IAM Policy Management | IBM Cloud API Docs

Introduction

Last updated: 2023-09-08

With the IBM Cloud® Identity and Access Management (IAM) Policy Management API, you can create, update, view, and delete IAM policies. An IAM policy enables a subject to access a resource. These policies are used in access decisions when you call APIs for IAM-enabled services. For more information about how access management works, see Managing access in IBM Cloud.

There are three primary values in a policy: a subject, roles, and resources.

The subject is who or what is being granted access. The subject can be an IAM ID or an access group ID. The IAM ID is the ID of the entity that you are giving access to. The value can be a user or a service ID. The access group ID is the ID of the access group. An access group contains a set of users or service IDs. Access groups are the preferred method of managing access control. For more information, see Setting up access groups.

The following table shows the example formats for the supported subject types:

Type	Attribute name	Attribute value
User	iam_id	`IBMid-123456...`
Service ID	iam_id	`iam-ServiceId-12345...`
Access group	access_group_id	`AccessGroupId-12345...`

The second value in a policy in the role. A role is a collection of actions that can be taken on a resource. There are platform, service, and custom roles. For more information, see IAM roles. And, the final value of the policy is the targeted resources whether it's an entire service, resource group, or specific service instance.

Two types of policies are supported: access policies and authorization policies. For more information, see Create a policy.

With policy templates and assignments you can centrally manage the policies for child accounts in your organization from the root enterprise account. For more information, see Working with template versions and Best practices for assigning access in an enterprise.

SDKs for Java, Node, Python, and Go are available to make it easier to programmatically access the API from your code. The client libraries that are provided by the SDKs implement best practices for using the API and reduce the amount of code that you need to write. The tab for each language includes code examples that demonstrate how to use the client libraries. For more information about using the SDKs, see the IBM Cloud SDK Common project on GitHub.

Installing the Go SDK

Go modules (recommended): Add the following import in your code, and then run go build or go mod tidy

import (
	"github.com/IBM/platform-services-go-sdk/iampolicymanagementv1"
)

Go get

go get -u github.com/IBM/platform-services-go-sdk/iampolicymanagementv1

View on GitHub

https://github.com/IBM/platform-services-go-sdk

Installing the Java SDK

Maven

<dependency>
	<groupId>com.ibm.cloud</groupId>
	<artifactId>iam-policy-management</artifactId>
	<version>{version}</version>
</dependency>
Copy to clipboard

Gradle

compile 'com.ibm.cloud:iam-policy-management:{version}'

Replace {version} in these examples with the release version.

View on GitHub

https://github.com/IBM/platform-services-java-sdk

Installing the Node SDK

npm install ibm-platform-services

View on GitHub

https://github.com/IBM/platform-services-node-sdk

Installing the Python SDK

pip install --upgrade "ibm-platform-services"

View on GitHub

https://github.com/IBM/platform-services-python-sdk

Endpoint URLs

The IAM Policy Management API uses the following public global endpoint URL. When you call the API, add the path for each method to form the complete API endpoint for your requests.

https://iam.cloud.ibm.com

If you enabled service endpoints in your account, you can send API requests over the IBM Cloud private network at the following base endpoint URLs. For more information, see Enabling VRF and service endpoints.

Private endpoint URL for VPC infrastructure: https://private.iam.cloud.ibm.com
Private endpoint URLs for classic infrastructure:
- Sydney: https://private.au-syd.iam.cloud.ibm.com
- Sao Paulo: https://private.br-sao.iam.cloud.ibm.com
- Montreal: https://private.ca-mon.iam.cloud.ibm.com
- Toronto: https://private.ca-tor.iam.cloud.ibm.com
- Frankfurt DC: https://private.eu-de.iam.cloud.ibm.com
- London: https://private.eu-gb.iam.cloud.ibm.com
- Madrid: https://private.eu-es.iam.cloud.ibm.com
- Tokyo: https://private.jp-tok.iam.cloud.ibm.com
- Osaka: https://private.jp-osa.iam.cloud.ibm.com
- Washington DC: https://private.us-east.iam.cloud.ibm.com
- Dallas: https://private.us-south.iam.cloud.ibm.com

Authentication

Authorization to the IAM Policy Management API is enforced by using an IBM Cloud IAM access token. The token is used to to determine the actions that a user or service ID has access to when they use the API.

Obtaining an IAM token for an authenticated user or service ID is described in the IAM Identity Services API documentation.

To use the API, add a valid IAM token to the HTTP Authorization request header, for example, -H 'Authorization: Bearer <TOKEN>'.

When you use the SDK, configure an IAM authenticator with the IAM API key. The authenticator automatically obtains the IAM access token for the API key and includes it with each request. You can construct an authenticator in either of two ways:

Programmatically by constructing an IAM authenticator instance and supplying your IAM API key
By defining the API key in external configuration properties and then using the SDK authenticator factory to construct an IAM authenticator that uses the configured IAM API key

In this example of using external configuration properties, an IAM authenticator instance is created with the configured API key, and then the service client is constructed with this authenticator instance and the configured service URL.

For more information, see the Authentication section of the IBM Cloud SDK Common documentation.

Any access, such as IAM actions, that is required to call a method is listed per individual method. The IAM actions associated with basic tasks for working with policies, including create, update, and delete actions, are inherited by the platform roles that can be assigned for each IAM-enabled service. For more information about the required IAM actions for custom roles and how they map to the access roles, see the list of actions and roles for the role management service.

To retrieve your access token:

curl -X POST    "https://iam.cloud.ibm.com/identity/token"    --header 'Content-Type: application/x-www-form-urlencoded'    --header 'Accept: application/json'    --data-urlencode 'grant_type=urn:ibm:params:oauth:grant-type:apikey'    --data-urlencode 'apikey=<API_KEY>'
Copy to clipboard

Replace <API_KEY> with your IAM API key.

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_POLICY_MANAGEMENT_URL=<SERVICE_URL>
export IAM_POLICY_MANAGEMENT_AUTHTYPE=iam
export IAM_POLICY_MANAGEMENT_APIKEY=<API_KEY>
Copy to clipboard

Example of constructing the service client

import {
    "github.com/IBM/platform-services-go-sdk/iampolicymanagementv1"
}
...
serviceClientOptions := &iampolicymanagementv1.IamPolicyManagementV1Options{}
serviceClient, err := iampolicymanagementv1.NewIamPolicyManagementV1UsingExternalConfig(serviceClientOptions)

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_POLICY_MANAGEMENT_URL=<SERVICE_URL>
export IAM_POLICY_MANAGEMENT_AUTHTYPE=iam
export IAM_POLICY_MANAGEMENT_APIKEY=<API_KEY>
Copy to clipboard

Example of constructing the service client

import com.ibm.cloud.platform_services.iam_policy_management.v1.IamPolicyManagement;
...
IamPolicyManagement serviceClient = IamPolicyManagement.newInstance();
Copy to clipboard

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_POLICY_MANAGEMENT_URL=<SERVICE_URL>
export IAM_POLICY_MANAGEMENT_AUTHTYPE=iam
export IAM_POLICY_MANAGEMENT_APIKEY=<API_KEY>
Copy to clipboard

Example of constructing the service client

const IamPolicyManagementV1 = require('ibm-platform-services/iam-policy-management/v1');
...
const serviceClient = IamPolicyManagementV1.newInstance({});
Copy to clipboard

Setting client options through external configuration

Example environment variables, where <SERVICE_URL> is the endpoint URL and <API_KEY> is your IAM API key

export IAM_POLICY_MANAGEMENT_URL=<SERVICE_URL>
export IAM_POLICY_MANAGEMENT_AUTHTYPE=iam
export IAM_POLICY_MANAGEMENT_APIKEY=<API_KEY>
Copy to clipboard

Example of constructing the service client

from ibm_platform_services import IamPolicyManagementV1
...
service_client = IamPolicyManagementV1.new_instance()

Auditing

You can monitor API activity within your account by using the IBM Cloud® Activity Tracker service. You can track when specific API methods are called by reviewing generated events in Activity Tracker.

If an event is tracked for a method, you can find it listed with the method. For more information about how to track IAM activity, see Auditing events for IAM.

Error handling

The Policy Management APIs return standard HTTP status codes to indicate the success or failure of a request. The format of the response is represented in JSON as follows:

{
    "trace": "cd4f7573121a4cf99f0079f8482b3d6b",
    "errors": [
        {
            "code": "invalid_token",
            "message": "The provided IAM token is invalid."
        }
    ],
    "status_code": 401
}

If an operation cannot be fulfilled, an appropriate 400 or 500 series HTTP response is returned from the server. The operations that are defined in the Reference section describe example errors that can be returned from a failed request. All responses from the IAM Policy Management API are in the JSON format.

Here are potential error codes that the API can return.

HTTP Error Code	Description	Recovery
`200`	Success	The request was successful.
`201`	Created	The resource was successfully created.
`204`	No Content	The request was successful. No response body is provided.
`400`	Bad Request	The input parameters in the request body are either incomplete or in the wrong format. Be sure to include all required parameters in your request.
`401`	Unauthorized	You are not authorized to make this request. The token is either invalid, missing or expired. Get a new valid token and try again.
`403`	Forbidden	The token is valid, but the subject of the token is not authorized to perform the operation. If this error persists, contact the account owner to check your permissions.
`404`	Not Found	The requested resource can't be found.
`409`	Conflict	The entity is already in the requested state.
`415`	Unsupported Media Type	Request body sent was formatted by using an unsupported media type.
`429`	Too Many Requests	Too many requests have been made within a given time window. Wait the time in seconds indicated in the `Retry-After` response header before calling the API again.
`500`	Service Unavailable	IAM Policy Management Point is currently unavailable. Your request can't be processed. Wait a few minutes and try again.

