Identity and Access Management (IAM)

Updated on 2025-02-25 GMT+08:00

The Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU.

This section describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to create a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an SCP.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an SCP.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions, and you must specify all resources ("*") in your SCP statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by IAM, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by IAM, see Conditions.

The following table lists the actions that you can define in SCP statements for IAM. The actions without the V5 suffix are used to control access to the old IAM console, and the actions with the V5 suffix are used to control access to the new IAM console.
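As an added example (not Huawei Cloud's own code or policy format), the following Python simulates the rule stated above: an SCP draws a boundary and never grants, so a request succeeds only when the SCP allows it and an identity policy grants it. The JSON shape (Version 5.0, Statement with Effect/Action/Resource/Condition and a StringEquals operator) is an assumption modelled on Huawei Cloud identity-policy syntax, and the user URNs, tags and policy contents are constructed; only the action names and the g:ResourceTag/<tag-key> condition key come from the table that follows.

```python
"""Added example (not Huawei Cloud code): how an SCP bounds a principal.

The policy documents, resource URNs and tags below are constructed for
illustration. The JSON shape (Version 5.0, Statement, Effect, Action,
Resource, Condition, StringEquals) is an assumption modelled on Huawei
Cloud's identity-policy syntax; the action names and the
g:ResourceTag/<tag-key> condition key are the ones in the actions table.
"""
import fnmatch

# Constructed resource URNs for two IAM users in a member account.
BREAK_GLASS_USER = "iam::0123456789abcdef:user:break-glass-admin"  # tagged role=break-glass
DEVELOPER_USER = "iam::0123456789abcdef:user:alice"                # tagged role=developer

# SCP attached to the OU (constructed). It only draws the boundary.
SCP = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
        # No member account may mint or rotate permanent access keys for
        # users tagged role=break-glass, whatever its identity policies say.
        {
            "Effect": "Deny",
            "Action": ["iam:credentials:createCredentialV5",
                       "iam:credentials:updateCredentialV5"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"g:ResourceTag/role": "break-glass"}},
        },
        # Nobody in the OU may change identity-policy attachments.
        {"Effect": "Deny",
         "Action": ["iam:*:attachPolicyV5", "iam:*:detachPolicyV5"],
         "Resource": ["*"]},
    ],
}

# Identity policy attached to the calling principal (constructed). This is
# what actually grants permissions; note it says nothing about deleting users.
IDENTITY_POLICY = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:credentials:*", "iam:users:getUserV5"],
         "Resource": ["*"]},
    ],
}


def _matches(patterns, value):
    """Case-sensitive glob match, so 'iam:*:attachPolicyV5' covers users, groups and agencies."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, resource_tags):
    """Evaluate the one operator/key family used here: StringEquals on g:ResourceTag/<tag-key>."""
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported operator in this example: {operator}")
        for key, expected in pairs.items():
            if not key.startswith("g:ResourceTag/"):
                raise ValueError(f"unsupported condition key in this example: {key}")
            if resource_tags.get(key[len("g:ResourceTag/"):]) != expected:
                return False
    return True


def evaluate(policy, action, resource, resource_tags):
    """Return 'Deny', 'Allow' or None (no statement matched). An explicit Deny always wins."""
    decision = None
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition"), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def effective_decision(scp, identity_policy, action, resource, resource_tags):
    """The SCP must allow AND an identity policy must grant; the SCP alone never grants."""
    if evaluate(scp, action, resource, resource_tags) != "Allow":
        return "Deny"  # outside the boundary set on the OU
    if evaluate(identity_policy, action, resource, resource_tags) != "Allow":
        return "Deny"  # inside the boundary, but nothing granted it
    return "Allow"


def demo():
    """Walk three requests through the boundary; returns request -> decision."""
    cases = [
        ("iam:credentials:createCredentialV5", BREAK_GLASS_USER, {"role": "break-glass"}),
        ("iam:credentials:createCredentialV5", DEVELOPER_USER, {"role": "developer"}),
        ("iam:users:deleteUserV5", DEVELOPER_USER, {"role": "developer"}),
    ]
    return {f"{a} on {r}": effective_decision(SCP, IDENTITY_POLICY, a, r, t)
            for a, r, t in cases}


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{decision:5}  {request}")
```

The third request shows the point of the page: the SCP allows iam:users:deleteUserV5, yet the call is denied because no identity policy grants it.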

Table 1 Actions supported by IAM

| Action | Description | Access Level | Resource Type (*: required) | Condition Key |
| --- | --- | --- | --- | --- |
| iam::listAccessKeys | Grants permission to list permanent access keys. | List | - | - |
| iam::createAccessKey | Grants permission to create a permanent access key. | Write | - | - |
| iam::getAccessKey | Grants permission to query a permanent access key. | Read | - | - |
| iam::updateAccessKey | Grants permission to update a permanent access key. | Write | - | - |
| iam::deleteAccessKey | Grants permission to delete a permanent access key. | Write | - | - |
| iam:projects:list | Grants permission to list projects. | List | - | - |
| iam:projects:create | Grants permission to create a project. | Write | - | - |
| iam:projects:listForUser | Grants permission to list projects of a specified user. | List | - | - |
| iam:projects:update | Grants permission to update a project. | Write | - | - |
| iam:groups:list | Grants permission to list groups. | List | - | - |
| iam:groups:create | Grants permission to create a group. | Write | - | - |
| iam:groups:get | Grants permission to query a group. | Read | - | - |
| iam:groups:delete | Grants permission to delete a group. | Write | - | - |
| iam:groups:update | Grants permission to update a group. | Write | - | - |
| iam:groups:removeUser | Grants permission to remove a user from a group. | Write | - | - |
| iam:groups:listUsers | Grants permission to list users of a specified group. | List | - | - |
| iam:groups:checkUser | Grants permission to query whether a user is in the group. | Read | - | - |
| iam:groups:addUser | Grants permission to add a user to a group. | Write | - | - |
| iam:users:create | Grants permission to create a user. | Write | - | - |
| iam:users:get | Grants permission to query a user. | Read | - | - |
| iam:users:update | Grants permission to update a user. | Write | - | - |
| iam:users:list | Grants permission to list users. | List | - | - |
| iam:users:delete | Grants permission to delete a user. | Write | - | - |
| iam:users:listGroups | Grants permission to list groups of a specified user. | List | - | - |
| iam:users:listVirtualMFADevices | Grants permission to list virtual MFA devices of a specified user. | List | - | - |
| iam:users:createVirtualMFADevice | Grants permission to create a secret key for a virtual MFA device. | Write | - | - |
| iam:users:deleteVirtualMFADevice | Grants permission to delete a virtual MFA device. | Write | - | - |
| iam:users:getVirtualMFADevice | Grants permission to query a virtual MFA device. | Read | - | - |
| iam:users:bindVirtualMFADevice | Grants permission to bind a virtual MFA device. | Write | - | - |
| iam:users:unbindVirtualMFADevice | Grants permission to unbind a virtual MFA device. | Write | - | - |
| iam:identityProviders:list | Grants permission to list identity providers. | List | - | - |
| iam:identityProviders:get | Grants permission to query an identity provider. | Read | - | - |
| iam:identityProviders:create | Grants permission to create an identity provider. | Write | - | - |
| iam:identityProviders:delete | Grants permission to delete an identity provider. | Write | - | - |
| iam:identityProviders:update | Grants permission to update an identity provider. | Write | - | - |
| iam:identityProviders:listMappings | Grants permission to list mappings of an identity provider. | List | - | - |
| iam:identityProviders:getMapping | Grants permission to query a mapping of an identity provider. | Read | - | - |
| iam:identityProviders:createMapping | Grants permission to create a mapping for an identity provider. | Write | - | - |
| iam:identityProviders:deleteMapping | Grants permission to delete a mapping of an identity provider. | Write | - | - |
| iam:identityProviders:updateMapping | Grants permission to update a mapping of an identity provider. | Write | - | - |
| iam:identityProviders:listProtocols | Grants permission to list protocols of an identity provider. | List | - | - |
| iam:identityProviders:getProtocol | Grants permission to query a protocol of an identity provider. | Read | - | - |
| iam:identityProviders:createProtocol | Grants permission to create a protocol for an identity provider. | Write | - | - |
| iam:identityProviders:deleteProtocol | Grants permission to delete a protocol of an identity provider. | Write | - | - |
| iam:identityProviders:updateProtocol | Grants permission to update a protocol of an identity provider. | Write | - | - |
| iam:identityProviders:getSAMLMetadata | Grants permission to query a SAML metadata file of an identity provider. | Read | - | - |
| iam:identityProviders:createSAMLMetadata | Grants permission to create a SAML metadata file for an identity provider. | Write | - | - |
| iam:identityProviders:getOIDCConfig | Grants permission to query the OIDC configuration of an identity provider. | Read | - | - |
| iam:identityProviders:createOIDCConfig | Grants permission to create the OIDC configuration of an identity provider. | Write | - | - |
| iam:identityProviders:updateOIDCConfig | Grants permission to update the OIDC configuration of an identity provider. | Write | - | - |
| iam:securityPolicies:getProtectPolicy | Grants permission to query an operation protection policy. | Read | - | - |
| iam:securityPolicies:updateProtectPolicy | Grants permission to update an operation protection policy. | Write | - | - |
| iam:securityPolicies:getPasswordPolicy | Grants permission to query a password policy. | Read | - | - |
| iam:securityPolicies:updatePasswordPolicy | Grants permission to update a password policy. | Write | - | - |
| iam:securityPolicies:getLoginPolicy | Grants permission to query a login policy. | Read | - | - |
| iam:securityPolicies:updateLoginPolicy | Grants permission to update a login policy. | Write | - | - |
| iam:securityPolicies:getConsoleAclPolicy | Grants permission to query a console access policy. | Read | - | - |
| iam:securityPolicies:updateConsoleAclPolicy | Grants permission to update a console access policy. | Write | - | - |
| iam:securityPolicies:getApiAclPolicy | Grants permission to query an API access policy. | Read | - | - |
| iam:securityPolicies:updateApiAclPolicy | Grants permission to update an API access policy. | Write | - | - |
| iam:users:listLoginProtectSettings | Grants permission to list user login protection settings under a tenant. | List | - | - |
| iam:users:getLoginProtectSetting | Grants permission to query login protection settings. | Read | - | - |
| iam:users:updateLoginProtectSetting | Grants permission to update login protection settings. | Write | - | - |
| iam:quotas:list | Grants permission to list quotas. | List | - | - |
| iam:quotas:listForProject | Grants permission to list quotas of a specified project. | List | - | - |
| iam:agencies:pass | Grants permission to pass an agency to a cloud service. | Permission_management | agency * | - |
| iam:roles:list | Grants permission to query a permission list. | List | - | - |
| iam:roles:get | Grants permission to query permission details. | Read | - | - |
| iam::listRoleAssignments | Grants permission to query authorization records of a tenant. | List | - | - |
| iam:groups:listRolesOnDomain | Grants permission to query group permissions in global services. | List | - | - |
| iam:groups:listRolesOnProject | Grants permission to query group permissions in project services. | List | - | - |
| iam:groups:grantRoleOnDomain | Grants permission to grant global service permissions to a group. | Write | - | - |
| iam:groups:grantRoleOnProject | Grants permission to grant project service permissions to a group. | Write | - | - |
| iam:groups:checkRoleOnDomain | Grants permission to query whether a group has global service permissions. | Read | - | - |
| iam:groups:checkRoleOnProject | Grants permission to query whether a group has project service permissions. | Read | - | - |
| iam:groups:listRoles | Grants permission to query permissions of a group. | List | - | - |
| iam:groups:checkRole | Grants permission to query whether a group has specified permissions. | Read | - | - |
| iam:groups:revokeRole | Grants permission to remove specified permissions from a group. | Write | - | - |
| iam:groups:revokeRoleOnDomain | Grants permission to remove global service permissions from a group. | Write | - | - |
| iam:groups:revokeRoleOnProject | Grants permission to remove project service permissions from a group. | Write | - | - |
| iam:groups:grantRole | Grants permission to grant specified permissions to a group. | Write | - | - |
| iam:roles:create | Grants permission to create a custom policy. | Write | - | - |
| iam:roles:update | Grants permission to update a custom policy. | Write | - | - |
| iam:roles:delete | Grants permission to delete a custom policy. | Write | - | - |
| iam:agencies:list | Grants permission to list agencies. | List | - | - |
| iam:agencies:get | Grants permission to query details of a specified agency. | Read | - | - |
| iam:agencies:create | Grants permission to create an agency. | Write | - | - |
| iam:agencies:update | Grants permission to update an agency. | Write | - | - |
| iam:agencies:delete | Grants permission to delete an agency. | Write | - | - |
| iam:agencies:listRolesOnDomain | Grants permission to query global service permissions of an agency. | List | - | - |
| iam:agencies:listRolesOnProject | Grants permission to query the permissions of a specified project for an agency. | List | - | - |
| iam:agencies:grantRoleOnDomain | Grants permission to grant global service permissions to an agency. | Write | - | - |
| iam:agencies:grantRoleOnProject | Grants permission to grant project service permissions to an agency. | Write | - | - |
| iam:agencies:checkRoleOnDomain | Grants permission to query whether an agency has global service permissions. | Read | - | - |
| iam:agencies:checkRoleOnProject | Grants permission to query whether an agency has project service permissions. | Read | - | - |
| iam:agencies:revokeRoleOnDomain | Grants permission to remove global service permissions from an agency. | Write | - | - |
| iam:agencies:revokeRoleOnProject | Grants permission to remove project service permissions from an agency. | Write | - | - |
| iam:agencies:listRoles | Grants permission to query permissions of an agency. | List | - | - |
| iam:agencies:grantRole | Grants permission to grant specified permissions to an agency. | Write | - | - |
| iam:agencies:checkRole | Grants permission to query whether an agency has specified permissions. | Read | - | - |
| iam:agencies:revokeRole | Grants permission to remove specified permissions from an agency. | Write | - | - |
| iam::listGroupsAssignedEnterpriseProject | Grants permission to query permissions of a group associated with an enterprise project. | List | - | - |
| iam:groups:listRolesOnEnterpriseProject | Grants permission to query permissions of a group associated with an enterprise project. | List | - | - |
| iam:groups:grantRoleOnEnterpriseProject | Grants permission to grant permissions to an enterprise project based on groups. | Write | - | - |
| iam:groups:revokeRoleOnEnterpriseProject | Grants permission to delete permissions of a group associated with an enterprise project. | Write | - | - |
| iam:groups:listAssignedEnterpriseProjects | Grants permission to query enterprise projects associated with a group. | List | - | - |
| iam:users:listAssignedEnterpriseProjects | Grants permission to query enterprise projects associated with a user. | List | - | - |
| iam::listUsersAssignedEnterpriseProject | Grants permission to query users associated with an enterprise project. | List | - | - |
| iam:users:listRolesOnEnterpriseProject | Grants permission to query permissions of a user associated with an enterprise project. | List | - | - |
| iam:users:grantRoleOnEnterpriseProject | Grants permission to grant permissions to an enterprise project based on users. | Write | - | - |
| iam:users:revokeRoleOnEnterpriseProject | Grants permission to delete permissions of a user associated with an enterprise project. | Write | - | - |
| iam:agencies:grantRoleOnEnterpriseProject | Grants permission to grant permissions to an enterprise project based on agencies. | Write | - | - |
| iam:agencies:revokeRoleOnEnterpriseProject | Grants permission to delete permissions of an agency associated with an enterprise project. | Write | - | - |
| iam:mfa:listVirtualMFADevicesV5 | Grants permission to list virtual MFA devices. | List | mfa * | - |
| iam:mfa:createVirtualMFADeviceV5 | Grants permission to create a virtual MFA device. | Write | mfa * | - |
| iam:mfa:deleteVirtualMFADeviceV5 | Grants permission to delete a virtual MFA device. | Write | mfa * | - |
| iam:mfa:enableV5 | Grants permission to enable a virtual MFA device. | Write | mfa * | - |
| iam:mfa:disableV5 | Grants permission to disable a virtual MFA device. | Write | mfa * | - |
| iam:securitypolicies:getPasswordPolicyV5 | Grants permission to obtain password policy information. | Read | - | - |
| iam:securitypolicies:updatePasswordPolicyV5 | Grants permission to update a password policy. | Write | - | - |
| iam:securitypolicies:getLoginPolicyV5 | Grants permission to obtain login policy information. | Read | - | - |
| iam:securitypolicies:updateLoginPolicyV5 | Grants permission to update a login policy. | Write | - | - |
| iam:credentials:listCredentialsV5 | Grants permission to list permanent access keys for an IAM user. | List | user * | g:ResourceTag/<tag-key> |
| iam:credentials:showAccessKeyLastUsedV5 | Grants permission to obtain the last usage time of a specified permanent access key. | Read | user * | g:ResourceTag/<tag-key> |
| iam:credentials:createCredentialV5 | Grants permission to create a permanent access key for an IAM user. | Write | user * | g:ResourceTag/<tag-key> |
| iam:credentials:updateCredentialV5 | Grants permission to update a permanent access key for an IAM user. | Write | user * | g:ResourceTag/<tag-key> |
| iam:credentials:deleteCredentialV5 | Grants permission to delete a permanent access key for an IAM user. | Write | user * | g:ResourceTag/<tag-key> |
| iam:users:changePasswordV5 | Grants permission for an IAM user to change their own password. | Write | user * | g:ResourceTag/<tag-key> |
| iam:users:showLoginProfileV5 | Grants permission to obtain login information of an IAM user. | Read | user * | g:ResourceTag/<tag-key> |
| iam:users:createLoginProfileV5 | Grants permission to create login information for an IAM user. | Write | user * | g:ResourceTag/<tag-key> |
| iam:users:updateLoginProfileV5 | Grants permission to update login information for an IAM user. | Write | user * | g:ResourceTag/<tag-key> |
| iam:users:deleteLoginProfileV5 | Grants permission to delete login information for an IAM user. | Write | user * | g:ResourceTag/<tag-key> |
| iam:users:listUsersV5 | Grants permission to list IAM users. | List | user * | - |
| iam:users:getUserV5 | Grants permission to obtain information of an IAM user. | Read | user * | g:ResourceTag/<tag-key> |
| iam:users:showUserLastLoginV5 | Grants permission to obtain the last login time of an IAM user. | Read | user * | g:ResourceTag/<tag-key> |
| iam:users:createUserV5 | Grants permission to create an IAM user. | Write | user * | - |
| iam:users:updateUserV5 | Grants permission to update an IAM user. | Write | user * | g:ResourceTag/<tag-key> |
| iam:users:deleteUserV5 | Grants permission to delete an IAM user. | Write | user * | g:ResourceTag/<tag-key> |
| iam:groups:listGroupsV5 | Grants permission to list groups. | List | group * | - |
| iam:groups:getGroupV5 | Grants permission to obtain group information. | Read | group * | - |
| iam:groups:createGroupV5 | Grants permission to create a group. | Write | group * | - |
| iam:groups:updateGroupV5 | Grants permission to update a group. | Write | group * | - |
| iam:groups:deleteGroupV5 | Grants permission to delete a group. | Write | group * | - |
| iam:permissions:addUserToGroupV5 | Grants permission to add an IAM user to a group. | Write | group * | - |
| iam:permissions:removeUserFromGroupV5 | Grants permission to remove an IAM user from a group. | Write | group * | - |
| iam:policies:listV5 | Grants permission to list identity policies. | List | policy * | - |
| iam:policies:getV5 | Grants permission to obtain identity policy information. | Read | policy * | - |
| iam:policies:createV5 | Grants permission to create a custom identity policy. | Permission_management | policy * | - |
| iam:policies:deleteV5 | Grants permission to delete a custom identity policy. | Permission_management | policy * | - |
| iam:policies:listVersionsV5 | Grants permission to list identity policy versions. | List | policy * | - |
| iam:policies:getVersionV5 | Grants permission to obtain identity policy version information. | Read | policy * | - |
| iam:policies:createVersionV5 | Grants permission to create another version for a custom identity policy. | Permission_management | policy * | - |
| iam:policies:deleteVersionV5 | Grants permission to delete a version for a custom identity policy. | Permission_management | policy * | - |
| iam:policies:setDefaultVersionV5 | Grants permission to set the default version for a custom identity policy. | Permission_management | policy * | - |
| iam:agencies:attachPolicyV5 | Grants permission to attach an identity policy to an agency or trust agency. | Permission_management | agency * | g:ResourceTag/<tag-key> |
| | | | - | iam:PolicyURN |
| iam:groups:attachPolicyV5 | Grants permission to attach an identity policy to a group. | Permission_management | group * | - |
| | | | - | iam:PolicyURN |
| iam:users:attachPolicyV5 | Grants permission to attach an identity policy to an IAM user. | Permission_management | user * | g:ResourceTag/<tag-key> |
| | | | - | iam:PolicyURN |
| iam:agencies:detachPolicyV5 | Grants permission to detach an identity policy from an agency or trust agency. | Permission_management | agency * | g:ResourceTag/<tag-key> |
| | | | - | iam:PolicyURN |
| iam:groups:detachPolicyV5 | Grants permission to detach an identity policy from a group. | Permission_management | group * | - |
| | | | - | iam:PolicyURN |
| iam:users:detachPolicyV5 | Grants permission to detach an identity policy from an IAM user. | Permission_management | user * | g:ResourceTag/<tag-key> |
| | | | - | iam:PolicyURN |
| iam:policies:listEntitiesV5 | Grants permission to list all entities attached to an identity policy. | List | policy * | - |
| iam:agencies:listAttachedPoliciesV5 | Grants permission to list the identity policies attached to an agency or trust agency. | List | agency * | g:ResourceTag/<tag-key> |
| iam:groups:listAttachedPoliciesV5 | Grants permission to list the identity policies attached to a group. | List | group * | - |
| iam:users:listAttachedPoliciesV5 | Grants permission to list the identity policies attached to an IAM user. | List | user * | g:ResourceTag/<tag-key> |
| iam:agencies:createServiceLinkedAgencyV5 | Grants permission to create a service-linked agency to allow the cloud service to perform operations on your behalf. | Write | agency * | - |
| | | | - | iam:ServicePrincipal |
| iam:agencies:deleteServiceLinkedAgencyV5 | Grants permission to delete a service-linked agency. | Write | agency * | g:ResourceTag/<tag-key> |
| | | | - | iam:ServicePrincipal |
| iam:agencies:getServiceLinkedAgencyDeletionStatusV5 | Grants permission to obtain the deletion status of a service-linked agency. | Read | agency * | - |
| iam:agencies:listV5 | Grants permission to list agencies and trust agencies. | List | agency * | - |
| iam:agencies:getV5 | Grants permission to obtain agencies and trust agencies. | Read | agency * | g:ResourceTag/<tag-key> |
| iam:agencies:createV5 | Grants permission to create a trust agency. | Write | agency * | - |
| iam:agencies:updateV5 | Grants permission to update a trust agency. | Write | agency * | g:ResourceTag/<tag-key> |
| iam:agencies:deleteV5 | Grants permission to delete a trust agency. | Write | agency * | g:ResourceTag/<tag-key> |
| iam:agencies:updateTrustPolicyV5 | Grants permission to update the trust policy of a trust agency. | Write | agency * | g:ResourceTag/<tag-key> |
| iam::listTagsForResourceV5 | Grants permission to list resource tags. | List | agency | g:ResourceTag/<tag-key> |
| | | | user | g:ResourceTag/<tag-key> |
| iam::tagForResourceV5 | Grants permission to set resource tags. | Tagging | agency | g:ResourceTag/<tag-key> |
| | | | user | g:ResourceTag/<tag-key> |
| | | | - | |
| iam::untagForResourceV5 | Grants permission to delete resource tags. | Tagging | agency | g:ResourceTag/<tag-key> |
| | | | user | g:ResourceTag/<tag-key> |
| | | | - | |
| iam::getAccountSummaryV5 | Grants permission to obtain the IAM entity usage and IAM quotas of an account. | List | - | - |
| iam::getAsymmetricSignatureSwitchV5 | Grants permission to obtain the asymmetric signature switch status of a temporary token. | Read | - | - |
| iam::setAsymmetricSignatureSwitchV5 | Grants permission to set the asymmetric signature switch status of a temporary token. | Write | - | - |

Rows whose Action and Description cells are blank continue the row above: they list a further resource type and the condition key that applies to it (a resource type of - means the key applies to the action itself rather than to a particular resource, as described under Condition Key above).

Each API of IAM usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by IAM APIs

API

Action

Dependencies

GET /v3.0/OS-CREDENTIAL/credentials

iam::listAccessKeys

-

POST /v3.0/OS-CREDENTIAL/credentials

iam::createAccessKey

-

GET /v3.0/OS-CREDENTIAL/credentials/{access_key}

iam::getAccessKey

-

PUT /v3.0/OS-CREDENTIAL/credentials/{access_key}

iam::updateAccessKey

-

DELETE /v3.0/OS-CREDENTIAL/credentials/{access_key}

iam::deleteAccessKey

-

GET /v3.0/OS-QUOTA/domains/{domain_id}

iam:quotas:list

-

GET /v3.0/OS-QUOTA/projects/{project_id}

iam:quotas:listForProject

-

GET /v3/projects

iam:projects:list

-

POST /v3/projects

iam:projects:create

-

GET /v3/users/{user_id}/projects

iam:projects:listForUser

-

PATCH /v3/projects/{project_id}

iam:projects:update

-

PUT /v3-ext/projects/{project_id}

iam:projects:update

-

GET /v3/groups

iam:groups:list

-

POST /v3/groups

iam:groups:create

-

GET /v3/groups/{group_id}

iam:groups:get

-

DELETE /v3/groups/{group_id}

iam:groups:delete

-

PATCH /v3/groups/{group_id}

iam:groups:update

-

GET /v3/groups/{group_id}/users

iam:groups:listUsers

-

HEAD /v3/groups/{group_id}/users/{user_id}

iam:groups:checkUser

-

PUT /v3/groups/{group_id}/users/{user_id}

iam:groups:addUser

-

DELETE /v3/groups/{group_id}/users/{user_id}

iam:groups:removeUser

-

POST /v3.0/OS-USER/users

iam:users:create

-

GET /v3.0/OS-USER/users/{user_id}

iam:users:get

-

PUT /v3.0/OS-USER/users/{user_id}

iam:users:update

-

PUT /v3.0/OS-USER/users/{user_id}/info

iam:users:update

-

GET /v3/users

iam:users:list

-

POST /v3/users

iam:users:create

-

GET /v3/users/{user_id}

iam:users:get

-

DELETE /v3/users/{user_id}

iam:users:delete

-

PATCH /v3/users/{user_id}

iam:users:update

-

GET /v3/users/{user_id}/groups

iam:users:listGroups

-

GET /v3.0/OS-MFA/virtual-mfa-devices

iam:users:listVirtualMFADevices

-

POST /v3.0/OS-MFA/virtual-mfa-devices

iam:users:createVirtualMFADevice

-

DELETE /v3.0/OS-MFA/virtual-mfa-devices

iam:users:deleteVirtualMFADevice

-

GET /v3.0/OS-MFA/users/{user_id}/virtual-mfa-device

iam:users:getVirtualMFADevice

-

PUT /v3.0/OS-MFA/mfa-devices/bind

iam:users:bindVirtualMFADevice

-

PUT /v3.0/OS-MFA/mfa-devices/unbind

iam:users:unbindVirtualMFADevice

-

GET /v3.0/OS-USER/login-protects

iam:users:listLoginProtectSettings

-

GET /v3.0/OS-USER/users/{user_id}/login-protect

iam:users:getLoginProtectSetting

-

PUT /v3.0/OS-USER/users/{user_id}/login-protect

iam:users:updateLoginProtectSetting

-

GET /v3/OS-FEDERATION/identity_providers

iam:identityProviders:list

-

GET /v3/OS-FEDERATION/identity_providers/{id}

iam:identityProviders:get

-

PUT /v3/OS-FEDERATION/identity_providers/{id}

iam:identityProviders:create

-

DELETE /v3/OS-FEDERATION/identity_providers/{id}

iam:identityProviders:delete

-

PATCH /v3/OS-FEDERATION/identity_providers/{id}

iam:identityProviders:update

-

GET /v3/OS-FEDERATION/mappings

iam:identityProviders:listMappings

-

GET /v3/OS-FEDERATION/mappings/{id}

iam:identityProviders:getMapping

-

PUT /v3/OS-FEDERATION/mappings/{id}

iam:identityProviders:createMapping

-

DELETE /v3/OS-FEDERATION/mappings/{id}

iam:identityProviders:deleteMapping

-

PATCH /v3/OS-FEDERATION/mappings/{id}

iam:identityProviders:updateMapping

-

GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols

iam:identityProviders:listProtocols

-

GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityProviders:getProtocol

-

PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityProviders:createProtocol

-

DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityProviders:deleteProtocol

-

PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityProviders:updateProtocol

-

GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata | iam:identityProviders:getSAMLMetadata | -
POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata | iam:identityProviders:createSAMLMetadata | -
GET /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:getOIDCConfig | -
POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:createOIDCConfig | -
PUT /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:updateOIDCConfig | -
GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy | iam:securityPolicies:getProtectPolicy | -
PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy | iam:securityPolicies:updateProtectPolicy | -
GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy | iam:securityPolicies:getPasswordPolicy | -
PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy | iam:securityPolicies:updatePasswordPolicy | -
GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy | iam:securityPolicies:getLoginPolicy | -
PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy | iam:securityPolicies:updateLoginPolicy | -
GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy | iam:securityPolicies:getConsoleAclPolicy | -
PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy | iam:securityPolicies:updateConsoleAclPolicy | -
GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy | iam:securityPolicies:getApiAclPolicy | -
PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy | iam:securityPolicies:updateApiAclPolicy | -
GET /v3/roles | iam:roles:list | -
GET /v3/roles/{role_id} | iam:roles:get | -
GET /v3.0/OS-PERMISSION/role-assignments | iam::listRoleAssignments | -
GET /v3/domains/{domain_id}/groups/{group_id}/roles | iam:groups:listRolesOnDomain | -
GET /v3/projects/{project_id}/groups/{group_id}/roles | iam:groups:listRolesOnProject | -
PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:groups:grantRoleOnDomain | -
PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:groups:grantRoleOnProject | -
HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:groups:checkRoleOnDomain | -
HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:groups:checkRoleOnProject | -
GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects | iam:groups:listRoles | -
HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects | iam:groups:checkRole | -
DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects | iam:groups:revokeRole | -
DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:groups:revokeRoleOnDomain | -
DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:groups:revokeRoleOnProject | -
PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects | iam:groups:grantRole | -
GET /v3.0/OS-ROLE/roles | iam:roles:list | -
GET /v3.0/OS-ROLE/roles/{role_id} | iam:roles:get | -
POST /v3.0/OS-ROLE/roles | iam:roles:create | -
PATCH /v3.0/OS-ROLE/roles/{role_id} | iam:roles:update | -
DELETE /v3.0/OS-ROLE/roles/{role_id} | iam:roles:delete | -
GET /v3.0/OS-AGENCY/agencies | iam:agencies:list | -
GET /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:get | -
POST /v3.0/OS-AGENCY/agencies | iam:agencies:create | -
PUT /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:update | -
DELETE /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:delete | -
GET /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles | iam:agencies:listRolesOnDomain | -
GET /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles | iam:agencies:listRolesOnProject | -
PUT /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:grantRoleOnDomain | -
PUT /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:grantRoleOnProject | -
HEAD /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:checkRoleOnDomain | -
HEAD /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:checkRoleOnProject | -
DELETE /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:revokeRoleOnDomain | -
DELETE /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:revokeRoleOnProject | -
GET /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/inherited_to_projects | iam:agencies:listRoles | -
PUT /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects | iam:agencies:grantRole | -
HEAD /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects | iam:agencies:checkRole | -
DELETE /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects | iam:agencies:revokeRole | -
GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups | iam::listGroupsAssignedEnterpriseProject | -
GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles | iam:groups:listRolesOnEnterpriseProject | -
PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id} | iam:groups:grantRoleOnEnterpriseProject | -
DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id} | iam:groups:revokeRoleOnEnterpriseProject | -
GET /v3.0/OS-PERMISSION/groups/{group_id}/enterprise-projects | iam:groups:listAssignedEnterpriseProjects | -
GET /v3.0/OS-PERMISSION/users/{user_id}/enterprise-projects | iam:users:listAssignedEnterpriseProjects | -
GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users | iam::listUsersAssignedEnterpriseProject | -
GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles | iam:users:listRolesOnEnterpriseProject | -
PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id} | iam:users:grantRoleOnEnterpriseProject | -
DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id} | iam:users:revokeRoleOnEnterpriseProject | -
PUT /v3.0/OS-PERMISSION/subjects/agency/scopes/enterprise-project/role-assignments | iam:agencies:grantRoleOnEnterpriseProject | -
DELETE /v3.0/OS-PERMISSION/subjects/agency/scopes/enterprise-project/role-assignments | iam:agencies:revokeRoleOnEnterpriseProject | -

Resources

A resource type indicates the resources that an SCP applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the SCP statements using that action, and the SCP then applies only to resources of that type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the SCP applies to all resources. You can also set condition keys in an SCP to further narrow the resources it applies to.

The following table lists the resource types that you can define in SCP statements for IAM.

Table 3 Resource types supported by IAM

Resource Type | URN
policy | iam::<account-id>:policy:<policy-name-with-path>
agency | iam::<account-id>:agency:<agency-name-with-path>
user | iam::<account-id>:user:<user-name>
group | iam::<account-id>:group:<group-name>
mfa | iam::<account-id>:mfa:<mfa-name>

Conditions

A Condition element lets you specify the circumstances under which an SCP is in effect. It consists of condition keys, condition operators, and condition values.

  • The condition key that you specify can be a global condition key or a service-specific condition key.
    • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to supply the caller's identity information themselves; IAM obtains that information automatically and uses it to authenticate the caller. For details, see Global Condition Keys.
    • Service-specific condition keys (prefixed with the abbreviation of a service name plus a colon, for example, iam:) apply only to operations of the IAM service. For details, see Table 4.
    • Whether a condition key is single-valued or multivalued depends on how many values it can carry in the request context of an API call. A single-valued condition key has at most one value in the request context; a multivalued condition key can have several. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is single-valued, whereas a request can carry multiple tag key-value pairs, so g:TagKeys is multivalued.
  • A condition operator, a condition key, and a condition value together form a complete condition statement. An SCP takes effect only when the conditions in its statements are met by the request. For supported condition operators, see Condition operators.

The following table lists the condition keys that you can define in SCPs for IAM. You can include these condition keys to specify conditions for when your SCP is in effect.

Table 4 Service-specific condition keys supported by IAM

Service-specific Condition Key | Type | Single-valued/Multivalued | Description
iam:PolicyURN | string | Single-valued | Filters access by the URN of the identity policy
iam:ServicePrincipal | string | Single-valued | Filters access by the service ID of the cloud service passed by the service-linked agency
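The following Python snippet is an added illustration, not code from this page or from Huawei Cloud: it evaluates a Deny-only SCP of the kind described above against a request, matching the action and resource URN with wildcards and checking a single-valued key (g:SourceVpce, iam:PolicyURN) with a plain operator and a multivalued key (g:TagKeys) with a ForAnyValue: prefix. The policy document itself, the account ID and agency name, the "Version": "5.0" field, the operator names and the rule that an absent single-valued key fails the condition are constructed assumptions.

```python
import fnmatch

# Constructed SCP for this example (not a policy from the page). "Version": "5.0" and the
# operator names are assumptions; actions, URN shape and condition keys follow the tables above.
SCP = {
    "Version": "5.0",
    "Statement": [
        {   # protect one named agency from deletion or modification anywhere in the organization
            "Effect": "Deny",
            "Action": ["iam:agencies:delete", "iam:agencies:update", "iam:agencies:revokeRole*"],
            "Resource": ["iam::111111111111:agency:org-audit-agency"],
        },
        {   # block any IAM request that carries the reserved tag key (g:TagKeys is multivalued)
            "Effect": "Deny",
            "Action": ["iam:*"],
            "Resource": ["*"],
            "Condition": {"ForAnyValue:StringEquals": {"g:TagKeys": ["org:tier"]}},
        },
    ],
}

def _glob_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)
def _string_op(op, actual, expected):
    if op == "StringEquals":
        return actual in expected
    if op == "StringLike":
        return _glob_any(expected, actual)
    raise ValueError(f"unsupported operator: {op}")
def condition_met(condition, ctx):
    """ctx maps condition keys to a str (single-valued) or a list of str (multivalued)."""
    for full_op, keys in condition.items():
        prefix, _, op = full_op.rpartition(":")  # "ForAnyValue:StringEquals" -> prefix, op
        for key, expected in keys.items():
            expected = expected if isinstance(expected, list) else [expected]
            values = ctx.get(key, [])
            values = values if isinstance(values, list) else [values]
            if prefix == "ForAnyValue":
                ok = any(_string_op(op, v, expected) for v in values)
            else:  # single-valued key: exactly one value must be present and match (assumption)
                ok = len(values) == 1 and _string_op(op, values[0], expected)
            if not ok:
                return False
    return True
def scp_denies(scp, action, resource, ctx):
    """Index of the first Deny statement whose action, resource and condition all match, else None."""
    for i, st in enumerate(scp["Statement"]):
        if st["Effect"] == "Deny" and _glob_any(st["Action"], action) and \
                _glob_any(st.get("Resource", ["*"]), resource) and condition_met(st.get("Condition", {}), ctx):
            return i
    return None
```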
