When you create a policy, the system automatically checks whether the policy document is correct based on the policy syntax and security best practices. The system provides real-time check results that are classified into the following types: Error, Security Warning, General Warning, and Suggestion. You can view the check results and modify the policy document based on the solutions in the check results to ensure that the policy document conforms to the policy syntax and security best practices.
Error: Data type mismatch
Error code: Data type mismatch
Error message: Data type mismatch
Solution: Change the data format of the policy document to JSON.
Error: Invalid action format
Error code: Invalid action format
Error message: Invalid action format
Solution: Change the format of the Action element to <ram-code>:<action-name>.
Error: Invalid ARN prefix
Error code: Invalid ARN prefix
Error message: Invalid Alibaba Cloud Resource Name (ARN) prefix
Solution: Make sure that the ARN contains the fixed prefix acs. An ARN is a globally unique name that is used to identify a resource in Alibaba Cloud.
Error: Invalid condition key format
Error code: Invalid condition key format
Error message: Invalid condition key format
Solution: Make sure that the condition key is in the format of <ram-code>:<condition-key>.
Error: Invalid condition multiple Boolean
Error code: Invalid condition multiple Boolean
Error message: Multiple Boolean values for a condition
Solution: Make sure that the condition key contains only one Boolean value.
Error: Invalid condition operator
Error code: Invalid condition operator
Error message: Invalid condition operator
Solution: Make sure that the conditional operator is valid. For more information about supported conditional operators, see Condition.
Error: Invalid effect
Error code: Invalid effect
Error message: Invalid effect
Solution: Make sure that the value of the Effect element is Allow or Deny.
Error: Invalid policy element
Error code: Invalid policy element
Error message: Invalid policy element
Solution: Make sure that policy elements are valid. For more information about supported policy elements, see Policy elements.
Error: Invalid version
Error code: Invalid version
Error message: Invalid version
Solution: Set the Version parameter to 1.
Error: Json syntax error
Error code: Json syntax error
Error message: JSON syntax error
Solution: Make sure that no JSON syntax error exists in the policy document. For more information about JSON syntax standards, see RFC 7159.
Error: Missing action
Error code: Missing action
Error message: Missing action
Solution: Add the Action or NotAction element to the policy document.
Error: Missing ARN field
Error code: Missing ARN field
Error message: Missing ARN field
Solution: Make sure that the ARN contains five fields in the format of acs:<ram-code>:<region>:<account-id>:<relative-id>. An ARN is a globally unique name that is used to identify a resource in Alibaba Cloud. The following list describes the definitions of the fields.
acs: the initialism of Alibaba Cloud Service, which indicates the public cloud of Alibaba Cloud.
ram-code: the code that is used in RAM to indicate an Alibaba Cloud service. For more information, see the codes that are listed in the RAM code column in Services that work with RAM.
region: information about the region. This parameter is set to an asterisk (*) for a global resource. A global resource can be accessed without the need to specify a region. For more information, see Regions and zones.
account-id: the ID of the Apsara Stack tenant account. For example, you can enter 123456789012****.
relative-id: the identifier of the service-related resource. The meaning of this element varies based on services. The format of the relative-id field is similar to a file path. For example, relative-id = "mybucket/dir1/object1.jpg" indicates an OSS object.
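The two ARN checks above (Invalid ARN prefix and Missing ARN field) can be reproduced locally before a policy is submitted. The following is an added example, not the console's own checker; the function names and the sample policy are constructed for illustration, and the pass-through of a bare asterisk (*) resource is an assumption.

```python
import json

def check_arn(arn):
    """Return the check names from this page that apply to one ARN string."""
    if arn == "*":
        return []  # assumption: a bare "*" Resource is not parsed as an ARN
    findings = []
    # relative-id is path-like and is kept whole, so split at most four times.
    parts = arn.split(":", 4)
    if parts[0] != "acs":
        findings.append("Invalid ARN prefix")
    if len(parts) < 5:
        findings.append("Missing ARN field")
    return findings

def check_resources(policy_json):
    """Map each offending Resource value in a policy document to its findings."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    report = {}
    for statement in statements:
        resources = statement.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            findings = check_arn(arn)
            if findings:
                report[arn] = findings
    return report

# Constructed sample policy; the account ID and bucket name are placeholders.
SAMPLE_POLICY = """
{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": "oss:GetObject",
    "Resource": [
      "acs:oss:*:123456789012****:mybucket/dir1/object1.jpg",
      "acs:oss:*:mybucket/*",
      "oss:*:123456789012****:mybucket/*"
    ]
  }]
}
"""

if __name__ == "__main__":
    for arn, findings in check_resources(SAMPLE_POLICY).items():
        print(arn, "->", ", ".join(findings))
```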
Error: Missing effect
Error code: Missing effect
Error message: Missing effect
Solution: Add the Effect element to the policy document. The value can be Allow or Deny.
Error: Missing qualifier
Error code: Missing qualifier
Error message: Missing qualifier
Solution: The condition key contains multiple values in the request. Add the condition key qualifier ForAllValues or ForAnyValue to the policy document to allow bitwise operations.
Error: Missing resource
Error code: Missing resource
Error message: Missing resource
Solution: Add the Resource element to the policy document.
Error: Missing statement
Error code: Missing statement
Error message: Missing statement
Solution: Add at least one statement block to the JSON policy document. The statement block must include the Effect, Action, and Resource attributes.
Error: Unsupported element combination
Error code: Unsupported element combination
Error message: Unsupported element combination
Solution: Make sure that a statement does not contain both element1 and element2 at the same time.
Error: Missing version
Error code: Missing version
Error message: Missing version
Solution: Add the Version parameter to the policy document and set the parameter to 1.
Error: Type mismatch IP range
Error code: Type mismatch IP range
Error message: IP range mismatch
Solution: Specify a valid IP address range for the conditional operator in the format of standard CIDR blocks.
Error: Empty array action
Error code: Empty array action
Error message: Empty array action
Solution: Specify an action in the statement.
Error: Empty array resource
Error code: Empty array resource
Error message: Empty array resource
Solution: Specify a resource in the statement.
Security Warning: ForAllValues with single valued key
Error code: ForAllValues with single valued key
Error message: ForAllValues used for a single-valued key
Solution: Excessive permissions may be granted when the ForAllValues qualifier is used for a single-valued key. We recommend that you remove the ForAllValues qualifier.
General Warning: Wildcard without like operator
Error code: Wildcard without like operator
Error message: Wildcard without the like operator
Solution: If the condition value contains the asterisk (*) or question mark (?) wildcard, use the like operator.
General Warning: Type mismatch Boolean
Error code: Type mismatch Boolean
Error message: Boolean type mismatch
Solution: Add the Boolean value true or false for the conditional operator.
General Warning: Type mismatch date
Error code: Type mismatch date
Error message: Date type mismatch
Solution: Make sure that the condition value matches the conditional operator of the date and time type and that the date and time format is valid.
General Warning: Type mismatch number
Error code: Type mismatch number
Error message: Number type mismatch
Solution: Add a valid number for the conditional operator.
Suggestion: Empty array condition
Error code: Empty array condition
Error message: Empty array condition
Solution: Specify a value for the condition key.
Suggestion: Empty object condition
Error code: Empty object condition
Error message: Empty object condition
Solution: Make sure that the condition block is not empty.
Suggestion: Improve IP range
Error code: Improve IP range
Error message: IP range improvement
Solution: After the subnet mask is used, the non-zero bits in the IP address are ignored. Specify an appropriate IP address range.
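The effect described above is easiest to see by computing the range that a condition value actually covers after the subnet mask is applied. The following is an added example, not the console's own checker; it also covers the Type mismatch IP range error. The function names and sample addresses are constructed, and the IpAddress operator and acs:SourceIp key are used as the sample condition. Python's ipaddress module accepts a few notations beyond plain CIDR, so this is stricter on host bits than on notation.

```python
import ipaddress

IP_OPERATORS = ("IpAddress", "NotIpAddress")  # IP-type conditional operators

def check_ip_value(value):
    """Return (check name or None, effective range, number of addresses)."""
    try:
        network = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return ("Type mismatch IP range", None, 0)
    written = ipaddress.ip_interface(value).ip
    # Host bits set in the written address are dropped by the subnet mask.
    check = "Improve IP range" if written != network.network_address else None
    return (check, str(network), network.num_addresses)

def check_condition(condition):
    """Collect findings for every IP-type value in one Condition block."""
    findings = []
    for operator, keys in condition.items():
        # Drop a ForAllValues:/ForAnyValue: qualifier before comparing.
        if operator.split(":")[-1] not in IP_OPERATORS:
            continue
        for key, values in keys.items():
            if isinstance(values, str):
                values = [values]
            for value in values:
                check, effective, count = check_ip_value(value)
                if check:
                    findings.append((key, value, check, effective, count))
    return findings

# Constructed sample condition using documentation address ranges.
SAMPLE_CONDITION = {
    "IpAddress": {
        "acs:SourceIp": ["203.0.113.77/24", "198.51.100.0/24", "192.0.2.0/33"]
    }
}

if __name__ == "__main__":
    for key, value, check, effective, count in check_condition(SAMPLE_CONDITION):
        print(f"{key} {value}: {check} (effective {effective}, {count} addresses)")
```

A value such as 203.0.113.77/24 reads like one host but matches all 256 addresses in 203.0.113.0/24, which is why the check asks for an appropriate range.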
Suggestion: Wildcard in service name
Error code: Wildcard in service name
Error message: Wildcard in the service name
Solution: Do not use asterisks (*) or question marks (?) in the service name. If you use one of the preceding wildcards in the service name, the permissions to access other services that have similar names are also granted.
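To see which services a wildcard in the service name reaches, expand it against a list of RAM codes. The following is an added example, not the console's own checker; the function names are constructed and SAMPLE_CODES is a short sample list, not the full set of codes in Services that work with RAM. It also applies the <ram-code>:<action-name> format rule from the Invalid action format error.

```python
import fnmatch

# Short sample of RAM codes for illustration; the real list is much longer.
SAMPLE_CODES = ["ecs", "eci", "oss", "ots", "ram", "rds"]

def check_action(action):
    """Return (check name or None, RAM codes that the action reaches)."""
    service, separator, name = action.partition(":")
    if not separator or not service or not name:
        return ("Invalid action format", [])
    if "*" in service or "?" in service:
        # * matches any run of characters, ? matches exactly one character.
        reached = [c for c in SAMPLE_CODES if fnmatch.fnmatchcase(c, service)]
        return ("Wildcard in service name", reached)
    return (None, [service])

def check_statement(statement):
    """Map each flagged Action value in one statement to its finding."""
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    report = {}
    for action in actions:
        check, reached = check_action(action)
        if check:
            report[action] = (check, reached)
    return report

# Constructed sample statement.
SAMPLE_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ec?:Describe*", "o*:Get*", "oss:GetObject", "GetObject"],
    "Resource": "*",
}

if __name__ == "__main__":
    for action, (check, reached) in check_statement(SAMPLE_STATEMENT).items():
        print(f"{action}: {check} {reached}")
```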