- Release Notes and Announcements
- Release Notes
- [Oct. 2022] Discontinuing the Free Tier of Outbound Traffic and Introducing a New Pricing Plan
- Direct Connect Resource Lifecycle Standardization
- Dec. 31, 2022 - Migration of Direct Connect Cross-Region Tunnel Service to CCN
- Redundant Direct Connect Gateway Clearance
- Jun. 1, 2022 - Starts Commercialization of Shared Tunnel Service
- [Dec 1, 2020] Free Trial Period Extension and Billing Rule Change for Direct Connect Outbound Traffic
- Aug. 1, 2020 - Service Change Notice
- Dec. 31, 2021 - Direct Connect 2.0 Released
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Cloud Access Management
- Best Practices
- Connecting a Local IDC to CVM by Using a VPC NAT Gateway and Direct Connect
- Hybrid Cloud Primary/Secondary Communication (DC and VPN)
- Best Practices on Direct Connect High Availability and Hybrid Cloud Network
- Migrating Cross-Region Dedicated Tunnel to CCN
- Migrating IDC to the Cloud Through CCN
- Accelerating Routing Convergence Through BGP+BFD (Layer 3)
- IDC Local Configuration
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Direct Connect APIs
- RejectDirectConnectTunnel
- ModifyDirectConnectTunnelAttribute
- DescribeDirectConnectTunnels
- DeleteDirectConnectTunnel
- CreateDirectConnectTunnel
- AcceptDirectConnectTunnel
- ModifyDirectConnectAttribute
- DescribeDirectConnects
- DescribeAccessPoints
- DeleteDirectConnect
- CreateDirectConnect
- ReleaseInternetAddress
- EnableInternetAddress
- DisableInternetAddress
- DescribeInternetAddressStatistics
- DescribeInternetAddressQuota
- DescribeInternetAddress
- ApplyInternetAddress
- Data Types
- Error Codes
- FAQ
- Troubleshooting
- Agreements
- Contact Us
- Glossary
- Release Notes and Announcements
- Release Notes
- [Oct. 2022] Discontinuing the Free Tier of Outbound Traffic and Introducing a New Pricing Plan
- Direct Connect Resource Lifecycle Standardization
- Dec. 31, 2022 - Migration of Direct Connect Cross-Region Tunnel Service to CCN
- Redundant Direct Connect Gateway Clearance
- Jun. 1, 2022 - Starts Commercialization of Shared Tunnel Service
- [Dec 1, 2020] Free Trial Period Extension and Billing Rule Change for Direct Connect Outbound Traffic
- Aug. 1, 2020 - Service Change Notice
- Dec. 31, 2021 - Direct Connect 2.0 Released
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Cloud Access Management
- Best Practices
- Connecting a Local IDC to CVM by Using a VPC NAT Gateway and Direct Connect
- Hybrid Cloud Primary/Secondary Communication (DC and VPN)
- Best Practices on Direct Connect High Availability and Hybrid Cloud Network
- Migrating Cross-Region Dedicated Tunnel to CCN
- Migrating IDC to the Cloud Through CCN
- Accelerating Routing Convergence Through BGP+BFD (Layer 3)
- IDC Local Configuration
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Direct Connect APIs
- RejectDirectConnectTunnel
- ModifyDirectConnectTunnelAttribute
- DescribeDirectConnectTunnels
- DeleteDirectConnectTunnel
- CreateDirectConnectTunnel
- AcceptDirectConnectTunnel
- ModifyDirectConnectAttribute
- DescribeDirectConnects
- DescribeAccessPoints
- DeleteDirectConnect
- CreateDirectConnect
- ReleaseInternetAddress
- EnableInternetAddress
- DisableInternetAddress
- DescribeInternetAddressStatistics
- DescribeInternetAddressQuota
- DescribeInternetAddress
- ApplyInternetAddress
- Data Types
- Error Codes
- FAQ
- Troubleshooting
- Agreements
- Contact Us
- Glossary
This document describes CAM access policy syntax and use cases.
CAM Policy Syntax
CAM policy:
{"version":"2.0","statement":[{"effect":"effect","action":["action"],"resource":["resource"],"condition": {"key":{"value"}}}]}
version is required. Currently, only the value "2.0" is allowed.
statement describes the details of one or more permissions, and therefore contains the permission(s) of other elements such as
effect, action, resource, and condition. One policy has only one statement.1.1 effect is required. It describes the result of a statement. The result can be "allow" or an explicit "deny".
1.2 action is required. It describes the allowed or denied operation. An operation can be an API (prefixed with “name” or a feature set (a set of specific APIs prefixed with "permit").
1.3 resource is required. It describes the details of authorization. A resource is described in a six-segment format. Detailed resource definitions vary by product. For more information on how to specify a resource, see the documentation for the product whose resources you are writing a statement for.
1.4 condition is optional. It describes the condition for the policy to take effect. A condition consists of operator, action key, and action value. A condition value may contain information such as time and IP address. Some services allow you to specify additional values in a condition.
Policy Examples
Specify a full read/write permission policy for dedicated tunnel as follows:
Grant the sub-accounts all operation permissions for dedicated tunnels, such as creation and management.
Policy name: QcloudDCFullAccess
{"version": "2.0","statement": [{"action": ["dc:*"],"resource": "*","effect": "allow"}]}
Specify a read-only permission policy for dedicated tunnel as follows:
Grant the sub-account read-only permission for dedicated tunnels. The authorized sub-account can view all resources of the dedicated tunnels, but cannot create, update or delete resources.
Policy name: QcloudDCReadOnlyAccess
{"version": "2.0","statement": [{"action": ["dc:Describe*","dc:Is*"],"resource": "*","effect": "allow"}]
Yes
No
Was this page helpful?