The following OBS custom policy is used as an example to illustrate the policy syntax.
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "obs:bucket:ListAllMyBuckets",
        "obs:bucket:HeadBucket",
        "obs:bucket:ListBucket",
        "obs:bucket:GetBucketLocation"
      ],
      "Condition": {
        "StringEndWithIfExists": {
          "g:UserName": [
            "specialCharactor"
          ]
        },
        "Bool": {
          "g:MFAPresent": [
            "true"
          ]
        }
      },
      "Resource": [
        "obs:*:*:bucket:*"
      ]
    }
  ]
}
Policy Structure
The policy structure consists of two parts: Version (policy version number) and Statement (policy permission statements). The Statement section can include multiple entries, each representing a distinct authorization rule.
Figure: Policy Structure
Policy Parameters
The policy parameters consist of two parts: Version and Statement. The table below explains each parameter; once you understand them, you can customize the policy for your own scenario.
Table: Policy Parameter Description
Parameter | Definition | Value |
Version | Policy version. | 1.0: role-based access control. |
Statement: Effect | Defines whether the operations listed in Action are allowed to be executed. | Allow or Deny. When the same Action is covered by both an Allow and a Deny, Deny takes precedence. |
Statement: Action | Operation permissions (authorization items). | Format: "service name:resource type:operation". The wildcard * denotes "all". |
Statement: Condition | The conditions under which the policy takes effect, made up of condition keys and operators. | Condition operator: {Condition key: [Condition value 1, Condition value 2]} |
Statement: Resource | The resources the policy applies to. | Format: "service name:region:domainId:resource type:resource path". The resource type supports the wildcard *, which represents all. Examples: "obs:*:*:bucket:*" represents all OBS buckets; "obs:*:*:object:my-bucket/my-object/*" represents all objects under the my-object directory in the my-bucket bucket. |
- A condition key is the key within the Condition element of a policy statement. By scope of application, condition keys are either global condition keys or service-specific condition keys.
  - Global condition keys (prefixed with g:) apply to all actions; IAM provides universal global condition keys.
    - Universal global condition keys: during authorization, cloud services do not need to supply user identity information; IAM retrieves and authenticates it automatically. For details, see Table: Universal Global Condition Keys.
  - Service-specific condition keys (prefixed with the service abbreviation, for example obs:) apply only to operations of the corresponding service. For details, refer to the user guide of the respective cloud service.
Table: Universal Global Condition Keys
Global Condition Key | Type | Description |
g:CurrentTime | Time | The time when the authentication request was received, in ISO 8601 format, for example 2012-11-11T23:59:59Z |
g:DomainName | String | Account Name |
g:MFAPresent | Bool | Whether to use MFA (Multi-Factor Authentication) to obtain the token |
g:MFAAge | Numerical Value | Validity duration of tokens obtained through MFA (Multi-Factor Authentication). This condition is used together with g:MFAPresent. |
g:ProjectName | String | Project Name |
g:ServiceName | String | Service Name |
g:UserId | String | IAM User ID |
g:UserName | String | IAM User Name |
- Operator: an operator, a condition key, and a condition value together constitute a complete condition statement. A policy takes effect only when its request conditions are met. For details, refer to the table below. The operator suffix IfExists indicates that a policy takes effect if the request value is empty or meets the specified condition. For example, if the operator StringEqualsIfExists is selected for a policy, the policy takes effect if the request value is empty or equal to the specified value.
Table: Operators (operators are string operators and are not case-sensitive unless otherwise specified.)
Operator | Type | Description |
StringEquals | String | The request value is the same as the condition value (case-sensitive). |
StringNotEquals | String | The request value is different from the condition value (case-sensitive). |
StringEqualsIgnoreCase | String | The request value is the same as the condition value. |
StringNotEqualsIgnoreCase | String | The request value is different from the condition value. |
StringLike | String | The request value contains the condition value. |
StringNotLike | String | The request value does not contain the condition value. |
StringStartWith | String | The request value starts with the condition value. |
StringEndWith | String | The request value ends with the condition value. |
StringNotStartWith | String | The request value does not start with the condition value. |
StringNotEndWith | String | The request value does not end with the condition value. |
StringEqualsAnyOf | String | The request value is the same as any of the configurable condition values (case-sensitive). |
StringNotEqualsAnyOf | String | Multiple condition values can be configured, and the request value differs from all condition values (case-sensitive). |
StringEqualsIgnoreCaseAnyOf | String | Multiple condition values can be configured, and the request value will match if it is equal to any of the condition values. |
StringNotEqualsIgnoreCaseAnyOf | String | Multiple condition values can be configured, and the request value differs from all of them. |
StringLikeAnyOf | String | Multiple condition values can be configured. The request value contains any of the condition values. |
StringNotLikeAnyOf | String | Multiple condition values can be configured. The request value does not contain any of the condition values. |
StringStartWithAnyOf | String | Multiple condition values can be configured. The request value starts with any of the condition values. |
StringEndWithAnyOf | String | Multiple condition values can be configured. The request value ends with any of the condition values. |
StringNotStartWithAnyOf | String | Multiple condition values can be configured. The request value does not start with any of the condition values. |
StringNotEndWithAnyOf | String | Multiple condition values can be configured. The request value does not end with any of the condition values. |
NumberEquals | Numerical Value | The request value is equal to the condition value. |
NumberNotEquals | Numerical Value | The request value is not equal to the condition value. |
NumberLessThan | Numerical Value | The request value is less than the condition value. |
NumberLessThanEquals | Numerical Value | The request value is less than or equal to the condition value. |
NumberGreaterThan | Numerical Value | The request value is greater than the condition value. |
NumberGreaterThanEquals | Numerical Value | The request value is greater than or equal to the condition value. |
NumberEqualsAnyOf | Numerical Value | Multiple condition values can be configured. The request value must match any of them. |
NumberNotEqualsAnyOf | Numerical Value | Multiple condition values can be configured. The request value must differ from all of them. |
DateLessThan | Time | The request value is earlier than the condition value. |
DateLessThanEquals | Time | The request value is earlier than or equal to the condition value. |
DateGreaterThan | Time | The request value is later than the condition value. |
DateGreaterThanEquals | Time | The request value is later than or equal to the condition value. |
Bool | Bool | The request value is equal to the condition value. |
IpAddress | IP address | The request value is within the IP address range set in the condition value. |
NotIpAddress | IP address | The request value must not fall within any IP address range set in the condition value(s). |
IsNullOrEmpty | Null | The request value is null or an empty string. |
IsNull | Null | The request value is null. |
IsNotNull | Null | The request value is not null. |
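To make the evaluation rules concrete (wildcards in Action and Resource, the IfExists suffix, all Condition entries having to hold, and Deny taking precedence over Allow), here is a small evaluator written for this page; it is an added example, not the cloud provider's IAM engine, and implements only a subset of the operators in the table. It assumes the Bool comparison is case-insensitive and that an unmatched request is reported as "ImplicitDeny"; the request attributes are constructed.

```python
import fnmatch
# Constructed sample: the OBS custom policy shown at the top of this page.
POLICY = {
    "Version": "1.1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["obs:bucket:ListAllMyBuckets", "obs:bucket:HeadBucket",
                   "obs:bucket:ListBucket", "obs:bucket:GetBucketLocation"],
        "Condition": {"StringEndWithIfExists": {"g:UserName": ["specialCharactor"]},
                      "Bool": {"g:MFAPresent": ["true"]}},
        "Resource": ["obs:*:*:bucket:*"],
    }],
}

# Subset of the operators from the table; each takes (request value, condition values).
OPERATORS = {
    "StringEquals": lambda v, cs: v in cs,
    "StringStartWith": lambda v, cs: any(v.startswith(c) for c in cs),
    "StringEndWith": lambda v, cs: any(v.endswith(c) for c in cs),
    "Bool": lambda v, cs: str(v).lower() in [c.lower() for c in cs],  # assumed case-insensitive
}

def condition_matches(operator, key, values, request):
    # The IfExists suffix makes a missing request key satisfy the condition.
    if_exists = operator.endswith("IfExists")
    base = operator[:-len("IfExists")] if if_exists else operator
    if key not in request:
        return if_exists
    return OPERATORS[base](request[key], values)

def statement_matches(stmt, action, resource, request):
    # Action and Resource entries support the * wildcard ("all").
    if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
        return False
    # Every operator/key pair in Condition must hold for the statement to apply.
    return all(condition_matches(op, key, values, request)
               for op, keyvals in stmt.get("Condition", {}).items()
               for key, values in keyvals.items())

def evaluate(policy, action, resource, request):
    """Return "Allow", "Deny" or "ImplicitDeny"; an explicit Deny beats any Allow."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource, request):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

With the sample policy, a request without g:UserName is still allowed (IfExists), while a request without MFA is not.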