SCP Syntax
The following uses a custom policy for RAM as an example to describe the SCP syntax.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "ram:resourceShares:create" ], "Resource": [ "*" ], "Condition": { "ForAnyValue:StringNotEquals": { "g:RequestTag/owner": [ "Alice", "Jack" ] } } } ] }
SCPs use a similar syntax to that used by IAM identity policies.
Policy Structure
A policy consists of a version and a single statement or an array of individual statements, each indicating a different action.
Policy Elements
The following table describes the policy elements (Version and Statement).
Element |
Mandatory |
Description |
Value |
|
---|---|---|---|---|
Version |
Yes |
Policy version. |
5.0 (cannot be customized) |
|
Statement: Permissions defined by a policy |
Statement ID (Sid) |
No |
Identifier of a policy statement. You can assign a Sid value for each statement in a statement array. |
A user-defined character string |
Effect |
Yes |
Determines whether to allow or deny the operations defined in an action. |
NOTE:
|
|
Action |
Mandatory for Allow statements Either Action or NotAction for Deny statements |
Operations that the SCP allows or denies. |
Format: "Service name:Resource type:Operation". Wildcard characters (*) are supported, indicating all options. The wildcard characters (*) and (?) in an element can be used only by itself or at the end of the string. They cannot be used at the beginning or middle of the string. For example, vpc:subnets:list indicates the permission to view the VPC subnet list, where vpc is the service name, subnets refers to the resource type, and list is the action. |
|
NotAction |
Not available for Allow statements. Either Action or NotAction for Deny statements. |
Operations or services that are exempt from the SCP. A Deny statement denies all operations except those in the NotAction list. |
In the same format as Action |
|
Condition |
Not available for Allow statements. |
Determines when a policy is in effect. A condition consists of a condition key and a condition operator. |
Format: "Condition operator:{Condition key:[Value 1,Value 2]}" If you configure multiple conditions, the policy can be applied only when all the conditions are met. Example: "StringEndWithIfExists":{"g:UserName":["specialCharactor"]}: This statement is valid for users whose names end with specialCharactor. |
|
Resource |
No If this element is not specified, * is used by default, indicating that the SCP applies to all resources. |
Resources that the SCP applies to. |
The value can only be * for Allow statements. The value can be either * or a specific resource for Deny statements. Format: Service name:region:domain ID:Resource type:Resource path. Wildcard characters (*) are supported, indicating all resources. Example: "ecs:*:*:instance:*", representing all ECS instances. |
The following elements are not supported in SCPs:
- Principal
- NotPrincipal
- NotResource
Condition Keys
- Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, Organizations automatically obtains user information and authenticates users. For details, see Table 2.
- Service-specific condition keys (with the abbreviation of a service name as the prefix, for example, ram:) apply only to operations of that service. For details, see the service-specific condition keys of each service in Actions Supported by SCP-based Authorization.
