The **Resource** element specifies the scope of resources covered by a permission statement, expressed as **TRN**s. A TRN (The Resource Name) is a globally unique identifier for a resource on Volcano Engine; it is composed of the service, region, account and resource path. The format is:

trn:${ServiceCode}:${Region}:${AccountId}:${ResourcePath}
The parts are:
- trn: fixed prefix of every TRN.
- ${ServiceCode}: the code of the cloud service; for example, the ServiceCode of the cloud server service (ECS) is ecs. The ServiceCode of each cloud product can be looked up in that service's API documentation.
- ${RegionCode}: the region the resource belongs to. For a global resource this field is empty. The following are the RegionCodes for the different regions.
- ${AccountId}: the ID of the account that owns the resource.
- ${ResourcePath}: the resource path; for example, the path of an ECS instance is instance/${InstanceId}, where instance is the fixed resource type name of ECS instances and ${InstanceId} is the ID of the instance. The path formats of the different resource types are listed in the table at the end of this document.
Example 1: the account with AccountID 2000000001 created the cloud server (ECS) instance with ID i-100 in cn-beijing. The corresponding resource TRN is:
trn:ecs:cn-beijing:2000000001:instance/i-100
Example 2: the account with AccountID 2000000001 created an IAM user with the user name Bob. The corresponding resource TRN is:
trn:iam::2000000001:user/Bob
(IAM is a global service that does not distinguish between regions, so the region field is empty.)
In some scenarios you can use the NotResource keyword to exclude part of the resources that a Resource expression would otherwise cover. For details, refer to the NotResource syntax description.
The Resource element can be the single wildcard * (matching all resources), or a TRN that uses wildcards in any segment from the second one onward, that is, in every segment after the fixed trn prefix:
- * : matches 0, 1 or more characters.
- ? : matches exactly one character (not 0).
The following is a policy that includes a Resource element:
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ecs:DeleteInstance"],
      "Resource": [
        "trn:ecs:cn-beijing:2000000001:instance/i-100",
        "trn:ecs:cn-beijing:2000000001:instance/i-200"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:GetUser"],
      "Resource": ["*"]
    }
  ]
}
```
**Interpretation:** this policy allows deleting the cloud server (ECS) instances with instance IDs i-100 and i-200, and allows querying every IAM user.
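As an added example (not code from the Volcano Engine documentation), the following Python evaluator parses TRNs into their five segments, applies the `*`/`?` wildcard rules described above segment by segment, and checks requests against the sample policy. It assumes, as in common IAM semantics but not stated on this page, that an explicit Deny overrides any Allow and that Action names use the same wildcard matching; NotResource is not handled.

```python
import re

# Sample policy, constructed from the policy shown on this page.
SAMPLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:DeleteInstance"],
         "Resource": ["trn:ecs:cn-beijing:2000000001:instance/i-100",
                      "trn:ecs:cn-beijing:2000000001:instance/i-200"]},
        {"Effect": "Allow", "Action": ["iam:GetUser"], "Resource": ["*"]},
    ]
}


def parse_trn(trn: str) -> list:
    """Split a TRN into its five segments: prefix, ServiceCode, Region,
    AccountId, ResourcePath. Region is empty for global services such as IAM."""
    parts = trn.split(":", 4)
    if len(parts) != 5 or parts[0] != "trn":
        raise ValueError(f"malformed TRN: {trn!r}")
    return parts


def _glob(pattern: str) -> re.Pattern:
    """Compile a wildcard pattern: '*' matches zero or more characters,
    '?' matches exactly one; everything else is literal."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.DOTALL)


def trn_matches(pattern: str, trn: str) -> bool:
    """True if the Resource pattern covers the resource TRN. A bare '*' covers
    everything; otherwise segments 2..5 are compared one by one, so a '*'
    never spills across a ':' boundary and the 'trn' prefix must be literal."""
    if pattern == "*":
        return True
    pat, res = parse_trn(pattern), parse_trn(trn)
    return all(_glob(p).fullmatch(r) is not None for p, r in zip(pat[1:], res[1:]))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request. Assumption (standard IAM semantics, not stated on
    this page): an explicit Deny wins over any Allow, and Action names use the
    same '*'/'?' matching as resources. NotResource is not handled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a).fullmatch(action) for a in stmt["Action"]):
            continue
        if not any(trn_matches(r, resource) for r in stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```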
Refer to each cloud product's documentation for the resource types it supports. The resource TRN formats of some commonly used services are:
| Product | ServiceCode | Resource type | ResourceType | TRN format |
|---|---|---|---|---|
| Cloud server (ECS) | ecs | instance | instance | trn:ecs:{region}:{account}:instance/{instanceid} |
| Cloud server (ECS) | ecs | key pair | keypair | trn:ecs:{region}:{account}:keypair/{keypairname} |
| Cloud server (ECS) | ecs | image | image | trn:ecs:{region}:{account}:image/{imageid} |
| Elastic Block Storage (EBS) | storage_ebs | volume | volume | trn:storage_ebs:{region}:{account}:volume/{volumeid} |
| Cloud Database RDS MySQL | rds_mysql | instance | instance | trn:rds_mysql:{region}:{account}:instance/{instanceid} |
| Cache Database Redis Edition | Redis | instance | instance | trn:Redis:{region}:{account}:instance/{instanceid} |
| File storage vePFS | vepfs | instance | instance | trn:vepfs:{region}:{account}:instance/{instanceid} |
| Content Delivery Network (CDN) | CDN | domain name | Domain | trn:CDN:{region}:{account}:Domain/{domain} |
| Application Load Balancer (ALB) | alb | instance | loadbalancer | trn:alb:{region}:{account}:loadbalancer/{id} |
| Application Load Balancer (ALB) | alb | listener | listener | trn:alb:{region}:{account}:listener/{id} |
| Application Load Balancer (ALB) | alb | server group | servergroup | trn:alb:{region}:{account}:servergroup/{id} |
| Application Load Balancer (ALB) | alb | customized configuration | customizedcfg | trn:alb:{region}:{account}:customizedcfg/{id} |
| Application Load Balancer (ALB) | alb | certificate | certificate | trn:alb:{region}:{account}:certificate/{id} |
| Application Load Balancer (ALB) | alb | access control list | acl | trn:alb:{region}:{account}:acl/{id} |
| Public IP (EIP) | vpc | instance | eip | trn:vpc:{region}:{account}:eip/{eipid} |
| Shared bandwidth package | vpc | instance | bandwidthpackage | trn:vpc:{region}:{account}:bandwidthpackage/{bandwidthpackageid} |
| Virtual Private Cloud (VPC) | vpc | VPC instance | vpc | trn:vpc:{region}:{account}:vpc/{vpcid} |
| Virtual Private Cloud (VPC) | vpc | subnet | subnet | trn:vpc:{region}:{account}:subnet/{subnetid} |
| Virtual Private Cloud (VPC) | vpc | elastic network interface | eni | trn:vpc:{region}:{account}:eni/{eniid} |
| Virtual Private Cloud (VPC) | vpc | security group | securitygroup | trn:vpc:{region}:{account}:securitygroup/{securitygroupid} |
| Virtual Private Cloud (VPC) | vpc | route table | routetable | trn:vpc:{region}:{account}:routetable/{routetableid} |
| Virtual Private Cloud (VPC) | vpc | network ACL | networkacl | trn:vpc:{region}:{account}:networkacl/{networkaclid} |
| NAT Gateway | natgateway | instance | ngw | trn:natgateway:{region}:{account}:ngw/{ngwid} |
| VPN Connection | vpn | VPN gateway | vpngateway | trn:vpn:{region}:{account}:vpngateway/{vpngatewayid} |
| VPN Connection | vpn | customer gateway | customergateway | trn:vpn:{region}:{account}:customergateway/{customergatewayid} |
| VPN Connection | vpn | IPsec connection | vpnconnection | trn:vpn:{region}:{account}:vpnconnection/{vpnconnectionid} |
| VPN Connection | vpn | VPN gateway route | vpngatewayroute | trn:vpn:{region}:{account}:vpngatewayroute/{vpngatewayrouteid} |
| Direct Connect | directconnect | physical connection | connection | trn:directconnect:{region}:{account}:connection/{id} |
| Direct Connect | directconnect | direct connect gateway | directconnectgateway | trn:directconnect:{region}:{account}:directconnectgateway/{id} |
| Transit Router (TR) | transitrouter | TR instance | transitrouter | trn:transitrouter:{region}:{account}:transitrouter/{transitrouterid} |
| Transit Router (TR) | transitrouter | TR attachment | transitrouterattachment | trn:transitrouter:{region}:{account}:transitrouterattachment/{transitrouterattachmentid} |
| Transit Router (TR) | transitrouter | TR route table | transitrouterroutetable | trn:transitrouter:{region}:{account}:transitrouterroutetable/{transitrouterroutetableid} |
| Transit Router (TR) | transitrouter | TR route entry | transitrouterrouteentry | trn:transitrouter:{region}:{account}:transitrouterrouteentry/{transitrouterrouteentryid} |
| Transit Router (TR) | transitrouter | TR bandwidth package | transitrouterbandwidthpackage | trn:transitrouter::{account}:transitrouterbandwidthpackage/{transitrouterbandwidthpackageid} |
| Load Balancer (CLB) | clb | load balancer instance | clb | trn:clb:{region}:{account}:clb/{clbid} |
| Load Balancer (CLB) | clb | access control policy group | acl | trn:clb:{region}:{account}:acl/{aclid} |
| Load Balancer (CLB) | clb | certificate | certificate | trn:clb:{region}:{account}:certificate/{certificateid} |
| Load Balancer (CLB) | clb | dedicated cluster | ec | trn:clb:{region}:{account}:ec/{ecid} |
| Container Service (VKE) | vke | cluster | cluster | trn:vke:{region}:{account}:cluster/{id} |
| Object Storage (TOS) | tos | bucket | bucket | trn:tos:{region}:{account}:{bucket} |
| Object Storage (TOS) | tos | object | object | trn:tos:{region}:{account}:{bucket}/{object} |
| Identity and Access Management (IAM) | iam | user | user | trn:iam::{account}:user/{UserName} |
| Identity and Access Management (IAM) | iam | user group | group | trn:iam::{account}:group/{GroupName} |
| Identity and Access Management (IAM) | iam | role | role | trn:iam::{account}:role/{RoleName} |
| Identity and Access Management (IAM) | iam | policy | policy | trn:iam::{account}:policy/{PolicyName} |
| Identity and Access Management (IAM) | iam | project | project | trn:iam::{account}:project/{ProjectName} |