition operator includes multiple values for one key, that condition operator is evaluated using a logical OR. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy.
Operators
A condition operator, a condition key, and a condition value together constitute a complete condition statement. A policy can be applied only when its request conditions are met. The operator suffix IfExists indicates that a policy is applied if a request value is empty or meets the specified condition. For example, if the operator StringEqualsIfExists is selected for a policy, the policy is applied if a request value is empty or equal to the specified condition value. Operators are string operators. They are not case-sensitive unless otherwise specified.
- String
Table 3 String condition operators Type
Operator
Description
String
StringEquals
Exact matching, case sensitive
StringNotEquals
Negated matching, case sensitive
StringEqualsIgnoreCase
Exact matching, ignoring case
StringNotEqualsIgnoreCase
Negated matching, ignoring case
StringMatch
Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string.
StringNotMatch
Negated case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string.
For example, the following policy prevents the requester Tom from deleting or modifying resource shares.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "ram:resourceShares:delete", "ram:resourceShares:update" ], "Condition": { "StringEquals": { "g:DomainName": [ "Tom" ] } } } ] } - Numeric
Table 4 Numeric condition operators Type
Operator
Description
Numeric
NumberEquals
Matching
NumberNotEquals
Negated matching
NumberLessThan
"Less than" matching
NumberLessThanEquals
"Less than or equals" matching
NumberGreaterThan
"Greater than" matching
NumberGreaterThanEquals
"Greater than or equals" matching
- Date
Table 5 Date condition operators Type
Operator
Description
Date
DateLessThan
Matching before a specific date and time
DateLessThanEquals
Matching at or before a specific date and time
DateGreaterThan
Matching after a specific date and time
DateGreaterThanEquals
Matching at or after a specific date and time
For example, the following policy prevents requesters from accessing RAM before August 1, 2022.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "ram:*:*" ], "Condition": { "DateLessThan": { "g:CurrentTime": [ "2022-08-01T00:00:00Z" ] } } } ] } - Boolean
Table 6 Boolean condition operators Type
Operator
Description
Bool
Bool
Boolean conditions let you construct condition elements that restrict access based on comparing a key to "true" or "false."
- Null
Table 7 Null condition operators Type
Operator
Description
Null
Null
You can use a Null condition operator to check if a condition key is absent at the time of authorization. In the policy statement, you can use either "true" (the key does not exist or is null) or "false" (the key exists and its value is not null).
- IP
Table 8 IP condition operators Type
Operator
Description
IP
IpAddress
IP address or IP address range
NotIpAddress
All IP addresses beyond a specific IP address or IP address range
For example, the following policy prevents requests from the IP address range (10.27.128.0 to 10.27.128.255) from modifying the specified permanent access keys.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "iam:credentials:updateCredentialV5" ], "Condition": { "IpAddress": { "g:SourceIp": [ "10.27.128.0/24" ] } } } ] } - IfExists operator suffix
You can add "IfExists" to the end of any condition operator name except the "Null condition", for example, StringEqualsIfExists. If the policy key is present in the context of the request, process the key as specified in the policy. If the key is not present, evaluate the condition element as true.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
