Creating a Custom Policy for Cloud Services

Function

This API is provided for the administrator to create a custom policy for cloud services.

The API can be called using both the global endpoint and region-specific endpoints.

URI

POST /v3.0/OS-ROLE/roles

Request Parameters

**Table 1** Parameters in the request header
Parameter	Mandatory	Type	Description
Content-Type	Yes	String	Fill application/json;charset=utf8 in this field.
X-Auth-Token	Yes	String	Token with Security Administrator permissions.

**Table 2** Parameters in the request body
Parameter	Mandatory	Type	Description
role	Yes	Object	Custom policy information.

**Table 3** role
Parameter	Mandatory	Type	Description
display_name	Yes	String	Display name of the custom policy.
type	Yes	String	Display mode. NOTE: AX: Account level. XA: Project level. The display mode of a custom policy can only be AX or XA. A custom policy must be displayed at either of the two levels.
description	Yes	String	Description of the custom policy.
description_cn	No	String	Description of the custom policy.
policy	Yes	Object	Content of custom policy.

**Table 4** role.policy
Parameter	Mandatory	Type	Description
Version	Yes	String	Policy version. When creating a custom policy, set this parameter to 1.1. NOTE: 1.0: System-defined role. Only a limited number of service-level roles are provided for authorization. 1.1: Policy. A policy defines the permissions required to perform operations on a specific cloud resource under certain conditions.
Statement	Yes	Array of objects	Statement of the policy. A policy can contain a maximum of eight statements.

**Table 5** role.policy.Statement
Parameter	Mandatory	Type	Description
Action	Yes	Array of strings	Specific operation permission on a resource. A maximum of 100 actions are allowed. NOTE: The value format is Service name:Resource type:Operation, for example, vpc:ports:create. Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.
Effect	Yes	String	Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. Options: Allow Deny
Condition	No	Object	Conditions for the permission to take effect. A maximum of 10 conditions are allowed. NOTE: Take the condition in the sample request as an example, the condition key (obs:prefix) and the string (public) must be equal (StringEquals). "Condition": { "StringEquals": { "obs:prefix": [ "public" ] } }
Resource	No	Array of strings	Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters. NOTE: Format: ::::. For example, obs:::bucket:. Asterisks are allowed. The region segment can be or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.

Response Parameters

**Table 6** Parameters in the response body
Parameter	Type	Description
role	Object	Custom policy information.

**Table 7** role
Parameter	Type	Description
catalog	String	Service catalog.
display_name	String	Display name of the custom policy.
description	String	Description of the custom policy.
links	Object	Resource link of the custom policy.
policy	Object	Content of custom policy.
description_cn	String	Description of the custom policy.
domain_id	String	Domain ID.
type	String	Display mode. NOTE: AX: Account level. XA: Project level. The display mode of a custom policy can only be AX or XA. A custom policy must be displayed at either of the two levels.
id	String	Policy ID.
name	String	Name of the custom policy.
updated_time	String	Time when the custom policy was last updated.
created_time	String	Time when the custom policy was created.
references	String	Number of references.

**Table 8** role.links
Parameter	Type	Description
self	String	Resource link.

**Table 9** role.policy
Parameter	Type	Description
Version	String	Policy version. NOTE: 1.0: System-defined role. Only a limited number of service-level roles are provided for authorization. 1.1: Policy. A policy defines the permissions required to perform operations on a specific cloud resource under certain conditions.
Statement	Array of objects	Statement of the policy. A policy can contain a maximum of eight statements.

**Table 10** role.policy.Statement
Parameter	Type	Description
Action	Array of strings	Specific operation permission on a resource. A maximum of 100 actions are allowed. NOTE: The value format is Service name:Resource type:Operation, for example, vpc:ports:create. Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.
Effect	String	Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements. Options: Allow Deny
Condition	Map<String,Map<String,Array<String>>>	Conditions for the permission to take effect. A maximum of 10 conditions are allowed. NOTE: Take the condition in the sample request as an example, the condition key (obs:prefix) and the string (public) must be equal (StringEquals). "Condition": { "StringEquals": { "obs:prefix": [ "public" ] } }
Resource	Array of strings	Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters. NOTE: Format: ::::. For example, obs:::bucket:. Asterisks are allowed. The region segment can be or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.

Example Request

POST https://sample.domain.com/v3.0/OS-ROLE/roles

{
    "role": {
        "display_name": "IAMCloudServicePolicy",
        "type": "AX",
        "description": "IAMDescription",
        "description_cn": "Policy description",
        "policy": {
            "Version": "1.1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "obs:bucket:GetBucketAcl"
                    ],
                    "Condition": {
                        "StringStartWith": {
                            "g:ProjectName": [
                                "example-west-1"
                            ]
                        }
                    },
                }
            ]
        }
    }
}

Example Response

Status code: 201

The request is successful.

{
    "role": {
        "catalog": "CUSTOMED",
        "display_name": "IAMCloudServicePolicy",
        "description": "IAMDescription",
        "links": {
            "self": "https://sample.domain.com/v3/roles/93879fd90f1046f69e6e0b31c94d2..."
        },
        "policy": {
            "Version": "1.1",
            "Statement": [
                {
                    "Action": [
                        "obs:bucket:GetBucketAcl"
                    ],
                    "Resource": [
                        "obs:*:*:bucket:*"
                    ],
                    "Effect": "Allow",
                    "Condition": {
                        "StringStartWith": {
                            "g:ProjectName": [
                                "example-west-1"
                            ]
                        }
                    }
                }
            ]
        },
        "description_cn": "Policy description",
        "domain_id": "d78cbac186b744899480f25bd...",
        "type": "AX",
        "id": "93879fd90f1046f69e6e0b31c9...",
        "name": "custom_d78cbac186b744899480f25bd022f468_1"
    }
}