Additional headers

Some additional headers might be required to make successful requests to the API. Those additional headers are:

Transaction-Id

An optional transaction ID can be passed to your request, which can be useful for tracking calls through multiple services by using one identifier. The header key must be set to Transaction-Id and the value is anything that you choose.

If no transaction ID is passed in, then a random ID is generated.

Sorting

Sorting is available on the policies listing APIs. Use a sort query parameter set to the field name you want the results sorted by. All the top level policy fields are supported.

To reverse sort, add a - prefix to the field name.

For example, for the GET /v1/policies endpoint, a query parameter of sort=last_modified_at sorts the returned policies in ascending date and time order by last_modified_at. Meanwhile a query parameter of sort=-last_modified_at returns the policies in descending date and time order by last_modified_at.

Policy data enrichment

Currently two options are available: display and include_last_permit. By including query parameter format=display, the API returns the list of all actions included in each of the policy roles.

"roles": [
            {
              "role_id": "crn:v1:bluemix:public:iam::::role:Administrator",
              "display_name": "Administrator",
              "description": "Administrators can change object metadata or visibility for private services added to the account and can restrict the visibility of a public service.",
              "actions": [
                {
                  "id": "global-search-tagging.resource.read",
                  "displayName": "Find cloud resources",
                  "description": "The ability to find the resource using Global Search and Tagging search API."
                },
                {
                  "id": "iam.policy.read",
                  "displayName": "IAM Policy Read",
                  "description": "The ability to see policies."
                },
                {
                  "id": "iam.policy.create",
                  "displayName": "IAM Policy Create",
                  "description": "The ability to create policies."
                }
              ]
            }
          ],

Including the query parameter format=include_last_permit returns details of when the policy last granted a permit decision and the number of times it has done so.

{
   "id": "03b5696c-6844-430f-a3b1-8f2d0de53218",
   "type": "access",
   "subjects": ...,
   "roles": ...,
   "resources": ...,
   "last_permit_at": "2020-10-16T22:17:40.832Z",
   "last_permit_frequency": 18
},

This data is provided for informational purposes only. The last permit data only include records begining from end of October 2020.

Rate limiting

A response with status 429 Too Many Requests is returned if too many requests are made within a time window. The response includes a Retry-After header to indicate the time in seconds to wait before sending the next request.

When you work with the Policy Management API, it might be helpful to be aware of other IAM services. See Identity Services to learn about API key, service ID, and token creation. See Access groups to create groups and manage memberships.

Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.

GET /v1/policies

(iamPolicyManagement *IamPolicyManagementV1) ListPolicies(listPoliciesOptions *ListPoliciesOptions) (result *PolicyCollection, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) ListPoliciesWithContext(ctx context.Context, listPoliciesOptions *ListPoliciesOptions) (result *PolicyCollection, response *core.DetailedResponse, err error)

ServiceCall<PolicyCollection> listPolicies(ListPoliciesOptions listPoliciesOptions)
Copy to clipboard

listPolicies(params)

list_policies(
        self,
        account_id: str,
        *,
        accept_language: Optional[str] = None,
        iam_id: Optional[str] = None,
        access_group_id: Optional[str] = None,
        type: Optional[str] = None,
        service_type: Optional[str] = None,
        tag_name: Optional[str] = None,
        tag_value: Optional[str] = None,
        sort: Optional[str] = None,
        format: Optional[str] = None,
        state: Optional[str] = None,
        limit: Optional[int] = None,
        start: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.read

Auditing

Calling this method generates the following auditing event.

iam-am.policy.read

Request

Instantiate the ListPoliciesOptions struct and set the fields to provide parameter values for the ListPolicies method.

Use the ListPoliciesOptions.Builder to create a ListPoliciesOptions object that contains the parameter values for the listPolicies method.

Custom Headers

Accept-Language
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan)
Possible values: length ≥ 1
Default: default

Query Parameters

account_id
Required*
string
The account GUID that the policies belong to.
iam_id
string
Optional IAM ID used to identify the subject.
access_group_id
string
Optional access group id.
type
string
Optional type of policy.

Allowable values: [access,authorization]
service_type
string
Optional type of service.

Allowable values: [service,platform_service]
tag_name
string
Optional name of the access tag in the policy.
tag_value
string
Optional value of the access tag in the policy.
sort
string
Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field. Example '-last_modified_at'

Allowable values: [type,href,created_at,created_by_id,last_modified_at,last_modified_by_id,state]
format
string
Include additional data per policy returned
- include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
- display - returns the list of all actions included in each of the policy roles
Allowable values: [include_last_permit,display]
state
string
The state of the policy.
- active - returns active policies
- deleted - returns non-active policies
Allowable values: [active,deleted]
limit
integer
The number of documents to include in the collection.

Possible values: 1 ≤ value ≤ 100
Default: 50
start
string
Page token that refers to the page of the collection to return.

Possible values: 9 ≤ length ≤ 100, Value must match regular expression ^[-A-Za-z0-9+/]*$

parameter

WithContext method only

ListPoliciesOptions

The ListPolicies options.

ListPoliciesOptions

The listPolicies options.

parameters

accountId
Required*
string
The account GUID that the policies belong to.
acceptLanguage
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default
iamId
string
Optional IAM ID used to identify the subject.
accessGroupId
string
Optional access group id.
type
string
Optional type of policy.

Allowable values: [access,authorization]
serviceType
string
Optional type of service.

Allowable values: [service,platform_service]
tagName
string
Optional name of the access tag in the policy.
tagValue
string
Optional value of the access tag in the policy.
sort
string
Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field. Example '-last_modified_at'.

Allowable values: [type,href,created_at,created_by_id,last_modified_at,last_modified_by_id,state]
format
string
Include additional data per policy returned
- include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
- display - returns the list of all actions included in each of the policy roles.
Allowable values: [include_last_permit,display]
state
string
The state of the policy.
- active - returns active policies
- deleted - returns non-active policies.
Allowable values: [active,deleted]
limit
number
The number of documents to include in the collection.

Possible values: 1 ≤ value ≤ 100
Default: 50
start
string
Page token that refers to the page of the collection to return.

Possible values: 9 ≤ length ≤ 100, Value must match regular expression /^[-A-Za-z0-9+\/]*$/

parameters

account_id
Required*
str
The account GUID that the policies belong to.
accept_language
str
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default
iam_id
str
Optional IAM ID used to identify the subject.
access_group_id
str
Optional access group id.
type
str
Optional type of policy.

Allowable values: [access,authorization]
service_type
str
Optional type of service.

Allowable values: [service,platform_service]
tag_name
str
Optional name of the access tag in the policy.
tag_value
str
Optional value of the access tag in the policy.
sort
str
Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field. Example '-last_modified_at'.

Allowable values: [type,href,created_at,created_by_id,last_modified_at,last_modified_by_id,state]
format
str
Include additional data per policy returned
- include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
- display - returns the list of all actions included in each of the policy roles.
Allowable values: [include_last_permit,display]
state
str
The state of the policy.
- active - returns active policies
- deleted - returns non-active policies.
Allowable values: [active,deleted]
limit
int
The number of documents to include in the collection.

Possible values: 1 ≤ value ≤ 100
Default: 50
start
str
Page token that refers to the page of the collection to return.

Possible values: 9 ≤ length ≤ 100, Value must match regular expression /^[-A-Za-z0-9+\/]*$/

Example request

curl -X GET 'https://iam.cloud.ibm.com/v1/policies?account_id=$ACCOUNT_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
Copy to clipboard

Example request

options := iamPolicyManagementService.NewListPoliciesOptions(
  exampleAccountID,
)
options.SetIamID(exampleUserID)
options.SetFormat("include_last_permit")

policyList, response, err := iamPolicyManagementService.ListPolicies(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyList, "", "  ")
fmt.Println(string(b))
Copy to clipboard

Example request

ListPoliciesOptions options = new ListPoliciesOptions.Builder()
        .accountId(exampleAccountId)
        .iamId(EXAMPLE_USER_ID)
        .format("include_last_permit")
        .build();

Response<PolicyCollection> response = service.listPolicies(options).execute();
PolicyCollection policyCollection = response.getResult();

System.out.println(policyCollection);

Example request

const params = {
  accountId: exampleAccountId,
  iamId: exampleUserId,
  format: 'include_last_permit',
};

try {
  const res = await iamPolicyManagementService.listPolicies(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
Copy to clipboard

Example request

policy_list = iam_policy_management_service.list_policies(
  account_id=example_account_id, iam_id=example_user_id, format='include_last_permit'
).get_result()

print(json.dumps(policy_list, indent=2))
Copy to clipboard

Response

Response Body

PolicyCollection

A collection of policies.

PolicyCollection

A collection of policies.

PolicyCollection

A collection of policies.

PolicyCollection

A collection of policies.

PolicyCollection

A collection of policies.

Status Code

200
Policies retrieval successful.
400
The request you made is not valid.
401
The token that you provided is not valid.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
429
Too many requests are within a time window.