Global Condition Key |
Type |
Description |
---|---|---|
g:CalledVia |
String |
Used to control access across services. See an example in 1. |
g:CalledViaFirst |
String |
The first element in the g:CalledVia key. |
g:CalledViaLast |
String |
The last element in the g:CalledVia key. |
g:CurrentTime |
Time |
Time when an authentication request was received. The time is in ISO 8601 format, for example, 2023-11-11T23:59:59Z. See an example in 2. |
g:DomainName |
String |
Account name of the requester. |
g:DomainId |
String |
Account ID of the requester. |
g:MFAPresent |
Boolean |
Whether to use multi-factor authentication (MFA) to obtain a token |
g:MFAAge |
Numeric |
Validity period of the token obtained using MFA. This condition must be used together with g:MFAPresent. |
g:PrincipalAccount |
String |
Same attribute as g:DomainId. |
g:PrincipalUrn |
String |
URN of the requester. Different principals have different URN formats. IAM user: iam::<domain-id>:user:<user-name> IAM agency: sts::<domain-id>:assumed-agency:<agency-name>/<session-name> |
g:PrincipalIsRootUser |
Boolean |
Whether the requesting principal is a root user. This key is included in all requests. |
g:PrincipalIsService |
Boolean |
Whether the requesting principal is a cloud service. You can use this key to control whether only cloud services can access the specified APIs. |
g:PrincipalOrgId |
String |
ID of the organization to which the requesting principal belongs. You can use this key to specify that only requesting principals in the specified organization can access the specified APIs. See an example in 3. |
g:PrincipalOrgManagementAccountId |
String |
Management account ID of the organization to which the requesting principal belongs. See an example in 4. |
g:PrincipalOrgPath |
String |
Organization path for the requesting account. You can use this key to control that only accounts at specified levels in the organization can access the specified APIs. See an example in 5. The format of an account's organization path is as follows: <organization-id>/<root-id>/(<ou-id>/)*<account-id> |
g:PrincipalServiceName |
String |
Name of the cloud service principal of the requester. See an example in 6. |
g:PrincipalTag/tag-key |
String |
Tag attached to the requesting principal. Currently, only the session tag supported by STSToken can be used as this key. |
g:PrincipalType |
String |
Type of the requesting principal, either User or AssumedAgency. When a long-term IAM credential is used for access, the value of this key is User. When a temporary IAM credential is used for access, the value of this key is AssumedAgency. |
g:Referer |
String |
HTTP referer header in a request. As this key is specified by the client, it should not be used to prevent unauthorized parties from making direct requests. |
g:RequestedRegion |
String |
Region that was called in a request. If the target cloud service is a global service, set this parameter to NULL. If the target cloud service is a regional service, set this parameter to the ID of the regionfor example, cn-north-4. See an example in 7. |
g:RequestTag/tag-key |
String |
Tag that was passed in a request. See an example in 8. |
g:ResourceAccount |
String |
Account ID of the requested resource owner. |
g:ResourceOrgId |
String |
ID of the organization to which the requested resource account belongs. See an example in 9. |
g:ResourceOrgPath |
String |
Path in the organization to which the requested resource account belongs. See an example in 10. |
g:ResourceTag/tag-key |
String |
Tag attached to the requested resource. You can use this key to control that only resources with specified tags can be accessed. See an example in 11. |
g:SecureTransport |
Boolean |
Whether the request was sent using SSL. |
g:SourceAccount |
String |
Account of the resource making a service-to-service request. |
g:SourceUrn |
String |
URN of the resource making a service-to-service request. |
g:SourceIdentity |
String |
The source_identity field that was set in the temporary IAM credential STSToken. The source_identity field is specified when a user obtains a temporary IAM credential for the first time through the AssumeAgency API of STS and cannot be changed in subsequent agency switching. |
g:SourceIp |
IP |
Source request IP address from the public network. If the request was initiated from an ECS in a VPC through the VPC endpoint, g:VpcSourceIp instead of g:SourceIp is used. See an example in 12. |
g:SourceVpc |
String |
ID of the VPC from which the request was sent. |
g:SourceVpce |
String |
ID of the VPC endpoint used to initiate the request. |
g:TagKeys |
String |
List of tag keys in a request. |
g:TokenIssueTime |
Time |
Time when the STSToken in the access credentials was issued. |
g:UserAgent |
String |
HTTP User-Agent header in a request. As this key is specified by the client, it should not be used to prevent unauthorized parties from making direct requests. |
g:PrincipalId |
String |
