Policy Syntax
A CAM policy has the following structure:
{
  "version": "2.0",
  "statement": [
    {
      "effect": "effect",
      "action": ["action"],
      "resource": ["resource"],
      "condition": {"key": {"value": "example_value"}}
    }
  ]
}
Parameter Description
version: This field is required and currently only allows the value "2.0".
statement: Describes the details of one or more permissions. It contains the permission, or set of permissions, defined by the other elements such as effect, action, resource, and condition. A policy has exactly one statement element.
action: Describes the operations that are allowed or denied. An action can be an API (described with the name prefix) or a feature set (a set of specific APIs described with the permid prefix). This element is required.
resource: Describes the specific data being authorized. Resources are described in a six-segment format. This element is required. For a detailed description, see Resource Six-Segment Description below.
condition: Describes the constraints under which the policy takes effect. Conditions consist of operators, keys, and values. Condition values may include information such as time and IP addresses. This element is optional.
effect: Describes whether the statement results in an allow or an explicit deny. The two possible values are allow and deny (explicit deny). This element is required.
Resource Six-Segment Description
qcs: Short for qcloud service, indicating Tencent Cloud resources. This field is required.
project_id: Describes project information. It exists only for compatibility with CAM's early logic; leave it empty unless it is needed.
service_type: Product abbreviation. Cloud Infinite is ci.
region: Region information, for example, ap-shanghai.
account: The primary account information of the resource owner, for example, uid/1250000001.
resource: Details of the specific resource, for example, bucket/examplebucket-1250000001/*.
For example, to specify a single bucket (examplebucket-1250000001), describe it in the statement as follows:
"resource":["qcs::ci:ap-shanghai:uid/1250000001:bucket/examplebucket-1250000001/*"]
To specify multiple resources in one statement, separate them with commas. The following is an example of specifying two resources:
"resource":["resource1","resource2"]
Authorization Example
The following is a syntax example for granting a sub-account permission to submit Media Processing task information in Bucket examplebucket-1250000001.
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "name/ci:CreateMediaJobs"
      ],
      "resource": [
        "qcs::ci:ap-shanghai:uid/1250000001:bucket/examplebucket-1250000001/*"
      ]
    }
  ]
}
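The rules above can be checked mechanically before a policy is attached to a sub-account. The following Python linter is an added example, not Tencent Cloud code: it checks only the constraints stated on this page (version, required elements, action prefixes, six-segment ci resources) and reports anything else for manual review. The function names and the sample policy are constructed here, and the slash after the permid prefix is an assumption.

```python
import json

SEGMENTS = ("qcs", "project_id", "service_type", "region", "account", "resource")

def parse_resource(value):
    """Split a six-segment resource string into named fields."""
    parts = value.split(":", 5)  # the last segment keeps any further colons
    if len(parts) != 6:
        raise ValueError(f"resource {value!r} is not in six-segment form")
    return dict(zip(SEGMENTS, parts))

def as_list(value):
    """Treat a missing element as empty and a bare string as a one-item list."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)

def lint_policy(text):
    """Return findings for a policy document; an empty list means none."""
    policy = json.loads(text)
    findings = []
    if policy.get("version") != "2.0":
        findings.append('version must be "2.0"')
    statements = policy.get("statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["statement must be a non-empty list"]
    for i, st in enumerate(statements):
        where = f"statement[{i}]"
        if st.get("effect") not in ("allow", "deny"):
            findings.append(f"{where}: effect must be allow or deny")
        actions, resources = as_list(st.get("action")), as_list(st.get("resource"))
        if not actions:
            findings.append(f"{where}: action is required")
        if not resources:
            findings.append(f"{where}: resource is required")
        for a in actions:
            if not a.startswith(("name/", "permid/")):  # permid/ form is assumed
                findings.append(f"{where}: action {a!r} has no name/ or permid/ prefix")
        for r in resources:
            try:
                seg = parse_resource(r)
            except ValueError as exc:
                findings.append(f"{where}: {exc}")
                continue
            if seg["qcs"] != "qcs" or seg["service_type"] != "ci":
                findings.append(f"{where}: resource {r!r} is not a qcs/ci resource")
    return findings

# Constructed sample: the empty project_id segment was dropped from the resource.
SAMPLE = '{"version":"2.0","statement":[{"effect":"allow","action":["name/ci:CreateMediaJobs"],"resource":["qcs:ci:ap-shanghai:uid/1250000001:bucket/examplebucket-1250000001/*"]}]}'
print(lint_policy(SAMPLE))
```

An empty project_id still occupies a segment, which is why the valid form begins with `qcs::ci` and the sample with a single colon is reported.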