Example Custom Identity Policies
Using a Custom Identity Policy with a System-defined Identity Policy for Multiple Cloud Services
If you want to assign FullAccessV5 permissions to a user but disallow them from accessing a specific service, such as Cloud Trace Service (CTS), you can create a custom identity policy for denying access to CTS and then attach this custom identity policy together with the FullAccessV5 policy to the IAM user. As an explicit deny in any policy overrides any allows, the principal can perform operations on all services except CTS.
Example identity policy denying access only to CTS:
{
"Version": "5.0",
"Statement": [
{
"Effect": "Deny",
"Action": [
"cts:*:*"
]
}
]
}
- "Action": indicates operations to be performed. Each action must be defined in the format "Service name:Resource type:Operation".
"cts:*:*": indicates operations on CTS. "*": indicates permissions for performing all operations on all types of resources.
- "Effect": determines whether to deny or allow the operations.
Using a Custom Identity Policy with a System-defined Identity Policy for a Specific Cloud Service
- If you want to assign full permissions for a specific cloud service, for example, Elastic Volume Service (EVS), to a user but disallow them from creating EVS disks, you can create a custom identity policy denying the evs:volumes:create action and then attach this custom identity policy together with the EVSFullAccessPolicy policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on EVS except creating EVS disks.
Example identity policy denying EVS disk creation:
{ "Version": "5.0", "Statement": [ { "Effect": "Deny", "Action": [ "evs:volumes:create" ] } ] }
- If you want to assign the permissions of the CBRReadOnlyPolicy policy to all IAM users but forbid certain users from deleting specific CBR vaults, for example, forbidding users whose names start with TestUser from deleting vaults whose names start with vault, you can create a custom identity policy denying that operation and attach both policies to the users. As an explicit deny in any policy overrides any allows, these users cannot delete vaults whose names start with vault, even if another attached policy allows cbr:vaults:delete.
Example identity policy disallowing users whose names start with TestUser from deleting vaults whose names start with vault:
{
"Version": "5.0",
"Statement": [
{
"Effect": "Deny",
"Action": [
"cbr:vaults:delete"
],
"Resource": [
"cbr:*:*:vault:vault*"
],
"Condition": {
"StringMatch": {
"g:UserName": [
"TestUser*"
]
}
}
}
]
}
Using a Custom Identity Policy Only
You can create a custom identity policy and attach only this policy to a user.
- The following is an example identity policy that allows access only to ECS, EVS, VPC, ELB, and AOM.
{ "Version": "5.0", "Statement": [{ "Effect": "Allow", "Action": [ "ecs:*:*", "evs:*:*", "vpc:*:*", "elb:*:*", "aom:*:*" ] }] }
- The following is an example identity policy that allows access to all services except for ECS, EVS, VPC, ELB, AOM, and APM.
{ "Version": "5.0", "Statement": [{ "Effect": "Allow", "NotAction": [ "ecs:*:*", "evs:*:*", "vpc:*:*", "elb:*:*", "aom:*:*", "apm:*:*" ] }] }
Allowing Access Based on Date and Time
This example shows how to create a custom identity policy that allows access to operations based on date and time. It allows the listed actions only for requests made between February 1, 2024 and March 1, 2024, inclusive (the window closes at 23:59:59 UTC on March 1).
When using this identity policy, replace the placeholder text (service-prefix:resource-name:action-name) with your own information. Then, follow the instructions in Creating a Custom Identity Policy or Modifying or Deleting a Custom Identity Policy.
For details about how to use multiple conditions in the Condition element of an IAM identity policy, see Identity Policy Grammar.
{
"Version": "5.0",
"Statement": [{
"Effect": "Allow",
"Action": [
"service-prefix:resource-name:action-name"
],
"Condition": {
"DateGreaterThan": {
"g:CurrentTime": [
"2024-02-01T00:00:00Z"
]
},
"DateLessThan": {
"g:CurrentTime": [
"2024-03-01T23:59:59Z"
]
}
}
}]
}
Allowing Specific Access Using MFA Within Specific Dates
This example shows how to create a custom identity policy that uses multiple conditions, which are evaluated using a logical AND. It allows full access to the service named service-prefix-1 and allows access to the actions action-name-a and action-name-b on the resource named resource-name-A in the service named service-prefix-2. These actions can be performed only between February 1, 2024, and March 1, 2024 by users who pass multi-factor authentication (MFA).
When using this identity policy, replace the placeholder text (service-prefix-1, service-prefix-2, resource-name-A, action-name-a, and action-name-b) with your own information. Then, follow the instructions in Creating a Custom Identity Policy or Modifying or Deleting a Custom Identity Policy.
{
"Version": "5.0",
"Statement": [{
"Effect": "Allow",
"Action": [
"service-prefix-1:*:*",
"service-prefix-2:resource-name-A:action-name-a",
"service-prefix-2:resource-name-A:action-name-b"
],
"Condition": {
"Bool": {
"g:MFAPresent": [
"true"
]
},
"DateGreaterThan": {
"g:CurrentTime": [
"2024-02-01T00:00:00Z"
]
},
"DateLessThan": {
"g:CurrentTime": [
"2024-03-01T23:59:59Z"
]
}
}
}]
}
Denying Access to Huawei Cloud Based on the Source IP Address
This example denies all actions in the account when the request comes from a source IP address outside the specified ranges. It is useful when your company's egress IP addresses fall within those ranges. In this example, only requests from 192.0.2.0/24 or 10.27.128.0/24 escape the deny.
Exercise caution when using negative condition operators, such as NotIpAddress, in identity policy statements that contain "Effect": "Deny": the listed actions are explicitly denied whenever the negative condition holds. This identity policy grants nothing by itself. Attach it together with identity policies that allow the actions you need under the conditions you need; with such an allow in place, principals can make requests from within the listed ranges, and a request from outside them is denied. Huawei Cloud services may also make requests using the principal's credentials on the principal's behalf.
For details about using the g:SourceIp condition key, and about the cases in which g:SourceIp is not available and this policy therefore does not take effect, see Identity Policy Grammar.
{
"Version": "5.0",
"Statement": [{
"Effect": "Deny",
"Action": [
"*:*:*"
],
"Condition": {
"NotIpAddress": {
"g:SourceIp": [
"192.0.2.0/24",
"10.27.128.0/24"
]
}
}
}]
}
Denying Access to Huawei Cloud Based on the Requested Region
This example uses the g:RequestedRegion condition key to create a custom identity policy that denies any action unless the request is made to one of the specified regions (the key reflects the region the request targets, not where the request originates). This identity policy defines permissions for programmatic access and console access. In this example, requests to any region other than ap-southeast-1, cn-north-1, or cn-north-4 are denied.
When using this identity policy, replace the placeholder region names with your own. Then, follow the instructions in Creating a Custom Identity Policy or Modifying or Deleting a Custom Identity Policy.
{
"Version": "5.0",
"Statement": [{
"Effect": "Deny",
"Action": [
"*:*:*"
],
"Condition": {
"StringNotEquals": {
"g:RequestedRegion": [
"ap-southeast-1",
"cn-north-1",
"cn-north-4"
]
}
}
}]
}
Denying Access to Huawei Cloud Resources in Other Accounts
This example creates a custom identity policy that denies access to any resource owned by an account other than your own, by comparing the g:ResourceAccount condition key with your account ID.
When using this identity policy, replace the placeholder account ID 111122223333 with your own account ID. Then, follow the instructions in Creating a Custom Identity Policy or Modifying or Deleting a Custom Identity Policy.
{
"Version": "5.0",
"Statement": [{
"Effect": "Deny",
"Action": [
"*:*:*"
],
"Condition": {
"StringNotEquals": {
"g:ResourceAccount": [
"111122223333"
]
}
}
}]
}
Denying Access to Huawei Cloud Resources from Non-specified IAM Users
This example creates a custom identity policy that denies access to Huawei Cloud resources from any IAM user other than the specified one. This identity policy defines permissions for programmatic access and console access. In this example, a request is denied unless it comes from the IAM user whose ID is 111122223333.
When using this identity policy, replace the placeholder user ID 111122223333 with the ID of your own IAM user. Then, follow the instructions in Creating a Custom Identity Policy or Modifying or Deleting a Custom Identity Policy.
{
"Version": "5.0",
"Statement": [{
"Effect": "Deny",
"Action": [
"*:*:*"
],
"Condition": {
"StringNotEquals": {
"g:UserId": [
"111122223333"
]
}
}
}]
}
Allowing or Denying Access to Multiple Services
This example creates an identity policy that allows access to multiple services while limiting access to IAM. This identity policy defines permissions for programmatic access and console access.
When using this identity policy, replace the configuration in the example identity policy with your own information. Then, follow the instructions in Creating a Custom Identity Policy or Modifying or Deleting a Custom Identity Policy.
This example identity policy grants limited read-only permissions for IAM and full permissions for STS, and denies every ECS action on the capacity reservation named example123: the Deny statement's Action is ecs:*:*, but its Resource element restricts it to that one resource, so other ECS resources are unaffected by the deny.
{
"Version": "5.0",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:securitypolicies:getPasswordPolicyV5",
"iam:securitypolicies:getLoginPolicyV5",
"iam:credentials:showAccessKeyLastUsedV5",
"iam:users:showLoginProfileV5",
"iam:users:getUserV5",
"iam:users:showUserLastLoginV5",
"iam:groups:getGroupV5",
"iam:policies:getV5",
"iam:policies:getVersionV5",
"iam:agencies:getServiceLinkedAgencyDeletionStatusV5",
"iam:agencies:getV5",
"iam::getAsymmetricSignatureSwitchV5"
]
},
{
"Effect": "Allow",
"Action": [
"STS:*:*"
]
},
{
"Effect": "Deny",
"Action": [
"ecs:*:*"
],
"Resource": [
"ecs:*:*:capacityReservations:example123"
]
}
]
}
Adding a Specific Tag to a User with a Specific Tag
This example creates a custom identity policy that allows adding the tag key Department with the tag value Marketing, Development, or QualityAssurance to an IAM user. The IAM user must already have the tag key-value pair JobFunction=Manager. You can use this identity policy to require that a manager belong to exactly one of the three departments. This identity policy defines permissions for programmatic access and console access.
When using this identity policy, replace the configuration in the example identity policy with your own information. Then, follow the instructions in Creating a Custom Identity Policy or Modifying or Deleting a Custom Identity Policy.
The iam::tagForResourceV5 action grants permission to set resource tags for all IAM users in your account.
The first condition uses the ForAllValues:StringEquals condition operator. It returns true only if every tag key in the request matches a key listed in the identity policy, so the request may carry the Department tag key and no other tag key. For more information about using ForAllValues, see the descriptions about ForAllValues in multivalued condition keys.
The second condition uses the StringEquals condition operator. It returns true only if both of its parts are true: the user being tagged must already have the JobFunction=Manager tag, and the request must include the Department tag key with one of the listed tag values.
The iam::listTagsForResourceV5 action grants permission to list resource tags for all IAM users in your account.
{
"Version": "5.0",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam::tagForResourceV5"
],
"Condition": {
"ForAllValues:StringEquals": {
"g:TagKeys": [
"Department"
]
},
"StringEquals": {
"g:ResourceTag/JobFunction": [
"Manager"
],
"g:RequestTag/Department": [
"Marketing",
"Development",
"QualityAssurance"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"iam::listTagsForResourceV5"
]
}
]
}
Managing a Specific Tag
This example shows how to create a custom identity policy that allows IAM principals (IAM users and trust agencies) to add and remove IAM tags with the Department tag key. This identity policy does not limit the value of the Department tag.
When using this identity policy, replace the configuration in the example identity policy with your own information. Then, follow the instructions in Creating a Custom Identity Policy or Modifying or Deleting a Custom Identity Policy.
{
"Version": "5.0",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam::tagForResourceV5",
"iam::untagForResourceV5"
],
"Condition": {
"ForAllValues:StringEquals": {
"g:TagKeys": [
"Department"
]
}
}
}]
}
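The Condition blocks from the date, MFA, source-IP, region and tag examples above, run through a small condition interpreter so the AND-across-operators, OR-across-values and ForAllValues behaviour can be checked against concrete requests. This is an added example written for this page, not Huawei Cloud's policy engine or any of its code. The request contexts are constructed; the handling of a key that is missing from the request, and of a ForAllValues block whose key carries no values, are stated assumptions to confirm against Identity Policy Grammar.

```python
"""Interpreter for the Condition blocks used on this page.

Added example, not Huawei Cloud code. Operators modelled: Bool,
DateGreaterThan, DateLessThan, IpAddress, NotIpAddress, StringEquals,
StringNotEquals and the ForAllValues: set prefix. The request context is
a dict keyed by condition key (g:CurrentTime, g:SourceIp, ...).
Assumptions: operator blocks and keys are ANDed, the values listed for a
key are ORed, a key missing from the request fails a plain operator, and
a ForAllValues block passes when the request carries no values for its key.
"""
import ipaddress
from datetime import datetime, timezone


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _utc(stamp):
    """Parse an ISO 8601 timestamp such as 2024-02-01T00:00:00Z (Python 3.7+)."""
    return datetime.fromisoformat(str(stamp).replace("Z", "+00:00")).astimezone(timezone.utc)


def _match(op, actual, expected):
    """One operator applied to one request value and the policy's list of values."""
    actual = str(actual)
    if op == "StringEquals":
        return actual in expected
    if op == "StringNotEquals":
        return actual not in expected
    if op == "Bool":
        return actual.lower() in [e.lower() for e in expected]
    if op == "DateGreaterThan":
        return any(_utc(actual) > _utc(e) for e in expected)
    if op == "DateLessThan":
        return any(_utc(actual) < _utc(e) for e in expected)
    if op == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(e) for e in expected)
    if op == "NotIpAddress":
        return not _match("IpAddress", actual, expected)
    raise NotImplementedError(f"{op} is not modelled in this example")


def conditions_met(condition, ctx):
    """True only if every operator block, and every key inside it, is satisfied."""
    for op, keys in condition.items():
        if op.startswith("ForAllValues:"):
            prefix, base = "ForAllValues", op.split(":", 1)[1]
        else:
            prefix, base = "", op
        for key, expected in keys.items():
            expected = [str(e) for e in _as_list(expected)]
            if prefix == "ForAllValues":
                # Every value the request supplies for this key must match a policy value.
                if not all(_match(base, v, expected) for v in _as_list(ctx.get(key, []))):
                    return False
            elif key not in ctx or not _match(base, ctx[key], expected):
                return False
    return True


# Condition blocks copied from the policies on this page.
MFA_IN_WINDOW = {
    "Bool": {"g:MFAPresent": ["true"]},
    "DateGreaterThan": {"g:CurrentTime": ["2024-02-01T00:00:00Z"]},
    "DateLessThan": {"g:CurrentTime": ["2024-03-01T23:59:59Z"]},
}
OUTSIDE_CORP_RANGES = {"NotIpAddress": {"g:SourceIp": ["192.0.2.0/24", "10.27.128.0/24"]}}
OUTSIDE_ALLOWED_REGIONS = {
    "StringNotEquals": {"g:RequestedRegion": ["ap-southeast-1", "cn-north-1", "cn-north-4"]}}
MANAGER_DEPARTMENT_TAG = {
    "ForAllValues:StringEquals": {"g:TagKeys": ["Department"]},
    "StringEquals": {
        "g:ResourceTag/JobFunction": ["Manager"],
        "g:RequestTag/Department": ["Marketing", "Development", "QualityAssurance"],
    },
}

if __name__ == "__main__":
    # Constructed request contexts. For the Deny policies, True means the deny applies.
    print(conditions_met(MFA_IN_WINDOW, {"g:MFAPresent": True, "g:CurrentTime": "2024-02-15T12:00:00Z"}))   # True
    print(conditions_met(MFA_IN_WINDOW, {"g:MFAPresent": False, "g:CurrentTime": "2024-02-15T12:00:00Z"}))  # False
    print(conditions_met(OUTSIDE_CORP_RANGES, {"g:SourceIp": "203.0.113.5"}))   # True: request denied
    print(conditions_met(OUTSIDE_CORP_RANGES, {"g:SourceIp": "10.27.128.77"}))  # False: deny does not apply
    print(conditions_met(MANAGER_DEPARTMENT_TAG, {"g:TagKeys": ["Department", "Owner"],
                                                  "g:ResourceTag/JobFunction": "Manager",
                                                  "g:RequestTag/Department": "Marketing"}))  # False
```

The last call is the ForAllValues edge case from the tagging example: a request that adds Department together with any other tag key fails the first condition even though the Department value itself is permitted. Under the stated assumption about missing keys, a request carrying no g:SourceIp is not denied by OUTSIDE_CORP_RANGES, which is the practical reason the source-IP deny should be paired with the checks described in Identity Policy Grammar.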
Allowing Users to Set Account Password Policies
This example shows how to create a custom identity policy that allows IAM users to view and update the account password policy, which covers the minimum password length, the maximum number of consecutive identical characters in a password, and whether previously used passwords are disallowed.
For details about how to set a password policy, see Password Policy.
{
"Version": "5.0",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:securitypolicies:getPasswordPolicyV5",
"iam:securitypolicies:updatePasswordPolicyV5"
]
}]
}