Actions Supported by Identity Policy-based Authorization (New IAM Version)
IAM provides system-defined identity policies to define common actions supported by cloud services. You can also create custom identity policies using the actions supported by cloud services for more refined access control.
In addition to IAM, the Organizations service also provides Service Control Policies (SCPs) to set access control policies.
SCPs do not grant any permissions to an entity. They only set the permissions boundary for it. When an SCP is attached to an organizational unit (OU) or a member account, it does not grant that OU or member account any permission. It only determines which permissions are available to the member account, or to the member accounts under the OU. A permission granted by an identity policy takes effect only if the SCP also allows it.
To learn more about how IAM is different from Organizations for access control, see What Are the Differences in Access Control Between IAM and Organizations?
This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.
- For details about how to use these elements to edit an IAM custom identity policy, see Creating a Custom Identity Policy.
- For details about how to use these elements to edit a custom SCP, see Creating an SCP.
Action
Actions are specific operations that are allowed or denied in an identity policy.
- The Access Level column classifies the action as list, read, or write. This classification helps you understand the level of access an action grants when you use it in an identity policy.
- The Resource Type column indicates whether the action supports resource-level permissions.
  - A wildcard (*) indicates all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in the Resource element of your identity policy statements.
  - If this column lists a resource type, you must specify the URN of a resource of that type in the Resource element of your identity policy statements.
  - Required resources are marked with an asterisk (*) in the table. If you specify a resource in a statement that uses this action, it must be of this type.
  For details about the resource types defined by UCS, see Resources.
- The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
  - If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
  - If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that the action supports.
  - If the Condition Key column is empty (-) for an action, the action does not support any condition keys.
  For details about the condition keys defined by UCS, see Conditions.
- The Alias column lists the corresponding action names used in policies (policy-based authorization). An identity-policy action and its alias authorize the same APIs. For details, see Policies and Identity Policies.
The following table lists the actions that you can define in identity policy statements for UCS. The Condition Key column is empty for every action because UCS defines no service-specific condition keys (see Conditions); global condition keys such as g:MFAPresent and g:SourceIp can still be used with any of them. Note that ucs:clusters:getCredential, ucs:clusters:generateCredential, and ucs:clustergroups:generateCredential return or generate cluster access credentials; grant them separately from ordinary read access and consider restricting them with a Condition, even though getCredential is classified as read.
| Action | Description | Access Level | Resource Type (*: required) | Condition Key | Alias |
|---|---|---|---|---|---|
| ucs:clustergroups:createFleet | Grants permission to create a fleet. | write | clustergroup | - | ucs:clustergroups:create |
| ucs:clustergroups:deleteFleet | Grants permission to delete a fleet. | write | clustergroup | - | ucs:clustergroups:delete |
| ucs:clustergroups:getFleet | Grants permission to query the details about a fleet. | read | clustergroup | - | ucs:clustergroups:get |
| ucs:clustergroups:listFleets | Grants permission to query the fleet list. | list | clustergroup | - | ucs:clustergroups:list |
| ucs:clustergroups:updateFleet | Grants permission to update a fleet. | write | clustergroup | - | ucs:clustergroups:update |
| ucs:clustergroups:addClusters | Grants permission to add clusters to a fleet. | write | clustergroup | - | ucs:clustergroups:update |
| ucs:clustergroups:enablePolicy | Grants permission to enable policy management for a fleet. | write | clustergroup | - | ucs:permissionsRules:create |
| ucs:clustergroups:disablePolicy | Grants permission to disable policy management for a fleet. | write | clustergroup | - | ucs:permissionsRules:delete |
| ucs:clustergroups:createPolicy | Grants permission to create a policy instance for a fleet. | write | clustergroup | - | ucs:permissionsRules:create |
| ucs:clustergroups:enableFederation | Grants permission to enable cluster federation for a fleet. | write | clustergroup | - | ucs:clustergroups:create |
| ucs:clustergroups:disableFederation | Grants permission to disable cluster federation for a fleet. | write | clustergroup | - | ucs:clustergroups:delete |
| ucs:clustergroups:upgradeFederation | Grants permission to upgrade the cluster federation for a fleet. | write | clustergroup | - | ucs:clustergroups:create |
| ucs:clustergroups:rollbackFederation | Grants permission to roll back the cluster federation for a fleet. | write | clustergroup | - | ucs:clustergroups:create |
| ucs:clustergroups:getOperation | Grants permission to query the operation details of a fleet. | read | clustergroup | - | ucs:clustergroups:get |
| ucs:clustergroups:updateFederationDomain | Grants permission to update the domain name for the cluster federation of a fleet. | write | clustergroup | - | ucs:clustergroups:update |
| ucs:clustergroups:generateCredential | Grants permission to generate the access credential for the cluster federation of a fleet. | write | clustergroup | - | ucs:clustergroups:get |
| ucs:clustergroups:generateConnection | Grants permission to create a federation connection for a fleet. | write | clustergroup | - | ucs:clustergroups:get |
| ucs:clustergroups:connect | Grants permission to connect to the cluster federation of a fleet. | write | clustergroup | - | ucs:clustergroups:get |
| ucs:clustergroups:updateRule | Grants permission to modify the permission rules of a cluster in a fleet. | write | clustergroup | - | ucs:clustergroups:update |
| ucs:clusters:createCluster | Grants permission to create a cluster. | write | cluster | - | ucs:clusters:create |
| ucs:clusters:deleteCluster | Grants permission to delete a cluster. | write | cluster | - | ucs:clusters:delete |
| ucs:clusters:getCluster | Grants permission to query the details about a cluster. | read | cluster | - | ucs:clusters:get |
| ucs:clusters:listClusters | Grants permission to query the cluster list. | list | cluster | - | ucs:clusters:list |
| ucs:clusters:updateCluster | Grants permission to update a cluster. | write | cluster | - | ucs:clusters:update |
| ucs:clusters:activate | Grants permission to activate a cluster. | write | cluster | - | ucs:clusters:update |
| ucs:clusters:getConnectManifest | Grants permission to obtain the manifest file to connect a cluster to UCS. | read | cluster | - | ucs:clusters:create |
| ucs:clusters:generateConfig | Grants permission to generate cluster configuration. | write | cluster | - | ucs:clusters:update |
| ucs:clusters:getPackageVersion | Grants permission to query the cluster software package version list. | read | cluster | - | ucs:clusters:get |
| ucs:clusters:getCredential | Grants permission to query the cluster access credential. | read | cluster | - | ucs:clusters:get |
| ucs:clusters:join | Grants permission to add a cluster to a fleet. | write | cluster | - | ucs:clusters:update |
| ucs:clusters:unjoin | Grants permission to remove a cluster from a fleet. | write | cluster | - | ucs:clusters:update |
| ucs:clusters:enablePolicy | Grants permission to enable policy management for a cluster. | write | cluster | - | ucs:permissionsRules:create |
| ucs:clusters:disablePolicy | Grants permission to disable policy management for a cluster. | write | cluster | - | ucs:permissionsRules:delete |
| ucs:clusters:createPolicy | Grants permission to create a policy instance for a cluster. | write | cluster | - | ucs:permissionsRules:create |
| ucs:clusters:generateCredential | Grants permission to generate the cluster access credential. | write | cluster | - | ucs:clusters:get |
| ucs:clusters:updateRule | Grants permission to modify the permission rules of a cluster. | write | cluster | - | ucs:clusters:update |
| ucs::getAddonTemplate | Grants permission to query the details about an add-on template. | read | * | - | ucs:addonTemplates:get |
| ucs::listAddonTemplates | Grants permission to query the add-on template list. | list | * | - | ucs:addonTemplates:list |
| ucs:addons:get | Grants permission to query the details about an add-on instance. | read | cluster | - | - |
| ucs:addons:update | Grants permission to update an add-on instance. | write | cluster | - | - |
| ucs:configsets:create | Grants permission to create a configuration set. | write | cluster | - | - |
| ucs:configsets:delete | Grants permission to delete a configuration set. | write | cluster | - | - |
| ucs:configsets:get | Grants permission to query the details about a configuration set. | read | cluster | - | - |
| ucs:configsets:list | Grants permission to query the configuration set list. | list | cluster | - | - |
| ucs:configsets:update | Grants permission to update a configuration set. | write | cluster | - | - |
| ucs:permissions:listRules | Grants permission to query the rule list. | list | * | - | ucs:permissionsRules:list |
| ucs:permissions:updateRule | Grants permission to update a rule. | write | * | - | ucs:permissionsRules:update |
| ucs:permissions:deleteRule | Grants permission to delete a rule. | write | * | - | ucs:permissionsRules:delete |
| ucs:permissions:createRule | Grants permission to create a rule. | write | * | - | ucs:permissionsRules:create |
| ucs::getPolicyDefinition | Grants permission to query the details about a policy definition. | read | * | - | ucs:permissionsRules:get |
| ucs::listPolicyDefinitions | Grants permission to query the policy definition list. | list | * | - | ucs:permissionsRules:get |
| ucs::updatepolicyDefinition | Grants permission to update a policy definition. | write | * | - | ucs:permissionsRules:update |
| ucs:policyInstances:delete | Grants permission to delete a policy instance. | write | cluster/clustergroup | - | ucs:permissionsRules:delete |
| ucs:policyInstances:get | Grants permission to query the details about a policy instance. | read | cluster/clustergroup | - | ucs:permissionsRules:get |
| ucs:policyInstances:list | Grants permission to query the policy instance list. | list | cluster/clustergroup | - | ucs:permissionsRules:get |
| ucs:policyInstances:update | Grants permission to update a policy instance. | write | cluster/clustergroup | - | ucs:permissionsRules:update |
| ucs:policyInstances:operate | Grants permission to retry a policy instance. | write | cluster/clustergroup | - | ucs:permissionsRules:update |
| ucs:policyInstances:getOperation | Grants permission to query the operation status of a policy instance. | read | * | - | ucs:permissionsRules:get |
| ucs:policyInstances:listOperations | Grants permission to query the batch operation status of a policy instance. | write | * | - | ucs:permissionsRules:get |
| ucs:traffic:create | Grants permission to create a record set. | write | * | - | - |
| ucs:traffic:list | Grants permission to query a record set. | list | * | - | - |
| ucs:workloads:create | Grants permission to create a workload. | write | cluster/clustergroup | - | - |
| ucs:workloads:delete | Grants permission to delete a workload. | write | cluster/clustergroup | - | - |
| ucs:workloads:get | Grants permission to query a workload. | read | cluster/clustergroup | - | - |
| ucs:workloads:update | Grants permission to update a workload. | write | cluster/clustergroup | - | - |
Resources
A resource type indicates the resources that an identity policy applies to. If a resource type is specified for an action in Table 2, the resource URN must be specified in the identity policy statements that use that action, and the identity policy applies only to resources of that type. If no resource type is specified, the Resource element is set to an asterisk (*) and the identity policy applies to all resources. You can also set condition keys in an identity policy to further restrict the resources it applies to.
The following table lists the resource types that you can specify in identity policy statements for UCS.
Conditions
Condition Key Overview
A Condition element lets you specify the conditions under which an identity policy takes effect. It contains condition keys and operators.
- The condition key that you specify can be a global condition key or a service-specific condition key.
  - Global condition keys (with the g: prefix) apply to all actions. The cloud service does not need to supply the requester's identity information; the system obtains it automatically when it authenticates the request. For details, see Table 3. For details about global condition keys, see Global Condition Keys.
  - Service-specific condition keys (prefixed with the service abbreviation and a colon, for example, ucs:) apply only to operations of that service. UCS does not support service-specific condition keys in identity policies.
- The number of values a condition key can have in the request context of an API call makes it single-valued or multivalued. A single-valued condition key has at most one value in the request context; a multivalued condition key can have several. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is single-valued, whereas a request can carry multiple tag key-value pairs, so g:TagKeys is multivalued.
- An operator, a condition key, and a condition value together form a complete condition statement. An identity policy applies only when the conditions of the request are met. For supported operators, see Operators.
The following table lists the condition keys that you can define in identity policies for UCS. You can include these condition keys to specify conditions for when your identity policy is in effect.
| Global Condition Key | Type | Single-valued/Multivalued | Description |
|---|---|---|---|
| g:CalledVia | String | Multivalued | You can use this key to control cross-service access. |
| g:CalledViaFirst | String | Single-valued | The first element in g:CalledVia |
| g:CalledViaLast | String | Single-valued | The last element in g:CalledVia |
| g:CurrentTime | Date | Single-valued | You can use this key to control the time range in which cloud service APIs can be accessed. |
| g:MFAAge | Number | Single-valued | Time elapsed since multi-factor authentication (MFA) of the current requester, in seconds |
| g:MFAPresent | Boolean | Single-valued | You can use this key to restrict cloud service APIs to principals authenticated using MFA. |
| g:DomainId | String | Single-valued | Domain/Account ID of the requester |
| g:DomainName | String | Single-valued | Domain/Account name of the requester |
| g:PrincipalAccount | String | Single-valued | Same as g:DomainId |
| g:PrincipalUrn | String | Single-valued | URN of the requester. The URN format varies depending on the requester type. |
| g:PrincipalIsService | Boolean | Single-valued | Whether the requester is a cloud service. You can use this key to allow only cloud services to access the specified APIs. |
| g:PrincipalIsRootUser | Boolean | Single-valued | Whether the requester is a root user |
| g:PrincipalOrgId | String | Single-valued | ID of the organization that the requester belongs to. You can use this key to allow only requesters in the specified organization to access the specified APIs. |
| g:PrincipalOrgManagementAccountId | String | Single-valued | Management account ID of the organization that the requester belongs to |
| g:PrincipalOrgPath | String | Single-valued | Organization path of the requester account. You can use this key to allow only accounts at specified levels of the organization to access the specified APIs. |
| g:PrincipalServiceName | String | Single-valued | Cloud service principal of the requester |
| g:PrincipalType | String | Single-valued | Type of the requester (for example, an IAM user, an assumed-agency session, or a cloud service) |
| g:Referer | String | Single-valued | HTTP Referer header in a request. CAUTION: As this key is specified by the client, it should not be used to prevent unauthorized access. |
| g:ResourceAccount | String | Single-valued | Account ID of the requested resource owner |
| g:SecureTransport | Boolean | Single-valued | Whether the request is sent using SSL/TLS |
| g:SourceAccount | String | Single-valued | Account of the resource for which a service-to-service request was initiated. You can use this key to solve the confused deputy problem in cross-service access. |
| g:SourceUrn | String | Single-valued | URN of the resource for which a service-to-service request was initiated. You can use this key to solve the confused deputy problem in cross-service access. |
| g:SourceIdentity | String | Single-valued | The source_identity field set in the temporary IAM credential (STSToken) |
| g:SourceIp | IP | Single-valued | Source IP address from a public network. CAUTION: If the request was initiated from an ECS in a VPC through a VPC endpoint, g:VpcSourceIp is used instead of g:SourceIp. |
| g:SourceVpc | String | Single-valued | ID of the VPC that the VPC endpoint belongs to |
| g:SourceVpce | String | Single-valued | ID of the VPC endpoint used to initiate the request |
| g:SourceVpceAccount | String | Single-valued | ID of the account that the VPC endpoint used to initiate the request belongs to |
| g:SourceVpceOrgId | String | Single-valued | ID of the organization that g:SourceVpceAccount belongs to |
| g:SourceVpceOrgPath | String | Single-valued | Path of the organization that g:SourceVpceAccount belongs to |
| g:TokenIssueTime | Date | Single-valued | Time when the STSToken in the access credentials was issued |
| g:UserAgent | String | Single-valued | HTTP User-Agent header in a request. CAUTION: As this key is specified by the client, it should not be used to prevent unauthorized access. |
| g:PrincipalId | String | Single-valued | ID of the requester. The ID format varies depending on the requester type. |
| g:UserName | String | Single-valued | Name of the IAM user who initiates the request |
| g:ViaService | Boolean | Single-valued | Whether the request was initiated by a cloud service on behalf of the user through the Impersonate protocol. The value is true only when g:CalledVia is not empty. |
| g:VpcSourceIp | IP | Single-valued | Address used within the VPC to access the previous-hop node of the VPC endpoint |
| g:UserId | String | Single-valued | ID of the IAM user who initiates the request |
| g:AssumedByService | String | Single-valued | service_principal of the cloud service that assumed the agency to initiate the request |
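The two rules this page states, that an SCP only bounds what identity policies may grant, and that a statement applies only when its Condition holds, are easiest to see in a small evaluator. The following is an added example written for this page, not Huawei Cloud's authorization engine. It assumes the "Version": "5.0" document shape, that an explicit Deny overrides an Allow, and the operator names Bool, StringEquals, IpAddress and ForAnyValue:StringEquals (the last for multivalued keys such as g:CalledVia); the policies, SCP and request contexts are constructed for the example. It gates credential generation on g:MFAPresent and a g:SourceIp range, which is how the credential-returning UCS actions in Table 2 should typically be conditioned.

```python
"""Evaluate a UCS request against identity policies bounded by an SCP.

Added illustration for this page, not Huawei Cloud's authorization engine.
It encodes the rules stated above: an SCP grants nothing on its own and only
bounds what identity policies may grant, and a request is allowed only when
an identity policy allows it, no statement denies it, and the SCP allows it.
Assumed (not taken from this page): "Version": "5.0" documents, explicit
Deny overriding Allow, and the operator names Bool, StringEquals, IpAddress
and ForAnyValue:StringEquals.
"""
import ipaddress
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value):
    """Action/Resource matching with * wildcards (e.g. "ucs:clusters:*")."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Check a Condition block against the request context `ctx`."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = ctx.get(key)  # single-valued keys hold one value; g:CalledVia a list
            if op == "Bool":
                ok = actual is not None and str(actual).lower() == expected[0].lower()
            elif op == "StringEquals":
                ok = actual is not None and str(actual) in expected
            elif op == "IpAddress":
                # g:SourceIp is the public source address; a request through a VPC
                # endpoint carries g:VpcSourceIp instead, so this check would not match it.
                ok = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(net)
                    for net in expected)
            elif op == "ForAnyValue:StringEquals":
                # multivalued key: satisfied if any element of the request value matches
                ok = bool(set(map(str, _as_list(actual or []))) & set(expected))
            else:
                raise ValueError(f"unsupported operator {op!r}")
            if not ok:
                return False
    return True


def _decision(policies, action, resource, ctx):
    """'deny' if any matching statement denies, 'allow' if one allows, else None."""
    result = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _match(stmt["Action"], action):
                continue
            if not _match(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            result = "allow"
    return result


def is_allowed(identity_policies, scps, action, resource, ctx):
    """Effective permission = identity Allow AND SCP Allow, with any Deny winning."""
    return (_decision(identity_policies, action, resource, ctx) == "allow"
            and _decision(scps, action, resource, ctx) == "allow")


# Constructed sample documents (not real policies). The SCP opens all UCS
# actions except cluster deletion; the identity policy grants cluster reads,
# cluster deletion, and credential generation gated on MFA and a source range.
IDENTITY_POLICIES = [{"Version": "5.0", "Statement": [
    {"Effect": "Allow",
     "Action": ["ucs:clusters:getCluster", "ucs:clusters:deleteCluster"],
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": ["ucs:clusters:generateCredential"],
     "Resource": ["*"],
     "Condition": {"Bool": {"g:MFAPresent": "true"},
                   "IpAddress": {"g:SourceIp": ["203.0.113.0/24"]}}},
]}]
SCPS = [{"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": "ucs:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ucs:clusters:deleteCluster", "Resource": "*"},
]}]

if __name__ == "__main__":
    res = "cluster-a"  # stands in for a UCS cluster URN
    print(is_allowed(IDENTITY_POLICIES, SCPS, "ucs:clusters:getCluster", res, {}))     # True
    print(is_allowed(IDENTITY_POLICIES, SCPS, "ucs:clusters:deleteCluster", res, {}))  # False: SCP denies
    print(is_allowed(IDENTITY_POLICIES, SCPS, "ucs:clusters:listClusters", res, {}))   # False: SCP grants nothing
    mfa = {"g:MFAPresent": True, "g:SourceIp": "203.0.113.7"}
    print(is_allowed(IDENTITY_POLICIES, SCPS, "ucs:clusters:generateCredential", res, mfa))  # True
```

The listClusters case is the one people get wrong: the SCP's "ucs:*" Allow covers it, but with no identity policy granting it the request is refused, which is the "SCPs do not grant any permissions" rule from the top of the page. The deleteCluster case shows the opposite direction, an identity Allow cut off by the SCP boundary.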