ID of the requesting principal. Different principals have different ID formats. IAM user: <user-id> IAM agency: <agency-id>:<session-name> |
g:UserName |
String |
Name of an IAM user. |
g:UserId |
String |
ID of an IAM user. |
g:ViaService |
Boolean |
Whether the request was initiated by the cloud service on behalf of the user through the Impersonate protocol. The value of this key is true only when g:CalledVia is not an empty string. |
g:VpcSourceIp |
IP |
Source IP address of a request initiated in a VPC. |
g:EnterpriseProjectId |
String |
ID of the enterprise project for the request or the requested resource. |
- g:CalledVia
For example, the following policy prohibits the requests initiated by the Console service from calling the API for querying resource shares in RAM.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": ["ram:resourceShares:search"], "Resource": ["*"], "Condition": { "ForAnyValue:StringEquals": { "g:CalledVia": "service.Console" } } } ] }
- g:CurrentTime
For example, the following policy prohibits the invocation of cloud service APIs from March 1, 2023 to March 30, 2023.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": ["ram:resourceShares:search"], "Resource": ["*"], "Condition": { "DateGreaterThan": {"g:CurrentTime": "2023-03-01T00:00:00Z"}, "DateLessThan": {"g:CurrentTime": "2023-03-30T23:59:59Z"} } } ] }
- g:PrincipalOrgId
For example, the following policy prohibits the accounts in organization o-xxxxxxxxxxx from calling the API for searching resource shares in RAM.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": ["ram:resourceShares:search"], "Resource": ["*"], "Condition": { "StringEquals": { "g:PrincipalOrgID": "o-xxxxxxxxxxx" } } } ] }
- g:PrincipalOrgManagementAccountId
For example, the Condition in the following policy returns true when the management account ID of the organization to which the requester belongs is ce20ec0406c844a08026399be5f13b08.
{ "Condition": { "StringEquals": { "g:PrincipalOrgManagementAccountId": "ce20ec0406c844a08026399be5f13b08" } } }
- g:PrincipalOrgPath
For example, the Condition in the following policy returns true only when the requester account belongs to the ou-ab12-22222222 OU.
{ "Condition": { "StringMatch": { "g:PrincipalOrgPath": "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/*" } } }
- g:PrincipalServiceName
For example, the Condition in the following policy returns true only when the requester is RAM.
{ "Condition": { "StringEquals": { "g:PrincipalServiceName": "service.RAM" } } }
- g:RequestedRegion
For example, the following policy prohibits users from accessing ECS APIs in cn-north-4. This condition key is carried in the request only when the target cloud service is a region-specific service.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": ["ecs:*:*"], "Resource": ["*"], "Condition": { "StringEquals": { "g:RequestedRegion": "cn-north-4" } } } ] }
- g:RequestTag/tag-key
For example, the following policy prohibits users from creating resource shares tagged with {"team": "engineering"}.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": ["ram:resourceShares:create"], "Resource": ["*"], "Condition": { "StringEquals": { "g:RequestTag/team": "engineering" } } } ] }
- g:ResourceOrgId
For example, the following policy prohibits users from modifying resource shares in the accounts in the o-xxxxxxxx organization. This condition key is carried only when the resource owner has joined an organization.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "ram:resourceShares:delete", "ram:resourceShares:update" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "g:ResourceOrgId": "o-xxxxxxxx" } } } ] }
- g:ResourceOrgPath
For example, the following policy prohibits users from modifying resource shares in the accounts in the o-a1b2c3d4e5/r-ab12/ou-ab12-11111111 organization path. This condition key is carried only when the resource owner has joined an organization.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "ram:resourceShares:delete", "ram:resourceShares:update" ], "Resource": [ "*" ], "Condition": { "StringMatch": { "g:ResourceOrgPath": "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/*" } } } ] }
- g:ResourceTag/tag-key
For example, the following policy prohibits users from modifying resource shares tagged with {"team": "engineering"}.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "ram:resourceShares:delete", "ram:resourceShares:update" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "g:ResourceTag/team": "engineering" } } } ] }
- g:SourceIp
For example, the following policy prohibits source IP addresses in the 10.27.128.0/24 range from accessing RAM.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": ["ram:*:*"], "Resource": ["*"], "Condition": { "IpAddress": { "g:SourceIp": "10.27.128.0/24" } } } ] }
- Multivalued condition keys
- ForAllValues: Tests whether the value of every member of the request set is a subset of the condition key set. The condition returns true if every key value in the request matches at least one value in the policy.
