SCP Syntax
The following uses a custom policy for RAM as an example to describe the SCP syntax.
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ram:resourceShares:create"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "ForAnyValue:StringNotEquals": {
          "g:RequestTag/owner": [
            "Alice",
            "Jack"
          ]
        }
      }
    }
  ]
}
SCPs use a similar syntax to that used by IAM identity policies.
Policy Structure
A policy consists of a version and a single statement or an array of individual statements, each indicating a different action.

Policy Elements
The following table describes the policy elements (Version and Statement).
| Element | Mandatory | Description | Value |
|---|---|---|---|
| Version | Yes | Policy version. | 5.0 (cannot be customized) |
| Statement | | Permissions defined by a policy. Its sub-elements are listed in the rows below. | |
| Statement ID (Sid) | No | Identifier of a policy statement. You can assign a Sid value to each statement in a statement array. | A user-defined character string |
| Effect | Yes | Determines whether to allow or deny the operations defined in an action. | Deny |
| Action | Optional for Deny statements | Operations that the SCP allows or denies. | Format: "Service name:Resource type:Operation". For example, vpc:subnets:list indicates the permission to view the VPC subnet list, where vpc is the service name, subnets is the resource type, and list is the operation. |
| Condition | Optional for Deny statements | Determines when a policy takes effect. A condition consists of a condition key and a condition operator. | Format: "Condition operator:{Condition key:[Value 1,Value 2]}". If you configure multiple conditions, the policy applies only when all of them are met. Example: "StringEndWithIfExists":{"g:UserName":["specialCharacter"]} makes the statement valid only for users whose names end with specialCharacter. |
| Resource | No. If this element is not specified, * is used by default, meaning the SCP applies to all resources. | Resources that the SCP applies to. | Either * or a specific resource for Deny statements. Format: Service name:region:domain ID:Resource type:Resource path. Wildcard characters (*) are supported, indicating all resources. Example: "ecs:*:*:instance:*" represents all ECS instances. |
| NotResource | No. If it is not specified, see Resource. | Resources that the policy does not apply to. | |
The following elements are not supported in SCPs:
- Principal
- NotPrincipal
- NotAction
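The structural rules in the table and the list of unsupported elements above can be turned into a pre-commit check for SCP documents. The following validator is an added example, not code from this documentation or from the cloud provider; it checks the fixed version, the Action and Resource formats given in the table, the shape of Condition, and rejects Principal, NotPrincipal and NotAction. It accepts Allow or Deny for Effect because the Effect description speaks of allowing or denying (the table itself lists only Deny), and the `BAD_POLICY` sample below is constructed to show the failure messages.

```python
import json
import re

# Elements the page lists as unsupported in SCPs.
UNSUPPORTED_ELEMENTS = {"Principal", "NotPrincipal", "NotAction"}
# Action format from the table: "Service name:Resource type:Operation", e.g. vpc:subnets:list.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9-]+:[A-Za-z0-9-]+$")
# Resource format from the table: "Service name:region:domain ID:Resource type:Resource path",
# with * allowed in any segment, or a bare * meaning all resources.
RESOURCE_RE = re.compile(r"^(\*|[^:]+:[^:]*:[^:]*:[^:]+:.+)$")


def as_list(value):
    return value if isinstance(value, list) else [value]


def check_statement(index, st):
    where = f"Statement[{index}]"
    if not isinstance(st, dict):
        return [f"{where}: must be an object"]
    problems = []
    for element in sorted(UNSUPPORTED_ELEMENTS & set(st)):
        problems.append(f"{where}: {element} is not supported in SCPs")
    if "Sid" in st and not isinstance(st["Sid"], str):
        problems.append(f"{where}: Sid must be a string")
    effect = st.get("Effect")
    if effect not in ("Allow", "Deny"):
        problems.append(f"{where}: Effect must be Allow or Deny")
    # The table marks Action as optional only for Deny statements.
    if "Action" not in st and effect != "Deny":
        problems.append(f"{where}: Action is required unless Effect is Deny")
    for action in as_list(st.get("Action", [])):
        if not isinstance(action, str) or not ACTION_RE.match(action):
            problems.append(f"{where}: Action {action!r} is not service:resourcetype:operation")
    for element in ("Resource", "NotResource"):
        for res in as_list(st.get(element, [])):
            if not isinstance(res, str) or not RESOURCE_RE.match(res):
                problems.append(f"{where}: {element} {res!r} is not * or service:region:domain:type:path")
    condition = st.get("Condition", {})
    if not isinstance(condition, dict):
        problems.append(f"{where}: Condition must be an object keyed by operator")
    else:
        for operator, pairs in condition.items():
            if not isinstance(pairs, dict):
                problems.append(f"{where}: operator {operator} must map condition keys to values")
                continue
            for key, values in pairs.items():
                if not all(isinstance(v, str) for v in as_list(values)):
                    problems.append(f"{where}: values for {operator}/{key} must be strings")
    return problems


def validate_scp(policy_text):
    """Return the list of problems found; an empty list means the SCP passed these checks."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    problems = []
    if policy.get("Version") != "5.0":
        problems.append('Version must be "5.0" (cannot be customized)')
    statements = policy.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]  # a single statement object is allowed
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a statement object or a non-empty array"]
    for i, st in enumerate(statements):
        problems.extend(check_statement(i, st))
    return problems


# The page's own RAM example.
PAGE_POLICY = """{"Version": "5.0", "Statement": [{"Effect": "Deny",
  "Action": ["ram:resourceShares:create"], "Resource": ["*"],
  "Condition": {"ForAnyValue:StringNotEquals": {"g:RequestTag/owner": ["Alice", "Jack"]}}}]}"""

# Constructed counter-example: wrong version, unsupported elements, malformed Resource.
BAD_POLICY = """{"Version": "1.1", "Statement": {"Effect": "Deny", "Principal": "*",
  "NotAction": ["ram:resourceShares:create"], "Resource": "ram:cn-north-4"}}"""

if __name__ == "__main__":
    print("page example:", validate_scp(PAGE_POLICY) or "ok")
    for problem in validate_scp(BAD_POLICY):
        print("bad example:", problem)
```

Run it as a file and it reports an empty problem list for the page's example and one line per defect for the constructed bad policy; wiring `validate_scp` into a CI step keeps an unsupported element from reaching the organization in the first place.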
Condition Keys
A condition key is a key in the Condition element of a statement. The condition key that you specify can be a global condition key or a service-specific condition key. For details, see the condition keys supported by each service in Global Condition Keys.
Operators
A condition operator, a condition key, and a condition value together constitute a complete condition statement. A policy can be applied only when its request conditions are met. Operators can have the "IfExists" suffix added, which means the policy will take effect either if the corresponding request value does not exist or if it exists and meets the condition. For example, "StringEqualsIfExists" indicates that the policy will take effect if the request value does not exist or if it equals the condition value. For details, see Operators.
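To make the operator rules concrete, here is a small evaluator, added as an example and not code from this documentation or from the cloud provider, that applies an SCP to a request. It implements the StringEquals, StringNotEquals and StringEndWith operators mentioned on this page, the ForAnyValue and ForAllValues set prefixes, the IfExists suffix as described above, the AND of multiple conditions from the table, the default Resource of *, and NotResource. How a missing request value is treated when the operator carries no IfExists suffix is not stated on this page; the code treats it as a failed condition, which is an assumption. The policy is the page's RAM example plus a second constructed statement using the table's StringEndWithIfExists and ecs:*:*:instance:* examples; the action name ecs:cloudServers:delete and all request values are hypothetical.

```python
from fnmatch import fnmatchcase

# Base operators from the page; each takes one request value and the list of condition values.
BASE_OPERATORS = {
    "StringEquals": lambda req, values: req in values,
    "StringNotEquals": lambda req, values: req not in values,  # must differ from every value
    "StringEndWith": lambda req, values: any(req.endswith(v) for v in values),
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def parse_operator(name):
    """Split e.g. 'ForAnyValue:StringNotEqualsIfExists' into (set prefix, base operator, IfExists)."""
    set_prefix = None
    if ":" in name:
        set_prefix, name = name.split(":", 1)
    if_exists = name.endswith("IfExists")
    if if_exists:
        name = name[: -len("IfExists")]
    if name not in BASE_OPERATORS or set_prefix not in (None, "ForAnyValue", "ForAllValues"):
        raise ValueError(f"unsupported condition operator: {name}")
    return set_prefix, name, if_exists


def condition_matches(condition, context):
    """Every operator/key pair must hold: multiple conditions are ANDed, as the table says."""
    for operator, pairs in condition.items():
        set_prefix, base, if_exists = parse_operator(operator)
        test = BASE_OPERATORS[base]
        for key, values in pairs.items():
            values = as_list(values)
            if key not in context:
                if if_exists:
                    continue  # IfExists: a missing request value satisfies the condition
                return False  # assumption: without IfExists a missing key fails the condition
            request_values = as_list(context[key])
            if set_prefix == "ForAnyValue":
                ok = any(test(r, values) for r in request_values)
            elif set_prefix == "ForAllValues":
                ok = all(test(r, values) for r in request_values)
            else:  # no set prefix: the request key carries a single value
                ok = len(request_values) == 1 and test(request_values[0], values)
            if not ok:
                return False
    return True


def statement_matches(statement, request):
    # Assumption: a Deny statement without Action covers every action.
    actions = as_list(statement.get("Action", "*"))
    if not any(fnmatchcase(request["action"], a) for a in actions):
        return False
    if "Resource" in statement:  # * wildcards in any segment, e.g. ecs:*:*:instance:*
        if not any(fnmatchcase(request["resource"], r) for r in as_list(statement["Resource"])):
            return False
    elif "NotResource" in statement:
        if any(fnmatchcase(request["resource"], r) for r in as_list(statement["NotResource"])):
            return False
    # Neither element present: the table says * is used by default.
    return condition_matches(statement.get("Condition", {}), request.get("context", {}))


def scp_denies(policy, request):
    """True when any Deny statement of the SCP matches the request."""
    return any(st.get("Effect") == "Deny" and statement_matches(st, request)
               for st in as_list(policy["Statement"]))


# Constructed SCP: the page's RAM example plus a hypothetical ECS statement.
SCP = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Deny", "Action": ["ram:resourceShares:create"], "Resource": ["*"],
         "Condition": {"ForAnyValue:StringNotEquals": {"g:RequestTag/owner": ["Alice", "Jack"]}}},
        {"Effect": "Deny", "Action": ["ecs:cloudServers:delete"], "Resource": ["ecs:*:*:instance:*"],
         "Condition": {"StringEndWithIfExists": {"g:UserName": ["specialCharacter"]}}},
    ],
}


def request(action, resource, context=None):
    """Constructed request: the action, the target resource string and the condition-key context."""
    return {"action": action, "resource": resource, "context": context or {}}


if __name__ == "__main__":
    share = "ram:cn-north-4:0123456789:resourceShare:*"  # constructed resource string
    for owner in ("Alice", "Bob", ["Jack", "Bob"]):
        req = request("ram:resourceShares:create", share, {"g:RequestTag/owner": owner})
        print(f"owner={owner!r}: denied={scp_denies(SCP, req)}")
    instance = "ecs:cn-north-4:0123456789:instance:i-abc"
    print("no g:UserName, IfExists:", scp_denies(SCP, request("ecs:cloudServers:delete", instance)))
```

Two results are worth noting when reading the output: with ForAnyValue a single offending tag value ("Bob" next to "Jack") is enough for the Deny to apply, and because the second statement uses the IfExists suffix, a request that carries no g:UserName value at all is still denied, exactly as the paragraph above describes.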