How Are Identity Policies Compatible with Policies?
The role/policy-based authorization model and the identity policy-based authorization model are independent of each other, but they are used in a similar way.
You are advised to use only identity policies to manage authorization for new accounts, because they give more secure and fine-grained permission control. For existing accounts, you may use both roles/policies and identity policies. This means an IAM principal can hold several kinds of permissions at once: system-defined roles, system-defined policies, custom policies, system-defined identity policies, and custom identity policies, and all of them take effect at the same time. System-defined roles are a coarse-grained authorization strategy that IAM provides to assign permissions based on users' job responsibilities; they cannot be changed, and you can decide whether to use them based on service requirements. System-defined policies, custom policies, system-defined identity policies, and custom identity policies provide fine-grained permissions management.
When using policies and identity policies, it is important to select the required actions. Take IAM as an example. For all actions supported by IAM, see Permissions and Supported Actions. "Actions Supported by Policy-based Authorization" describes the policy actions supported by IAM APIs, and "Actions Supported by Identity Policy-based Authorization" describes the identity policy actions supported by IAM APIs. To stay compatible with APIs that support only policy actions, identity policy actions that can call these APIs have been added to IAM identity policies. Some of these actions keep their original names and some are renamed. A policy action whose name was changed is called the alias of the corresponding identity policy action.
Table 1 lists the policy actions that are added to identity policies without changing their names. Table 2 lists the policy actions that are added to identity policies with their names changed.
Table 1 Policy actions added to identity policies with their names unchanged

| Identity Policy Action | Access Level | Policy Action |
|---|---|---|
| iam:identityProviders:listMappings | List | iam:identityProviders:listMappings |
| iam:identityProviders:getMapping | Read | iam:identityProviders:getMapping |
| iam:identityProviders:createMapping | Write | iam:identityProviders:createMapping |
| iam:identityProviders:deleteMapping | Write | iam:identityProviders:deleteMapping |
| iam:identityProviders:updateMapping | Write | iam:identityProviders:updateMapping |
| iam:identityProviders:listProtocols | List | iam:identityProviders:listProtocols |
| iam:identityProviders:getProtocol | Read | iam:identityProviders:getProtocol |
| iam:identityProviders:createProtocol | Write | iam:identityProviders:createProtocol |
| iam:identityProviders:deleteProtocol | Write | iam:identityProviders:deleteProtocol |
| iam:identityProviders:updateProtocol | Write | iam:identityProviders:updateProtocol |
| iam:securityPolicies:getProtectPolicy | Read | iam:securityPolicies:getProtectPolicy |
| iam:securityPolicies:updateProtectPolicy | Write | iam:securityPolicies:updateProtectPolicy |
| iam:securityPolicies:getPasswordPolicy | Read | iam:securityPolicies:getPasswordPolicy |
| iam:securityPolicies:updatePasswordPolicy | Write | iam:securityPolicies:updatePasswordPolicy |
| iam:securityPolicies:getLoginPolicy | Read | iam:securityPolicies:getLoginPolicy |
| iam:securityPolicies:updateLoginPolicy | Write | iam:securityPolicies:updateLoginPolicy |
| iam:securityPolicies:getConsoleAclPolicy | Read | iam:securityPolicies:getConsoleAclPolicy |
| iam:securityPolicies:updateConsoleAclPolicy | Write | iam:securityPolicies:updateConsoleAclPolicy |
| iam:securityPolicies:getApiAclPolicy | Read | iam:securityPolicies:getApiAclPolicy |
| iam:securityPolicies:updateApiAclPolicy | Write | iam:securityPolicies:updateApiAclPolicy |
Table 2 Policy actions added to identity policies with their names changed (aliases)

| Identity Policy Action | Access Level | Policy Action (Alias of Identity Policy Action) |
|---|---|---|
| iam::listAccessKeys | List | iam:credentials:listCredentials |
| iam::createAccessKey | Write | iam:credentials:createCredential |
| iam::getAccessKey | Read | iam:credentials:getCredential |
| iam::updateAccessKey | Write | iam:credentials:updateCredential |
| iam::deleteAccessKey | Write | iam:credentials:deleteCredential |
| iam:projects:list | List | iam:projects:listProjects |
| iam:projects:create | Write | iam:projects:createProject |
| iam:projects:listForUser | List | iam:projects:listProjectsForUser |
| iam:projects:update | Write | iam:projects:updateProject |
| iam:groups:list | List | iam:groups:listGroups |
| iam:groups:create | Write | iam:groups:createGroup |
| iam:groups:get | Read | iam:groups:getGroup |
| iam:groups:delete | Write | iam:groups:deleteGroup |
| iam:groups:update | Write | iam:groups:updateGroup |
| iam:groups:removeUser | Write | iam:permissions:removeUserFromGroup |
| iam:groups:listUsers | List | iam:users:listUsersForGroup |
| iam:groups:checkUser | Read | iam:permissions:checkUserInGroup |
| iam:groups:addUser | Write | iam:permissions:addUserToGroup |
| iam:users:create | Write | iam:users:createUser |
| iam:users:get | Read | iam:users:getUser |
| iam:users:update | Write | iam:users:updateUser |
| iam:users:list | List | iam:users:listUsers |
| iam:users:delete | Write | iam:users:deleteUser |
| iam:users:listGroups | List | iam:groups:listGroupsForUser |
| iam:users:listVirtualMFADevices | List | iam:mfa:listVirtualMFADevices |
| iam:users:createVirtualMFADevice | Write | iam:mfa:createVirtualMFADevice |
| iam:users:deleteVirtualMFADevice | Write | iam:mfa:deleteVirtualMFADevice |
| iam:users:getVirtualMFADevice | Read | iam:mfa:getVirtualMFADevice |
| iam:users:bindVirtualMFADevice | Write | iam:mfa:bindMFADevice |
| iam:users:unbindVirtualMFADevice | Write | iam:mfa:unbindMFADevice |
| iam:identityProviders:list | List | iam:identityProviders:listIdentityProviders |
| iam:identityProviders:get | Read | iam:identityProviders:getIdentityProvider |
| iam:identityProviders:create | Write | iam:identityProviders:createIdentityProvider |
| iam:identityProviders:delete | Write | iam:identityProviders:deleteIdentityProvider |
| iam:identityProviders:update | Write | iam:identityProviders:updateIdentityProvider |
| iam:identityProviders:getSAMLMetadata | Read | iam:identityProviders:getIDPMetadata |
| iam:identityProviders:createSAMLMetadata | Write | iam:identityProviders:createIDPMetadata |
| iam:identityProviders:getOIDCConfig | Read | iam:identityProviders:getOpenIDConnectConfig |
| iam:identityProviders:createOIDCConfig | Write | iam:identityProviders:createOpenIDConnectConfig |
| iam:identityProviders:updateOIDCConfig | Write | iam:identityProviders:updateOpenIDConnectConfig |
| iam:users:listLoginProtectSettings | List | iam:users:listUserLoginProtects |
| iam:users:getLoginProtectSetting | Read | iam:users:getUserLoginProtect |
| iam:users:updateLoginProtectSetting | Write | iam:users:setUserLoginProtect |
| iam:quotas:list | List | iam:quotas:listQuotas |
| iam:quotas:listForProject | List | iam:quotas:listQuotasForProject |
The policy actions in Table 2 are the aliases used in identity policy-based authorization. For example, on the new IAM console you can create the following identity policy, which allows the iam:identityProviders:listMappings action from Table 1, to call the API GET /v3/OS-FEDERATION/mappings and list the mappings of an identity provider. For details, see Creating a Custom Identity Policy.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:identityProviders:listMappings"
      ]
    }
  ]
}
```
This has the same effect as creating the following policy, which allows the same iam:identityProviders:listMappings action, on the old IAM console. For details, see Creating a Custom Policy.

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:identityProviders:listMappings"
      ]
    }
  ]
}
```
On the new IAM console you can also create the following identity policy, which allows the iam::listAccessKeys action from Table 2, to call the API GET /v3.0/OS-CREDENTIAL/credentials and query permanent access keys.

```json
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam::listAccessKeys"
      ]
    }
  ]
}
```
The identity policy above has the same effect as the following policy, which allows its alias iam:credentials:listCredentials, on the old IAM console:

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:credentials:listCredentials"
      ]
    }
  ]
}
```
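The alias relationship between the two policy formats can be applied mechanically when migrating an old-console custom policy to an identity policy. The following is an added example, not code from the IAM documentation: it maps Version 1.1 policy actions to their Version 5.0 identity policy actions using a subset of Table 1 and Table 2, and reports any action it cannot map instead of silently dropping it. The `iam:example:notInTables` action in the sample input is a placeholder, not a real IAM action.

```python
# Subset of Table 2 on this page: policy action (the alias) -> identity policy action.
# Extend from the full table as needed.
ALIAS_TO_IDENTITY_ACTION = {
    "iam:credentials:listCredentials": "iam::listAccessKeys",
    "iam:credentials:createCredential": "iam::createAccessKey",
    "iam:credentials:getCredential": "iam::getAccessKey",
    "iam:credentials:updateCredential": "iam::updateAccessKey",
    "iam:credentials:deleteCredential": "iam::deleteAccessKey",
    "iam:users:listUsers": "iam:users:list",
    "iam:users:createUser": "iam:users:create",
    "iam:users:deleteUser": "iam:users:delete",
    "iam:mfa:bindMFADevice": "iam:users:bindVirtualMFADevice",
    "iam:mfa:unbindMFADevice": "iam:users:unbindVirtualMFADevice",
}

# Subset of Table 1: these actions keep the same name in identity policies.
UNCHANGED_ACTIONS = {
    "iam:identityProviders:listMappings",
    "iam:identityProviders:getMapping",
    "iam:securityPolicies:getPasswordPolicy",
    "iam:securityPolicies:updatePasswordPolicy",
}


def convert_policy_to_identity_policy(policy):
    """Return (identity_policy, unmapped_actions); unmapped actions are reported, not
    silently dropped, so a reviewer resolves them by hand before granting anything."""
    if policy.get("Version") != "1.1":
        raise ValueError("expected a Version 1.1 policy")
    unmapped, statements = [], []
    for stmt in policy["Statement"]:
        actions = []
        for action in stmt["Action"]:
            if action in UNCHANGED_ACTIONS:
                actions.append(action)
            elif action in ALIAS_TO_IDENTITY_ACTION:
                actions.append(ALIAS_TO_IDENTITY_ACTION[action])
            else:
                unmapped.append(action)
        if actions:  # keep the Effect, drop statements left with no mapped actions
            statements.append({"Effect": stmt["Effect"], "Action": actions})
    return {"Version": "5.0", "Statement": statements}, unmapped


# Constructed sample input; "iam:example:notInTables" is a placeholder, not a real action.
SAMPLE_POLICY = {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": [
    "iam:credentials:listCredentials", "iam:identityProviders:listMappings",
    "iam:example:notInTables"]}]}
```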