Example responses

Status 200

{
  "policies": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "type": "access",
      "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
      "subjects": [
        {
          "attributes": [
            {
              "name": "iam_id",
              "value": "IBMid-123453user"
            }
          ]
        }
      ],
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ],
      "resources": [
        {
          "attributes": [
            {
              "name": "accountId",
              "value": "ACCOUNT_ID",
              "operator": "stringEquals"
            },
            {
              "name": "serviceName",
              "value": "SERVICE_NAME",
              "operator": "stringEquals"
            }
          ]
        }
      ],
      "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "state": "active"
    }
  ]
}
Copy to clipboard

Success example

{
  "policies": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "type": "access",
      "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
      "subjects": [
        {
          "attributes": [
            {
              "name": "iam_id",
              "value": "IBMid-123453user"
            }
          ]
        }
      ],
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ],
      "resources": [
        {
          "attributes": [
            {
              "name": "accountId",
              "value": "ACCOUNT_ID",
              "operator": "stringEquals"
            },
            {
              "name": "serviceName",
              "value": "SERVICE_NAME",
              "operator": "stringEquals"
            }
          ]
        }
      ],
      "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "state": "active"
    }
  ]
}
Copy to clipboard

Status 400

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Creates a policy to grant access between a subject and a resource. There are two types of policies: access and authorization. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and setup access between services.

Access

To create an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. The IAM Services group (IAM) is a subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes may support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. There are two types of policies: access and authorization. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and setup access between services.

Access

To create an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. The IAM Services group (IAM) is a subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes may support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. There are two types of policies: access and authorization. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and setup access between services.

Access

To create an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. The IAM Services group (IAM) is a subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes may support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. There are two types of policies: access and authorization. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and setup access between services.

Access

To create an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. The IAM Services group (IAM) is a subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes may support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. There are two types of policies: access and authorization. A policy administrator might want to create an access policy which grants access to a user, service-id, or an access group. They might also want to create an authorization policy and setup access between services.

Access

To create an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. The IAM Services group (IAM) is a subset of account management services that includes the IAM platform services IAM Identity, IAM Access Management, IAM Users Management, IAM Groups, and future IAM services. If the subject is a locked service-id, the request will fail.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes may support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

POST /v1/policies

(iamPolicyManagement *IamPolicyManagementV1) CreatePolicy(createPolicyOptions *CreatePolicyOptions) (result *Policy, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) CreatePolicyWithContext(ctx context.Context, createPolicyOptions *CreatePolicyOptions) (result *Policy, response *core.DetailedResponse, err error)

ServiceCall<Policy> createPolicy(CreatePolicyOptions createPolicyOptions)
Copy to clipboard

createPolicy(params)

create_policy(
        self,
        type: str,
        subjects: List['PolicySubject'],
        roles: List['PolicyRole'],
        resources: List['PolicyResource'],
        *,
        description: Optional[str] = None,
        accept_language: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.create

Auditing

Calling this method generates the following auditing event.

iam-am.policy.create

Request

Instantiate the CreatePolicyOptions struct and set the fields to provide parameter values for the CreatePolicy method.

Use the CreatePolicyOptions.Builder to create a CreatePolicyOptions object that contains the parameter values for the createPolicy method.

Custom Headers

Accept-Language
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan)
Possible values: length ≥ 1
Default: default

Request Body

Required*

PolicyRequest

A policy to be created.

parameter

WithContext method only

CreatePolicyOptions

The CreatePolicy options.

CreatePolicyOptions

The createPolicy options.

parameters

type
Required*
string
The policy type; either 'access' or 'authorization'.

Possible values: 6 ≤ length ≤ 13, Value must match regular expression /^[a-z]+$/
subjects
Required*
The subjects associated with a policy.

Possible values: number of items = 1
roles
Required*
A set of role Cloud Resource Names (CRNs) granted by the policy.

Possible values: number of items ≥ 1
resources
Required*
The resources associated with a policy.

Possible values: number of items = 1
description
string
Customer-defined description.

Possible values: 1 ≤ length ≤ 300
acceptLanguage
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default

parameters

type
Required*
str
The policy type; either 'access' or 'authorization'.

Possible values: 6 ≤ length ≤ 13, Value must match regular expression /^[a-z]+$/
subjects
Required*
The subjects associated with a policy.

Possible values: number of items = 1
roles
Required*
A set of role Cloud Resource Names (CRNs) granted by the policy.

Possible values: number of items ≥ 1
resources
Required*
The resources associated with a policy.

Possible values: number of items = 1
description
str
Customer-defined description.

Possible values: 1 ≤ length ≤ 300
accept_language
str
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default

Example request

curl -X POST 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "Editor role for SERVICE_NAME\'s RESOURCE_NAME",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Editor"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "$SERVICE_NAME"
        },
        {
          "name": "resource",
          "value": "$RESOURCE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ]
}'
Copy to clipboard

Example request

subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
  Name:  core.StringPtr("iam_id"),
  Value: &exampleUserID,
}
policySubjects := &iampolicymanagementv1.PolicySubject{
  Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
policyRoles := &iampolicymanagementv1.PolicyRole{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer"),
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("accountId"),
  Value:    core.StringPtr(exampleAccountID),
  Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("serviceType"),
  Value:    core.StringPtr("service"),
  Operator: core.StringPtr("stringEquals"),
}
policyResourceTag := &iampolicymanagementv1.ResourceTag{
  Name:     core.StringPtr("project"),
  Value:    core.StringPtr("prototype"),
  Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
  Attributes: []iampolicymanagementv1.ResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute},
  Tags: []iampolicymanagementv1.ResourceTag{*policyResourceTag},
}

options := iamPolicyManagementService.NewCreatePolicyOptions(
  "access",
  []iampolicymanagementv1.PolicySubject{*policySubjects},
  []iampolicymanagementv1.PolicyRole{*policyRoles},
  []iampolicymanagementv1.PolicyResource{*policyResources},
)

policy, response, err := iamPolicyManagementService.CreatePolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
examplePolicyID = *policy.ID
fmt.Println(string(b))
Copy to clipboard

Example request

SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
        .name("iam_id")
        .value(EXAMPLE_USER_ID)
        .build();

PolicySubject policySubjects = new PolicySubject.Builder()
        .addAttributes(subjectAttribute)
        .build();

PolicyRole policyRoles = new PolicyRole.Builder()
        .roleId("crn:v1:bluemix:public:iam::::role:Viewer")
        .build();

ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
        .name("accountId")
        .value(exampleAccountId)
        .operator("stringEquals")
        .build();

ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
        .name("serviceType")
        .value("service")
        .operator("stringEquals")
        .build();

ResourceTag policyResourceTag = new ResourceTag.Builder()
        .name("project")
        .value("prototype")
        .operator("stringEquals")
        .build();

PolicyResource policyResources = new PolicyResource.Builder()
        .addAttributes(accountIdResourceAttribute)
        .addAttributes(serviceNameResourceAttribute)
        .addTags(policyResourceTag)
        .build();

CreatePolicyOptions options = new CreatePolicyOptions.Builder()
        .type("access")
        .subjects(Arrays.asList(policySubjects))
        .roles(Arrays.asList(policyRoles))
        .resources(Arrays.asList(policyResources))
        .build();

Response<Policy> response = service.createPolicy(options).execute();
Policy policy = response.getResult();

examplePolicyId = policy.getId();

System.out.println(policy);
Copy to clipboard

Example request

const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: exampleUserId,
      },
    ],
  },
];
const policyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:iam::::role:Viewer',
  },
];
const accountIdResourceAttribute = {
  name: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
  name: 'serviceType',
  value: 'service',
  operator: 'stringEquals',
};
const policyResourceTag = {
  name: 'project',
  operator: 'stringEquals',
  value: 'prototype',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceNameResourceAttribute],
    tags: [policyResourceTag],
  },
];
const params = {
  type: 'access',
  subjects: policySubjects,
  roles: policyRoles,
  resources: policyResources,
};

try {
  const res = await iamPolicyManagementService.createPolicy(params);
  examplePolicyId = res.result.id;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
Copy to clipboard

Example request

policy_subjects = PolicySubject(attributes=[SubjectAttribute(name='iam_id', value=example_user_id)])
policy_roles = PolicyRole(role_id='crn:v1:bluemix:public:iam::::role:Viewer')
account_id_resource_attribute = ResourceAttribute(name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(name='serviceType', value='service')
policy_resource_tag = ResourceTag(name='project', value='prototype')
policy_resources = PolicyResource(
  attributes=[account_id_resource_attribute, service_name_resource_attribute], tags=[policy_resource_tag]
)

policy = iam_policy_management_service.create_policy(
  type='access', subjects=[policy_subjects], roles=[policy_roles], resources=[policy_resources]
).get_result()

global example_policy_id
example_policy_id = policy['id']
print(json.dumps(policy, indent=2))
Copy to clipboard

Response

Response Body

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Status Code

201
Policy creation successful.
400
Policy input is invalid.
401
The token that you provided is not valid.
403
You do not have access to create the policy.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
409
A policy already exists for the given subject and resource. You can update that policy or delete it and create a new one.
415
The request body sent was formatted that uses an unsupported media type.
422
Exceeded maximum policies quota.
429
Too many requests are within a time window.

Example responses

Status 201

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ],
      "tags": [
        {
          "name": "project",
          "value": "moonshot",
          "operator": "stringEquals"
        },
        {
          "name": "pipeline",
          "value": "test",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
Copy to clipboard

Success example

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ],
      "tags": [
        {
          "name": "project",
          "value": "moonshot",
          "operator": "stringEquals"
        },
        {
          "name": "pipeline",
          "value": "test",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
Copy to clipboard

Status 400

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 409

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to create policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to create policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Status 415

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Status 422

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policies quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policies quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (You cannot change an access policy to an authorization policy).

Access

To update an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.` If the subject is a locked service-id, the request will fail.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes might support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (You cannot change an access policy to an authorization policy).

Access

To update an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.` If the subject is a locked service-id, the request will fail.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes might support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (You cannot change an access policy to an authorization policy).

Access

To update an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.` If the subject is a locked service-id, the request will fail.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes might support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (You cannot change an access policy to an authorization policy).

Access

To update an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.` If the subject is a locked service-id, the request will fail.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes might support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy. The policy type cannot be changed (You cannot change an access policy to an authorization policy).

Access

To update an access policy, use "type": "access" in the body. The possible subject attributes are iam_id and access_group_id. Use the iam_id subject attribute for assigning access for a user or service-id. Use the access_group_id subject attribute for assigning access for an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, or resourceGroupId attribute and the accountId attribute.` If the subject is a locked service-id, the request will fail.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals and the stringMatch operators are available. Resource attributes might support one or both operators. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

PUT /v1/policies/{policy_id}

(iamPolicyManagement *IamPolicyManagementV1) ReplacePolicy(replacePolicyOptions *ReplacePolicyOptions) (result *Policy, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) ReplacePolicyWithContext(ctx context.Context, replacePolicyOptions *ReplacePolicyOptions) (result *Policy, response *core.DetailedResponse, err error)

ServiceCall<Policy> replacePolicy(ReplacePolicyOptions replacePolicyOptions)
Copy to clipboard

replacePolicy(params)

replace_policy(
        self,
        policy_id: str,
        if_match: str,
        type: str,
        subjects: List['PolicySubject'],
        roles: List['PolicyRole'],
        resources: List['PolicyResource'],
        *,
        description: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.update

Auditing

Calling this method generates the following auditing event.

iam-am.policy.update

Request

Instantiate the ReplacePolicyOptions struct and set the fields to provide parameter values for the ReplacePolicy method.

Use the ReplacePolicyOptions.Builder to create a ReplacePolicyOptions object that contains the parameter values for the replacePolicy method.

Custom Headers

If-Match
Required*
string
The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.

Path Parameters

policy_id
Required*
string
The policy ID.

Request Body

Required*

PolicyRequest

Updated policy content to be saved.

parameter

WithContext method only

ReplacePolicyOptions

The ReplacePolicy options.

ReplacePolicyOptions

The replacePolicy options.

parameters

policyId
Required*
string
The policy ID.
ifMatch
Required*
string
The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.
type
Required*
string
The policy type; either 'access' or 'authorization'.

Possible values: 6 ≤ length ≤ 13, Value must match regular expression /^[a-z]+$/
subjects
Required*
The subjects associated with a policy.

Possible values: number of items = 1
roles
Required*
A set of role Cloud Resource Names (CRNs) granted by the policy.

Possible values: number of items ≥ 1
resources
Required*
The resources associated with a policy.

Possible values: number of items = 1
description
string
Customer-defined description.

Possible values: 1 ≤ length ≤ 300

parameters

policy_id
Required*
str
The policy ID.
if_match
Required*
str
The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.
type
Required*
str
The policy type; either 'access' or 'authorization'.

Possible values: 6 ≤ length ≤ 13, Value must match regular expression /^[a-z]+$/
subjects
Required*
The subjects associated with a policy.

Possible values: number of items = 1
roles
Required*
A set of role Cloud Resource Names (CRNs) granted by the policy.

Possible values: number of items ≥ 1
resources
Required*
The resources associated with a policy.

Possible values: number of items = 1
description
str
Customer-defined description.

Possible values: 1 ≤ length ≤ 300

Example request

curl -X PUT 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{
  "type": "access",
  "description": "Viewer role for for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles":[
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources":[
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "$ACCOUNT_ID"
        },
        {
          "name": "serviceName",
          "value": "$SERVICE_NAME"
        }
      ]
    }
  ]
}'
Copy to clipboard

Example request

subjectAttribute := &iampolicymanagementv1.SubjectAttribute{
  Name:  core.StringPtr("iam_id"),
  Value: &exampleUserID,
}
policySubjects := &iampolicymanagementv1.PolicySubject{
  Attributes: []iampolicymanagementv1.SubjectAttribute{*subjectAttribute},
}
accountIDResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("accountId"),
  Value:    core.StringPtr(exampleAccountID),
  Operator: core.StringPtr("stringEquals"),
}
serviceNameResourceAttribute := &iampolicymanagementv1.ResourceAttribute{
  Name:     core.StringPtr("serviceType"),
  Value:    core.StringPtr("service"),
  Operator: core.StringPtr("stringEquals"),
}
policyResourceTag := &iampolicymanagementv1.ResourceTag{
  Name:     core.StringPtr("project"),
  Value:    core.StringPtr("prototype"),
  Operator: core.StringPtr("stringEquals"),
}
policyResources := &iampolicymanagementv1.PolicyResource{
  Attributes: []iampolicymanagementv1.ResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute},
  Tags: []iampolicymanagementv1.ResourceTag{*policyResourceTag},
}
updatedPolicyRoles := &iampolicymanagementv1.PolicyRole{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Editor"),
}

options := iamPolicyManagementService.NewReplacePolicyOptions(
  examplePolicyID,
  examplePolicyETag,
  "access",
  []iampolicymanagementv1.PolicySubject{*policySubjects},
  []iampolicymanagementv1.PolicyRole{*updatedPolicyRoles},
  []iampolicymanagementv1.PolicyResource{*policyResources},
)

policy, response, err := iamPolicyManagementService.ReplacePolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
examplePolicyETag = response.GetHeaders().Get("ETag")
fmt.Println(string(b))
Copy to clipboard

Example request

SubjectAttribute subjectAttribute = new SubjectAttribute.Builder()
        .name("iam_id")
        .value(EXAMPLE_USER_ID)
        .build();

PolicySubject policySubjects = new PolicySubject.Builder()
        .addAttributes(subjectAttribute)
        .build();

ResourceAttribute accountIdResourceAttribute = new ResourceAttribute.Builder()
        .name("accountId")
        .value(exampleAccountId)
        .operator("stringEquals")
        .build();

ResourceAttribute serviceNameResourceAttribute = new ResourceAttribute.Builder()
        .name("serviceType")
        .value("service")
        .operator("stringEquals")
        .build();

ResourceTag policyResourceTag = new ResourceTag.Builder()
        .name("project")
        .value("prototype")
        .operator("stringEquals")
        .build();

PolicyResource policyResources = new PolicyResource.Builder()
        .addAttributes(accountIdResourceAttribute)
        .addAttributes(serviceNameResourceAttribute)
        .addTags(policyResourceTag)
        .build();

PolicyRole updatedPolicyRole = new PolicyRole.Builder()
        .roleId("crn:v1:bluemix:public:iam::::role:Editor")
        .build();

ReplacePolicyOptions options = new ReplacePolicyOptions.Builder()
        .type("access")
        .policyId(examplePolicyId)
        .ifMatch(examplePolicyEtag)
        .subjects(new ArrayList<PolicySubject>(Arrays.asList(policySubjects)))
        .roles(new ArrayList<PolicyRole>(Arrays.asList(updatedPolicyRole)))
        .resources(new ArrayList<PolicyResource>(Arrays.asList(policyResources)))
        .build();

Response<Policy> response = service.replacePolicy(options).execute();
Policy policy = response.getResult();

examplePolicyEtag = response.getHeaders().values("Etag").get(0);

System.out.println(policy);
Copy to clipboard

Example request

const policySubjects = [
  {
    attributes: [
      {
        name: 'iam_id',
        value: exampleUserId,
      },
    ],
  },
];
const accountIdResourceAttribute = {
  name: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
const serviceNameResourceAttribute = {
  name: 'serviceType',
  value: 'service',
  operator: 'stringEquals',
};
const policyResourceTag = {
  name: 'project',
  operator: 'stringEquals',
  value: 'prototype',
};
const policyResources = [
  {
    attributes: [accountIdResourceAttribute, serviceNameResourceAttribute],
    tags: [policyResourceTag],
  },
];
const updatedPolicyRoles = [
  {
    role_id: 'crn:v1:bluemix:public:iam::::role:Editor',
  },
];
const params = {
  type: 'access',
  policyId: examplePolicyId,
  ifMatch: examplePolicyETag,
  subjects: policySubjects,
  roles: updatedPolicyRoles,
  resources: policyResources,
};

try {
  const res = await iamPolicyManagementService.replacePolicy(params);
  examplePolicyETag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
Copy to clipboard

Example request

policy_subjects = PolicySubject(attributes=[SubjectAttribute(name='iam_id', value=example_user_id)])
account_id_resource_attribute = ResourceAttribute(name='accountId', value=example_account_id)
service_name_resource_attribute = ResourceAttribute(name='serviceType', value='service')
policy_resource_tag = ResourceTag(name='project', value='prototype')
policy_resources = PolicyResource(
  attributes=[account_id_resource_attribute, service_name_resource_attribute], tags=[policy_resource_tag]
)
updated_policy_roles = PolicyRole(role_id='crn:v1:bluemix:public:iam::::role:Editor')

response = iam_policy_management_service.replace_policy(
  type='access',
  policy_id=example_policy_id,
  if_match=example_policy_etag,
  subjects=[policy_subjects],
  roles=[updated_policy_roles],
  resources=[policy_resources],
)
policy = response.get_result()
global example_updated_policy_etag
example_updated_policy_etag = response.get_headers().get("Etag")

print(json.dumps(policy, indent=2))
Copy to clipboard

Response

Response Body

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Status Code

200
Policy update successful.
400
Policy input is invalid.
401
The token that you provided is not valid.
403
You do not have access to update the policy.
404
The policy was not found.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
409
A policy already exists for the given subject and resource. You can update that policy or delete it and create a new one.
415
The request body sent was formatted that uses an unsupported media type.
429
Too many requests are within a time window.

