Updated on 2025-11-06 GMT+08:00

IAM Identity Policy-based Authorization Reference

IAM provides system-defined identity policies to define typical cloud service permissions. You can also create custom identity policies using the actions supported by cloud services for more refined access control.

In addition to IAM, the Organizations service also provides Service Control Policies (SCPs) to set access control policies.

SCPs do not actually grant any permissions to an entity. They only set the permissions boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.

To learn more about how IAM is different from Organizations for access control, see How IAM Is Different from Organizations for Access Control?.

This section describes the elements used by IAM custom identity policies and Organizations SCPs. The elements include actions, resources, and conditions.

Actions

Actions are specific operations that are allowed or denied in an identity policy.

  • The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in an identity policy.
  • The Resource Type column indicates whether the action supports resource-level permissions.
    • You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your identity policy statements.
    • If this column includes a resource type, you must specify the URN in the Resource element of your identity policy statements.
    • Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.

    For details about the resource types defined by IAM, see Resources.

  • The Condition Key column contains keys that you can specify in the Condition element of an identity policy statement.
    • If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
    • If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
    • If the Condition Key column is empty (-) for an action, the action does not support any condition keys.

    For details about the condition keys defined by IAM, see Conditions.

  • The Alias column lists the policy actions that are configured in identity policies. With these actions, you can use APIs for policy-based authorization. For details, see Policies and Identity Policies.

The following table lists the actions that you can define in identity policy statements for IAM.

Table 1 Actions supported by IAM (an action with more than one resource-type row is shown with one line per resource type)

| Action | Description | Access Level | Resource Type (*: required) | Condition Key | Alias |
|---|---|---|---|---|---|
| iam::listAccessKeys | Grants permission to list permanent access keys. | List | - | - | iam:credentials:listCredentials |
| iam::createAccessKey | Grants permission to create a permanent access key. | Write | - | - | iam:credentials:createCredential |
| iam::getAccessKey | Grants permission to query a permanent access key. | Read | - | - | iam:credentials:getCredential |
| iam::updateAccessKey | Grants permission to update a permanent access key. | Write | - | - | iam:credentials:updateCredential |
| iam::deleteAccessKey | Grants permission to delete a permanent access key. | Write | - | - | iam:credentials:deleteCredential |
| iam:projects:list | Grants permission to list projects. | List | - | - | iam:projects:listProjects |
| iam:projects:create | Grants permission to create a project. | Write | - | - | iam:projects:createProject |
| iam:projects:listForUser | Grants permission to list projects of a specified user. | List | - | - | iam:projects:listProjectsForUser |
| iam:projects:update | Grants permission to update a project. | Write | - | - | iam:projects:updateProject |
| iam:groups:list | Grants permission to list groups. | List | - | - | iam:groups:listGroups |
| iam:groups:create | Grants permission to create a group. | Write | - | - | iam:groups:createGroup |
| iam:groups:get | Grants permission to query a group. | Read | - | - | iam:groups:getGroup |
| iam:groups:delete | Grants permission to delete a group. | Write | - | - | iam:groups:deleteGroup |
| iam:groups:update | Grants permission to update a group. | Write | - | - | iam:groups:updateGroup |
| iam:groups:removeUser | Grants permission to remove a user from a group. | Write | - | - | iam:permissions:removeUserFromGroup |
| iam:groups:listUsers | Grants permission to list users of a specified group. | List | - | - | iam:users:listUsersForGroup |
| iam:groups:checkUser | Grants permission to query whether a user is in the group. | Read | - | - | iam:permissions:checkUserInGroup |
| iam:groups:addUser | Grants permission to add a user to a group. | Write | - | - | iam:permissions:addUserToGroup |
| iam:users:create | Grants permission to create a user. | Write | - | - | iam:users:createUser |
| iam:users:get | Grants permission to query a user. | Read | - | - | iam:users:getUser |
| iam:users:update | Grants permission to update a user. | Write | - | - | iam:users:updateUser |
| iam:users:list | Grants permission to list users. | List | - | - | iam:users:listUsers |
| iam:users:delete | Grants permission to delete a user. | Write | - | - | iam:users:deleteUser |
| iam:users:listGroups | Grants permission to list groups of a specified user. | List | - | - | iam:groups:listGroupsForUser |
| iam:users:listVirtualMFADevices | Grants permission to list virtual MFA devices of a specified user. | List | - | - | iam:mfa:listVirtualMFADevices |
| iam:users:createVirtualMFADevice | Grants permission to create a virtual MFA device. | Write | - | - | iam:mfa:createVirtualMFADevice |
| iam:users:deleteVirtualMFADevice | Grants permission to delete a virtual MFA device. | Write | - | - | iam:mfa:deleteVirtualMFADevice |
| iam:users:getVirtualMFADevice | Grants permission to query a virtual MFA device. | Read | - | - | iam:mfa:getVirtualMFADevice |
| iam:users:bindVirtualMFADevice | Grants permission to bind a virtual MFA device. | Write | - | - | iam:mfa:bindMFADevice |
| iam:users:unbindVirtualMFADevice | Grants permission to unbind a virtual MFA device. | Write | - | - | iam:mfa:unbindMFADevice |
| iam:identityProviders:list | Grants permission to list identity providers. | List | - | - | iam:identityProviders:listIdentityProviders |
| iam:identityProviders:get | Grants permission to query an identity provider. | Read | - | - | iam:identityProviders:getIdentityProvider |
| iam:identityProviders:create | Grants permission to create an identity provider. | Write | - | - | iam:identityProviders:createIdentityProvider |
| iam:identityProviders:delete | Grants permission to delete an identity provider. | Write | - | - | iam:identityProviders:deleteIdentityProvider |
| iam:identityProviders:update | Grants permission to update an identity provider. | Write | - | - | iam:identityProviders:updateIdentityProvider |
| iam:identityProviders:listMappings | Grants permission to list mappings of an identity provider. | List | - | - | - |
| iam:identityProviders:getMapping | Grants permission to query a mapping of an identity provider. | Read | - | - | - |
| iam:identityProviders:createMapping | Grants permission to create a mapping of an identity provider. | Write | - | - | - |
| iam:identityProviders:deleteMapping | Grants permission to delete a mapping of an identity provider. | Write | - | - | - |
| iam:identityProviders:updateMapping | Grants permission to update a mapping of an identity provider. | Write | - | - | - |
| iam:identityProviders:listProtocols | Grants permission to list protocols of an identity provider. | List | - | - | - |
| iam:identityProviders:getProtocol | Grants permission to query a protocol of an identity provider. | Read | - | - | - |
| iam:identityProviders:createProtocol | Grants permission to create a protocol of an identity provider. | Write | - | - | - |
| iam:identityProviders:deleteProtocol | Grants permission to delete a protocol of an identity provider. | Write | - | - | - |
| iam:identityProviders:updateProtocol | Grants permission to update a protocol of an identity provider. | Write | - | - | - |
| iam:identityProviders:getSAMLMetadata | Grants permission to query the SAML metadata file of an identity provider. | Read | - | - | iam:identityProviders:getIDPMetadata |
| iam:identityProviders:createSAMLMetadata | Grants permission to create the SAML metadata file of an identity provider. | Write | - | - | iam:identityProviders:createIDPMetadata |
| iam:identityProviders:getOIDCConfig | Grants permission to query the OIDC configuration of an identity provider. | Read | - | - | iam:identityProviders:getOpenIDConnectConfig |
| iam:identityProviders:createOIDCConfig | Grants permission to create the OIDC configuration of an identity provider. | Write | - | - | iam:identityProviders:createOpenIDConnectConfig |
| iam:identityProviders:updateOIDCConfig | Grants permission to update the OIDC configuration of an identity provider. | Write | - | - | iam:identityProviders:updateOpenIDConnectConfig |
| iam:securityPolicies:getProtectPolicy | Grants permission to query an operation protection policy. | Read | - | - | - |
| iam:securityPolicies:updateProtectPolicy | Grants permission to update an operation protection policy. | Write | - | - | - |
| iam:securityPolicies:getPasswordPolicy | Grants permission to query a password policy. | Read | - | - | - |
| iam:securityPolicies:updatePasswordPolicy | Grants permission to update a password policy. | Write | - | - | - |
| iam:securityPolicies:getLoginPolicy | Grants permission to query a login policy. | Read | - | - | - |
| iam:securityPolicies:updateLoginPolicy | Grants permission to update a login policy. | Write | - | - | - |
| iam:securityPolicies:getConsoleAclPolicy | Grants permission to query a console access policy. | Read | - | - | - |
| iam:securityPolicies:updateConsoleAclPolicy | Grants permission to modify a console access policy. | Write | - | - | - |
| iam:securityPolicies:getApiAclPolicy | Grants permission to query an API access policy. | Read | - | - | - |
| iam:securityPolicies:updateApiAclPolicy | Grants permission to update an API access policy. | Write | - | - | - |
| iam:securityPolicies:getPrivacyTransferPolicy | Grants permission to query a privacy transfer policy. | Read | - | - | - |
| iam:securityPolicies:updatePrivacyTransferPolicy | Grants permission to update a privacy transfer policy. | Write | - | - | - |
| iam:users:listLoginProtectSettings | Grants permission to list the login protection settings of users in the domain. | List | - | - | iam:users:listUserLoginProtects |
| iam:users:getLoginProtectSetting | Grants permission to get the login protection setting of a user. | Read | - | - | iam:users:getUserLoginProtect |
| iam:users:updateLoginProtectSetting | Grants permission to update the login protection setting of a user. | Write | - | - | iam:users:setUserLoginProtect |
| iam:quotas:list | Grants permission to list quotas. | List | - | - | iam:quotas:listQuotas |
| iam:quotas:listForProject | Grants permission to list quotas of a specified project. | List | - | - | iam:quotas:listQuotasForProject |
| iam:agencies:pass | Grants permission to pass an agency to a service. | Permission_management | agency * | - | - |
| iam:roles:list | Grants permission to list roles. | List | - | - | iam:roles:listRoles |
| iam:roles:get | Grants permission to get role details. | Read | - | - | iam:roles:getRole |
| iam::listRoleAssignments | Grants permission to query tenant assignment records. | List | - | - | iam:permissions:listRoleAssignments |
| iam:groups:listRolesOnDomain | Grants permission to query user group permissions in global services. | List | - | - | iam:permissions:listRolesForGroupOnDomain |
| iam:groups:listRolesOnProject | Grants permission to query user group permissions in project services. | List | - | - | iam:permissions:listRolesForGroupOnProject |
| iam:groups:grantRoleOnDomain | Grants permission to grant global service permissions to a user group. | Write | - | - | iam:permissions:grantRoleToGroupOnDomain |
| iam:groups:grantRoleOnProject | Grants permission to grant project-level service permissions to a user group. | Write | - | - | iam:permissions:grantRoleToGroupOnProject |
| iam:groups:checkRoleOnDomain | Grants permission to query whether a user group has global service permissions. | Read | - | - | iam:permissions:checkRoleForGroupOnDomain |
| iam:groups:checkRoleOnProject | Grants permission to query whether a user group has the project service permission. | Read | - | - | iam:permissions:checkRoleForGroupOnProject |
| iam:groups:listRoles | Grants permission to query permissions of a user group. | List | - | - | iam:permissions:listRolesForGroup |
| iam:groups:checkRole | Grants permission to query whether a user group has specified permissions. | Read | - | - | iam:permissions:checkRoleForGroup |
| iam:groups:revokeRole | Grants permission to remove specified permissions from a user group. | Write | - | - | iam:permissions:revokeRoleFromGroup |
| iam:groups:revokeRoleOnDomain | Grants permission to remove global service permissions from a user group. | Write | - | - | iam:permissions:revokeRoleFromGroupOnDomain |
| iam:groups:revokeRoleOnProject | Grants permission to remove project service permissions from a user group. | Write | - | - | iam:permissions:revokeRoleFromGroupOnProject |
| iam:groups:grantRole | Grants permission to grant specified permissions to a user group. | Write | - | - | iam:permissions:grantRoleToGroup |
| iam:roles:create | Grants permission to create custom policies. | Write | - | - | iam:roles:createRole |
| iam:roles:update | Grants permission to create custom policies. | Write | - | - | iam:roles:updateRole |
| iam:roles:delete | Grants permission to delete custom policies. | Write | - | - | iam:roles:deleteRole |
| iam:agencies:list | Grants permission to list agencies. | List | - | - | iam:agencies:listAgencies |
| iam:agencies:listSwitchAgencyHistories | Grants permission to list the agency switching history. | List | - | - | - |
| iam:agencies:get | Grants permission to query agency details. | Read | - | - | iam:agencies:getAgency |
| iam:agencies:create | Grants permission to create an agency. | Write | - | - | iam:agencies:createAgency |
| iam:agencies:update | Grants permission to modify an agency. | Write | - | - | iam:agencies:updateAgency |
| iam:agencies:delete | Grants permission to delete an agency. | Write | - | - | iam:agencies:deleteAgency |
| iam:agencies:listRolesOnDomain | Grants permission to query global service permissions of an agency. | List | - | - | iam:permissions:listRolesForAgencyOnDomain |
| iam:agencies:listRolesOnProject | Grants permission to query project permissions of an agency. | List | - | - | iam:permissions:listRolesForAgencyOnProject |
| iam:agencies:grantRoleOnDomain | Grants permission to grant global service permissions to agencies. | Write | - | - | iam:permissions:grantRoleToAgencyOnDomain |
| iam:agencies:grantRoleOnProject | Grants permission to grant project service permissions to agencies. | Write | - | - | iam:permissions:grantRoleToAgencyOnProject |
| iam:agencies:checkRoleOnDomain | Grants permission to query whether an agency has global service permissions. | Read | - | - | iam:permissions:checkRoleForAgencyOnDomain |
| iam:agencies:checkRoleOnProject | Grants permission to query whether an agency has project service permissions. | Read | - | - | iam:permissions:checkRoleForAgencyOnProject |
| iam:agencies:revokeRoleOnDomain | Grants permission to remove global service permissions from an agency. | Write | - | - | iam:permissions:revokeRoleFromAgencyOnDomain |
| iam:agencies:revokeRoleOnProject | Grants permission to remove project service permissions from an agency. | Write | - | - | iam:permissions:revokeRoleFromAgencyOnProject |
| iam:agencies:listRoles | Grants permission to list permissions of an agency. | List | - | - | iam:permissions:listRolesForAgency |
| iam:agencies:grantRole | Grants permission to grant the specified permissions to an agency. | Write | - | - | iam:permissions:grantRoleToAgency |
| iam:agencies:checkRole | Grants permission to check whether an agency has specified permissions. | Read | - | - | iam:permissions:checkRoleForAgency |
| iam:agencies:revokeRole | Grants permission to remove specified permissions from an agency. | Write | - | - | iam:permissions:revokeRoleFromAgency |
| iam::listGroupsAssignedEnterpriseProject | Grants permission to query permissions of a user group associated with an enterprise project. | List | - | - | iam:permissions:listGroupsOnEnterpriseProject |
| iam:groups:listRolesOnEnterpriseProject | Grants permission to query permissions of a user group associated with an enterprise project. | List | - | - | iam:permissions:listRolesForGroupOnEnterpriseProject |
| iam:groups:grantRoleOnEnterpriseProject | Grants permission to grant permissions to a user group associated with an enterprise project. | Write | - | - | iam:permissions:grantRoleToGroupOnEnterpriseProject |
| iam:groups:revokeRoleOnEnterpriseProject | Grants permission to delete permissions of a user group associated with an enterprise project. | Write | - | - | iam:permissions:revokeRoleFromGroupOnEnterpriseProject |
| iam:groups:listAssignedEnterpriseProjects | Grants permission to query enterprise projects of a group. | List | - | - | iam:permissions:listEnterpriseProjectsForGroup |
| iam:users:listAssignedEnterpriseProjects | Grants permission to query enterprise projects of a user. | List | - | - | iam:permissions:listEnterpriseProjectsForUser |
| iam::listUsersAssignedEnterpriseProject | Grants permission to query users directly associated with an enterprise project. | List | - | - | iam:permissions:listUsersForEnterpriseProject |
| iam:users:listRolesOnEnterpriseProject | Grants permission to query permissions of a user directly associated with an enterprise project. | List | - | - | iam:permissions:listRolesForUserOnEnterpriseProject |
| iam:users:grantRoleOnEnterpriseProject | Grants permission to grant permissions to an enterprise project based on users. | Write | - | - | iam:permissions:grantRoleToUserOnEnterpriseProject |
| iam:users:revokeRoleOnEnterpriseProject | Grants permission to delete permissions of a user directly associated with an enterprise project. | Write | - | - | iam:permissions:revokeRoleFromUserOnEnterpriseProject |
| iam:agencies:grantRoleOnEnterpriseProject | Grants permission to grant permissions to an enterprise project based on agencies. | Write | - | - | iam:permissions:grantRoleToAgencyOnEnterpriseProject |
| iam:agencies:revokeRoleOnEnterpriseProject | Grants permission to delete permissions of an agency associated with an enterprise project. | Write | - | - | iam:permissions:revokeRoleFromAgencyOnEnterpriseProject |
| iam:mfa:listMFADevicesV5 | Grants permission to list MFA devices. | List | mfa * | - | - |
| iam:mfa:createVirtualMFADeviceV5 | Grants permission to create a virtual MFA device. | Write | mfa * | - | - |
| iam:mfa:deleteVirtualMFADeviceV5 | Grants permission to delete a virtual MFA device. | Write | mfa * | - | - |
| iam:mfa:enableV5 | Grants permission to enable an MFA device. | Write | mfa * | - | - |
| iam:mfa:disableV5 | Grants permission to disable an MFA device. | Write | mfa * | - | - |
| iam:securitypolicies:getPasswordPolicyV5 | Grants permission to retrieve information about the password policy. | Read | - | - | - |
| iam:securitypolicies:updatePasswordPolicyV5 | Grants permission to update the password policy. | Write | - | - | - |
| iam:securitypolicies:getLoginPolicyV5 | Grants permission to retrieve information about the login policy. | Read | - | - | - |
| iam:securitypolicies:updateLoginPolicyV5 | Grants permission to update the login policy. | Write | - | - | - |
| iam:credentials:listCredentialsV5 | Grants permission to list permanent access keys for an IAM user. | List | user * | g:ResourceTag/<tag-key> | - |
| iam:credentials:showAccessKeyLastUsedV5 | Grants permission to retrieve information about when the specified access key was last used. | Read | user * | g:ResourceTag/<tag-key> | - |
| iam:credentials:createCredentialV5 | Grants permission to create a permanent access key for an IAM user. | Write | user * | g:ResourceTag/<tag-key> | - |
| iam:credentials:updateCredentialV5 | Grants permission to update a permanent access key for an IAM user. | Write | user * | g:ResourceTag/<tag-key> | - |
| iam:credentials:deleteCredentialV5 | Grants permission to delete a permanent access key for an IAM user. | Write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:changePasswordV5 | Grants permission to an IAM user to change their own password. | Write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:showLoginProfileV5 | Grants permission to retrieve information about the login profile of an IAM user. | Read | user * | g:ResourceTag/<tag-key> | - |
| iam:users:createLoginProfileV5 | Grants permission to create a login profile for an IAM user. | Write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:updateLoginProfileV5 | Grants permission to update the login profile of an IAM user. | Write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:deleteLoginProfileV5 | Grants permission to delete the login profile of an IAM user. | Write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:listUsersV5 | Grants permission to list IAM users. | List | user * | - | - |
| iam:users:getUserV5 | Grants permission to retrieve information about an IAM user. | Read | user * | g:ResourceTag/<tag-key> | - |
| iam:users:showUserLastLoginV5 | Grants permission to retrieve information about when the specified IAM user last logged in. | Read | user * | g:ResourceTag/<tag-key> | - |
| iam:users:createUserV5 | Grants permission to create an IAM user. | Write | user * | - | - |
| iam:users:updateUserV5 | Grants permission to update an IAM user. | Write | user * | g:ResourceTag/<tag-key> | - |
| iam:users:deleteUserV5 | Grants permission to delete an IAM user. | Write | user * | g:ResourceTag/<tag-key> | - |
| iam:groups:listGroupsV5 | Grants permission to list groups. | List | group * | - | - |
| iam:groups:getGroupV5 | Grants permission to retrieve information about a group. | Read | group * | - | - |
| iam:groups:createGroupV5 | Grants permission to create a group. | Write | group * | - | - |
| iam:groups:updateGroupV5 | Grants permission to update a group. | Write | group * | - | - |
| iam:groups:deleteGroupV5 | Grants permission to delete a group. | Write | group * | - | - |
| iam:permissions:addUserToGroupV5 | Grants permission to add an IAM user to a group. | Write | group * | - | - |
| iam:permissions:removeUserFromGroupV5 | Grants permission to remove an IAM user from a group. | Write | group * | - | - |
| iam:policies:listV5 | Grants permission to list identity policies. | List | policy * | - | - |
| iam:policies:getV5 | Grants permission to retrieve information about an identity policy. | Read | policy * | - | - |
| iam:policies:createV5 | Grants permission to create a custom identity policy. | Permission_management | policy * | - | - |
| iam:policies:deleteV5 | Grants permission to delete a custom identity policy. | Permission_management | policy * | - | - |
| iam:policies:listVersionsV5 | Grants permission to list versions of an identity policy. | List | policy * | - | - |
| iam:policies:getVersionV5 | Grants permission to retrieve information about a version of an identity policy. | Read | policy * | - | - |
| iam:policies:createVersionV5 | Grants permission to create a new version of a custom identity policy. | Permission_management | policy * | - | - |
| iam:policies:deleteVersionV5 | Grants permission to delete a version of a custom identity policy. | Permission_management | policy * | - | - |
| iam:policies:setDefaultVersionV5 | Grants permission to set the default version of a custom identity policy. | Permission_management | policy * | - | - |
| iam:agencies:attachPolicyV5 | Grants permission to attach an identity policy to an agency or a trust agency. | Permission_management | agency * | g:ResourceTag/<tag-key> | - |
| | | | - | iam:PolicyURN | |
| iam:groups:attachPolicyV5 | Grants permission to attach an identity policy to a group. | Permission_management | group * | - | - |
| | | | - | iam:PolicyURN | |
| iam:users:attachPolicyV5 | Grants permission to attach an identity policy to an IAM user. | Permission_management | user * | g:ResourceTag/<tag-key> | - |
| | | | - | iam:PolicyURN | |
| iam:agencies:detachPolicyV5 | Grants permission to detach an identity policy from an agency or a trust agency. | Permission_management | agency * | g:ResourceTag/<tag-key> | - |
| | | | - | iam:PolicyURN | |
| iam:groups:detachPolicyV5 | Grants permission to detach an identity policy from a group. | Permission_management | group * | - | - |
| | | | - | iam:PolicyURN | |
| iam:users:detachPolicyV5 | Grants permission to detach an identity policy from an IAM user. | Permission_management | user * | g:ResourceTag/<tag-key> | - |
| | | | - | iam:PolicyURN | |
| iam:policies:listEntitiesV5 | Grants permission to list the entities an identity policy is attached to. | List | policy * | - | - |
| iam:agencies:listAttachedPoliciesV5 | Grants permission to list the identity policies attached to an agency or a trust agency. | List | agency * | g:ResourceTag/<tag-key> | - |
| iam:groups:listAttachedPoliciesV5 | Grants permission to list the identity policies attached to a group. | List | group * | - | - |
| iam:users:listAttachedPoliciesV5 | Grants permission to list the identity policies attached to an IAM user. | List | user * | g:ResourceTag/<tag-key> | - |
| iam:agencies:createServiceLinkedAgencyV5 | Grants permission to create a service-linked agency that allows a cloud service to perform actions on your behalf. | Write | agency * | - | - |
| | | | - | iam:ServicePrincipal | |
| iam:agencies:deleteServiceLinkedAgencyV5 | Grants permission to delete a service-linked agency. | Write | agency * | g:ResourceTag/<tag-key> | - |
| | | | - | iam:ServicePrincipal | |
| iam:agencies:getServiceLinkedAgencyDeletionStatusV5 | Grants permission to retrieve the deletion status of a service-linked agency. | Read | agency * | - | - |
| iam:agencies:listV5 | Grants permission to list agencies and trust agencies. | List | agency * | - | - |
| iam:agencies:getV5 | Grants permission to retrieve information about an agency or a trust agency. | Read | agency * | g:ResourceTag/<tag-key> | - |
| iam:agencies:createV5 | Grants permission to create a trust agency. | Write | agency * | - | - |
| iam:agencies:updateV5 | Grants permission to update a trust agency. | Write | agency * | g:ResourceTag/<tag-key> | - |
| iam:agencies:deleteV5 | Grants permission to delete a trust agency. | Write | agency * | g:ResourceTag/<tag-key> | - |
| iam:agencies:updateTrustPolicyV5 | Grants permission to update the trust policy of a trust agency. | Write | agency * | g:ResourceTag/<tag-key> | - |
| iam::listTagsForResourceV5 | Grants permission to list tags for a resource. | List | agency | g:ResourceTag/<tag-key> | - |
| | | | user | g:ResourceTag/<tag-key> | |
| iam::tagForResourceV5 | Grants permission to tag a resource. | Tagging | agency | g:ResourceTag/<tag-key> | - |
| | | | user | g:ResourceTag/<tag-key> | |
| | | | - | | |
| iam::untagForResourceV5 | Grants permission to untag a resource. | Tagging | agency | g:ResourceTag/<tag-key> | - |
| | | | user | g:ResourceTag/<tag-key> | |
| | | | - | | |
| iam::getAccountSummaryV5 | Grants permission to retrieve information about IAM entity usage and IAM quotas in the IAM account. | List | - | - | - |
| iam::getAsymmetricSignatureSwitchV5 | Grants permission to query the asymmetric signature switch status of the security token. | Read | - | - | - |
| iam::setAsymmetricSignatureSwitchV5 | Grants permission to set the asymmetric signature switch status of the security token. | Write | - | - | - |

Each IAM API usually corresponds to one or more actions. Table 2 lists the action each API requires and its dependencies.

Table 2 Actions and dependencies supported by IAM APIs

| API | Action | Dependencies |
|---|---|---|
| GET /v3.0/OS-CREDENTIAL/credentials | iam::listAccessKeys | - |
| POST /v3.0/OS-CREDENTIAL/credentials | iam::createAccessKey | - |
| GET /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam::getAccessKey | - |
| PUT /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam::updateAccessKey | - |
| DELETE /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam::deleteAccessKey | - |
| GET /v3.0/OS-QUOTA/domains/{domain_id} | iam:quotas:list | - |
| GET /v3.0/OS-QUOTA/projects/{project_id} | iam:quotas:listForProject | - |
| GET /v3/projects | iam:projects:list | - |
| POST /v3/projects | iam:projects:create | - |
| GET /v3/users/{user_id}/projects | iam:projects:listForUser | - |
| PATCH /v3/projects/{project_id} | iam:projects:update | - |
| PUT /v3-ext/projects/{project_id} | iam:projects:update | - |
| GET /v3/groups | iam:groups:list | - |
| POST /v3/groups | iam:groups:create | - |
| GET /v3/groups/{group_id} | iam:groups:get | - |
| DELETE /v3/groups/{group_id} | iam:groups:delete | - |
| PATCH /v3/groups/{group_id} | iam:groups:update | - |
| GET /v3/groups/{group_id}/users | iam:groups:listUsers | - |
| HEAD /v3/groups/{group_id}/users/{user_id} | iam:groups:checkUser | - |
| PUT /v3/groups/{group_id}/users/{user_id} | iam:groups:addUser | - |
| DELETE /v3/groups/{group_id}/users/{user_id} | iam:groups:removeUser | - |
| POST /v3.0/OS-USER/users | iam:users:create | - |
| GET /v3.0/OS-USER/users/{user_id} | iam:users:get | - |
| PUT /v3.0/OS-USER/users/{user_id} | iam:users:update | - |
| PUT /v3.0/OS-USER/users/{user_id}/info | iam:users:update | - |
| GET /v3/users | iam:users:list | - |
| POST /v3/users | iam:users:create | - |
| GET /v3/users/{user_id} | iam:users:get | - |
| DELETE /v3/users/{user_id} | iam:users:delete | - |
| PATCH /v3/users/{user_id} | iam:users:update | - |
| GET /v3/users/{user_id}/groups | iam:users:listGroups | - |
| GET /v3.0/OS-MFA/virtual-mfa-devices | iam:users:listVirtualMFADevices | - |
| POST /v3.0/OS-MFA/virtual-mfa-devices | iam:users:createVirtualMFADevice | - |
| DELETE /v3.0/OS-MFA/virtual-mfa-devices | iam:users:deleteVirtualMFADevice | - |
| GET /v3.0/OS-MFA/users/{user_id}/virtual-mfa-device | iam:users:getVirtualMFADevice | - |
| PUT /v3.0/OS-MFA/mfa-devices/bind | iam:users:bindVirtualMFADevice | - |
| PUT /v3.0/OS-MFA/mfa-devices/unbind | iam:users:unbindVirtualMFADevice | - |
| GET /v3.0/OS-USER/login-protects | iam:users:listLoginProtectSettings | - |
| GET /v3.0/OS-USER/users/{user_id}/login-protect | iam:users:getLoginProtectSetting | - |
| PUT /v3.0/OS-USER/users/{user_id}/login-protect | iam:users:updateLoginProtectSetting | - |
| GET /v3/OS-FEDERATION/identity_providers | iam:identityProviders:list | - |
| GET /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:get | - |
| PUT /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:create | - |
| DELETE /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:delete | - |
| PATCH /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:update | - |
| GET /v3/OS-FEDERATION/mappings | iam:identityProviders:listMappings | - |
| GET /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:getMapping | - |
| PUT /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:createMapping | - |
| DELETE /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:deleteMapping | - |
| PATCH /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:updateMapping | - |
| GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols | iam:identityProviders:listProtocols | - |
| GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:getProtocol | - |
| PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:createProtocol | - |
| DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:deleteProtocol | - |
| PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:updateProtocol | - |
| GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata | iam:identityProviders:getSAMLMetadata | - |
| POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata | iam:identityProviders:createSAMLMetadata | - |
| GET /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:getOIDCConfig | - |
| POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:createOIDCConfig | - |
| PUT /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:updateOIDCConfig | - |
| GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy | iam:securityPolicies:getProtectPolicy | - |
| PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy | iam:securityPolicies:updateProtectPolicy | - |
| GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy | iam:securityPolicies:getPasswordPolicy | - |
| PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy | iam:securityPolicies:updatePasswordPolicy | - |
| GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy | iam:securityPolicies:getLoginPolicy | - |
| PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy | iam:securityPolicies:updateLoginPolicy | - |
| GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy | iam:securityPolicies:getConsoleAclPolicy | - |
| PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy | iam:securityPolicies:updateConsoleAclPolicy | - |
| GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy | iam:securityPolicies:getApiAclPolicy | - |
| PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy | iam:securityPolicies:updateApiAclPolicy | - |
| GET /v3/roles | iam:roles:list | - |
| GET /v3/roles/{role_id} | iam:roles:get | - |
| GET /v3.0/OS-PERMISSION/role-assignments | iam::listRoleAssignments | - |
| GET /v3/domains/{domain_id}/groups/{group_id}/roles | iam:groups:listRolesOnDomain | - |
| GET /v3/projects/{project_id}/groups/{group_id}/roles | iam:groups:listRolesOnProject | - |
| PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:groups:grantRoleOnDomain | - |
| PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:groups:grantRoleOnProject | - |
| HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:groups:checkRoleOnDomain | - |
| HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:groups:checkRoleOnProject | - |
| GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects | iam:groups:listRoles | - |
| HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects | iam:groups:checkRole | - |
| DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects | iam:groups:revokeRole | - |
| DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:groups:revokeRoleOnDomain | - |
| DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | | |

iam:groups:revokeRoleOnProject

-

PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

iam:groups:grantRole

-

GET /v3.0/OS-ROLE/roles

iam:roles:list

-

GET /v3.0/OS-ROLE/roles/{role_id}

iam:roles:get

-

POST /v3.0/OS-ROLE/roles

iam:roles:create

-

PATCH /v3.0/OS-ROLE/roles/{role_id} | iam:roles:update | -
DELETE /v3.0/OS-ROLE/roles/{role_id} | iam:roles:delete | -
GET /v3.0/OS-AGENCY/agencies | iam:agencies:list | -
GET /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:get | -
POST /v3.0/OS-AGENCY/agencies | iam:agencies:create | -
PUT /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:update | -
DELETE /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:delete | -
GET /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles | iam:agencies:listRolesOnDomain | -
GET /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles | iam:agencies:listRolesOnProject | -
PUT /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:grantRoleOnDomain | -
PUT /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:grantRoleOnProject | -
HEAD /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:checkRoleOnDomain | -
HEAD /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:checkRoleOnProject | -
DELETE /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:revokeRoleOnDomain | -
DELETE /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:agencies:revokeRoleOnProject | -
GET /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/inherited_to_projects | iam:agencies:listRoles | -
PUT /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects | iam:agencies:grantRole | -
HEAD /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects | iam:agencies:checkRole | -
DELETE /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects | iam:agencies:revokeRole | -
GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups | iam::listGroupsAssignedEnterpriseProject | -
GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles | iam:groups:listRolesOnEnterpriseProject | -
PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id} | iam:groups:grantRoleOnEnterpriseProject | -
DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id} | iam:groups:revokeRoleOnEnterpriseProject | -
GET /v3.0/OS-PERMISSION/groups/{group_id}/enterprise-projects | iam:groups:listAssignedEnterpriseProjects | -
GET /v3.0/OS-PERMISSION/users/{user_id}/enterprise-projects | iam:users:listAssignedEnterpriseProjects | -
GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users | iam::listUsersAssignedEnterpriseProject | -
GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles | iam:users:listRolesOnEnterpriseProject | -
PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id} | iam:users:grantRoleOnEnterpriseProject | -
DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id} | iam:users:revokeRoleOnEnterpriseProject | -
PUT /v3.0/OS-PERMISSION/subjects/agency/scopes/enterprise-project/role-assignments | iam:agencies:grantRoleOnEnterpriseProject | -
DELETE /v3.0/OS-PERMISSION/subjects/agency/scopes/enterprise-project/role-assignments | iam:agencies:revokeRoleOnEnterpriseProject | -
GET /v5/asymmetric-signature-switch | iam::getAsymmetricSignatureSwitchV5 | -
PUT /v5/asymmetric-signature-switch | iam::setAsymmetricSignatureSwitchV5 | -
GET /v5/mfa-devices | iam:mfa:listMFADevicesV5 | -
POST /v5/virtual-mfa-devices | iam:mfa:createVirtualMFADeviceV5 | -
DELETE /v5/virtual-mfa-devices | iam:mfa:deleteVirtualMFADeviceV5 | -
POST /v5/mfa-devices/enable | iam:mfa:enableV5 | -
POST /v5/mfa-devices/disable | iam:mfa:disableV5 | -
GET /v5/password-policy | iam:securitypolicies:getPasswordPolicyV5 | -
PUT /v5/password-policy | iam:securitypolicies:updatePasswordPolicyV5 | -
GET /v5/login-policy | iam:securitypolicies:getLoginPolicyV5 | -
PUT /v5/login-policy | iam:securitypolicies:updateLoginPolicyV5 | -
GET /v5/users/{user_id}/access-keys | iam:credentials:listCredentialsV5 | -
GET /v5/users/{user_id}/access-keys/{access_key_id}/last-used | iam:credentials:showAccessKeyLastUsedV5 | -
POST /v5/users/{user_id}/access-keys | iam:credentials:createCredentialV5 | -
PUT /v5/users/{user_id}/access-keys/{access_key_id} | iam:credentials:updateCredentialV5 | -
DELETE /v5/users/{user_id}/access-keys/{access_key_id} | iam:credentials:deleteCredentialV5 | -
POST /v5/caller-password | iam:users:changePasswordV5 | -
GET /v5/users/{user_id}/login-profile | iam:users:showLoginProfileV5 | -
POST /v5/users/{user_id}/login-profile | iam:users:createLoginProfileV5 | -
PUT /v5/users/{user_id}/login-profile | iam:users:updateLoginProfileV5 | -
DELETE /v5/users/{user_id}/login-profile | iam:users:deleteLoginProfileV5 | -
GET /v5/users | iam:users:listUsersV5 | -
GET /v5/users/{user_id} | iam:users:getUserV5 | -
GET /v5/users/{user_id}/last-login | iam:users:showUserLastLoginV5 | -
POST /v5/users | iam:users:createUserV5 | -
PUT /v5/users/{user_id} | iam:users:updateUserV5 | -
DELETE /v5/users/{user_id} | iam:users:deleteUserV5 | -
GET /v5/groups | iam:groups:listGroupsV5 | -
GET /v5/groups/{group_id} | iam:groups:getGroupV5 | -
POST /v5/groups | iam:groups:createGroupV5 | -
PUT /v5/groups/{group_id} | iam:groups:updateGroupV5 | -
DELETE /v5/groups/{group_id} | iam:groups:deleteGroupV5 | -
POST /v5/groups/{group_id}/add-user | iam:permissions:addUserToGroupV5 | -
POST /v5/groups/{group_id}/remove-user | iam:permissions:removeUserFromGroupV5 | -
GET /v5/policies | iam:policies:listV5 | -
GET /v5/policies/{policy_id} | iam:policies:getV5 | -
POST /v5/policies | iam:policies:createV5 | -
DELETE /v5/policies/{policy_id} | iam:policies:deleteV5 | -
GET /v5/policies/{policy_id}/versions | iam:policies:listVersionsV5 | -
GET /v5/policies/{policy_id}/versions/{version_id} | iam:policies:getVersionV5 | -
POST /v5/policies/{policy_id}/versions | iam:policies:createVersionV5 | -
DELETE /v5/policies/{policy_id}/versions/{version_id} | iam:policies:deleteVersionV5 | -
POST /v5/policies/{policy_id}/versions/{version_id}/set-default | iam:policies:setDefaultVersionV5 | -
POST /v5/policies/{policy_id}/attach-agency | iam:agencies:attachPolicyV5 | -
POST /v5/policies/{policy_id}/attach-group | iam:groups:attachPolicyV5 | -
POST /v5/policies/{policy_id}/attach-user | iam:users:attachPolicyV5 | -
POST /v5/policies/{policy_id}/detach-agency | iam:agencies:detachPolicyV5 | -
POST /v5/policies/{policy_id}/detach-group | iam:groups:detachPolicyV5 | -
POST /v5/policies/{policy_id}/detach-user | iam:users:detachPolicyV5 | -
GET /v5/policies/{policy_id}/attached-entities | iam:policies:listEntitiesV5 | -
GET /v5/agencies/{agency_id}/attached-policies | iam:agencies:listAttachedPoliciesV5 | -
GET /v5/groups/{group_id}/attached-policies | iam:groups:listAttachedPoliciesV5 | -
GET /v5/users/{user_id}/attached-policies | iam:users:listAttachedPoliciesV5 | -
PUT /v5/service-linked-agencies | iam:agencies:createServiceLinkedAgencyV5 | -
DELETE /v5/service-linked-agencies/{agency_id} | iam:agencies:deleteServiceLinkedAgencyV5 | -
GET /v5/service-linked-agencies/deletion-task/{deletion_task_id} | iam:agencies:getServiceLinkedAgencyDeletionStatusV5 | -
GET /v5/agencies | iam:agencies:listV5 | -
GET /v5/agencies/{agency_id} | iam:agencies:getV5 | -
POST /v5/agencies | iam:agencies:createV5 | -
PUT /v5/agencies/{agency_id} | iam:agencies:updateV5 | -
DELETE /v5/agencies/{agency_id} | iam:agencies:deleteV5 | -
PUT /v5/agencies/{agency_id}/trust-policy | iam:agencies:updateTrustPolicyV5 | -
GET /v5/{resource_type}/{resource_id}/tags | iam::listTagsForResourceV5 | -
POST /v5/{resource_type}/{resource_id}/tags/create | iam::tagForResourceV5 | -
DELETE /v5/{resource_type}/{resource_id}/tags/delete | iam::untagForResourceV5 | -
GET /v5/account-summary | iam::getAccountSummaryV5 | -

Resources

A resource type indicates the resources that an identity policy applies to. If you specify a resource type for any action in Table 3, the resource URN must be specified in the identity policy statements using that action, and the identity policy applies only to resources of this type. If no resource type is specified, the Resource element is marked with an asterisk (*) and the identity policy applies to all resources. You can also set condition keys in an identity policy to define resource types.

The following table lists the resource types that you can define in identity policy statements for IAM.

Table 3 Resource types supported by IAM

Resource Type | URN
agency | iam::<account-id>:agency:<agency-name-with-path>
policy | iam::<account-id>:policy:<policy-name-with-path>
user | iam::<account-id>:user:<user-name>
mfa | iam::<account-id>:mfa:<mfa-name>
group | iam::<account-id>:group:<group-name>

Conditions

Condition Key Overview

A Condition element lets you specify conditions for when an identity policy is in effect. It contains condition keys and operators.

  • The condition key that you specify can be a global condition key or a service-specific condition key.
    • Global condition keys (with the g: prefix) apply to all actions. Cloud services do not need to provide user identity information. Instead, the system automatically obtains such information and authenticates users. For details, see Global Condition Keys.
    • Service-specific condition keys (prefixed with the service abbreviation and a colon, for example, iam:) apply only to operations of that service. For details, see Table 4.
    • The number of values associated with a condition key in the request context of an API call makes the condition key single-valued or multivalued. Single-valued condition keys have at most one value in the request context of an API call. Multivalued condition keys can have multiple values in the request context of an API call. For example, a request can originate from at most one VPC endpoint, so g:SourceVpce is a single-valued condition key. You can tag resources and include multiple tag key-value pairs in a request, so g:TagKeys is a multivalued condition key.
  • A condition operator, condition key, and a condition value together constitute a complete condition statement. An identity policy can be applied only when its request conditions are met. For supported condition operators, see operators.

Service-specific condition keys supported by IAM

The following table lists the condition keys that you can define in identity policies for IAM. You can include these condition keys to specify conditions for when your identity policy is in effect.

Table 4 Service-specific condition keys supported by IAM

Service-specific Condition Key | Type | Single-valued/Multivalued | Description
iam:PolicyURN | string | Single-valued | Filters access by the URN of an identity policy.
iam:ServicePrincipal | string | Single-valued | Filters access by the service principal of the cloud service to which this service-linked agency is passed.
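As an added example that is not part of this page, the following Python ties together the action names listed above, the agency and policy URN formats of Table 3, and the iam:PolicyURN condition key of Table 4 in one identity policy, then checks constructed requests against it with a simplified local evaluator (not the platform's own engine). The policy document layout (Version "5.0" with Statement, Effect, Action, Resource and Condition fields) and the StringEquals operator are assumptions; the account ID, agency path and policy name are constructed.

```python
import fnmatch
import json

# Constructed policy (assumed layout): the principal may attach or detach one
# specific custom policy on agencies under the "app/" path, may list attached
# policies anywhere, and may never change an agency trust policy.
POLICY = json.loads("""{
  "Version": "5.0",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:agencies:attachPolicyV5", "iam:agencies:detachPolicyV5"],
     "Resource": ["iam::123456789012:agency:app/*"],
     "Condition": {"StringEquals": {
       "iam:PolicyURN": "iam::123456789012:policy:app/ReadOnly"}}},
    {"Effect": "Allow", "Action": ["iam:agencies:listAttachedPoliciesV5"], "Resource": ["*"]},
    {"Effect": "Deny", "Action": ["iam:agencies:updateTrustPolicyV5"], "Resource": ["*"]}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition, context):
    # iam:PolicyURN is single-valued: the request context carries at most one value.
    # A key absent from the context fails StringEquals, which is why the list action
    # above sits in its own unconditioned statement instead of the first one.
    for key, wanted in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(wanted):
            return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified check of one request: an explicit Deny wins, otherwise Allow
    if some matching statement allows it, otherwise ImplicitDeny."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```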