Action is a required element of each policy statement. It specifies the operations that the statement applies to, in the format ${ServiceCode}:${Action}, where ${ServiceCode} is the service code of the cloud product and ${Action} is usually the same value as the Action of the cloud service API (the ServiceCode and supported Actions of each cloud service can be found in that service's API documentation). In some scenarios, you can use the NotAction keyword to exclude some of the actions defined in Action. For details, refer to the NotAction syntax description.
${Action} can be expressed as an array and supports two wildcards, * and ?.
* : Matches 0, 1, or more characters.
? : Matches one character (cannot be 0).
The following policy includes specific cloud service Actions and uses a wildcard:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:GetUser"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Interpretation: The first statement of this policy allows private network (VPC) operations, and the second statement allows querying the user list and querying user details in access control (IAM).
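The wildcard rules above can be checked against this policy with a small matcher. The following is an added example, not the platform's own evaluation code: it looks only at the Action element of Allow statements (Resource, Deny and NotAction are ignored), and it assumes case-sensitive matching and that every character other than * and ? is literal. The function names are hypothetical.

```python
import json
import re

# The policy shown above, embedded so the example runs offline.
POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": ["vpc:*"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:GetUser"], "Resource": ["*"]}
  ]
}
""")


def pattern_to_regex(pattern):
    """Translate an Action pattern: * is zero or more characters, ? is exactly one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # assumption: anything else is literal
    return re.compile("".join(parts), re.DOTALL)


def action_matches(pattern, action):
    """Case-sensitive full match (assumption; the page does not state case rules)."""
    return pattern_to_regex(pattern).fullmatch(action) is not None


def _actions(statement):
    # Accept a single string as well as an array (assumption).
    value = statement.get("Action", [])
    return [value] if isinstance(value, str) else value


def allowed_by_action(policy, action):
    """True if any Allow statement's Action list matches the requested action."""
    return any(
        stmt.get("Effect") == "Allow"
        and any(action_matches(p, action) for p in _actions(stmt))
        for stmt in policy["Statement"]
    )


def wildcard_patterns(policy):
    """Allow patterns that contain * or ?, listed for least-privilege review."""
    return [p for stmt in policy["Statement"] if stmt.get("Effect") == "Allow"
            for p in _actions(stmt) if "*" in p or "?" in p]
```

Running `wildcard_patterns` over a policy set is a quick way to find statements such as `vpc:*` that grant every operation of a service, including operations the service adds later.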
For the operations that a specific cloud service supports, refer to that service's API documentation.