Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
Software Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive
Help Center/ Identity and Access Management/ API Reference/ API/ Custom Policy Management/ Modifying a Custom Policy for Cloud Services

Modifying a Custom Policy for Cloud Services

Updated on 2024-11-18 GMT+08:00

Function

This API is provided for the administrator to modify a custom policy for cloud services.

The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.

Debugging

You can debug this API in API Explorer.

URI

PATCH /v3.0/OS-ROLE/roles/{role_id}

Table 1 URI parameters

Parameter

Mandatory

Type

Description

role_id

Yes

String

Custom policy ID. For details about how to obtain a custom policy ID, see Custom Policy ID.

Request Parameters

Table 2 Parameters in the request header

Parameter

Mandatory

Type

Description

Content-Type

Yes

String

Fill application/json;charset=utf8 in this field.

X-Auth-Token

Yes

String

Access token issued to a user to bear its identity and permissions.

For details about the permissions required by the token, see Actions.

Table 3 Parameters in the request body

Parameter

Mandatory

Type

Description

role

Yes

Object

Custom policy information.

Table 4 role

Parameter

Mandatory

Type

Description

display_name

Yes

String

Display name of the custom policy.

type

Yes

String

Display mode.

NOTE:
  • AX: the global service project
  • XA: region-specific projects
  • This parameter must be set to either AX or XA.

description

Yes

String

Description of the custom policy.

description_cn

No

String

Description of the custom policy in Chinese.

policy

Yes

Object

Content of the custom policy.

Table 5 role.policy

Parameter

Mandatory

Type

Description

Version

Yes

String

Policy version. When creating a custom policy, set this parameter to 1.1.

NOTE:
  • 1.0: System-defined role. Only a limited number of service-level roles are provided for authorization.
  • 1.1: Policy. A policy defines the permissions required to perform operations on a specific cloud resource under certain conditions.

Statement

Yes

Array of objects

Statement of the policy.

Table 6 role.policy.Statement

Parameter

Mandatory

Type

Description

Action

Yes

Array of strings

Specific operation permissions on a resource. For details about supported actions, see "Permissions and Supported Actions" in the API Reference of cloud services.

NOTE:
  • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
  • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.

Effect

Yes

String

Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements.

Options:

  • Allow
  • Deny

Condition

No

Map<String,Map<String,Array<String>>>

Conditions for the permission to take effect. For details, see Creating a Custom Policy.

NOTE:

Take the condition in the sample request as an example, the values of the condition key (obs:prefix) and string (public) must be equal (StringEquals).

 "Condition": {
              "StringEquals": {
                "obs:prefix": [
                  "public"
                ]
              }
            }

Resource

No

Array of strings

Cloud resource.

NOTE:
  • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
  • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.

Response Parameters

Table 7 Parameters in the response body

Parameter

Type

Description

role

Object

Custom policy information.

Table 8 role

Parameter

Type

Description

catalog

String

Service catalog.

display_name

String

Display name of the custom policy.

description

String

Description of the custom policy.

links

Object

Resource link of the custom policy.

policy

Object

Content of the custom policy.

description_cn

String

Description of a custom policy in Chinese. This parameter is returned in the response only when description_cn is specified in the request.

domain_id

String

Account ID.

type

String

Display mode.

NOTE:
  • AX: the global service project
  • XA: region-specific projects
  • This parameter must be set to either AX or XA.

id

String

Custom policy ID.

name

String

Name of the custom policy.

updated_time

String

Time when the custom policy was last updated.

NOTE:

The value is a Unix timestamp in millisecond, for example, 1687913793000.

created_time

String

Time when the custom policy was created.

NOTE:

The value is a Unix timestamp in millisecond, for example, 1687913793000.

Table 10 role.policy

Parameter

Type

Description

Version

String

Policy version.

NOTE:
  • 1.0: System-defined role. Only a limited number of service-level roles are provided for authorization.
  • 1.1: Policy. A policy defines the permissions required to perform operations on a specific cloud resource under certain conditions.

Statement

Array of objects

Statement of the policy.

Table 11 role.policy.Statement

Parameter

Type

Description

Action

Array of strings

Specific operation permissions on a resource.

Effect

String

Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements.

Options:

  • Allow
  • Deny

Condition

Map<String,Map<String,Array<String>>>

Conditions for the permission to take effect. If this parameter is not specified in the request, it will not be returned in the response.

Resource

Array of strings

Cloud resource. If this parameter is not specified in the request, it will not be returned in the response.

NOTE:
  • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
  • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.

Example Request

Request to modify the custom policy IAMCloudServicePolicy to allow only projects whose names start with ap-southeast-1 to obtain ACL information about all buckets.

PATCH https://iam.myhuaweicloud.com/v3.0/OS-ROLE/roles/{role_id}
{
    "role": {
        "display_name": "IAMCloudServicePolicy",
        "type": "AX",
        "description": "IAMDescription",
        "description_cn": "Description in Chinese",
        "policy": {
            "Version": "1.1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "obs:bucket:GetBucketAcl"
                    ],
                    "Condition": {
                        "StringStartWith": {
                            "g:ProjectName": [
                                "ap-southeast-1"
                            ]
                        }
                    },
                    "Resource": [
                        "obs:*:*:bucket:*"
                    ]
                }
            ]
        }
    }
}

Example Response

Status code: 200

The request is successful.

{
    "role": {
        "catalog": "CUSTOMED",
        "display_name": "IAMCloudServicePolicy",
        "description": "IAMDescription",
        "links": {
            "self": "https://iam.myhuaweicloud.com/v3/roles/93879fd90f1046f69e6e0b31c94d2615"
        },
        "policy": {
            "Version": "1.1",
            "Statement": [
                {
                    "Action": [
                        "obs:bucket:GetBucketAcl"
                    ],
                    "Resource": [
                        "obs:*:*:bucket:*"
                    ],
                    "Effect": "Allow",
                    "Condition": {
                        "StringStartWith": {
                            "g:ProjectName": [
                                "ap-southeast-1"
                            ]
                        }
                    }
                }
            ]
        },
        "description_cn": "Description in Chinese",
        "domain_id": "d78cbac186b744899480f25bd0...",
        "type": "AX",
        "id": "93879fd90f1046f69e6e0b31c94d2615",
        "name": "custom_d78cbac186b744899480f25bd022f468_1"
    }
}

Status Codes

Status Code

Description

200

The request is successful.

400

Invalid parameters.

401

Authentication failed.

403

Access denied.

500

Internal server error.

Error Codes

None

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback