Cloud Access Management

Product Introduction
CAM Overview
Features
Scenarios
Basic Concepts
Use Limits
User Types
Purchase Guide
Getting Started
Creating Admin User
Creating and Authorizing Sub-account
Logging In to Console with Sub-account
User Guide
Overview
Users
Access Key
User Groups
Role
Identity Provider
Policies
Permissions Boundary
Troubleshooting
Downloading Security Analysis Report
CAM-Enabled Role
Overview
Compute
Container
Microservice
Essential Storage Service
Data Process and Analysis
Data Migration
Relational Database
Enterprise Distributed DBMS
NoSQL Database
Database SaaS Tool
Database SaaS Service
Networking
CDN and Acceleration
Network Security
Data Security
Application Security
Domains & Websites
Big Data
Middleware
Interactive Video Services
Real-Time Interaction
Media On-Demand
Media Process Services
Media Process
Cloud Real-time Rendering
Game Services
Cloud Resource Management
Management and Audit Tools
Developer Tools
Monitor and Operation
More
CAM-Enabled API
Overview
Compute
Edge Computing
Container
Distributed cloud
Microservice
Serverless
Essential Storage Service
Data Process and Analysis
Data Migration
Relational Database
Enterprise Distributed DBMS
NoSQL Database
Database SaaS Tool
Networking
CDN and Acceleration
Network Security
Endpoint Security
Data Security
Business Security
Application Security
Domains & Websites
Office Collaboration
Big Data
Voice Technology
Image Creation
Tencent Big Model
AI Platform Service
Natural Language Processing
Optical Character Recognition
Middleware
Communication
Interactive Video Services
Real-Time Interaction
Stream Services
Media On-Demand
Media Process Services
Media Process
Cloud Real-time Rendering
Game Services
Education Sevices
Medical Services
Cloud Resource Management
Management and Audit Tools
Developer Tools
Monitor and Operation
More
Use Cases
Security Practical Tutorial
Multi-Identity Personnel Permission Management
Authorizing Certain Operations by Tag
Supporting Isolated Resource Access for Employees
Enterprise Multi-Account Permissions Management
Reviewing Employee Operation Records on Tencent Cloud
Implementing Attribute-Based Access Control for Employee Resource Permissions Management
During tag-based authentication, only tag key matching is supported
Business Use Cases
TencentDB for MySQL
CLB
CMQ
COS
CVM
VPC
VOD
Others
API Documentation
History
Introduction
API Category
Making API Requests
User APIs
Policy APIs
Role APIs
Identity Provider APIs
Data Types
Error Codes
FAQs
Role
Key
Others
CAM Users and Permissions
Glossary

Resource Description Method

Last updated: 2024-01-23 17:54:33
The resource element describes one or more operation objects, such as CVM instances or COS buckets, that an action applies to. This document describes how resources are written in CAM policies.

Definition of All Resources

If resource is *, it indicates all resources: the action (operation) permission is granted for every resource.
To authorize a Tencent Cloud service at the service level, or a service operation at the API level, enter * for resource. This grants the permission for all resources of that Tencent Cloud service, or the action permission for all resources.

Definition of One or Multiple Resources

You can describe the permissions of one or more resources in the following six-segment format for authorization. Each service has its own resources and its own detailed resource definition. The six-segment format is defined as follows:
qcs:project_id:service_type:region:account:resource
A six-segment resource description contains six fields, detailed below.

Field: qcs
Description and valid values: Tencent Cloud service abbreviation, which indicates a resource of Tencent Cloud.
Required: Yes
Example: qcs

Field: project_id
Description and valid values: Project information, which is only compatible with legacy CAM logic. It cannot be entered in the current policy syntax and should be left empty.
Required: No
Example: (empty)

Field: service_type
Description and valid values: Product (service) abbreviation. For more information, see "Abbreviation in CAM" in CAM-Enabled Products. If this field is left empty, it indicates all products.
Required: No
Example: CVM: cvm; CDN: cdn

Field: region
Description and valid values: Region information. For more information on region names, see "Region List" in Common Params. If this field is left empty, it indicates all regions.
Required: No
Example: North China (Beijing): ap-beijing; South China (Guangzhou): ap-guangzhou

Field: account
Description and valid values: Root account information of the resource owner. Either uin or uid can be used to describe the resource owner. uin is the root account ID, in uin/${uin} format. uid is the root account's APPID, in uid/${appid} format; only COS and CAS resource owners can be described this way. If this field is left empty, it indicates the root account of the CAM user creating the policy.
Required: No
Example: uin: uin/12345678; uid: uid/10001234

Field: resource
Description and valid values: Resource details of the product. A resource can be described in either of two formats: resource_type/${resourceid} and <resource_type>/<resource_path>. In resource_type/${resourceid}, resource_type is the resource prefix, which describes the resource type, and ${resourceid} is the specific resource ID, which can be viewed in the corresponding product console; * indicates all resources of this type. In <resource_type>/<resource_path>, resource_type is the resource prefix, which describes the resource type, and <resource_path> is the resource path; this format supports directory-level prefix match.
Required: Yes
Example: CVM: instance/ins-1; TencentDB for MySQL: instanceId/cdb-1; COS: prefix//10001234/bucket1/*, which indicates all files in bucket1. Various COS resource types are supported; for more information, see Working with COS API Authorization Policies.

Definition of CAM Resources

CAM resources include users, user groups, and policies. A CAM resource can be described as follows:

Root account

qcs::cam::uin/164256472:uin/164256472
Or
qcs::cam::uin/164256472:root

Sub-account

qcs::cam::uin/164256472:uin/73829520

Group

qcs::cam::uin/164256472:groupid/2340

All resources

*

Policy

qcs::cam::uin/12345678:policyid/*
Or
qcs::cam::uin/12345678:policyid/12423

Notes on Resources

A resource is always owned by a root account. A sub-account that creates a resource does not automatically gain access to it; the resource owner must authorize the sub-account.
Services such as COS and CAS support cross-account authorization for resource access. An authorized account can then pass the permissions on to its own sub-accounts through permission propagation.
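As an added example (not Tencent Cloud's own code), the following Python parser and matcher show how the six-segment format above is split and how a policy resource element is compared with a concrete resource, including the empty-segment defaults and the ownership rule in the notes. It assumes a policy_owner_uin argument standing in for the root account that created the policy, and treats a trailing * in the resource segment as the directory-level prefix match; both are assumptions, not documented CAM internals.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QcsResource:
    project_id: str
    service_type: str   # empty = all products
    region: str         # empty = all regions
    account: str        # 'uin/<uin>' or 'uid/<appid>'; empty = policy creator's root account
    resource_type: str  # resource prefix, e.g. instance, groupid, prefix
    resource_id: str    # resource ID, or a path for <resource_type>/<resource_path>


def parse_qcs(desc: str) -> "QcsResource | None":
    """Split a 'qcs:project_id:service_type:region:account:resource' string.
    Returns None for the special value '*' (all resources)."""
    if desc == "*":
        return None
    parts = desc.split(":", 5)  # the resource segment keeps any later ':'
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a six-segment description: {desc!r}")
    _, project_id, service_type, region, account, resource = parts
    if project_id:  # legacy-only field, not accepted by the current policy syntax
        raise ValueError("project_id must be left empty")
    if account and not account.startswith(("uin/", "uid/")):
        raise ValueError(f"account must be uin/... or uid/...: {account!r}")
    if not resource:
        raise ValueError("the resource segment is required")
    rtype, _, rid = resource.partition("/")  # 'prefix//1/b/*' -> ('prefix', '/1/b/*')
    return QcsResource(project_id, service_type, region, account, rtype, rid)


def covers(policy: str, requested: str, policy_owner_uin: str) -> bool:
    """True if the policy resource element `policy` describes the fully qualified
    resource `requested`. policy_owner_uin (assumed) fills an empty account segment."""
    pol = parse_qcs(policy)
    if pol is None:
        return True  # '*' grants every resource
    req = parse_qcs(requested)
    if req is None or not (req.service_type and req.region and req.account):
        raise ValueError("requested resource must be fully qualified")
    if pol.service_type and pol.service_type != req.service_type:
        return False
    if pol.region and pol.region != req.region:
        return False
    if (pol.account or f"uin/{policy_owner_uin}") != req.account:
        return False  # an empty account never reaches into another root account
    if pol.resource_type != req.resource_type:
        return False
    if pol.resource_id.endswith("*"):  # 'instance/*' or directory-level prefix match
        return req.resource_id.startswith(pol.resource_id[:-1])
    return pol.resource_id == req.resource_id
```

The last check is the one to keep in mind when reviewing policies: leaving account empty scopes the grant to the policy creator's own root account, so cross-account access has to be written out explicitly with the owner's uin or uid.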

Relevant Documents

For more information on service-specific resource definitions, see the corresponding product documentation in CAM-Enabled Products.
