Help Center/ Application Service Mesh/ API Reference/ Permissions and Supported Actions/ Actions Supported by Identity Policy-based Authorization
Updated on 2026-06-25 GMT+08:00
View PDF
Share

Actions Supported by Identity Policy-based Authorization

IAM provides system-defined identity policies to define typical cloud service permissions. You can also create custom identity policies using the actions supported by cloud services for more refined access control.

In addition to IAM, the Organizations service also provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to an entity. They only set the permissions boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM is different from Organizations for access control, see How IAM Is Different from Organizations for Access Control?.

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your identity policy statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by ASM, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by ASM, see Conditions.

  • The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.

The following table lists the actions that you can define in identity policy statements for ASM.

Table 1 Actions supported by ASM

Action

Description

Access Level

Resource Type (*: required)

Condition Key

Alias

asm:mesh:create

Grants permission to create mesh.

Write

mesh *

-

-

-

asm:mesh:delete

Grants permission to delete mesh.

Write

mesh *

-

asm:mesh:get

Grants permission to return details of the specified mesh.

Read

mesh *

-

asm:mesh:list

Grants permission to return list of all meshes.

List

mesh *

-

-

asm:mesh:upgrade

Grants permission to upgrade mesh.

Write

mesh *

-

asm:mesh:getUpgradeJob

Grants permission to get mesh upgrade job.

Read

mesh *

-

asm:mesh:update

Grants permission to update mesh.

Write

mesh *

-

asm:mesh:getAvailableClusters

Grants permission to get available clusters.

Read

-

-

-

asm:mesh:listServices

Grants permission to list mesh services.

List

mesh *

-

asm:mesh:getService

Grants permission to get mesh service.

Read

mesh *

-

asm:mesh:updateService

Grants permission to update mesh service.

Write

mesh *

-

asm:mesh:getServiceGovernance

Grants permission to get mesh service governance.

Read

mesh *

-

asm:mesh:updateServiceGovernance

Grants permission to update mesh service governance.

Write

mesh *

-

asm:mesh:listNamespaces

Grants permission to get mesh namespace.

List

mesh *

-

asm:mesh:getNamespace

Grants permission to get mesh namespace.

Read

mesh *

-

asm:mesh:updateNamespace

Grants permission to update mesh namespace.

Write

mesh *

-

asm:mesh:getRelease

Grants permission to get release.

Read

mesh *

-

asm:mesh:listReleases

Grants permission to list release.

List

mesh *

-

asm:mesh:createRelease

Grants permission to create release.

Write

mesh *

-

asm:mesh:updateRelease

Grants permission to update release.

Write

mesh *

-

asm:mesh:deleteRelease

Grants permission to delete release.

Write

mesh *

-

asm:mesh:listGateways

Grants permission to list gateway.

List

mesh *

-

asm:mesh:createGateway

Grants permission to create gateway.

Write

mesh *

-

asm:mesh:deleteGateway

Grants permission to delete release.

Write

mesh *

-

asm:mesh:listGatewayRoutes

Grants permission to list gateway route.

List

mesh *

-

asm:mesh:createGatewayRoute

Grants permission to create gateway route.

Write

mesh *

-

asm:mesh:deleteGatewayRoute

Grants permission to delete gateway route.

Write

mesh *

-

asm:mesh:getWorkshop

Grants permission to get workshop.

Read

mesh *

-

asm:mesh:listWorkshops

Grants permission to list workshop.

List

mesh *

-

asm:mesh:createWorkshop

Grants permission to create workshop.

Write

mesh *

-

asm:mesh:deleteWorkshop

Grants permission to delete workshop.

Write

mesh *

-

asm:mesh:listResourcesByTag

Grants permission to list mesh by tags.

List

-

g:TagKeys

-

asm:mesh:listTagsForResource

Grants permission to list mesh tags.

List

mesh *

-

asm:mesh:listTags

Grants permission to list tags from meshes.

List

-

-

-

asm:mesh:tagResource

Grants permission to add tags to mesh.

Tagging

mesh *

-

-

asm:mesh:unTagResource

Grants permission to remove tags from mesh.

Tagging

mesh *

-

-

asm:mesh:getTopology

Grants permission to return topology of the specified mesh.

