Creating a Custom Policy for Cloud Services
Function
This API is provided for the administrator to create a custom policy for cloud services.
The API can be called using both the global endpoint and region-specific endpoints.
Authorization Information
Each account is authorized to call all APIs, but its IAM users must obtain the required permissions. For details, see Permissions and Supported Actions.
URI
POST /v3.0/OS-ROLE/roles
Request Parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Content-Type | Yes | String | Fill application/json;charset=utf8 in this field. |
| X-Auth-Token | Yes | String | Access token issued to a user to bear its identity and permissions. For details about the permissions required by the token, see Actions. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Yes | Object | Custom policy information. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| display_name | Yes | String | Display name of the custom policy. |
| type | Yes | String | Application scope of the custom policy.
Set the display mode of a custom policy to either AX or XA. NOTE:
|
| description | Yes | String | Description of the custom policy. |
| description_cn | No | String | Description of the custom policy in Chinese. |
| Yes | Object | Content of the custom policy. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Version | Yes | String | Policy version. When creating a custom policy, set this parameter to 1.1. NOTE:
|
| Yes | Array of objects | Statement of the policy. |
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Action | Yes | Array of strings | Specific operation permissions on a resource. For details about supported actions, see "Permissions and Supported Actions" in the API Reference of cloud services. NOTE:
|
| Effect | Yes | String | Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. Options:
|
| Condition | No | Map<String,Map<String,Array<String>>> | Conditions for the permission to take effect. For details about conditions, see Creating a Custom Policy. NOTE: Take the condition in the sample request as an example, the values of the condition key (obs:prefix) and string (public) must be equal (StringEquals). "Condition": {
"StringEquals": {
"obs:prefix": [
"public"
]
}
} |
| Resource | No | Array of strings | Cloud resource. NOTE:
|
Response Parameters
| Parameter | Type | Description |
|---|---|---|
| Object | Custom policy information. |
| Parameter | Type | Description |
|---|---|---|
| catalog | String | Service catalog. |
| display_name | String | Display name of the custom policy. |
| description | String | Description of the custom policy. |
| Object | Resource link of the custom policy. | |
| Object | Content of the custom policy. | |
| description_cn | String | Description of a custom policy in Chinese. This parameter is returned in the response only when description_cn is specified in the request. |
| domain_id | String | Account ID. |
| type | String | Display mode. NOTE:
|
| id | String | Custom policy ID. |
| name | String | Name of the custom policy. |
| updated_time | String | Time when the custom policy was last updated. NOTE: The value is a Unix timestamp in millisecond, for example, 1687913793000. |
| created_time | String | Time when the custom policy was created. NOTE: The value is a Unix timestamp in millisecond, for example, 1687913793000. |
| Parameter | Type | Description |
|---|---|---|
| Version | String | Policy version. NOTE:
|
| Array of objects | Statement of the policy. A policy can contain a maximum of eight statements. |
| Parameter | Type | Description |
|---|---|---|
| Action | Array of strings | Specific operation permissions on a resource. |
| Effect | String | Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. Options:
|
| Condition | Map<String,Map<String,Array<String>>> | Conditions for the permission to take effect. If this parameter is not specified in the request, it will not be returned in the response. |
| Resource | Array of strings | Cloud resource. If this parameter is not specified in the request, it will not be returned in the response. NOTE:
|
Example Request
Request to create a custom policy named IAMCloudServicePolicy that allows only projects whose names start with eu-west-101 to obtain ACL information about all buckets.
POST https://iam.myhuaweicloud.eu/v3.0/OS-ROLE/roles {
"role": {
"display_name": "IAMCloudServicePolicy",
"type": "AX",
"description": "IAMDescription",
"description_cn": "Description in Chinese",
"policy": {
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"obs:bucket:GetBucketAcl"
],
"Condition": {
"StringStartWith": {
"g:ProjectName": [
"eu-west-101"
]
}
},
"Resource": [
"obs:*:*:bucket:*"
]
}
]
}
}
} Example Response
Status code: 201
The custom policy is created successfully.
{
"role": {
"catalog": "CUSTOMED",
"display_name": "IAMCloudServicePolicy",
"description": "IAMDescription",
"links": {
"self": "https://iam.myhuaweicloud.eu/v3/roles/93879fd90f1046f69e6e0b31c94d2615"
},
"policy": {
"Version": "1.1",
"Statement": [
{
"Action": [
"obs:bucket:GetBucketAcl"
],
"Resource": [
"obs:*:*:bucket:*"
],
"Effect": "Allow",
"Condition": {
"StringStartWith": {
"g:ProjectName": [
"eu-west-101"
]
}
}
}
]
},
"description_cn": "Description in Chinese",
"domain_id": "d78cbac186b744899480f25bd...",
"type": "AX",
"id": "93879fd90f1046f69e6e0b31c9...",
"name": "custom_d78cbac186b744899480f25bd022f468_1"
}
} Status Codes
| Status Code | Description |
|---|---|
| 201 | The custom policy is created successfully. |
| 400 | Invalid parameters. |
| 401 | Authentication failed. |
| 403 | Access denied. |
| 500 | Internal server error. |
Error Codes
None
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
