Policy Syntax
Cloud Access Management (CAM) policy:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "effect",
            "action": ["action"],
            "resource": ["resource"]
        }
    ]
}
version: Required. Currently, only the value 2.0 is allowed.
statement: This element describes the details of one or more permissions. It contains the permissions or permission sets defined by other elements such as effect, action, resource, and condition. A policy has only one statement element.
effect: Required. This element describes the statement results. Valid values: allow and deny.
action: Required. This element describes the allowed or denied actions. Actions can be APIs (prefixed with cfg:).
resource: Required. This element describes the specific data of authorization. The resources are described in a six-segment format and the resource definition details vary by product.
TSA-CFG Operations
In the policy statement of TSA-Chaotic Fault Generator (TSA-CFG), you can specify any API operation from any service that supports TSA-CFG. For TSA-CFG, use APIs prefixed with cfg:. Example: cfg:CreateTask or cfg:CreateTemplate.
To specify multiple operations in a single statement, separate them with commas, as shown below:
"action":["cfg:action1","cfg:action2"]
You can also use wildcards to specify multiple operations. For example, you can specify all operations that begin with Describe, as shown below:
"action":["cfg:Describe*"]
If you want to specify all operations in the cloud database, use the * wildcard, as shown below:
TSA-CFG Resources
Each CAM policy statement is applicable to specific resources. The general format of resources is as follows:
qcs:project_id:service_type:region:account:resource
project_id: project information. This element is only for compatibility with early CAM logic and does not need to be filled in.
service_type: product abbreviation. Example: cfg.
region: region information. Example: ap-guangzhou.
account: root account of the resource owner. Example: uin/653339763.
resource: specific resource details of each product. Example: instanceId/instance_id1 or instanceId/*.
For example, you can specify the specific task ID (1) in the statement, as shown below:
"resource":[ "qcs::cfg:ap-guangzhou:uin/11111:taskid/1"]
You can also use the * wildcard to specify all instances belonging to a specific account, as shown below:
"resource":[ "qcs::cfg:ap-guangzhou:uin/11111:taskid/*"]
If you want to specify all resources or if a particular API action does not support resource-level authorization, use the * wildcard in the resource element, as shown below:
To specify multiple resources in one statement, separate them with commas. The following is an example of specifying two resources:
"resource":["resource1","resource2"]
The following table describes the resources available for TSA-CFG and the corresponding resource description methods. Words prefixed with $ are placeholders. For example, $region represents a region and $account represents an account ID.
| qcs::cfg:$region:$account:taskid/$TaskId |
| qcs::cfg::$account:templateid/$TemplateId |
| qcs::cfg::$account:actionid/$ActionId |
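The syntax, action, and resource rules above can be checked before a policy is attached. The following linter is an added example, not Tencent Cloud code: the names parse_resource, as_list, and lint_policy are hypothetical, the sample policy is constructed, and the warnings on broad allow statements are this example's own least-privilege convention rather than a CAM rule.

```python
import json

FIELDS = ("prefix", "project_id", "service_type", "region", "account", "resource")

def parse_resource(res):
    """Split a six-segment resource string into named fields; None if malformed."""
    parts = res.split(":", 5)  # project_id is usually empty, which gives "qcs::"
    if len(parts) != 6 or parts[0] != "qcs":
        return None
    return dict(zip(FIELDS, parts))

def as_list(value):
    """Accept a missing value, a single string, or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def lint_policy(text):
    """Return (level, message) findings for a CAM policy given as JSON text."""
    policy, out = json.loads(text), []
    if policy.get("version") != "2.0":
        out.append(("error", "version must be 2.0"))
    if not policy.get("statement"):
        out.append(("error", "statement is missing or empty"))
    for i, st in enumerate(policy.get("statement") or []):
        effect = st.get("effect")
        if effect not in ("allow", "deny"):
            out.append(("error", f"statement {i}: effect must be allow or deny"))
        actions, resources = as_list(st.get("action")), as_list(st.get("resource"))
        if not actions or not resources:
            out.append(("error", f"statement {i}: action and resource are required"))
        for act in actions:
            if act != "*" and not act.startswith("cfg:"):
                out.append(("warn", f"statement {i}: {act} is not a cfg: action"))
            elif effect == "allow" and act in ("*", "cfg:*"):
                out.append(("warn", f"statement {i}: allow on every action ({act})"))
        for res in resources:
            if res == "*" and effect == "allow":
                out.append(("warn", f"statement {i}: allow on every resource"))
            elif res != "*" and parse_resource(res) is None:
                out.append(("error", f"statement {i}: {res} is not six segments"))
    return out

# Constructed sample: statement 2 drops the empty project_id segment ("qcs:" not "qcs::").
SAMPLE = json.dumps({"version": "2.0", "statement": [
    {"effect": "allow", "action": ["cfg:Describe*"], "resource": ["*"]},
    {"effect": "allow", "action": ["cfg:CreateTask"],
     "resource": ["qcs::cfg:ap-guangzhou:uin/11111:taskid/1"]},
    {"effect": "allow", "action": ["cfg:*"],
     "resource": ["qcs:cfg:ap-guangzhou:uin/11111:taskid/1"]}]})
for finding in lint_policy(SAMPLE):
    print(*finding)
```

Only the second statement passes cleanly; it scopes one action to one task ID, which is the form to prefer when the API supports resource-level authorization.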