Updated on 2024-06-21 GMT+08:00

Identity and Access Management (IAM)

The Organizations service provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to a principal. They only set the permissions boundary for the principal. When SCPs are attached to a member account or an organizational unit (OU), they do not directly grant permissions to that member account or OU. Instead, the SCPs just determine what permissions are available for that member account or the member accounts under that OU.

This section describes the elements used by Organizations SCPs. The elements include actions, resources, and conditions.

For details about how to use these elements to create a custom SCP, see Creating an SCP.

Actions

Actions are specific operations that are allowed or denied in an SCP.

  • The Access Level column describes how the action is classified: list, read, write, permission_management, or tagging. This classification helps you judge the level of access an action represents when you allow or deny it in an SCP.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions, and you must specify all resources ("*") in your SCP statements.
    • If this column includes a resource type, you must specify the URN of a resource of that type in the Resource element of your statements.
    • A resource type marked with an asterisk (*) is required: any resource you specify in a statement that uses this action must be of that type.

    For details about the resource types defined by IAM, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an SCP statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that the action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by IAM, see Conditions.

The following table lists the actions that you can define in SCP statements for IAM. The actions without the V5 suffix are used to control access to the old IAM console, and the actions with the V5 suffix are used to control access to the new IAM console.
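The column rules above are easy to get wrong by hand: a statement that names a resource for an action whose Resource Type is "-" or that attaches a condition key the action does not list will not behave as intended. The following Python linter encodes those rules and checks a constructed SCP against a hand-copied subset of Table 1. It is an added example, not Huawei Cloud tooling. The SCP document shape ("Version": "5.0" with Statement, Effect, Action, Resource and Condition) is assumed to follow the Huawei Cloud identity-policy JSON syntax, wildcard expansion of Action entries with "*" is assumed, and because this page does not show the resource URN format, the deliberately invalid statement uses a placeholder string.

```python
"""Lint Organizations SCP statements against the IAM action table.

Added example, not Huawei Cloud tooling. ACTION_TABLE is a hand-copied
subset of Table 1 on this page. The SCP document shape ("Version": "5.0",
Statement / Effect / Action / Resource / Condition) is assumed to follow
the Huawei Cloud identity-policy JSON syntax; the resource URN format is
not shown on this page, so the invalid statement uses a placeholder.
"""
import fnmatch
import json
import re

# Subset of Table 1: action -> (resource types, condition keys).
# resources == [] means the Resource Type column is "-": the action has no
# resource-level permissions, so Resource must be "*".
# keys == [] means the Condition Key column is "-": no condition keys apply.
ACTION_TABLE = {
    "iam::createAccessKey": ([], []),
    "iam::deleteAccessKey": ([], []),
    "iam:users:deleteVirtualMFADevice": ([], []),
    "iam:securityPolicies:updatePasswordPolicy": ([], []),
    "iam:mfa:deleteVirtualMFADeviceV5": (["mfa"], []),
    "iam:mfa:disableV5": (["mfa"], []),
    "iam:credentials:createCredentialV5": (["user"], ["g:ResourceTag/<tag-key>"]),
    "iam:users:deleteUserV5": (["user"], ["g:ResourceTag/<tag-key>"]),
    "iam:agencies:attachPolicyV5": (["agency"], ["g:ResourceTag/<tag-key>", "iam:PolicyURN"]),
    "iam::tagForResourceV5": (["agency", "user"],
                              ["g:ResourceTag/<tag-key>", "g:RequestTag/<tag-key>", "g:TagKeys"]),
}


def expand_actions(pattern):
    """Resolve one Action entry, which may contain '*', to table actions (assumed semantics)."""
    return sorted(a for a in ACTION_TABLE if fnmatch.fnmatchcase(a, pattern))


def key_supported(action, key):
    """True if `key` matches a condition key listed for the action.
    The table's '<tag-key>' placeholder stands for any single tag key."""
    for template in ACTION_TABLE[action][1]:
        regex = r"[^/]+".join(re.escape(part) for part in template.split("<tag-key>"))
        if re.fullmatch(regex, key):
            return True
    return False


def lint_statement(stmt):
    """Apply the Resource Type and Condition Key rules from this page to one statement."""
    findings = []
    actions = stmt.get("Action", [])
    resources = stmt.get("Resource", ["*"])
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    keys = [k for operator in stmt.get("Condition", {}).values() for k in operator]
    for pattern in actions:
        matched = expand_actions(pattern)
        if not matched:
            findings.append(f"{pattern}: no action in the table matches")
        for action in matched:
            resource_types, _ = ACTION_TABLE[action]
            if not resource_types and resources != ["*"]:
                findings.append(f'{action}: no resource-level permissions, Resource must be "*"')
            for key in keys:
                if not key_supported(action, key):
                    findings.append(f"{action}: condition key {key} is not supported")
    return findings


def lint_policy(document):
    """Lint a whole SCP JSON document; returns one string per finding."""
    policy = json.loads(document)
    return [f"statement {i}: {finding}"
            for i, stmt in enumerate(policy["Statement"])
            for finding in lint_statement(stmt)]


# Constructed example SCP for a member account: deny tampering with access
# keys, MFA and the password policy, whatever the principal's own permissions.
EXAMPLE_SCP = json.dumps({
    "Version": "5.0",
    "Statement": [
        {   # valid: every action here has Resource Type "-", so Resource is "*"
            "Effect": "Deny",
            "Action": ["iam::createAccessKey", "iam::deleteAccessKey",
                       "iam:users:deleteVirtualMFADevice",
                       "iam:securityPolicies:updatePasswordPolicy"],
            "Resource": ["*"],
        },
        {   # valid: the wildcard expands to the V5 MFA actions (mfa resource type)
            "Effect": "Deny",
            "Action": ["iam:mfa:*V5"],
            "Resource": ["*"],
        },
        {   # invalid twice over: iam::deleteAccessKey has no resource-level
            # permissions and supports no condition keys
            "Effect": "Deny",
            "Action": ["iam::deleteAccessKey", "iam:users:deleteUserV5"],
            "Resource": ["<user-urn>"],  # placeholder, URN syntax not shown here
            "Condition": {"StringEquals": {"g:ResourceTag/Environment": "prod"}},
        },
    ],
})

if __name__ == "__main__":
    for line in lint_policy(EXAMPLE_SCP):
        print(line)
```

Running the block reports two findings, both against the third statement: iam::deleteAccessKey cannot take a non-wildcard Resource, and it cannot take g:ResourceTag/Environment. The same statement is fine for iam:users:deleteUserV5, which is exactly the mismatch that makes mixing old and V5 actions in one statement risky. To use the linter on a real policy, copy the rows you need from Table 1 into ACTION_TABLE.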

Table 1 Actions supported by IAM

| Action | Description | Access Level | Resource Type (*: required) | Condition Key | Alias |
|---|---|---|---|---|---|
| iam::listAccessKeys | Grants permission to list permanent access keys. | list | - | - | - |
| iam::createAccessKey | Grants permission to create a permanent access key. | write | - | - | - |
| iam::getAccessKey | Grants permission to query a permanent access key. | read | - | - | iam:credentials:getCredential |
| iam::updateAccessKey | Grants permission to update a permanent access key. | write | - | - | - |
| iam::deleteAccessKey | Grants permission to delete a permanent access key. | write | - | - | - |
| iam:projects:list | Grants permission to list projects. | list | - | - | iam:projects:listProjects |
| iam:projects:create | Grants permission to create a project. | write | - | - | iam:projects:createProject |
| iam:projects:listForUser | Grants permission to list projects of a specified user. | list | - | - | iam:projects:listProjectsForUser |
| iam:projects:update | Grants permission to update a project. | write | - | - | iam:projects:updateProject |
| iam:groups:list | Grants permission to list groups. | list | - | - | - |
| iam:groups:create | Grants permission to create a group. | write | - | - | - |
| iam:groups:get | Grants permission to query a group. | read | - | - | - |
| iam:groups:delete | Grants permission to delete a group. | write | - | - | - |
| iam:groups:update | Grants permission to update a group. | write | - | - | - |
| iam:groups:removeUser | Grants permission to remove a user from a group. | write | - | - | - |
| iam:groups:listUsers | Grants permission to list users of a specified group. | list | - | - | iam:users:listUsersForGroup |
| iam:groups:checkUser | Grants permission to query whether a user is in the group. | read | - | - | iam:permissions:checkUserInGroup |
| iam:groups:addUser | Grants permission to add a user to a group. | write | - | - | - |
| iam:users:create | Grants permission to create a user. | write | - | - | - |
| iam:users:get | Grants permission to query a user. | read | - | - | - |
| iam:users:update | Grants permission to update a user. | write | - | - | - |
| iam:users:list | Grants permission to list users. | list | - | - | - |
| iam:users:delete | Grants permission to delete a user. | write | - | - | - |
| iam:users:listGroups | Grants permission to list groups of a specified user. | list | - | - | iam:groups:listGroupsForUser |
| iam:users:listVirtualMFADevices | Grants permission to list virtual MFA devices of a specified user. | list | - | - | - |
| iam:users:createVirtualMFADevice | Grants permission to create a secret key for a virtual MFA device. | write | - | - | - |
| iam:users:deleteVirtualMFADevice | Grants permission to delete a virtual MFA device. | write | - | - | - |
| iam:users:getVirtualMFADevice | Grants permission to query a virtual MFA device. | read | - | - | iam:mfa:getVirtualMFADevice |
| iam:users:bindVirtualMFADevice | Grants permission to bind a virtual MFA device. | write | - | - | iam:mfa:bindMFADevice |
| iam:users:unbindVirtualMFADevice | Grants permission to unbind a virtual MFA device. | write | - | - | iam:mfa:unbindMFADevice |
| iam:identityProviders:list | Grants permission to list identity providers. | list | - | - | iam:identityProviders:listIdentityProviders |
| iam:identityProviders:get | Grants permission to query an identity provider. | read | - | - | iam:identityProviders:getIdentityProvider |
| iam:identityProviders:create | Grants permission to create an identity provider. | write | - | - | iam:identityProviders:createIdentityProvider |
| iam:identityProviders:delete | Grants permission to delete an identity provider. | write | - | - | iam:identityProviders:deleteIdentityProvider |
| iam:identityProviders:update | Grants permission to update an identity provider. | write | - | - | iam:identityProviders:updateIdentityProvider |
| iam:identityProviders:listMappings | Grants permission to list mappings of an identity provider. | list | - | - | - |
| iam:identityProviders:getMapping | Grants permission to query a mapping of an identity provider. | read | - | - | - |
| iam:identityProviders:createMapping | Grants permission to create a mapping for an identity provider. | write | - | - | - |
| iam:identityProviders:deleteMapping | Grants permission to delete a mapping of an identity provider. | write | - | - | - |
| iam:identityProviders:updateMapping | Grants permission to update a mapping of an identity provider. | write | - | - | - |
| iam:identityProviders:listProtocols | Grants permission to list protocols of an identity provider. | list | - | - | - |
| iam:identityProviders:getProtocol | Grants permission to query a protocol of an identity provider. | read | - | - | - |
| iam:identityProviders:createProtocol | Grants permission to create a protocol for an identity provider. | write | - | - | - |
| iam:identityProviders:deleteProtocol | Grants permission to delete a protocol of an identity provider. | write | - | - | - |
| iam:identityProviders:updateProtocol | Grants permission to update a protocol of an identity provider. | write | - | - | - |
| iam:identityProviders:getSAMLMetadata | Grants permission to query a SAML metadata file of an identity provider. | read | - | - | iam:identityProviders:getIDPMetadata |
| iam:identityProviders:createSAMLMetadata | Grants permission to create a SAML metadata file for an identity provider. | write | - | - | iam:identityProviders:createIDPMetadata |
| iam:identityProviders:getOIDCConfig | Grants permission to query the OIDC configuration of an identity provider. | read | - | - | iam:identityProviders:getOpenIDConnectConfig |
| iam:identityProviders:createOIDCConfig | Grants permission to create the OIDC configuration of an identity provider. | write | - | - | iam:identityProviders:createOpenIDConnectConfig |
| iam:identityProviders:updateOIDCConfig | Grants permission to update the OIDC configuration of an identity provider. | write | - | - | iam:identityProviders:updateOpenIDConnectConfig |
| iam:securityPolicies:getProtectPolicy | Grants permission to query an operation protection policy. | read | - | - | - |
| iam:securityPolicies:updateProtectPolicy | Grants permission to update an operation protection policy. | write | - | - | - |
| iam:securityPolicies:getPasswordPolicy | Grants permission to query a password policy. | read | - | - | - |
| iam:securityPolicies:updatePasswordPolicy | Grants permission to update a password policy. | write | - | - | - |
| iam:securityPolicies:getLoginPolicy | Grants permission to query a login policy. | read | - | - | - |
| iam:securityPolicies:updateLoginPolicy | Grants permission to update a login policy. | write | - | - | - |
| iam:securityPolicies:getConsoleAclPolicy | Grants permission to query a console access policy. | read | - | - | - |
| iam:securityPolicies:updateConsoleAclPolicy | Grants permission to update a console access policy. | write | - | - | - |
| iam:securityPolicies:getApiAclPolicy | Grants permission to query an API access policy. | read | - | - | - |
| iam:securityPolicies:updateApiAclPolicy | Grants permission to update an API access policy. | write | - | - | - |
| iam:users:listLoginProtectSettings | Grants permission to list user login protection settings under a tenant. | list | - | - | iam:users:listUserLoginProtects |
| iam:users:getLoginProtectSetting | Grants permission to query login protection settings. | read | - | - | iam:users:getUserLoginProtect |
| iam:users:updateLoginProtectSetting | Grants permission to update login protection settings. | write | - | - | iam:users:setUserLoginProtect |
| iam:quotas:list | Grants permission to list quotas. | list | - | - | iam:quotas:listQuotas |
| iam:quotas:listForProject | Grants permission to list quotas of a specified project. | list | - | - | iam:quotas:listQuotasForProject |
| iam:agencies:pass | Grants permission to pass an agency to a cloud service. | permission_management | agency * | - | - |
| iam:roles:list | Grants permission to query a permission list. | list | - | - | iam:roles:listRoles |
| iam:roles:get | Grants permission to query permission details. | read | - | - | iam:roles:getRole |
| iam::listRoleAssignments | Grants permission to query authorization records of a tenant. | list | - | - | iam:permissions:listRoleAssignments |
| iam:groups:listRolesOnDomain | Grants permission to query group permissions in global services. | list | - | - | iam:permissions:listRolesForGroupOnDomain |
| iam:groups:listRolesOnProject | Grants permission to query group permissions in project services. | list | - | - | iam:permissions:listRolesForGroupOnProject |
| iam:groups:grantRoleOnDomain | Grants permission to grant global service permissions to a group. | write | - | - | iam:permissions:grantRoleToGroupOnDomain |
| iam:groups:grantRoleOnProject | Grants permission to grant project service permissions to a group. | write | - | - | iam:permissions:grantRoleToGroupOnProject |
| iam:groups:checkRoleOnDomain | Grants permission to query whether a group has global service permissions. | read | - | - | iam:permissions:checkRoleForGroupOnDomain |
| iam:groups:checkRoleOnProject | Grants permission to query whether a group has project service permissions. | read | - | - | iam:permissions:checkRoleForGroupOnProject |
| iam:groups:listRoles | Grants permission to query permissions of a group. | list | - | - | iam:permissions:listRolesForGroup |
| iam:groups:checkRole | Grants permission to query whether a group has specified permissions. | read | - | - | iam:permissions:checkRoleForGroup |
| iam:groups:revokeRole | Grants permission to remove specified permissions from a group. | write | - | - | iam:permissions:revokeRoleFromGroup |
| iam:groups:revokeRoleOnDomain | Grants permission to remove global service permissions from a group. | write | - | - | iam:permissions:revokeRoleFromGroupOnDomain |
| iam:groups:revokeRoleOnProject | Grants permission to remove project service permissions from a group. | write | - | - | iam:permissions:revokeRoleFromGroupOnProject |
| iam:groups:grantRole | Grants permission to grant specified permissions to a group. | write | - | - | iam:permissions:grantRoleToGroup |
| iam:roles:create | Grants permission to create a custom policy. | write | - | - | iam:roles:createRole |
| iam:roles:update | Grants permission to update a custom policy. | write | - | - | iam:roles:updateRole |
| iam:roles:delete | Grants permission to delete a custom policy. | write | - | - | iam:roles:deleteRole |
| iam:agencies:list | Grants permission to list agencies. | list | - | - | iam:agencies:listAgencies |
| iam:agencies:get | Grants permission to query details of a specified agency. | read | - | - | iam:agencies:getAgency |
| iam:agencies:create | Grants permission to create an agency. | write | - | - | iam:agencies:createAgency |
| iam:agencies:update | Grants permission to update an agency. | write | - | - | iam:agencies:updateAgency |
| iam:agencies:delete | Grants permission to delete an agency. | write | - | - | iam:agencies:deleteAgency |
| iam:agencies:listRolesOnDomain | Grants permission to query global service permissions of an agency. | list | - | - | iam:permissions:listRolesForAgencyOnDomain |
| iam:agencies:listRolesOnProject | Grants permission to query the permissions of a specified project for an agency. | list | - | - | iam:permissions:listRolesForAgencyOnProject |
| iam:agencies:grantRoleOnDomain | Grants permission to grant global service permissions to an agency. | write | - | - | iam:permissions:grantRoleToAgencyOnDomain |
| iam:agencies:grantRoleOnProject | Grants permission to grant project service permissions to an agency. | write | - | - | iam:permissions:grantRoleToAgencyOnProject |
| iam:agencies:checkRoleOnDomain | Grants permission to query whether an agency has global service permissions. | read | - | - | iam:permissions:checkRoleForAgencyOnDomain |
| iam:agencies:checkRoleOnProject | Grants permission to query whether an agency has project service permissions. | read | - | - | iam:permissions:checkRoleForAgencyOnProject |
| iam:agencies:revokeRoleOnDomain | Grants permission to remove global service permissions from an agency. | write | - | - | iam:permissions:revokeRoleFromAgencyOnDomain |
| iam:agencies:revokeRoleOnProject | Grants permission to remove project service permissions from an agency. | write | - | - | iam:permissions:revokeRoleFromAgencyOnProject |
| iam:agencies:listRoles | Grants permission to query permissions of an agency. | list | - | - | iam:permissions:listRolesForAgency |
| iam:agencies:grantRole | Grants permission to grant specified permissions to an agency. | write | - | - | iam:permissions:grantRoleToAgency |
| iam:agencies:checkRole | Grants permission to query whether an agency has specified permissions. | read | - | - | iam:permissions:checkRoleForAgency |
| iam:agencies:revokeRole | Grants permission to remove specified permissions from an agency. | write | - | - | iam:permissions:revokeRoleFromAgency |
| iam::listGroupsAssignedEnterpriseProject | Grants permission to query groups associated with an enterprise project. | list | - | - | iam:permissions:listGroupsOnEnterpriseProject |
| iam:groups:listRolesOnEnterpriseProject | Grants permission to query permissions of a group associated with an enterprise project. | list | - | - | iam:permissions:listRolesForGroupOnEnterpriseProject |
| iam:groups:grantRoleOnEnterpriseProject | Grants permission to grant permissions to an enterprise project based on groups. | write | - | - | iam:permissions:grantRoleToGroupOnEnterpriseProject |
| iam:groups:revokeRoleOnEnterpriseProject | Grants permission to delete permissions of a group associated with an enterprise project. | write | - | - | iam:permissions:revokeRoleFromGroupOnEnterpriseProject |
| iam:groups:listAssignedEnterpriseProjects | Grants permission to query enterprise projects associated with a group. | list | - | - | iam:permissions:listEnterpriseProjectsForGroup |
| iam:users:listAssignedEnterpriseProjects | Grants permission to query enterprise projects associated with a user. | list | - | - | iam:permissions:listEnterpriseProjectsForUser |
| iam::listUsersAssignedEnterpriseProject | Grants permission to query users associated with an enterprise project. | list | - | - | iam:permissions:listUsersForEnterpriseProject |
| iam:users:listRolesOnEnterpriseProject | Grants permission to query permissions of a user associated with an enterprise project. | list | - | - | iam:permissions:listRolesForUserOnEnterpriseProject |
| iam:users:grantRoleOnEnterpriseProject | Grants permission to grant permissions to an enterprise project based on users. | write | - | - | iam:permissions:grantRoleToUserOnEnterpriseProject |
| iam:users:revokeRoleOnEnterpriseProject | Grants permission to delete permissions of a user associated with an enterprise project. | write | - | - | iam:permissions:revokeRoleFromUserOnEnterpriseProject |
| iam:agencies:grantRoleOnEnterpriseProject | Grants permission to grant permissions to an enterprise project based on agencies. | write | - | - | iam:permissions:grantRoleToAgencyOnEnterpriseProject |
| iam:agencies:revokeRoleOnEnterpriseProject | Grants permission to delete permissions of an agency associated with an enterprise project. | write | - | - | iam:permissions:revokeRoleFromAgencyOnEnterpriseProject |
| iam:mfa:listVirtualMFADevicesV5 | Grants permission to list virtual MFA devices. | list | mfa * | - | - |
| iam:mfa:createVirtualMFADeviceV5 | Grants permission to create a virtual MFA device. | write | mfa * | - | - |
| iam:mfa:deleteVirtualMFADeviceV5 | Grants permission to delete a virtual MFA device. | write | mfa * | - | - |
| iam:mfa:enableV5 | Grants permission to enable a virtual MFA device. | write | mfa * | - | - |
| iam:mfa:disableV5 | Grants permission to disable a virtual MFA device. | write | mfa * | - | - |
| iam:securitypolicies:getPasswordPolicyV5 | Grants permission to obtain password policy information. | read | - | - | - |
| iam:securitypolicies:updatePasswordPolicyV5 | Grants permission to update a password policy. | write | - | - | - |
| iam:securitypolicies:getLoginPolicyV5 | Grants permission to obtain login policy information. | read | - | - | - |
| iam:securitypolicies:updateLoginPolicyV5 | Grants permission to update a login policy. | write | - | - | - |
| iam:credentials:listCredentialsV5 | Grants permission to list permanent access keys for an IAM user. | list | user * | g:ResourceTag/<tag-key> | - |
| iam:credentials:showAccessKeyLastUsedV5 | Grants permission to obtain the last use time of a specified permanent access key. | read | user * | g:ResourceTag/<tag-key> | - |
| iam:credentials:createCredentialV5 | Grants permission to create a permanent access key for an IAM user. | write | user * | g:ResourceTag/<tag-key> | - |
| iam:credentials:updateCredentialV5 | Grants permission to update a permanent access key for an IAM user. | write | user * | g:ResourceTag/<tag-key> | - |
| iam:credentials:deleteCredentialV5 | Grants permission to delete a permanent access key for an IAM user. | write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:changePasswordV5 | Grants permission for an IAM user to change their own password. | write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:showLoginProfileV5 | Grants permission to obtain login information of an IAM user. | read | user * | g:ResourceTag/<tag-key> | - |
| iam:users:createLoginProfileV5 | Grants permission to create login information for an IAM user. | write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:updateLoginProfileV5 | Grants permission to update login information for an IAM user. | write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:deleteLoginProfileV5 | Grants permission to delete login information for an IAM user. | write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:listUsersV5 | Grants permission to list IAM users. | list | user * | - | - |
| iam:users:getUserV5 | Grants permission to obtain information of an IAM user. | read | user * | g:ResourceTag/<tag-key> | - |
| iam:users:showUserLastLoginV5 | Grants permission to obtain the last login time of an IAM user. | read | user * | g:ResourceTag/<tag-key> | - |
| iam:users:createUserV5 | Grants permission to create an IAM user. | write | user * | - | - |
| iam:users:updateUserV5 | Grants permission to update an IAM user. | write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:deleteUserV5 | Grants permission to delete an IAM user. | write | user * | g:ResourceTag/<tag-key> | - |
| iam:groups:listGroupsV5 | Grants permission to list groups. | list | group * | - | - |
| iam:groups:getGroupV5 | Grants permission to obtain group information. | read | group * | - | - |
| iam:groups:createGroupV5 | Grants permission to create a group. | write | group * | - | - |
| iam:groups:updateGroupV5 | Grants permission to update a group. | write | group * | - | - |
| iam:groups:deleteGroupV5 | Grants permission to delete a group. | write | group * | - | - |
| iam:permissions:addUserToGroupV5 | Grants permission to add an IAM user to a group. | write | group * | - | - |
| iam:permissions:removeUserFromGroupV5 | Grants permission to remove an IAM user from a group. | write | group * | - | - |
| iam:policies:listV5 | Grants permission to list identity policies. | list | policy * | - | - |
| iam:policies:getV5 | Grants permission to obtain identity policy information. | read | policy * | - | - |
| iam:policies:createV5 | Grants permission to create a custom identity policy. | permission_management | policy * | - | - |
| iam:policies:deleteV5 | Grants permission to delete a custom identity policy. | permission_management | policy * | - | - |
| iam:policies:listVersionsV5 | Grants permission to list identity policy versions. | list | policy * | - | - |
| iam:policies:getVersionV5 | Grants permission to obtain identity policy version information. | read | policy * | - | - |
| iam:policies:createVersionV5 | Grants permission to create a new version for a custom identity policy. | permission_management | policy * | - | - |
| iam:policies:deleteVersionV5 | Grants permission to delete a version for a custom identity policy. | permission_management | policy * | - | - |
| iam:policies:setDefaultVersionV5 | Grants permission to set the default version for a custom identity policy. | permission_management | policy * | - | - |
| iam:agencies:attachPolicyV5 | Grants permission to attach an identity policy to an agency or trust agency. | permission_management | agency * | g:ResourceTag/<tag-key> | - |
| | | | - | iam:PolicyURN | |
| iam:groups:attachPolicyV5 | Grants permission to attach an identity policy to a group. | permission_management | group * | - | - |
| | | | - | iam:PolicyURN | |
| iam:users:attachPolicyV5 | Grants permission to attach an identity policy to an IAM user. | permission_management | user * | g:ResourceTag/<tag-key> | - |
| | | | - | iam:PolicyURN | |
| iam:agencies:detachPolicyV5 | Grants permission to detach an identity policy from an agency or trust agency. | permission_management | agency * | g:ResourceTag/<tag-key> | - |
| | | | - | iam:PolicyURN | |
| iam:groups:detachPolicyV5 | Grants permission to detach an identity policy from a group. | permission_management | group * | - | - |
| | | | - | iam:PolicyURN | |
| iam:users:detachPolicyV5 | Grants permission to detach an identity policy from an IAM user. | permission_management | user * | g:ResourceTag/<tag-key> | - |
| | | | - | iam:PolicyURN | |
| iam:policies:listEntitiesV5 | Grants permission to list all entities attached to an identity policy. | list | policy * | - | - |
| iam:agencies:listAttachedPoliciesV5 | Grants permission to list the identity policies attached to an agency or trust agency. | list | agency * | g:ResourceTag/<tag-key> | - |
| iam:groups:listAttachedPoliciesV5 | Grants permission to list the identity policies attached to a group. | list | group * | - | - |
| iam:users:listAttachedPoliciesV5 | Grants permission to list the identity policies attached to an IAM user. | list | user * | g:ResourceTag/<tag-key> | - |
| iam:agencies:createServiceLinkedAgencyV5 | Grants permission to create a service-linked agency to allow the cloud service to perform operations on your behalf. | write | agency * | - | - |
| | | | - | iam:ServicePrincipal | |
| iam:agencies:deleteServiceLinkedAgencyV5 | Grants permission to delete a service-linked agency. | write | agency * | g:ResourceTag/<tag-key> | - |
| | | | - | iam:ServicePrincipal | |
| iam:agencies:getServiceLinkedAgencyDeletionStatusV5 | Grants permission to obtain the deletion status of a service-linked agency. | read | agency * | - | - |
| iam:agencies:listV5 | Grants permission to list agencies and trust agencies. | list | agency * | - | - |
| iam:agencies:getV5 | Grants permission to obtain an agency or trust agency. | read | agency * | g:ResourceTag/<tag-key> | - |
| iam:agencies:createV5 | Grants permission to create a trust agency. | write | agency * | - | - |
| iam:agencies:updateV5 | Grants permission to update a trust agency. | write | agency * | g:ResourceTag/<tag-key> | - |
| iam:agencies:deleteV5 | Grants permission to delete a trust agency. | write | agency * | g:ResourceTag/<tag-key> | - |
| iam:agencies:updateTrustPolicyV5 | Grants permission to update the trust policy of a trust agency. | write | agency * | g:ResourceTag/<tag-key> | - |
| iam::listTagsForResourceV5 | Grants permission to list resource tags. | list | agency | g:ResourceTag/<tag-key> | - |
| | | | user | g:ResourceTag/<tag-key> | |
| iam::tagForResourceV5 | Grants permission to set resource tags. | tagging | agency | g:ResourceTag/<tag-key> | - |
| | | | user | g:ResourceTag/<tag-key> | |
| | | | - | g:RequestTag/<tag-key>; g:TagKeys | |
| iam::untagForResourceV5 | Grants permission to delete resource tags. | tagging | agency | g:ResourceTag/<tag-key> | - |
| | | | user | g:ResourceTag/<tag-key> | |
| | | | - | g:RequestTag/<tag-key>; g:TagKeys | |
| iam::getAccountSummaryV5 | Grants permission to obtain the IAM entity usage and IAM quota of an account. | list | - | - | - |
| iam::getAsymmetricSignatureSwitchV5 | Grants permission to obtain the asymmetric signature switch status of a temporary token. | read | - | - | - |
| iam::setAsymmetricSignatureSwitchV5 | Grants permission to set the asymmetric signature switch status of a temporary token. | write | - | - | - |

Where an action has more than one row, each condition key applies to the resource type on the same row; a row whose resource type is "-" lists keys that apply to every resource the action supports.

Each API of IAM usually supports one or more actions. Table 2 lists the supported actions and dependencies.

Table 2 Actions and dependencies supported by IAM APIs

| API | Action | Dependencies |
|---|---|---|
| GET /v3.0/OS-CREDENTIAL/credentials | iam::listAccessKeys | - |
| POST /v3.0/OS-CREDENTIAL/credentials | iam::createAccessKey | - |
| GET /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam::getAccessKey | - |
| PUT /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam::updateAccessKey | - |
| DELETE /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam::deleteAccessKey | - |
| GET /v3.0/OS-QUOTA/domains/{domain_id} | iam:quotas:list | - |
| GET /v3.0/OS-QUOTA/projects/{project_id} | iam:quotas:listForProject | - |
| GET /v3/projects | iam:projects:list | - |
| POST /v3/projects | iam:projects:create | - |
| GET /v3/users/{user_id}/projects | iam:projects:listForUser | - |
| PATCH /v3/projects/{project_id} | iam:projects:update | - |
| PUT /v3-ext/projects/{project_id} | iam:projects:update | - |
| GET /v3/groups | iam:groups:list | - |
| POST /v3/groups | iam:groups:create | - |
| GET /v3/groups/{group_id} | iam:groups:get | - |
| DELETE /v3/groups/{group_id} | iam:groups:delete | - |
| PATCH /v3/groups/{group_id} | iam:groups:update | - |
| GET /v3/groups/{group_id}/users | iam:groups:listUsers | - |
| HEAD /v3/groups/{group_id}/users/{user_id} | iam:groups:checkUser | - |
| PUT /v3/groups/{group_id}/users/{user_id} | iam:groups:addUser | - |
| DELETE /v3/groups/{group_id}/users/{user_id} | iam:groups:removeUser | - |
| POST /v3.0/OS-USER/users | iam:users:create | - |
| GET /v3.0/OS-USER/users/{user_id} | iam:users:get | - |
| PUT /v3.0/OS-USER/users/{user_id} | iam:users:update | - |
| PUT /v3.0/OS-USER/users/{user_id}/info | iam:users:update | - |
| GET /v3/users | iam:users:list | - |
| POST /v3/users | iam:users:create | - |
| GET /v3/users/{user_id} | iam:users:get | - |
| DELETE /v3/users/{user_id} | iam:users:delete | - |
| PATCH /v3/users/{user_id} | iam:users:update | - |
| GET /v3/users/{user_id}/groups | iam:users:listGroups | - |
| GET /v3.0/OS-MFA/virtual-mfa-devices | iam:users:listVirtualMFADevices | - |
| POST /v3.0/OS-MFA/virtual-mfa-devices | iam:users:createVirtualMFADevice | - |
| DELETE /v3.0/OS-MFA/virtual-mfa-devices | iam:users:deleteVirtualMFADevice | - |
| GET /v3.0/OS-MFA/users/{user_id}/virtual-mfa-device | iam:users:getVirtualMFADevice | - |
| PUT /v3.0/OS-MFA/mfa-devices/bind | iam:users:bindVirtualMFADevice | - |
| PUT /v3.0/OS-MFA/mfa-devices/unbind | iam:users:unbindVirtualMFADevice | - |
| GET /v3.0/OS-USER/login-protects | iam:users:listLoginProtectSettings | - |
| GET /v3.0/OS-USER/users/{user_id}/login-protect | iam:users:getLoginProtectSetting | - |
| PUT /v3.0/OS-USER/users/{user_id}/login-protect | iam:users:updateLoginProtectSetting | - |
| GET /v3/OS-FEDERATION/identity_providers | iam:identityProviders:list | - |
| GET /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:get | - |
| PUT /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:create | - |
| DELETE /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:delete | - |
| PATCH /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:update | - |
| GET /v3/OS-FEDERATION/mappings | iam:identityProviders:listMappings | - |
| GET /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:getMapping | - |
| PUT /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:createMapping | - |
| DELETE /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:deleteMapping | - |
| PATCH /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:updateMapping | - |
| GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols | iam:identityProviders:listProtocols | - |
| GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:getProtocol | - |
| PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:createProtocol | - |
| DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:deleteProtocol | - |
| PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:updateProtocol | - |
| GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata | iam:identityProviders:getSAMLMetadata | - |
| POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata | iam:identityProviders:createSAMLMetadata | - |
| GET /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:getOIDCConfig | - |
| POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:createOIDCConfig | - |
| PUT /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:updateOIDCConfig | - |
| GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy | iam:securityPolicies:getProtectPolicy | - |
| PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy | iam:securityPolicies:updateProtectPolicy | - |
| GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy | iam:securityPolicies:getPasswordPolicy | - |
| PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy | iam:securityPolicies:updatePasswordPolicy | - |
| GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy | iam:securityPolicies:getLoginPolicy | - |
| PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy | iam:securityPolicies:updateLoginPolicy | - |
| GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy | iam:securityPolicies:getConsoleAclPolicy | - |
| PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy | iam:securityPolicies:updateConsoleAclPolicy | - |
| GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy | iam:securityPolicies:getApiAclPolicy | - |
| PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy | iam:securityPolicies:updateApiAclPolicy | - |
| GET /v3/roles | iam:roles:list | - |
| GET /v3/roles/{role_id} | iam:roles:get | - |
| GET /v3.0/OS-PERMISSION/role-assignments | iam::listRoleAssignments | - |
| GET /v3/domains/{domain_id}/groups/{group_id}/roles | iam:groups:listRolesOnDomain | - |
| GET /v3/projects/{project_id}/groups/{group_id}/roles | iam:groups:listRolesOnProject | - |
| PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:groups:grantRoleOnDomain | - |
| PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:groups:grantRoleOnProject | - |
| HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:groups:checkRoleOnDomain | - |
| HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:groups:checkRoleOnProject | - |
| GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects | iam:groups:listRoles | - |
| HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects | iam:groups:checkRole | - |
| DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects | iam:groups:revokeRole | - |
| DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:groups:revokeRoleOnDomain | - |
| DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:groups:revokeRoleOnProject | - |
| PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects | iam:groups:grantRole | - |
| GET /v3.0/OS-ROLE/roles | iam:roles:list | - |
| GET /v3.0/OS-ROLE/roles/{role_id} | iam:roles:get | - |
| POST /v3.0/OS-ROLE/roles | iam:roles:create | - |
| PATCH /v3.0/OS-ROLE/roles/{role_id} | iam:roles:update | - |
| DELETE /v3.0/OS-ROLE/roles/{role_id} | iam:roles:delete | - |
| GET /v3.0/OS-AGENCY/agencies | iam:agencies:list | - |
| GET /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:get | - |
| POST /v3.0/OS-AGENCY/agencies | iam:agencies:create | - |
| PUT /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:update | - |
| DELETE /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:delete | - |
| GET /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles | iam:agencies:listRolesOnDomain | - |
| GET /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles | iam:agencies:listRolesOnProject | - |
| PUT /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:grantRoleOnDomain | - |
| PUT /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:grantRoleOnProject | - |
| HEAD /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:checkRoleOnDomain | - |
| HEAD /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:checkRoleOnProject | - |
| DELETE /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:revokeRoleOnDomain | - |

DELETE /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id}

iam:agencies:revokeRoleOnProject

-

GET /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/inherited_to_projects

iam:agencies:listRoles

-

PUT /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects

iam:agencies:grantRole

-

HEAD /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects

iam:agencies:checkRole

-

DELETE /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects

iam:agencies:revokeRole

-

GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups

iam::listGroupsAssignedEnterpriseProject

-

GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles

iam:groups:listRolesOnEnterpriseProject

-

PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id}

iam:groups:grantRoleOnEnterpriseProject

-

DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id}

iam:groups:revokeRoleOnEnterpriseProject

-

GET /v3.0/OS-PERMISSION/groups/{group_id}/enterprise-projects

iam:groups:listAssignedEnterpriseProjects

-

GET /v3.0/OS-PERMISSION/users/{user_id}/enterprise-projects

iam:users:listAssignedEnterpriseProjects

-

GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users

iam::listUsersAssignedEnterpriseProject

-

GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles

iam:users:listRolesOnEnterpriseProject

-

PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id}

iam:users:grantRoleOnEnterpriseProject

-

DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id}

iam:users:revokeRoleOnEnterpriseProject

-

PUT /v3.0/OS-PERMISSION/subjects/agency/scopes/enterprise-project/role-assignments

iam:agencies:grantRoleOnEnterpriseProject

-

DELETE /v3.0/OS-PERMISSION/subjects/agency/scopes/enterprise-project/role-assignments

iam:agencies:revokeRoleOnEnterpriseProject

-

Resources

A resource type indicates the resources that an SCP applies to. If a resource type is listed for an action, statements using that action must specify the resource URN in their Resource element, and the SCP then applies only to resources of that type. If no resource type is listed for the action, the Resource element is set to an asterisk (*) and the SCP applies to all resources. You can also use condition keys in an SCP to narrow the resources a statement applies to.

The following table lists the resource types that you can define in SCP statements for IAM.

Table 3 Resource types supported by IAM

Resource Type | URN
------------- | ---
policy | iam::<account-id>:policy:<policy-name-with-path>
agency | iam::<account-id>:agency:<agency-name-with-path>
user | iam::<account-id>:user:<user-name>
group | iam::<account-id>:group:<group-name>
mfa | iam::<account-id>:mfa:<mfa-name>

Conditions

A Condition element lets you specify conditions for when an SCP is in effect. It contains condition keys and operators.

  • The condition key that you specify can be a global condition key or a service-specific condition key.
    • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, IAM automatically obtains such information and authenticates users. For details, see Global Condition Keys.
    • Service-specific condition keys (with the abbreviation of a service name plus a colon as the prefix, for example, iam:) only apply to operations of the IAM service. For details, see Table 4.
    • The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
  • A condition operator, condition key, and a condition value together constitute a complete condition statement. An SCP can be applied only when its request conditions are met. For supported condition operators, see Condition operators.

The following table lists the condition keys that you can define in SCPs for IAM. You can include these condition keys to specify conditions for when your SCP is in effect.

Table 4 Service-specific condition keys supported by IAM

Service-specific Condition Key | Type | Single-valued/Multivalued | Description
------------------------------ | ---- | ------------------------- | -----------
iam:PolicyURN | string | Single-valued | Filters access by the URN of the identity policy
iam:ServicePrincipal | string | Single-valued | Filters access by the service ID of the cloud service passed by the service-linked agency
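The Resources and Conditions sections above describe three matching steps (action name, resource URN, condition key) and the rule from the introduction that an SCP only bounds what a principal may do. The following is an added example, not code from this page or from the IAM service, that models those steps so the behaviour can be checked against concrete requests. The statement shape (Effect, Action, Resource, Condition), the StringEquals/StringLike operators, the rule that a condition key absent from the request context never satisfies a condition, and the sample SCP itself are assumptions made for illustration; the action names, URN layout and condition key come from the tables on this page. Whether a given action accepts a resource-level URN is governed by the Resource Type column of the actions table, so the resource-level Deny below is illustrative only.

```python
"""Toy evaluator for the SCP elements on this page (added example, not the
IAM service's own engine).  Statement shape, operators and the absent-key
rule are assumptions; action names, URN layout and condition keys are from
the page's tables."""
import fnmatch
import re

# URN layout from Table 3: iam::<account-id>:<resource-type>:<name>
# (names for policy and agency may carry a path, hence '/' is allowed).
URN_RE = re.compile(
    r"^iam::(?P<account>[^:]*):(?P<rtype>policy|agency|user|group|mfa):(?P<name>[^:]+)$"
)


def parse_urn(urn):
    """Split an IAM resource URN into account, resource type and name."""
    m = URN_RE.match(urn)
    if m is None:
        raise ValueError(f"not an IAM resource URN: {urn!r}")
    return m.groupdict()


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _like(pattern, value):
    # '*' and '?' wildcards, as used in Action and Resource elements
    return fnmatch.fnmatchcase(value, pattern)


# Condition operators assumed for this model
OPERATORS = {
    "StringEquals": lambda wanted, have: have == wanted,
    "StringLike": _like,
}


def statement_matches(stmt, action, resource, context):
    """True when Action, Resource and every Condition match the request."""
    if not any(_like(p, action) for p in _as_list(stmt["Action"])):
        return False
    if not any(_like(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        test = OPERATORS[operator]
        for key, wanted in pairs.items():
            # Single-valued key: one value in the request context.  A key
            # missing from the context never satisfies the condition (assumption).
            if key not in context:
                return False
            if not any(test(w, context[key]) for w in _as_list(wanted)):
                return False
    return True


def scp_permits(scp, action, resource="*", context=None):
    """Boundary decision: an explicit Deny wins; no matching Allow is a deny."""
    context = context or {}
    effects = {s["Effect"] for s in scp["Statement"]
               if statement_matches(s, action, resource, context)}
    return "Deny" not in effects and "Allow" in effects


def effective_permission(identity_allows, scp, action, resource="*", context=None):
    """An SCP grants nothing: the action is usable only if the principal's own
    policy allows it AND the action is inside the SCP boundary."""
    return identity_allows and scp_permits(scp, action, resource, context)


# Constructed sample SCP (hypothetical): keep member accounts from weakening the
# account security settings, from IAM operations involving Admin* identity
# policies, and from deleting agencies named prod-*.
EXAMPLE_SCP = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:securityPolicies:update*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
         "Condition": {"StringLike": {"iam:PolicyURN": "iam::*:policy:Admin*"}}},
        {"Effect": "Deny", "Action": "iam:agencies:delete",
         "Resource": "iam::*:agency:prod-*"},
    ]
}

if __name__ == "__main__":
    print(scp_permits(EXAMPLE_SCP, "iam:roles:list"))
    print(scp_permits(EXAMPLE_SCP, "iam:securityPolicies:updatePasswordPolicy"))
    print(effective_permission(False, EXAMPLE_SCP, "iam:roles:list"))
```

The third call shows the point made in the introduction: even though the sample SCP allows `iam:roles:list`, a principal whose own policy does not grant it still cannot call it, because the SCP only sets the boundary.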