Scenario: Restrict sub-users to creating access keys only for themselves.
Policy example:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey"
      ],
      "Resource": [
        "trn:iam::*:user/${volc:UserName}"
      ]
    }
  ]
}
Interpretation: The iam:CreateAccessKey operation supports resource-level permissions scoped to an individual IAM user. The user name in the Resource TRN is taken from the policy variable ${volc:UserName}, which resolves to the name of the user making the request, so the resource scope of the policy is built from the requester's own identity ("access subject = access object"). An IAM user holding this policy can therefore only create access keys for themselves.
Scenario: Allow access to private network (VPC) resources only when the user's project matches the project of the resource being accessed.
Policy example:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "volc:ResourceTag/project": "${volc:PrincipalTag/project}"
        }
      }
    }
  ]
}
Interpretation: This policy uses the condition key volc:PrincipalTag/project in place of a fixed condition value: the project tag on the resource being accessed (volc:ResourceTag/project) must exactly equal the project tag attached to the requesting identity (the tag key on both sides is project). Each user therefore sees only the VPC resources of their own project, without a separate policy per project.
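To make the variable substitution in both scenarios concrete, the following is an added Python illustration (not Volcengine's policy engine, and not code from this page): a toy evaluator that resolves ${volc:UserName} and ${volc:PrincipalTag/...} from a request context, matches Action and Resource wildcards, checks the StringEquals condition against volc:ResourceTag/..., and denies by default. The request dictionaries, account id and tag values are constructed for the example; the two policies are the ones shown above.

```python
"""Toy evaluator for the two policy-variable examples on this page.

Added illustration only; it models just the subset needed here:
Allow statements, '*' wildcards in Action/Resource, the StringEquals
condition, the ${volc:UserName} and ${volc:PrincipalTag/<key>} variables
and the volc:ResourceTag/<key> condition key. Anything not explicitly
allowed is denied.
"""
import fnmatch
import re

# The two policies from the page, as Python dicts.
SELF_ACCESS_KEY_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:CreateAccessKey"],
        "Resource": ["trn:iam::*:user/${volc:UserName}"],
    }]
}

SAME_PROJECT_VPC_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["vpc:*"],
        "Resource": ["*"],
        "Condition": {"StringEquals": {
            "volc:ResourceTag/project": "${volc:PrincipalTag/project}"}},
    }]
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _escape_glob(value):
    """Substituted values are data, never patterns: neutralise wildcard chars
    so a user named '*' cannot widen the Resource scope."""
    return value.replace("[", "[[]").replace("*", "[*]").replace("?", "[?]")


def resolve_variables(text, request):
    """Replace ${volc:...} variables with values from the request context.
    Unknown or missing variables are left unresolved, so they fail to match
    instead of silently matching everything."""
    def lookup(m):
        name = m.group(1)
        if name == "volc:UserName":
            return _escape_glob(request["user_name"])
        if name.startswith("volc:PrincipalTag/"):
            key = name[len("volc:PrincipalTag/"):]
            tags = request.get("principal_tags", {})
            return _escape_glob(tags[key]) if key in tags else m.group(0)
        return m.group(0)
    return _VAR.sub(lookup, text)


def condition_value(key, request):
    """Look up a condition key; only volc:ResourceTag/<key> is modelled."""
    if key.startswith("volc:ResourceTag/"):
        return request.get("resource_tags", {}).get(key[len("volc:ResourceTag/"):])
    return None


def statement_matches(stmt, request):
    """True if Action, Resource (after substitution) and Condition all match."""
    if not any(fnmatch.fnmatchcase(request["action"], a) for a in stmt["Action"]):
        return False
    patterns = [resolve_variables(r, request) for r in stmt["Resource"]]
    if not any(fnmatch.fnmatchcase(request["resource"], p) for p in patterns):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        actual = condition_value(key, request)
        # Compare the resolved expected value as a plain string, not a glob.
        if actual is None or _escape_glob(actual) != resolve_variables(expected, request):
            return False
    return True


def is_allowed(policy, request):
    """Default deny: allowed only if at least one Allow statement matches."""
    return any(s["Effect"] == "Allow" and statement_matches(s, request)
               for s in policy["Statement"])


def demo():
    """Constructed requests for both scenarios; returns name -> allowed."""
    acct = "2100000000"  # constructed account id
    key_req = lambda who, target, action="iam:CreateAccessKey": {
        "user_name": who, "action": action,
        "resource": f"trn:iam::{acct}:user/{target}"}
    vpc_req = lambda ptag, rtag: {
        "user_name": "alice", "action": "vpc:DescribeVpcs",
        "resource": f"trn:vpc:cn-beijing:{acct}:vpc/vpc-example",
        "principal_tags": ptag, "resource_tags": rtag}
    return {
        "alice_own_key": is_allowed(SELF_ACCESS_KEY_POLICY, key_req("alice", "alice")),
        "alice_key_for_bob": is_allowed(SELF_ACCESS_KEY_POLICY, key_req("alice", "bob")),
        "alice_other_action": is_allowed(SELF_ACCESS_KEY_POLICY,
                                         key_req("alice", "alice", "iam:DeleteAccessKey")),
        "vpc_same_project": is_allowed(SAME_PROJECT_VPC_POLICY,
                                       vpc_req({"project": "pay"}, {"project": "pay"})),
        "vpc_other_project": is_allowed(SAME_PROJECT_VPC_POLICY,
                                        vpc_req({"project": "pay"}, {"project": "ads"})),
        "vpc_untagged_user": is_allowed(SAME_PROJECT_VPC_POLICY, vpc_req({}, {"project": "pay"})),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

Two details worth noticing: a substituted value is escaped before it is used as a glob, so the variable can only narrow the Resource scope, never widen it; and an identity with no project tag is denied under the second policy because ${volc:PrincipalTag/project} stays unresolved and can never equal a real resource tag.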
For detailed instructions on the use of variables, please refer to the variable and wildcard instructions.