Updated on 2025-11-06 GMT+08:00

Modifying the Trust Policy of a Trust Agency

Function

This API is used to modify the trust policy of a trust agency.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the following required identity policy-based permissions. For details about the required permissions, see Permissions Policies and Supported Actions.

Action                           | Access Level | Resource Type (*: required) | Condition Key           | Alias | Dependencies
---------------------------------+--------------+-----------------------------+-------------------------+-------+-------------
iam:agencies:updateTrustPolicyV5 | Write        | agency *                    | g:ResourceTag/<tag-key> | -     | -

URI

PUT /v5/agencies/{agency_id}/trust-policy

Table 1 Path Parameters

Parameter | Mandatory | Type   | Description
----------+-----------+--------+---------------------------------------------------------------------------------------------------------------
agency_id | Yes       | String | Trust agency ID. The value must contain 1 to 64 characters. Only letters, digits, and hyphens (-) are allowed.

Request Parameters

Table 2 Request body parameters

Parameter    | Mandatory | Type   | Description
-------------+-----------+--------+------------------------------------------------------------------------------------------------------------
trust_policy | Yes       | String | Policy document of the trust agency's trust policy, in JSON format. The trust policy language grammar is described below.

Notation used in the grammar:

Characters =, <, >, (, ), and | are special characters in the grammar and are not included in trust policies.

The question mark (?) following an element indicates that the element is optional, for example, sid_block?.

The vertical bar (|) separates options, and the parentheses enclose the options, for example, ("Allow" | "Deny").

When an element allows more than one value, use commas (,) and an ellipsis (...), for example, [ <policy_statement>, <policy_statement>, ... ].

The following listing describes the trust policy language grammar:

policy = {
  <version_block>,
  <statement_block>
}

<version_block> = "Version" : ("5.0")

<statement_block> = "Statement" : [ <policy_statement>, <policy_statement>, ... ]

<policy_statement> = {
  <sid_block?>,
  <principal_block>,
  <effect_block>,
  <action_block>,
  <resource_block?>,
  <condition_block?>
}

<sid_block> = "Sid" : <sid_string>

<principal_block> = ("Principal" | "NotPrincipal") : <principal_map>

<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }

<principal_map_entry> = ("IAM" | "Service") : [ <principal_id_string>, ... | <service_principal_string>, ... ]

<effect_block> = "Effect" : ("Allow" | "Deny")

<action_block> = ("Action" | "NotAction") : [ <action_string>, <action_string>, ... ]

<resource_block> = ("Resource" | "NotResource") : [ <resource_string>, <resource_string>, ... ]

<condition_block> = "Condition" : { <condition_map> }

<condition_map> = {
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  <condition_type_string> : { <condition_key_string> : <condition_value_list> },
  ...
}

<condition_value_list> = ( <condition_value> | [ <condition_value>, <condition_value>, ... ] )

<condition_value> = "string"

Response Parameters

Status code: 200

Successful

Status code: 400

Table 3 Response body parameters

Parameter  | Type   | Description
-----------+--------+---------------
error_code | String | Error code.
error_msg  | String | Error message.

Status code: 403

Table 4 Response body parameters

Parameter                     | Type   | Description
------------------------------+--------+-------------------------------------------------------------------------------------------------
error_code                    | String | Error code.
error_msg                     | String | Error message.
request_id                    | String | Request ID.
encoded_authorization_message | String | Encrypted authentication failure information, which can be decrypted using the STS5 decryption API.

Status code: 404

Table 5 Response body parameters

Parameter  | Type   | Description
-----------+--------+---------------
error_code | String | Error code.
error_msg  | String | Error message.
request_id | String | Request ID.

Status code: 409

Table 6 Response body parameters

Parameter  | Type   | Description
-----------+--------+---------------
error_code | String | Error code.
error_msg  | String | Error message.
request_id | String | Request ID.

Example Requests

Modifying the trust policy of a trust agency

PUT https://{endpoint}/v5/agencies/{agency_id}/trust-policy

{
  "trust_policy" : "{\"Version\":\"5.0\",\"Statement\":[{\"Action\":[\"sts:agencies:assume\",\"sts::tagSession\",\"sts::setSourceIdentity\"],\"Effect\":\"Allow\",\"Principal\":{\"IAM\":[\"xxx\"]}}]}"
}
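As an added example (not the service's own code and not part of the original page), the following Python checks a policy document against the grammar listed under the trust_policy parameter and then assembles the request shown above, with the policy serialised into the trust_policy string. The endpoint host and agency ID are hypothetical placeholders, and the "xxx" principal ID is carried over from the page's example as a placeholder.

```python
import json

# Added example, not the service's own code: a structural check of a trust policy
# document against the grammar in this API's description, plus a builder for the
# PUT request. The endpoint host and agency_id used here are hypothetical placeholders.

STATEMENT_KEYS = {"Sid", "Principal", "NotPrincipal", "Effect", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}

def _string_list(value):
    """True for a non-empty JSON array whose members are all strings."""
    return bool(value) and isinstance(value, list) and all(isinstance(v, str) for v in value)

def _present(block, key, alt):
    """Keys present out of a (key | alt) pair; the grammar allows only one of them."""
    return [k for k in (key, alt) if k in block]

def validate_trust_policy(policy):
    """Return a list of grammar violations; an empty list means the document conforms."""
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    errors = []
    if policy.get("Version") != "5.0":
        errors.append('Version must be "5.0"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return errors + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        tag = f"Statement[{i}]"
        if not isinstance(st, dict):
            errors.append(f"{tag}: must be an object")
            continue
        for unknown in sorted(set(st) - STATEMENT_KEYS):
            errors.append(f"{tag}: unknown element {unknown!r}")
        if "Sid" in st and not isinstance(st["Sid"], str):
            errors.append(f"{tag}: Sid must be a string")
        if st.get("Effect") not in ("Allow", "Deny"):
            errors.append(f'{tag}: Effect must be "Allow" or "Deny"')
        # principal_block: exactly one of Principal/NotPrincipal, mapping IAM/Service to string lists
        pk = _present(st, "Principal", "NotPrincipal")
        if len(pk) != 1:
            errors.append(f"{tag}: exactly one of Principal/NotPrincipal is required")
        elif not isinstance(st[pk[0]], dict) or not st[pk[0]]:
            errors.append(f"{tag}: {pk[0]} must be a non-empty object")
        else:
            for ptype, ids in st[pk[0]].items():
                if ptype not in ("IAM", "Service"):
                    errors.append(f"{tag}: {pk[0]} key must be IAM or Service, got {ptype!r}")
                if not _string_list(ids):
                    errors.append(f"{tag}: {pk[0]}.{ptype} must be a non-empty list of strings")
        # action_block: exactly one of Action/NotAction, as a string list
        ak = _present(st, "Action", "NotAction")
        if len(ak) != 1 or not _string_list(st[ak[0]]):
            errors.append(f"{tag}: exactly one of Action/NotAction is required, as a non-empty list of strings")
        # resource_block is optional, but Resource and NotResource are alternatives
        rk = _present(st, "Resource", "NotResource")
        if len(rk) > 1:
            errors.append(f"{tag}: Resource and NotResource cannot both be present")
        elif rk and not _string_list(st[rk[0]]):
            errors.append(f"{tag}: {rk[0]} must be a non-empty list of strings")
        # condition_block (optional): { type: { key: "string" | ["string", ...] } }
        cond = st.get("Condition", {})
        if not isinstance(cond, dict):
            errors.append(f"{tag}: Condition must be an object")
            cond = {}
        for ctype, keys in cond.items():
            if not isinstance(keys, dict):
                errors.append(f"{tag}: Condition[{ctype!r}] must be an object")
                continue
            for ckey, cval in keys.items():
                if not (isinstance(cval, str) or _string_list(cval)):
                    errors.append(f"{tag}: Condition[{ctype!r}][{ckey!r}] must be a string or list of strings")
    return errors

def build_update_request(endpoint, agency_id, policy):
    """Assemble the PUT /v5/agencies/{agency_id}/trust-policy request. The policy is
    serialised into a JSON string carried in "trust_policy", which is why the page's
    example body shows escaped quotes inside that string."""
    errors = validate_trust_policy(policy)
    if errors:
        raise ValueError("invalid trust policy: " + "; ".join(errors))
    return {
        "method": "PUT",
        "url": f"https://{endpoint}/v5/agencies/{agency_id}/trust-policy",
        "body": {"trust_policy": json.dumps(policy, separators=(",", ":"))},
    }

# Constructed sample mirroring the page's example request; the principal ID "xxx"
# is the page's placeholder, not a real identifier.
SAMPLE_POLICY = {
    "Version": "5.0",
    "Statement": [{
        "Action": ["sts:agencies:assume", "sts::tagSession", "sts::setSourceIdentity"],
        "Effect": "Allow",
        "Principal": {"IAM": ["xxx"]},
    }],
}

if __name__ == "__main__":
    print(json.dumps(build_update_request("iam.example.invalid", "agency-id-placeholder", SAMPLE_POLICY), indent=2))
```

Running the module prints the assembled request; the trust_policy value it produces is byte-for-byte the string shown in the example request body, since the policy is serialised without whitespace and then embedded as a JSON string. Validation rejects a statement that carries both alternatives of a pair (for example Principal and NotPrincipal together) before anything is sent, so a malformed document is caught client-side rather than surfacing as a 400 response.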

Example Responses

None

Status Codes

Status Code | Description
------------+------------
200         | Successful
400         | Bad request
403         | Forbidden
404         | Not found
409         | Conflict

Error Codes

See Error Codes.