Introduction
With the IAM Policy Management API you can create, update, view, and delete IAM policies. An IAM policy enables a subject to access a resource. These policies are used in access decisions when calling APIs for IAM enabled services. More details on IAM can be found at: IBM Cloud Identity and Access Management.
There are three primary values in a policy. The subject, roles, and resources.
The subject describes who is being granted access. The subject can be an iam_id or an access group id.
The iam_id of the entity that you are giving access to. This can be a user or a service id. The access
group id is the id of the access group. An access group contains a set of users or service ids. Access
groups are the preferred method of managing access control. See: Setting up access groups or IAM Access Groups.
Example format for supported subject types
| Type | Attribute name | Attribute value format example |
|---|---|---|
| User | iam_id | IBMid-123456... |
| Service ID | iam_id | iam-ServiceId-12345... |
| Access Group | access_group_id | AccessGroupId-12345... |
Two types of policies are supported access policies and authorization policies. These are described in more detail here: Create a policy
A role is a collection of actions that can be taken on a resource. Role details can be found here: IBM Cloud Identity and Access Management
Error Handling
The Policy Management APIs return standard HTTP status codes to indicate the success or failure of a request. The format of the response is represented in JSON as follows:
{
"trace": "cd4f7573121a4cf99f0079f8482b3d6b",
"errors": [
{
"code": "invalid_token",
"message": "The provided IAM token is invalid."
}
],
"status_code": 401
}
If an operation cannot be fulfilled, an appropriate 400 or 500 series HTTP response is returned from the server. The operations defined in the Reference section describe example errors that can be returned from a failed request. All responses from the IAM Policy Management API are in the JSON format.
Here are potential error codes that the API can return.
| HTTP Error Code | Description | Recovery |
|---|---|---|
200 |
Success | The request was successful. |
201 |
Created | The resource was successfully created. |
204 |
No Content | The request was successful. No response body is provided. |
400 |
Bad Request | The input parameters in the request body are either incomplete or in the wrong format. Be sure to include all required parameters in your request. |
401 |
Unauthorized | You are not authorized to make this request. The token is either invalid, missing or expired. Get a new valid token and try again. |
403 |
Forbidden | The token is valid, but the subject of the token is not authorized to perform the operation. If this error persists, contact the account owner to check your permissions. |
404 |
Not Found | The requested resource could not be found. |
409 |
Conflict | The entity is already in the requested state. |
415 |
Unsupported Media Type | Request body sent was formatted using an unsupported media type. |
429 |
Too Many Requests | Too many requests have been made within a given time window. Wait before calling the API again. |
500 |
Service Unavailable | IAM Policy Management Point is currently unavailable. Your request could not be processed. Wait a few minutes and try again. |
Authentication
Authorization to the IAM Policy Management API is enforced by using an IAM Access Token. The token is used to validate the identity of the caller and verify access to IAM API services. Obtaining an IAM Token for an authenticated User or Service ID is captured in the IAM Identity Service documentation.
Use of the IAM Policy Management REST API is done by adding a valid IAM Token to the HTTP Authorization request header. Example: -H 'Authorization: Bearer $TOKEN'
Transaction-Id:
An optional transaction id can be passed to your request, which can be useful for tracking calls through multiple services using one identifier. The header key must be set to Transaction-Id and the value is anything that you choose.
If no transaction id is passed in, then a random id is generated.
Methods
Get policies by attributes
Get policies and filter by attributes. While managing policies, you may want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. Currently, we only support the following attributes: account_id, iam_id, access_group_id, type, and service_type. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.
GET /v1/policiesCustom Headers
An IAM token
Translation language code
Query Parameters
The account guid in which the policies belong to.
The IAM ID used to identify the subject.
The access group id.
The type of policy (access or authorization).
The type of service.
curl -X GET \ 'https://iam.cloud.ibm.com/v1/policies?account_id=$ACCOUNT_ID' \ -H 'Authorization: Bearer $TOKEN'\ -H 'Content-Type: application/json'
The policy ID.