Example responses

Status 200

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
Copy to clipboard

Success example

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
Copy to clipboard

Status 400

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy and delete the existing one."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy and delete the existing one."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 404

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 409

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to update policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to update policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Status 415

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Retrieve a policy by providing a policy ID.

GET /v1/policies/{policy_id}

(iamPolicyManagement *IamPolicyManagementV1) GetPolicy(getPolicyOptions *GetPolicyOptions) (result *PolicyTemplateMetaData, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) GetPolicyWithContext(ctx context.Context, getPolicyOptions *GetPolicyOptions) (result *PolicyTemplateMetaData, response *core.DetailedResponse, err error)

ServiceCall<PolicyTemplateMetaData> getPolicy(GetPolicyOptions getPolicyOptions)
Copy to clipboard

getPolicy(params)

get_policy(
        self,
        policy_id: str,
        **kwargs,
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.read

Auditing

Calling this method generates the following auditing event.

iam-am.policy.read

Request

Instantiate the GetPolicyOptions struct and set the fields to provide parameter values for the GetPolicy method.

Use the GetPolicyOptions.Builder to create a GetPolicyOptions object that contains the parameter values for the getPolicy method.

Path Parameters

policy_id
Required*
string
The policy ID.

parameter

WithContext method only

GetPolicyOptions

The GetPolicy options.

GetPolicyOptions

The getPolicy options.

parameters

policyId
Required*
string
The policy ID.

parameters

policy_id
Required*
str
The policy ID.

Example request

curl -X GET 'https://iam.cloud.ibm.com/v1/policies/$POLICY_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
Copy to clipboard

Example request

options := iamPolicyManagementService.NewGetPolicyOptions(
  examplePolicyID,
)

policy, response, err := iamPolicyManagementService.GetPolicy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
examplePolicyETag = response.GetHeaders().Get("ETag")
fmt.Println(string(b))
Copy to clipboard

Example request

GetPolicyOptions options = new GetPolicyOptions.Builder()
        .policyId(examplePolicyId)
        .build();

Response<PolicyTemplateMetaData> response = service.getPolicy(options).execute();
PolicyTemplateMetaData policy = response.getResult();

examplePolicyEtag = response.getHeaders().values("Etag").get(0);

System.out.println(policy);
Copy to clipboard

Example request

const params = {
  policyId: examplePolicyId,
};

try {
  const res = await iamPolicyManagementService.getPolicy(params);
  examplePolicyETag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
Copy to clipboard

Example request

response = iam_policy_management_service.get_policy(policy_id=example_policy_id)
policy = response.get_result()
global example_policy_etag
example_policy_etag = response.get_headers().get("Etag")

print(json.dumps(policy, indent=2))
Copy to clipboard

Response

Response Body

PolicyTemplateMetaData

The core set of properties associated with a policy.

PolicyTemplateMetaData

The core set of properties associated with a policy.

PolicyTemplateMetaData

The core set of properties associated with a policy.

PolicyTemplateMetaData

The core set of properties associated with a policy.

PolicyTemplateMetaData

The core set of properties associated with a policy.

Status Code

200
Policy retrieval successful.
401
The token that you provided is not valid.
403
You do not have access to retrieve the policy.
404
The policy was not found.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
429
Too many requests are within a time window.

Example responses

Status 200

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
Copy to clipboard

Success example

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 404

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.

DELETE /v1/policies/{policy_id}

(iamPolicyManagement *IamPolicyManagementV1) DeletePolicy(deletePolicyOptions *DeletePolicyOptions) (response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) DeletePolicyWithContext(ctx context.Context, deletePolicyOptions *DeletePolicyOptions) (response *core.DetailedResponse, err error)

ServiceCall<Void> deletePolicy(DeletePolicyOptions deletePolicyOptions)
Copy to clipboard

deletePolicy(params)

delete_policy(
        self,
        policy_id: str,
        **kwargs,
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.delete

Auditing

Calling this method generates the following auditing event.

iam-am.policy.delete

Request

Instantiate the DeletePolicyOptions struct and set the fields to provide parameter values for the DeletePolicy method.

Use the DeletePolicyOptions.Builder to create a DeletePolicyOptions object that contains the parameter values for the deletePolicy method.

Path Parameters

policy_id
Required*
string
The policy ID.

parameter

WithContext method only

DeletePolicyOptions

The DeletePolicy options.

DeletePolicyOptions

The deletePolicy options.

parameters

policyId
Required*
string
The policy ID.

parameters

policy_id
Required*
str
The policy ID.

Example request

curl -X DELETE 'https://iam.cloud.ibm.com/v1/policies/$POLICY_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
Copy to clipboard

Example request

options := iamPolicyManagementService.NewDeletePolicyOptions(
  examplePolicyID,
)

response, err := iamPolicyManagementService.DeletePolicy(options)
if err != nil {
  panic(err)
}
Copy to clipboard

Example request

DeletePolicyOptions options = new DeletePolicyOptions.Builder()
        .policyId(examplePolicyId)
        .build();

Response<Void> response = service.deletePolicy(options).execute();

Example request

const params = {
  policyId: examplePolicyId,
};

try {
  await iamPolicyManagementService.deletePolicy(params);
} catch (err) {
  console.warn(err);
}
Copy to clipboard

Example request

response = iam_policy_management_service.delete_policy(policy_id=example_policy_id).get_result()

print(json.dumps(response, indent=2))

Response

Status Code

204
Policy deletion successful.
400
Policy was not valid to delete.
401
The token that you provided is not valid.
403
You do not have access to delete the policy.
404
The policy was not found.
429
Too many requests are within a time window.

Example responses

Status 400

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a locked service id, cannot perform action"
    }
  ],
  "status_code": 400
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a locked service id, cannot perform action"
    }
  ],
  "status_code": 400
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 404

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Restore a policy that has recently been deleted. A policy administrator might want to restore a deleted policy. To restore a policy, use "state": "active" in the body.

PATCH /v1/policies/{policy_id}

(iamPolicyManagement *IamPolicyManagementV1) UpdatePolicyState(updatePolicyStateOptions *UpdatePolicyStateOptions) (result *Policy, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) UpdatePolicyStateWithContext(ctx context.Context, updatePolicyStateOptions *UpdatePolicyStateOptions) (result *Policy, response *core.DetailedResponse, err error)

ServiceCall<Policy> updatePolicyState(UpdatePolicyStateOptions updatePolicyStateOptions)
Copy to clipboard

updatePolicyState(params)

update_policy_state(
        self,
        policy_id: str,
        if_match: str,
        *,
        state: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.create

Auditing

Calling this method generates the following auditing event.

iam-am.policy.update

Request

Instantiate the UpdatePolicyStateOptions struct and set the fields to provide parameter values for the UpdatePolicyState method.

Use the UpdatePolicyStateOptions.Builder to create a UpdatePolicyStateOptions object that contains the parameter values for the updatePolicyState method.

Custom Headers

If-Match
Required*
string
The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.

Path Parameters

policy_id
Required*
string
The policy ID.

Request Body

Required*

PatchPolicyRequest

Policy attribute to be updated.

parameter

WithContext method only

UpdatePolicyStateOptions

The UpdatePolicyState options.

UpdatePolicyStateOptions

The updatePolicyState options.

parameters

policyId
Required*
string
The policy ID.
ifMatch
Required*
string
The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.
state
string
The policy state.

Allowable values: [active,deleted]

parameters

policy_id
Required*
str
The policy ID.
if_match
Required*
str
The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v1/policies/{policy_id} API and looking at the ETag response header.
state
str
The policy state.

Allowable values: [active,deleted]

Example request

curl -X PATCH 'https://iam.cloud.ibm.com/v1/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{
  "state": "active",
}'
Copy to clipboard

Example request

options := iamPolicyManagementService.NewUpdatePolicyStateOptions(
  examplePolicyID,
  examplePolicyETag,
)

options.SetState("active")

policy, response, err := iamPolicyManagementService.UpdatePolicyState(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))
Copy to clipboard

Example request

UpdatePolicyStateOptions updatePolicyStateOptions = new UpdatePolicyStateOptions.Builder()
        .policyId(examplePolicyId)
        .ifMatch(examplePolicyEtag)
        .state("active")
        .build();

Response<Policy> response = service.updatePolicyState(updatePolicyStateOptions).execute();
Policy policy = response.getResult();

System.out.println(policy);

Example request

const params = {
  policyId: examplePolicyId,
  ifMatch: examplePolicyETag,
  state: 'active'
};

try {
  const res = await iamPolicyManagementService.updatePolicyState(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
Copy to clipboard

Example request

policy = iam_policy_management_service.update_policy_state(
  policy_id=example_policy_id, if_match=example_updated_policy_etag, state='active'
).get_result()

print(json.dumps(policy, indent=2))
Copy to clipboard

Response

Response Body

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Policy

The core set of properties associated with a policy.

