Policy Syntax
CAM policy:
{
"version":"2.0",
"statement":
[
{
"effect":"effect",
"action":["action"],
"resource":["resource"],
}
]
}
version: Required. Currently, only the value 2.0 is allowed.
statement: It is used to describe the detailed information of one or more permissions. This element covers permissions or permission sets of several other elements such as effect, action, resource, and condition. A policy has only one statement element.
effect: Required. This element describes the statement results. Value options: allow (allow) and deny (explicitly deny).
action: Required. This element describes the allowing or denial actions. Actions can be APIs (prefixed with cfg:).
resource: Required. This element describes the specific data of authorization. The resources are described in a six-segment format, and the resource definition details of each product are different.
Tencent Smart Advisor-Chaotic Fault Generator (CFG) Operations
In the CFG policy statement, you can specify any API operation from any service that supports Tencent Smart Advisor-Chaotic Fault Generator. For CFG, use the API prefixed with cfg:. Example: cfg:CreateTask or cfg:CreateTemplate.
To specify multiple operations in one statement, separate them with commas as follows:
"action":["cfg:action1","cfg:action2"]
You can also use wildcards to specify multiple operations. For example, you can specify all operations that begin with the word "Describe" as follows:
"action":["cfg:Describe*"]
If you want to specify all operations in the cloud database, use the * wildcard character as follows:
CFG Resources
Each CAM policy statement is applicable to specific resources. The general format of resources is as follows:
qcs:project_id:service_type:region:account:resource
project_id: Describe the project information. It is only for compatibility with early CAM logic and does not need to be filled in.
service_type: product abbreviation, such as cfg
region : regional information, such as ap-guangzhou
account: root account of the resource owner, such as uin/653339763
resource: specific resource details of each product, such as instanceId/instance_id1 or instanceId/*
For example, you can specify the specific task ID (1) in the statement as follows:
"resource":[ "qcs::cfg:ap-guangzhou:uin/11111:taskid/1"]
You can also use the * wildcard character to specify all instances belonging to a specific account, as follows:
"resource":[ "qcs::cfg:ap-guangzhou:uin/11111:taskid/*"]
If you want to specify all resources, or if a particular API action does not support resource-level permissions, use the * wildcard character in the Resource element, as follows:
To specify multiple resources in one instruction, separate them with a comma. The following is an example of specifying two resources:
"resource":["resource1","resource2"]
The following table describes the resources that can be used by CFG and the corresponding resource description methods. The word prefixed by $ is an alias, region refers to the target region, and account refers to the account ID.
|
| qcs::cfg:$region:$account:taskid/$TaskId
|
| qcs::cfg::$account:templateid/$TemplateId
|
| qcs::cfg::$account:actionid/$ActionId
|