The policy type; either 'access' or 'authorization'.
The subject attribute values that must match in order for this policy to apply in a permission decision.
Constraints: number of items = 1
A set of role cloud resource names (CRNs) granted by the policy.
The attributes of the resource. Note that only one resource is allowed in a policy.
Constraints: number of items = 1
The href link back to the policy.
The iam ID of the entity that created the policy.
The UTC timestamp when the policy was created.
The iam ID of the entity that last modified the policy.
The UTC timestamp when the policy was last modified.
policies
Status Code
Policies retrieval successful.
The request you made is not valid.
The token you provided is not valid.
The requested resource(s) cannot be formatted using the requested media type(s).
{ "policies": [ { "id": "12345678-abcd-1a2b-a1b2-1234567890ab", "type": "access", "subjects": [ { "attributes": [ { "name": "iam_id", "value": "IBMid-123453user" } ] } ], "roles": [ { "roles_id": "crn:v1:bluemix:public:iam::::role:Viewer" } ], "resources": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "value": "SERVICE_NAME" } ] } ], "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab", "created_at": "2018-08-30T14:09:09.907Z", "created_by_id": "USER ID", "last_modified_at": "2018-08-30T14:09:09.907Z", "last_modified_by_id": "USER ID" } ] }{ "trace": "f23a0d5d3835406bb4a946b7e017600a", "errors": [ { "code": "missing_required_query_parameter", "message": "'account_id' is a required query parameter" } ], "status_code": 400 }{ "trace": "12345678-abcd-1a2b-a1b2-1234567890ab", "errors": [ { "code": "invalid_token", "message": "The provided IAM token is invalid." } ], "status_code": 401 }{ "trace": "cb2a0d5d3835406bb4a946b7e017600a", "errors": [ { "code": "unable_to_process", "message": "The requested resource(s) can only be formatted using the 'application/json' media type." } ], "status_code": 406 }
Create a policy
Creates a policy to grant access between a subject and a resource. There are two types of policies: access and authorization. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and setup access between services.
Access
To create an access policy, use "type": "access" in the body.
The possible subject attributes are iam_id and access_group_id.
Use the iam_id subject attribute for assigning access for a user or service-id.
Use the access_group_id subject attribute for assigning access for an access group.
The roles must be a subset of a service's or the platform's supported roles.
The resource attributes must be a subset of a service's or the platform's supported attributes.
The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.`
If the subject is a locked service-id, the request will fail.
Authorization
Authorization policies are supported by services on a case by case basis.
Refer to service documentation to verify their support of authorization policies.
To create an authorization policy, use "type": "authorization" in the body.
The subject attributes must match the supported authorization subjects of the resource.
Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId
The policy roles must be a subset of the supported authorization roles supported by the target service.
The user must also have the same level of access or greater to the target resource in order to grant the role.
The resource attributes must be a subset of a service's or the platform's supported attributes.
Both the policy subject and the policy resource must include the serviceName and accountId attributes.
POST /v1/policiesCustom Headers
An IAM token
A policy to be created.
The policy type; either 'access' or 'authorization'.
The subject attribute values that must match in order for this policy to apply in a permission decision.
Constraints: number of items = 1
A set of role cloud resource names (CRNs) granted by the policy.
Constraints: number of items = 1
The attributes of the resource. Note that only one resource is allowed in a policy.
Constraints: number of items = 1
curl -X POST \ 'https://iam.cloud.ibm.com/v1/policies' \ -H 'Authorization: $TOKEN'\ -H 'Content-Type: application/json'\ -d '{ "type": "access", "subjects": [ { "attributes": [ { "name": "iam_id", "value": "IBMid-123453user" } ] }' ], "roles":[ { "role_id": "crn:v1:bluemix:public:iam::::role:Editor" } ], "resources":[ { "attributes": [ { "name": "accountId", "value": "$ACCOUNT_ID" }, { "name": "serviceName", "value": "$SERVICE_NAME" } ] } ] }'
The policy ID.
The policy type; either 'access' or 'authorization'.
The subject attribute values that must match in order for this policy to apply in a permission decision.
Constraints: number of items = 1
A set of role cloud resource names (CRNs) granted by the policy.
The attributes of the resource. Note that only one resource is allowed in a policy.
Constraints: number of items = 1
The href link back to the policy.
The iam ID of the entity that created the policy.
The UTC timestamp when the policy was created.
The iam ID of the entity that last modified the policy.
The UTC timestamp when the policy was last modified.
Status Code
Policy creation successful.
Policy input is invalid.
The token you provided is not valid.
You do not have access to create the policy.
The requested resource(s) cannot be formatted using the requested media type(s).
A policy already exists for the given subject and resource. You can update that policy or delete it and create a new one.
Request body sent was formatted using an unsupported media type.
{ "id": "12345678-abcd-1a2b-a1b2-1234567890ab", "type": "access", "subjects": [ { "attributes": [ { "name": "iam_id", "value": "IBMid-123453user" } ] } ], "roles": [ { "roles_id": "crn:v1:bluemix:public:iam::::role:Viewer" } ], "resources": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "value": "SERVICE_NAME" } ] } ], "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab", "created_at": "2018-08-30T14:09:09.907Z", "created_by_id": "USER ID", "last_modified_at": "2018-08-30T14:09:09.907Z", "last_modified_by_id": "USER ID" }{ "trace": "b62f8b6764c44a97975cbef65041ce74", "errors": [ { "code": "invalid_body", "message": "The following role(s) had multiple entries: crn:v1:bluemix:public:iam::::role:Viewer" } ], "status_code": 403 }{ "trace": "12345678-abcd-1a2b-a1b2-1234567890ab", "errors": [ { "code": "invalid_token", "message": "The provided IAM token is invalid." } ], "status_code": 401 }{ "trace": "a0ef9bfadddb419aa0ff3844023d4421", "errors": [ { "code": "insufficent_permissions", "message": "You are not allowed to create the requested policy." } ], "status_code": 403 }{ "trace": "cb2a0d5d3835406bb4a946b7e017600a", "errors": [ { "code": "unable_to_process", "message": "The requested resource(s) can only be formatted using the 'application/json' media type." } ], "status_code": 406 }{ "trace": "a0ef9bfadddb419aa0ff3844023d4421", "errors": [ { "code": "policy_conflict_error", "message": "Failed to create policy.", "details": { "conflicts_with": { "etag": "1-847833cec3bf3f3c3231d8f9492febac", "policy": "POLICY" } }, "status_code": 409 } ] }{ "trace": "64e9d4d538a9433982d1d97304ce05f6", "errors": [ { "code": "unsupported_content_type", "message": "The supported media type for this API is 'application/json'." } ], "status_code": 415 }
Update a policy
Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (You cannot change an access policy to an authorization policy).
Access
To update an access policy, use "type": "access" in the body.
The possible subject attributes are iam_id and access_group_id.
Use the iam_id subject attribute for assigning access for a user or service-id.
Use the access_group_id subject attribute for assigning access for an access group.
The roles must be a subset of a service's or the platform's supported roles.
The resource attributes must be a subset of a service's or the platform's supported attributes.
The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.`
If the subject is a locked service-id, the request will fail.
Authorization
To update an authorization policy, use "type": "authorization" in the body.
The subject attributes must match the supported authorization subjects of the resource.
Multiple subject attributes might be provided. The following attributes are supported:
serviceName, serviceInstance, region, resourceType, resource, accountId
The policy roles must be a subset of the supported authorization roles supported by the target service.
The user must also have the same level of access or greater to the target resource in order to grant the role.
The resource attributes must be a subset of a service's or the platform's supported attributes.
Both the policy subject and the policy resource must include the serviceName and accountId attributes.
PUT /v1/policies/{policyId}Custom Headers
An IAM token
The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policyId} API and looking at the ETag response header.
Path Parameters
The policy ID
Updated policy content to be saved.
The policy type; either 'access' or 'authorization'.
The subject attribute values that must match in order for this policy to apply in a permission decision.
Constraints: number of items = 1
A set of role cloud resource names (CRNs) granted by the policy.
Constraints: number of items = 1
The attributes of the resource. Note that only one resource is allowed in a policy.
Constraints: number of items = 1
curl -X PUT \ 'https://iam.cloud.ibm.com/v1/policies' \ -H 'Authorization: Bearer $TOKEN'\ -H 'Content-Type: application/json'\ -H 'If-Match: $ETAG'\ -d '{ "type": "access", "subjects": [ { "attributes": [ { "name": "iam_id", "value": "IBMid-123453user" } ] }' ], "roles":[ { "role_id": "crn:v1:bluemix:public:iam::::role:Viewer" } ], "resources":[ { "attributes": [ { "name": "accountId", "value": "$ACCOUNT_ID" }, { "name": "serviceName", "value": "$SERVICE_NAME" } ] } ] }'
The policy ID.
The policy type; either 'access' or 'authorization'.
The subject attribute values that must match in order for this policy to apply in a permission decision.
Constraints: number of items = 1
A set of role cloud resource names (CRNs) granted by the policy.
The attributes of the resource. Note that only one resource is allowed in a policy.
Constraints: number of items = 1
The href link back to the policy.
The iam ID of the entity that created the policy.
The UTC timestamp when the policy was created.
The iam ID of the entity that last modified the policy.
The UTC timestamp when the policy was last modified.
Status Code
Policy update successful.
Policy input is invalid.
The token you provided is not valid.
You do not have access to update the policy.
The requested resource(s) cannot be formatted using the requested media type(s).
A policy already exists for the given subject and resource. You can update that policy or delete it and create a new one.
Request body sent was formatted using an unsupported media type.
{ "id": "12345678-abcd-1a2b-a1b2-1234567890ab", "type": "access", "subjects": [ { "attributes": [ { "name": "iam_id", "value": "IBMid-123453user" } ] } ], "roles": [ { "roles_id": "crn:v1:bluemix:public:iam::::role:Viewer" } ], "resources": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "value": "SERVICE_NAME" } ] } ], "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab", "created_at": "2018-08-30T14:09:09.907Z", "created_by_id": "USER ID", "last_modified_at": "2018-08-30T14:09:09.907Z", "last_modified_by_id": "USER ID" }{ "trace": "a0ef9bfadddb419aa0ff3844023d4421", "errors": [ { "code": "invalid_body", "message": "A policy's type cannot be updated. Create a new policy and delete the existing one." } ], "status_code": 400 }{ "trace": "12345678-abcd-1a2b-a1b2-1234567890ab", "errors": [ { "code": "invalid_token", "message": "The provided IAM token is invalid." } ], "status_code": 401 }{ "trace": "6e25f4459c84467ab6923fa276428bd8", "errors": [ { "code": "insufficent_permissions", "message": "You are not allowed to update the requested policy." } ], "status_code": 403 }{ "trace": "cb2a0d5d3835406bb4a946b7e017600a", "errors": [ { "code": "unable_to_process", "message": "The requested resource(s) can only be formatted using the 'application/json' media type." } ], "status_code": 406 }{ "trace": "38e538a321a24bde9323a88ced8f8c98", "errors": [ { "code": "policy_conflict_error", "message": "Failed to update policy.", "details": { "conflicts_with": { "etag": "1-847833cec3bf3f3c3231d8f9492febac", "policy": "POLICY" } }, "status_code": 409 } ] }{ "trace": "64e9d4d538a9433982d1d97304ce05f6", "errors": [ { "code": "unsupported_content_type", "message": "The supported media type for this API is 'application/json'." } ], "status_code": 415 }
Custom Headers
An IAM token
Path Parameters
The policy ID
curl -X GET \ 'https://iam.cloud.ibm.com/v1/policies/$POLICY_ID' \ -H 'Authorization: Bearer $TOKEN'\ -H 'Content-Type: application/json'
The policy ID.