Status Code

200
Policy successfully restored.
400
Policy input is invalid.
401
The token that you provided is not valid.
403
You do not have access to update the policy.
404
The policy was not found.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
415
The request body sent was formatted that uses an unsupported media type.
429
Too many requests are within a time window.

Example responses

Status 200

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
Copy to clipboard

Success example

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of SERVICE_NAME in the account.",
  "subjects": [
    {
      "attributes": [
        {
          "name": "iam_id",
          "value": "IBMid-123453user"
        }
      ]
    }
  ],
  "roles": [
    {
      "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
    }
  ],
  "resources": [
    {
      "attributes": [
        {
          "name": "accountId",
          "value": "ACCOUNT_ID",
          "operator": "stringEquals"
        },
        {
          "name": "serviceName",
          "value": "SERVICE_NAME",
          "operator": "stringEquals"
        }
      ]
    }
  ],
  "href": "https://iam.cloud.ibm.com/v1/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "state": "active"
}
Copy to clipboard

Status 400

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check missing parameters."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check missing parameters."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 404

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 415

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Get roles based on the filters. While managing roles, you may want to retrieve roles and filter by usages. This can be done through query parameters. Currently, we only support the following attributes: account_id, service_name, service_group_id, source_service_name and policy_type. Both service_name and service_group_id attributes are mutually exclusive. Only roles that match the filter and that the caller has read access to are returned. If the caller does not have read access to any roles an empty array is returned.

GET /v2/roles

(iamPolicyManagement *IamPolicyManagementV1) ListRoles(listRolesOptions *ListRolesOptions) (result *RoleCollection, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) ListRolesWithContext(ctx context.Context, listRolesOptions *ListRolesOptions) (result *RoleCollection, response *core.DetailedResponse, err error)

ServiceCall<RoleCollection> listRoles(ListRolesOptions listRolesOptions)
Copy to clipboard

listRoles(params)

list_roles(
        self,
        *,
        accept_language: Optional[str] = None,
        account_id: Optional[str] = None,
        service_name: Optional[str] = None,
        source_service_name: Optional[str] = None,
        policy_type: Optional[str] = None,
        service_group_id: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.read

Auditing

Calling this method generates the following auditing event.

iam-am.role.read

Request

Instantiate the ListRolesOptions struct and set the fields to provide parameter values for the ListRoles method.

Use the ListRolesOptions.Builder to create a ListRolesOptions object that contains the parameter values for the listRoles method.

Custom Headers

Accept-Language
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan)
Possible values: length ≥ 1
Default: default

Query Parameters

account_id
string
Optional account GUID in which the roles belong to.
service_name
string
Optional name of IAM enabled service.

Example: iam-groups
source_service_name
string
Optional name of source IAM enabled service.

Example: iam-groups
policy_type
string
Optional Policy Type.

Example: authorization
service_group_id
string
Optional id of service group.

Example: IAM

parameter

WithContext method only

ListRolesOptions

The ListRoles options.

ListRolesOptions

The listRoles options.

parameters

acceptLanguage
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default
accountId
string
Optional account GUID in which the roles belong to.
serviceName
string
Optional name of IAM enabled service.
Examples:
sourceServiceName
string
Optional name of source IAM enabled service.
Examples:
policyType
string
Optional Policy Type.
Examples:
serviceGroupId
string
Optional id of service group.
Examples:

parameters

accept_language
str
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default
account_id
str
Optional account GUID in which the roles belong to.
service_name
str
Optional name of IAM enabled service.
Examples:
source_service_name
str
Optional name of source IAM enabled service.
Examples:
policy_type
str
Optional Policy Type.
Examples:
service_group_id
str
Optional id of service group.
Examples:

Example request

curl -X GET 'https://iam.cloud.ibm.com/v2/roles' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
Copy to clipboard

Example request

options := iamPolicyManagementService.NewListRolesOptions()
options.SetAccountID(exampleAccountID)

roleList, response, err := iamPolicyManagementService.ListRoles(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(roleList, "", "  ")
fmt.Println(string(b))
Copy to clipboard

Example request

ListRolesOptions options = new ListRolesOptions.Builder()
        .accountId(exampleAccountId)
        .build();

Response<RoleCollection> response = service.listRoles(options).execute();
RoleCollection roleCollection = response.getResult();

System.out.println(roleCollection);

Example request

const params = {
  accountId: exampleAccountId,
};

try {
  const res = await iamPolicyManagementService.listRoles(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
Copy to clipboard

Example request

role_list = iam_policy_management_service.list_roles(account_id=example_account_id).get_result()

print(json.dumps(role_list, indent=2))

Response

Response Body

RoleCollection

A collection of roles returned by the 'list roles' operation.

RoleCollection

A collection of roles returned by the 'list roles' operation.

RoleCollection

A collection of roles returned by the 'list roles' operation.

RoleCollection

A collection of roles returned by the 'list roles' operation.

RoleCollection

A collection of roles returned by the 'list roles' operation.

Status Code

200
Roles retrieval successful.
401
The token that you provided is not valid.
404
Resource was not found.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
429
Too many requests are within a time window.

Example responses

Status 200

{
  "custom_roles": [
    {
      "id": "12345678abcd1a2ba1b21234567890ab",
      "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
      "name": "Example",
      "display_name": "Example Role",
      "description": "Custom role for example",
      "service_name": "SERVICE_NAME",
      "account_id": "ACCOUNT_ID",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ],
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
    }
  ],
  "service_roles": [
    {
      "crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
      "display_name": "Reader",
      "description": "Reader role for example",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ]
    }
  ],
  "system_roles": [
    {
      "crn": "crn:v1:bluemix:public:iam::::role:Viewer",
      "display_name": "Viewer",
      "description": "Viewer role for example",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ]
    }
  ]
}
Copy to clipboard

Success example

{
  "custom_roles": [
    {
      "id": "12345678abcd1a2ba1b21234567890ab",
      "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
      "name": "Example",
      "display_name": "Example Role",
      "description": "Custom role for example",
      "service_name": "SERVICE_NAME",
      "account_id": "ACCOUNT_ID",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ],
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "USER_ID",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "USER_ID",
      "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
    }
  ],
  "service_roles": [
    {
      "crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
      "display_name": "Reader",
      "description": "Reader role for example",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ]
    }
  ],
  "system_roles": [
    {
      "crn": "crn:v1:bluemix:public:iam::::role:Viewer",
      "display_name": "Viewer",
      "description": "Viewer role for example",
      "actions": [
        "ACTION_ID_1",
        "ACTION_ID_2"
      ]
    }
  ]
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 404

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "not_found",
      "message": "Not Found"
    }
  ],
  "status_code": 404
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "not_found",
      "message": "Not Found"
    }
  ],
  "status_code": 404
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Creates a custom role for a specific service within the account. An account owner or a user assigned the Administrator role on the Role management service can create a custom role. Any number of actions for a single service can be mapped to the new role, but there must be at least one service-defined action to successfully create the new role.

POST /v2/roles

(iamPolicyManagement *IamPolicyManagementV1) CreateRole(createRoleOptions *CreateRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) CreateRoleWithContext(ctx context.Context, createRoleOptions *CreateRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)

ServiceCall<CustomRole> createRole(CreateRoleOptions createRoleOptions)
Copy to clipboard

createRole(params)

create_role(
        self,
        display_name: str,
        actions: List[str],
        name: str,
        account_id: str,
        service_name: str,
        *,
        description: Optional[str] = None,
        accept_language: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam-access-management.customRole.create

Auditing

Calling this method generates the following auditing event.

iam-am.role.create

Request

Instantiate the CreateRoleOptions struct and set the fields to provide parameter values for the CreateRole method.

Use the CreateRoleOptions.Builder to create a CreateRoleOptions object that contains the parameter values for the createRole method.

Custom Headers

Accept-Language
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan)
Possible values: length ≥ 1
Default: default

Request Body

Required*

RolePostRequest

A role to be created.

parameter

WithContext method only

CreateRoleOptions

The CreateRole options.

CreateRoleOptions

The createRole options.

parameters

displayName
Required*
string
The display the name of the role that is shown in the console.

Possible values: 1 ≤ length ≤ 50
actions
Required*
string[]
The actions of the role. For more information, see IAM roles and actions.

Possible values: number of items ≥ 1, length ≥ 1
name
Required*
string
The name of the role that is used in the CRN. This must be alphanumeric and capitalized.

Possible values: 1 ≤ length ≤ 30, Value must match regular expression /^[A-Z]{1}[A-Za-z0-9]{0,29}$/
Examples:
accountId
Required*
string
The account GUID.
serviceName
Required*
string
The service name.
Examples:
description
string
The description of the role.

Possible values: 1 ≤ length ≤ 250
acceptLanguage
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default

parameters

display_name
Required*
str
The display the name of the role that is shown in the console.

Possible values: 1 ≤ length ≤ 50
actions
Required*
List[str]
The actions of the role. For more information, see IAM roles and actions.

Possible values: number of items ≥ 1, length ≥ 1
name
Required*
str
The name of the role that is used in the CRN. This must be alphanumeric and capitalized.

Possible values: 1 ≤ length ≤ 30, Value must match regular expression /^[A-Z]{1}[A-Za-z0-9]{0,29}$/
Examples:
account_id
Required*
str
The account GUID.
service_name
Required*
str
The service name.
Examples:
description
str
The description of the role.

Possible values: 1 ≤ length ≤ 250
accept_language
str
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default

Example request

curl -X POST 'https://iam.cloud.ibm.com/v2/roles' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "account_id": "ACCOUNT_ID",
  "service_name": "SERVICE_NAME",
  "actions":["ACTION_ID_1", "ACTION_ID_2"]
}'
Copy to clipboard

Example request

options := iamPolicyManagementService.NewCreateRoleOptions(
  "IAM Groups read access",
  []string{"iam-groups.groups.read"},
  "ExampleRoleIAMGroups",
  exampleAccountID,
  exampleServiceName,
)

customRole, response, err := iamPolicyManagementService.CreateRole(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(customRole, "", "  ")
exampleCustomRoleID = *customRole.ID
fmt.Println(string(b))
Copy to clipboard

Example request

CreateRoleOptions options = new CreateRoleOptions.Builder()
        .displayName("IAM Groups read access")
        .actions(Arrays.asList("iam-groups.groups.read"))
        .name("ExampleRoleIAMGroups")
        .accountId(exampleAccountId)
        .serviceName(EXAMPLE_SERVICE_NAME)
        .build();

Response<CustomRole> response = service.createRole(options).execute();
CustomRole customRole = response.getResult();

exampleCustomRoleId = customRole.getId();

System.out.println(customRole);
Copy to clipboard

Example request

const params = {
  displayName: exampleCustomRoleDipslayName,
  actions: ['iam-groups.groups.read'],
  name: 'ExampleRoleIAMGroups',
  accountId: exampleAccountId,
  serviceName: exampleServiceName,
};

try {
  const res = await iamPolicyManagementService.createRole(params);
  exampleCustomRoleId = res.result.id;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
Copy to clipboard

Example request

custom_role = iam_policy_management_service.create_role(
  display_name='IAM Groups read access',
  actions=['iam-groups.groups.read'],
  name='ExampleRoleIAMGroups',
  account_id=example_account_id,
  service_name=example_service_name,
).get_result()

global example_custom_role_id
example_custom_role_id = custom_role["id"]

print(json.dumps(custom_role, indent=2))
Copy to clipboard

Response

Response Body

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

Status Code

201
Role creation successful.
400
Role input is invalid.
401
The token that you provided is not valid.
403
You don't have access to create the role. You must be assigned the Administrator role on the Role management service.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
409
A role already exists with the same name or actions in the account. You can update that role or delete it and create a new one.
415
The request body sent was formatted that uses an unsupported media type.
422
Exceeded maximum roles quota.
429
Too many requests are within a time window.

Example responses

Status 201

{
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
Copy to clipboard

Success example

{
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
Copy to clipboard

Status 400

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "The role name conflicts with an existing system-defined role name. Choose a different name."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "The role name conflicts with an existing system-defined role name. Choose a different name."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested role. You must be assigned the Administrator role on the Role management service."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested role. You must be assigned the Administrator role on the Role management service."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 409

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_conflict_error",
      "message": "This role name is already in use. Update the existing one or change the role name to be unique.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "role": "ROLE"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_conflict_error",
      "message": "This role name is already in use. Update the existing one or change the role name to be unique.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "role": "ROLE"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Status 415

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Status 422

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum roles quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum roles quota (<limit>) for account <account_id>."
    }
  ],
  "status_code": 422
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Update a custom role. A role administrator might want to update an existing role by updating the display name, description, or the actions that are mapped to the role. The name, account_id, and service_name can't be changed.

PUT /v2/roles/{role_id}

(iamPolicyManagement *IamPolicyManagementV1) ReplaceRole(replaceRoleOptions *ReplaceRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) ReplaceRoleWithContext(ctx context.Context, replaceRoleOptions *ReplaceRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)

ServiceCall<CustomRole> replaceRole(ReplaceRoleOptions replaceRoleOptions)
Copy to clipboard

replaceRole(params)

replace_role(
        self,
        role_id: str,
        if_match: str,
        display_name: str,
        actions: List[str],
        *,
        description: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam-access-management.customRole.update

Auditing

Calling this method generates the following auditing event.

iam-am.role.update

Request

Instantiate the ReplaceRoleOptions struct and set the fields to provide parameter values for the ReplaceRole method.

Use the ReplaceRoleOptions.Builder to create a ReplaceRoleOptions object that contains the parameter values for the replaceRole method.

Custom Headers

If-Match
Required*
string
The revision number for updating a role and must match the ETag value of the existing role. The Etag can be retrieved using the GET /v2/roles/{role_id} API and looking at the ETag response header.

Path Parameters

role_id
Required*
string
The role ID.

Request Body

Required*

Role

Updated role content to be saved.

parameter

WithContext method only

ReplaceRoleOptions

The ReplaceRole options.

ReplaceRoleOptions

The replaceRole options.

parameters

roleId
Required*
string
The role ID.
ifMatch
Required*
string
The revision number for updating a role and must match the ETag value of the existing role. The Etag can be retrieved using the GET /v2/roles/{role_id} API and looking at the ETag response header.
displayName
Required*
string
The display the name of the role that is shown in the console.

Possible values: 1 ≤ length ≤ 50
actions
Required*
string[]
The actions of the role. For more information, see IAM roles and actions.

Possible values: number of items ≥ 1, length ≥ 1
description
string
The description of the role.

Possible values: 1 ≤ length ≤ 250

parameters

role_id
Required*
str
The role ID.
if_match
Required*
str
The revision number for updating a role and must match the ETag value of the existing role. The Etag can be retrieved using the GET /v2/roles/{role_id} API and looking at the ETag response header.
display_name
Required*
str
The display the name of the role that is shown in the console.

Possible values: 1 ≤ length ≤ 50
actions
Required*
List[str]
The actions of the role. For more information, see IAM roles and actions.

Possible values: number of items ≥ 1, length ≥ 1
description
str
The description of the role.

Possible values: 1 ≤ length ≤ 250

Example request

curl -X PUT 'https://iam.cloud.ibm.com/v2/roles' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{
  "display_name": "Example Role",
  "description": "Custom role for example",
  "actions":["ACTION_ID_1", "ACTION_ID_2"]
}'
Copy to clipboard

Example request

updatedRoleActions := []string{"iam-groups.groups.read", "iam-groups.groups.list"}

options := iamPolicyManagementService.NewReplaceRoleOptions(
  exampleCustomRoleID,
  exampleCustomRoleETag,
  "ExampleRoleIAMGroups",
  updatedRoleActions,
)

customRole, response, err := iamPolicyManagementService.ReplaceRole(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(customRole, "", "  ")
fmt.Println(string(b))
Copy to clipboard

Example request

List<String> updatedRoleActions = Arrays.asList("iam-groups.groups.read", "iam-groups.groups.list");
ReplaceRoleOptions options = new ReplaceRoleOptions.Builder()
        .roleId(exampleCustomRoleId)
        .ifMatch(exampleCustomRoleEtag)
        .displayName("IAM Groups read access")
        .actions(updatedRoleActions)
        .build();

Response<CustomRole> response = service.replaceRole(options).execute();
CustomRole customRole = response.getResult();

System.out.println(customRole);
Copy to clipboard

Example request

const updatedRoleActions = ['iam-groups.groups.read', 'iam-groups.groups.list'];
const params = {
  roleId: exampleCustomRoleId,
  ifMatch: exampleCustomRoleEtag,
  displayName: exampleCustomRoleDipslayName,
  actions: updatedRoleActions,
};

try {
  const res = await iamPolicyManagementService.replaceRole(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
Copy to clipboard

Example request

updated_role_actions = ['iam-groups.groups.read', 'iam-groups.groups.list']
custom_role = iam_policy_management_service.replace_role(
  role_id=example_custom_role_id,
  if_match=example_custom_role_etag,
  actions=updated_role_actions,
  display_name='IAM Groups read access',
).get_result()

print(json.dumps(custom_role, indent=2))
Copy to clipboard

Response

Response Body

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

Status Code

200
Role update successful.
400
Role input is invalid.
401
The token that you provided is not valid.
403
You do not have access to update the role.
404
Role was not found.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
409
A role already exists with the same actions and account_id. You can update that role or delete it and create a new one.
415
The request body sent was formatted that uses an unsupported media type.
429
Too many requests are within a time window.

Example responses

Status 200

{
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
Copy to clipboard

Success example

{
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
Copy to clipboard

Status 400

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "In order to update an existing role, a rev value must be provided."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "In order to update an existing role, a rev value must be provided."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested role."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested role."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 404

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with ID ROLE_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with ID ROLE_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 409

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_conflict_error",
      "message": "The role wasn't updated.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "role": "ROLE"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_conflict_error",
      "message": "The role wasn't updated.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "role": "ROLE"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Status 415

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Retrieve a role by providing a role ID.

GET /v2/roles/{role_id}

(iamPolicyManagement *IamPolicyManagementV1) GetRole(getRoleOptions *GetRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) GetRoleWithContext(ctx context.Context, getRoleOptions *GetRoleOptions) (result *CustomRole, response *core.DetailedResponse, err error)

ServiceCall<CustomRole> getRole(GetRoleOptions getRoleOptions)
Copy to clipboard

getRole(params)

get_role(
        self,
        role_id: str,
        **kwargs,
    ) -> DetailedResponse

Auditing

Calling this method generates the following auditing event.

iam-am.role.read

Request

Instantiate the GetRoleOptions struct and set the fields to provide parameter values for the GetRole method.

