The trust identity (Principal element) specifies the trusted party in an authorization. When you authorize an IAM user, user group, or role, the trusted identity is already defined by the binding between the policy and that user, user group, or role, so you do not need to define this element when you create a custom policy.
Policies attached to IAM identities (users, user groups, or roles) are called identity-based policies. In some scenarios a policy is attached to a resource rather than to an identity; such policies are called resource-based policies. A resource-based policy has no identity binding, so its content must include the Principal element; because it is naturally bound to the resource, the Resource element does not need to be defined. Volcano Engine currently supports the following two resource-based policies:
For example, the following role trust policy defines the trusted party as the container service, allowing the container service to assume the role:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Principal": {
        "Service": [
          "vke"
        ]
      }
    }
  ]
}
For another example, the following role trust policy defines the trusted party as the account with account ID 2000000001, allowing identities within that account to assume the role:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Principal": {
        "IAM": [
          "trn:iam::2000000001:root"
        ]
      }
    }
  ]
}
Warning: The role's trust policy does not support the Condition element.
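The following added example (not part of the Volcano Engine documentation) lints a role trust policy against the rules stated above: Principal with a Service or IAM entry is mandatory, the statement must allow sts:AssumeRole, and Condition is not supported. It also lists every party the policy trusts, which is what a reviewer wants to see before attaching it to a role. The sample policies are the two from the text; the third, with its condition key, is a constructed invalid input.

```python
import json

# Constructed samples: the two trust policies from the text, plus one that
# wrongly adds a Condition element (unsupported in a role trust policy).
# The condition key "example:Tag" is a placeholder, not a real condition key.
TRUST_SERVICE = '{"Statement":[{"Effect":"Allow","Action":["sts:AssumeRole"],"Principal":{"Service":["vke"]}}]}'
TRUST_ACCOUNT = '{"Statement":[{"Effect":"Allow","Action":["sts:AssumeRole"],"Principal":{"IAM":["trn:iam::2000000001:root"]}}]}'
TRUST_WITH_CONDITION = ('{"Statement":[{"Effect":"Allow","Action":"sts:AssumeRole",'
                        '"Principal":{"IAM":["trn:iam::2000000001:root"]},'
                        '"Condition":{"StringEquals":{"example:Tag":"demo"}}}]}')


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json):
    """Validate a role trust policy against the rules in the text.
    Returns a list of findings; an empty list means the policy passes."""
    findings = []
    statements = json.loads(policy_json).get("Statement")
    if not isinstance(statements, list) or not statements:
        return ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect is not Allow, so it grants no trust")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            findings.append(f"statement {i}: Action must include sts:AssumeRole")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or not (set(principal) & {"Service", "IAM"}):
            findings.append(f"statement {i}: Principal with Service or IAM is required "
                            "(a resource-based policy has no identity binding)")
        if "Condition" in stmt:
            findings.append(f"statement {i}: Condition is not supported in a role trust policy")
    return findings


def trusted_principals(policy_json):
    """Return (kind, value) pairs naming everything allowed to assume the role."""
    pairs = []
    for stmt in json.loads(policy_json).get("Statement", []):
        for kind, values in stmt.get("Principal", {}).items():
            pairs.extend((kind, v) for v in _as_list(values))
    return pairs


if __name__ == "__main__":
    for name, doc in [("service", TRUST_SERVICE), ("account", TRUST_ACCOUNT),
                      ("condition", TRUST_WITH_CONDITION)]:
        print(name, trusted_principals(doc), check_trust_policy(doc) or "OK")
```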