Creating a Custom Policy for Cloud Services
Function
This API is provided for the administrator to create a custom policy for cloud services.
The API can be called using both the global endpoint and region-specific endpoints.
URI
POST /v3.0/OS-ROLE/roles
Request Parameters
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Content-Type |
Yes |
String |
Fill application/json;charset=utf8 in this field. |
X-Auth-Token |
Yes |
String |
Access token issued to a user to bear its identity and permissions. For details about the permissions required by the token, see Actions. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Yes |
Object |
Custom policy information. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
display_name |
Yes |
String |
Display name of the custom policy. |
type |
Yes |
String |
Application scope of the custom policy.
Set the display mode of a custom policy to either AX or XA.
NOTE:
|
description |
Yes |
String |
Description of the custom policy. |
description_cn |
No |
String |
Description of the custom policy in Chinese. |
Yes |
Object |
Content of the custom policy. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Version |
Yes |
String |
Policy version. When creating a custom policy, set this parameter to 1.1.
NOTE:
|
Yes |
Array of objects |
Statement of the policy. A policy can contain a maximum of eight statements. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Action |
Yes |
Array of strings |
Specific operation permissions on a resource. For details about supported actions, see "Permissions and Supported Actions" in the API Reference of cloud services.
NOTE:
|
Effect |
Yes |
String |
Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. Options:
|
Condition |
No |
Map<String,Map<String,Array<String>>> |
Conditions for the permission to take effect. For details, see Creating a Custom Policy.
NOTE:
Take the condition in the sample request as an example, the values of the condition key (obs:prefix) and string (public) must be equal (StringEquals). "Condition": { "StringEquals": { "obs:prefix": [ "public" ] } } |
Resource |
No |
Array of strings |
Cloud resource.
NOTE:
|
Response Parameters
Parameter |
Type |
Description |
---|---|---|
Object |
Custom policy information. |
Parameter |
Type |
Description |
---|---|---|
catalog |
String |
Service catalog. |
display_name |
String |
Display name of the custom policy. |
description |
String |
Description of the custom policy. |
Object |
Resource link of the custom policy. |
|
Object |
Content of the custom policy. |
|
description_cn |
String |
Description of the custom policy in Chinese. |
domain_id |
String |
Account ID. |
type |
String |
Display mode.
NOTE:
|
id |
String |
Custom policy ID. |
name |
String |
Name of the custom policy. |
updated_time |
String |
Time when the custom policy was last updated.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
created_time |
String |
Time when the custom policy was created.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
references |
String |
Number of references. |
Parameter |
Type |
Description |
---|---|---|
Version |
String |
Policy version.
NOTE:
|
Array of objects |
Statement of the policy. A policy can contain a maximum of eight statements. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Action |
Yes |
Array of strings |
Specific operation permissions on a resource. For details about supported actions, see "Permissions and Supported Actions" in the API Reference of cloud services.
NOTE:
|
Effect |
Yes |
String |
Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. Options:
|
Condition |
No |
Map<String,Map<String,Array<String>>> |
Conditions for the permission to take effect. For details, see Creating a Custom Policy.
NOTE:
Take the condition in the sample request as an example, the values of the condition key (obs:prefix) and string (public) must be equal (StringEquals). "Condition": { "StringEquals": { "obs:prefix": [ "public" ] } } |
Resource |
No |
Array of strings |
Cloud resource.
NOTE:
|
Example Request
Request to create a custom policy named IAMCloudServicePolicy that allows only projects whose names start with eu-west-101 to obtain ACL information about all buckets.
POST https://iam.myhuaweicloud.eu/v3.0/OS-ROLE/roles
{
"role": {
"display_name": "IAMCloudServicePolicy",
"type": "AX",
"description": "IAMDescription",
"description_cn": "Description in Chinese",
"policy": {
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"obs:bucket:GetBucketAcl"
],
"Condition": {
"StringStartWith": {
"g:ProjectName": [
"eu-west-101"
]
}
},
"Resource": [
"obs:*:*:bucket:*"
]
}
]
}
}
}
Example Response
Status code: 201
The custom policy is created successfully.
{ "role": { "catalog": "CUSTOMED", "display_name": "IAMCloudServicePolicy", "description": "IAMDescription", "links": { "self": "https://iam.myhuaweicloud.eu/v3/roles/93879fd90f1046f69e6e0b31c94d2615" }, "policy": { "Version": "1.1", "Statement": [ { "Action": [ "obs:bucket:GetBucketAcl" ], "Resource": [ "obs:*:*:bucket:*" ], "Effect": "Allow", "Condition": { "StringStartWith": { "g:ProjectName": [ "eu-west-101" ] } } } ] }, "description_cn": "Description in Chinese", "domain_id": "d78cbac186b744899480f25bd...", "type": "AX", "id": "93879fd90f1046f69e6e0b31c9...", "name": "custom_d78cbac186b744899480f25bd022f468_1" } }
Status Codes
Status Code |
Description |
---|---|
201 |
The custom policy is created successfully. |
400 |
Invalid parameters. |
401 |
Authentication failed. |
403 |
Access denied. |
500 |
Internal server error. |
Error Codes
None
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.