- ForAnyValue: Tests whether at least one member of the set of request values matches at least one member of the set of condition key values. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy. The condition returns false if there are no matching keys in the request, or if the key value resolves to an empty data set.
Condition OperatorsFigure 2 Condition operators
- If a single condition operator includes multiple values for one key, that condition operator is evaluated using a logical OR. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy.
For condition operators that contain Not (such as StringNotEquals), the request value cannot match any of the condition values.
- The AND operation is used between different condition keys of the same operator. It is also used between different operators.
- If a single condition operator includes multiple values for one key, that condition operator is evaluated using a logical OR. The condition returns true if any one of the key values in the request matches any one of the condition values in the policy.
Operators
A condition operator, a condition key, and a condition value together constitute a complete condition statement. A policy can be applied only when its request conditions are met. The operator suffix IfExists indicates that a policy is applied if a request value is empty or meets the specified condition. For example, if the operator StringEqualsIfExists is selected for a policy, the policy is applied if a request value is empty or equal to the specified condition value. Operators are string operators. They are not case-sensitive unless otherwise specified.
- String
Table 3 String condition operators Type
Operator
Description
String
StringEquals
Exact matching, case sensitive
StringNotEquals
Negated matching, case sensitive
StringEqualsIgnoreCase
Exact matching, ignoring case
StringNotEqualsIgnoreCase
Negated matching, ignoring case
StringMatch
Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string.
StringNotMatch
Negated case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string.
For example, the following policy prohibits the requester Tom from deleting or modifying resource shares.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "ram:resourceShares:delete", "ram:resourceShares:update" ], "Condition": { "StringEquals": { "g:DomainName": [ "Tom" ] } } } ] }
- Numeric
Table 4 Numeric condition operators Type
Operator
Description
Numeric
NumberEquals
Matching
NumberNotEquals
Negated matching
NumberLessThan
"Less than" matching
NumberLessThanEquals
"Less than or equals" matching
NumberGreaterThan
"Greater than" matching
NumberGreaterThanEquals
"Greater than or equals" matching
- Date
Table 5 Date condition operators Type
Operator
Description
Date
DateLessThan
Matching before a specific date and time
DateLessThanEquals
Matching at or before a specific date and time
DateGreaterThan
Matching after a specific date and time
DateGreaterThanEquals
Matching at or after a specific date and time
For example, the following policy prohibits requesters from accessing RAM before August 1, 2022.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "ram:*:*" ], "Condition": { "DateLessThan": { "g:CurrentTime": [ "2022-08-01T00:00:00Z" ] } } } ] }
- Boolean
Table 6 Boolean condition operators Type
Operator
Description
Bool
Bool
Boolean conditions let you construct condition elements that restrict access based on comparing a key to "true" or "false."
- Null
Table 7 Null condition operators Type
Operator
Description
Null
Null
You can use a Null condition operator to check if a condition key is absent at the time of authorization. In the policy statement, you can use either "true" (the key does not exist or is null) or "false" (the key exists and its value is not null).
- IP
Table 8 IP condition operators Type
Operator
Description
IP
IpAddress
IP address or IP address range
NotIpAddress
All IP addresses beyond a specific IP address or IP address range
For example, the following policy prohibits requests from the IP address range (10.27.128.0 to 10.27.128.255) from modifying the specified permanent access keys.
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "iam:credentials:updateCredentialV5" ], "Condition": { "IpAddress": { "g:SourceIp": [ "10.27.128.0/24" ] } } } ] }
- IfExists operator suffix
You can add "IfExists" to the end of any condition operator name except the "Null condition", for example, StringEqualsIfExists. If the policy key is present in the context of the request, process the key as specified in the policy. If the key is not present, evaluate the condition element as true.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot