IBM Cloud API Docs

Introduction

Last updated: 2023-09-08

With the IBM Cloud® Identity and Access Management (IAM) Policy Management API, you can create, update, view, and delete IAM policies. An IAM policy enables a subject to access a resource. These policies are used in access decisions when you call APIs for IAM-enabled services. For more information about how access management works, see Managing access in IBM Cloud.

There are three primary values in a policy: a subject, roles, and resources.

The subject is who or what is being granted access. The subject can be an IAM ID or an access group ID. The IAM ID is the ID of the entity that you are giving access to. The value can be a user or a service ID. The access group ID is the ID of the access group. An access group contains a set of users or service IDs. Access groups are the preferred method of managing access control. For more information, see Setting up access groups.

The following table shows the example formats for the supported subject types:

Type Attribute name Attribute value
User iam_id IBMid-123456...
Service ID iam_id iam-ServiceId-12345...
Access group access_group_id AccessGroupId-12345...

The second value in a policy in the role. A role is a collection of actions that can be taken on a resource. There are platform, service, and custom roles. For more information, see IAM roles. And, the final value of the policy is the targeted resources whether it's an entire service, resource group, or specific service instance.

Two types of policies are supported: access policies and authorization policies. For more information, see Create a policy.

With policy templates and assignments you can centrally manage the policies for child accounts in your organization from the root enterprise account. For more information, see Working with template versions and Best practices for assigning access in an enterprise.

SDKs for Java, Node, Python, and Go are available to make it easier to programmatically access the API from your code. The client libraries that are provided by the SDKs implement best practices for using the API and reduce the amount of code that you need to write. The tab for each language includes code examples that demonstrate how to use the client libraries. For more information about using the SDKs, see the IBM Cloud SDK Common project on GitHub.

Installing the Go SDK

Go modules (recommended): Add the following import in your code, and then run go build or go mod tidy

import (
	"github.com/IBM/platform-services-go-sdk/iampolicymanagementv1"
)

Go get

go get -u github.com/IBM/platform-services-go-sdk/iampolicymanagementv1

View on GitHub

https://github.com/IBM/platform-services-go-sdk

Installing the Java SDK

Maven

<dependency>
	<groupId>com.ibm.cloud</groupId>
	<artifactId>iam-policy-management</artifactId>
	<version>{version}</version>
</dependency>

Gradle

compile 'com.ibm.cloud:iam-policy-management:{version}'

Replace {version} in these examples with the release version.

View on GitHub

https://github.com/IBM/platform-services-java-sdk

Installing the Node SDK

npm install ibm-platform-services

View on GitHub

https://github.com/IBM/platform-services-node-sdk

Installing the Python SDK

pip install --upgrade "ibm-platform-services"

View on GitHub

https://github.com/IBM/platform-services-python-sdk

Endpoint URLs

The IAM Policy Management API uses the following public global endpoint URL. When you call the API, add the path for each method to form the complete API endpoint for your requests.

https://iam.cloud.ibm.com

If you enabled service endpoints in your account, you can send API requests over the IBM Cloud private network at the following base endpoint URLs. For more information, see Enabling VRF and service endpoints.

  • Private endpoint URL for VPC infrastructure: https://private.iam.cloud.ibm.com
  • Private endpoint URLs for classic infrastructure:
    • Dallas: https://private.us-south.iam.cloud.ibm.com
    • Washington DC: https://private.us-east.iam.cloud.ibm.com

Authentication

Authorization to the IAM Policy Management API is enforced by using an IBM Cloud IAM access token. The token is used to to determine the actions that a user or service ID has access to when they use the API.

Obtaining an IAM token for an authenticated user or service ID is described in the IAM Identity Services API documentation.

To use the API, add a valid IAM token to the HTTP Authorization request header, for example, -H 'Authorization: Bearer <TOKEN>'.

When you use the SDK, configure an IAM authenticator with the IAM API key. The authenticator automatically obtains the IAM access token for the API key and includes it with each request. You can construct an authenticator in either of two ways:

  • Programmatically by constructing an IAM authenticator instance and supplying your IAM API key
  • By defining the API key in external configuration properties and then using the SDK authenticator factory to construct an IAM authenticator that uses the configured IAM API key

In this example of using external configuration properties, an IAM authenticator instance is created with the configured API key, and then the service client is constructed with this authenticator instance and the configured service URL.

For more information, see the Authentication section of the IBM Cloud SDK Common documentation.

Any access, such as IAM actions, that is required to call a method is listed per individual method. The IAM actions associated with basic tasks for working with policies, including create, update, and delete actions, are inherited by the platform roles that can be assigned for each IAM-enabled service. For more information about the required IAM actions for custom roles and how they map to the access roles, see the list of actions and roles for the role management service.

To retrieve your access token:

curl -X POST    "https://iam.cloud.ibm.com/identity/token"    --header 'Content-Type: application/x-www-form-urlencoded'    --header 'Accept: application/json'    --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey'    --data-urlencode 'apikey=<API_KEY>'

Replace <API_KEY> with your IAM API key.

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_POLICY_MANAGEMENT_URL=<SERVICE_URL>
export IAM_POLICY_MANAGEMENT_AUTHTYPE=iam
export IAM_POLICY_MANAGEMENT_APIKEY=<API_KEY>

Example of constructing the service client

import {
    "github.com/IBM/platform-services-go-sdk/iampolicymanagementv1"
}
...
serviceClientOptions := &iampolicymanagementv1.IamPolicyManagementV1Options{}
serviceClient, err := iampolicymanagementv1.NewIamPolicyManagementV1UsingExternalConfig(serviceClientOptions)

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_POLICY_MANAGEMENT_URL=<SERVICE_URL>
export IAM_POLICY_MANAGEMENT_AUTHTYPE=iam
export IAM_POLICY_MANAGEMENT_APIKEY=<API_KEY>

Example of constructing the service client

import com.ibm.cloud.platform_services.iam_policy_management.v1.IamPolicyManagement;
...
IamPolicyManagement serviceClient = IamPolicyManagement.newInstance();

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_POLICY_MANAGEMENT_URL=<SERVICE_URL>
export IAM_POLICY_MANAGEMENT_AUTHTYPE=iam
export IAM_POLICY_MANAGEMENT_APIKEY=<API_KEY>

Example of constructing the service client

const IamPolicyManagementV1 = require('ibm-platform-services/iam-policy-management/v1');
...
const serviceClient = IamPolicyManagementV1.newInstance({});

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_POLICY_MANAGEMENT_URL=<SERVICE_URL>
export IAM_POLICY_MANAGEMENT_AUTHTYPE=iam
export IAM_POLICY_MANAGEMENT_APIKEY=<API_KEY>

Example of constructing the service client

from ibm_platform_services import IamPolicyManagementV1
...
service_client = IamPolicyManagementV1.new_instance()

Auditing

You can monitor API activity within your account by using the IBM Cloud® Activity Tracker service. You can track when specific API methods are called by reviewing generated events in Activity Tracker.

If an event is tracked for a method, you can find it listed with the method. For more information about how to track IAM activity, see Auditing events for IAM.

Error handling

The Policy Management APIs return standard HTTP status codes to indicate the success or failure of a request. The format of the response is represented in JSON as follows:

{
    "trace": "cd4f7573121a4cf99f0079f8482b3d6b",
    "errors": [
        {
            "code": "invalid_token",
            "message": "The provided IAM token is invalid."
        }
    ],
    "status_code": 401
}

If an operation cannot be fulfilled, an appropriate 400 or 500 series HTTP response is returned from the server. The operations that are defined in the Reference section describe example errors that can be returned from a failed request. All responses from the IAM Policy Management API are in the JSON format.

Here are potential error codes that the API can return.

HTTP Error Code Description Recovery
200 Success The request was successful.
201 Created The resource was successfully created.
204 No Content The request was successful. No response body is provided.
400 Bad Request The input parameters in the request body are either incomplete or in the wrong format. Be sure to include all required parameters in your request.
401 Unauthorized You are not authorized to make this request. The token is either invalid, missing or expired. Get a new valid token and try again.
403 Forbidden The token is valid, but the subject of the token is not authorized to perform the operation. If this error persists, contact the account owner to check your permissions.
404 Not Found The requested resource can't be found.
409 Conflict The entity is already in the requested state.
415 Unsupported Media Type Request body sent was formatted by using an unsupported media type.
429 Too Many Requests Too many requests have been made within a given time window. Wait the time in seconds indicated in the Retry-After response header before calling the API again.
500 Service Unavailable IAM Policy Management Point is currently unavailable. Your request can't be processed. Wait a few minutes and try again.

Additional headers

Some additional headers might be required to make successful requests to the API. Those additional headers are:

Transaction-Id

An optional transaction ID can be passed to your request, which can be useful for tracking calls through multiple services by using one identifier. The header key must be set to Transaction-Id and the value is anything that you choose.

If no transaction ID is passed in, then a random ID is generated.

Sorting

Sorting is available on the policies listing APIs. Use a sort query parameter set to the field name you want the results sorted by. All the top level policy fields are supported.

To reverse sort, add a - prefix to the field name.

For example, for the GET /v1/policies endpoint, a query parameter of sort=last_modified_at sorts the returned policies in ascending date and time order by last_modified_at. Meanwhile a query parameter of sort=-last_modified_at returns the policies in descending date and time order by last_modified_at.

Policy data enrichment

Currently two options are available: display and include_last_permit. By including query parameter format=display, the API returns the list of all actions included in each of the policy roles.

"roles": [
            {
              "role_id": "crn:v1:bluemix:public:iam::::role:Administrator",
              "display_name": "Administrator",
              "description": "Administrators can change object metadata or visibility for private services added to the account and can restrict the visibility of a public service.",
              "actions": [
                {
                  "id": "global-search-tagging.resource.read",
                  "displayName": "Find cloud resources",
                  "description": "The ability to find the resource using Global Search and Tagging search API."
                },
                {
                  "id": "iam.policy.read",
                  "displayName": "IAM Policy Read",
                  "description": "The ability to see policies."
                },
                {
                  "id": "iam.policy.create",
                  "displayName": "IAM Policy Create",
                  "description": "The ability to create policies."
                }
              ]
            }
          ],

Including the query parameter format=include_last_permit returns details of when the policy last granted a permit decision and the number of times it has done so.

{
   "id": "03b5696c-6844-430f-a3b1-8f2d0de53218",
   "type": "access",
   "subjects": ...,
   "roles": ...,
   "resources": ...,
   "last_permit_at": "2020-10-16T22:17:40.832Z",
   "last_permit_frequency": 18
},

This data is provided for informational purposes only. The last permit data only include records begining from end of October 2020.

Rate limiting

A response with status 429 Too Many Requests is returned if too many requests are made within a time window. The response includes a Retry-After header to indicate the time in seconds to wait before sending the next request.

Related APIs

When you work with the Policy Management API, it might be helpful to be aware of other IAM services. See Identity Services to learn about API key, service ID, and token creation. See Access groups to create groups and manage memberships.

Methods

Get policies by attributes

Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.

Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.

Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.

Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.

Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.

GET /v1/policies
(iamPolicyManagement *IamPolicyManagementV1) ListPolicies(listPoliciesOptions *ListPoliciesOptions) (result *PolicyCollection, response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) ListPoliciesWithContext(ctx context.Context, listPoliciesOptions *ListPoliciesOptions) (result *PolicyCollection, response *core.DetailedResponse, err error)
ServiceCall<PolicyCollection> listPolicies(ListPoliciesOptions listPoliciesOptions)
listPolicies(params)
list_policies(
        self,
        account_id: str,
        *,
        accept_language: Optional[str] = None,
        iam_id: Optional[str] = None,
        access_group_id: Optional[str] = None,
        type: Optional[str] = None,
        service_type: Optional[str] = None,
        tag_name: Optional[str] = None,
        tag_value: Optional[str] = None,
        sort: Optional[str] = None,
        format: Optional[str] = None,
        state: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

  • iam.policy.read

Auditing

Calling this method generates the following auditing event.

  • iam-am.policy.read

Request

Instantiate the ListPoliciesOptions struct and set the fields to provide parameter values for the ListPolicies method.

Use the ListPoliciesOptions.Builder to create a ListPoliciesOptions object that contains the parameter values for the listPolicies method.

Custom Headers

  • Accept-Language
    string

    Language code for translations

    • default - English
    • de - German (Standard)
    • en - English
    • es - Spanish (Spain)
    • fr - French (Standard)
    • it - Italian (Standard)
    • ja - Japanese
    • ko - Korean
    • pt-br - Portuguese (Brazil)
    • zh-cn - Chinese (Simplified, PRC)
    • zh-tw - (Chinese, Taiwan)

    Possible values: length ≥ 1

    Default: default

Query Parameters

  • account_id
    Required*
    string

    The account GUID that the policies belong to.

  • iam_id
    string

    Optional IAM ID used to identify the subject.

  • access_group_id
    string

    Optional access group id.

  • type
    string

    Optional type of policy.

    Allowable values: [access,authorization]

  • service_type
    string

    Optional type of service.

    Allowable values: [service,platform_service]

  • tag_name
    string

    Optional name of the access tag in the policy.

  • tag_value
    string

    Optional value of the access tag in the policy.

  • sort
    string

    Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field. Example '-last_modified_at'

    Allowable values: [id,type,href,created_at,created_by_id,last_modified_at,last_modified_by_id,state]

  • format
    string

    Include additional data per policy returned

    • include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
    • display - returns the list of all actions included in each of the policy roles

    Allowable values: [include_last_permit,display]

  • state
    string

    The state of the policy.

    • active - returns active policies
    • deleted - returns non-active policies

    Allowable values: [active,deleted]

  • limit
    integer

    The number of documents to include in collection.

    Possible values: 1 ≤ value ≤ 100

    Default: 50

  • start
    string

    Page token that refers to the page of collection to return.

    Possible values: 9 ≤ length ≤ 100, Value must match regular expression ^[-A-Za-z0-9+/]*$

parameter

WithContext method only

ListPoliciesOptions

The ListPolicies options.

ListPoliciesOptions

The listPolicies options.

parameters

  • accountId
    Required*
    string

    The account GUID that the policies belong to.

  • acceptLanguage
    string

    Language code for translations

    • default - English
    • de - German (Standard)
    • en - English
    • es - Spanish (Spain)
    • fr - French (Standard)
    • it - Italian (Standard)
    • ja - Japanese
    • ko - Korean
    • pt-br - Portuguese (Brazil)
    • zh-cn - Chinese (Simplified, PRC)
    • zh-tw - (Chinese, Taiwan).

    Possible values: length ≥ 1

    Default: default

  • iamId
    string

    Optional IAM ID used to identify the subject.

  • accessGroupId
    string

    Optional access group id.

  • type
    string

    Optional type of policy.

    Allowable values: [access,authorization]

  • serviceType
    string

    Optional type of service.

    Allowable values: [service,platform_service]

  • tagName
    string

    Optional name of the access tag in the policy.

  • tagValue
    string

    Optional value of the access tag in the policy.

  • sort
    string

    Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field. Example '-last_modified_at'.

    Allowable values: [id,type,href,created_at,created_by_id,last_modified_at,last_modified_by_id,state]

  • format
    string

    Include additional data per policy returned

    • include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
    • display - returns the list of all actions included in each of the policy roles.

    Allowable values: [include_last_permit,display]

  • state
    string

    The state of the policy.

    • active - returns active policies
    • deleted - returns non-active policies.

    Allowable values: [active,deleted]

parameters

  • account_id
    Required*
    str

    The account GUID that the policies belong to.

  • accept_language
    str

    Language code for translations

    • default - English
    • de - German (Standard)
    • en - English
    • es - Spanish (Spain)
    • fr - French (Standard)
    • it - Italian (Standard)
    • ja - Japanese
    • ko - Korean
    • pt-br - Portuguese (Brazil)
    • zh-cn - Chinese (Simplified, PRC)
    • zh-tw - (Chinese, Taiwan).

    Possible values: length ≥ 1

    Default: default

  • iam_id
    str

    Optional IAM ID used to identify the subject.

  • access_group_id
    str

    Optional access group id.

  • type
    str

    Optional type of policy.

    Allowable values: [access,authorization]

  • service_type
    str

    Optional type of service.

    Allowable values: [service,platform_service]

  • tag_name
    str

    Optional name of the access tag in the policy.

  • tag_value
    str

    Optional value of the access tag in the policy.

  • sort
    str

    Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field. Example '-last_modified_at'.

    Allowable values: [id,type,href,created_at,created_by_id,last_modified_at,last_modified_by_id,state]

  • format
    str

    Include additional data per policy returned

    • include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
    • display - returns the list of all actions included in each of the policy roles.

    Allowable values: [include_last_permit,display]

  • state
    str

    The state of the policy.

    • active - returns active policies
    • deleted - returns non-active policies.

    Allowable values: [active,deleted]

  • curl -X GET 'https://iam.cloud.ibm.com/v1/policies?account_id=$ACCOUNT_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
  • options := iamPolicyManagementService.NewListPoliciesOptions(
  exampleAccountID,
)
options.SetIamID(exampleUserID)
options.SetFormat("include_last_permit")

policyList, response, err := iamPolicyManagementService.ListPolicies(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyList, "", "  ")
fmt.Println(string(b))
  • ListPoliciesOptions options = new ListPoliciesOptions.Builder()
        .accountId(exampleAccountId)
        .iamId(EXAMPLE_USER_ID)
        .format("include_last_permit")
        .build();

Response<PolicyCollection> response = service.listPolicies(options).execute();
PolicyCollection policyCollection = response.getResult();

System.out.println(policyCollection);
  • const params = {
  accountId: exampleAccountId,
  iamId: exampleUserId,
  format: 'include_last_permit',
};

try {
  const res = await iamPolicyManagementService.listPolicies(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
  • policy_list = iam_policy_management_service.list_policies(
  account_id=example_account_id, iam_id=example_user_id, format='include_last_permit'
).get_result()

print(json.dumps(policy_list, indent=2))

Response

Response Body

PolicyCollection

A collection of policies.

PolicyCollection

A collection of policies.

PolicyCollection

A collection of policies.

PolicyCollection

A collection of policies.

PolicyCollection

A collection of policies.

Status Code

  • 200

    Policies retrieval successful.

  • 400

    The request you made is not valid.

  • 401

    The token you provided is not valid.

  • 406

    The requested resource(s) cannot be formatted using the requested media type(s).

  • 429

    Too many requests have been made within a given time window.

Example responses
  • {
  "policies": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "type": "access",
      "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
      "subjects": [
        {
          "attributes": [
            {
              "name": "iam_id",
              "value": "IBMid-123453user"
            }
          ]
        }
      ],
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ],
      "resources": [
        {
          "attributes": [
            {
              "name": "accountId",
              "value": "ACCOUNT_ID",
              "operator": "stringEquals"
            },
            {
              "name": "serviceName",
              "value": "SERVICE_NAME",
              "operator": "stringEquals"
            }
          ]
        }
      ],
      "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "state": "active"
    }
  ]
}
  • {
  "policies": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "type": "access",
      "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
      "subjects": [
        {
          "attributes": [
            {
              "name": "iam_id",
              "value": "IBMid-123453user"
            }
          ]
        }
      ],
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ],
      "resources": [
        {
          "attributes": [
            {
              "name": "accountId",
              "value": "ACCOUNT_ID",
              "operator": "stringEquals"
            },
            {
              "name": "serviceName",
              "value": "SERVICE_NAME",
              "operator": "stringEquals"
            }
          ]
        }
      ],
      "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "state": "active"
    }
  ]
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}

Create a policy

Creates a policy to grant access between a subject and a resource. There are two types of policies: access and authorization. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and setup access between services.

Access

To create an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. The IAM Services group (IAM) is a subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes may support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. There are two types of policies: access and authorization. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and setup access between services.

Access

To create an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. The IAM Services group (IAM) is a subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes may support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. There are two types of policies: access and authorization. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and setup access between services.

Access

To create an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. The IAM Services group (IAM) is a subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes may support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. There are two types of policies: access and authorization. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and setup access between services.

Access

To create an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. The IAM Services group (IAM) is a subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes may support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. There are two types of policies: access and authorization. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and setup access between services.

Access

To create an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. The IAM Services group (IAM) is a subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes may support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

POST /v1/policies
(iamPolicyManagement *IamPolicyManagementV1) CreatePolicy(createPolicyOptions *CreatePolicyOptions) (result *Policy, response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) CreatePolicyWithContext(ctx context.Context, createPolicyOptions *CreatePolicyOptions) (result *Policy, response *core.DetailedResponse, err error)
ServiceCall<Policy> createPolicy(CreatePolicyOptions createPolicyOptions)
createPolicy(params)
create_policy(
        self,
        type: str,
        subjects: List['PolicySubject'],
        roles: List['PolicyRole'],
        resources: List['PolicyResource'],
        *,
        description: Optional[str] = None,
        accept_language: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

  • iam.policy.create

Auditing

Calling this method generates the following auditing event.

  • iam-am.policy.create

Request

Instantiate the CreatePolicyOptions struct and set the fields to provide parameter values for the CreatePolicy method.

Use the CreatePolicyOptions.Builder to create a CreatePolicyOptions object that contains the parameter values for the createPolicy method.

Custom Headers

  • Accept-Language
    string

    Language code for translations

    • default - English
    • de - German (Standard)
    • en - English
    • es - Spanish (Spain)
    • fr - French (Standard)
    • it - Italian (Standard)
    • ja - Japanese
    • ko - Korean
    • pt-br - Portuguese (Brazil)
    • zh-cn - Chinese (Simplified, PRC)
    • zh-tw - (Chinese, Taiwan)

    Possible values: length ≥ 1

    Default: default

Request Body

Required*
PolicyRequest

A policy to be created.

parameter

WithContext method only

CreatePolicyOptions

The CreatePolicy options.

CreatePolicyOptions

The createPolicy options.

parameters

  • type
    Required*
    string

    The policy type; either 'access' or 'authorization'.

    Possible values: 6 ≤ length ≤ 13, Value must match regular expression /^[a-z]+$/

  • subjects
    Required*

    The subjects associated with a policy.

    Possible values: number of items = 1

  • roles
    Required*

    A set of role cloud resource names (CRNs) granted by the policy.

    Possible values: number of items ≥ 1

  • resources
    Required*

    The resources associated with a policy.

    Possible values: number of items = 1

  • description
    string

    Customer-defined description.

    Possible values: 1 ≤ length ≤ 300

  • acceptLanguage
    string

    Language code for translations

    • default - English
    • de - German (Standard)
    • en - English
    • es - Spanish (Spain)
    • fr - French (Standard)
    • it - Italian (Standard)
    • ja - Japanese
    • ko - Korean
    • pt-br - Portuguese (Brazil)
    • zh-cn - Chinese (Simplified, PRC)
    • zh-tw - (Chinese, Taiwan).

    Possible values: length ≥ 1

    Default: default

parameters

  • type
    Required*
    str

    The policy type; either 'access' or 'authorization'.

    Possible values: 6 ≤ length ≤ 13, Value must match regular expression /^[a-z]+$/

  • subjects
    Required*

    The subjects associated with a policy.

    Possible values: number of items = 1

  • roles
    Required*

    A set of role cloud resource names (CRNs) granted by the policy.

    Possible values: number of items ≥ 1

  • resources
    Required*

    The resources associated with a policy.

    Possible values: number of items = 1

  • description
    str

    Customer-defined description.

    Possible values: 1 ≤ length ≤ 300

  • accept_language
    str

    Language code for translations

    • default - English
    • de - German (Standard)
    • en - English
    • es - Spanish (Spain)
    • fr - French (Standard)
    • it - Italian (Standard)
    • ja - Japanese
    • ko - Korean
    • pt-br - Portuguese (Brazil)
    • zh-cn - Chinese (Simplified, PRC)
    • zh-tw - (Chinese, Taiwan).

    Possible values: length ≥ 1

    Default: default

  • curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "Editor role for SERVICE_NAME\'s RESOURCE_NAME",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }'
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Editor"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "$SERVICE_NAME"
        },
        {
          "name": "resource",
          "value": "$RESOURCE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ]
}'
  • subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
  Name:  core.StringPtr("iam_id"),
  Value: &exampleUserID,
}
policySubjects := &iampolicymanagementv1.PolicySubject{
  Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("accountId"),
  Value:    core.StringPtr(exampleAccountID),
  Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("serviceType"),
  Value:    core.StringPtr("service"),
  Operator: core.StringPtr("stringEquals"),
}
policyResourceTag := &iampolicymanagementv1.ResourceTag{
  Name:     core.StringPtr("project"),
  Value:    core.StringPtr("prototype"),
  Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
  Attributes: []iampolicymanagementv1.ResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute},
  Tags: []iampolicymanagementv1.ResourceTag{*policyResourceTag},
}

options := iamPolicyManagementService.NewCreatePolicyOptions(
  "access",
  []iampolicymanagementv1.PolicySubject{*policySubjects},
  []iampolicymanagementv1.PolicyRole{*policyRoles},
  []iampolicymanagementv1.PolicyResource{*policyResources},
)

policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
examplePolicyID = *policy.ID
fmt.Println(string(b))
  • SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
        .name("iam_id")
        .value(EXAMPLE_USER_ID)
        .build();

PolicySubject policySubjects = new PolicySubject.Builder()
        .addAttributes(subjectAttribute)
        .build();

PolicyRole policyRoles = new PolicyRole.Builder()
        .roleId("crn:v1:bluemix:public:iam::::role:Viewer")
        .build();

ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
        .name("accountId")
        .value(exampleAccountId)
        .operator("stringEquals")
        .build();

ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
        .name("serviceType")
        .value("service")
        .operator("stringEquals")
        .build();

ResourceTag policyResourceTag = new ResourceTag.Builder()
        .name("project")
        .value("prototype")
        .operator("stringEquals")
        .build();

PolicyResource policyResources = new PolicyResource.Builder()
        .addAttributes(accountIdResourceAttribute)
        .addAttributes(serviceNameResourceAttribute)
        .addTags(policyResourceTag)
        .build();

CreatePolicyOptions options = new CreatePolicyOptions.Builder()
        .type("access")
        .subjects(Arrays.asList(policySubjects))
        .roles(Arrays.asList(policyRoles))
        .resources(Arrays.asList(policyResources))
        .build();

Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();

examplePolicyId = policy.getId();

System.out.println(policy);
  • const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: exampleUserId,
      },
    ],
  },
];
const policyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:iam::::role:Viewer',
  },
];
const accountIdResourceAttribute = {
  name: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
  name: 'serviceType',
  value: 'service',
  operator: 'stringEquals',
};
const policyResourceTag = {
  name: 'project',
  operator: 'stringEquals',
  value: 'prototype',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceNameResourceAttribute],
    tags: [policyResourceTag],
  },
];
const params = {
  type: 'access',
  subjects: policySubjects,
  roles: policyRoles,
  resources: policyResources,
};

try {
  const res = await iamPolicyManagementService.createPolicy(params);
  examplePolicyId = res.result.id;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
  • policy_subjects = PolicySubject(attributes=[SubjectAttribute(name='iam_id', value=example_user_id)])
policy_roles = PolicyRole(role_id='crn:v1:bluemix:public:iam::::role:Viewer')
account_id_resource_attribute = ResourceAttribute(name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(name='serviceType', value='service')
policy_resource_tag = ResourceTag(name='project', value='prototype')
policy_resources = PolicyResource(
  attributes=[account_id_resource_attribute, service_name_resource_attribute], tags=[policy_resource_tag]
)

policy = iam_policy_management_service.create_policy(
  type='access', subjects=[policy_subjects], roles=[policy_roles], resources=[policy_resources]
).get_result()

global example_policy_id
example_policy_id = policy['id']
print(json.dumps(policy, indent=2))

Response

Response Body

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Status Code

  • 201

    Policy creation successful.

  • 400

    Policy input is invalid.

  • 401

    The token you provided is not valid.

  • 403

    You do not have access to create the policy.

  • 406

    The requested resource(s) cannot be formatted using the requested media type(s).

  • 409

    A policy already exists for the given subject and resource. You can update that policy or delete it and create a new one.

  • 415

    Request body sent was formatted using an unsupported media type.

  • 422

    Exceeded maximum policies quota.

  • 429

    Too many requests have been made within a given time window.

Example responses
  • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ],
      "tags": [
        {
          "name": "project",
          "value": "moonshot",
          "operator": "stringEquals"
        },
        {
          "name": "pipeline",
          "value": "test",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
  • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ],
      "tags": [
        {
          "name": "project",
          "value": "moonshot",
          "operator": "stringEquals"
        },
        {
          "name": "pipeline",
          "value": "test",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to create policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to create policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policies quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policies quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}

Update a policy

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (You cannot change an access policy to an authorization policy).

Access

To update an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.` If the subject is a locked service-id, the request will fail.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes might support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (You cannot change an access policy to an authorization policy).

Access

To update an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.` If the subject is a locked service-id, the request will fail.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes might support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (You cannot change an access policy to an authorization policy).

Access

To update an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.` If the subject is a locked service-id, the request will fail.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes might support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (You cannot change an access policy to an authorization policy).

Access

To update an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.` If the subject is a locked service-id, the request will fail.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes might support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (You cannot change an access policy to an authorization policy).

Access

To update an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.` If the subject is a locked service-id, the request will fail.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes might support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

PUT /v1/policies/{policy_id}
(iamPolicyManagement *IamPolicyManagementV1) ReplacePolicy(replacePolicyOptions *ReplacePolicyOptions) (result *Policy, response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) ReplacePolicyWithContext(ctx context.Context, replacePolicyOptions *ReplacePolicyOptions) (result *Policy, response *core.DetailedResponse, err error)
ServiceCall<Policy> replacePolicy(ReplacePolicyOptions replacePolicyOptions)
replacePolicy(params)
replace_policy(
        self,
        policy_id: str,
        if_match: str,
        type: str,
        subjects: List['PolicySubject'],
        roles: List['PolicyRole'],
        resources: List['PolicyResource'],
        *,
        description: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

  • iam.policy.update

Auditing

Calling this method generates the following auditing event.

  • iam-am.policy.update

Request

Instantiate the ReplacePolicyOptions struct and set the fields to provide parameter values for the ReplacePolicy method.

Use the ReplacePolicyOptions.Builder to create a ReplacePolicyOptions object that contains the parameter values for the replacePolicy method.

Custom Headers

  • If-Match
    Required*
    string

    The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.

Path Parameters

  • policy_id
    Required*
    string

    The policy ID.

Request Body

Required*
PolicyRequest

Updated policy content to be saved.

parameter

WithContext method only

ReplacePolicyOptions

The ReplacePolicy options.

ReplacePolicyOptions

The replacePolicy options.

parameters

  • policyId
    Required*
    string

    The policy ID.

  • ifMatch
    Required*
    string

    The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.

  • type
    Required*
    string

    The policy type; either 'access' or 'authorization'.

    Possible values: 6 ≤ length ≤ 13, Value must match regular expression /^[a-z]+$/

  • subjects
    Required*

    The subjects associated with a policy.

    Possible values: number of items = 1

  • roles
    Required*

    A set of role cloud resource names (CRNs) granted by the policy.

    Possible values: number of items ≥ 1

  • resources
    Required*

    The resources associated with a policy.

    Possible values: number of items = 1

  • description
    string

    Customer-defined description.

    Possible values: 1 ≤ length ≤ 300

parameters

  • policy_id
    Required*
    str

    The policy ID.

  • if_match
    Required*
    str

    The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.

  • type
    Required*
    str

    The policy type; either 'access' or 'authorization'.

    Possible values: 6 ≤ length ≤ 13, Value must match regular expression /^[a-z]+$/

  • subjects
    Required*

    The subjects associated with a policy.

    Possible values: number of items = 1

  • roles
    Required*

    A set of role cloud resource names (CRNs) granted by the policy.

    Possible values: number of items ≥ 1

  • resources
    Required*

    The resources associated with a policy.

    Possible values: number of items = 1

  • description
    str

    Customer-defined description.

    Possible values: 1 ≤ length ≤ 300

  • curl -X PUT 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{
  "type": "access",
  "description": "Viewer role for for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }'
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "$SERVICE_NAME"
        }
      ]
    }
  ]
}'
  • subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
  Name:  core.StringPtr("iam_id"),
  Value: &exampleUserID,
}
policySubjects := &iampolicymanagementv1.PolicySubject{
  Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("accountId"),
  Value:    core.StringPtr(exampleAccountID),
  Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("serviceType"),
  Value:    core.StringPtr("service"),
  Operator: core.StringPtr("stringEquals"),
}
policyResourceTag := &iampolicymanagementv1.ResourceTag{
  Name:     core.StringPtr("project"),
  Value:    core.StringPtr("prototype"),
  Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
  Attributes: []iampolicymanagementv1.ResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute},
  Tags: []iampolicymanagementv1.ResourceTag{*policyResourceTag},
}
updatedPolicyRoles := &iampolicymanagementv1.PolicyRole{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Editor"),
}

options := iamPolicyManagementService.NewReplacePolicyOptions(
  examplePolicyID,
  examplePolicyETag,
  "access",
  []iampolicymanagementv1.PolicySubject{*policySubjects},
  []iampolicymanagementv1.PolicyRole{*updatedPolicyRoles},
  []iampolicymanagementv1.PolicyResource{*policyResources},
)

policy, response, err := iamPolicyManagementService.ReplacePolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
examplePolicyETag = response.GetHeaders().Get("ETag")
fmt.Println(string(b))
  • SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
        .name("iam_id")
        .value(EXAMPLE_USER_ID)
        .build();

PolicySubject policySubjects = new PolicySubject.Builder()
        .addAttributes(subjectAttribute)
        .build();

ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
        .name("accountId")
        .value(exampleAccountId)
        .operator("stringEquals")
        .build();

ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
        .name("serviceType")
        .value("service")
        .operator("stringEquals")
        .build();

ResourceTag policyResourceTag = new ResourceTag.Builder()
        .name("project")
        .value("prototype")
        .operator("stringEquals")
        .build();

PolicyResource policyResources = new PolicyResource.Builder()
        .addAttributes(accountIdResourceAttribute)
        .addAttributes(serviceNameResourceAttribute)
        .addTags(policyResourceTag)
        .build();

PolicyRole updatedPolicyRole = new PolicyRole.Builder()
        .roleId("crn:v1:bluemix:public:iam::::role:Editor")
        .build();

ReplacePolicyOptions options = new ReplacePolicyOptions.Builder()
        .type("access")
        .policyId(examplePolicyId)
        .ifMatch(examplePolicyEtag)
        .subjects(new ArrayList<PolicySubject>(Arrays.asList(policySubjects)))
        .roles(new ArrayList<PolicyRole>(Arrays.asList(updatedPolicyRole)))
        .resources(new ArrayList<PolicyResource>(Arrays.asList(policyResources)))
        .build();

Response<Policy> response = service.replacePolicy(options).execute();
Policy policy = response.getResult();

examplePolicyEtag = response.getHeaders().values("Etag").get(0);

System.out.println(policy);
  • const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: exampleUserId,
      },
    ],
  },
];
const accountIdResourceAttribute = {
  name: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
  name: 'serviceType',
  value: 'service',
  operator: 'stringEquals',
};
const policyResourceTag = {
  name: 'project',
  operator: 'stringEquals',
  value: 'prototype',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceNameResourceAttribute],
    tags: [policyResourceTag],
  },
];
const updatedPolicyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:iam::::role:Editor',
  },
];
const params = {
  type: 'access',
  policyId: examplePolicyId,
  ifMatch: examplePolicyETag,
  subjects: policySubjects,
  roles: updatedPolicyRoles,
  resources: policyResources,
};

try {
  const res = await iamPolicyManagementService.replacePolicy(params);
  examplePolicyETag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
  • policy_subjects = PolicySubject(attributes=[SubjectAttribute(name='iam_id', value=example_user_id)])
account_id_resource_attribute = ResourceAttribute(name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(name='serviceType', value='service')
policy_resource_tag = ResourceTag(name='project', value='prototype')
policy_resources = PolicyResource(
  attributes=[account_id_resource_attribute, service_name_resource_attribute], tags=[policy_resource_tag]
)
updated_policy_roles = PolicyRole(role_id='crn:v1:bluemix:public:iam::::role:Editor')

response = iam_policy_management_service.replace_policy(
  type='access',
  policy_id=example_policy_id,
  if_match=example_policy_etag,
  subjects=[policy_subjects],
  roles=[updated_policy_roles],
  resources=[policy_resources],
)
policy = response.get_result()
global example_updated_policy_etag
example_updated_policy_etag = response.get_headers().get("Etag")

print(json.dumps(policy, indent=2))

Response

Response Body

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Status Code

  • 200

    Policy update successful.

  • 400

    Policy input is invalid.

  • 401

    The token you provided is not valid.

  • 403

    You do not have access to update the policy.

  • 404

    Policy was not found.

  • 406

    The requested resource(s) cannot be formatted using the requested media type(s).

  • 409

    A policy already exists for the given subject and resource. You can update that policy or delete it and create a new one.

  • 415

    Request body sent was formatted using an unsupported media type.

  • 429

    Too many requests have been made within a given time window.

Example responses
  • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
  • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy and delete the existing one."
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy and delete the existing one."
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to update policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to update policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}

Retrieve a policy by ID

Retrieve a policy by providing a policy ID.

Retrieve a policy by providing a policy ID.

Retrieve a policy by providing a policy ID.

Retrieve a policy by providing a policy ID.

Retrieve a policy by providing a policy ID.

GET /v1/policies/{policy_id}
(iamPolicyManagement *IamPolicyManagementV1) GetPolicy(getPolicyOptions *GetPolicyOptions) (result *PolicyTemplateMetaData, response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) GetPolicyWithContext(ctx context.Context, getPolicyOptions *GetPolicyOptions) (result *PolicyTemplateMetaData, response *core.DetailedResponse, err error)
ServiceCall<PolicyTemplateMetaData> getPolicy(GetPolicyOptions getPolicyOptions)
getPolicy(params)
get_policy(
        self,
        policy_id: str,
        **kwargs,
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

  • iam.policy.read

Auditing

Calling this method generates the following auditing event.

  • iam-am.policy.read

Request

Instantiate the GetPolicyOptions struct and set the fields to provide parameter values for the GetPolicy method.

Use the GetPolicyOptions.Builder to create a GetPolicyOptions object that contains the parameter values for the getPolicy method.

Path Parameters

  • policy_id
    Required*
    string

    The policy ID.

parameter

WithContext method only

GetPolicyOptions

The GetPolicy options.

GetPolicyOptions

The getPolicy options.

parameters

  • policyId
    Required*
    string

    The policy ID.

parameters

  • policy_id
    Required*
    str

    The policy ID.

  • curl -X GET 'https://iam.cloud.ibm.com/v1/policies/$POLICY_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
  • options := iamPolicyManagementService.NewGetPolicyOptions(
  examplePolicyID,
)

policy, response, err := iamPolicyManagementService.GetPolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
examplePolicyETag = response.GetHeaders().Get("ETag")
fmt.Println(string(b))
  • GetPolicyOptions options = new GetPolicyOptions.Builder()
        .policyId(examplePolicyId)
        .build();

Response<PolicyTemplateMetaData> response = service.getPolicy(options).execute();
PolicyTemplateMetaData policy = response.getResult();

examplePolicyEtag = response.getHeaders().values("Etag").get(0);

System.out.println(policy);
  • const params = {
  policyId: examplePolicyId,
};

try {
  const res = await iamPolicyManagementService.getPolicy(params);
  examplePolicyETag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
  • response = iam_policy_management_service.get_policy(policy_id=example_policy_id)
policy = response.get_result()
global example_policy_etag
example_policy_etag = response.get_headers().get("Etag")

print(json.dumps(policy, indent=2))

Response

Response Body

PolicyTemplateMetaData

The core set of properties associated with a policy.

PolicyTemplateMetaData

The core set of properties associated with a policy.

PolicyTemplateMetaData

The core set of properties associated with a policy.

PolicyTemplateMetaData

The core set of properties associated with a policy.

PolicyTemplateMetaData

The core set of properties associated with a policy.

Status Code

  • 200

    Policy retrieval successful.

  • 401

    The token you provided is not valid.

  • 403

    You do not have access to retrieve the policy.

  • 404

    Policy was not found.

  • 406

    The requested resource(s) cannot be formatted using the requested media type(s).

  • 429

    Too many requests have been made within a given time window.

Example responses
  • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
  • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}

Delete a policy by ID

Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.

Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.

Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.

Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.

Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.

DELETE /v1/policies/{policy_id}
(iamPolicyManagement *IamPolicyManagementV1) DeletePolicy(deletePolicyOptions *DeletePolicyOptions) (response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) DeletePolicyWithContext(ctx context.Context, deletePolicyOptions *DeletePolicyOptions) (response *core.DetailedResponse, err error)
ServiceCall<Void> deletePolicy(DeletePolicyOptions deletePolicyOptions)
deletePolicy(params)
delete_policy(
        self,
        policy_id: str,
        **kwargs,
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

  • iam.policy.delete

Auditing

Calling this method generates the following auditing event.

  • iam-am.policy.delete

Request

Instantiate the DeletePolicyOptions struct and set the fields to provide parameter values for the DeletePolicy method.

Use the DeletePolicyOptions.Builder to create a DeletePolicyOptions object that contains the parameter values for the deletePolicy method.

Path Parameters

  • policy_id
    Required*
    string

    The policy ID.

parameter

WithContext method only

DeletePolicyOptions

The DeletePolicy options.

DeletePolicyOptions

The deletePolicy options.

parameters

  • policyId
    Required*
    string

    The policy ID.

parameters

  • policy_id
    Required*
    str

    The policy ID.

  • curl -X DELETE 'https://iam.cloud.ibm.com/v1/policies/$POLICY_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
  • options := iamPolicyManagementService.NewDeletePolicyOptions(
  examplePolicyID,
)

response, err := iamPolicyManagementService.DeletePolicy(options)
if err != nil {
  panic(err)
}
  • DeletePolicyOptions options = new DeletePolicyOptions.Builder()
        .policyId(examplePolicyId)
        .build();

Response<Void> response = service.deletePolicy(options).execute();
  • const params = {
  policyId: examplePolicyId,
};

try {
  await iamPolicyManagementService.deletePolicy(params);
} catch (err) {
  console.warn(err);
}
  • response = iam_policy_management_service.delete_policy(policy_id=example_policy_id).get_result()

print(json.dumps(response, indent=2))

Response

Status Code

  • 204

    Policy deletion successful.

  • 400

    Policy was not valid to delete.

  • 401

    The token you provided is not valid.

  • 403

    You do not have access to delete the policy.

  • 404

    Policy was not found.

  • 429

    Too many requests have been made within a given time window.

Example responses
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a locked service id, cannot perform action"
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a locked service id, cannot perform action"
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}

Restore a deleted policy by ID

Restore a policy that has recently been deleted. A policy administrator might want to restore a deleted policy. To restore a policy, use "state": "active" in the body.

Restore a policy that has recently been deleted. A policy administrator might want to restore a deleted policy. To restore a policy, use "state": "active" in the body.

Restore a policy that has recently been deleted. A policy administrator might want to restore a deleted policy. To restore a policy, use "state": "active" in the body.

Restore a policy that has recently been deleted. A policy administrator might want to restore a deleted policy. To restore a policy, use "state": "active" in the body.

Restore a policy that has recently been deleted. A policy administrator might want to restore a deleted policy. To restore a policy, use "state": "active" in the body.

PATCH /v1/policies/{policy_id}
(iamPolicyManagement *IamPolicyManagementV1) UpdatePolicyState(updatePolicyStateOptions *UpdatePolicyStateOptions) (result *Policy, response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) UpdatePolicyStateWithContext(ctx context.Context, updatePolicyStateOptions *UpdatePolicyStateOptions) (result *Policy, response *core.DetailedResponse, err error)
ServiceCall<Policy> updatePolicyState(UpdatePolicyStateOptions updatePolicyStateOptions)
updatePolicyState(params)
update_policy_state(
        self,
        policy_id: str,
        if_match: str,
        *,
        state: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

  • iam.policy.create

Auditing

Calling this method generates the following auditing event.

  • iam-am.policy.update

Request

Instantiate the UpdatePolicyStateOptions struct and set the fields to provide parameter values for the UpdatePolicyState method.

Use the UpdatePolicyStateOptions.Builder to create a UpdatePolicyStateOptions object that contains the parameter values for the updatePolicyState method.

Custom Headers

  • If-Match
    Required*
    string

    The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.

Path Parameters

  • policy_id
    Required*
    string

    The policy ID.

Request Body

Required*
PatchPolicyRequest

Policy attribute to be updated.

parameter

WithContext method only

UpdatePolicyStateOptions

The UpdatePolicyState options.

UpdatePolicyStateOptions

The updatePolicyState options.

parameters

  • policyId
    Required*
    string

    The policy ID.

  • ifMatch
    Required*
    string

    The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.

  • state
    string

    The policy state.

    Allowable values: [active,deleted]

parameters

  • policy_id
    Required*
    str

    The policy ID.

  • if_match
    Required*
    str

    The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.

  • state
    str

    The policy state.

    Allowable values: [active,deleted]

  • curl -X PATCH 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{
  "state": "active",
}'
  • options := iamPolicyManagementService.NewUpdatePolicyStateOptions(
  examplePolicyID,
  examplePolicyETag,
)

options.SetState("active")

policy, response, err := iamPolicyManagementService.UpdatePolicyState(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))
  • UpdatePolicyStateOptions updatePolicyStateOptions = new UpdatePolicyStateOptions.Builder()
        .policyId(examplePolicyId)
        .ifMatch(examplePolicyEtag)
        .state("active")
        .build();

Response<Policy> response = service.updatePolicyState(updatePolicyStateOptions).execute();
Policy policy = response.getResult();

System.out.println(policy);
  • const params = {
  policyId: examplePolicyId,
  ifMatch: examplePolicyETag,
  state: 'active'
};

try {
  const res = await iamPolicyManagementService.updatePolicyState(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
  • policy = iam_policy_management_service.update_policy_state(
  policy_id=example_policy_id, if_match=example_updated_policy_etag, state='active'
).get_result()

print(json.dumps(policy, indent=2))

Response

Response Body

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Status Code

  • 200

    Policy successfully restored.

  • 400

    Policy input is invalid.

  • 401

    The token you provided is not valid.

  • 403

    You do not have access to update the policy.

  • 404

    Policy was not found.

  • 406

    The requested resource(s) cannot be formatted using the requested media type(s).

  • 415

    Request body sent was formatted using an unsupported media type.

  • 429

    Too many requests have been made within a given time window.

Example responses
  • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
  • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check missing parameters."
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check missing parameters."
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}

Get roles by filters

Get roles based on the filters. While managing roles, you may want to retrieve roles and filter by usages. This can be done through query parameters. Currently, we only support the following attributes: account_id, service_name, service_group_id, source_service_name and policy_type. Both service_name and service_group_id attributes are mutually exclusive. Only roles that match the filter and that the caller has read access to are returned. If the caller does not have read access to any roles an empty array is returned.

Get roles based on the filters. While managing roles, you may want to retrieve roles and filter by usages. This can be done through query parameters. Currently, we only support the following attributes: account_id, service_name, service_group_id, source_service_name and policy_type. Both service_name and service_group_id attributes are mutually exclusive. Only roles that match the filter and that the caller has read access to are returned. If the caller does not have read access to any roles an empty array is returned.

Get roles based on the filters. While managing roles, you may want to retrieve roles and filter by usages. This can be done through query parameters. Currently, we only support the following attributes: account_id, service_name, service_group_id, source_service_name and policy_type. Both service_name and service_group_id attributes are mutually exclusive. Only roles that match the filter and that the caller has read access to are returned. If the caller does not have read access to any roles an empty array is returned.

Get roles based on the filters. While managing roles, you may want to retrieve roles and filter by usages. This can be done through query parameters. Currently, we only support the following attributes: account_id, service_name, service_group_id, source_service_name and policy_type. Both service_name and service_group_id attributes are mutually exclusive. Only roles that match the filter and that the caller has read access to are returned. If the caller does not have read access to any roles an empty array is returned.

Get roles based on the filters. While managing roles, you may want to retrieve roles and filter by usages. This can be done through query parameters. Currently, we only support the following attributes: account_id, service_name, service_group_id, source_service_name and policy_type. Both service_name and service_group_id attributes are mutually exclusive. Only roles that match the filter and that the caller has read access to are returned. If the caller does not have read access to any roles an empty array is returned.

GET /v2/roles
(iamPolicyManagement *IamPolicyManagementV1) ListRoles(listRolesOptions *ListRolesOptions) (result *RoleCollection, response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) ListRolesWithContext(ctx context.Context, listRolesOptions *ListRolesOptions) (result *RoleCollection, response *core.DetailedResponse, err error)
ServiceCall<RoleCollection> listRoles(ListRolesOptions listRolesOptions)
listRoles(params)
list_roles(
        self,
        *,
        accept_language: Optional[str] = None,
        account_id: Optional[str] = None,
        service_name: Optional[str] = None,
        source_service_name: Optional[str] = None,
        policy_type: Optional[str] = None,
        service_group_id: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

  • iam.policy.read

Auditing

Calling this method generates the following auditing event.

  • iam-am.role.read

Request

Instantiate the ListRolesOptions struct and set the fields to provide parameter values for the ListRoles method.

Use the ListRolesOptions.Builder to create a ListRolesOptions object that contains the parameter values for the listRoles method.

Custom Headers

  • Accept-Language
    string

    Language code for translations

    • default - English
    • de - German (Standard)
    • en - English
    • es - Spanish (Spain)
    • fr - French (Standard)
    • it - Italian (Standard)
    • ja - Japanese
    • ko - Korean
    • pt-br - Portuguese (Brazil)
    • zh-cn - Chinese (Simplified, PRC)
    • zh-tw - (Chinese, Taiwan)

    Possible values: length ≥ 1

    Default: default

Query Parameters

  • account_id
    string

    Optional account GUID in which the roles belong to.

  • service_name
    string

    Optional name of IAM enabled service.

    Example: iam-groups

  • source_service_name
    string

    Optional name of source IAM enabled service.

    Example: iam-groups

  • policy_type
    string

    Optional Policy Type.

    Example: authorization

  • service_group_id
    string

    Optional id of service group.

    Example: IAM

parameter

WithContext method only

ListRolesOptions

The ListRoles options.

ListRolesOptions

The listRoles options.

parameters

  • acceptLanguage
    string

    Language code for translations

    • default - English
    • de - German (Standard)
    • en - English
    • es - Spanish (Spain)
    • fr - French (Standard)
    • it - Italian (Standard)
    • ja - Japanese
    • ko - Korean
    • pt-br - Portuguese (Brazil)
    • zh-cn - Chinese (Simplified, PRC)
    • zh-tw - (Chinese, Taiwan).

    Possible values: length ≥ 1

    Default: default

  • accountId
    string

    Optional account GUID in which the roles belong to.

  • serviceName
    string

    Optional name of IAM enabled service.

    Examples: 
  • sourceServiceName
    string
    Optional name of source IAM enabled service.
    

    Examples:  
  • policyType
    string
    Optional Policy Type.
    

    Examples:  
  • serviceGroupId
    string
    Optional id of service group.
    

    Examples:  
parameters
  • accept_language
    str
    Language code for translations
    

      

    • default - English
      • 

    • de -  German (Standard)
      • 

    • en - English
      • 

    • es - Spanish (Spain)
      • 

    • fr - French (Standard)
      • 

    • it - Italian (Standard)
      • 

    • ja - Japanese
      • 

    • ko - Korean
      • 

    • pt-br - Portuguese (Brazil)
      • 

    • zh-cn - Chinese (Simplified, PRC)
      • 

    • zh-tw - (Chinese, Taiwan).
      • 

    

    Possible values:  length ≥ 1
    Default: default
  • account_id
    str
    Optional account GUID in which the roles belong to.
    

  • service_name
    str
    Optional name of IAM enabled service.
    

    Examples:  
  • source_service_name
    str
    Optional name of source IAM enabled service.
    

    Examples:  
  • policy_type
    str
    Optional Policy Type.
    

    Examples:  
  • service_group_id
    str
    Optional id of service group.
    

    Examples:  
  • curl -X GET 'https://iam.cloud.ibm.com/v2/roles' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
  • options := iamPolicyManagementService.NewListRolesOptions()
options.SetAccountID(exampleAccountID)

roleList, response, err := iamPolicyManagementService.ListRoles(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(roleList, "", "  ")
fmt.Println(string(b))
  • ListRolesOptions options = new ListRolesOptions.Builder()
        .accountId(exampleAccountId)
        .build();

Response<RoleCollection> response = service.listRoles(options).execute();
RoleCollection roleCollection = response.getResult();

System.out.println(roleCollection);
  • const params = {
  accountId: exampleAccountId,
};

try {
  const res = await iamPolicyManagementService.listRoles(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
  • role_list = iam_policy_management_service.list_roles(account_id=example_account_id).get_result()

print(json.dumps(role_list, indent=2))
Response
Response Body
RoleCollection
A collection of roles returned by the 'list roles' operation.


RoleCollection
A collection of roles returned by the 'list roles' operation.


RoleCollection
A collection of roles returned by the 'list roles' operation.


RoleCollection
A collection of roles returned by the 'list roles' operation.


RoleCollection
A collection of roles returned by the 'list roles' operation.


Status Code
  • 200
    Roles retrieval successful.
    

  • 401
    The token you provided is not valid.
    

  • 404
    Resource was not found.
    

  • 406
    The requested resource(s) cannot be formatted using the requested media type(s).
    

  • 429
    Too many requests have been made within a given time window.
    

Example responses
  • {
  "custom_roles": [
    {
      "id": "12345678abcd1a2ba1b21234567890ab",
      "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
      "name": "Example",
      "display_name": "Example Role",
      "description": "Custom role for example",
      "service_name": "SERVICE_NAME",
      "account_id": "ACCOUNT_ID",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ],
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
    }
  ],
  "service_roles": [
    {
      "crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
      "display_name": "Reader",
      "description": "Reader role for example",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ]
    }
  ],
  "system_roles": [
    {
      "crn": "crn:v1:bluemix:public:iam::::role:Viewer",
      "display_name": "Viewer",
      "description": "Viewer role for example",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ]
    }
  ]
}
  • {
  "custom_roles": [
    {
      "id": "12345678abcd1a2ba1b21234567890ab",
      "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
      "name": "Example",
      "display_name": "Example Role",
      "description": "Custom role for example",
      "service_name": "SERVICE_NAME",
      "account_id": "ACCOUNT_ID",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ],
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
    }
  ],
  "service_roles": [
    {
      "crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
      "display_name": "Reader",
      "description": "Reader role for example",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ]
    }
  ],
  "system_roles": [
    {
      "crn": "crn:v1:bluemix:public:iam::::role:Viewer",
      "display_name": "Viewer",
      "description": "Viewer role for example",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ]
    }
  ]
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "not_found",
      "message": "Not Found"
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "not_found",
      "message": "Not Found"
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Create a role
Creates a custom role for a specific service within the account. An account owner or a user assigned the Administrator role on the Role management service can create a custom role. Any number of actions for a single service can be mapped to the new role, but there must be at least one service-defined action to successfully create the new role.


Creates a custom role for a specific service within the account. An account owner or a user assigned the Administrator role on the Role management service can create a custom role. Any number of actions for a single service can be mapped to the new role, but there must be at least one service-defined action to successfully create the new role.


Creates a custom role for a specific service within the account. An account owner or a user assigned the Administrator role on the Role management service can create a custom role. Any number of actions for a single service can be mapped to the new role, but there must be at least one service-defined action to successfully create the new role.


Creates a custom role for a specific service within the account. An account owner or a user assigned the Administrator role on the Role management service can create a custom role. Any number of actions for a single service can be mapped to the new role, but there must be at least one service-defined action to successfully create the new role.


Creates a custom role for a specific service within the account. An account owner or a user assigned the Administrator role on the Role management service can create a custom role. Any number of actions for a single service can be mapped to the new role, but there must be at least one service-defined action to successfully create the new role.


POST /v2/roles
(iamPolicyManagement *IamPolicyManagementV1) CreateRole(createRoleOptions *CreateRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) CreateRoleWithContext(ctx context.Context, createRoleOptions *CreateRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)
ServiceCall<CustomRole> createRole(CreateRoleOptions createRoleOptions)
createRole(params)
create_role(
        self,
        display_name: str,
        actions: List[str],
        name: str,
        account_id: str,
        service_name: str,
        *,
        description: Optional[str] = None,
        accept_language: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Authorization
To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
  • iam-access-management.customRole.create
Auditing
Calling this method generates the following auditing event.
  • iam-am.role.create
Request
Instantiate the CreateRoleOptions struct and set the fields to provide parameter values for the CreateRole method.
Use the CreateRoleOptions.Builder to create a CreateRoleOptions object that contains the parameter values for the createRole method.
Custom Headers
  • Accept-Language
    string
    Language code for translations
    

      

    • default - English
      • 

    • de -  German (Standard)
      • 

    • en - English
      • 

    • es - Spanish (Spain)
      • 

    • fr - French (Standard)
      • 

    • it - Italian (Standard)
      • 

    • ja - Japanese
      • 

    • ko - Korean
      • 

    • pt-br - Portuguese (Brazil)
      • 

    • zh-cn - Chinese (Simplified, PRC)
      • 

    • zh-tw - (Chinese, Taiwan)
      • 

    

    Possible values:  length ≥ 1
    Default: default
Request Body
Required*
RolePostRequest
A role to be created.


parameter
WithContext method only
CreateRoleOptions
The CreateRole options.


CreateRoleOptions
The createRole options.


parameters
  • displayName
    Required*
    string
    The display name of the role that is shown in the console.
    

    Possible values:  1 ≤ length ≤ 50
  • actions
    Required*
    string[]
    The actions of the role. For more information, see IAM roles and actions.
    

    Possible values:  number of items ≥ 1, length ≥ 1
  • name
    Required*
    string
    The name of the role that is used in the CRN. Can only be alphanumeric and has to be capitalized.
    

    Possible values:  1 ≤ length ≤ 30, Value must match regular expression /^[A-Z]{1}[A-Za-z0-9]{0,29}$/
    Examples:  
  • accountId
    Required*
    string
    The account GUID.
    

  • serviceName
    Required*
    string
    The service name.
    

    Examples:  
  • description
    string
    The description of the role.
    

    Possible values:  1 ≤ length ≤ 250
  • acceptLanguage
    string
    Language code for translations
    

      

    • default - English
      • 

    • de -  German (Standard)
      • 

    • en - English
      • 

    • es - Spanish (Spain)
      • 

    • fr - French (Standard)
      • 

    • it - Italian (Standard)
      • 

    • ja - Japanese
      • 

    • ko - Korean
      • 

    • pt-br - Portuguese (Brazil)
      • 

    • zh-cn - Chinese (Simplified, PRC)
      • 

    • zh-tw - (Chinese, Taiwan).
      • 

    

    Possible values:  length ≥ 1
    Default: default
parameters
  • display_name
    Required*
    str
    The display name of the role that is shown in the console.
    

    Possible values:  1 ≤ length ≤ 50
  • actions
    Required*
    List[str]
    The actions of the role. For more information, see IAM roles and actions.
    

    Possible values:  number of items ≥ 1, length ≥ 1
  • name
    Required*
    str
    The name of the role that is used in the CRN. Can only be alphanumeric and has to be capitalized.
    

    Possible values:  1 ≤ length ≤ 30, Value must match regular expression /^[A-Z]{1}[A-Za-z0-9]{0,29}$/
    Examples:  
  • account_id
    Required*
    str
    The account GUID.
    

  • service_name
    Required*
    str
    The service name.
    

    Examples:  
  • description
    str
    The description of the role.
    

    Possible values:  1 ≤ length ≤ 250
  • accept_language
    str
    Language code for translations
    

      

    • default - English
      • 

    • de -  German (Standard)
      • 

    • en - English
      • 

    • es - Spanish (Spain)
      • 

    • fr - French (Standard)
      • 

    • it - Italian (Standard)
      • 

    • ja - Japanese
      • 

    • ko - Korean
      • 

    • pt-br - Portuguese (Brazil)
      • 

    • zh-cn - Chinese (Simplified, PRC)
      • 

    • zh-tw - (Chinese, Taiwan).
      • 

    

    Possible values:  length ≥ 1
    Default: default
  • curl -X POST 'https://iam.cloud.ibm.com/v2/roles' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "account_id": "ACCOUNT_ID",
  "service_name": "SERVICE_NAME",
  "actions":["ACTION_ID_1", "ACTION_ID_2"]
}'
  • options := iamPolicyManagementService.NewCreateRoleOptions(
  "IAM Groups read access",
  []string{"iam-groups.groups.read"},
  "ExampleRoleIAMGroups",
  exampleAccountID,
  exampleServiceName,
)

customRole, response, err := iamPolicyManagementService.CreateRole(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(customRole, "", "  ")
exampleCustomRoleID = *customRole.ID
fmt.Println(string(b))
  • CreateRoleOptions options = new CreateRoleOptions.Builder()
        .displayName("IAM Groups read access")
        .actions(Arrays.asList("iam-groups.groups.read"))
        .name("ExampleRoleIAMGroups")
        .accountId(exampleAccountId)
        .serviceName(EXAMPLE_SERVICE_NAME)
        .build();

Response<CustomRole> response = service.createRole(options).execute();
CustomRole customRole = response.getResult();

exampleCustomRoleId = customRole.getId();

System.out.println(customRole);
  • const params = {
  displayName: exampleCustomRoleDipslayName,
  actions: ['iam-groups.groups.read'],
  name: 'ExampleRoleIAMGroups',
  accountId: exampleAccountId,
  serviceName: exampleServiceName,
};

try {
  const res = await iamPolicyManagementService.createRole(params);
  exampleCustomRoleId = res.result.id;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
  • custom_role = iam_policy_management_service.create_role(
  display_name='IAM Groups read access',
  actions=['iam-groups.groups.read'],
  name='ExampleRoleIAMGroups',
  account_id=example_account_id,
  service_name=example_service_name,
).get_result()

global example_custom_role_id
example_custom_role_id = custom_role["id"]

print(json.dumps(custom_role, indent=2))
Response
Response Body
CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


Status Code
  • 201
    Role creation successful.
    

  • 400
    Role input is invalid.
    

  • 401
    The token you provided is not valid.
    

  • 403
    You don't have access to create the role. You must be assigned the Administrator role on the Role management service.
    

  • 406
    The requested resource(s) cannot be formatted using the requested media type(s).
    

  • 409
    A role already exists with the same name or actions in the account. You can update that role or delete it and create a new one.
    

  • 415
    Request body sent was formatted using an unsupported media type.
    

  • 422
    Exceeded maximum roles quota.
    

  • 429
    Too many requests have been made within a given time window.
    

Example responses
  • {
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
  • {
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "The role name conflicts with an existing system-defined role name. Choose a different name."
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "The role name conflicts with an existing system-defined role name. Choose a different name."
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested role. You must be assigned the Administrator role on the Role management service."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested role. You must be assigned the Administrator role on the Role management service."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_conflict_error",
      "message": "This role name is already in use. Update the existing one or change the role name to be unique.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "role": "ROLE"
        }
      },
      "status_code": 409
    }
  ]
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_conflict_error",
      "message": "This role name is already in use. Update the existing one or change the role name to be unique.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "role": "ROLE"
        }
      },
      "status_code": 409
    }
  ]
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum roles quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum roles quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Update a role
Update a custom role. A role administrator might want to update an existing role by updating the display name, description, or the actions that are mapped to the role. The name, account_id, and service_name can't be changed.


Update a custom role. A role administrator might want to update an existing role by updating the display name, description, or the actions that are mapped to the role. The name, account_id, and service_name can't be changed.


Update a custom role. A role administrator might want to update an existing role by updating the display name, description, or the actions that are mapped to the role. The name, account_id, and service_name can't be changed.


Update a custom role. A role administrator might want to update an existing role by updating the display name, description, or the actions that are mapped to the role. The name, account_id, and service_name can't be changed.


Update a custom role. A role administrator might want to update an existing role by updating the display name, description, or the actions that are mapped to the role. The name, account_id, and service_name can't be changed.


PUT /v2/roles/{role_id}
(iamPolicyManagement *IamPolicyManagementV1) ReplaceRole(replaceRoleOptions *ReplaceRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) ReplaceRoleWithContext(ctx context.Context, replaceRoleOptions *ReplaceRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)
ServiceCall<CustomRole> replaceRole(ReplaceRoleOptions replaceRoleOptions)
replaceRole(params)
replace_role(
        self,
        role_id: str,
        if_match: str,
        display_name: str,
        actions: List[str],
        *,
        description: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Authorization
To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
  • iam-access-management.customRole.update
Auditing
Calling this method generates the following auditing event.
  • iam-am.role.update
Request
Instantiate the ReplaceRoleOptions struct and set the fields to provide parameter values for the ReplaceRole method.
Use the ReplaceRoleOptions.Builder to create a ReplaceRoleOptions object that contains the parameter values for the replaceRole method.
Custom Headers
  • If-Match
    Required*
    string
    The revision number for updating a role and must match the ETag value of the existing role.
The Etag can be retrieved using the GET /v2/roles/{role_id} API and looking at the ETag response header.
    

Path Parameters
  • role_id
    Required*
    string
    The role ID.
    

Request Body
Required*
Role
Updated role content to be saved.


parameter
WithContext method only
ReplaceRoleOptions
The ReplaceRole options.


ReplaceRoleOptions
The replaceRole options.


parameters
  • roleId
    Required*
    string
    The role ID.
    

  • ifMatch
    Required*
    string
    The revision number for updating a role and must match the ETag value of the existing role. The Etag can be retrieved using the GET /v2/roles/{role_id} API and looking at the ETag response header.
    

  • displayName
    Required*
    string
    The display name of the role that is shown in the console.
    

    Possible values:  1 ≤ length ≤ 50
  • actions
    Required*
    string[]
    The actions of the role. For more information, see IAM roles and actions.
    

    Possible values:  number of items ≥ 1, length ≥ 1
  • description
    string
    The description of the role.
    

    Possible values:  1 ≤ length ≤ 250
parameters
  • role_id
    Required*
    str
    The role ID.
    

  • if_match
    Required*
    str
    The revision number for updating a role and must match the ETag value of the existing role. The Etag can be retrieved using the GET /v2/roles/{role_id} API and looking at the ETag response header.
    

  • display_name
    Required*
    str
    The display name of the role that is shown in the console.
    

    Possible values:  1 ≤ length ≤ 50
  • actions
    Required*
    List[str]
    The actions of the role. For more information, see IAM roles and actions.
    

    Possible values:  number of items ≥ 1, length ≥ 1
  • description
    str
    The description of the role.
    

    Possible values:  1 ≤ length ≤ 250
  • curl -X PUT 'https://iam.cloud.ibm.com/v2/roles' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{
  "display_name": "Example Role",
  "description": "Custom role for example",
  "actions":["ACTION_ID_1", "ACTION_ID_2"]
}'
  • updatedRoleActions := []string{"iam-groups.groups.read", "iam-groups.groups.list"}

options := iamPolicyManagementService.NewReplaceRoleOptions(
  exampleCustomRoleID,
  exampleCustomRoleETag,
  "ExampleRoleIAMGroups",
  updatedRoleActions,
)

customRole, response, err := iamPolicyManagementService.ReplaceRole(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(customRole, "", "  ")
fmt.Println(string(b))
  • List<String> updatedRoleActions = Arrays.asList("iam-groups.groups.read", "iam-groups.groups.list");
ReplaceRoleOptions options = new ReplaceRoleOptions.Builder()
        .roleId(exampleCustomRoleId)
        .ifMatch(exampleCustomRoleEtag)
        .displayName("IAM Groups read access")
        .actions(updatedRoleActions)
        .build();

Response<CustomRole> response = service.replaceRole(options).execute();
CustomRole customRole = response.getResult();

System.out.println(customRole);
  • const updatedRoleActions = ['iam-groups.groups.read', 'iam-groups.groups.list'];
const params = {
  roleId: exampleCustomRoleId,
  ifMatch: exampleCustomRoleEtag,
  displayName: exampleCustomRoleDipslayName,
  actions: updatedRoleActions,
};

try {
  const res = await iamPolicyManagementService.replaceRole(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
  • updated_role_actions = ['iam-groups.groups.read', 'iam-groups.groups.list']
custom_role = iam_policy_management_service.replace_role(
  role_id=example_custom_role_id,
  if_match=example_custom_role_etag,
  actions=updated_role_actions,
  display_name='IAM Groups read access',
).get_result()

print(json.dumps(custom_role, indent=2))
Response
Response Body
CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


Status Code
  • 200
    Role update successful.
    

  • 400
    Role input is invalid.
    

  • 401
    The token you provided is not valid.
    

  • 403
    You do not have access to update the role.
    

  • 404
    Role was not found.
    

  • 406
    The requested resource(s) cannot be formatted using the requested media type(s).
    

  • 409
    A role already exists with the same actions and account_id. You can update that role or delete it and create a new one.
    

  • 415
    Request body sent was formatted using an unsupported media type.
    

  • 429
    Too many requests have been made within a given time window.
    

Example responses
  • {
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
  • {
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "In order to update an existing role, a rev value must be provided."
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "In order to update an existing role, a rev value must be provided."
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested role."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested role."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with Id ROLE_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with Id ROLE_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_conflict_error",
      "message": "The role wasn't updated.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "role": "ROLE"
        }
      },
      "status_code": 409
    }
  ]
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_conflict_error",
      "message": "The role wasn't updated.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "role": "ROLE"
        }
      },
      "status_code": 409
    }
  ]
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Retrieve a role by ID
Retrieve a role by providing a role ID.


Retrieve a role by providing a role ID.


Retrieve a role by providing a role ID.


Retrieve a role by providing a role ID.


Retrieve a role by providing a role ID.


GET /v2/roles/{role_id}
(iamPolicyManagement *IamPolicyManagementV1) GetRole(getRoleOptions *GetRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) GetRoleWithContext(ctx context.Context, getRoleOptions *GetRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)
ServiceCall<CustomRole> getRole(GetRoleOptions getRoleOptions)
getRole(params)
get_role(
        self,
        role_id: str,
        **kwargs,
    ) -> DetailedResponse
Auditing
Calling this method generates the following auditing event.
  • iam-am.role.read
Request
Instantiate the GetRoleOptions struct and set the fields to provide parameter values for the GetRole method.
Use the GetRoleOptions.Builder to create a GetRoleOptions object that contains the parameter values for the getRole method.
Path Parameters
  • role_id
    Required*
    string
    The role ID.
    

parameter
WithContext method only
GetRoleOptions
The GetRole options.


GetRoleOptions
The getRole options.


parameters
  • roleId
    Required*
    string
    The role ID.
    

parameters
  • role_id
    Required*
    str
    The role ID.
    

  • curl -X GET 'https://iam.cloud.ibm.com/v2/roles/$ROLE_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
  • options := iamPolicyManagementService.NewGetRoleOptions(
  exampleCustomRoleID,
)

customRole, response, err := iamPolicyManagementService.GetRole(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(customRole, "", "  ")
exampleCustomRoleETag = response.Headers.Get("ETag")
fmt.Println(string(b))
  • GetRoleOptions options = new GetRoleOptions.Builder()
        .roleId(exampleCustomRoleId)
        .build();

Response<CustomRole> response = service.getRole(options).execute();
CustomRole customRole = response.getResult();

exampleCustomRoleEtag = response.getHeaders().values("Etag").get(0);

System.out.println(customRole);
  • const params = {
  roleId: exampleCustomRoleId,
};

try {
  const res = await iamPolicyManagementService.getRole(params);
  exampleCustomRoleEtag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
  • response = iam_policy_management_service.get_role(role_id=example_custom_role_id)
custom_role = response.get_result()

global example_custom_role_etag
example_custom_role_etag = response.get_headers().get("Etag")

print(json.dumps(custom_role, indent=2))
Response
Response Body
CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


CustomRole
An additional set of properties associated with a role.


Status Code
  • 200
    Role retrieval successful.
    

  • 401
    The token you provided is not valid.
    

  • 403
    You do not have access to retrieve the role.
    

  • 404
    Role was not found.
    

  • 406
    The requested resource(s) cannot be formatted using the requested media type(s).
    

  • 429
    Too many requests have been made within a given time window.
    

Example responses
  • {
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
  • {
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested role."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested role."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with Id ROLE_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with Id ROLE_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Delete a role by ID
Delete a role by providing a role ID.


Delete a role by providing a role ID.


Delete a role by providing a role ID.


Delete a role by providing a role ID.


Delete a role by providing a role ID.


DELETE /v2/roles/{role_id}
(iamPolicyManagement *IamPolicyManagementV1) DeleteRole(deleteRoleOptions *DeleteRoleOptions) (response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) DeleteRoleWithContext(ctx context.Context, deleteRoleOptions *DeleteRoleOptions) (response *core.DetailedResponse, err error)
ServiceCall<Void> deleteRole(DeleteRoleOptions deleteRoleOptions)
deleteRole(params)
delete_role(
        self,
        role_id: str,
        **kwargs,
    ) -> DetailedResponse
Authorization
To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
  • iam-access-management.customRole.delete
Auditing
Calling this method generates the following auditing event.
  • iam-am.role.delete
Request
Instantiate the DeleteRoleOptions struct and set the fields to provide parameter values for the DeleteRole method.
Use the DeleteRoleOptions.Builder to create a DeleteRoleOptions object that contains the parameter values for the deleteRole method.
Path Parameters
  • role_id
    Required*
    string
    The role ID.
    

parameter
WithContext method only
DeleteRoleOptions
The DeleteRole options.


DeleteRoleOptions
The deleteRole options.


parameters
  • roleId
    Required*
    string
    The role ID.
    

parameters
  • role_id
    Required*
    str
    The role ID.
    

  • curl -X DELETE 'https://iam.cloud.ibm.com/v2/roles/$ROLE_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
  • options := iamPolicyManagementService.NewDeleteRoleOptions(
  exampleCustomRoleID,
)

response, err := iamPolicyManagementService.DeleteRole(options)
if err != nil {
  panic(err)
}
  • DeleteRoleOptions options = new DeleteRoleOptions.Builder()
  .roleId(exampleCustomRoleId)
  .build();

Response<Void> response = service.deleteRole(options).execute();
  • const params = {
  roleId: exampleCustomRoleId,
};

try {
  await iamPolicyManagementService.deleteRole(params);
} catch (err) {
  console.warn(err);
}
  • response = iam_policy_management_service.delete_role(role_id=example_custom_role_id).get_result()

print(json.dumps(response, indent=2))
Response
Status Code
  • 204
    Role deletion successful.
    

  • 401
    The token you provided is not valid.
    

  • 403
    You do not have access to delete the role.
    

  • 404
    Role was not found.
    

  • 429
    Too many requests have been made within a given time window.
    

Example responses
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested role."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested role."
    }
  ],
  "status_code": 403
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with Id ROLE_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with Id ROLE_ID not found."
    }
  ],
  "status_code": 404
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Get policies by attributes
Beta
Get policies and filter by attributes.
While managing policies, you might want to retrieve
policies in the account and filter by attribute values.
This can be done through query parameters.
The following attributes are supported:
account_id, iam_id, access_group_id, type, service_type, sort, format and state.
account_id is a required query parameter.
Only policies that have the specified attributes and that
the caller has read access to are returned.
If the caller does not have read access to any policies an empty array
is returned.


Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.


Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.


Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.


Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.


GET /v2/policies
(iamPolicyManagement *IamPolicyManagementV1) ListV2Policies(listV2PoliciesOptions *ListV2PoliciesOptions) (result *V2PolicyCollection, response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) ListV2PoliciesWithContext(ctx context.Context, listV2PoliciesOptions *ListV2PoliciesOptions) (result *V2PolicyCollection, response *core.DetailedResponse, err error)
ServiceCall<V2PolicyCollection> listV2Policies(ListV2PoliciesOptions listV2PoliciesOptions)
listV2Policies(params)
list_v2_policies(
        self,
        account_id: str,
        *,
        accept_language: Optional[str] = None,
        iam_id: Optional[str] = None,
        access_group_id: Optional[str] = None,
        type: Optional[str] = None,
        service_type: Optional[str] = None,
        service_name: Optional[str] = None,
        service_group_id: Optional[str] = None,
        sort: Optional[str] = None,
        format: Optional[str] = None,
        state: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Authorization
To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
  • iam.policy.read
Auditing
Calling this method generates the following auditing event.
  • iam-am.policy.read
Request
Instantiate the ListV2PoliciesOptions struct and set the fields to provide parameter values for the ListV2Policies method.
Use the ListV2PoliciesOptions.Builder to create a ListV2PoliciesOptions object that contains the parameter values for the listV2Policies method.
Custom Headers
  • Accept-Language
    string
    Language code for translations
    

      

    • default - English
      • 

    • de -  German (Standard)
      • 

    • en - English
      • 

    • es - Spanish (Spain)
      • 

    • fr - French (Standard)
      • 

    • it - Italian (Standard)
      • 

    • ja - Japanese
      • 

    • ko - Korean
      • 

    • pt-br - Portuguese (Brazil)
      • 

    • zh-cn - Chinese (Simplified, PRC)
      • 

    • zh-tw - (Chinese, Taiwan)
      • 

    

    Possible values:  length ≥ 1
    Default: default
Query Parameters
  • account_id
    Required*
    string
    The account GUID in which the policies belong to.
    

    Possible values:  length ≥ 1
  • iam_id
    string
    Optional IAM ID used to identify the subject.
    

    Possible values:  length ≥ 1
  • access_group_id
    string
    Optional access group id.
    

    Possible values:  length ≥ 1
  • type
    string
    Optional type of policy.
    

    Allowable values: [access,authorization]
  • service_type
    string
    Optional type of service.
    

    Allowable values: [service,platform_service]
  • service_name
    string
    Optional name of service.
    

    Possible values:  length ≥ 1
  • service_group_id
    string
    Optional ID of service group.
    

    Possible values:  length ≥ 1
  • sort
    string
    Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field, for example, '-last_modified_at'.
Note that last permit information is only included when 'format=include_last_permit', for example, "format=include_last_permit&sort=last_permit_at"
Example fields that can be sorted on:
    

      

    • 'id'
      • 

    • 'type'
      • 

    • 'href'
      • 

    • 'created_at'
      • 

    • 'created_by_id'
      • 

    • 'last_modified_at'
      • 

    • 'last_modified_by_id'
      • 

    • 'state'
      • 

    • 'last_permit_at'
      • 

    • 'last_permit_frequency'
      • 

    

  • format
    string
    Include additional data per policy returned
    

      

    • include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
      • 

    • display - returns the list of all actions included in each of the policy roles and translations for all relevant fields
      • 

    

    Allowable values: [include_last_permit,display]
  • state
    string
    The state of the policy.
    

      

    • active - returns active policies
      • 

    • deleted - returns non-active policies
      • 

    

    Allowable values: [active,deleted]
  • limit
    integer
    The number of documents to include in collection.
    

    Possible values:  1 ≤ value ≤ 100
    Default: 50
  • start
    string
    Page token that refers to the page of collection to return.
    

    Possible values:  9 ≤ length ≤ 100, Value must match regular expression ^[-A-Za-z0-9+/]*$
parameter
WithContext method only
ListV2PoliciesOptions
The ListV2Policies options.


ListV2PoliciesOptions
The listV2Policies options.


parameters
  • accountId
    Required*
    string
    The account GUID in which the policies belong to.
    

    Possible values:  length ≥ 1
  • acceptLanguage
    string
    Language code for translations
    

      

    • default - English
      • 

    • de -  German (Standard)
      • 

    • en - English
      • 

    • es - Spanish (Spain)
      • 

    • fr - French (Standard)
      • 

    • it - Italian (Standard)
      • 

    • ja - Japanese
      • 

    • ko - Korean
      • 

    • pt-br - Portuguese (Brazil)
      • 

    • zh-cn - Chinese (Simplified, PRC)
      • 

    • zh-tw - (Chinese, Taiwan).
      • 

    

    Possible values:  length ≥ 1
    Default: default
  • iamId
    string
    Optional IAM ID used to identify the subject.
    

    Possible values:  length ≥ 1
  • accessGroupId
    string
    Optional access group id.
    

    Possible values:  length ≥ 1
  • type
    string
    Optional type of policy.
    

    Allowable values: [access,authorization]
  • serviceType
    string
    Optional type of service.
    

    Allowable values: [service,platform_service]
  • serviceName
    string
    Optional name of service.
    

    Possible values:  length ≥ 1
  • serviceGroupId
    string
    Optional ID of service group.
    

    Possible values:  length ≥ 1
  • sort
    string
    Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field, for example, '-last_modified_at'. Note that last permit information is only included when 'format=include_last_permit', for example, "format=include_last_permit&sort=last_permit_at" Example fields that can be sorted on:
    

      

    • 'id'
      • 

    • 'type'
      • 

    • 'href'
      • 

    • 'created_at'
      • 

    • 'created_by_id'
      • 

    • 'last_modified_at'
      • 

    • 'last_modified_by_id'
      • 

    • 'state'
      • 

    • 'last_permit_at'
      • 

    • 'last_permit_frequency'.
      • 

    

  • format
    string
    Include additional data per policy returned
    

      

    • include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
      • 

    • display - returns the list of all actions included in each of the policy roles and translations for all relevant fields.
      • 

    

    Allowable values: [include_last_permit,display]
  • state
    string
    The state of the policy.
    

      

    • active - returns active policies
      • 

    • deleted - returns non-active policies.
      • 

    

    Allowable values: [active,deleted]
parameters
  • account_id
    Required*
    str
    The account GUID in which the policies belong to.
    

    Possible values:  length ≥ 1
  • accept_language
    str
    Language code for translations
    

      

    • default - English
      • 

    • de -  German (Standard)
      • 

    • en - English
      • 

    • es - Spanish (Spain)
      • 

    • fr - French (Standard)
      • 

    • it - Italian (Standard)
      • 

    • ja - Japanese
      • 

    • ko - Korean
      • 

    • pt-br - Portuguese (Brazil)
      • 

    • zh-cn - Chinese (Simplified, PRC)
      • 

    • zh-tw - (Chinese, Taiwan).
      • 

    

    Possible values:  length ≥ 1
    Default: default
  • iam_id
    str
    Optional IAM ID used to identify the subject.
    

    Possible values:  length ≥ 1
  • access_group_id
    str
    Optional access group id.
    

    Possible values:  length ≥ 1
  • type
    str
    Optional type of policy.
    

    Allowable values: [access,authorization]
  • service_type
    str
    Optional type of service.
    

    Allowable values: [service,platform_service]
  • service_name
    str
    Optional name of service.
    

    Possible values:  length ≥ 1
  • service_group_id
    str
    Optional ID of service group.
    

    Possible values:  length ≥ 1
  • sort
    str
    Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field, for example, '-last_modified_at'. Note that last permit information is only included when 'format=include_last_permit', for example, "format=include_last_permit&sort=last_permit_at" Example fields that can be sorted on:
    

      

    • 'id'
      • 

    • 'type'
      • 

    • 'href'
      • 

    • 'created_at'
      • 

    • 'created_by_id'
      • 

    • 'last_modified_at'
      • 

    • 'last_modified_by_id'
      • 

    • 'state'
      • 

    • 'last_permit_at'
      • 

    • 'last_permit_frequency'.
      • 

    

  • format
    str
    Include additional data per policy returned
    

      

    • include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
      • 

    • display - returns the list of all actions included in each of the policy roles and translations for all relevant fields.
      • 

    

    Allowable values: [include_last_permit,display]
  • state
    str
    The state of the policy.
    

      

    • active - returns active policies
      • 

    • deleted - returns non-active policies.
      • 

    

    Allowable values: [active,deleted]
  • curl -X GET 'https://iam.cloud.ibm.com/v2/policies?account_id=$ACCOUNT_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
  • options := iamPolicyManagementService.NewListV2PoliciesOptions(
  exampleAccountID,
)
options.SetIamID(exampleUserID)
options.SetFormat("include_last_permit")
options.SetSort("-id")

policyList, response, err := iamPolicyManagementService.ListV2Policies(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyList, "", "  ")
fmt.Println(string(b))
  • ListV2PoliciesOptions options = new ListV2PoliciesOptions.Builder()
        .accountId(exampleAccountId)
        .iamId(EXAMPLE_USER_ID)
        .format("include_last_permit")
        .build();

Response<V2PolicyCollection> response = service.listV2Policies(options).execute();
V2PolicyCollection policyCollection = response.getResult();

System.out.println(policyCollection);
  • const params = {
  accountId: exampleAccountId,
  iamId: exampleUserId,
  format: 'include_last_permit',
};

try {
  const res = await iamPolicyManagementService.listV2Policies(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
  • policy_list = iam_policy_management_service.list_v2_policies(
  account_id=example_account_id, iam_id=example_user_id, format='include_last_permit'
).get_result()

print(json.dumps(policy_list, indent=2))
Response
Response Body
V2PolicyCollection
A collection of policies.


V2PolicyCollection
A collection of policies.


V2PolicyCollection
A collection of policies.


V2PolicyCollection
A collection of policies.


V2PolicyCollection
A collection of policies.


Status Code
  • 200
    Policies retrieval successful.
    

  • 400
    The request you made is not valid.
    

  • 401
    The token you provided is not valid.
    

  • 406
    The requested resource(s) cannot be formatted using the requested media type(s).
    

  • 429
    Too many requests have been made within a given time window.
    

Example responses
  • {
  "policies": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "type": "access",
      "description": "Viewer role access for all instances of key protect in the account during business hours.",
      "subject": {
        "attributes": [
          {
            "key": "iam_id",
            "operator": "stringEquals",
            "value": "IBMid-123453user"
          }
        ]
      },
      "control": {
        "grant": {
          "roles": [
            {
              "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
            }
          ]
        }
      },
      "resource": {
        "attributes": [
          {
            "key": "accountId",
            "operator": "stringEquals",
            "value": "100abcde100a41abc100aza678abc0zz"
          },
          {
            "key": "serviceName",
            "operator": "stringEquals",
            "value": "kms"
          }
        ]
      },
      "rule": {
        "operator": "and",
        "conditions": [
          {
            "key": "{{environment.attributes.day_of_week}}",
            "operator": "dayOfWeekAnyOf",
            "value": [
              "1+00:00",
              "2+00:00",
              "3+00:00",
              "4+00:00",
              "5+00:00"
            ]
          },
          {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeGreaterThanOrEquals",
            "value": "09:00:00+00:00"
          },
          {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeLessThanOrEquals",
            "value": "17:00:00+00:00"
          }
        ]
      },
      "pattern": "time-based-conditions:weekly:custom-hours",
      "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "IBMid-12345678",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "IBMid-12345678",
      "state": "active"
    }
  ]
}
  • {
  "policies": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "type": "access",
      "description": "Viewer role access for all instances of key protect in the account during business hours.",
      "subject": {
        "attributes": [
          {
            "key": "iam_id",
            "operator": "stringEquals",
            "value": "IBMid-123453user"
          }
        ]
      },
      "control": {
        "grant": {
          "roles": [
            {
              "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
            }
          ]
        }
      },
      "resource": {
        "attributes": [
          {
            "key": "accountId",
            "operator": "stringEquals",
            "value": "100abcde100a41abc100aza678abc0zz"
          },
          {
            "key": "serviceName",
            "operator": "stringEquals",
            "value": "kms"
          }
        ]
      },
      "rule": {
        "operator": "and",
        "conditions": [
          {
            "key": "{{environment.attributes.day_of_week}}",
            "operator": "dayOfWeekAnyOf",
            "value": [
              "1+00:00",
              "2+00:00",
              "3+00:00",
              "4+00:00",
              "5+00:00"
            ]
          },
          {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeGreaterThanOrEquals",
            "value": "09:00:00+00:00"
          },
          {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeLessThanOrEquals",
            "value": "17:00:00+00:00"
          }
        ]
      },
      "pattern": "time-based-conditions:weekly:custom-hours",
      "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "IBMid-12345678",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "IBMid-12345678",
      "state": "active"
    }
  ]
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
  • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Create a policy
Beta
Creates a policy to grant access between a subject and a resource.
Currently, there is one type of a v2/policy: access.
A policy administrator might want to create an access policy
that grants access to a user, service-id, or an access group.


Access


To create an access policy, use "type": "access" in the body.
The supported subject attributes are iam_id and access_group_id.
Use the iam_id subject attribute to assign access to a user or service-id.
Use the access_group_id subject attribute to assign access to an access group.
Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions.
Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation.
The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute.
In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator.
The possible combination operators are and and or.


Currently, we support two types of patterns:


    

  1. time-based: Used to specify a time-based restriction
    2. 



Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week).
For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:


  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }



You can use the following operators in the key and value pair:


  'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
  'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
  'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
  'dayOfWeekEquals', 'dayOfWeekAnyOf'



The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly".
For more information, see Time-based conditions operators and
Limiting access with time-based conditions.
If the subject is a locked service-id, the request will fail.


    

  1. attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.
    2. 



Combine conditions to specify an attribute-based condition using AND/OR-based operators.


For example, a policy can grant access based on multiple conditions applied on the resource attributes below:


  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/*"
        }
      ]
  }



In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR
the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy,
making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.


Authorization


Authorization policies are supported by services on a case by case basis.
Refer to service documentation to verify their support of authorization policies.
To create an authorization policy, use "type": "authorization" in the body.
The subject attributes must match the supported authorization subjects of the resource.
Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId
Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions.
The user must also have the same level of access or greater to the target resource in order to grant the role.
Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation.
Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.


Attribute Operators


Currently, only the stringEquals, stringMatch, and stringEquals operators are available.
For more information, see Assigning access by using wildcard policies.


Attribute Validations


Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.


Creates a policy to grant access between a subject and a resource. Currently, there is one type of a v2/policy: access. A policy administrator might want to create an access policy that grants access to a user, service-id, or an access group.


Access


To create an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.


Currently, we support two types of patterns:


    

  1. time-based: Used to specify a time-based restriction
    2. 



Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:


  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:



'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
'dayOfWeekEquals', 'dayOfWeekAnyOf'
``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and
Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.


    

  1. attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.
    2. 



Combine conditions to specify an attribute-based condition using AND/OR-based operators.


For example, a policy can grant access based on multiple conditions applied on the resource attributes below:


  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }



In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR  the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy,  making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.


Authorization


Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.


Attribute Operators


Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.


Attribute Validations


Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.


Creates a policy to grant access between a subject and a resource. Currently, there is one type of a v2/policy: access. A policy administrator might want to create an access policy that grants access to a user, service-id, or an access group.


Access


To create an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.


Currently, we support two types of patterns:


    

  1. time-based: Used to specify a time-based restriction
    2. 



Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:


  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:



'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
'dayOfWeekEquals', 'dayOfWeekAnyOf'
``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and
Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.


    

  1. attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.
    2. 



Combine conditions to specify an attribute-based condition using AND/OR-based operators.


For example, a policy can grant access based on multiple conditions applied on the resource attributes below:


  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }



In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR  the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy,  making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.


Authorization


Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.


Attribute Operators


Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.


Attribute Validations


Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.


Creates a policy to grant access between a subject and a resource. Currently, there is one type of a v2/policy: access. A policy administrator might want to create an access policy that grants access to a user, service-id, or an access group.


Access


To create an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.


Currently, we support two types of patterns:


    

  1. time-based: Used to specify a time-based restriction
    2. 



Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:


  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:



'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
'dayOfWeekEquals', 'dayOfWeekAnyOf'
``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and
Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.


    

  1. attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.
    2. 



Combine conditions to specify an attribute-based condition using AND/OR-based operators.


For example, a policy can grant access based on multiple conditions applied on the resource attributes below:


  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }



In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR  the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy,  making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.


Authorization


Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.


Attribute Operators


Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.


Attribute Validations


Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.


Creates a policy to grant access between a subject and a resource. Currently, there is one type of a v2/policy: access. A policy administrator might want to create an access policy that grants access to a user, service-id, or an access group.


Access


To create an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.


Currently, we support two types of patterns:


    

  1. time-based: Used to specify a time-based restriction
    2. 



Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:


  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:



'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
'dayOfWeekEquals', 'dayOfWeekAnyOf'
``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and
Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.


    

  1. attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.
    2. 



Combine conditions to specify an attribute-based condition using AND/OR-based operators.


For example, a policy can grant access based on multiple conditions applied on the resource attributes below:


  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/*"
        }
      ]
  }



In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR  the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy,  making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.


Authorization


Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.


Attribute Operators


Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.


Attribute Validations


Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.


POST /v2/policies
(iamPolicyManagement *IamPolicyManagementV1) CreateV2Policy(createV2PolicyOptions *CreateV2PolicyOptions) (result *V2Policy, response *core.DetailedResponse, err error)
(iamPolicyManagement *IamPolicyManagementV1) CreateV2PolicyWithContext(ctx context.Context, createV2PolicyOptions *CreateV2PolicyOptions) (result *V2Policy, response *core.DetailedResponse, err error)
ServiceCall<V2Policy> createV2Policy(CreateV2PolicyOptions createV2PolicyOptions)
createV2Policy(params)
create_v2_policy(
        self,
        control: 'Control',
        type: str,
        *,
        description: Optional[str] = None,
        subject: Optional['V2PolicySubject'] = None,
        resource: Optional['V2PolicyResource'] = None,
        pattern: Optional[str] = None,
        rule: Optional['V2PolicyRule'] = None,
        accept_language: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Authorization
To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
  • iam.policy.create
Auditing
Calling this method generates the following auditing event.
  • iam-am.policy.create
Request
Instantiate the CreateV2PolicyOptions struct and set the fields to provide parameter values for the CreateV2Policy method.
Use the CreateV2PolicyOptions.Builder to create a CreateV2PolicyOptions object that contains the parameter values for the createV2Policy method.
Custom Headers
  • Accept-Language
    string
    Language code for translations
    

      

    • default - English
      • 

    • de -  German (Standard)
      • 

    • en - English
      • 

    • es - Spanish (Spain)
      • 

    • fr - French (Standard)
      • 

    • it - Italian (Standard)
      • 

    • ja - Japanese
      • 

    • ko - Korean
      • 

    • pt-br - Portuguese (Brazil)
      • 

    • zh-cn - Chinese (Simplified, PRC)
      • 

    • zh-tw - (Chinese, Taiwan)
      • 

    

    Possible values:  length ≥ 1
    Default: default
Request Body
Required*
CreateUpdateV2PolicyRequest
A policy to be created.


parameter
WithContext method only
CreateV2PolicyOptions
The CreateV2Policy options.


CreateV2PolicyOptions
The createV2Policy options.


parameters
  • control
    Specifies the type of access granted by the policy.
    

  • type
    Required*
    string
    The policy type; either 'access' or 'authorization'.
    

    Allowable values: [access,authorization]
  • description
    string
    Description of the policy.
    

    Possible values:  1 ≤ length ≤ 300, Value must match regular expression /^.*$/
  • subject
    The subject attributes for whom the policy grants access.
    

  • resource
    The resource attributes to which the policy grants access.
    

  • pattern
    string
    Indicates pattern of rule, either 'time-based-conditions:once', 'time-based-conditions:weekly:all-day', or 'time-based-conditions:weekly:custom-hours'.
    

    Possible values:  1 ≤ length ≤ 42, Value must match regular expression /^[a-z:-]*$/
  • rule
    Rule that specifies additional access granted (e.g., time-based condition).
    

    • acceptLanguage
      string
      Language code for translations
      

        

      • default - English
        • 

      • de -  German (Standard)
        • 

      • en - English
        • 

      • es - Spanish (Spain)
        • 

      • fr - French (Standard)
        • 

      • it - Italian (Standard)
        • 

      • ja - Japanese
        • 

      • ko - Korean
        • 

      • pt-br - Portuguese (Brazil)
        • 

      • zh-cn - Chinese (Simplified, PRC)
        • 

      • zh-tw - (Chinese, Taiwan).
        • 

      

      Possible values:  length ≥ 1
      Default: default
    parameters
    • control
      Specifies the type of access granted by the policy.
      

    • type
      Required*
      str
      The policy type; either 'access' or 'authorization'.
      

      Allowable values: [access,authorization]
    • description
      str
      Description of the policy.
      

      Possible values:  1 ≤ length ≤ 300, Value must match regular expression /^.*$/
    • subject
      The subject attributes for whom the policy grants access.
      

    • resource
      The resource attributes to which the policy grants access.
      

    • pattern
      str
      Indicates pattern of rule, either 'time-based-conditions:once', 'time-based-conditions:weekly:all-day', or 'time-based-conditions:weekly:custom-hours'.
      

      Possible values:  1 ≤ length ≤ 42, Value must match regular expression /^[a-z:-]*$/
    • rule
      Rule that specifies additional access granted (e.g., time-based condition).
      

      • accept_language
        str
        Language code for translations
        

          

        • default - English
          • 

        • de -  German (Standard)
          • 

        • en - English
          • 

        • es - Spanish (Spain)
          • 

        • fr - French (Standard)
          • 

        • it - Italian (Standard)
          • 

        • ja - Japanese
          • 

        • ko - Korean
          • 

        • pt-br - Portuguese (Brazil)
          • 

        • zh-cn - Chinese (Simplified, PRC)
          • 

        • zh-tw - (Chinese, Taiwan).
          • 

        

        Possible values:  length ≥ 1
        Default: default
      • curl -X POST 'https://iam.cloud.ibm.com/v2/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "Editor role for SERVICE_NAME\'s RESOURCE_NAME",
  "subject": [
    {
      "attributes": [
        {
          "key": "iam_id",
          "operator": "stringEquals",
          "value": "IBMid-123453user"
        }
      ]
    }'
  ],
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Editor"
        }
      ],
    },
  },
  "resource": [
    {
      "attributes": [
        {
          "key": "accountId",
          "operator": "stringEquals",
          "value": "$ACCOUNT_ID"
        },
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "$SERVICE_NAME"
        },
        {
          "key": "resource",
          "operator": "stringEquals"
          "value": "$RESOURCE_NAME",
        }
      ]
    }
  ],
  "rule" :{
    "key": "{{environment.attributes.day_of_week}}",
    "operator": "dayOfWeekAnyOf",
    "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
  },
  "pattern": "time-based-conditions:weekly:all-day"
}'
      • subjectAttribute := &iampolicymanagementv1.V2PolicySubjectAttribute{
  Key:      core.StringPtr("iam_id"),
  Operator: core.StringPtr("stringEquals"),
  Value:    &exampleUserID,
}
policySubject := &iampolicymanagementv1.V2PolicySubject{
  Attributes: []iampolicymanagementv1.V2PolicySubjectAttribute{*subjectAttribute},
}
policyRole := &iampolicymanagementv1.Roles{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer"),
}
v2PolicyGrant := &iampolicymanagementv1.Grant{
  Roles: []iampolicymanagementv1.Roles{*policyRole},
}
v2PolicyControl := &iampolicymanagementv1.Control{
  Grant: v2PolicyGrant,
}
accountIDResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
  Key:      core.StringPtr("accountId"),
  Operator: core.StringPtr("stringEquals"),
  Value:    core.StringPtr(exampleAccountID),
}
serviceNameResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
  Key:      core.StringPtr("serviceType"),
  Operator: core.StringPtr("stringEquals"),
  Value:    core.StringPtr("service"),
}
policyResourceTag := &iampolicymanagementv1.V2PolicyResourceTag{
  Key:      core.StringPtr("project"),
  Value:    core.StringPtr("prototype"),
  Operator: core.StringPtr("stringEquals"),
}
policyResource := &iampolicymanagementv1.V2PolicyResource{
  Attributes: []iampolicymanagementv1.V2PolicyResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute},
  Tags: []iampolicymanagementv1.V2PolicyResourceTag{*policyResourceTag},
}
weeklyConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.day_of_week}}"),
  Operator: core.StringPtr("dayOfWeekAnyOf"),
  Value:    []string{"1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"},
}
startConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.current_time}}"),
  Operator: core.StringPtr("timeGreaterThanOrEquals"),
  Value:    core.StringPtr("09:00:00+00:00"),
}
endConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.current_time}}"),
  Operator: core.StringPtr("timeLessThanOrEquals"),
  Value:    core.StringPtr("17:00:00+00:00"),
}
policyRule := &iampolicymanagementv1.V2PolicyRule{
  Operator: core.StringPtr("and"),
  Conditions: []iampolicymanagementv1.NestedConditionIntf{
    weeklyConditionAttribute, startConditionAttribute, endConditionAttribute},
}

options := iamPolicyManagementService.NewCreateV2PolicyOptions(
  v2PolicyControl,
  "access",
)
options.SetSubject(policySubject)
options.SetResource(policyResource)
options.SetRule(policyRule)
options.SetPattern(*core.StringPtr("time-based-conditions:weekly:custom-hours"))

policy, response, err := iamPolicyManagementService.CreateV2Policy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
examplePolicyID = *policy.ID
fmt.Println(string(b))
      • V2PolicySubjectAttribute subjectAttribute = new V2PolicySubjectAttribute.Builder()
        .key("iam_id")
        .value(EXAMPLE_USER_ID)
        .operator("stringEquals")
        .build();

V2PolicySubject policySubject = new V2PolicySubject.Builder()
        .addAttributes(subjectAttribute)
        .build();

V2PolicyResourceAttribute accountIdResourceAttribute = new V2PolicyResourceAttribute.Builder()
        .key("accountId")
        .value(exampleAccountId)
        .operator("stringEquals")
        .build();

V2PolicyResourceAttribute serviceNameResourceAttribute = new V2PolicyResourceAttribute.Builder()
        .key("serviceType")
        .value("service")
        .operator("stringEquals")
        .build();

V2PolicyResourceTag policyResourceTag = new V2PolicyResourceTag.Builder()
        .key("project")
        .value("prototype")
        .operator("stringEquals")
        .build();

V2PolicyResource policyResource = new V2PolicyResource.Builder()
        .addAttributes(accountIdResourceAttribute)
        .addAttributes(serviceNameResourceAttribute)
        .addTags(policyResourceTag)
        .build();

Roles policyRoles = new Roles.Builder()
        .roleId("crn:v1:bluemix:public:iam::::role:Viewer")
        .build();

Grant policyGrant = new Grant.Builder()
        .roles(Arrays.asList(policyRoles))
        .build();

Control control = new Control.Builder()
        .grant(policyGrant)
        .build();

NestedConditionRuleAttribute weeklyConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.day_of_week}}")
        .value(new ArrayList<String>(Arrays.asList("1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00")))
        .operator("dayOfWeekAnyOf")
        .build();

NestedConditionRuleAttribute startConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.current_time}}")
        .value("09:00:00+00:00")
        .operator("timeGreaterThanOrEquals")
        .build();

NestedConditionRuleAttribute endConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.current_time}}")
        .value("17:00:00+00:00")
        .operator("timeLessThanOrEquals")
        .build();

V2PolicyRuleRuleWithNestedConditions policyRule = new V2PolicyRuleRuleWithNestedConditions.Builder()
        .operator("and")
        .conditions(new ArrayList<NestedCondition>(Arrays.asList(weeklyConditionAttribute, startConditionAttribute, endConditionAttribute)))
        .build();

CreateV2PolicyOptions options = new CreateV2PolicyOptions.Builder()
        .type("access")
        .subject(policySubject)
        .control(control)
        .resource(policyResource)
        .rule(policyRule)
        .pattern("time-based-conditions:weekly:custom-hours")
        .build();

Response<V2Policy> response = service.createV2Policy(options).execute();
V2Policy policy = response.getResult();

exampleV2PolicyId = policy.getId();

System.out.println(policy);
      • const policySubject = {
  attributes: [
    {
      key: 'iam_id',
      operator: 'stringEquals',
      value: exampleUserId,
    },
  ],
};
const policyResourceAccountAttribute = {
  key: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
const policyResourceServiceAttribute = {
  key: 'serviceType',
  operator: 'stringEquals',
  value: 'service',
};
const policyResource = {
  attributes: [policyResourceAccountAttribute, policyResourceServiceAttribute]
};
const policyControl = {
  grant: {
    roles: [{
      role_id: 'crn:v1:bluemix:public:iam::::role:Viewer',
    }],
  }
};
const policyRule = {
  operator: 'and',
  conditions: [
      {
          key: '{{environment.attributes.day_of_week}}',
          operator: 'dayOfWeekAnyOf',
          value: ['1+00:00', '2+00:00', '3+00:00', '4+00:00', '5+00:00'],
      },
      {
          key: '{{environment.attributes.current_time}}',
          operator: 'timeGreaterThanOrEquals',
          value: '09:00:00+00:00',
      },
      {
          key: '{{environment.attributes.current_time}}',
          operator: 'timeLessThanOrEquals',
          value: '17:00:00+00:00',
      },
  ],
}
const policyPattern = 'time-based-conditions:weekly:custom-hours'
const params = {
  type: 'access',
  subject: policySubject,
  control: policyControl,
  resource: policyResource,
  rule: policyRule,
  pattern: policyPattern,
};

try {
  const res = await iamPolicyManagementService.createV2Policy(params);
  examplePolicyId = res.result.id;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
      • policy_subject = V2PolicySubject(
  attributes=[V2PolicySubjectAttribute(key='iam_id', value=example_user_id, operator='stringEquals')]
)
policy_role = PolicyRole(role_id='crn:v1:bluemix:public:iam::::role:Viewer')
account_id_resource_attribute = V2PolicyResourceAttribute(
  key='accountId', value=example_account_id, operator='stringEquals'
)
service_name_resource_attribute = V2PolicyResourceAttribute(
  key='serviceType', value='service', operator='stringEquals'
)
policy_resource_tag = V2PolicyResourceTag(key='project', value='prototype', operator='stringEquals')
policy_resource = V2PolicyResource(
  attributes=[account_id_resource_attribute, service_name_resource_attribute], tags=[policy_resource_tag]
)
policy_control = Control(grant=Grant(roles=[policy_role]))
policy_rule = V2PolicyRuleRuleWithNestedConditions(
  operator='and',
  conditions=[
    RuleAttribute(
      key='{{environment.attributes.day_of_week}}',
      operator='dayOfWeekAnyOf',
      value=['1+00:00', '2+00:00', '3+00:00', '4+00:00', '5+00:00'],
    ),
    RuleAttribute(
      key='{{environment.attributes.current_time}}',
      operator='timeGreaterThanOrEquals',
      value='09:00:00+00:00',
    ),
    RuleAttribute(
      key='{{environment.attributes.current_time}}',
      operator='timeLessThanOrEquals',
      value='17:00:00+00:00',
    ),
  ],
)
policy_pattern = 'time-based-conditions:weekly:custom-hours'

policy = iam_policy_management_service.create_v2_policy(
  type='access',
  subject=policy_subject,
  control=policy_control,
  resource=policy_resource,
  rule=policy_rule,
  pattern=policy_pattern,
).get_result()

global example_policy_id
example_policy_id = policy['id']

print(json.dumps(policy, indent=2))
      Response
      Response Body
      V2Policy
      The core set of properties associated with the policy.
      

      V2Policy
      The core set of properties associated with the policy.
      

      V2Policy
      The core set of properties associated with the policy.
      

      V2Policy
      The core set of properties associated with the policy.
      

      V2Policy
      The core set of properties associated with the policy.
      

      Status Code
      • 201
        Policy creation successful.
        

      • 400
        Policy input is invalid.
        

      • 401
        The token you provided is not valid.
        

      • 403
        You do not have access to create the policy.
        

      • 406
        The requested resource(s) cannot be formatted using the requested media type(s).
        

      • 409
        A policy already exists for the given subject and resource. You can update that policy or delete it and create a new one.
        

      • 415
        Request body sent was formatted using an unsupported media type.
        

      • 422
        Exceeded maximum policies quota.
        

      • 429
        Too many requests have been made within a given time window.
        

      Example responses
      • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00",
          "5+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
      • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00",
          "5+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy."
    }
  ],
  "status_code": 403
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy."
    }
  ],
  "status_code": 403
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to create policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to create policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policies quota (4020) for account 100abcde100a41abc100aza678abc0zz."
    }
  ],
  "status_code": 422
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policies quota (4020) for account 100abcde100a41abc100aza678abc0zz."
    }
  ],
  "status_code": 422
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
      • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
      Update a policy
      Beta
      Update a policy to grant access between a subject and a resource.
A policy administrator might want to update an existing policy.
      

      Access
      

      To update an access policy, use "type": "access" in the body.
The supported subject attributes are iam_id and access_group_id.
Use the iam_id subject attribute to assign access to a user or service-id.
Use the access_group_id subject attribute to assign access to an access group.
Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions.
Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation.
The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute.
In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator.
The possible combination operators are and and or.
      

      Currently, we support two types of patterns:
      

        

      1. time-based: Used to specify a time-based restriction
        2. 

      

      Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week).
For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:
      

        "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }

      

      You can use the following operators in the key and value pair:
      

        'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
  'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
  'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
  'dayOfWeekEquals', 'dayOfWeekAnyOf'

      

      The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly".
For more information, see Time-based conditions operators and
Limiting access with time-based conditions.
If the subject is a locked service-id, the request will fail.
      

        

      1. attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.
        2. 

      

      Combine conditions to specify an attribute-based condition using AND/OR-based operators.
      

      For example, a policy can grant access based on multiple conditions applied on the resource attributes below:
      

        "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/*"
        }
      ]
  }

      

      In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR
the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy,
making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.
      

      Authorization
      

      To update an authorization policy, use "type": "authorization" in the body.
The subject attributes must match the supported authorization subjects of the resource.
Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId
Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions.
The user must also have the same level of access or greater to the target resource in order to grant the role.
Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation.
Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.
      

      Attribute Operators
      

      Currently, only the stringEquals, stringMatch, and stringEquals operators are available.
For more information, see Assigning access by using wildcard policies.
      

      Attribute Validations
      

      Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.
      

      Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy.
      

      Access
      

      To update an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.
      

      Currently, we support two types of patterns:
      

        

      1. time-based: Used to specify a time-based restriction
        2. 

      

      Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:
      

        "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

      

      'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
'dayOfWeekEquals', 'dayOfWeekAnyOf'
``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and
Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.
      

        

      1. attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.
        2. 

      

      Combine conditions to specify an attribute-based condition using AND/OR-based operators.
      

      For example, a policy can grant access based on multiple conditions applied on the resource attributes below:
      

        "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }

      

      In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR  the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy,  making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.
      

      Authorization
      

      To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.
      

      Attribute Operators
      

      Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.
      

      Attribute Validations
      

      Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.
      

      Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy.
      

      Access
      

      To update an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.
      

      Currently, we support two types of patterns:
      

        

      1. time-based: Used to specify a time-based restriction
        2. 

      

      Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:
      

        "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

      

      'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
'dayOfWeekEquals', 'dayOfWeekAnyOf'
``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and
Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.
      

        

      1. attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.
        2. 

      

      Combine conditions to specify an attribute-based condition using AND/OR-based operators.
      

      For example, a policy can grant access based on multiple conditions applied on the resource attributes below:
      

        "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }

      

      In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR  the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy,  making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.
      

      Authorization
      

      To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.
      

      Attribute Operators
      

      Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.
      

      Attribute Validations
      

      Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.
      

      Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy.
      

      Access
      

      To update an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.
      

      Currently, we support two types of patterns:
      

        

      1. time-based: Used to specify a time-based restriction
        2. 

      

      Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:
      

        "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

      

      'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
'dayOfWeekEquals', 'dayOfWeekAnyOf'
``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and
Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.
      

        

      1. attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.
        2. 

      

      Combine conditions to specify an attribute-based condition using AND/OR-based operators.
      

      For example, a policy can grant access based on multiple conditions applied on the resource attributes below:
      

        "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }

      

      In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR  the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy,  making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.
      

      Authorization
      

      To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.
      

      Attribute Operators
      

      Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.
      

      Attribute Validations
      

      Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.
      

      Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy.
      

      Access
      

      To update an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.
      

      Currently, we support two types of patterns:
      

        

      1. time-based: Used to specify a time-based restriction
        2. 

      

      Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:
      

        "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

      

      'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
'dayOfWeekEquals', 'dayOfWeekAnyOf'
``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and
Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.
      

        

      1. attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.
        2. 

      

      Combine conditions to specify an attribute-based condition using AND/OR-based operators.
      

      For example, a policy can grant access based on multiple conditions applied on the resource attributes below:
      

        "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/*"
        }
      ]
  }

      

      In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR  the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy,  making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.
      

      Authorization
      

      To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.
      

      Attribute Operators
      

      Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.
      

      Attribute Validations
      

      Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.
      

      PUT /v2/policies/{id}
      (iamPolicyManagement *IamPolicyManagementV1) ReplaceV2Policy(replaceV2PolicyOptions *ReplaceV2PolicyOptions) (result *V2Policy, response *core.DetailedResponse, err error)
      (iamPolicyManagement *IamPolicyManagementV1) ReplaceV2PolicyWithContext(ctx context.Context, replaceV2PolicyOptions *ReplaceV2PolicyOptions) (result *V2Policy, response *core.DetailedResponse, err error)
      ServiceCall<V2Policy> replaceV2Policy(ReplaceV2PolicyOptions replaceV2PolicyOptions)
      replaceV2Policy(params)
      replace_v2_policy(
        self,
        id: str,
        if_match: str,
        control: 'Control',
        type: str,
        *,
        description: Optional[str] = None,
        subject: Optional['V2PolicySubject'] = None,
        resource: Optional['V2PolicyResource'] = None,
        pattern: Optional[str] = None,
        rule: Optional['V2PolicyRule'] = None,
        **kwargs,
    ) -> DetailedResponse
      Authorization
      To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
      • iam.policy.update
      Auditing
      Calling this method generates the following auditing event.
      • iam-am.policy.update
      Request
      Instantiate the ReplaceV2PolicyOptions struct and set the fields to provide parameter values for the ReplaceV2Policy method.
      Use the ReplaceV2PolicyOptions.Builder to create a ReplaceV2PolicyOptions object that contains the parameter values for the replaceV2Policy method.
      Custom Headers
      • If-Match
        Required*
        string
        The revision number for updating a policy and must match the ETag value of the existing policy.
The Etag can be retrieved using the GET /v2/policies/{id} API and looking at the ETag response header.
        

        Possible values:  length ≥ 1
      Path Parameters
      • id
        Required*
        string
        The policy ID.
        

        Possible values:  length ≥ 1
      Request Body
      Required*
      CreateUpdateV2PolicyRequest
      Updated policy content to be saved.
      

      parameter
      WithContext method only
      ReplaceV2PolicyOptions
      The ReplaceV2Policy options.
      

      ReplaceV2PolicyOptions
      The replaceV2Policy options.
      

      parameters
      • id
        Required*
        string
        The policy ID.
        

        Possible values:  length ≥ 1
      • ifMatch
        Required*
        string
        The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v2/policies/{id} API and looking at the ETag response header.
        

        Possible values:  length ≥ 1
      • control
        Specifies the type of access granted by the policy.
        

      • type
        Required*
        string
        The policy type; either 'access' or 'authorization'.
        

        Allowable values: [access,authorization]
      • description
        string
        Description of the policy.
        

        Possible values:  1 ≤ length ≤ 300, Value must match regular expression /^.*$/
      • subject
        The subject attributes for whom the policy grants access.
        

      • resource
        The resource attributes to which the policy grants access.
        

      • pattern
        string
        Indicates pattern of rule, either 'time-based-conditions:once', 'time-based-conditions:weekly:all-day', or 'time-based-conditions:weekly:custom-hours'.
        

        Possible values:  1 ≤ length ≤ 42, Value must match regular expression /^[a-z:-]*$/
      • rule
        Rule that specifies additional access granted (e.g., time-based condition).
        

        parameters
        • id
          Required*
          str
          The policy ID.
          

          Possible values:  length ≥ 1
        • if_match
          Required*
          str
          The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v2/policies/{id} API and looking at the ETag response header.
          

          Possible values:  length ≥ 1
        • control
          Specifies the type of access granted by the policy.
          

        • type
          Required*
          str
          The policy type; either 'access' or 'authorization'.
          

          Allowable values: [access,authorization]
        • description
          str
          Description of the policy.
          

          Possible values:  1 ≤ length ≤ 300, Value must match regular expression /^.*$/
        • subject
          The subject attributes for whom the policy grants access.
          

        • resource
          The resource attributes to which the policy grants access.
          

        • pattern
          str
          Indicates pattern of rule, either 'time-based-conditions:once', 'time-based-conditions:weekly:all-day', or 'time-based-conditions:weekly:custom-hours'.
          

          Possible values:  1 ≤ length ≤ 42, Value must match regular expression /^[a-z:-]*$/
        • rule
          Rule that specifies additional access granted (e.g., time-based condition).
          

          • curl -X PUT 'https://iam.cloud.ibm.com/v2/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{
  "type": "access",
  "description": "Viewer role for for all instances of SERVICE_NAME in the account.",
  "subject": [
    {
      "attributes": [
        {
          "key": "iam_id",
          "operator": "stringEquals",
          "value": "IBMid-123453user"
        }
      ]
    }'
  ],
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ],
    },
  },
  "resource": [
    {
      "attributes": [
        {
          "key": "accountId",
          "operator": "stringEquals",
          "value": "$ACCOUNT_ID"
        },
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "$SERVICE_NAME"
        }
      ]
    }
  ],
  "rule": {
    "key": "{{environment.attributes.day_of_week}}",
    "operator": "dayOfWeekAnyOf",
    "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
  },
  "pattern": "time-based-conditions:weekly:all-day"
}'
          • subjectAttribute := &iampolicymanagementv1.V2PolicySubjectAttribute{
  Key:      core.StringPtr("iam_id"),
  Operator: core.StringPtr("stringEquals"),
  Value:    &exampleUserID,
}
policySubject := &iampolicymanagementv1.V2PolicySubject{
  Attributes: []iampolicymanagementv1.V2PolicySubjectAttribute{*subjectAttribute},
}
updatedPolicyRole := &iampolicymanagementv1.Roles{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Editor"),
}
v2PolicyGrant := &iampolicymanagementv1.Grant{
  Roles: []iampolicymanagementv1.Roles{*updatedPolicyRole},
}
v2PolicyControl := &iampolicymanagementv1.Control{
  Grant: v2PolicyGrant,
}
accountIDResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
  Key:      core.StringPtr("accountId"),
  Operator: core.StringPtr("stringEquals"),
  Value:    core.StringPtr(exampleAccountID),
}
serviceNameResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
  Key:      core.StringPtr("serviceType"),
  Operator: core.StringPtr("stringEquals"),
  Value:    core.StringPtr("service"),
}
policyResource := &iampolicymanagementv1.V2PolicyResource{
  Attributes: []iampolicymanagementv1.V2PolicyResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute},
}

options := iamPolicyManagementService.NewReplaceV2PolicyOptions(
  examplePolicyID,
  examplePolicyETag,
  v2PolicyControl,
  "access",
)
weeklyConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.day_of_week}}"),
  Operator: core.StringPtr("dayOfWeekAnyOf"),
  Value:    []string{"1+00:00", "2+00:00", "3+00:00", "4+00:00"},
}
startConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.current_time}}"),
  Operator: core.StringPtr("timeGreaterThanOrEquals"),
  Value:    core.StringPtr("09:00:00+00:00"),
}
endConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.current_time}}"),
  Operator: core.StringPtr("timeLessThanOrEquals"),
  Value:    core.StringPtr("17:00:00+00:00"),
}
policyRule := &iampolicymanagementv1.V2PolicyRule{
  Operator: core.StringPtr("and"),
  Conditions: []iampolicymanagementv1.NestedConditionIntf{
    weeklyConditionAttribute, startConditionAttribute, endConditionAttribute},
}
options.SetRule(policyRule)
options.SetPattern(*core.StringPtr("time-based-conditions:weekly:custom-hours"))
options.SetSubject(policySubject)
options.SetResource(policyResource)

policy, response, err := iamPolicyManagementService.ReplaceV2Policy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))
          • V2PolicySubjectAttribute subjectAttribute = new V2PolicySubjectAttribute.Builder()
        .key("iam_id")
        .value(EXAMPLE_USER_ID)
        .operator("stringEquals")
        .build();

V2PolicySubject policySubject = new V2PolicySubject.Builder()
        .addAttributes(subjectAttribute)
        .build();

V2PolicyResourceAttribute accountIdResourceAttribute = new V2PolicyResourceAttribute.Builder()
        .key("accountId")
        .value(exampleAccountId)
        .operator("stringEquals")
        .build();

V2PolicyResourceAttribute serviceNameResourceAttribute = new V2PolicyResourceAttribute.Builder()
        .key("serviceType")
        .value("service")
        .operator("stringEquals")
        .build();

V2PolicyResourceTag policyResourceTag = new V2PolicyResourceTag.Builder()
        .key("project")
        .value("prototype")
        .operator("stringEquals")
        .build();

V2PolicyResource policyResource = new V2PolicyResource.Builder()
        .addAttributes(accountIdResourceAttribute)
        .addAttributes(serviceNameResourceAttribute)
        .addTags(policyResourceTag)
        .build();

Roles updatedPolicyRole = new Roles.Builder()
        .roleId("crn:v1:bluemix:public:iam::::role:Editor")
        .build();
Grant policyGrant = new Grant.Builder()
        .roles(Arrays.asList(updatedPolicyRole))
        .build();

Control policyControl = new Control.Builder()
        .grant(policyGrant)
        .build();

NestedConditionRuleAttribute weeklyConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.day_of_week}}")
        .value(new ArrayList<String>(Arrays.asList("1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00")))
        .operator("dayOfWeekAnyOf")
        .build();

NestedConditionRuleAttribute startConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.current_time}}")
        .value("09:00:00+00:00")
        .operator("timeGreaterThanOrEquals")
        .build();

NestedConditionRuleAttribute endConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.current_time}}")
        .value("17:00:00+00:00")
        .operator("timeLessThanOrEquals")
        .build();

V2PolicyRuleRuleWithNestedConditions policyRule = new V2PolicyRuleRuleWithNestedConditions.Builder()
        .operator("and")
        .conditions(new ArrayList<NestedCondition>(Arrays.asList(weeklyConditionAttribute, startConditionAttribute, endConditionAttribute)))
        .build();

ReplaceV2PolicyOptions options = new ReplaceV2PolicyOptions.Builder()
        .type("access")
        .id(exampleV2PolicyId)
        .ifMatch(exampleV2PolicyEtag)
        .subject(policySubject)
        .control(policyControl)
        .resource(policyResource)
        .rule(policyRule)
        .pattern("time-based-conditions:weekly:custom-hours")
        .build();

Response<V2Policy> response = service.replaceV2Policy(options).execute();
V2Policy policy = response.getResult();

exampleV2PolicyEtag = response.getHeaders().values("Etag").get(0);

System.out.println(policy);
          • const policySubject = {
  attributes: [
    {
      key: 'iam_id',
      operator: 'stringEquals',
      value: exampleUserId,
    },
  ],
};
const policyResourceAccountAttribute = {
  key: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
const policyResourceServiceAttribute = {
  key: 'serviceType',
  operator: 'stringEquals',
  value: 'service',
};
const policyResource = {
  attributes: [policyResourceAccountAttribute, policyResourceServiceAttribute]
};
const updatedPolicyControl = {
  grant: {
    roles: [{
      role_id: 'crn:v1:bluemix:public:iam::::role:Editor',
    }],
  }
};
const policyRule = {
  operator: 'and',
  conditions: [
      {
          key: '{{environment.attributes.day_of_week}}',
          operator: 'dayOfWeekAnyOf',
          value: ['1+00:00', '2+00:00', '3+00:00', '4+00:00', '5+00:00'],
      },
      {
          key: '{{environment.attributes.current_time}}',
          operator: 'timeGreaterThanOrEquals',
          value: '09:00:00+00:00',
      },
      {
          key: '{{environment.attributes.current_time}}',
          operator: 'timeLessThanOrEquals',
          value: '17:00:00+00:00',
      },
  ],
}
const policyPattern = 'time-based-conditions:weekly:custom-hours'
const params = {
  type: 'access',
  id: examplePolicyId,
  ifMatch: examplePolicyETag,
  subject: policySubject,
  control: updatedPolicyControl,
  resource: policyResource,
  rule: policyRule,
  pattern: policyPattern,
};

try {
  const res = await iamPolicyManagementService.replaceV2Policy(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
          • policy_subject = V2PolicySubject(
  attributes=[V2PolicySubjectAttribute(key='iam_id', value=example_user_id, operator='stringEquals')]
)
updated_policy_role = PolicyRole(role_id='crn:v1:bluemix:public:iam::::role:Editor')
account_id_resource_attribute = V2PolicyResourceAttribute(
  key='accountId', value=example_account_id, operator='stringEquals'
)
service_name_resource_attribute = V2PolicyResourceAttribute(
  key='serviceType', value='service', operator='stringEquals'
)
policy_resource_tag = V2PolicyResourceTag(key='project', value='prototype', operator='stringEquals')
policy_resource = PolicyResource(
  attributes=[account_id_resource_attribute, service_name_resource_attribute], tags=[policy_resource_tag]
)
policy_control = Control(grant=Grant(roles=[updated_policy_role]))
policy_rule = V2PolicyRuleRuleWithNestedConditions(
  operator='and',
  conditions=[
    RuleAttribute(
      key='{{environment.attributes.day_of_week}}',
      operator='dayOfWeekAnyOf',
      value=['1+00:00', '2+00:00', '3+00:00', '4+00:00', '5+00:00'],
    ),
    RuleAttribute(
      key='{{environment.attributes.current_time}}',
      operator='timeGreaterThanOrEquals',
      value='09:00:00+00:00',
    ),
    RuleAttribute(
      key='{{environment.attributes.current_time}}',
      operator='timeLessThanOrEquals',
      value='17:00:00+00:00',
    ),
  ],
)
policy_pattern = 'time-based-conditions:weekly:custom-hours'

response = iam_policy_management_service.replace_v2_policy(
  type='access',
  id=example_policy_id,
  if_match=example_policy_etag,
  subject=policy_subject,
  control=policy_control,
  resource=policy_resource,
  rule=policy_rule,
  pattern=policy_pattern,
)
policy = response.get_result()

print(json.dumps(policy, indent=2))
          Response
          Response Body
          V2Policy
          The core set of properties associated with the policy.
          

          V2Policy
          The core set of properties associated with the policy.
          

          V2Policy
          The core set of properties associated with the policy.
          

          V2Policy
          The core set of properties associated with the policy.
          

          V2Policy
          The core set of properties associated with the policy.
          

          Status Code
          • 200
            Policy update successful.
            

          • 400
            Policy input is invalid.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to update the policy.
            

          • 404
            Policy was not found.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 409
            A policy already exists for the given subject and resource. You can update that policy or delete it and create a new one.
            

          • 415
            Request body sent was formatted using an unsupported media type.
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours, except Friday.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours, except Friday.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy and delete the existing one."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy and delete the existing one."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to update policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to update policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Retrieve a policy by ID
          Beta
          Retrieve a policy by providing a policy ID.
          

          Retrieve a policy by providing a policy ID.
          

          Retrieve a policy by providing a policy ID.
          

          Retrieve a policy by providing a policy ID.
          

          Retrieve a policy by providing a policy ID.
          

          GET /v2/policies/{id}
          (iamPolicyManagement *IamPolicyManagementV1) GetV2Policy(getV2PolicyOptions *GetV2PolicyOptions) (result *V2PolicyTemplateMetaData, response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) GetV2PolicyWithContext(ctx context.Context, getV2PolicyOptions *GetV2PolicyOptions) (result *V2PolicyTemplateMetaData, response *core.DetailedResponse, err error)
          ServiceCall<V2PolicyTemplateMetaData> getV2Policy(GetV2PolicyOptions getV2PolicyOptions)
          getV2Policy(params)
          get_v2_policy(
        self,
        id: str,
        *,
        format: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam.policy.read
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policy.read
          Request
          Instantiate the GetV2PolicyOptions struct and set the fields to provide parameter values for the GetV2Policy method.
          Use the GetV2PolicyOptions.Builder to create a GetV2PolicyOptions object that contains the parameter values for the getV2Policy method.
          Path Parameters
          • id
            Required*
            string
            The policy ID.
            

            Possible values:  length ≥ 1
          Query Parameters
          • format
            string
            Include additional data for policy returned
            

              

            • include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
              • 

            • display - returns the list of all actions included in each of the policy roles and translations for all relevant fields
              • 

            

            Allowable values: [include_last_permit,display]
          parameter
          WithContext method only
          GetV2PolicyOptions
          The GetV2Policy options.
          

          GetV2PolicyOptions
          The getV2Policy options.
          

          parameters
          • id
            Required*
            string
            The policy ID.
            

            Possible values:  length ≥ 1
          • format
            string
            Include additional data for policy returned
            

              

            • include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
              • 

            • display - returns the list of all actions included in each of the policy roles and translations for all relevant fields.
              • 

            

            Allowable values: [include_last_permit,display]
          parameters
          • id
            Required*
            str
            The policy ID.
            

            Possible values:  length ≥ 1
          • format
            str
            Include additional data for policy returned
            

              

            • include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
              • 

            • display - returns the list of all actions included in each of the policy roles and translations for all relevant fields.
              • 

            

            Allowable values: [include_last_permit,display]
          • curl -X GET 'https://iam.cloud.ibm.com/v2/policies/$POLICY_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
          • options := iamPolicyManagementService.NewGetV2PolicyOptions(
  examplePolicyID,
)

policy, response, err := iamPolicyManagementService.GetV2Policy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
examplePolicyETag = response.GetHeaders().Get("ETag")
fmt.Println(string(b))
          • GetV2PolicyOptions options = new GetV2PolicyOptions.Builder()
        .id(exampleV2PolicyId)
        .build();

Response<V2PolicyTemplateMetaData> response = service.getV2Policy(options).execute();
V2PolicyTemplateMetaData policy = response.getResult();

exampleV2PolicyEtag = response.getHeaders().values("Etag").get(0);

System.out.println(policy);


GetV2PolicyOptions options = new GetV2PolicyOptions.Builder()
        .id(exampleAssignmentPolicyId)
        .build();

Response<V2PolicyTemplateMetaData> response = service.getV2Policy(options).execute();
V2PolicyTemplateMetaData policy = response.getResult();

System.out.println(policy.getTemplate());
          • const params = {
  id: examplePolicyId,
};

try {
  const res = await iamPolicyManagementService.getV2Policy(params);
  examplePolicyETag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}


const params = {
  id: exampleAssignmentPolicyId,
};

try {
  const res = await iamPolicyManagementService.getV2Policy(params);
  examplePolicyETag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
          • response = iam_policy_management_service.get_v2_policy(id=example_policy_id)
policy = response.get_result()

global example_policy_etag
example_policy_etag = response.get_headers().get("Etag")

print(json.dumps(policy, indent=2))
          Response
          Response Body
          V2PolicyTemplateMetaData
          The core set of properties associated with the policy.
          

          V2PolicyTemplateMetaData
          The core set of properties associated with the policy.
          

          V2PolicyTemplateMetaData
          The core set of properties associated with the policy.
          

          V2PolicyTemplateMetaData
          The core set of properties associated with the policy.
          

          V2PolicyTemplateMetaData
          The core set of properties associated with the policy.
          

          Status Code
          • 200
            Policy retrieval successful.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to retrieve the policy.
            

          • 404
            Policy was not found.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00",
          "5+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00",
          "5+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Delete a policy by ID
          Beta
          Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID
contains a locked service ID.
If the subject of the policy is a locked service-id, the request will fail.
          

          Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.
          

          Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.
          

          Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.
          

          Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.
          

          DELETE /v2/policies/{id}
          (iamPolicyManagement *IamPolicyManagementV1) DeleteV2Policy(deleteV2PolicyOptions *DeleteV2PolicyOptions) (response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) DeleteV2PolicyWithContext(ctx context.Context, deleteV2PolicyOptions *DeleteV2PolicyOptions) (response *core.DetailedResponse, err error)
          ServiceCall<Void> deleteV2Policy(DeleteV2PolicyOptions deleteV2PolicyOptions)
          deleteV2Policy(params)
          delete_v2_policy(
        self,
        id: str,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam.policy.delete
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policy.delete
          Request
          Instantiate the DeleteV2PolicyOptions struct and set the fields to provide parameter values for the DeleteV2Policy method.
          Use the DeleteV2PolicyOptions.Builder to create a DeleteV2PolicyOptions object that contains the parameter values for the deleteV2Policy method.
          Path Parameters
          • id
            Required*
            string
            The policy ID.
            

            Possible values:  length ≥ 1
          parameter
          WithContext method only
          DeleteV2PolicyOptions
          The DeleteV2Policy options.
          

          DeleteV2PolicyOptions
          The deleteV2Policy options.
          

          parameters
          • id
            Required*
            string
            The policy ID.
            

            Possible values:  length ≥ 1
          parameters
          • id
            Required*
            str
            The policy ID.
            

            Possible values:  length ≥ 1
          • curl -X DELETE 'https://iam.cloud.ibm.com/v2/policies/$POLICY_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
          • options := iamPolicyManagementService.NewDeleteV2PolicyOptions(
  examplePolicyID,
)

response, err := iamPolicyManagementService.DeleteV2Policy(options)
if err != nil {
  panic(err)
}
          • const params = {
  id: examplePolicyId,
};

try {
  await iamPolicyManagementService.deleteV2Policy(params);
} catch (err) {
  console.warn(err);
}
          • response = iam_policy_management_service.delete_v2_policy(id=example_policy_id).get_result()

print(json.dumps(response, indent=2))
          Response
          Status Code
          • 204
            Policy deletion successful.
            

          • 400
            Policy was not valid to delete.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to delete the policy.
            

          • 404
            Policy was not found.
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a locked service id, cannot perform action"
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a locked service id, cannot perform action"
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          List policy templates by attributes
          List policy templates and filter by attributes by using query parameters.
The following attributes are supported:
account_id, policy_service_name, policy_service_type, policy_service_group_id and policy_type.
account_id is a required query parameter.
These attributes policy_service_name, policy_service_type and policy_service_group_id are mutually exclusive.
Only policy templates that have the specified attributes and that
the caller has read access to are returned.
If the caller does not have read access to any policy templates an empty array
is returned.
          

          List policy templates and filter by attributes by using query parameters. The following attributes are supported:
account_id, policy_service_name, policy_service_type, policy_service_group_id and policy_type.
account_id is a required query parameter. These attributes policy_service_name, policy_service_type and policy_service_group_id are mutually exclusive. Only policy templates that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policy templates an empty array is returned.
          

          List policy templates and filter by attributes by using query parameters. The following attributes are supported:
account_id, policy_service_name, policy_service_type, policy_service_group_id and policy_type.
account_id is a required query parameter. These attributes policy_service_name, policy_service_type and policy_service_group_id are mutually exclusive. Only policy templates that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policy templates an empty array is returned.
          

          List policy templates and filter by attributes by using query parameters. The following attributes are supported:
account_id, policy_service_name, policy_service_type, policy_service_group_id and policy_type.
account_id is a required query parameter. These attributes policy_service_name, policy_service_type and policy_service_group_id are mutually exclusive. Only policy templates that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policy templates an empty array is returned.
          

          List policy templates and filter by attributes by using query parameters. The following attributes are supported:
account_id, policy_service_name, policy_service_type, policy_service_group_id and policy_type.
account_id is a required query parameter. These attributes policy_service_name, policy_service_type and policy_service_group_id are mutually exclusive. Only policy templates that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policy templates an empty array is returned.
          

          GET /v1/policy_templates
          (iamPolicyManagement *IamPolicyManagementV1) ListPolicyTemplates(listPolicyTemplatesOptions *ListPolicyTemplatesOptions) (result *PolicyTemplateCollection, response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) ListPolicyTemplatesWithContext(ctx context.Context, listPolicyTemplatesOptions *ListPolicyTemplatesOptions) (result *PolicyTemplateCollection, response *core.DetailedResponse, err error)
          ServiceCall<PolicyTemplateCollection> listPolicyTemplates(ListPolicyTemplatesOptions listPolicyTemplatesOptions)
          listPolicyTemplates(params)
          list_policy_templates(
        self,
        account_id: str,
        *,
        accept_language: Optional[str] = None,
        state: Optional[str] = None,
        name: Optional[str] = None,
        policy_service_type: Optional[str] = None,
        policy_service_name: Optional[str] = None,
        policy_service_group_id: Optional[str] = None,
        policy_type: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-template.read
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyTemplate.read
          Request
          Instantiate the ListPolicyTemplatesOptions struct and set the fields to provide parameter values for the ListPolicyTemplates method.
          Use the ListPolicyTemplatesOptions.Builder to create a ListPolicyTemplatesOptions object that contains the parameter values for the listPolicyTemplates method.
          Custom Headers
          • Accept-Language
            string
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan)
              • 

            

            Possible values:  length ≥ 1
            Default: default
          Query Parameters
          • account_id
            Required*
            string
            The account GUID that the policy templates belong to.
            

            Possible values:  1 ≤ length ≤ 32, Value must match regular expression ^[A-Za-z0-9-]*$
          • state
            string
            The policy template state.
            

            Allowable values: [active,deleted]
          • name
            string
            The policy template name.
            

            Possible values:  1 ≤ length ≤ 100
          • policy_service_type
            string
            Service type, Optional.
            

            Allowable values: [service,platform_service]
          • policy_service_name
            string
            Service name, Optional.
            

            Possible values:  length ≥ 1
          • policy_service_group_id
            string
            Service group id, Optional.
            

            Possible values:  length ≥ 1
          • policy_type
            string
            Policy type, Optional.
            

            Allowable values: [access,authorization]
          • limit
            integer
            The number of documents to include in collection.
            

            Possible values:  1 ≤ value ≤ 100
            Default: 50
          • start
            string
            Page token that refers to the page of collection to return.
            

            Possible values:  9 ≤ length ≤ 100, Value must match regular expression ^[-A-Za-z0-9+/]*$
          parameter
          WithContext method only
          ListPolicyTemplatesOptions
          The ListPolicyTemplates options.
          

          ListPolicyTemplatesOptions
          The listPolicyTemplates options.
          

          parameters
          • accountId
            Required*
            string
            The account GUID that the policy templates belong to.
            

            Possible values:  1 ≤ length ≤ 32, Value must match regular expression /^[A-Za-z0-9-]*$/
          • acceptLanguage
            string
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan).
              • 

            

            Possible values:  length ≥ 1
            Default: default
          • state
            string
            The policy template state.
            

            Allowable values: [active,deleted]
          • name
            string
            The policy template name.
            

            Possible values:  1 ≤ length ≤ 100
          • policyServiceType
            string
            Service type, Optional.
            

            Allowable values: [service,platform_service]
          • policyServiceName
            string
            Service name, Optional.
            

            Possible values:  length ≥ 1
          • policyServiceGroupId
            string
            Service group id, Optional.
            

            Possible values:  length ≥ 1
          • policyType
            string
            Policy type, Optional.
            

            Allowable values: [access,authorization]
          parameters
          • account_id
            Required*
            str
            The account GUID that the policy templates belong to.
            

            Possible values:  1 ≤ length ≤ 32, Value must match regular expression /^[A-Za-z0-9-]*$/
          • accept_language
            str
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan).
              • 

            

            Possible values:  length ≥ 1
            Default: default
          • state
            str
            The policy template state.
            

            Allowable values: [active,deleted]
          • name
            str
            The policy template name.
            

            Possible values:  1 ≤ length ≤ 100
          • policy_service_type
            str
            Service type, Optional.
            

            Allowable values: [service,platform_service]
          • policy_service_name
            str
            Service name, Optional.
            

            Possible values:  length ≥ 1
          • policy_service_group_id
            str
            Service group id, Optional.
            

            Possible values:  length ≥ 1
          • policy_type
            str
            Policy type, Optional.
            

            Allowable values: [access,authorization]
          • curl -X GET 'https://iam.cloud.ibm.com/v1/policy_templates?account_id=$ACCOUNT_ID&state=active' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
          • listPolicyTemplatesOptions := iamPolicyManagementService.NewListPolicyTemplatesOptions(
  exampleAccountID,
)

policyTemplateCollection, response, err := iamPolicyManagementService.ListPolicyTemplates(listPolicyTemplatesOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyTemplateCollection, "", "  ")
fmt.Println(string(b))
          • ListPolicyTemplatesOptions listPolicyTemplatesOptions = new ListPolicyTemplatesOptions.Builder()
  .accountId(exampleAccountId)
  .build();

Response<PolicyTemplateCollection> response = service.listPolicyTemplates(listPolicyTemplatesOptions).execute();
PolicyTemplateCollection policyTemplateCollection = response.getResult();

System.out.println(policyTemplateCollection);
          • const params = {
  accountId: exampleAccountId,
};

let res;
try {
  res = await iamPolicyManagementService.listPolicyTemplates(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
          • response = iam_policy_management_service.list_policy_templates(
  account_id=example_account_id,
)
policy_template_collection = response.get_result()

print(json.dumps(policy_template_collection, indent=2))
          Response
          Response Body
          PolicyTemplateCollection
          A collection of policy Templates.
          

          PolicyTemplateCollection
          A collection of policy Templates.
          

          PolicyTemplateCollection
          A collection of policy Templates.
          

          PolicyTemplateCollection
          A collection of policy Templates.
          

          PolicyTemplateCollection
          A collection of policy Templates.
          

          Status Code
          • 200
            Policy Templates retrieval successful.
            

          • 400
            The request you made is not valid.
            

          • 401
            The token you provided is not valid.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "policy_templates": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "name": "Service Viewer template",
      "description": "Viewer role for all instances of SERVICE_NAME in the account.",
      "version": "1",
      "account_id": "000-000-000-001",
      "policy": {
        "type": "access",
        "description": "Viewer role access for all instances of key protect in the account during business hours.",
        "control": {
          "grant": {
            "roles": [
              {
                "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
              }
            ]
          }
        },
        "resource": {
          "attributes": [
            {
              "key": "serviceName",
              "operator": "stringEquals",
              "value": "kms"
            }
          ]
        },
        "rule": {
          "operator": "and",
          "conditions": [
            {
              "key": "{{environment.attributes.day_of_week}}",
              "operator": "dayOfWeekAnyOf",
              "value": [
                "1+00:00",
                "2+00:00",
                "3+00:00",
                "4+00:00",
                "5+00:00"
              ]
            },
            {
              "key": "{{environment.attributes.current_time}}",
              "operator": "timeGreaterThanOrEquals",
              "value": "09:00:00+00:00"
            },
            {
              "key": "{{environment.attributes.current_time}}",
              "operator": "timeLessThanOrEquals",
              "value": "17:00:00+00:00"
            }
          ]
        },
        "pattern": "time-based-conditions:weekly:custom-hours"
      },
      "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "state": "active"
    }
  ]
}
          • {
  "policy_templates": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "name": "Service Viewer template",
      "description": "Viewer role for all instances of SERVICE_NAME in the account.",
      "version": "1",
      "account_id": "000-000-000-001",
      "policy": {
        "type": "access",
        "description": "Viewer role access for all instances of key protect in the account during business hours.",
        "control": {
          "grant": {
            "roles": [
              {
                "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
              }
            ]
          }
        },
        "resource": {
          "attributes": [
            {
              "key": "serviceName",
              "operator": "stringEquals",
              "value": "kms"
            }
          ]
        },
        "rule": {
          "operator": "and",
          "conditions": [
            {
              "key": "{{environment.attributes.day_of_week}}",
              "operator": "dayOfWeekAnyOf",
              "value": [
                "1+00:00",
                "2+00:00",
                "3+00:00",
                "4+00:00",
                "5+00:00"
              ]
            },
            {
              "key": "{{environment.attributes.current_time}}",
              "operator": "timeGreaterThanOrEquals",
              "value": "09:00:00+00:00"
            },
            {
              "key": "{{environment.attributes.current_time}}",
              "operator": "timeLessThanOrEquals",
              "value": "17:00:00+00:00"
            }
          ]
        },
        "pattern": "time-based-conditions:weekly:custom-hours"
      },
      "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "state": "active"
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Create a policy template
          Create a policy template. Policy templates define a policy without requiring a subject, and you can use them to grant access to multiple subjects.
          

          Create a policy template. Policy templates define a policy without requiring a subject, and you can use them to grant access to multiple subjects.
          

          Create a policy template. Policy templates define a policy without requiring a subject, and you can use them to grant access to multiple subjects.
          

          Create a policy template. Policy templates define a policy without requiring a subject, and you can use them to grant access to multiple subjects.
          

          Create a policy template. Policy templates define a policy without requiring a subject, and you can use them to grant access to multiple subjects.
          

          POST /v1/policy_templates
          (iamPolicyManagement *IamPolicyManagementV1) CreatePolicyTemplate(createPolicyTemplateOptions *CreatePolicyTemplateOptions) (result *PolicyTemplateLimitData, response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) CreatePolicyTemplateWithContext(ctx context.Context, createPolicyTemplateOptions *CreatePolicyTemplateOptions) (result *PolicyTemplateLimitData, response *core.DetailedResponse, err error)
          ServiceCall<PolicyTemplateLimitData> createPolicyTemplate(CreatePolicyTemplateOptions createPolicyTemplateOptions)
          createPolicyTemplate(params)
          create_policy_template(
        self,
        name: str,
        account_id: str,
        policy: 'TemplatePolicy',
        *,
        description: Optional[str] = None,
        committed: Optional[bool] = None,
        accept_language: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-template.create
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyTemplate.create
          Request
          Instantiate the CreatePolicyTemplateOptions struct and set the fields to provide parameter values for the CreatePolicyTemplate method.
          Use the CreatePolicyTemplateOptions.Builder to create a CreatePolicyTemplateOptions object that contains the parameter values for the createPolicyTemplate method.
          Custom Headers
          • Accept-Language
            string
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan)
              • 

            

            Possible values:  length ≥ 1
            Default: default
          Request Body
          Required*
          PolicyTemplateRequest
          A policy template to be created.
          

          parameter
          WithContext method only
          CreatePolicyTemplateOptions
          The CreatePolicyTemplate options.
          

          CreatePolicyTemplateOptions
          The createPolicyTemplate options.
          

          parameters
          • name
            Required*
            string
            Required field when creating a new template. Otherwise this field is optional. If the field is included it will change the name value for all existing versions of the template.
            

            Possible values:  1 ≤ length ≤ 100, Value must match regular expression /^.*$/
          • accountId
            Required*
            string
            Enterprise account ID where this template will be created.
            

            Possible values:  1 ≤ length ≤ 32, Value must match regular expression /^[A-Za-z0-9-]*$/
          • policy
            The core set of properties associated with the template's policy objet.
            

          • description
            string
            Description of the policy template. This is shown to users in the enterprise account. Use this to describe the purpose or context of the policy for enterprise users managing IAM templates.
            

            Possible values:  0 ≤ length ≤ 300, Value must match regular expression /^.*$/
          • committed
            boolean
            Committed status of the template.
            

          • acceptLanguage
            string
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan).
              • 

            

            Possible values:  length ≥ 1
            Default: default
          parameters
          • name
            Required*
            str
            Required field when creating a new template. Otherwise this field is optional. If the field is included it will change the name value for all existing versions of the template.
            

            Possible values:  1 ≤ length ≤ 100, Value must match regular expression /^.*$/
          • account_id
            Required*
            str
            Enterprise account ID where this template will be created.
            

            Possible values:  1 ≤ length ≤ 32, Value must match regular expression /^[A-Za-z0-9-]*$/
          • policy
            The core set of properties associated with the template's policy objet.
            

          • description
            str
            Description of the policy template. This is shown to users in the enterprise account. Use this to describe the purpose or context of the policy for enterprise users managing IAM templates.
            

            Possible values:  0 ≤ length ≤ 300, Value must match regular expression /^.*$/
          • committed
            bool
            Committed status of the template.
            

          • accept_language
            str
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan).
              • 

            

            Possible values:  length ≥ 1
            Default: default
          • curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "name": "IKSEditor",
  "description": "Grant Editor Role on SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "policy": {
     "type": "access",
     "description": "Grant Editor Role on SERVICE_NAMEe",
     "control": {
        "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Editor"
          }
        ],
      },
    },
    "resource": [
      {
        "attributes": [
          {
            "key": "serviceName",
            "operator": "stringEquals",
            "value": "$SERVICE_NAME"
          }
        ]
      }
    ],
    "rule" :{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
    "pattern": "time-based-conditions:weekly:all-day"
}'
          • policyRole := &iampolicymanagementv1.Roles{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer"),
}
v2PolicyGrant := &iampolicymanagementv1.Grant{
  Roles: []iampolicymanagementv1.Roles{*policyRole},
}
v2PolicyControl := &iampolicymanagementv1.Control{
  Grant: v2PolicyGrant,
}
serviceNameResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
  Key:      core.StringPtr("serviceName"),
  Operator: core.StringPtr("stringEquals"),
  Value:    core.StringPtr("iam-access-management"),
}
policyResource := &iampolicymanagementv1.V2PolicyResource{
  Attributes: []iampolicymanagementv1.V2PolicyResourceAttribute{
    *serviceNameResourceAttribute},
}

templatePolicyModel := &iampolicymanagementv1.TemplatePolicy{
  Type:        core.StringPtr("access"),
  Description: core.StringPtr("Test Template"),
  Resource:    policyResource,
  Control:     v2PolicyControl,
}

createPolicyTemplateOptions := iamPolicyManagementService.NewCreatePolicyTemplateOptions(
  examplePolicyTemplateName,
  exampleAccountID,
  templatePolicyModel,
)

policyTemplate, response, err := iamPolicyManagementService.CreatePolicyTemplate(createPolicyTemplateOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyTemplate, "", "  ")
examplePolicyTemplateID = *policyTemplate.ID
fmt.Println(string(b))
          • V2PolicyResourceAttribute v2PolicyResourceAttributeModel = new V2PolicyResourceAttribute.Builder()
  .key("serviceType")
  .operator("stringEquals")
  .value("service")
  .build();
V2PolicyResource v2PolicyResourceModel = new V2PolicyResource.Builder()
  .attributes(java.util.Arrays.asList(v2PolicyResourceAttributeModel))
  .build();
Roles rolesModel = new Roles.Builder()
  .roleId("crn:v1:bluemix:public:iam::::role:Viewer")
  .build();
Grant grantModel = new Grant.Builder()
  .roles(java.util.Arrays.asList(rolesModel))
  .build();
Control controlModel = new Control.Builder()
  .grant(grantModel)
  .build();
TemplatePolicy templatePolicyModel = new TemplatePolicy.Builder()
  .type("access")
  .resource(v2PolicyResourceModel)
  .control(controlModel)
  .build();
CreatePolicyTemplateOptions createPolicyTemplateOptions = new CreatePolicyTemplateOptions.Builder()
  .name("SDKExamplesTest")
  .accountId(exampleAccountId)
  .policy(templatePolicyModel)
  .build();

Response<PolicyTemplateLimitData> response = service.createPolicyTemplate(createPolicyTemplateOptions).execute();
PolicyTemplateLimitData policyTemplate = response.getResult();

exampleTemplateId = policyTemplate.getId();
exampleTemplateVersion = policyTemplate.getVersion();

System.out.println(policyTemplate);
          • // Request models needed by this operation.

// V2PolicyResourceAttribute
const v2PolicyResourceAttributeModel = {
  key: 'serviceType',
  operator: 'stringEquals',
  value: 'service',
};

// V2PolicyResource
const v2PolicyResourceModel = {
  attributes: [v2PolicyResourceAttributeModel],
};

// Roles
const rolesModel = {
  role_id: 'crn:v1:bluemix:public:iam::::role:Viewer',
};

// Grant
const grantModel = {
  roles: [rolesModel],
};

// Control
const controlModel = {
  grant: grantModel,
};

// TemplatePolicy
const templatePolicyModel = {
  type: 'access',
  resource: v2PolicyResourceModel,
  control: controlModel,
};

const params = {
  name: 'SDKNodeExampleTemplate',
  accountId: exampleAccountId,
  policy: templatePolicyModel,
};

try {
  const res = await iamPolicyManagementService.createPolicyTemplate(params);
  exampleTemplateId = res.result.id;
  exampleTemplateVersion = res.result.version;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
          • v2_policy_resource_attribute_model = {
  'key': 'serviceType',
  'operator': 'stringEquals',
  'value': 'service',
}

v2_policy_resource_model = {
  'attributes': [v2_policy_resource_attribute_model],
}

roles_model = {
  'role_id': 'crn:v1:bluemix:public:iam::::role:Viewer',
}

grant_model = {
  'roles': [roles_model],
}

control_model = {
  'grant': grant_model,
}

template_policy_model = {
  'type': 'access',
  'resource': v2_policy_resource_model,
  'control': control_model,
}

response = iam_policy_management_service.create_policy_template(
  name='SDKExamplesTest',
  account_id=example_account_id,
  policy=template_policy_model,
)
policy_template = response.get_result()

global example_template_id
example_template_id = policy_template['id']
global example_template_version
example_template_version = policy_template['version']

print(json.dumps(policy_template, indent=2))
          Response
          Response Body
          PolicyTemplateLimitData
          The core set of properties associated with the policy template.
          

          PolicyTemplateLimitData
          The core set of properties associated with the policy template.
          

          PolicyTemplateLimitData
          The core set of properties associated with the policy template.
          

          PolicyTemplateLimitData
          The core set of properties associated with the policy template.
          

          PolicyTemplateLimitData
          The core set of properties associated with the policy template.
          

          Status Code
          • 201
            Policy Template creation successful.
            

          • 400
            Policy Template input is invalid.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to create the policy template.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 409
            A policy template already exists for the .... TBD
            

          • 415
            Request body sent was formatted using an unsupported media type.
            

          • 422
            Exceeded maximum policy templates quota.
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "name": "Service Viewer template",
  "description": "Viewer role for all instances of SERVICE_NAME in the account.",
  "version": "1",
  "account_id": "0000-0000-0001",
  "committed": false,
  "policy": {
    "type": "access",
    "description": "Viewer role access for all instances of key protect in the account during business hours.",
    "control": {
      "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
          }
        ]
      }
    },
    "resource": {
      "attributes": [
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "kms"
        }
      ]
    },
    "rule": {
      "operator": "and",
      "conditions": [
        {
          "key": "{{environment.attributes.day_of_week}}",
          "operator": "dayOfWeekAnyOf",
          "value": [
            "1+00:00",
            "2+00:00",
            "3+00:00",
            "4+00:00",
            "5+00:00"
          ]
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeGreaterThanOrEquals",
          "value": "09:00:00+00:00"
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeLessThanOrEquals",
          "value": "17:00:00+00:00"
        }
      ]
    },
    "pattern": "time-based-conditions:weekly:custom-hours"
  },
  "counts": {
    "template": {
      "current": 1,
      "limit": 100
    },
    "version": {
      "current": 1,
      "limit": 100
    }
  },
  "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "name": "Service Viewer template",
  "description": "Viewer role for all instances of SERVICE_NAME in the account.",
  "version": "1",
  "account_id": "0000-0000-0001",
  "committed": false,
  "policy": {
    "type": "access",
    "description": "Viewer role access for all instances of key protect in the account during business hours.",
    "control": {
      "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
          }
        ]
      }
    },
    "resource": {
      "attributes": [
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "kms"
        }
      ]
    },
    "rule": {
      "operator": "and",
      "conditions": [
        {
          "key": "{{environment.attributes.day_of_week}}",
          "operator": "dayOfWeekAnyOf",
          "value": [
            "1+00:00",
            "2+00:00",
            "3+00:00",
            "4+00:00",
            "5+00:00"
          ]
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeGreaterThanOrEquals",
          "value": "09:00:00+00:00"
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeLessThanOrEquals",
          "value": "17:00:00+00:00"
        }
      ]
    },
    "pattern": "time-based-conditions:weekly:custom-hours"
  },
  "counts": {
    "template": {
      "current": 1,
      "limit": 100
    },
    "version": {
      "current": 1,
      "limit": 100
    }
  },
  "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_conflict_error",
      "message": "Failed to create policy template.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policyTemplate": "POLICY_TEMPLATE"
        }
      },
      "status_code": 409
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_conflict_error",
      "message": "Failed to create policy template.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policyTemplate": "POLICY_TEMPLATE"
        }
      },
      "status_code": 409
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policy templates quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policy templates quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Retrieve latest version of a policy template
          Retrieve the latest version of a policy template by providing a policy template ID.
          

          Retrieve the latest version of a policy template by providing a policy template ID.
          

          Retrieve the latest version of a policy template by providing a policy template ID.
          

          Retrieve the latest version of a policy template by providing a policy template ID.
          

          Retrieve the latest version of a policy template by providing a policy template ID.
          

          GET /v1/policy_templates/{policy_template_id}
          (iamPolicyManagement *IamPolicyManagementV1) GetPolicyTemplate(getPolicyTemplateOptions *GetPolicyTemplateOptions) (result *PolicyTemplate, response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) GetPolicyTemplateWithContext(ctx context.Context, getPolicyTemplateOptions *GetPolicyTemplateOptions) (result *PolicyTemplate, response *core.DetailedResponse, err error)
          ServiceCall<PolicyTemplate> getPolicyTemplate(GetPolicyTemplateOptions getPolicyTemplateOptions)
          getPolicyTemplate(params)
          get_policy_template(
        self,
        policy_template_id: str,
        *,
        state: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-template.read
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyTemplate.read
          Request
          Instantiate the GetPolicyTemplateOptions struct and set the fields to provide parameter values for the GetPolicyTemplate method.
          Use the GetPolicyTemplateOptions.Builder to create a GetPolicyTemplateOptions object that contains the parameter values for the getPolicyTemplate method.
          Path Parameters
          • policy_template_id
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression ^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$
          Query Parameters
          • state
            string
            The policy template state.
            

            Allowable values: [active,deleted]
          parameter
          WithContext method only
          GetPolicyTemplateOptions
          The GetPolicyTemplate options.
          

          GetPolicyTemplateOptions
          The getPolicyTemplate options.
          

          parameters
          • policyTemplateId
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • state
            string
            The policy template state.
            

            Allowable values: [active,deleted]
          parameters
          • policy_template_id
            Required*
            str
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • state
            str
            The policy template state.
            

            Allowable values: [active,deleted]
          • curl -X GET 'https://iam.cloud.ibm.com/v1/policy_templates/$TEMPLATE_ID&state=active' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
          • getPolicyTemplateOptions := iamPolicyManagementService.NewGetPolicyTemplateOptions(
  examplePolicyTemplateID,
)

policyTemplate, response, err := iamPolicyManagementService.GetPolicyTemplate(getPolicyTemplateOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyTemplate, "", "  ")
examplePolicyTemplateETag = response.GetHeaders().Get("ETag")
fmt.Println(string(b))
          • GetPolicyTemplateOptions getPolicyTemplateOptions = new GetPolicyTemplateOptions.Builder()
  .policyTemplateId(exampleTemplateId)
  .build();

Response<PolicyTemplate> response = service.getPolicyTemplate(getPolicyTemplateOptions).execute();
PolicyTemplate policyTemplate = response.getResult();

exampleTemplateEtag = response.getHeaders().values("Etag").get(0);

System.out.println(policyTemplate);
          • const params = {
  policyTemplateId: exampleTemplateId,
};

let res;
try {
  res = await iamPolicyManagementService.getPolicyTemplate(params);
  exampleTemplateEtag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
          • print('example_template_id: ', example_template_id)
response = iam_policy_management_service.get_policy_template(
  policy_template_id=example_template_id,
)
policy_template = response.get_result()

global example_template_etag
example_template_etag = response.get_headers().get("Etag")

print(json.dumps(policy_template, indent=2))
          Response
          Response Body
          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          Status Code
          • 200
            Policy Template retrieval successful.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to retrieve the policy template.
            

          • 404
            Policy Template was not found.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "name": "Service Viewer template",
  "description": "Viewer role for all instances of SERVICE_NAME in the account.",
  "account_id": "0000-0000-0000-0001",
  "version": "2",
  "committed": false,
  "policy": {
    "type": "access",
    "description": "Viewer role access for all instances of key protect in the account during business hours.",
    "control": {
      "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
          }
        ]
      }
    },
    "resource": {
      "attributes": [
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "kms"
        }
      ]
    },
    "rule": {
      "operator": "and",
      "conditions": [
        {
          "key": "{{environment.attributes.day_of_week}}",
          "operator": "dayOfWeekAnyOf",
          "value": [
            "1+00:00",
            "2+00:00",
            "3+00:00",
            "4+00:00",
            "5+00:00"
          ]
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeGreaterThanOrEquals",
          "value": "09:00:00+00:00"
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeLessThanOrEquals",
          "value": "17:00:00+00:00"
        }
      ]
    },
    "pattern": "time-based-conditions:weekly:custom-hours"
  },
  "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab/versions/2",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "name": "Service Viewer template",
  "description": "Viewer role for all instances of SERVICE_NAME in the account.",
  "account_id": "0000-0000-0000-0001",
  "version": "2",
  "committed": false,
  "policy": {
    "type": "access",
    "description": "Viewer role access for all instances of key protect in the account during business hours.",
    "control": {
      "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
          }
        ]
      }
    },
    "resource": {
      "attributes": [
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "kms"
        }
      ]
    },
    "rule": {
      "operator": "and",
      "conditions": [
        {
          "key": "{{environment.attributes.day_of_week}}",
          "operator": "dayOfWeekAnyOf",
          "value": [
            "1+00:00",
            "2+00:00",
            "3+00:00",
            "4+00:00",
            "5+00:00"
          ]
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeGreaterThanOrEquals",
          "value": "09:00:00+00:00"
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeLessThanOrEquals",
          "value": "17:00:00+00:00"
        }
      ]
    },
    "pattern": "time-based-conditions:weekly:custom-hours"
  },
  "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab/versions/2",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Delete a policy template
          Delete a policy template by providing the policy template ID. This deletes all versions of this template. A policy template can't be deleted if any version of the template is assigned to one or more child accounts. You must remove the policy assignments first.
          

          Delete a policy template by providing the policy template ID. This deletes all versions of this template. A policy template can't be deleted if any version of the template is assigned to one or more child accounts. You must remove the policy assignments first.
          

          Delete a policy template by providing the policy template ID. This deletes all versions of this template. A policy template can't be deleted if any version of the template is assigned to one or more child accounts. You must remove the policy assignments first.
          

          Delete a policy template by providing the policy template ID. This deletes all versions of this template. A policy template can't be deleted if any version of the template is assigned to one or more child accounts. You must remove the policy assignments first.
          

          Delete a policy template by providing the policy template ID. This deletes all versions of this template. A policy template can't be deleted if any version of the template is assigned to one or more child accounts. You must remove the policy assignments first.
          

          DELETE /v1/policy_templates/{policy_template_id}
          (iamPolicyManagement *IamPolicyManagementV1) DeletePolicyTemplate(deletePolicyTemplateOptions *DeletePolicyTemplateOptions) (response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) DeletePolicyTemplateWithContext(ctx context.Context, deletePolicyTemplateOptions *DeletePolicyTemplateOptions) (response *core.DetailedResponse, err error)
          ServiceCall<Void> deletePolicyTemplate(DeletePolicyTemplateOptions deletePolicyTemplateOptions)
          deletePolicyTemplate(params)
          delete_policy_template(
        self,
        policy_template_id: str,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-template.delete
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyTemplate.delete
          Request
          Instantiate the DeletePolicyTemplateOptions struct and set the fields to provide parameter values for the DeletePolicyTemplate method.
          Use the DeletePolicyTemplateOptions.Builder to create a DeletePolicyTemplateOptions object that contains the parameter values for the deletePolicyTemplate method.
          Path Parameters
          • policy_template_id
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression ^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$
          parameter
          WithContext method only
          DeletePolicyTemplateOptions
          The DeletePolicyTemplate options.
          

          DeletePolicyTemplateOptions
          The deletePolicyTemplate options.
          

          parameters
          • policyTemplateId
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          parameters
          • policy_template_id
            Required*
            str
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • curl -X DELETE 'https://iam.cloud.ibm.com/v1/policy_templates/$TEMPLATE_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
          • deletePolicyTemplateOptions := iamPolicyManagementService.NewDeletePolicyTemplateOptions(
  examplePolicyTemplateID,
)

response, err := iamPolicyManagementService.DeletePolicyTemplate(deletePolicyTemplateOptions)
if err != nil {
  panic(err)
}
if response.StatusCode != 204 {
  fmt.Printf("\nUnexpected response status code received from DeletePolicyTemplate(): %d\n", response.StatusCode)
}
          • DeletePolicyTemplateOptions deletePolicyTemplateOptions = new DeletePolicyTemplateOptions.Builder()
  .policyTemplateId(exampleTemplateId)
  .build();

Response<Void> response = service.deletePolicyTemplate(deletePolicyTemplateOptions).execute();
          • const params = {
  policyTemplateId: exampleTemplateId,
};

try {
  await iamPolicyManagementService.deletePolicyTemplate(params);
} catch (err) {
  console.warn(err);
}
          • response = iam_policy_management_service.delete_policy_template(
  policy_template_id=example_template_id,
)
          Response
          Status Code
          • 204
            Policy Template deletion successful.
            

          • 400
            Policy Template was not valid to delete.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to delete the policy template.
            

          • 404
            Policy Template was not found.
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a version assigned to an account, cannot perform action"
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a version assigned to an account, cannot perform action"
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy template version."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy template version."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Create a new policy template version
          Create a new version of a policy template. Use this if you need to make updates to a policy template that is committed.
          

          Create a new version of a policy template. Use this if you need to make updates to a policy template that is committed.
          

          Create a new version of a policy template. Use this if you need to make updates to a policy template that is committed.
          

          Create a new version of a policy template. Use this if you need to make updates to a policy template that is committed.
          

          Create a new version of a policy template. Use this if you need to make updates to a policy template that is committed.
          

          POST /v1/policy_templates/{policy_template_id}/versions
          (iamPolicyManagement *IamPolicyManagementV1) CreatePolicyTemplateVersion(createPolicyTemplateVersionOptions *CreatePolicyTemplateVersionOptions) (result *PolicyTemplateLimitData, response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) CreatePolicyTemplateVersionWithContext(ctx context.Context, createPolicyTemplateVersionOptions *CreatePolicyTemplateVersionOptions) (result *PolicyTemplateLimitData, response *core.DetailedResponse, err error)
          ServiceCall<PolicyTemplateLimitData> createPolicyTemplateVersion(CreatePolicyTemplateVersionOptions createPolicyTemplateVersionOptions)
          createPolicyTemplateVersion(params)
          create_policy_template_version(
        self,
        policy_template_id: str,
        policy: 'TemplatePolicy',
        *,
        name: Optional[str] = None,
        description: Optional[str] = None,
        committed: Optional[bool] = None,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-template.create
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyTemplate.create
          Request
          Instantiate the CreatePolicyTemplateVersionOptions struct and set the fields to provide parameter values for the CreatePolicyTemplateVersion method.
          Use the CreatePolicyTemplateVersionOptions.Builder to create a CreatePolicyTemplateVersionOptions object that contains the parameter values for the createPolicyTemplateVersion method.
          Path Parameters
          • policy_template_id
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression ^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$
          Request Body
          Required*
          PolicyTemplateVersionRequest
          A policy template to be created.
          

          parameter
          WithContext method only
          CreatePolicyTemplateVersionOptions
          The CreatePolicyTemplateVersion options.
          

          CreatePolicyTemplateVersionOptions
          The createPolicyTemplateVersion options.
          

          parameters
          • policyTemplateId
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • policy
            The core set of properties associated with the template's policy objet.
            

          • name
            string
            Required field when creating a new template. Otherwise this field is optional. If the field is included it will change the name value for all existing versions of the template.
            

            Possible values:  1 ≤ length ≤ 100, Value must match regular expression /^.*$/
          • description
            string
            Description of the policy template. This is shown to users in the enterprise account. Use this to describe the purpose or context of the policy for enterprise users managing IAM templates.
            

            Possible values:  0 ≤ length ≤ 300, Value must match regular expression /^.*$/
          • committed
            boolean
            Committed status of the template version.
            

          parameters
          • policy_template_id
            Required*
            str
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • policy
            The core set of properties associated with the template's policy objet.
            

          • name
            str
            Required field when creating a new template. Otherwise this field is optional. If the field is included it will change the name value for all existing versions of the template.
            

            Possible values:  1 ≤ length ≤ 100, Value must match regular expression /^.*$/
          • description
            str
            Description of the policy template. This is shown to users in the enterprise account. Use this to describe the purpose or context of the policy for enterprise users managing IAM templates.
            

            Possible values:  0 ≤ length ≤ 300, Value must match regular expression /^.*$/
          • committed
            bool
            Committed status of the template version.
            

          • curl -X POST 'https://iam.cloud.ibm.com/v1/policy_template/$TEMPLATE_ID/versions' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "name": "IKSEditor",
  "description": "Grant Editor Role on SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "policy": {
     "type": "access",
     "description": "Grant Editor Role on SERVICE_NAMEe",
     "control": {
        "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Editor"
          }
        ],
      },
    },
    "resource": [
      {
        "attributes": [
          {
            "key": "serviceName",
            "operator": "stringEquals",
            "value": "$SERVICE_NAME"
          }
        ]
      }
    ],
    "rule" :{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
    "pattern": "time-based-conditions:weekly:all-day"
}'
          • v2PolicyGrant := &iampolicymanagementv1.Grant{
  Roles: []iampolicymanagementv1.Roles{
    {core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer")},
    {core.StringPtr("crn:v1:bluemix:public:iam::::role:Administrator")},
  },
}

v2PolicyControl := &iampolicymanagementv1.Control{
  Grant: v2PolicyGrant,
}
serviceNameResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
  Key:      core.StringPtr("serviceName"),
  Operator: core.StringPtr("stringEquals"),
  Value:    core.StringPtr("watson"),
}
policyResource := &iampolicymanagementv1.V2PolicyResource{
  Attributes: []iampolicymanagementv1.V2PolicyResourceAttribute{
    *serviceNameResourceAttribute},
}

templatePolicyModel := &iampolicymanagementv1.TemplatePolicy{
  Type:        core.StringPtr("access"),
  Description: core.StringPtr("Test Template v2"),
  Resource:    policyResource,
  Control:     v2PolicyControl,
}

createPolicyTemplateVersionOptions := iamPolicyManagementService.NewCreatePolicyTemplateVersionOptions(
  examplePolicyTemplateID,
  templatePolicyModel,
)

policyTemplate, response, err := iamPolicyManagementService.CreatePolicyTemplateVersion(createPolicyTemplateVersionOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyTemplate, "", "  ")
examplePolicyTemplateETag = response.GetHeaders().Get("ETag")
examplePolicyTemplateVersion = *policyTemplate.Version
fmt.Println(string(b))
          • V2PolicyResourceAttribute v2PolicyResourceAttributeModel = new V2PolicyResourceAttribute.Builder()
  .key("serviceType")
  .operator("stringEquals")
  .value("service")
  .build();
V2PolicyResource v2PolicyResourceModel = new V2PolicyResource.Builder()
  .attributes(java.util.Arrays.asList(v2PolicyResourceAttributeModel))
  .build();
Roles rolesModel = new Roles.Builder()
  .roleId("crn:v1:bluemix:public:iam::::role:Viewer")
  .build();
Grant grantModel = new Grant.Builder()
  .roles(java.util.Arrays.asList(rolesModel))
  .build();
Control controlModel = new Control.Builder()
  .grant(grantModel)
  .build();
TemplatePolicy templatePolicyModel = new TemplatePolicy.Builder()
  .type("access")
  .resource(v2PolicyResourceModel)
  .control(controlModel)
  .build();
CreatePolicyTemplateVersionOptions createPolicyTemplateVersionOptions = new CreatePolicyTemplateVersionOptions.Builder()
  .policyTemplateId(exampleTemplateId)
  .policy(templatePolicyModel)
  .build();

Response<PolicyTemplateLimitData> response = service.createPolicyTemplateVersion(createPolicyTemplateVersionOptions).execute();
PolicyTemplateLimitData policyTemplate = response.getResult();

System.out.println(policyTemplate);
          • // Request models needed by this operation.

// V2PolicyResourceAttribute
const v2PolicyResourceAttributeModel = {
  key: 'serviceType',
  operator: 'stringEquals',
  value: 'service',
};

// V2PolicyResource
const v2PolicyResourceModel = {
  attributes: [v2PolicyResourceAttributeModel],
};

// Roles
const rolesModel = {
  role_id: 'crn:v1:bluemix:public:iam::::role:Viewer',
};

// Grant
const grantModel = {
  roles: [rolesModel],
};

// Control
const controlModel = {
  grant: grantModel,
};

// TemplatePolicy
const templatePolicyModel = {
  type: 'access',
  resource: v2PolicyResourceModel,
  control: controlModel,
};

const params = {
  policyTemplateId: exampleTemplateId,
  policy: templatePolicyModel,
};

let res;
try {
  res = await iamPolicyManagementService.createPolicyTemplateVersion(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
          • v2_policy_resource_attribute_model = {
  'key': 'serviceType',
  'operator': 'stringEquals',
  'value': 'service',
}

v2_policy_resource_model = {
  'attributes': [v2_policy_resource_attribute_model],
}

roles_model = {
  'role_id': 'crn:v1:bluemix:public:iam::::role:Viewer',
}

grant_model = {
  'roles': [roles_model],
}

control_model = {
  'grant': grant_model,
}

template_policy_model = {
  'type': 'access',
  'resource': v2_policy_resource_model,
  'control': control_model,
}

response = iam_policy_management_service.create_policy_template_version(
  policy_template_id=example_template_id,
  policy=template_policy_model,
)
policy_template = response.get_result()

print(json.dumps(policy_template, indent=2))
          Response
          Response Body
          PolicyTemplateLimitData
          The core set of properties associated with the policy template.
          

          PolicyTemplateLimitData
          The core set of properties associated with the policy template.
          

          PolicyTemplateLimitData
          The core set of properties associated with the policy template.
          

          PolicyTemplateLimitData
          The core set of properties associated with the policy template.
          

          PolicyTemplateLimitData
          The core set of properties associated with the policy template.
          

          Status Code
          • 201
            Policy Template creation successful.
            

          • 400
            Policy Template input is invalid.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to create the policy template.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 409
            A policy template already exists for the .... TBD
            

          • 415
            Request body sent was formatted using an unsupported media type.
            

          • 422
            Exceeded maximum policies templates quota.
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "name": "Service Viewer template",
  "description": "Viewer role for all instances of SERVICE_NAME in the account.",
  "account_id": "0000-0000-0000-0001",
  "version": "2",
  "committed": false,
  "policy": {
    "type": "access",
    "description": "Viewer role access for all instances of key protect in the account during business hours.",
    "control": {
      "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
          }
        ]
      }
    },
    "resource": {
      "attributes": [
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "kms"
        }
      ]
    },
    "rule": {
      "operator": "and",
      "conditions": [
        {
          "key": "{{environment.attributes.day_of_week}}",
          "operator": "dayOfWeekAnyOf",
          "value": [
            "1+00:00",
            "2+00:00",
            "3+00:00",
            "4+00:00",
            "5+00:00"
          ]
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeGreaterThanOrEquals",
          "value": "09:00:00+00:00"
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeLessThanOrEquals",
          "value": "17:00:00+00:00"
        }
      ]
    },
    "pattern": "time-based-conditions:weekly:custom-hours"
  },
  "counts": {
    "template": {
      "current": 1,
      "limit": 100
    },
    "version": {
      "current": 1,
      "limit": 100
    }
  },
  "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab/versions/2",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "name": "Service Viewer template",
  "description": "Viewer role for all instances of SERVICE_NAME in the account.",
  "account_id": "0000-0000-0000-0001",
  "version": "2",
  "committed": false,
  "policy": {
    "type": "access",
    "description": "Viewer role access for all instances of key protect in the account during business hours.",
    "control": {
      "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
          }
        ]
      }
    },
    "resource": {
      "attributes": [
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "kms"
        }
      ]
    },
    "rule": {
      "operator": "and",
      "conditions": [
        {
          "key": "{{environment.attributes.day_of_week}}",
          "operator": "dayOfWeekAnyOf",
          "value": [
            "1+00:00",
            "2+00:00",
            "3+00:00",
            "4+00:00",
            "5+00:00"
          ]
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeGreaterThanOrEquals",
          "value": "09:00:00+00:00"
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeLessThanOrEquals",
          "value": "17:00:00+00:00"
        }
      ]
    },
    "pattern": "time-based-conditions:weekly:custom-hours"
  },
  "counts": {
    "template": {
      "current": 1,
      "limit": 100
    },
    "version": {
      "current": 1,
      "limit": 100
    }
  },
  "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab/versions/2",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_conflict_error",
      "message": "Failed to create policy template.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policyTemplate": "POLICY_TEMPLATE"
        }
      },
      "status_code": 409
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_conflict_error",
      "message": "Failed to create policy template.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policyTemplate": "POLICY_TEMPLATE"
        }
      },
      "status_code": 409
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policy templates quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policy templates quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Retrieve policy template versions
          Retrieve the versions of a policy template by providing a policy template ID.
          

          Retrieve the versions of a policy template by providing a policy template ID.
          

          Retrieve the versions of a policy template by providing a policy template ID.
          

          Retrieve the versions of a policy template by providing a policy template ID.
          

          Retrieve the versions of a policy template by providing a policy template ID.
          

          GET /v1/policy_templates/{policy_template_id}/versions
          (iamPolicyManagement *IamPolicyManagementV1) ListPolicyTemplateVersions(listPolicyTemplateVersionsOptions *ListPolicyTemplateVersionsOptions) (result *PolicyTemplateVersionsCollection, response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) ListPolicyTemplateVersionsWithContext(ctx context.Context, listPolicyTemplateVersionsOptions *ListPolicyTemplateVersionsOptions) (result *PolicyTemplateVersionsCollection, response *core.DetailedResponse, err error)
          ServiceCall<PolicyTemplateVersionsCollection> listPolicyTemplateVersions(ListPolicyTemplateVersionsOptions listPolicyTemplateVersionsOptions)
          listPolicyTemplateVersions(params)
          list_policy_template_versions(
        self,
        policy_template_id: str,
        *,
        state: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-template.read
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyTemplate.read
          Request
          Instantiate the ListPolicyTemplateVersionsOptions struct and set the fields to provide parameter values for the ListPolicyTemplateVersions method.
          Use the ListPolicyTemplateVersionsOptions.Builder to create a ListPolicyTemplateVersionsOptions object that contains the parameter values for the listPolicyTemplateVersions method.
          Path Parameters
          • policy_template_id
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression ^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$
          Query Parameters
          • state
            string
            The policy template state.
            

            Allowable values: [active,deleted]
          • limit
            integer
            The number of documents to include in collection.
            

            Possible values:  1 ≤ value ≤ 100
            Default: 50
          • start
            string
            Page token that refers to the page of collection to return.
            

            Possible values:  9 ≤ length ≤ 100, Value must match regular expression ^[-A-Za-z0-9+/]*$
          parameter
          WithContext method only
          ListPolicyTemplateVersionsOptions
          The ListPolicyTemplateVersions options.
          

          ListPolicyTemplateVersionsOptions
          The listPolicyTemplateVersions options.
          

          parameters
          • policyTemplateId
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • state
            string
            The policy template state.
            

            Allowable values: [active,deleted]
          parameters
          • policy_template_id
            Required*
            str
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • state
            str
            The policy template state.
            

            Allowable values: [active,deleted]
          • curl -X GET 'https://iam.cloud.ibm.com/v1/policy_templates/$TEMPLATE_ID/versions&state=active' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
          • listPolicyTemplateVersionsOptions := iamPolicyManagementService.NewListPolicyTemplateVersionsOptions(
  examplePolicyTemplateID,
)

policyTemplateVersionsCollection, response, err := iamPolicyManagementService.ListPolicyTemplateVersions(listPolicyTemplateVersionsOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyTemplateVersionsCollection, "", "  ")
fmt.Println(string(b))
          • ListPolicyTemplateVersionsOptions listPolicyTemplateVersionsOptions = new ListPolicyTemplateVersionsOptions.Builder()
  .policyTemplateId(exampleTemplateId)
  .build();

Response<PolicyTemplateVersionsCollection> response = service.listPolicyTemplateVersions(listPolicyTemplateVersionsOptions).execute();
PolicyTemplateVersionsCollection policyTemplateVersionsCollection = response.getResult();

System.out.println(policyTemplateVersionsCollection);
          • const params = {
  policyTemplateId: exampleTemplateId,
};

let res;
try {
  res = await iamPolicyManagementService.listPolicyTemplateVersions(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
          • response = iam_policy_management_service.list_policy_template_versions(
  policy_template_id=example_template_id,
)
policy_template_versions_collection = response.get_result()

print(json.dumps(policy_template_versions_collection, indent=2))
          Response
          Response Body
          PolicyTemplateVersionsCollection
          A collection of versions for a specific policy template.
          

          PolicyTemplateVersionsCollection
          A collection of versions for a specific policy template.
          

          PolicyTemplateVersionsCollection
          A collection of versions for a specific policy template.
          

          PolicyTemplateVersionsCollection
          A collection of versions for a specific policy template.
          

          PolicyTemplateVersionsCollection
          A collection of versions for a specific policy template.
          

          Status Code
          • 200
            Policy Template versions retrieval successful.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to retrieve the policy template.
            

          • 404
            Policy Template was not found.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "versions": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "name": "Service Viewer template",
      "description": "Viewer role for all instances of SERVICE_NAME in the account.",
      "account_id": "0000-0000-0000-0001",
      "version": "2",
      "committed": false,
      "policy": {
        "type": "access",
        "description": "Viewer role access for all instances of key protect in the account during business hours.",
        "control": {
          "grant": {
            "roles": [
              {
                "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
              }
            ]
          }
        },
        "resource": {
          "attributes": [
            {
              "key": "serviceName",
              "operator": "stringEquals",
              "value": "kms"
            }
          ]
        },
        "rule": {
          "operator": "and",
          "conditions": [
            {
              "key": "{{environment.attributes.day_of_week}}",
              "operator": "dayOfWeekAnyOf",
              "value": [
                "1+00:00",
                "2+00:00",
                "3+00:00",
                "4+00:00",
                "5+00:00"
              ]
            },
            {
              "key": "{{environment.attributes.current_time}}",
              "operator": "timeGreaterThanOrEquals",
              "value": "09:00:00+00:00"
            },
            {
              "key": "{{environment.attributes.current_time}}",
              "operator": "timeLessThanOrEquals",
              "value": "17:00:00+00:00"
            }
          ]
        },
        "pattern": "time-based-conditions:weekly:custom-hours"
      },
      "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab/versions/2",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "state": "active"
    }
  ]
}
          • {
  "versions": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "name": "Service Viewer template",
      "description": "Viewer role for all instances of SERVICE_NAME in the account.",
      "account_id": "0000-0000-0000-0001",
      "version": "2",
      "committed": false,
      "policy": {
        "type": "access",
        "description": "Viewer role access for all instances of key protect in the account during business hours.",
        "control": {
          "grant": {
            "roles": [
              {
                "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
              }
            ]
          }
        },
        "resource": {
          "attributes": [
            {
              "key": "serviceName",
              "operator": "stringEquals",
              "value": "kms"
            }
          ]
        },
        "rule": {
          "operator": "and",
          "conditions": [
            {
              "key": "{{environment.attributes.day_of_week}}",
              "operator": "dayOfWeekAnyOf",
              "value": [
                "1+00:00",
                "2+00:00",
                "3+00:00",
                "4+00:00",
                "5+00:00"
              ]
            },
            {
              "key": "{{environment.attributes.current_time}}",
              "operator": "timeGreaterThanOrEquals",
              "value": "09:00:00+00:00"
            },
            {
              "key": "{{environment.attributes.current_time}}",
              "operator": "timeLessThanOrEquals",
              "value": "17:00:00+00:00"
            }
          ]
        },
        "pattern": "time-based-conditions:weekly:custom-hours"
      },
      "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab/versions/2",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "state": "active"
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Update a policy template version
          Update a specific version of a policy template. You can use this only if the version isn't committed.
          

          Update a specific version of a policy template. You can use this only if the version isn't committed.
          

          Update a specific version of a policy template. You can use this only if the version isn't committed.
          

          Update a specific version of a policy template. You can use this only if the version isn't committed.
          

          Update a specific version of a policy template. You can use this only if the version isn't committed.
          

          PUT /v1/policy_templates/{policy_template_id}/versions/{version}
          (iamPolicyManagement *IamPolicyManagementV1) ReplacePolicyTemplate(replacePolicyTemplateOptions *ReplacePolicyTemplateOptions) (result *PolicyTemplate, response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) ReplacePolicyTemplateWithContext(ctx context.Context, replacePolicyTemplateOptions *ReplacePolicyTemplateOptions) (result *PolicyTemplate, response *core.DetailedResponse, err error)
          ServiceCall<PolicyTemplate> replacePolicyTemplate(ReplacePolicyTemplateOptions replacePolicyTemplateOptions)
          replacePolicyTemplate(params)
          replace_policy_template(
        self,
        policy_template_id: str,
        version: str,
        if_match: str,
        policy: 'TemplatePolicy',
        *,
        name: Optional[str] = None,
        description: Optional[str] = None,
        committed: Optional[bool] = None,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-template.update
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyTemplate.update
          Request
          Instantiate the ReplacePolicyTemplateOptions struct and set the fields to provide parameter values for the ReplacePolicyTemplate method.
          Use the ReplacePolicyTemplateOptions.Builder to create a ReplacePolicyTemplateOptions object that contains the parameter values for the replacePolicyTemplate method.
          Custom Headers
          • If-Match
            Required*
            string
            The revision number for updating a policy template version and must match the ETag value of the existing policy template version.
The Etag can be retrieved using the GET /v1/policy_templates/{policy_template_id}/versions/{version} API and looking at the ETag response header.
            

            Possible values:  length ≥ 1
          Path Parameters
          • policy_template_id
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression ^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$
          • version
            Required*
            string
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression ^[0-9]*$
          Request Body
          Required*
          PolicyTemplateVersionRequest
          Updated policy template content to be saved.
          

          parameter
          WithContext method only
          ReplacePolicyTemplateOptions
          The ReplacePolicyTemplate options.
          

          ReplacePolicyTemplateOptions
          The replacePolicyTemplate options.
          

          parameters
          • policyTemplateId
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • version
            Required*
            string
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
          • ifMatch
            Required*
            string
            The revision number for updating a policy template version and must match the ETag value of the existing policy template version. The Etag can be retrieved using the GET /v1/policy_templates/{policy_template_id}/versions/{version} API and looking at the ETag response header.
            

            Possible values:  length ≥ 1
          • policy
            The core set of properties associated with the template's policy objet.
            

          • name
            string
            Required field when creating a new template. Otherwise this field is optional. If the field is included it will change the name value for all existing versions of the template.
            

            Possible values:  1 ≤ length ≤ 100, Value must match regular expression /^.*$/
          • description
            string
            Description of the policy template. This is shown to users in the enterprise account. Use this to describe the purpose or context of the policy for enterprise users managing IAM templates.
            

            Possible values:  0 ≤ length ≤ 300, Value must match regular expression /^.*$/
          • committed
            boolean
            Committed status of the template version.
            

          parameters
          • policy_template_id
            Required*
            str
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • version
            Required*
            str
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
          • if_match
            Required*
            str
            The revision number for updating a policy template version and must match the ETag value of the existing policy template version. The Etag can be retrieved using the GET /v1/policy_templates/{policy_template_id}/versions/{version} API and looking at the ETag response header.
            

            Possible values:  length ≥ 1
          • policy
            The core set of properties associated with the template's policy objet.
            

          • name
            str
            Required field when creating a new template. Otherwise this field is optional. If the field is included it will change the name value for all existing versions of the template.
            

            Possible values:  1 ≤ length ≤ 100, Value must match regular expression /^.*$/
          • description
            str
            Description of the policy template. This is shown to users in the enterprise account. Use this to describe the purpose or context of the policy for enterprise users managing IAM templates.
            

            Possible values:  0 ≤ length ≤ 300, Value must match regular expression /^.*$/
          • committed
            bool
            Committed status of the template version.
            

          • curl -X PUT 'https://iam.cloud.ibm.com/v1/policy_templates/$TEMPLATE_ID/versions/$TEMPLATE_VERSION' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{
  "type": "access",
  "description": "Viewer role for for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "$USER_ID"
        }
      ]
    }'
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "$SERVICE_NAME"
        }
      ]
    }
  ]
}'
          • v2PolicyGrant := &iampolicymanagementv1.Grant{
  Roles: []iampolicymanagementv1.Roles{
    {core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer")},
    {core.StringPtr("crn:v1:bluemix:public:iam::::role:Administrator")},
  },
}

v2PolicyControl := &iampolicymanagementv1.Control{
  Grant: v2PolicyGrant,
}
serviceNameResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
  Key:      core.StringPtr("serviceName"),
  Operator: core.StringPtr("stringEquals"),
  Value:    core.StringPtr("watson"),
}
policyResource := &iampolicymanagementv1.V2PolicyResource{
  Attributes: []iampolicymanagementv1.V2PolicyResourceAttribute{
    *serviceNameResourceAttribute},
}

templatePolicyModel := &iampolicymanagementv1.TemplatePolicy{
  Type:        core.StringPtr("access"),
  Description: core.StringPtr("Test Template v2"),
  Resource:    policyResource,
  Control:     v2PolicyControl,
}

replacePolicyTemplateOptions := iamPolicyManagementService.NewReplacePolicyTemplateOptions(
  examplePolicyTemplateID,
  examplePolicyTemplateVersion,
  examplePolicyTemplateETag,
  templatePolicyModel,
)

policyTemplate, response, err := iamPolicyManagementService.ReplacePolicyTemplate(replacePolicyTemplateOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyTemplate, "", "  ")
examplePolicyTemplateVersion = *policyTemplate.Version
examplePolicyTemplateETag = response.GetHeaders().Get("ETag")
fmt.Println(string(b))
          • V2PolicyResourceAttribute v2PolicyResourceAttributeModel = new V2PolicyResourceAttribute.Builder()
  .key("serviceType")
  .operator("stringEquals")
  .value("service")
  .build();
V2PolicyResource v2PolicyResourceModel = new V2PolicyResource.Builder()
  .attributes(java.util.Arrays.asList(v2PolicyResourceAttributeModel))
  .build();
Roles rolesModel = new Roles.Builder()
  .roleId("crn:v1:bluemix:public:iam::::role:Editor")
  .build();
Grant grantModel = new Grant.Builder()
  .roles(java.util.Arrays.asList(rolesModel))
  .build();
Control controlModel = new Control.Builder()
  .grant(grantModel)
  .build();
TemplatePolicy templatePolicyModel = new TemplatePolicy.Builder()
  .type("access")
  .resource(v2PolicyResourceModel)
  .control(controlModel)
  .build();
ReplacePolicyTemplateOptions replacePolicyTemplateOptions = new ReplacePolicyTemplateOptions.Builder()
  .policyTemplateId(exampleTemplateId)
  .version(exampleTemplateVersion)
  .ifMatch(exampleTemplateEtag)
  .policy(templatePolicyModel)
  .build();

Response<PolicyTemplate> response = service.replacePolicyTemplate(replacePolicyTemplateOptions).execute();
PolicyTemplate policyTemplate = response.getResult();

System.out.println(policyTemplate);
          • // Request models needed by this operation.

// V2PolicyResourceAttribute
const v2PolicyResourceAttributeModel = {
  key: 'serviceType',
  operator: 'stringEquals',
  value: 'service',
};

// V2PolicyResource
const v2PolicyResourceModel = {
  attributes: [v2PolicyResourceAttributeModel],
};

// Roles
const rolesModel = {
  role_id: 'crn:v1:bluemix:public:iam::::role:Editor',
};

// Grant
const grantModel = {
  roles: [rolesModel],
};

// Control
const controlModel = {
  grant: grantModel,
};

// TemplatePolicy
const templatePolicyModel = {
  type: 'access',
  resource: v2PolicyResourceModel,
  control: controlModel,
};

const params = {
  policyTemplateId: exampleTemplateId,
  version: exampleTemplateVersion,
  ifMatch: exampleTemplateEtag,
  policy: templatePolicyModel,
};

let res;
try {
  res = await iamPolicyManagementService.replacePolicyTemplate(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
          • v2_policy_resource_attribute_model = {
  'key': 'serviceType',
  'operator': 'stringEquals',
  'value': 'service',
}

v2_policy_resource_model = {
  'attributes': [v2_policy_resource_attribute_model],
}

roles_model = {
  'role_id': 'crn:v1:bluemix:public:iam::::role:Editor',
}

grant_model = {
  'roles': [roles_model],
}

control_model = {
  'grant': grant_model,
}

template_policy_model = {
  'type': 'access',
  'resource': v2_policy_resource_model,
  'control': control_model,
}

response = iam_policy_management_service.replace_policy_template(
  policy_template_id=example_template_id,
  version=example_template_version,
  if_match=example_template_etag,
  policy=template_policy_model,
)
policy_template = response.get_result()

print(json.dumps(policy_template, indent=2))
          Response
          Response Body
          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          Status Code
          • 200
            Policy Template version update successful.
            

          • 400
            Policy template input is invalid.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to update the policy template.
            

          • 404
            Policy Template was not found.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 409
            A policy template already exists ... TBD
            

          • 415
            Request body sent was formatted using an unsupported media type.
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "name": "Service Viewer template",
  "description": "Viewer role for all instances of SERVICE_NAME in the account.",
  "account_id": "0000-0000-0000-0001",
  "version": "2",
  "committed": false,
  "policy": {
    "type": "access",
    "description": "Viewer role access for all instances of key protect in the account during business hours.",
    "control": {
      "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
          }
        ]
      }
    },
    "resource": {
      "attributes": [
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "kms"
        }
      ]
    },
    "rule": {
      "operator": "and",
      "conditions": [
        {
          "key": "{{environment.attributes.day_of_week}}",
          "operator": "dayOfWeekAnyOf",
          "value": [
            "1+00:00",
            "2+00:00",
            "3+00:00",
            "4+00:00",
            "5+00:00"
          ]
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeGreaterThanOrEquals",
          "value": "09:00:00+00:00"
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeLessThanOrEquals",
          "value": "17:00:00+00:00"
        }
      ]
    },
    "pattern": "time-based-conditions:weekly:custom-hours"
  },
  "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab/versions/2",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "name": "Service Viewer template",
  "description": "Viewer role for all instances of SERVICE_NAME in the account.",
  "account_id": "0000-0000-0000-0001",
  "version": "2",
  "committed": false,
  "policy": {
    "type": "access",
    "description": "Viewer role access for all instances of key protect in the account during business hours.",
    "control": {
      "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
          }
        ]
      }
    },
    "resource": {
      "attributes": [
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "kms"
        }
      ]
    },
    "rule": {
      "operator": "and",
      "conditions": [
        {
          "key": "{{environment.attributes.day_of_week}}",
          "operator": "dayOfWeekAnyOf",
          "value": [
            "1+00:00",
            "2+00:00",
            "3+00:00",
            "4+00:00",
            "5+00:00"
          ]
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeGreaterThanOrEquals",
          "value": "09:00:00+00:00"
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeLessThanOrEquals",
          "value": "17:00:00+00:00"
        }
      ]
    },
    "pattern": "time-based-conditions:weekly:custom-hours"
  },
  "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab/versions/2",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy template and delete the existing one."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy template and delete the existing one."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_conflict_error",
      "message": "Failed to update policy template.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy_template": "POLICY_TEMPLATE"
        }
      },
      "status_code": 409
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_conflict_error",
      "message": "Failed to update policy template.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy_template": "POLICY_TEMPLATE"
        }
      },
      "status_code": 409
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Delete a policy template version
          Delete a specific version of a policy template by providing a policy template ID and version number. You can't delete a policy template version that is assigned to one or more child accounts. You must remove the policy assignments first.
          

          Delete a specific version of a policy template by providing a policy template ID and version number. You can't delete a policy template version that is assigned to one or more child accounts. You must remove the policy assignments first.
          

          Delete a specific version of a policy template by providing a policy template ID and version number. You can't delete a policy template version that is assigned to one or more child accounts. You must remove the policy assignments first.
          

          Delete a specific version of a policy template by providing a policy template ID and version number. You can't delete a policy template version that is assigned to one or more child accounts. You must remove the policy assignments first.
          

          Delete a specific version of a policy template by providing a policy template ID and version number. You can't delete a policy template version that is assigned to one or more child accounts. You must remove the policy assignments first.
          

          DELETE /v1/policy_templates/{policy_template_id}/versions/{version}
          (iamPolicyManagement *IamPolicyManagementV1) DeletePolicyTemplateVersion(deletePolicyTemplateVersionOptions *DeletePolicyTemplateVersionOptions) (response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) DeletePolicyTemplateVersionWithContext(ctx context.Context, deletePolicyTemplateVersionOptions *DeletePolicyTemplateVersionOptions) (response *core.DetailedResponse, err error)
          ServiceCall<Void> deletePolicyTemplateVersion(DeletePolicyTemplateVersionOptions deletePolicyTemplateVersionOptions)
          deletePolicyTemplateVersion(params)
          delete_policy_template_version(
        self,
        policy_template_id: str,
        version: str,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-template.delete
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyTemplate.delete
          Request
          Instantiate the DeletePolicyTemplateVersionOptions struct and set the fields to provide parameter values for the DeletePolicyTemplateVersion method.
          Use the DeletePolicyTemplateVersionOptions.Builder to create a DeletePolicyTemplateVersionOptions object that contains the parameter values for the deletePolicyTemplateVersion method.
          Path Parameters
          • policy_template_id
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression ^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$
          • version
            Required*
            string
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression ^[0-9]*$
          parameter
          WithContext method only
          DeletePolicyTemplateVersionOptions
          The DeletePolicyTemplateVersion options.
          

          DeletePolicyTemplateVersionOptions
          The deletePolicyTemplateVersion options.
          

          parameters
          • policyTemplateId
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • version
            Required*
            string
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
          parameters
          • policy_template_id
            Required*
            str
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • version
            Required*
            str
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
          • curl -X DELETE 'https://iam.cloud.ibm.com/v1/policy_templates/$TEMPLATE_ID/versions/$TEMPLATE_VERSION' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
          • deletePolicyTemplateVersionOptions := iamPolicyManagementService.NewDeletePolicyTemplateVersionOptions(
  examplePolicyTemplateID,
  examplePolicyTemplateVersion,
)

response, err := iamPolicyManagementService.DeletePolicyTemplateVersion(deletePolicyTemplateVersionOptions)
if err != nil {
  panic(err)
}
if response.StatusCode != 204 {
  fmt.Printf("\nUnexpected response status code received from DeletePolicyTemplateVersion(): %d\n", response.StatusCode)
}
          • DeletePolicyTemplateVersionOptions deletePolicyTemplateVersionOptions = new DeletePolicyTemplateVersionOptions.Builder()
  .policyTemplateId(exampleTemplateId)
  .version(exampleTemplateVersion)
  .build();

Response<Void> response = service.deletePolicyTemplateVersion(deletePolicyTemplateVersionOptions).execute();
          • const params = {
  policyTemplateId: exampleTemplateId,
  version: exampleTemplateVersion,
};

try {
  await iamPolicyManagementService.deletePolicyTemplateVersion(params);
} catch (err) {
  console.warn(err);
}
          Response
          Status Code
          • 204
            Policy Template deletion successful.
            

          • 400
            Policy Template was not valid to delete.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to delete the policy template.
            

          • 404
            Policy Template was not found.
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a version assigned to an account, cannot perform action"
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a version assigned to an account, cannot perform action"
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy template version."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy template version."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Retrieve a policy template version
          Retrieve a policy template by providing a policy template ID and version number.
          

          Retrieve a policy template by providing a policy template ID and version number.
          

          Retrieve a policy template by providing a policy template ID and version number.
          

          Retrieve a policy template by providing a policy template ID and version number.
          

          Retrieve a policy template by providing a policy template ID and version number.
          

          GET /v1/policy_templates/{policy_template_id}/versions/{version}
          (iamPolicyManagement *IamPolicyManagementV1) GetPolicyTemplateVersion(getPolicyTemplateVersionOptions *GetPolicyTemplateVersionOptions) (result *PolicyTemplate, response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) GetPolicyTemplateVersionWithContext(ctx context.Context, getPolicyTemplateVersionOptions *GetPolicyTemplateVersionOptions) (result *PolicyTemplate, response *core.DetailedResponse, err error)
          ServiceCall<PolicyTemplate> getPolicyTemplateVersion(GetPolicyTemplateVersionOptions getPolicyTemplateVersionOptions)
          getPolicyTemplateVersion(params)
          get_policy_template_version(
        self,
        policy_template_id: str,
        version: str,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-template.read
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyTemplate.read
          Request
          Instantiate the GetPolicyTemplateVersionOptions struct and set the fields to provide parameter values for the GetPolicyTemplateVersion method.
          Use the GetPolicyTemplateVersionOptions.Builder to create a GetPolicyTemplateVersionOptions object that contains the parameter values for the getPolicyTemplateVersion method.
          Path Parameters
          • policy_template_id
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression ^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$
          • version
            Required*
            string
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression ^[0-9]*$
          parameter
          WithContext method only
          GetPolicyTemplateVersionOptions
          The GetPolicyTemplateVersion options.
          

          GetPolicyTemplateVersionOptions
          The getPolicyTemplateVersion options.
          

          parameters
          • policyTemplateId
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • version
            Required*
            string
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
          parameters
          • policy_template_id
            Required*
            str
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • version
            Required*
            str
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
          • curl -X GET 'https://iam.cloud.ibm.com/v1/policy_templates/$TEMPLATE_ID/versions/$TEMPLATE_VERSION' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
          • getPolicyTemplateVersionOptions := iamPolicyManagementService.NewGetPolicyTemplateVersionOptions(
  examplePolicyTemplateID,
  examplePolicyTemplateVersion,
)

policyTemplate, response, err := iamPolicyManagementService.GetPolicyTemplateVersion(getPolicyTemplateVersionOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyTemplate, "", "  ")
fmt.Println(string(b))
          • GetPolicyTemplateVersionOptions getPolicyTemplateVersionOptions = new GetPolicyTemplateVersionOptions.Builder()
  .policyTemplateId(exampleTemplateId)
  .version(exampleTemplateVersion)
  .build();

Response<PolicyTemplate> response = service.getPolicyTemplateVersion(getPolicyTemplateVersionOptions).execute();
PolicyTemplate policyTemplate = response.getResult();

exampleTemplateEtag = response.getHeaders().values("Etag").get(0);

System.out.println(policyTemplate);
          • const params = {
  policyTemplateId: exampleTemplateId,
  version: exampleTemplateVersion,
};

let res;
try {
  res = await iamPolicyManagementService.getPolicyTemplateVersion(params);
  exampleTemplateEtag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
          • response = iam_policy_management_service.get_policy_template_version(
  policy_template_id=example_template_id,
  version=example_template_version,
)
policy_template = response.get_result()

global example_template_etag
example_template_etag = response.get_headers().get("Etag")

print(json.dumps(policy_template, indent=2))
          Response
          Response Body
          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          PolicyTemplate
          The core set of properties associated with the policy template.
          

          Status Code
          • 200
            Policy Template retrieval successful.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to retrieve the policy template.
            

          • 404
            Policy Template was not found.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "name": "Service Viewer template",
  "description": "Viewer role for all instances of SERVICE_NAME in the account.",
  "account_id": "0000-0000-0000-0001",
  "version": "2",
  "committed": false,
  "policy": {
    "type": "access",
    "description": "Viewer role access for all instances of key protect in the account during business hours.",
    "control": {
      "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
          }
        ]
      }
    },
    "resource": {
      "attributes": [
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "kms"
        }
      ]
    },
    "rule": {
      "operator": "and",
      "conditions": [
        {
          "key": "{{environment.attributes.day_of_week}}",
          "operator": "dayOfWeekAnyOf",
          "value": [
            "1+00:00",
            "2+00:00",
            "3+00:00",
            "4+00:00",
            "5+00:00"
          ]
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeGreaterThanOrEquals",
          "value": "09:00:00+00:00"
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeLessThanOrEquals",
          "value": "17:00:00+00:00"
        }
      ]
    },
    "pattern": "time-based-conditions:weekly:custom-hours"
  },
  "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab/versions/2",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
          • {
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "name": "Service Viewer template",
  "description": "Viewer role for all instances of SERVICE_NAME in the account.",
  "account_id": "0000-0000-0000-0001",
  "version": "2",
  "committed": false,
  "policy": {
    "type": "access",
    "description": "Viewer role access for all instances of key protect in the account during business hours.",
    "control": {
      "grant": {
        "roles": [
          {
            "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
          }
        ]
      }
    },
    "resource": {
      "attributes": [
        {
          "key": "serviceName",
          "operator": "stringEquals",
          "value": "kms"
        }
      ]
    },
    "rule": {
      "operator": "and",
      "conditions": [
        {
          "key": "{{environment.attributes.day_of_week}}",
          "operator": "dayOfWeekAnyOf",
          "value": [
            "1+00:00",
            "2+00:00",
            "3+00:00",
            "4+00:00",
            "5+00:00"
          ]
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeGreaterThanOrEquals",
          "value": "09:00:00+00:00"
        },
        {
          "key": "{{environment.attributes.current_time}}",
          "operator": "timeLessThanOrEquals",
          "value": "17:00:00+00:00"
        }
      ]
    },
    "pattern": "time-based-conditions:weekly:custom-hours"
  },
  "href": "https://iam.cloud.ibm.com/v1/policy_templates/12345678-abcd-1a2b-a1b2-1234567890ab/versions/2",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Commit a policy template version
          Commit a policy template version. You can make no further changes to the policy template once it's committed. If you need to make updates after committing a version, create a new version.
          

          Commit a policy template version. You can make no further changes to the policy template once it's committed. If you need to make updates after committing a version, create a new version.
          

          Commit a policy template version. You can make no further changes to the policy template once it's committed. If you need to make updates after committing a version, create a new version.
          

          Commit a policy template version. You can make no further changes to the policy template once it's committed. If you need to make updates after committing a version, create a new version.
          

          Commit a policy template version. You can make no further changes to the policy template once it's committed. If you need to make updates after committing a version, create a new version.
          

          POST /v1/policy_templates/{policy_template_id}/versions/{version}/commit
          (iamPolicyManagement *IamPolicyManagementV1) CommitPolicyTemplate(commitPolicyTemplateOptions *CommitPolicyTemplateOptions) (response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) CommitPolicyTemplateWithContext(ctx context.Context, commitPolicyTemplateOptions *CommitPolicyTemplateOptions) (response *core.DetailedResponse, err error)
          ServiceCall<Void> commitPolicyTemplate(CommitPolicyTemplateOptions commitPolicyTemplateOptions)
          commitPolicyTemplate(params)
          commit_policy_template(
        self,
        policy_template_id: str,
        version: str,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-template.update
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyTemplate.update
          Request
          Instantiate the CommitPolicyTemplateOptions struct and set the fields to provide parameter values for the CommitPolicyTemplate method.
          Use the CommitPolicyTemplateOptions.Builder to create a CommitPolicyTemplateOptions object that contains the parameter values for the commitPolicyTemplate method.
          Path Parameters
          • policy_template_id
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression ^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$
          • version
            Required*
            string
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression ^[0-9]*$
          parameter
          WithContext method only
          CommitPolicyTemplateOptions
          The CommitPolicyTemplate options.
          

          CommitPolicyTemplateOptions
          The commitPolicyTemplate options.
          

          parameters
          • policyTemplateId
            Required*
            string
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • version
            Required*
            string
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
          parameters
          • policy_template_id
            Required*
            str
            The policy template ID.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • version
            Required*
            str
            The policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
          • curl -X POST 'https://iam.cloud.ibm.com/v1/policy_templates/$TEMPLATE_ID/versions/$TEMLPATE_VERSION/commit' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{}'
          • commitPolicyTemplateOptions := iamPolicyManagementService.NewCommitPolicyTemplateOptions(
  examplePolicyTemplateID,
  examplePolicyTemplateVersion,
)

response, err := iamPolicyManagementService.CommitPolicyTemplate(commitPolicyTemplateOptions)
if err != nil {
  panic(err)
}
if response.StatusCode != 204 {
  fmt.Printf("\nUnexpected response status code received from CommitPolicyTemplate(): %d\n", response.StatusCode)
}
          • CommitPolicyTemplateOptions commitPolicyTemplateOptions = new CommitPolicyTemplateOptions.Builder()
  .policyTemplateId(exampleTemplateId)
  .version(exampleTemplateVersion)
  .build();

Response<Void> response = service.commitPolicyTemplate(commitPolicyTemplateOptions).execute();
          • const params = {
  policyTemplateId: exampleTemplateId,
  version: exampleTemplateVersion,
};

try {
  await iamPolicyManagementService.commitPolicyTemplate(params);
} catch (err) {
  console.warn(err);
}
          • response = iam_policy_management_service.commit_policy_template(
  policy_template_id=example_template_id,
  version=example_template_version,
)
          Response
          Status Code
          • 204
            Policy Template version update successful.
            

          • 400
            Policy template input is invalid.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to update the policy template.
            

          • 404
            Policy Template was not found.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 415
            Request body sent was formatted using an unsupported media type.
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy template and delete the existing one."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy template and delete the existing one."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy template."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_template_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Get policy template assignments
          Beta
          Get policy template assignments by attributes.
The following attributes are supported:
account_id, template_id, template_version, sort.
account_id is a required query parameter.
Only policy template assignments that have the specified attributes and that
the caller has read access to are returned.
If the caller does not have read access to any policy template assignments an empty array
is returned.
          

          Get policy template assignments by attributes. The following attributes are supported:
account_id, template_id, template_version, sort.
account_id is a required query parameter. Only policy template assignments that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policy template assignments an empty array is returned.
          

          Get policy template assignments by attributes. The following attributes are supported:
account_id, template_id, template_version, sort.
account_id is a required query parameter. Only policy template assignments that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policy template assignments an empty array is returned.
          

          Get policy template assignments by attributes. The following attributes are supported:
account_id, template_id, template_version, sort.
account_id is a required query parameter. Only policy template assignments that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policy template assignments an empty array is returned.
          

          Get policy template assignments by attributes. The following attributes are supported:
account_id, template_id, template_version, sort.
account_id is a required query parameter. Only policy template assignments that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policy template assignments an empty array is returned.
          

          GET /v1/policy_assignments
          (iamPolicyManagement *IamPolicyManagementV1) ListPolicyAssignments(listPolicyAssignmentsOptions *ListPolicyAssignmentsOptions) (result *PolicyTemplateAssignmentCollection, response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) ListPolicyAssignmentsWithContext(ctx context.Context, listPolicyAssignmentsOptions *ListPolicyAssignmentsOptions) (result *PolicyTemplateAssignmentCollection, response *core.DetailedResponse, err error)
          ServiceCall<PolicyTemplateAssignmentCollection> listPolicyAssignments(ListPolicyAssignmentsOptions listPolicyAssignmentsOptions)
          listPolicyAssignments(params)
          list_policy_assignments(
        self,
        version: str,
        account_id: str,
        *,
        accept_language: Optional[str] = None,
        template_id: Optional[str] = None,
        template_version: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-assignment.read
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyAssignment.read
          Request
          Instantiate the ListPolicyAssignmentsOptions struct and set the fields to provide parameter values for the ListPolicyAssignments method.
          Use the ListPolicyAssignmentsOptions.Builder to create a ListPolicyAssignmentsOptions object that contains the parameter values for the listPolicyAssignments method.
          Custom Headers
          • Accept-Language
            string
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan)
              • 

            

            Possible values:  length ≥ 1
            Default: default
          Query Parameters
          • version
            Required*
            string
            specify version of response body format
            

            Allowable values: [1.0]
            Possible values:  length ≥ 1
          • account_id
            Required*
            string
            The account GUID in which the policies belong to.
            

            Possible values:  1 ≤ length ≤ 32, Value must match regular expression ^[A-Za-z0-9-]*$
          • template_id
            string
            Optional template id.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression ^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$
          • template_version
            string
            Optional policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression ^[0-9]*$
          • limit
            integer
            The number of documents to include in collection.
            

            Possible values:  1 ≤ value ≤ 100
            Default: 50
          • start
            string
            Page token that refers to the page of collection to return.
            

            Possible values:  9 ≤ length ≤ 100, Value must match regular expression ^[-A-Za-z0-9+/]*$
          parameter
          WithContext method only
          ListPolicyAssignmentsOptions
          The ListPolicyAssignments options.
          

          ListPolicyAssignmentsOptions
          The listPolicyAssignments options.
          

          parameters
          • version
            Required*
            string
            specify version of response body format.
            

            Allowable values: [1.0]
            Possible values:  length ≥ 1
          • accountId
            Required*
            string
            The account GUID in which the policies belong to.
            

            Possible values:  1 ≤ length ≤ 32, Value must match regular expression /^[A-Za-z0-9-]*$/
          • acceptLanguage
            string
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan).
              • 

            

            Possible values:  length ≥ 1
            Default: default
          • templateId
            string
            Optional template id.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • templateVersion
            string
            Optional policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
          parameters
          • version
            Required*
            str
            specify version of response body format.
            

            Allowable values: [1.0]
            Possible values:  length ≥ 1
          • account_id
            Required*
            str
            The account GUID in which the policies belong to.
            

            Possible values:  1 ≤ length ≤ 32, Value must match regular expression /^[A-Za-z0-9-]*$/
          • accept_language
            str
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan).
              • 

            

            Possible values:  length ≥ 1
            Default: default
          • template_id
            str
            Optional template id.
            

            Possible values:  1 ≤ length ≤ 51, Value must match regular expression /^policyTemplate-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/
          • template_version
            str
            Optional policy template version.
            

            Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
          • curl -X GET 'https://iam.cloud.ibm.com/v1/policy_assignments?account_id=$ACCOUNT_ID&version=1.0' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
          • listPolicyAssignmentsOptions := iamPolicyManagementService.NewListPolicyAssignmentsOptions(
  exampleAccountID,
)

polcyTemplateAssignmentCollection, response, err := iamPolicyManagementService.ListPolicyAssignments(listPolicyAssignmentsOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(polcyTemplateAssignmentCollection, "", "  ")
testPolicyAssignmentId = *polcyTemplateAssignmentCollection.Assignments[0].ID
fmt.Println(string(b))
          • ListPolicyAssignmentsOptions listPolicyAssignmentsOptions = new ListPolicyAssignmentsOptions.Builder()
  .accountId(exampleAccountId)
  .build();

Response<PolicyTemplateAssignmentCollection> response = service.listPolicyAssignments(listPolicyAssignmentsOptions).execute();
PolicyTemplateAssignmentCollection polcyTemplateAssignmentCollection = response.getResult();

exampleAssignmentId = polcyTemplateAssignmentCollection.getAssignments().get(0).getId();

System.out.println(polcyTemplateAssignmentCollection);
          • const params = {
  accountId: exampleAccountId,
};

let res;
try {
  res = await iamPolicyManagementService.listPolicyAssignments(params);
  exampleAssignmentId = res.result.assignments[0].id
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
          • response = iam_policy_management_service.list_policy_assignments(
  account_id=example_account_id,
)
polcy_template_assignment_collection = response.get_result()

global example_assignment_id
example_assignment_id = polcy_template_assignment_collection['assignments'][0]['id']

print(json.dumps(polcy_template_assignment_collection, indent=2))
          Response
          Response Body
          PolicyTemplateAssignmentCollection
          A collection of policies assignments.
          

          PolicyTemplateAssignmentCollection
          A collection of policies assignments.
          

          PolicyTemplateAssignmentCollection
          A collection of policies assignments.
          

          PolicyTemplateAssignmentCollection
          A collection of policies assignments.
          

          PolicyTemplateAssignmentCollection
          A collection of policies assignments.
          

          Status Code
          • 200
            Policy template assignments retrieval successful.
            

          • 400
            The request you made is not valid.
            

          • 401
            The token you provided is not valid.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "assignments": [
    {
      "id": "<uuid>",
      "account_id": "<account-id>",
      "template": {
        "id": "policyTemplate-12345678-abcd-1a2b-a1b2-1234567890ab",
        "version": "2"
      },
      "target": {
        "type": "Account",
        "id": "AccountId"
      },
      "status": "succeeded",
      "resources": [
        {
          "target": "Account-1",
          "policy": {
            "resource_created": {
              "id": "0000-0000-0000-0001"
            },
            "status": "succeeded"
          }
        }
      ],
      "href": "https://iam.cloud.ibm.com/v1/policy_assignments/1122-222",
      "created_at": "2022-07-23T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2022-07-23T14:09:09.907Z",
      "last_modified_by_id": "USER_ID"
    }
  ]
}
          • {
  "assignments": [
    {
      "id": "<uuid>",
      "account_id": "<account-id>",
      "template": {
        "id": "policyTemplate-12345678-abcd-1a2b-a1b2-1234567890ab",
        "version": "2"
      },
      "target": {
        "type": "Account",
        "id": "AccountId"
      },
      "status": "succeeded",
      "resources": [
        {
          "target": "Account-1",
          "policy": {
            "resource_created": {
              "id": "0000-0000-0000-0001"
            },
            "status": "succeeded"
          }
        }
      ],
      "href": "https://iam.cloud.ibm.com/v1/policy_assignments/1122-222",
      "created_at": "2022-07-23T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2022-07-23T14:09:09.907Z",
      "last_modified_by_id": "USER_ID"
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Create a policy authorization template assignment
          Beta
          Assign a policy template to child accounts and account groups. This creates the policy in the accounts and account groups that you specify.
          

          Assign a policy template to child accounts and account groups. This creates the policy in the accounts and account groups that you specify.
          

          Assign a policy template to child accounts and account groups. This creates the policy in the accounts and account groups that you specify.
          

          Assign a policy template to child accounts and account groups. This creates the policy in the accounts and account groups that you specify.
          

          Assign a policy template to child accounts and account groups. This creates the policy in the accounts and account groups that you specify.
          