The policy type; either 'access' or 'authorization'.
The subject attribute values that must match in order for this policy to apply in a permission decision.
Constraints: number of items = 1
A set of role cloud resource names (CRNs) granted by the policy.
The attributes of the resource. Note that only one resource is allowed in a policy.
Constraints: number of items = 1
The href link back to the policy.
The iam ID of the entity that created the policy.
The UTC timestamp when the policy was created.
The iam ID of the entity that last modified the policy.
The UTC timestamp when the policy was last modified.
Status Code
Policy retrieval successful.
The token you provided is not valid.
You do not have access to retrieve the policy.
Policy was not found.
The requested resource(s) cannot be formatted using the requested media type(s).
{ "id": "12345678-abcd-1a2b-a1b2-1234567890ab", "type": "access", "subjects": [ { "attributes": [ { "name": "iam_id", "value": "IBMid-123453user" } ] } ], "roles": [ { "roles_id": "crn:v1:bluemix:public:iam::::role:Viewer" } ], "resources": [ { "attributes": [ { "name": "accountId", "value": "ACCOUNT_ID" }, { "name": "serviceName", "value": "SERVICE_NAME" } ] } ], "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab", "created_at": "2018-08-30T14:09:09.907Z", "created_by_id": "USER ID", "last_modified_at": "2018-08-30T14:09:09.907Z", "last_modified_by_id": "USER ID" }{ "trace": "12345678-abcd-1a2b-a1b2-1234567890ab", "errors": [ { "code": "invalid_token", "message": "The provided IAM token is invalid." } ], "status_code": 401 }{ "trace": "g3c529cc338a4cdab4b04831f5aeb23e", "errors": [ { "code": "insufficent_permissions", "message": "You are not allowed to retrieve the requested policy." } ], "status_code": 403 }{ "trace": "f3c529cc338a4cdab4b04831f5aeb23e", "errors": [ { "code": "policy_not_found", "message": "Policy with Id POLICY_ID not found." } ], "status_code": 404 }{ "trace": "cb2a0d5d3835406bb4a946b7e017600a", "errors": [ { "code": "unable_to_process", "message": "The requested resource(s) can only be formatted using the 'application/json' media type." } ], "status_code": 406 }
Delete a policy by ID
Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.
DELETE /v1/policies/{policyId}Custom Headers
An IAM token
Path Parameters
The policy ID
curl -X DELETE \ 'https://iam.cloud.ibm.com/v1/policies/$POLICY_ID' \ -H 'Authorization: Bearer $TOKEN'\ -H 'Content-Type: application/json'
Status Code
Policy deletion successful.
Policy was not valid to delete.
The token you provided is not valid.
You do not have access to delete the policy.
Policy was not found.
{ "trace": "26f0b2491ed6425c9e7b0c08a3a645f7", "errors": [ { "code": "invalid_body", "message": "Request includes a locked service id, cannot perform action" } ], "status_code": 400 }{ "trace": "12345678-abcd-1a2b-a1b2-1234567890ab", "errors": [ { "code": "invalid_token", "message": "The provided IAM token is invalid." } ], "status_code": 401 }{ "trace": "26f0b2491ed6425c9e7b0c08a3a645f7", "errors": [ { "code": "insufficent_permissions", "message": "You are not allowed to delete the requested policy." } ], "status_code": 403 }{ "trace": "9b4b2751c6dc4c91af4b209177f4be88", "errors": [ { "code": "policy_not_found", "message": "Policy with Id POLICY_ID not found." } ], "status_code": 404 }