Updated on 2025-11-07 GMT+08:00

Permissions Required for Accessing IAM Resources

This section provides some examples of permissions required for accessing IAM resources, including permissions for users to manage their own passwords and access keys.

Allowing Read-Only Access to the IAM Console

You can use the system-defined identity policy IAMReadOnlyPolicy to allow read-only access to the IAM console. The following example shows how to create an identity policy that allows IAM users to perform any get, list, check, and show operations on IAM resources. The asterisk (*) is used as a wildcard: if an identity policy specifies iam:*:get*, it grants every IAM action whose third part starts with get, such as iam:users:getUserV5 and iam:groups:getGroupV5. Wildcards are especially useful when new actions are made available for IAM, because a policy that uses a wildcard automatically grants any new action that matches the pattern.
{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"iam:*:get*",
			"iam:*:list*",
			"iam:*:check*",
			"iam:*:show*"
		]
	}]
}

Allowing Users to Manage Members of a User Group

The following example identity policy allows IAM users to update the membership of the user group DevelopmentTeam. The first statement allows users to list all users and user groups and view user details. The second statement allows users to view details about the user group DevelopmentTeam, and add or remove members to or from the user group. Note that you need to replace <account-id> with your account ID.
{
	"Version": "5.0",
	"Statement": [{
			"Effect": "Allow",
			"Action": [
				"iam:groups:listGroupsV5",
				"iam:users:getUserV5",
				"iam:users:listUsersV5"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:groups:getGroupV5",
				"iam:permissions:addUserToGroupV5",
				"iam:permissions:removeUserFromGroupV5"
			],
			"Resource": [
				"iam:*:<account-id>:group:DevelopmentTeam"
			]
		}
	]
}
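As an added example (not part of the original documentation), the following Python helper models the wildcard matching described in the two sections above, so that the read-only policy and the DevelopmentTeam policy can be checked against a list of candidate actions before being attached. The segment-wise, case-insensitive matching rule and the example-region resource string are assumptions for illustration, not the service's documented evaluation logic.

```python
import fnmatch

# Constructed copies of two identity policies from this page (account ID kept as <account-id>).
READ_ONLY_POLICY: dict = {
    "Version": "5.0",
    "Statement": [{"Effect": "Allow",
                   "Action": ["iam:*:get*", "iam:*:list*", "iam:*:check*", "iam:*:show*"]}],
}
GROUP_POLICY: dict = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:groups:listGroupsV5", "iam:users:getUserV5", "iam:users:listUsersV5"]},
        {"Effect": "Allow",
         "Action": ["iam:groups:getGroupV5", "iam:permissions:addUserToGroupV5",
                    "iam:permissions:removeUserFromGroupV5"],
         "Resource": ["iam:*:<account-id>:group:DevelopmentTeam"]},
    ],
}

def _match(pattern: str, value: str) -> bool:
    """Segment-wise, case-insensitive wildcard match (assumed semantics: a '*' in
    one colon-separated part never spans into the next part)."""
    p_parts, v_parts = pattern.lower().split(":"), value.lower().split(":")
    return len(p_parts) == len(v_parts) and all(
        fnmatch.fnmatchcase(v, p) for p, v in zip(p_parts, v_parts))

def is_allowed(policy: dict, action: str, resource: str = "*") -> bool:
    """True if any Allow statement matches both the action and the resource.
    A statement with no Resource key applies to every resource, as on this page;
    Deny effects and conditions are not modelled here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_match(a, action) for a in stmt["Action"]):
            continue
        if any(r == "*" or _match(r, resource) for r in stmt.get("Resource", ["*"])):
            return True
    return False

def granted(policy: dict, candidates: list, resource: str = "*") -> list:
    """Least-privilege review: which of the candidate actions does the policy grant?"""
    return sorted(a for a in candidates if is_allowed(policy, a, resource))

if __name__ == "__main__":
    audit = ["iam:users:getUserV5", "iam:users:deleteUserV5", "iam:permissions:addUserToGroupV5"]
    print("read-only grants:", granted(READ_ONLY_POLICY, audit))
    team = "iam:example-region:<account-id>:group:DevelopmentTeam"  # constructed resource string
    print("add to DevelopmentTeam:", is_allowed(GROUP_POLICY, audit[2], team))
```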

Allowing Users to Manage IAM Users

The following example identity policy allows users to perform operations on IAM users. The first statement allows users to query user details and list users. The second statement allows users to create IAM users and view their login information. The third statement allows users to delete IAM users. An IAM user can be deleted only after the identity policies attached to it are unbound. The fourth statement allows users to update the basic information of IAM users, such as whether a user is enabled and its description. The fifth statement allows users to view identity policies and attach or detach identity policies to or from IAM users.
{
	"Version": "5.0",
	"Statement": [{
			"Effect": "Allow",
			"Action": [
				"iam:users:getUserV5",
				"iam:users:listUsersV5"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:users:createUserV5",
				"iam:users:createLoginProfileV5"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:users:deleteUserV5"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:users:updateUserV5"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:policies:getV5",
				"iam:policies:getVersionV5",
				"iam:policies:listV5",
				"iam:policies:listVersionsV5",
				"iam:users:attachPolicyV5",
				"iam:users:detachPolicyV5",
				"iam:users:listAttachedPoliciesV5"
			]
		}
	]
}

Allowing Users to Set Account Password Policies

The following example identity policy allows users to view and set account password policies. A password policy generally determines the allowed characters, minimum length, validity period, and minimum usage duration of a password.
{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"iam:securitypolicies:getPasswordPolicyV5",
			"iam:securitypolicies:updatePasswordPolicyV5"
		]
	}]
}

Allowing Users to Perform All IAM Operations

The following example identity policy allows users to perform all operations on IAM, including managing passwords, access keys, and MFA devices.

When you grant users full permissions for IAM, the users can grant any permissions to themselves and others. Users can create IAM principals (users and trust agencies) and grant them full permissions for all resources in your account. Users with full permissions for IAM can perform any operations on all resources in your account, including deleting all resources. You should grant these permissions only to trusted administrators and enable multi-factor authentication (MFA) for these administrators.

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"IAM:*:*"
		]
	}]
}