Policy elements

Last updated: 2023-05-24 17:06:32

Kingsoft Cloud IAM policy documents adopt the syntax and standards of AWS IAM policy documents but contain fewer elements.

Elements and rules for using them

| Element | Required | Description |
| --- | --- | --- |
| Version | No | The version of the policy document. Example: "Version":"2015-11-01". Currently, all Kingsoft Cloud IAM policy documents have only one version: 2015-11-01. If a policy document does not contain this element, its version is set to 2015-11-01 by default. |
| Statement | Yes | The rules for granting permissions. Example: "Statement":[{...},{...},{...}]. This element is the main element of a policy document. It can contain multiple statements. Each statement must be enclosed in braces ({}). |
| Sid | No | The statement ID. Example: "Sid":"1". It must be unique within a policy. This element is optional. |
| Effect | Yes | Specifies whether the statement results in an explicit allow or deny. Example: "Effect":"Allow". This element is required for each statement. (1) You can set this element to either Allow or Deny. (2) If a statement allows an action but another statement in the same policy denies the action, the action is denied. |
| Action | Yes | The action to be allowed or denied. Example: "Action":"iam:CreateUser". This element is required for each statement. (1) This element can contain multiple values, which are the names of API operations from Kingsoft Cloud services. (2) Each value is in the format service-name:action-name, where service-name specifies the name of the Kingsoft Cloud service and action-name specifies the name of the API operation. (3) The values of service-name and action-name are case-insensitive, and the value of action-name can contain asterisks (*) as wildcards. |
| Resource | Yes | The one or more resources that the statement covers. Example: "Resource":"KRN". (1) Services provide different resources. You can use an asterisk (*) as the wildcard to indicate all resources. (2) The resource names conform to the naming rules of KRNs. For more information, see KRNs. |

Policy syntax

  • A policy document can contain multiple statements.
  • Elements in a policy must be unique. For example, a statement can contain only one Effect element.
  • Elements in a policy document can appear in any order.
  • Whitespace in a policy document is ignored.

Sample policy syntax

policy = {
    <version_block?>
    <statement_block>
}
<version_block> = "Version" : "2015-11-01"
<statement_block> = "Statement" : [<statement>, <statement>, ...]
<statement> = {
    <sid_block?>,
    <effect_block>,
    <action_block>,
    <resource_block>
}
<sid_block> = "Sid" : <sid_string>
<effect_block> = "Effect" : ("Allow" | "Deny")
<action_block> = "Action" : ( "*" | [<action_string>, <action_string>, ...])
<resource_block> = "Resource" : ( "*" | [<resource_string>, <resource_string>, ...])
<action_string> = "service_name : action_name"
<resource_string> = "KRN"

Sample policy document

The following policy document is used to grant permissions to the Kingsoft Cloud Elastic Compute (KEC) administrator:

{
  "Version" : "2015-11-01",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : "KEC:*",
      "Resource" : "*"
    }
  ]
}
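
The following Python example is added here and is not Kingsoft Cloud code: it checks a policy document against the element rules listed above and evaluates a request with an explicit Deny overriding any Allow. Treating a request with no matching Allow as denied, matching Resource only as "*" or an exact string, rejecting wildcards in service-name, and the names `iam:ExampleAction` and `krn-placeholder` used when calling it are assumptions made for this example.

```python
import re

# Constructed sample: Allow every iam action, explicitly Deny iam:Create*.
SAMPLE = {"Statement": [
    {"Sid": "1", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Sid": "2", "Effect": "Deny", "Action": ["IAM:Create*"], "Resource": "*"},
]}

def _as_list(value):  # Action/Resource: one string or a list of strings
    return value if isinstance(value, list) else [value]

def _wild(pattern, value):  # "*" is the only wildcard; case-insensitive
    rx = ".*".join(re.escape(p) for p in pattern.lower().split("*"))
    return re.fullmatch(rx, value.lower()) is not None

def validate(policy):
    """Return the list of rule violations; an empty list means well-formed."""
    errors, sids = [], set()
    if policy.get("Version", "2015-11-01") != "2015-11-01":
        errors.append("Version must be 2015-11-01")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return errors + ["Statement is required and must be a non-empty list"]
    for i, st in enumerate(statements):
        errors += [f"statement {i}: missing {k}"
                   for k in ("Effect", "Action", "Resource") if k not in st]
        if st.get("Effect", "Allow") not in ("Allow", "Deny"):
            errors.append(f"statement {i}: Effect must be Allow or Deny")
        for a in _as_list(st.get("Action", [])):
            svc, sep, act = str(a).partition(":")
            # Assumption: wildcards are accepted in action-name only.
            if a != "*" and (not (svc and sep and act) or "*" in svc):
                errors.append(f"statement {i}: bad Action {a!r}")
        if "Sid" in st and st["Sid"] in sids:
            errors.append(f"statement {i}: duplicate Sid {st['Sid']!r}")
        sids.add(st.get("Sid"))
    return errors

def is_allowed(policy, action, resource):
    """Explicit Deny overrides Allow. Assumption: no matching Allow = denied."""
    allowed = False
    for st in policy["Statement"]:
        resources = _as_list(st["Resource"])
        # Assumption: a Resource matches only as "*" or as the exact string.
        if ("*" in resources or resource in resources) and any(
                _wild(a, action) for a in _as_list(st["Action"])):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Run `validate` before `is_allowed`, since the evaluator assumes every statement carries Effect, Action and Resource.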