Identity Policy Grammar
The following uses a custom identity policy for OBS as an example to describe the grammar of an identity policy.
```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "obs:bucket:getBucketLocation",
        "obs:bucket:headBucket",
        "obs:bucket:listAllMyBuckets",
        "obs:bucket:listBucket"
      ],
      "Condition": {
        "StringEndWithIfExists": {
          "g:UserName": [
            "specialCharacter"
          ]
        },
        "Bool": {
          "g:MFAPresent": [
            "true"
          ]
        }
      }
    }
  ]
}
```
When you create or edit an identity policy on the IAM console, IAM automatically verifies the identity policy grammar. IAM will notify you if an identity policy does not comply with the grammar.
IAM Access Analyzer also provides additional identity policy checks and recommendations to help you optimize your identity policies. For more information about the policy checks and actionable recommendations, see Validating Policies with Access Analyzer.
Structure of an Identity Policy
An identity policy consists of a version and one or more statements (indicating different actions).
Elements of an Identity Policy
The following table describes the two top-level elements of an identity policy, Version and Statement, which you specify when creating a custom identity policy. For details, see Table 1. An identity policy is composed of JSON elements such as Version, Statement, Sid, Effect, Action, Condition, and Resource. For more information, see JSON Element Reference.
| Element | Sub-element | Description | Value |
|---|---|---|---|
| Version | | Version of an identity policy. | The version is 5.0 and cannot be changed. It indicates the version of the identity policy JSON grammar. |
| Statement | Sid | Statement ID (Sid): an optional identifier of a statement. | A string. |
| | Effect | Determines whether to allow or deny the actions. | NOTE: If policies both allow and deny actions on a resource, the Deny takes precedence. |
| | Action/NotAction | Actions on the cloud service. | Format: "Service name:Resource type:Operation". Actions support the wildcard characters * and ?: * matches any characters and ? matches a single character. Action and NotAction are case-insensitive. Action matches all actions in the list; NotAction matches all actions outside the list. Example: "obs:bucket:listAllMyBuckets" grants permission to list all OBS buckets. To view all actions, open Actions Supported by Identity Policy-based Authorization and navigate to the "Actions" section. |
| | Resource | Resources to be controlled by the identity policy. | A resource is represented by a URN in the format <service-name>:<region>:<account-id>:<type-name>:<resource-path>. The resource URN supports the wildcards * and ?: * matches any number of characters and ? matches a single character. Resource is case-insensitive. For details about resource URNs, see Using URNs to Identify Huawei Cloud Resources. Example: |
| | Condition | Determines when an identity policy is in effect. A condition consists of a condition key and a condition operator. | Format: "Operator:{Condition key:[Value 1,Value 2]}" (condition keys are case-insensitive). If you set multiple conditions, the policy applies only when all of them are met. Example: "StringEndWithIfExists":{"g:UserName":["specialCharacter"]} makes the statement valid only for users whose names end with specialCharacter. |
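To make the matching and evaluation rules in the table concrete, here is a small reference evaluator, added as an example and not part of the Huawei Cloud IAM documentation or service. It loads the OBS policy from the top of the page, adds a constructed Deny statement (an assumption, not on the page) to show deny precedence, matches Action and Resource with case-insensitive `*`/`?` wildcards, requires every Condition to hold, and treats the `...IfExists` suffix as "pass when the key is absent". The resource URN values and the request context are constructed samples; only the two condition operators that appear on the page are implemented.

```python
import re

# Constructed sample: the page's OBS policy plus an added Deny statement
# (assumed, for demonstrating deny precedence on one resource pattern).
SAMPLE_POLICY = {
    "Version": "5.0",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:bucket:getBucketLocation",
                "obs:bucket:headBucket",
                "obs:bucket:listAllMyBuckets",
                "obs:bucket:listBucket",
            ],
            "Condition": {
                "StringEndWithIfExists": {"g:UserName": ["specialCharacter"]},
                "Bool": {"g:MFAPresent": ["true"]},
            },
        },
        {
            "Effect": "Deny",
            "Action": ["obs:bucket:listBucket"],
            # Constructed URN pattern following the page's format
            # <service-name>:<region>:<account-id>:<type-name>:<resource-path>
            "Resource": ["obs:*:*:bucket:restricted-*"],
        },
    ],
}


def wildcard_match(pattern, value):
    """Case-insensitive match where '*' is any run of characters and '?' is one."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.fullmatch("".join(parts), value, re.IGNORECASE) is not None


def any_match(patterns, value):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(wildcard_match(p, value) for p in patterns)


def condition_holds(operator, key, expected, ctx):
    """Evaluate one (operator, key) pair against the request context."""
    actual = ctx.get(key)
    if operator == "StringEndWithIfExists":
        if actual is None:
            return True  # IfExists: absent key does not block the statement
        return any(str(actual).endswith(v) for v in expected)
    if operator == "Bool":
        if actual is None:
            return False
        return str(actual).lower() in {v.lower() for v in expected}
    raise ValueError(f"unsupported condition operator: {operator}")


def statement_applies(stmt, action, resource, ctx):
    # Action lists what is covered; NotAction covers everything outside the list.
    if "Action" in stmt:
        if not any_match(stmt["Action"], action):
            return False
    elif "NotAction" in stmt:
        if any_match(stmt["NotAction"], action):
            return False
    else:
        return False
    # A statement without Resource applies to any resource (as in the page's example).
    if "Resource" in stmt and not any_match(stmt["Resource"], resource):
        return False
    # Every condition operator and every key under it must hold.
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            if not condition_holds(operator, key, expected, ctx):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Implicit deny unless an Allow matches; any matching Deny wins outright."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    ctx = {"g:UserName": "alice_specialCharacter", "g:MFAPresent": "true"}
    print(evaluate(SAMPLE_POLICY, "obs:bucket:listBucket",
                   "obs:cn-north-4:123456:bucket:public-site", ctx))
```

Run it with a request context to see how a missing MFA flag, a user name that does not end with `specialCharacter`, or a resource matching the Deny pattern each flip the result to Deny, while an absent `g:UserName` still passes the `IfExists` operator.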