Creating a Custom Policy for Agencies
Function
This API is provided for the administrator to create a custom policy for agencies.
The API can be called using both the global endpoint and region-specific endpoints.
URI
POST /v3.0/OS-ROLE/roles
Request Parameters
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Content-Type |
Yes |
String |
Fill application/json;charset=utf8 in this field. |
X-Auth-Token |
Yes |
String |
Access token issued to a user to bear its identity and permissions. For details about the permissions required by the token, see Actions. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Yes |
Object |
Custom policy information. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
display_name |
Yes |
String |
Display name of the custom policy. The value contains 1 to 64 characters. |
type |
Yes |
String |
Display mode.
NOTE:
|
description |
Yes |
String |
Description of the custom policy. |
description_cn |
No |
String |
Description of the custom policy in Chinese. |
Yes |
Object |
Content of the custom policy. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Version |
Yes |
String |
Policy version. When creating a custom policy, set this parameter to 1.1.
NOTE:
|
Yes |
Array of objects |
Statement of the policy. A policy can contain a maximum of eight statements. |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
Action |
Yes |
Array of strings |
Specific operation permissions on a resource. For details about supported actions, see "Permissions and Supported Actions" in the API Reference of cloud services.
NOTE:
Set this parameter to iam:agencies:assume. |
Effect |
Yes |
String |
Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. Options:
|
Yes |
Object |
Resources to be managed. After an account establishes multiple trust relationships between itself and your account, you can authorize IAM users in different user groups to manage resources of the delegating party. Each IAM user can only switch to the agencies they have been authorized to access. For example: "Resource": {"uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]} |
Response Parameters
Parameter |
Type |
Description |
---|---|---|
Object |
Custom policy information. |
Parameter |
Type |
Description |
---|---|---|
catalog |
String |
Service catalog. |
display_name |
String |
Display name of the custom policy. |
description |
String |
Description of the custom policy. |
Object |
Resource link of the custom policy. |
|
Object |
Content of the custom policy. |
|
description_cn |
String |
Description of the custom policy in Chinese. |
domain_id |
String |
Account ID. |
type |
String |
Display mode.
NOTE:
|
id |
String |
Custom policy ID. |
name |
String |
Name of the custom policy. |
updated_time |
String |
Time when the custom policy was last updated.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
created_time |
String |
Time when the custom policy was created.
NOTE:
The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601. |
references |
String |
Number of references. |
Parameter |
Type |
Description |
---|---|---|
Version |
String |
Policy version.
NOTE:
|
Array of objects |
Statement of the policy. |
Parameter |
Type |
Description |
---|---|---|
Action |
Array of strings |
Specific operation permissions on a resource. For details about supported actions, see "Permissions and Supported Actions" in the API Reference of cloud services.
NOTE:
|
Effect |
String |
Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. Options:
|
Object |
Resources to be managed. After an account establishes multiple trust relationships between itself and your account, you can authorize IAM users in different user groups to manage resources of the delegating party. Each IAM user can only switch to the agencies they have been authorized to access. For example: "Resource": {"uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]} |
Example Request
Request to create a custom policy with display_name set to IAMAgencyPolicy and uri set to /iam/agencies/07805acaba800fdd4fbdc00b8f888c7c. The policy applies to global services.
POST https://iam.myhuaweicloud.eu/v3.0/OS-ROLE/roles
{ "role": { "display_name": "IAMAgencyPolicy", "type": "AX", "description": "IAMDescription", "description_cn": "Description in Chinese", "policy": { "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "iam:agencies:assume" ], "Resource": { "uri": [ "/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c" ] } } ] } } }
Example Response
Status code: 201
The custom policy for agencies is created successfully.
{
"role": {
"catalog": "CUSTOMED",
"display_name": "IAMAgencyPolicy",
"description": "IAMDescription",
"links": {
"self": "https://iam.myhuaweicloud.eu/v3/roles/f67224e84dc849ab954ce29fb4f47f8e"
},
"policy": {
"Version": "1.1",
"Statement": [
{
"Action": [
"iam:agencies:assume"
],
"Resource": {
"uri": [
"/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"
]
},
"Effect": "Allow"
}
]
},
"description_cn": "Description in Chinese",
"domain_id": "d78cbac186b744899480f25bd02...",
"type": "AX",
"id": "f67224e84dc849ab954ce29fb4f47f8e",
"name": "custom_d78cbac186b744899480f25bd022f468_0"
}
}
Status Codes
Status Code |
Description |
---|---|
201 |
The custom policy for agencies is created successfully. |
400 |
Invalid parameters. |
401 |
Authentication failed. |
403 |
Access denied. |
500 |
Internal server error. |
Error Codes
None
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.