Working with API Authorization Policies
Last updated: 2025-09-08 16:56:46
Note:
Grant a sub-user or collaborator only the minimum API operation permissions that the business requires. Granting permissions on all resources (resource:*) or for all operations (action:*) creates data security risks because the permission scope is excessive.

Overview

When using a temporary key to access Cloud Infinite (CI), the operation permissions required vary by API or series of APIs that you specify.
The authorization policy (policy) for CI APIs is a JSON string. For example, to grant permissions to create media processing, file zipping, and file preview tasks on the bucket examplebucket-1250000000 (APPID: 1250000000, region: ap-beijing, path prefix: doc), the policy is as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "ci:CreateFileProcessJobs",
                "ci:CreateDocProcessJobs",
                "ci:CreateMediaJobs"
            ],
            "effect": "allow",
            "resource": [
                "qcs::ci:ap-beijing:uid/1250000000:bucket/examplebucket-1250000000/doc/*"
            ]
        }
    ]
}
In this policy, ci:CreateFileProcessJobs creates a file processing job, ci:CreateDocProcessJobs creates a file preview job, and ci:CreateMediaJobs creates a media job.

Authorization Policy Element Description

Name: Description

version: Policy syntax version, which is 2.0 by default.

effect: Either allow (grant permission) or deny (explicit deny).

resource: The data that the policy authorizes operations on. It can be all resources, resources with a specified path prefix, resources with a specified absolute path, or a combination of these.
    Format: qcs::ci:{region}:uid/{appid}:bucket/{bucket}/{path}
    Typical authorization scenarios:
    1. Allow access to all objects: "*"
    2. Allow access to specified objects: "a/a1.txt", "b/b1.txt"
    3. Allow access to objects with specified prefixes: "a*", "a/*", "b/*"
    Note: If the path is in Chinese, keep it in Chinese. For example: examplebucket-125000000/folder/filename.txt.

action: The CI API operations being authorized. Specify one operation, a set of operations, or all operations (*) as required, for example ci:CreateMediaJobs. Action names are case-sensitive.

condition: Constraint conditions, which can be left blank. For details, see condition description.

For CI API authorization policies, please refer to Cloud Infinite Global Access Management.
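
A least-privilege check for policies of this shape, as an added example (not Tencent Cloud's code): it parses the policy as strict JSON, flags wildcard actions and resource "*", and validates each resource against the format above. BROAD_POLICY is constructed for the demonstration, and the rule that a bucket name ends in -{appid} is an assumption taken from the page's example.

```python
import json
import re

# Resource format from the element table:
# qcs::ci:{region}:uid/{appid}:bucket/{bucket}/{path}
RESOURCE_RE = re.compile(
    r"^qcs::ci:(?P<region>[^:]*):uid/(?P<appid>\d+)"
    r":bucket/(?P<bucket>[^/]+)/(?P<path>.+)$"
)

# The page's first policy, written as strict JSON.
PAGE_POLICY = """{"version": "2.0", "statement": [{
  "action": ["ci:CreateFileProcessJobs", "ci:CreateDocProcessJobs", "ci:CreateMediaJobs"],
  "effect": "allow",
  "resource": ["qcs::ci:ap-beijing:uid/1250000000:bucket/examplebucket-1250000000/doc/*"]
}]}"""

# Constructed over-broad policy for the demonstration (not from the page).
BROAD_POLICY = """{"version": "2.0", "statement": [
  {"action": ["*"], "effect": "allow", "resource": ["*"]},
  {"action": ["ci:CreateMediaJobs"], "effect": "allow",
   "resource": ["qcs::ci:ap-beijing:uid/1250000000:bucket/otherbucket-1259999999/doc/*"]}
]}"""

def as_list(value):
    """Treat a bare string as a one-item list (defensive assumption)."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(policy_json):
    """Return (statement index, finding, value) tuples for risky grants."""
    findings = []
    policy = json.loads(policy_json)  # strict: comments or trailing commas raise
    for idx, stmt in enumerate(policy.get("statement", [])):
        if stmt.get("effect") != "allow":
            continue  # deny statements do not widen access
        for action in as_list(stmt.get("action")):
            if "*" in action:
                findings.append((idx, "wildcard-action", action))
        for res in as_list(stmt.get("resource")):
            m = RESOURCE_RE.match(res)
            if res == "*":
                findings.append((idx, "all-resources", res))
            elif m is None:
                findings.append((idx, "bad-resource-format", res))
            # Assumption from the page's example: bucket names end in -{appid}.
            elif not m["bucket"].endswith("-" + m["appid"]):
                findings.append((idx, "appid-mismatch", res))
    return findings
```

lint_policy(PAGE_POLICY) returns an empty list, while BROAD_POLICY yields one finding per over-broad or inconsistent grant.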

Service API

Media Processing Task

Take the media transcoding API as an example. The API is CreateMediaJobs, so to grant permission to call it, the policy action should be ci:CreateMediaJobs.
Media tasks involve the following API permissions:
cos:GetObject - permission to get COS resources
ci:CreateMediaJobs - create a task
ci:CreateMediaTemplate - create a template
ci:UpdateMediaTemplate - update a template
ci:DescribeMediaJob - query a task
ci:DescribeMediaJobs - query the task list
ci:CancelMediaJob - cancel a task

Example

The following policy grants the media task permissions listed above on all objects in the bucket examplebucket-1250000000.
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "cos:GetObject",
                "ci:CreateMediaJobs",
                "ci:CreateMediaTemplate",
                "ci:UpdateMediaTemplate",
                "ci:DescribeMediaJob",
                "ci:DescribeMediaJobs",
                "ci:CancelMediaJob"
            ],
            "effect": "allow",
            "resource": [
                "qcs::ci:ap-beijing:uid/1250000000:bucket/examplebucket-1250000000/*"
            ]
        }
    ]
}

Using the SDK (Recommended)

The Cloud Infinite SDK provides a complete temporary key usage demo, service API integration, and signature calculation capabilities, so you can make API calls conveniently and efficiently. For details, see the SDK documentation.
