Variables and wild-card

You can use wild-cards or variables in specific places of a policy declaration to define more flexible and expressive permission rules.

Wild-card

Access control supports the wild-cards * and ?:

  • Wild-card * : Matches zero, one, or more characters.
  • Wild-card ? : Matches exactly one character (it cannot match zero characters).

You can use wild-cards in the following locations of a policy:

  • The Action element of the policy.
  • The TRN in the policy Resource element, from the second colon-separated segment onward (the leading "trn" segment must be literal).
  • The condition value part of the policy Condition element.

For example, the following is a policy that uses wild-card:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "natgateway:*"
      ],
      "Resource": [
        "trn:natgateway:*:2000000001:ngw/*"
      ],
      "Condition": {
        "StringEquals": {
          "volc:PrincipalTrn": "trn:iam::2000000001:role/*"
        }
      }
    }
  ]
}

**Interpretation:** This policy uses four wild-cards in total. The wild-card * in the Action element expands the operation scope to all operations of the NAT gateway service. In the TRN of the NAT gateway instance in the Resource element, the first wild-card * leaves the region unrestricted and the second wild-card * matches any NAT gateway instance. In the Condition element, the wild-card * makes the statement effective whenever the requesting identity is any role under the account.

Variable

Condition keys can be used as variables in certain places of the policy declaration, standing in for fixed values.

  • A variable has the form ${condition-key}, where condition-key can be any supported condition key, for example ${volc:UserName}.

  • Variables are supported in the following locations:

    • The resource name path part of the TRN expression in the Resource element (that is, the part after the ${AccountId}: segment);

    • Condition key and condition value in Condition.

For example, the following is a policy that uses a variable:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:UpdateSecureContactInfo"
      ],
      "Resource": [
        "trn:iam::2000000000:user/${volc:UserName}"
      ]
    }
  ]
}

This policy restricts IAM users to modifying only their own secure email address or mobile phone number, by requiring "access subject = access object". The underlying principle is that the variable ${volc:UserName} in the policy Resource element resolves to the user name of the requesting user (for a detailed description of the condition key, refer to the Condition help document). Suppose an IAM user named Bob initiates a modify-security-information operation (UpdateSecureContactInfo). At that moment the value of the variable ${volc:UserName} is the requestor's user name (i.e. Bob), and the system substitutes this value into the expression trn:iam::2000000000:user/${volc:UserName}, so for this request the policy is equivalent to the following policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:UpdateSecureContactInfo"
      ],
      "Resource": [
        "trn:iam::2000000000:user/Bob"
      ]
    }
  ]
}

Therefore, this policy only lets a user modify their own security information. Likewise, when any other IAM user who has been granted the policy initiates a modify-security-information operation, the variable is resolved and substituted by the same logic, so that user too can only modify their own security information.
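The following is an added illustration, not the platform's own evaluator: a minimal Python matcher that applies the wild-card rules from the first section (* and ? in Action, in TRN segments after the leading "trn", and in condition values) and the variable substitution from this section, then checks both policies on this page against constructed requests. The region "cn-beijing", the instance id "ngw-abc123" and the role name "admin" are made-up sample values.

```python
import re

# Added example: a minimal matcher for the wild-card and variable rules described on this
# page. It is not the platform's own evaluator; behaviour the page does not state (for
# instance case sensitivity, or a missing variable resolving to "") is an assumption here.

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """'*' matches zero or more characters, '?' matches exactly one character."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")

def substitute(text: str, ctx: dict) -> str:
    """Replace every ${condition-key} with the request context value, e.g. ${volc:UserName}."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), text)

def trn_matches(pattern: str, trn: str) -> bool:
    """Segment 1 ('trn') must match literally; wild-cards apply from segment 2 onward."""
    p, t = pattern.split(":", 4), trn.split(":", 4)
    if len(p) != 5 or len(t) != 5 or p[0] != t[0]:
        return False
    return all(wildcard_to_regex(ps).match(ts) for ps, ts in zip(p[1:], t[1:]))

def statement_allows(stmt: dict, request: dict) -> bool:
    """request = {'action': str, 'resource': TRN, 'context': {condition-key: value}}."""
    ctx = request["context"]
    if stmt["Effect"] != "Allow":
        return False
    if not any(wildcard_to_regex(a).match(request["action"]) for a in stmt["Action"]):
        return False
    if not any(trn_matches(substitute(r, ctx), request["resource"]) for r in stmt["Resource"]):
        return False
    # StringEquals condition values may carry wild-cards and variables (page section above).
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if not wildcard_to_regex(substitute(want, ctx)).match(ctx.get(key, "")):
            return False
    return True

# The two policy statements from this page, as Python dicts.
SELF_SERVICE = {"Effect": "Allow", "Action": ["iam:UpdateSecureContactInfo"],
                "Resource": ["trn:iam::2000000000:user/${volc:UserName}"]}
NAT_ALL_ROLES = {"Effect": "Allow", "Action": ["natgateway:*"],
                 "Resource": ["trn:natgateway:*:2000000001:ngw/*"],
                 "Condition": {"StringEquals": {"volc:PrincipalTrn": "trn:iam::2000000001:role/*"}}}

def bob_edits(target_user: str) -> bool:
    """Bob (the requestor) tries to update the contact info of target_user."""
    return statement_allows(SELF_SERVICE, {"action": "iam:UpdateSecureContactInfo",
        "resource": f"trn:iam::2000000000:user/{target_user}", "context": {"volc:UserName": "Bob"}})

def nat_request(principal_trn: str, action: str = "natgateway:DescribeNatGateways") -> bool:
    """A request against a constructed NAT gateway instance by the given principal."""
    return statement_allows(NAT_ALL_ROLES, {"action": action,
        "resource": "trn:natgateway:cn-beijing:2000000001:ngw/ngw-abc123",
        "context": {"volc:PrincipalTrn": principal_trn}})
```

Running bob_edits("Bob") and bob_edits("Alice") reproduces the "access subject = access object" restriction explained above, and nat_request shows the role-only condition of the first policy.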

Last updated: 2025.06.23 19:21:31