Last updated:2021-10-29 17:57:34
This topic describes the permission evaluation logic of IAM.
If you use the AccessKey of your Kingsoft Cloud account to generate a signature and initiate an access request, and the resource belongs to your Kingsoft Cloud account, access will be allowed. Otherwise, access will be denied.
If you use the AccessKey of an IAM user to generate a signature and initiate an access request, and the resource belongs to the Kingsoft Cloud account of the IAM user, the system will call the permission evaluation operation to verify the policies attached to the IAM user and determine whether to allow the access.
IAM evaluates all policies attached to an IAM user based on the default/implicit deny rule and determines whether a request of an IAM user is allowed as follows:
That is, a request that is explicitly denied in a policy will be denied even though it is explicitly allowed in another policy. If a request is not explicitly allowed in any policy, the request is implicitly denied by default.
Did you find the above information helpful?
Please give us your feedback.
Thank you for your feedback.