Read

mesh *

-

Each API of ASM usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by ASM APIs

API

Action

Dependencies

POST /v1/{project_id}/meshes

asm:mesh:create

-

DELETE /v1/{project_id}/meshes/{mesh_id}

asm:mesh:delete

-

GET /v1/{project_id}/meshes/{mesh_id}

asm:mesh:get

-

GET /v1/{project_id}/meshes

asm:mesh:list

-

PUT /v1/{project_id}/meshes/{mesh_id}

asm:mesh:update

-

POST /v1/{project_id}/mesh-upgrade

asm:mesh:upgrade

-

GET /v1/{project_id}/mesh-upgrade/{mesh_upgrade_id}

asm:mesh:upgrade

-

PUT /v1/{project_id}/mesh-upgrade/{mesh_upgrade_id}

asm:mesh:upgrade

-

DELETE /v1/{project_id}/mesh-upgrade/{mesh_upgrade_id}

asm:mesh:upgrade

-

GET /v1/{project_id}/mesh-job/{job_id}

asm:mesh:getUpgradeJob

-

PUT /v2/projects/{project_id}/meshes/{mesh_id}

asm:mesh:update

-

GET /v3/projects/{project_id}/clusters-to-be-added

asm:mesh:getAvailableClusters

-

GET /v3/meshes/{mesh_id}/namespaces/{namespace}

asm:mesh:listServices

-

GET /v3/meshes/{mesh_id}/namespaces/{namespace}/services/{service}

asm:mesh:getService

-

GET /v3/meshes/{mesh_id}/authorizations

asm:mesh:getServiceGovernance

-

POST /v3/meshes/{mesh_id}/authorizations

asm:mesh:updateServiceGovernance

-

DELETE /v3/meshes/{mesh_id}/authorizations

asm:mesh:updateServiceGovernance

-

PUT /v2/meshes/{mesh_id}/injection

asm:mesh:updateNamespace

-

GET /v2/meshes/{mesh_id}/injection

asm:mesh:getNamespace

-

GET /v2/meshes/{mesh_id}/namespaces

asm:mesh:listNamespaces

-

POST /v2/meshes/{mesh_id}/namespaces/{namespace}/services/validate

asm:mesh:getService

-

POST /v2/meshes/{mesh_id}/namespaces/{namespace}/services/format

asm:mesh:updateService

-

-

asm:mesh:getRelease

-

-

asm:mesh:updateRelease

-

POST /v2/meshes/{mesh_id}/namespaces/{namespace}/releases

asm:mesh:createRelease

-

GET /v2/meshes/{mesh_id}/namespaces/{namespace}/releases/{release_id}

asm:mesh:getRelease

-

GET /v2/meshes/{mesh_id}/releases

asm:mesh:listReleases

-

PUT /v2/meshes/{mesh_id}/namespaces/{namespace}/releases/{release_id}

asm:mesh:updateRelease

-

DELETE /v2/meshes/{mesh_id}/namespaces/{namespace}/releases/{release_id}

asm:mesh:deleteRelease

-

POST /v2/meshes/{mesh_id}/gateways

asm:mesh:createGateway

-

GET /v3/meshes/{mesh_id}/gateways

asm:mesh:listGateways

-

POST /v2/meshes/{mesh_id}/gateways/{gateway}

asm:mesh:deleteGateway

-

POST /v3/meshes/{mesh_id}/gateways/{gateway}/addroute

asm:mesh:createGatewayRoute

-

POST /v3/meshes/{mesh_id}/gateways/{gateway}/routes

asm:mesh:listGatewayRoutes

-

POST /v3/meshes/{mesh_id}/gateways/{gateway}/removeroute

asm:mesh:deleteGatewayRoute

-

POST /v2/meshes/{mesh_id}/workshops

asm:mesh:createWorkshop

-

DELETE /v2/meshes/{mesh_id}/workshops/{workshop}

asm:mesh:deleteWorkshop

-

GET /v2/meshes/{mesh_id}/workshops

asm:mesh:listWorkshops

-

POST /v2/{projectid}/{resourcetype}/resource-instances/filter

asm:mesh:listResourcesByTag

-

POST /v2/{projectid}/{resourcetype}/resource-instances/count

asm:mesh:listResourcesByTag

-

POST /v2/{projectid}/{resourcetype}/{resourceid}/tags/create

asm:mesh:tagResource

-

DELETE /v2/{projectid}/{resourcetype}/{resourceid}/tags/delete

asm:mesh:unTagResource

-

GET /v2/{projectid}/{resourcetype}/{resourceid}/tags

asm:mesh:listTagsForResource

-

GET /v2/{projectid}/{resourcetype}/tags

asm:mesh:listTags

-

GET /api/namespaces/{namespace}/services/{service}/graph

asm:mesh:getTopology

-

GET /api/graph

asm:mesh:getTopology

-

Resources

A resource type (Resource) defines the resources on which an identity policy takes effect. In Table 3, if a specific operation has an associated resource type, then in the identity policy statement containing that operation, the policy will only take effect on the specified resource when the corresponding resource URN is provided. If no resource URN is specified, the policy will apply to all resources under the designated resource type. If no resource type is defined, the default value of Resource is *, meaning the policy applies to all resources. In addition, you can set conditions in the identity policy to further refine and restrict the resource type.

The following table lists the resource types that you can define in identity policy statements for ASM.

Table 3 Resource types supported by ASM

Resource Type

URN

mesh

asm:<region>:<account-id>:mesh:<mesh-id>

Conditions

ASM does not support service-specific condition keys in identity policies. It can only use global condition keys applicable to all services. For details, see Global Condition Keys.