Updated on 2025-11-07 GMT+08:00

Policy Grammar

This section provides the formal grammar for JSON identity policies in IAM, to help you understand how to construct and validate policies.

JSON View of a Policy

Policies are expressed in JSON on the IAM console. When you create or edit a JSON policy, IAM can validate the policy to help you create a valid policy. IAM can identify JSON syntax errors, and IAM Access Analyzer provides additional policy checks and recommendations to help you optimize your policies. For more information about IAM Access Analyzer policy checks, see Validating Custom Identity Policies.

The following are basic JSON rules:

  • Spaces are allowed between entities.
  • Values are enclosed in quotation marks.
  • Most JSON elements can use JSON arrays as values. An array can contain one or more values. If an array contains multiple values, the values are enclosed in square brackets ([ and ]) and separated by commas (,), as shown in the following example:
    "Action": ["iam:users:createUserV5", "iam:users:getUserV5", "iam:users:listUsersV5", "iam:users:deleteUserV5"]
  • Basic JSON data types (boolean, number, and string) must comply with RFC 7159.

Conventions

Grammar uses the following conventions:

  • The following characters are structure characters of JSON and are contained in policies:

    { } [ ] " , :

  • The following characters are special characters of the policy grammar. They describe the grammar itself and do not appear in policies:

    = < > ( ) |

  • If an element allows multiple values, the grammar shows this with repeated values separated by commas (,) and followed by an ellipsis (...). Example:

    [<action_string>, <action_string>, ...]

    Where multiple values are allowed, a single value is also valid. If there is only one value, do not add a comma (,) after it.

  • The question mark (?) after an element indicates that the element is optional. Example:

    <sid_block?>

  • The vertical bar (|) between elements indicates alternatives: exactly one of the elements is used. In the grammar, parentheses define the scope of the alternatives. Example:

    ("Action" | "NotAction")

  • Elements that must be strings are enclosed in double quotation marks (" "). Example:

    <version_block> = "Version" : ("5.0")

Grammar

The following example describes the complete policy grammar. For conventions used in this example, see Conventions. For more details, see Policy Grammar Notes.
policy = {
  <version_block>,
  <statement_block>
}

<version_block> = "Version" : ("5.0")

<statement_block> = "Statement" : [ <policy_statement>, <policy_statement>, ... ]

<policy_statement> = {
  <sid_block?>,
  <effect_block>,
  <action_block>,
  <resource_block?>,
  <condition_block?>
}

<sid_block> = "Sid" : <sid_string>

<effect_block> = "Effect" : ("Allow" | "Deny")

<action_block> = ("Action" | "NotAction") : [ <action_string>, <action_string>, ... ]

<resource_block> = "Resource" : [ <resource_string>, <resource_string>, ... ]

<condition_block> = "Condition" : { <condition_map> }

<condition_map> = {
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  ...
}

<condition_value_list> = ( <condition_value> | [ <condition_value>, <condition_value>, ... ] )

<condition_value> = "string"

Policy Grammar Notes

  • An identity policy cannot exceed 6,144 bytes.
  • An identity policy can contain a set of statements.
  • An element cannot contain multiple instances of the same key. For example, you cannot include two "Effect" blocks in the same statement.
  • The order of the blocks does not matter. For example, in an identity policy, the effect_block, principal_block, and action_block can appear in any order within a statement.
  • The principal_block should be included in resource policies (for example, OBS bucket policies and IAM trust policies) rather than identity policies.
  • Each string value (sid_string, action_string, resource_string, condition_key_string, condition_type_string) has its own required format or allowed value.
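The grammar and notes above are precise enough to check mechanically. The following Python is an added example, not Huawei Cloud's own validator: it checks a policy document for the 6,144-byte limit, the Version/Statement skeleton, repeated keys within one object, exactly one of Action or NotAction per statement, the three-part action_string format (with wildcards, or a bare "*"), and the string-or-list shape of condition values. The action_string regular expression, the error wording and the two sample policies are this example's own constructions.

```python
import json
import re

# The byte limit and element names come from this page; everything else is this example's own.
MAX_POLICY_BYTES = 6144
STATEMENT_KEYS = {"Sid", "Effect", "Action", "NotAction", "Resource", "Condition"}
# <service-name>:<type-name>:<action-name> with wildcards allowed, or the bare "*" shown on the page
ACTION_RE = re.compile(r"^(\*|[^:\s]+:[^:\s]+:[^:\s]+)$")


class DuplicateKeyError(ValueError):
    """One JSON object repeats a key; json.loads would otherwise keep the last copy silently."""


def _reject_duplicate_keys(pairs):
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise DuplicateKeyError(key)
        seen.add(key)
    return dict(pairs)


def _is_string_list(value):
    return isinstance(value, list) and bool(value) and all(isinstance(v, str) for v in value)


def _check_condition(cond, where, errors):
    # "Condition" : { <condition_type_string> : { <condition_key_string> : <condition_value_list> } }
    if not isinstance(cond, dict) or not cond:
        errors.append(f"{where}: Condition must be a non-empty object")
        return
    for ctype, keymap in cond.items():
        if not isinstance(keymap, dict) or not keymap:
            errors.append(f"{where}: condition type {ctype!r} must map to a non-empty object")
            continue
        for ckey, values in keymap.items():
            # <condition_value_list> = ( <condition_value> | [ <condition_value>, ... ] ), strings only
            if not (isinstance(values, str) or _is_string_list(values)):
                errors.append(f"{where}: condition key {ckey!r} needs a string or a list of strings")


def _check_statement(stmt, where, errors):
    if not isinstance(stmt, dict):
        errors.append(f"{where}: statement must be an object")
        return
    unknown = set(stmt) - STATEMENT_KEYS
    if unknown:
        errors.append(f"{where}: unknown element(s) {sorted(unknown)}")
    if stmt.get("Effect") not in ("Allow", "Deny"):
        errors.append(f'{where}: Effect must be "Allow" or "Deny"')
    # <action_block> = ("Action" | "NotAction"): exactly one of the two alternatives
    present = [k for k in ("Action", "NotAction") if k in stmt]
    if len(present) != 1:
        errors.append(f"{where}: exactly one of Action or NotAction is required")
    for key in present:
        if not _is_string_list(stmt[key]):
            errors.append(f"{where}: {key} must be a non-empty list of strings")
            continue
        for action in stmt[key]:
            if not ACTION_RE.match(action):
                errors.append(f"{where}: malformed action_string {action!r}")
    if "Resource" in stmt and not _is_string_list(stmt["Resource"]):
        errors.append(f"{where}: Resource must be a non-empty list of strings")
    if "Condition" in stmt:
        _check_condition(stmt["Condition"], where, errors)


def validate_policy(text):
    """Return the grammar violations found; an empty list means the policy is well-formed."""
    errors = []
    if len(text.encode("utf-8")) > MAX_POLICY_BYTES:
        errors.append(f"policy exceeds {MAX_POLICY_BYTES} bytes")
    try:
        policy = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    except DuplicateKeyError as exc:
        return errors + [f"duplicate key {exc.args[0]!r} in the same object"]
    except json.JSONDecodeError as exc:
        return errors + [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(policy, dict):
        return errors + ["policy must be a JSON object"]
    if policy.get("Version") != "5.0":
        errors.append('Version must be "5.0"')
    unknown = set(policy) - {"Version", "Statement"}
    if unknown:
        errors.append(f"unknown top-level element(s) {sorted(unknown)}")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return errors + ["Statement must be a non-empty array"]
    for i, stmt in enumerate(statements):
        _check_statement(stmt, f"Statement[{i}]", errors)
    return errors


# Constructed sample policies (not taken from the page): one well-formed, one with several defects.
GOOD_POLICY = """{"Version": "5.0", "Statement": [{"Sid": "AllowUserReads", "Effect": "Allow",
  "Action": ["iam:users:getUserV5", "iam:users:listUsersV5"], "Resource": ["iam:*:*:user:*"],
  "Condition": {"StringEquals": {"g:UserName": ["bob", "alice"]}}}]}"""
BAD_POLICY = """{"Version": "1.1", "Statement": [{"Effect": "Permit", "Action": ["iam:users"],
  "NotAction": ["*"], "Condition": {"Bool": {"iam:ResourceIsRootUser": true}}}]}"""

if __name__ == "__main__":
    print("good:", validate_policy(GOOD_POLICY))
    for err in validate_policy(BAD_POLICY):
        print("bad:", err)
```

The duplicate-key check matters because `json.loads` by default keeps the last value of a repeated key, so a policy with two "Effect" entries would parse without complaint; the `object_pairs_hook` sees every pair before the object is built and can refuse it.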

Notes About String Values

This section provides details about the string values used in different elements of a policy.

  • action_string

    An Action consists of three parts and is case-insensitive. The format is as follows:

    <service-name>:<type-name>:<action-name>

    • service-name: abbreviation of a cloud service name, for example, 'ecs' and 'vpc'.
    • type-name: cloud service resource type
    • action-name: operation name
    You can also use wildcards in action_string. The following is an example:
    "Action": [
        "iam:users:createUserV5",
        "iam:users:getUserV5",
        "iam:users:listUsersV5",
        "iam:users:deleteUserV5"
    ]
    
    "Action": [
        "IAM:*:*"
    ]
    
    "Action": [
        "*"
    ]
  • sid_string
    A statement identifier. The following is an example:
    "Sid": "11"
    
    "Sid": "ThisStatementID"
  • resource_string
    URN of a resource. For details about URNs, see Using URNs to Identify Huawei Cloud Resources. You can use wildcards in the resource part of the URN. The following is an example:
    "Resource": [
        "iam:*:*:user:*"
    ]
  • condition_type_string
    Condition type, for example, StringEquals and Bool. For the complete list of condition types, see operators in "JSON Element Reference".
    "Condition": {
        "StringEquals": {
            "g:UserName": [
                "bob"
            ]
        }
    }
  • condition_key_string
    Condition key, for example, iam:ResourceIsRootUser. Condition keys are classified into global condition keys (prefix: g:) and service-specific condition keys (the prefix is the service abbreviation). Global condition keys apply to all operations. For the complete list of global condition keys, see Global Condition Key. Service-specific condition keys apply only to operations of the corresponding service. For details, see Actions Supported by Identity Policy-based Authorization. Then, open the chapter of the specified cloud service and navigate to the "Conditions" section.
    "Condition": {
        "Bool": {
            "iam:ResourceIsRootUser": [
                "true"
            ]
        }
    }
  • condition_value_list
    Value of condition_key_string. The value determines whether the condition is met. For the values of condition types, see operators in "JSON Element Reference".
    "Condition": {
        "ForAllValues:StringEquals": {
            "g:UserName": [
                "bob",
                "alice"
            ]
        }
    }
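The string values described above are matched, not just parsed: action_string is case-insensitive and wildcarded, resource_string is a wildcarded URN, and a Condition holds operator-to-key-to-values maps. The following Python is an added example that models those matching rules; it is not Huawei Cloud's evaluation engine. It implements only the operators shown on this page (StringEquals, Bool, and the ForAllValues: prefix), and it assumes that Deny takes precedence over Allow, that a condition key absent from the request means the condition is not met, and that URNs match case-sensitively. The sample policy, the URN and the request context are constructed.

```python
import fnmatch

# Added illustration of the matching rules on this page; not Huawei Cloud's evaluation engine.
# Assumed here: Deny wins over Allow, a missing context key means the condition is not met,
# and resource URNs match case-sensitively.


def action_matches(pattern, requested):
    """True if a policy action_string such as "IAM:*:*" or "*" covers the requested action.

    Actions are case-insensitive, so both sides are lower-cased; wildcards are matched
    segment by segment across <service-name>:<type-name>:<action-name>.
    """
    if pattern == "*":
        return True
    p_parts, r_parts = pattern.lower().split(":"), requested.lower().split(":")
    return len(p_parts) == len(r_parts) == 3 and all(
        fnmatch.fnmatchcase(r, p) for p, r in zip(p_parts, r_parts))


def resource_matches(pattern, urn):
    """Wildcard match of a resource_string such as "iam:*:*:user:*" against a full URN."""
    return fnmatch.fnmatchcase(urn, pattern)


def condition_met(condition, context):
    """Evaluate a Condition block against a request context of {condition_key: str | [str]}.

    Every operator/key entry must hold. Bool is compared as the strings "true"/"false",
    the way the page writes the value; ForAllValues: requires every request value to be
    among the policy's values.
    """
    for operator, keymap in condition.items():
        set_prefix, _, base = operator.rpartition(":")
        if base not in ("StringEquals", "Bool") or set_prefix not in ("", "ForAllValues"):
            raise NotImplementedError(f"operator {operator!r} is not modelled in this example")
        for key, wanted in keymap.items():
            wanted = [wanted] if isinstance(wanted, str) else list(wanted)
            actual = context.get(key)
            if actual is None:
                return False
            actual = [actual] if isinstance(actual, str) else list(actual)
            if set_prefix == "ForAllValues":
                ok = all(a in wanted for a in actual)
            else:
                ok = len(actual) == 1 and actual[0] in wanted  # plain operators take one value
            if not ok:
                return False
    return True


def statement_applies(stmt, action, urn, context):
    """Does the statement's Action/NotAction, Resource and Condition cover this request?"""
    if "Action" in stmt:
        covered = any(action_matches(p, action) for p in stmt["Action"])
    else:  # NotAction: everything except the listed actions
        covered = not any(action_matches(p, action) for p in stmt["NotAction"])
    if not covered:
        return False
    if "Resource" in stmt and not any(resource_matches(p, urn) for p in stmt["Resource"]):
        return False
    return condition_met(stmt.get("Condition", {}), context)


def effect_for(policy, action, urn, context):
    """Return "Deny" if any applicable statement denies, "Allow" if one allows, else None."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, action, urn, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


# Constructed sample policy, URN and request context (not from the page).
SAMPLE_POLICY = {
    "Version": "5.0",
    "Statement": [
        {"Sid": "ReadUsers", "Effect": "Allow",
         "Action": ["iam:users:getUserV5", "iam:users:listUsersV5"],
         "Resource": ["iam:*:*:user:*"],
         "Condition": {"StringEquals": {"g:UserName": ["bob", "alice"]}}},
        {"Sid": "HandsOffRootUser", "Effect": "Deny", "Action": ["IAM:*:*"],
         "Condition": {"Bool": {"iam:ResourceIsRootUser": ["true"]}}},
    ],
}
SAMPLE_URN = "iam:region-1:000000000000:user:bob"

if __name__ == "__main__":
    ctx = {"g:UserName": "bob", "iam:ResourceIsRootUser": "false"}
    print(effect_for(SAMPLE_POLICY, "iam:users:getUserV5", SAMPLE_URN, ctx))  # Allow
    ctx["iam:ResourceIsRootUser"] = "true"
    print(effect_for(SAMPLE_POLICY, "iam:users:getUserV5", SAMPLE_URN, ctx))  # Deny
```

Segment-wise matching keeps "iam:users:get*" from covering "iam:groups:getGroupV5", while the page's "IAM:*:*" example still covers every IAM action regardless of the letter case in which the request names it.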