          POST /v1/policy_assignments
          (iamPolicyManagement *IamPolicyManagementV1) CreatePolicyTemplateAssignment(createPolicyTemplateAssignmentOptions *CreatePolicyTemplateAssignmentOptions) (result *PolicyAssignmentV1Collection, response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) CreatePolicyTemplateAssignmentWithContext(ctx context.Context, createPolicyTemplateAssignmentOptions *CreatePolicyTemplateAssignmentOptions) (result *PolicyAssignmentV1Collection, response *core.DetailedResponse, err error)
          ServiceCall<PolicyAssignmentV1Collection> createPolicyTemplateAssignment(CreatePolicyTemplateAssignmentOptions createPolicyTemplateAssignmentOptions)
          createPolicyTemplateAssignment(params)
          create_policy_template_assignment(
        self,
        version: str,
        target: 'AssignmentTargetDetails',
        options: 'PolicyAssignmentV1Options',
        templates: List['AssignmentTemplateDetails'],
        *,
        accept_language: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-assignment.create
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyAssignment.create
          Request
          Instantiate the CreatePolicyTemplateAssignmentOptions struct and set the fields to provide parameter values for the CreatePolicyTemplateAssignment method.
          Use the CreatePolicyTemplateAssignmentOptions.Builder to create a CreatePolicyTemplateAssignmentOptions object that contains the parameter values for the createPolicyTemplateAssignment method.
          Custom Headers
          • Accept-Language
            string
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan)
              • 

            

            Possible values:  length ≥ 1
            Default: default
          Query Parameters
          • version
            Required*
            string
            specify version of response body format
            

            Allowable values: [1.0]
            Possible values:  length ≥ 1
          Request Body
          Required*
          PolicyAssignmentV1Request
          A policy assignment to be created.
          

          parameter
          WithContext method only
          CreatePolicyTemplateAssignmentOptions
          The CreatePolicyTemplateAssignment options.
          

          CreatePolicyTemplateAssignmentOptions
          The createPolicyTemplateAssignment options.
          

          parameters
          • version
            Required*
            string
            specify version of response body format.
            

            Allowable values: [1.0]
            Possible values:  length ≥ 1
          • target
            assignment target account and type.
            

          • options
            The set of properties required for a policy assignment.
            

          • templates
            Required*
            List of template details for policy assignment.
            

            Possible values:  number of items = 1
          • acceptLanguage
            string
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan).
              • 

            

            Possible values:  length ≥ 1
            Default: default
          parameters
          • version
            Required*
            str
            specify version of response body format.
            

            Allowable values: [1.0]
            Possible values:  length ≥ 1
          • target
            assignment target account and type.
            

          • options
            The set of properties required for a policy assignment.
            

          • templates
            Required*
            List of template details for policy assignment.
            

            Possible values:  number of items = 1
          • accept_language
            str
            Language code for translations
            

              

            • default - English
              • 

            • de -  German (Standard)
              • 

            • en - English
              • 

            • es - Spanish (Spain)
              • 

            • fr - French (Standard)
              • 

            • it - Italian (Standard)
              • 

            • ja - Japanese
              • 

            • ko - Korean
              • 

            • pt-br - Portuguese (Brazil)
              • 

            • zh-cn - Chinese (Simplified, PRC)
              • 

            • zh-tw - (Chinese, Taiwan).
              • 

            

            Possible values:  length ≥ 1
            Default: default
          • curl -X POST 'https://iam.cloud.ibm.com/v1/policy_assignments?version=1.0' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
    "templates": [{
    "id": "template_id",
    "version": "template_version"
 }],
    "target": {
    "id": "target account",
    "type": "target type"
 },

          Response
          Response Body
          PolicyAssignmentV1Collection
          Policy assignment response.
          

          PolicyAssignmentV1Collection
          Policy assignment response.
          

          PolicyAssignmentV1Collection
          Policy assignment response.
          

          PolicyAssignmentV1Collection
          Policy assignment response.
          

          PolicyAssignmentV1Collection
          Policy assignment response.
          

          Status Code
          • 201
            Policy assignment creation successful.
            

          • 400
            Policy assignment input is invalid.
            

          • 401
            The token you provided is not valid.
            

          • 403
            You do not have access to create the policy.
            

          • 406
            The requested resource(s) cannot be formatted using the requested media type(s).
            

          • 409
            A policy assignment already exists for the given template id, version and target account.
            

          • 415
            Request body sent was formatted using an unsupported media type.
            

          • 429
            Too many requests have been made within a given time window.
            

          Example responses
          • {
  "assignments": [
    {
      "id": "<uuid>",
      "account_id": "<account-id>",
      "template": {
        "id": "policyTemplate-12345678-abcd-1a2b-a1b2-1234567890ab",
        "version": "1"
      },
      "target": {
        "type": "Account",
        "id": "AccountId"
      },
      "status": "succeeded",
      "resources": [
        {
          "target": {
            "type": "Account",
            "id": "Account-1"
          },
          "policy": {
            "resource_created": {
              "id": "0000-0000-0000-0001"
            },
            "status": "succeeded"
          }
        }
      ],
      "href": "https://iam.cloud.ibm.com/v1/policy_assignments/{assignment_id}",
      "created_at": "2022-07-23T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2022-07-23T14:09:09.907Z",
      "last_modified_by_id": "USER_ID"
    }
  ]
}
          • {
  "assignments": [
    {
      "id": "<uuid>",
      "account_id": "<account-id>",
      "template": {
        "id": "policyTemplate-12345678-abcd-1a2b-a1b2-1234567890ab",
        "version": "1"
      },
      "target": {
        "type": "Account",
        "id": "AccountId"
      },
      "status": "succeeded",
      "resources": [
        {
          "target": {
            "type": "Account",
            "id": "Account-1"
          },
          "policy": {
            "resource_created": {
              "id": "0000-0000-0000-0001"
            },
            "status": "succeeded"
          }
        }
      ],
      "href": "https://iam.cloud.ibm.com/v1/policy_assignments/{assignment_id}",
      "created_at": "2022-07-23T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2022-07-23T14:09:09.907Z",
      "last_modified_by_id": "USER_ID"
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy."
    }
  ],
  "status_code": 403
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_assignment_conflict_error",
      "message": "Failed to create policy assignment.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy_assignment": "POLICY_ASSIGNMENT"
        }
      },
      "status_code": 409
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_assignment_conflict_error",
      "message": "Failed to create policy assignment.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy_assignment": "POLICY_ASSIGNMENT"
        }
      },
      "status_code": 409
    }
  ]
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
          Retrieve a policy assignment
          Beta
          Retrieve a policy template assignment by providing a policy assignment ID.
          

          Retrieve a policy template assignment by providing a policy assignment ID.
          

          Retrieve a policy template assignment by providing a policy assignment ID.
          

          Retrieve a policy template assignment by providing a policy assignment ID.
          

          Retrieve a policy template assignment by providing a policy assignment ID.
          

          GET /v1/policy_assignments/{assignment_id}
          (iamPolicyManagement *IamPolicyManagementV1) GetPolicyAssignment(getPolicyAssignmentOptions *GetPolicyAssignmentOptions) (result GetPolicyAssignmentResponseIntf, response *core.DetailedResponse, err error)
          (iamPolicyManagement *IamPolicyManagementV1) GetPolicyAssignmentWithContext(ctx context.Context, getPolicyAssignmentOptions *GetPolicyAssignmentOptions) (result GetPolicyAssignmentResponseIntf, response *core.DetailedResponse, err error)
          ServiceCall<GetPolicyAssignmentResponse> getPolicyAssignment(GetPolicyAssignmentOptions getPolicyAssignmentOptions)
          getPolicyAssignment(params)
          get_policy_assignment(
        self,
        assignment_id: str,
        version: str,
        **kwargs,
    ) -> DetailedResponse
          Authorization
          To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
          • iam-access-management.policy-assignment.read
          Auditing
          Calling this method generates the following auditing event.
          • iam-am.policyAssignment.read
          Request
          Instantiate the GetPolicyAssignmentOptions struct and set the fields to provide parameter values for the GetPolicyAssignment method.
          Use the GetPolicyAssignmentOptions.Builder to create a GetPolicyAssignmentOptions object that contains the parameter values for the getPolicyAssignment method.
          Path Parameters
          • assignment_id
            Required*
            string
            The policy template assignment ID.
            

            Possible values:  1 ≤ length ≤ 53
          Query Parameters
          • version
            Required*
            string
            specify version of response body format
            

            Allowable values: [1.0]
            Possible values:  length ≥ 1
          parameter
          WithContext method only
          GetPolicyAssignmentOptions
          The GetPolicyAssignment options.
          

          GetPolicyAssignmentOptions
          The getPolicyAssignment options.
          

          parameters
          • assignmentId
            Required*
            string
            The policy template assignment ID.
            

            Possible values:  1 ≤ length ≤ 53
          • version
            Required*
            string
            specify version of response body format.
            

            Allowable values: [1.0]
            Possible values:  length ≥ 1
          parameters
          • assignment_id
            Required*
            str
            The policy template assignment ID.
            

            Possible values:  1 ≤ length ≤ 53
          • version
            Required*
            str
            specify version of response body format.
            

            Allowable values: [1.0]
            Possible values:  length ≥ 1
          • curl -X GET 'https://iam.cloud.ibm.com/v1/policy_assignments/$POLICY_ASSIGNMENT_ID?version=1.0' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
          • getPolicyAssignmentOptions := iamPolicyManagementService.NewGetPolicyAssignmentOptions(
  testPolicyAssignmentId,
)

policyAssignmentRecord, response, err := iamPolicyManagementService.GetPolicyAssignment(getPolicyAssignmentOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyAssignmentRecord, "", "  ")
assignmentPolicyID = *policyAssignmentRecord.Resources[0].Policy.ResourceCreated.ID
fmt.Println(string(b))
          • GetPolicyAssignmentOptions getPolicyAssignmentOptions = new GetPolicyAssignmentOptions.Builder()
  .assignmentId(exampleAssignmentId)
  .build();

Response<PolicyAssignment> response = service.getPolicyAssignment(getPolicyAssignmentOptions).execute();
PolicyAssignment policyAssignmentRecord = response.getResult();
PolicyAssignmentResources resource = policyAssignmentRecord.getResources().get(0);
PolicyAssignmentResourcePolicy policy = resource.getPolicy();
AssignmentResourceCreated resourceCreated = policy.getResourceCreated();
exampleAssignmentPolicyId = resourceCreated.getId();

System.out.println(policyAssignmentRecord);
          • const params = {
  assignmentId: exampleAssignmentId,
};

let res;
try {
  res = await iamPolicyManagementService.getPolicyAssignment(params);
  console.log(JSON.stringify(res.result, null, 2));
  exampleAssignmentPolicyId = res.result.resources[0].policy.resource_created.id;
} catch (err) {
  console.warn(err);
}
          • response = iam_policy_management_service.get_policy_assignment(
  assignment_id=example_assignment_id,
)
policy_assignment_record = response.get_result()

global example_assignment_policy_id
example_assignment_policy_id = policy_assignment_record['resources'][0]['policy']['resource_created']['id']

print(json.dumps(policy_assignment_record, indent=2))
          Response
          Response Body
          One of
            The set of properties associated with the policy template assignment.
            

            GetPolicyAssignmentResponse
              The set of properties associated with the policy template assignment.
              

              GetPolicyAssignmentResponse
                The set of properties associated with the policy template assignment.
                

                GetPolicyAssignmentResponse
                  The set of properties associated with the policy template assignment.
                  

                  GetPolicyAssignmentResponse
                    The set of properties associated with the policy template assignment.
                    

                    Status Code
                    • 200
                      Policy assignment retrieval successful.
                      

                    • 401
                      The token you provided is not valid.
                      

                    • 403
                      You do not have access to retrieve the policy assignment.
                      

                    • 404
                      Policy Template Assignment was not found.
                      

                    • 406
                      The requested resource(s) cannot be formatted using the requested media type(s).
                      

                    • 429
                      Too many requests have been made within a given time window.
                      

                    Example responses
                    • {
  "id": "<uuid>",
  "account_id": "<account-id>",
  "template": {
    "id": "policyTemplate-12345678-abcd-1a2b-a1b2-1234567890ab",
    "version": "1"
  },
  "target": {
    "type": "Account",
    "id": "AccountId"
  },
  "status": "succeeded",
  "resources": [
    {
      "target": {
        "type": "Account",
        "id": "Account-1"
      },
      "policy": {
        "resource_created": {
          "id": "0000-0000-0000-0001",
          "status": "succeeded"
        }
      }
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policy_assignments/{assignment_id}",
  "created_at": "2022-07-23T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2022-07-23T14:09:09.907Z",
  "last_modified_by_id": "USER_ID"
}
                    • {
  "id": "<uuid>",
  "account_id": "<account-id>",
  "template": {
    "id": "policyTemplate-12345678-abcd-1a2b-a1b2-1234567890ab",
    "version": "1"
  },
  "target": {
    "type": "Account",
    "id": "AccountId"
  },
  "status": "succeeded",
  "resources": [
    {
      "target": {
        "type": "Account",
        "id": "Account-1"
      },
      "policy": {
        "resource_created": {
          "id": "0000-0000-0000-0001",
          "status": "succeeded"
        }
      }
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policy_assignments/{assignment_id}",
  "created_at": "2022-07-23T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2022-07-23T14:09:09.907Z",
  "last_modified_by_id": "USER_ID"
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy assignment."
    }
  ],
  "status_code": 403
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy assignment."
    }
  ],
  "status_code": 403
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_assignment_not_found",
      "message": "Policy Assignment with Id POLICY_ASSIGNMENT_ID not found."
    }
  ],
  "status_code": 404
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_assignment_not_found",
      "message": "Policy Assignment with Id POLICY_ASSIGNMENT_ID not found."
    }
  ],
  "status_code": 404
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
                    Update a policy authorization type assignment
                    Beta
                    Update a policy assignment by providing a policy assignment ID.
                    

                    Update a policy assignment by providing a policy assignment ID.
                    

                    Update a policy assignment by providing a policy assignment ID.
                    

                    Update a policy assignment by providing a policy assignment ID.
                    

                    Update a policy assignment by providing a policy assignment ID.
                    

                    PATCH /v1/policy_assignments/{assignment_id}
                    (iamPolicyManagement *IamPolicyManagementV1) UpdatePolicyAssignment(updatePolicyAssignmentOptions *UpdatePolicyAssignmentOptions) (result *PolicyAssignmentV1, response *core.DetailedResponse, err error)
                    (iamPolicyManagement *IamPolicyManagementV1) UpdatePolicyAssignmentWithContext(ctx context.Context, updatePolicyAssignmentOptions *UpdatePolicyAssignmentOptions) (result *PolicyAssignmentV1, response *core.DetailedResponse, err error)
                    ServiceCall<PolicyAssignmentV1> updatePolicyAssignment(UpdatePolicyAssignmentOptions updatePolicyAssignmentOptions)
                    updatePolicyAssignment(params)
                    update_policy_assignment(
        self,
        assignment_id: str,
        version: str,
        if_match: str,
        template_version: str,
        **kwargs,
    ) -> DetailedResponse
                    Authorization
                    To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
                    • iam-access-management.policy-assignment.update
                    Auditing
                    Calling this method generates the following auditing event.
                    • iam-am.policyAssignment.update
                    Request
                    Instantiate the UpdatePolicyAssignmentOptions struct and set the fields to provide parameter values for the UpdatePolicyAssignment method.
                    Use the UpdatePolicyAssignmentOptions.Builder to create a UpdatePolicyAssignmentOptions object that contains the parameter values for the updatePolicyAssignment method.
                    Custom Headers
                    • If-Match
                      Required*
                      string
                      The revision number for updating a policy assignment and must match the ETag value of the existing policy assignment.
The Etag can be retrieved using the GET /v1/policy_assignments/{assignment_id} API and looking at the ETag response header.
                      

                    Path Parameters
                    • assignment_id
                      Required*
                      string
                      The policy template assignment ID.
                      

                      Possible values:  1 ≤ length ≤ 53
                    Query Parameters
                    • version
                      Required*
                      string
                      specify version of response body format
                      

                      Allowable values: [1.0]
                      Possible values:  length ≥ 1
                    Request Body
                    Required*
                    UpdatePolicyAssignmentRequest
                    A policy assignment to be created.
                    

                    parameter
                    WithContext method only
                    UpdatePolicyAssignmentOptions
                    The UpdatePolicyAssignment options.
                    

                    UpdatePolicyAssignmentOptions
                    The updatePolicyAssignment options.
                    

                    parameters
                    • assignmentId
                      Required*
                      string
                      The policy template assignment ID.
                      

                      Possible values:  1 ≤ length ≤ 53
                    • version
                      Required*
                      string
                      specify version of response body format.
                      

                      Allowable values: [1.0]
                      Possible values:  length ≥ 1
                    • ifMatch
                      Required*
                      string
                      The revision number for updating a policy assignment and must match the ETag value of the existing policy assignment. The Etag can be retrieved using the GET /v1/policy_assignments/{assignment_id} API and looking at the ETag response header.
                      

                    • templateVersion
                      Required*
                      string
                      The policy template version to update to.
                      

                      Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
                    parameters
                    • assignment_id
                      Required*
                      str
                      The policy template assignment ID.
                      

                      Possible values:  1 ≤ length ≤ 53
                    • version
                      Required*
                      str
                      specify version of response body format.
                      

                      Allowable values: [1.0]
                      Possible values:  length ≥ 1
                    • if_match
                      Required*
                      str
                      The revision number for updating a policy assignment and must match the ETag value of the existing policy assignment. The Etag can be retrieved using the GET /v1/policy_assignments/{assignment_id} API and looking at the ETag response header.
                      

                    • template_version
                      Required*
                      str
                      The policy template version to update to.
                      

                      Possible values:  1 ≤ length ≤ 2, Value must match regular expression /^[0-9]*$/
                    • curl -X PATCH 'https://iam.cloud.ibm.com/v1/policy_assignments/$POLICY_ASSIGNMENT_ID?version=1.0' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "template_version": "2",
}'
                    Response
                    Response Body
                    PolicyAssignmentV1
                    The set of properties associated with the policy template assignment.
                    

                    PolicyAssignmentV1
                    The set of properties associated with the policy template assignment.
                    

                    PolicyAssignmentV1
                    The set of properties associated with the policy template assignment.
                    

                    PolicyAssignmentV1
                    The set of properties associated with the policy template assignment.
                    

                    PolicyAssignmentV1
                    The set of properties associated with the policy template assignment.
                    

                    Status Code
                    • 200
                      Policy assignment update successful.
                      

                    • 401
                      The token you provided is not valid.
                      

                    • 403
                      You do not have access to retrieve the policy assignment.
                      

                    • 404
                      Policy Template Assignment was not found.
                      

                    • 406
                      The requested resource(s) cannot be formatted using the requested media type(s).
                      

                    • 429
                      Too many requests have been made within a given time window.
                      

                    Example responses
                    • {
  "id": "<uuid>",
  "account_id": "<account-id>",
  "template": {
    "id": "policyTemplate-12345678-abcd-1a2b-a1b2-1234567890ab",
    "version": "1"
  },
  "target": {
    "type": "Account",
    "id": "AccountId"
  },
  "status": "succeeded",
  "resources": [
    {
      "target": {
        "type": "Account",
        "id": "AccountId"
      },
      "policy": {
        "resource_created": {
          "id": "0000-0000-0000-0001"
        },
        "status": "succeeded"
      }
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policy_assignments/{assignment_id}",
  "created_at": "2022-07-23T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2022-07-23T14:09:09.907Z",
  "last_modified_by_id": "USER_ID"
}
                    • {
  "id": "<uuid>",
  "account_id": "<account-id>",
  "template": {
    "id": "policyTemplate-12345678-abcd-1a2b-a1b2-1234567890ab",
    "version": "1"
  },
  "target": {
    "type": "Account",
    "id": "AccountId"
  },
  "status": "succeeded",
  "resources": [
    {
      "target": {
        "type": "Account",
        "id": "AccountId"
      },
      "policy": {
        "resource_created": {
          "id": "0000-0000-0000-0001"
        },
        "status": "succeeded"
      }
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policy_assignments/{assignment_id}",
  "created_at": "2022-07-23T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2022-07-23T14:09:09.907Z",
  "last_modified_by_id": "USER_ID"
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy assignment."
    }
  ],
  "status_code": 403
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy assignment."
    }
  ],
  "status_code": 403
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_assignment_not_found",
      "message": "Policy Assignment with Id POLICY_ASSIGNMENT_ID not found."
    }
  ],
  "status_code": 404
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_assignment_not_found",
      "message": "Policy Assignment with Id POLICY_ASSIGNMENT_ID not found."
    }
  ],
  "status_code": 404
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
                    Remove a policy assignment
                    Beta
                    Remove a policy template assignment by providing a policy assignment ID. You can't delete a policy assignment if the status is "in_progress".
                    

                    Remove a policy template assignment by providing a policy assignment ID. You can't delete a policy assignment if the status is "in_progress".
                    

                    Remove a policy template assignment by providing a policy assignment ID. You can't delete a policy assignment if the status is "in_progress".
                    

                    Remove a policy template assignment by providing a policy assignment ID. You can't delete a policy assignment if the status is "in_progress".
                    

                    Remove a policy template assignment by providing a policy assignment ID. You can't delete a policy assignment if the status is "in_progress".
                    

                    DELETE /v1/policy_assignments/{assignment_id}
                    (iamPolicyManagement *IamPolicyManagementV1) DeletePolicyAssignment(deletePolicyAssignmentOptions *DeletePolicyAssignmentOptions) (response *core.DetailedResponse, err error)
                    (iamPolicyManagement *IamPolicyManagementV1) DeletePolicyAssignmentWithContext(ctx context.Context, deletePolicyAssignmentOptions *DeletePolicyAssignmentOptions) (response *core.DetailedResponse, err error)
                    ServiceCall<Void> deletePolicyAssignment(DeletePolicyAssignmentOptions deletePolicyAssignmentOptions)
                    deletePolicyAssignment(params)
                    delete_policy_assignment(
        self,
        assignment_id: str,
        **kwargs,
    ) -> DetailedResponse
                    Authorization
                    To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
                    • iam-access-management.policy-assignment.delete
                    Auditing
                    Calling this method generates the following auditing event.
                    • iam-am.policyAssignment.delete
                    Request
                    Instantiate the DeletePolicyAssignmentOptions struct and set the fields to provide parameter values for the DeletePolicyAssignment method.
                    Use the DeletePolicyAssignmentOptions.Builder to create a DeletePolicyAssignmentOptions object that contains the parameter values for the deletePolicyAssignment method.
                    Path Parameters
                    • assignment_id
                      Required*
                      string
                      The policy template assignment ID.
                      

                      Possible values:  1 ≤ length ≤ 53
                    parameter
                    WithContext method only
                    DeletePolicyAssignmentOptions
                    The DeletePolicyAssignment options.
                    

                    DeletePolicyAssignmentOptions
                    The deletePolicyAssignment options.
                    

                    parameters
                    • assignmentId
                      Required*
                      string
                      The policy template assignment ID.
                      

                      Possible values:  1 ≤ length ≤ 53
                    parameters
                    • assignment_id
                      Required*
                      str
                      The policy template assignment ID.
                      

                      Possible values:  1 ≤ length ≤ 53
                    • curl -X DELETE 'https://iam.cloud.ibm.com/v1/policy_assignments/$POLICY_ASSIGNMENT_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
                    Response
                    Status Code
                    • 204
                      Policy assignment deletion successful.
                      

                    • 400
                      Policy assignment was not in valid to delete.
                      

                    • 401
                      The token you provided is not valid.
                      

                    • 403
                      You do not have access to remove the policy assignment.
                      

                    • 404
                      Policy Template Assignment was not found.
                      

                    • 429
                      Too many requests have been made within a given time window.
                      

                    Example responses
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes an assignment with state \"in_progress\", cannot perform action"
    }
  ],
  "status_code": 400
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes an assignment with state \"in_progress\", cannot perform action"
    }
  ],
  "status_code": 400
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy assignment."
    }
  ],
  "status_code": 403
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy assignment."
    }
  ],
  "status_code": 403
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_assignment_not_found",
      "message": "Policy Assignment with Id POLICY_ASSIGNMENT_ID not found."
    }
  ],
  "status_code": 404
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_assignment_not_found",
      "message": "Policy Assignment with Id POLICY_ASSIGNMENT_ID not found."
    }
  ],
  "status_code": 404
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
                    Retrieve Access Management account settings by account ID
                    Retrieve Access Management settings for an account by providing the account ID.
                    

                    GET /v1/accounts/{account_id}/settings/access_management
                    Authorization
                    To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
                    • iam-access-management.settings.read
                    Request
                    Custom Headers
                    • Accept-Language
                      string
                      Language code for translations
                      

                        

                      • default - English
                        • 

                      • de -  German (Standard)
                        • 

                      • en - English
                        • 

                      • es - Spanish (Spain)
                        • 

                      • fr - French (Standard)
                        • 

                      • it - Italian (Standard)
                        • 

                      • ja - Japanese
                        • 

                      • ko - Korean
                        • 

                      • pt-br - Portuguese (Brazil)
                        • 

                      • zh-cn - Chinese (Simplified, PRC)
                        • 

                      • zh-tw - (Chinese, Taiwan)
                        • 

                      

                      Possible values:  length ≥ 1
                      Default: default
                    Path Parameters
                    • account_id
                      Required*
                      string
                      The account GUID that the settings belong to.
                      

                      Possible values:  1 ≤ length ≤ 1024, Value must match regular expression ^[A-Za-z0-9-_]+$
                    • curl -X GET "https://iam.cloud.ibm.com/v1/accounts/$ACCOUNT_ID/settings/access_management" -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json'
                    Response
                    Response Body
                    AccountSettingsAccessManagement
                    The Access Management Account Settings that are currently set for the requested account.
                    

                    Status Code
                    • 200
                      Access Management account settings retrieval successful.
                      

                    • 401
                      The token you provided is not valid.
                      

                    • 403
                      You do not have access to retrieve the account settings.
                      

                    • 404
                      Resource was not found.
                      

                    • 406
                      The requested resource(s) cannot be formatted using the requested media type(s).
                      

                    • 429
                      Too many requests have been made within a given time window.
                      

                    Example responses
                    • {
  "external_account_identity_interaction": {
    "identity_types": {
      "user": {
        "state": "monitor",
        "external_allowed_accounts": [
          "100abcde100a41abc100aza678abc0zz",
          "87654321dcba1a2ba1b20987654321qw"
        ]
      },
      "service_id": {
        "state": "enabled",
        "external_allowed_accounts": []
      },
      "service": {
        "state": "monitor",
        "external_allowed_accounts": []
      }
    }
  }
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the access management account settings."
    }
  ],
  "status_code": 403
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "resource_not_found",
      "message": "account_id 100abcde100a41a?c100aza678abc0&z is malformed."
    }
  ],
  "status_code": 404
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
                    Update Access Management account settings by account ID
                    Update access management settings for an account.
                    

                    External Account Identity Interaction
                    

                    Update the way identities within an external account are allowed to interact with the requested account by providing:
                    

                      

                    • the account_id as a parameter
                      • 

                    • the external account ID(s) and state for the specific identity in the request body
                      • 

                    

                    External account identity interaction includes the following identity_types: user (user identities defined as IBMid's), service_id (defined as IAM ServiceIds), service (defined by a service’s CRN). To update an Identity’s setting, the state and external_allowed_accounts fields are required.
                    

                    Different identity states are:
                    

                      

                    • "enabled": An identity type is allowed to access resources in the account provided it has access policies on those resources.
                      • 

                    • "limited": An identity type is allowed to access resources in the account provided it has access policies on those resources AND it is associated with either the account the resources are in or one of the allowed accounts. This setting leverages the "external_allowed_accounts" list.
                      • 

                    • "monitor": Has no direct impact on an Identity’s access. Instead, it creates AT events for access decisions as if the account were in a limited “state”.
                      • 

                    

                    Note: The state "enabled" is a special case. In this case, access is given to all accounts and there is no need to specify a particular list. Therefore, when updating "state" to "enabled" for an identity type "external_allowed_accounts" should be left empty.
                    

                    PATCH /v1/accounts/{account_id}/settings/access_management
                    Authorization
                    To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.
                    • iam-access-management.settings.update
                    Request
                    Custom Headers
                    • If-Match
                      Required*
                      string
                      The revision number for updating Access Management Account Settings and must match the ETag value of the existing Access Management Account Settings.
The Etag can be retrieved using the GET /v1/accounts/{account_id}/settings/access_management API and looking at the ETag response header.
                      

                      Possible values:  5 ≤ length ≤ 43, Value must match regular expression ^[1-9]\d{0,9}-[\da-f]{32}|0-new$
                    • Accept-Language
                      string
                      Language code for translations
                      

                        

                      • default - English
                        • 

                      • de -  German (Standard)
                        • 

                      • en - English
                        • 

                      • es - Spanish (Spain)
                        • 

                      • fr - French (Standard)
                        • 

                      • it - Italian (Standard)
                        • 

                      • ja - Japanese
                        • 

                      • ko - Korean
                        • 

                      • pt-br - Portuguese (Brazil)
                        • 

                      • zh-cn - Chinese (Simplified, PRC)
                        • 

                      • zh-tw - (Chinese, Taiwan)
                        • 

                      

                      Possible values:  length ≥ 1
                      Default: default
                    Path Parameters
                    • account_id
                      Required*
                      string
                      The account GUID that the settings belong to.
                      

                      Possible values:  1 ≤ length ≤ 1024, Value must match regular expression ^[A-Za-z0-9-_]+$
                    Request Body
                    Required*
                    AccountSettingsAccessManagementPatch
                    Access Management Account Settings attribute to be updated.
                    

                    • curl -X PATCH "https://iam.cloud.ibm.com/v1/accounts/$ACCOUNT_ID/settings/access_management" -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{
  "external_account_identity_interaction": {
    "identity_types": {
      "service_id": {
        "state": "monitor",
        "external_allowed_accounts": ["100abcde100a41abc100aza678abc0zz"]
      }
    
  }
}'
                    Response
                    Response Body
                    AccountSettingsAccessManagement
                    The Access Management Account Settings that are currently set for the requested account.
                    

                    Status Code
                    • 200
                      Access Management account settings update successful.
                      

                    • 400
                      Access Management Account settings input is invalid.
                      

                    • 401
                      The token you provided is not valid.
                      

                    • 403
                      You do not have access to retrieve the account settings.
                      

                    • 404
                      Resource was not found.
                      

                    • 406
                      The requested resource(s) cannot be formatted using the requested media type(s).
                      

                    • 429
                      Too many requests have been made within a given time window.
                      

                    Example responses
                    • {
  "external_account_identity_interaction": {
    "identity_types": {
      "user": {
        "state": "monitor",
        "external_allowed_accounts": [
          "100abcde100a41abc100aza678abc0zz",
          "87654321dcba1a2ba1b20987654321qw"
        ]
      },
      "service_id": {
        "state": "monitor",
        "external_allowed_accounts": [
          "100abcde100a41abc100aza678abc0zz"
        ]
      },
      "service": {
        "state": "monitor",
        "external_allowed_accounts": []
      }
    }
  }
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check missing parameters."
    }
  ],
  "status_code": 400
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create or update the access management account settings."
    }
  ],
  "status_code": 403
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "resource_not_found",
      "message": "account_id 100abcde100a41a?c100aza678abc0&z is malformed."
    }
  ],
  "status_code": 404
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can only be formatted using the 'application/json' media type."
    }
  ],
  "status_code": 406
}
                    • {
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
                    id=curlclassName=tab-item-selected