tencent cloud

Feedback

User Policy

Last updated: 2024-03-25 15:51:41
    In the CAM console, you can use your Tencent Cloud root account to create CAM users and grant them with Tencent Cloud resource permissions by associating them with policies.

    Overview

    In CAM, you can grant different permissions to different types of users under your root account. These permissions are described in the access policy language and are granted by user, so they are called user policies.

    Differences between a user policy and a bucket policy

    The biggest difference between a user policy and a bucket policy is that the user policy only describes effect, action, resource, and condition (optional), but not principal. Therefore, for a user policy:
    You need to write a user policy first, and then associate it manually with a sub-user, a user group or a role.
    A user policy cannot grant anonymous users access to resources or operations.

    Preset policy and custom policy

    User policies are classified into preset policies and custom policies. You can associate a preset policy for authorization or write a user policy and associate it for authorization. For more information, see CAM's Authorization Guide.

    Application Scenarios

    If you want to specify what operations a user can perform, you are advised to configure user policy. You can search for a CAM user and check the permissions of the user's user groups to see what operations the user can perform. A user policy is recommended in scenarios where you want to:
    Configure COS service-level permissions such as the permissions for bucket creation (PutBucket) and bucket listing (GetService).
    Grant permissions on all COS buckets and objects under your root account.
    Grant the same permissions to a large number of CAM users under the root account.

    User Policy Syntax

    Policy syntax

    Same as a bucket policy, a user policy is described in JSON language and its syntax complies with the unified specifications of the access policy language. The access policy language contains the following basic elements: principal, effect, action, resource, and condition. However, a user policy is directly associated with a user or user group, and therefore you do not need to specify the principal element in a user policy.
    The following table compares a user policy and a bucket policy:
    Element
    User Policy
    Bucket Policy
    Principal
    No input
    Required
    Effect
    Required
    Required
    Action
    Required
    Required
    Resource
    Required
    Resources in the current bucket
    Condition
    Optional
    Optional

    Policy examples

    The following typical user policy example grants the permission to perform all COS operations on the bucket examplebucket-1250000000 in Guangzhou. You need to save the policy and then associate it with a CAM sub-user, a user group or a role before it takes effect.
    {
    "Statement": [
    {
    "Effect": "Allow",
    "Action": ["cos:*"],
    "Resource": [
    "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*",
    "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/"
    ]
    }
    ],
    "Version": "2.0"
    }

    Granting Sub-account COS Access Permission with User Policy

    Prerequisites

    You have already created a CAM sub-account. If you haven't, see Create a sub-account to create one.

    Directions

    CAM provides preset policies and custom policies. A preset policy is a policy preset in the system provided by CAM. For COS related preset policies, see Preset Policy. A custom policy allows users to customize elements such as resources and actions. The following describes how to create a custom policy to grant permissions to a sub-account:
    1. Log in to the CAM console.
    2. Choose Policy > Create Custom Policy > Create by Policy Syntax to go to the policy creation page.
    3. You can select Blank Template to customize a permission policy as needed or select a COS-associated system template. The following uses Blank Template as an example.
    4. Select Blank Template and enter your policy syntax.The policy syntax must contain the following elements:
    resource: resource to authorize access to
    All resources ("*")
    Specified bucket ("qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*")
    Specified directory or object in a bucket ("qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/test/*")
    action: action to authorize
    effect: select "Allow" or "Deny"
    condition: optional
    COS provides user policy examples. You can copy and paste the policy content in the following documents into the Policy Content box and click Done.
    5. After creating the policy, you can go to Policy > Custom Policy in the CAM console to view the created custom policy and associate it with sub-accounts.
    6. Select the sub-account and click Confirm to complete the authorization.

    Preset Policy

    1. CAM provides some preset policies. You can view them (filtered by "COS") in Policy > Preset Policy in the CAM console.
    2. Click a policy name and choose Policy Syntax > JSON to view the policy context. In a preset policy, resource is set to "*" (indicating all resources in COS) and its value cannot be modified. If you want to grant permissions on certain COS buckets or objects, you can copy the JSON preset policy to create a Custom Policy.
    Table 1 and Table 2 list the COS related preset policies provided by CAM and related descriptions.
    Table 1. COS Preset Policies
    Preset Policy
    Description
    JSON Policy
    QcloudCOSBucketConfigRead
    Permission to read COS bucket configuration
    
    
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cos:GetBucket*",
    "cos:HeadBucket"
    ],
    "resource": "*"
    }
    ]
    }
    
    QcloudCOSBucketConfigWrite
    Permission to modify COS bucket configuration
    
    
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cos:PutBucket*"
    ],
    "resource": "*"
    }
    ]
    }
    
    QcloudCOSDataFullControl
    Permission to read, write, delete, and list data in the COS bucket (all access permissions)
    
    
    {
    "version": "2.0",
    "statement": [
    {
    "effect": "allow",
    "action": [
    "cos:GetService",
    "cos:GetBucket",
    "cos:ListMultipartUploads",
    "cos:GetObject*",
    "cos:HeadObject",
    "cos:GetBucketObjectVersions",
    "cos:OptionsObject",
    "cos:ListParts",
    "cos:DeleteObject",
    "cos:PostObject",
    "cos:PostObjectRestore",
    "cos:PutObject*",
    "cos:InitiateMultipartUpload",
    "cos:UploadPart",
    "cos:UploadPartCopy",
    "cos:CompleteMultipartUpload",
    "cos:AbortMultipartUpload",
    "cos:DeleteMultipleObjects",
    "cos:AppendObject"
    ],
    "resource": "*"
    }
    ]
    }
    
    
    Table 2. Relationships between COS actions and preset policies
    Action Purpose
    Action
    QcloudCOS
    Bucket
    ConfigRead
    QcloudCOS
    Bucket
    ConfigWrite
    QcloudCOS
    Data
    FullControl
    QcloudCOS
    Data
    ReadOnly
    QcloudCOS
    Data
    WriteOnly
    QcloudCOS
    Ful
    Access
    QcloudCOS
    GetService
    Access
    QcloudCOS
    ListOnly
    QcloudCOS
    Read
    OnlyAccess
    List buckets
    GetService
    Create a bucket
    PutBucket
    Delete a bucket
    DeleteBucket
    Get basic bucket information
    HeadBucket
    Get bucket configuration items
    GetBucket*
    Modify bucket configuration items
    GetBucket*
    Get bucket access permissions
    GetBucketAcl
    Modify bucket access permissions
    PutBucketAcl
    List objects in a bucket
    GetBucket
    List all objects in a bucket and their historical version information
    GetBucketObjectVersions
    Upload an object
    PutObject
    Multipart upload
    ListParts InitiateMultipartUpload UploadPart UploadPartCopy CompleteMultipartUpload AbortMultipartUpload ListMultipartUploads
    Append an object
    AppendObject
    Download an object
    GetObject
    View object metadata
    HeadObject
    Issue a preflight request for CORS
    OptionsObject

    More User Policy Examples

    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support