Resource Access Management: Conditional operators

Last Updated: Dec 09, 2025

Operators in a Condition element combine condition keys and values to create a conditional statement. The policy is enforced when a request meets this condition. Operators are categorized into five types: string, number, date and time, Boolean, and IP address. This topic describes the operators that Resource Access Management (RAM) supports and provides examples.

String

| Category | Operator | Description |
| --- | --- | --- |
| String | StringEquals | Matches an exact string (case-sensitive). |
| String | StringNotEquals | Does not match an exact string (case-sensitive). |
| String | StringEqualsIgnoreCase | Matches an exact string (case-insensitive). |
| String | StringNotEqualsIgnoreCase | Does not match an exact string (case-insensitive). |
| String | StringLike | Matches a string pattern (case-sensitive, supports asterisks [*] and question marks [?] as wildcard characters). *: Matches any number of characters, including an empty string. ?: Matches a single character. |
| String | StringNotLike | Does not match a string pattern (case-sensitive, supports asterisks [*] and question marks [?] as wildcard characters). *: Matches any number of characters, including an empty string. ?: Matches a single character. |

Examples:

StringEquals

This policy allows a RAM user to manage only ECS instances that have the team:dev tag. It uses the StringEquals operator and the acs:ResourceTag condition key in the Condition element.

{
  "Effect": "Allow",
  "Action": "ecs:*",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "acs:ResourceTag/team": [
        "dev"
      ]
    }
  }
}

StringLike

This policy allows a RAM user to use the OSS CLI to access the myphotos/hangzhou/2015/ folder and list the objects it contains. The policy uses the StringLike operator and the oss:Prefix condition key in the Condition element. This ensures that only objects with the hangzhou/2015/ prefix are listed.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:myphotos/hangzhou/2015/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:myphotos"
      ],
      "Condition":{
        "StringLike":{
          "oss:Prefix":"hangzhou/2015/*"
        }
      }
    }
  ]
}

Number

| Category | Operator | Description |
| --- | --- | --- |
| Number | NumericEquals | Equal to. |
| Number | NumericNotEquals | Not equal to. |
| Number | NumericLessThan | Less than. |
| Number | NumericLessThanEquals | Less than or equal to. |
| Number | NumericGreaterThan | Greater than. |
| Number | NumericGreaterThanEquals | Greater than or equal to. |

Example:

This policy prevents all RAM users and RAM roles from deleting Key Management Service (KMS) credentials if the recovery window is set to 10 days or less. It uses the NumericLessThanEquals operator and the kms:RecoveryWindowInDays condition key in the Condition element.

{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "kms:DeleteSecret",
      "Principal": "*",
      "Resource": "*",
      "Condition": {
        "NumericLessThanEquals": {
          "kms:RecoveryWindowInDays": "10"
        }
      }
    }
  ]
}

Date and time

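| Category | Operator | Description |
| --- | --- | --- |
| Date and time | DateEquals | Equal to. |
| Date and time | DateNotEquals | Not equal to. |
| Date and time | DateLessThan | Earlier than. |
| Date and time | DateLessThanEquals | Earlier than or equal to. |
| Date and time | DateGreaterThan | Later than. |
| Date and time | DateGreaterThanEquals | Later than or equal to. |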

Example:

This policy allows a RAM user to access ECS instances only before 17:00 on August 12, 2019 (UTC+8). It uses the DateLessThan operator and the acs:CurrentTime condition key in the Condition element.

{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "DateLessThan": {
          "acs:CurrentTime": "2019-08-12T17:00:00+08:00"
        }
      }
    }
  ],
  "Version": "1"
}

Boolean

| Category | Operator | Description |
| --- | --- | --- |
| Boolean | Bool | Matches a Boolean value (true or false). |

Example:

This policy allows only RAM users who have multi-factor authentication (MFA) enabled to access ECS instances. It uses the Bool operator and the acs:MFAPresent condition key in the Condition element.

{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "acs:MFAPresent": "true"
        }
      }
    }
  ],
  "Version": "1"
}

IP address

| Category | Operator | Description |
| --- | --- | --- |
| IP address | IpAddress | Matches the specified IP address or is within the specified CIDR block. |
| IP address | NotIpAddress | Does not match the specified IP address and is not within the specified CIDR block. |
| IP address | IpAddressIncludeBorder | Matches the specified IP address or CIDR block. Note: Supported by only some cloud services. Test this operator before use. |
| IP address | NotIpAddressIncludeBorder | Does not match the specified IP address or CIDR block. Note: Supported by only some cloud services. Test this operator before use. |

Example:

This policy allows a RAM user to access ECS instances only from the 192.0.2.0/24 CIDR block and the 203.0.113.2 IP address. It uses the IpAddress operator and the acs:SourceIp condition key in the Condition element.

{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": [
            "192.0.2.0/24",
            "203.0.113.2"
          ]
        }
      }
    }
  ],
  "Version": "1"
}
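
The operator semantics described in this topic can be checked locally before a policy is attached. The following Python evaluator is an added example, not Alibaba Cloud code or part of the original documentation; it covers every operator above except the two IncludeBorder variants. Assumptions: multiple values for one key are ORed, multiple keys and operators are ANDed, an absent context key fails the condition, and the names condition_matches, TESTS, NEGATED and SAMPLE are hypothetical.

```python
# Added example (not Alibaba Cloud code): evaluate a RAM Condition block locally.
import ipaddress
import operator
import re
from datetime import datetime

def _like(want, got):
    # '*' = any run of characters (including none), '?' = exactly one; case-sensitive.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in want)
    return re.fullmatch(rx, got, re.DOTALL) is not None

def _in_block(want, got):
    # A bare address such as 203.0.113.2 is handled as a single-host block.
    return ipaddress.ip_address(got) in ipaddress.ip_network(want, strict=False)

TESTS = {
    "StringEquals": lambda want, got: got == want,
    "StringEqualsIgnoreCase": lambda want, got: got.lower() == want.lower(),
    "StringLike": _like,
    "Bool": lambda want, got: got.lower() == want.lower(),
    "IpAddress": _in_block,
}
for suffix, cmp in {"Equals": operator.eq, "LessThan": operator.lt,
                    "LessThanEquals": operator.le, "GreaterThan": operator.gt,
                    "GreaterThanEquals": operator.ge}.items():
    TESTS["Numeric" + suffix] = lambda want, got, c=cmp: c(float(got), float(want))
    # Timestamps must carry an explicit UTC offset, as in the page's example.
    TESTS["Date" + suffix] = lambda want, got, c=cmp: c(
        datetime.fromisoformat(got), datetime.fromisoformat(want))

NEGATED = {"StringNotEquals": "StringEquals", "StringNotLike": "StringLike",
           "StringNotEqualsIgnoreCase": "StringEqualsIgnoreCase",
           "NumericNotEquals": "NumericEquals", "DateNotEquals": "DateEquals",
           "NotIpAddress": "IpAddress"}

def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for op_name, keys in condition.items():
        test = TESTS[NEGATED.get(op_name, op_name)]
        for key, wanted in keys.items():
            if key not in context:
                return False  # assumption: an absent key never satisfies a condition
            values = wanted if isinstance(wanted, list) else [wanted]
            hit = any(test(str(w), str(context[key])) for w in values)
            if hit == (op_name in NEGATED):
                return False
    return True

# Constructed request context checked against the IpAddress example above.
SAMPLE = {"IpAddress": {"acs:SourceIp": ["192.0.2.0/24", "203.0.113.2"]}}
print(condition_matches(SAMPLE, {"acs:SourceIp": "192.0.2.77"}))
```

Running each policy's Condition block against a few constructed contexts, including boundary values such as the exact cutoff time or the last address in a CIDR block, shows whether the operator chosen is the strict or inclusive one you intended.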