Use the GetRoleOptions.Builder to create a GetRoleOptions object that contains the parameter values for the getRole method.

Path Parameters

role_id
Required*
string
The role ID.

parameter

WithContext method only

GetRoleOptions

The GetRole options.

GetRoleOptions

The getRole options.

parameters

roleId
Required*
string
The role ID.

parameters

role_id
Required*
str
The role ID.

Example request

curl -X GET 'https://iam.cloud.ibm.com/v2/roles/$ROLE_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
Copy to clipboard

Example request

options := iamPolicyManagementService.NewGetRoleOptions(
  exampleCustomRoleID,
)

customRole, response, err := iamPolicyManagementService.GetRole(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(customRole, "", "  ")
exampleCustomRoleETag = response.Headers.Get("ETag")
fmt.Println(string(b))
Copy to clipboard

Example request

GetRoleOptions options = new GetRoleOptions.Builder()
        .roleId(exampleCustomRoleId)
        .build();

Response<CustomRole> response = service.getRole(options).execute();
CustomRole customRole = response.getResult();

exampleCustomRoleEtag = response.getHeaders().values("Etag").get(0);

System.out.println(customRole);
Copy to clipboard

Example request

const params = {
  roleId: exampleCustomRoleId,
};

try {
  const res = await iamPolicyManagementService.getRole(params);
  exampleCustomRoleEtag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
Copy to clipboard

Example request

response = iam_policy_management_service.get_role(role_id=example_custom_role_id)
custom_role = response.get_result()

global example_custom_role_etag
example_custom_role_etag = response.get_headers().get("Etag")

print(json.dumps(custom_role, indent=2))
Copy to clipboard

Response

Response Body

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

CustomRole

An additional set of properties associated with a role.

Status Code

200
Role retrieval successful.
401
The token that you provided is not valid.
403
You do not have access to retrieve the role.
404
Role was not found.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
429
Too many requests are within a time window.

Example responses

Status 200

{
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
Copy to clipboard

Success example

{
  "id": "12345678abcd1a2ba1b21234567890ab",
  "crn": "crn:v1:bluemix:public:iam-access-management::::customRole:Example",
  "name": "Example",
  "display_name": "Example Role",
  "description": "Custom role for example",
  "service_name": "SERVICE_NAME",
  "account_id": "ACCOUNT_ID",
  "actions": [
    "ACTION_ID_1",
    "ACTION_ID_2"
  ],
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "USER_ID",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "USER_ID",
  "href": "https://iam.cloud.ibm.com/v2/roles/12345678abcd1a2ba1b21234567890ab"
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested role."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested role."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 404

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with ID ROLE_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with ID ROLE_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Delete a role by providing a role ID.

DELETE /v2/roles/{role_id}

(iamPolicyManagement *IamPolicyManagementV1) DeleteRole(deleteRoleOptions *DeleteRoleOptions) (response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) DeleteRoleWithContext(ctx context.Context, deleteRoleOptions *DeleteRoleOptions) (response *core.DetailedResponse, err error)

ServiceCall<Void> deleteRole(DeleteRoleOptions deleteRoleOptions)
Copy to clipboard

deleteRole(params)

delete_role(
        self,
        role_id: str,
        **kwargs,
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam-access-management.customRole.delete

Auditing

Calling this method generates the following auditing event.

iam-am.role.delete

Request

Instantiate the DeleteRoleOptions struct and set the fields to provide parameter values for the DeleteRole method.

Use the DeleteRoleOptions.Builder to create a DeleteRoleOptions object that contains the parameter values for the deleteRole method.

Path Parameters

role_id
Required*
string
The role ID.

parameter

WithContext method only

DeleteRoleOptions

The DeleteRole options.

DeleteRoleOptions

The deleteRole options.

parameters

roleId
Required*
string
The role ID.

parameters

role_id
Required*
str
The role ID.

Example request

curl -X DELETE 'https://iam.cloud.ibm.com/v2/roles/$ROLE_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
Copy to clipboard

Example request

options := iamPolicyManagementService.NewDeleteRoleOptions(
  exampleCustomRoleID,
)

response, err := iamPolicyManagementService.DeleteRole(options)
if err != nil {
  panic(err)
}
Copy to clipboard

Example request

DeleteRoleOptions options = new DeleteRoleOptions.Builder()
  .roleId(exampleCustomRoleId)
  .build();

Response<Void> response = service.deleteRole(options).execute();

Example request

const params = {
  roleId: exampleCustomRoleId,
};

try {
  await iamPolicyManagementService.deleteRole(params);
} catch (err) {
  console.warn(err);
}
Copy to clipboard

Example request

response = iam_policy_management_service.delete_role(role_id=example_custom_role_id).get_result()

print(json.dumps(response, indent=2))

Response

Status Code

204
Role deletion successful.
401
The token that you provided is not valid.
403
You do not have access to delete the role.
404
Role was not found.
429
Too many requests are within a time window.

Example responses

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested role."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested role."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 404

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with ID ROLE_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "role_not_found",
      "message": "Role with ID ROLE_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Beta

Get policies and filter by attributes. While managing policies, you might want to retrieve policies in the account and filter by attribute values. This can be done through query parameters. The following attributes are supported: account_id, iam_id, access_group_id, type, service_type, sort, format and state. account_id is a required query parameter. Only policies that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policies an empty array is returned.

GET /v2/policies

(iamPolicyManagement *IamPolicyManagementV1) ListV2Policies(listV2PoliciesOptions *ListV2PoliciesOptions) (result *V2PolicyCollection, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) ListV2PoliciesWithContext(ctx context.Context, listV2PoliciesOptions *ListV2PoliciesOptions) (result *V2PolicyCollection, response *core.DetailedResponse, err error)

ServiceCall<V2PolicyCollection> listV2Policies(ListV2PoliciesOptions listV2PoliciesOptions)
Copy to clipboard

listV2Policies(params)

list_v2_policies(
        self,
        account_id: str,
        *,
        accept_language: Optional[str] = None,
        iam_id: Optional[str] = None,
        access_group_id: Optional[str] = None,
        type: Optional[str] = None,
        service_type: Optional[str] = None,
        service_name: Optional[str] = None,
        service_group_id: Optional[str] = None,
        sort: Optional[str] = None,
        format: Optional[str] = None,
        state: Optional[str] = None,
        limit: Optional[int] = None,
        start: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.read

Auditing

Calling this method generates the following auditing event.

iam-am.policy.read

Request

Instantiate the ListV2PoliciesOptions struct and set the fields to provide parameter values for the ListV2Policies method.

Use the ListV2PoliciesOptions.Builder to create a ListV2PoliciesOptions object that contains the parameter values for the listV2Policies method.

Custom Headers

Accept-Language
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan)
Possible values: length ≥ 1
Default: default

Query Parameters

account_id
Required*
string
The account GUID in which the policies belong to.

Possible values: length ≥ 1
iam_id
string
Optional IAM ID used to identify the subject.

Possible values: length ≥ 1
access_group_id
string
Optional access group id.

Possible values: length ≥ 1
type
string
Optional type of policy.

Allowable values: [access,authorization]
service_type
string
Optional type of service.

Allowable values: [service,platform_service]
service_name
string
Optional name of service.

Possible values: length ≥ 1
service_group_id
string
Optional ID of service group.

Possible values: length ≥ 1
sort
string
Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field, for example, '-last_modified_at'. Note that last permit information is only included when 'format=include_last_permit', for example, "format=include_last_permit&sort=last_permit_at" Example fields that can be sorted on:
- 'type'
- 'href'
- 'created_at'
- 'created_by_id'
- 'last_modified_at'
- 'last_modified_by_id'
- 'state'
- 'last_permit_at'
- 'last_permit_frequency'
format
string
Include additional data per policy returned
- include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
- display - returns the list of all actions included in each of the policy roles and translations for all relevant fields
Allowable values: [include_last_permit,display]
state
string
The state of the policy.
- active - returns active policies
- deleted - returns non-active policies
Allowable values: [active,deleted]
limit
integer
The number of documents to include in the collection.

Possible values: 1 ≤ value ≤ 100
Default: 50
start
string
Page token that refers to the page of the collection to return.

Possible values: 9 ≤ length ≤ 100, Value must match regular expression ^[-A-Za-z0-9+/]*$

parameter

WithContext method only

ListV2PoliciesOptions

The ListV2Policies options.

ListV2PoliciesOptions

The listV2Policies options.

parameters

accountId
Required*
string
The account GUID in which the policies belong to.

Possible values: length ≥ 1
acceptLanguage
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default
iamId
string
Optional IAM ID used to identify the subject.

Possible values: length ≥ 1
accessGroupId
string
Optional access group id.

Possible values: length ≥ 1
type
string
Optional type of policy.

Allowable values: [access,authorization]
serviceType
string
Optional type of service.

Allowable values: [service,platform_service]
serviceName
string
Optional name of service.

Possible values: length ≥ 1
serviceGroupId
string
Optional ID of service group.

Possible values: length ≥ 1
sort
string
Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field, for example, '-last_modified_at'. Note that last permit information is only included when 'format=include_last_permit', for example, "format=include_last_permit&sort=last_permit_at" Example fields that can be sorted on:
- 'type'
- 'href'
- 'created_at'
- 'created_by_id'
- 'last_modified_at'
- 'last_modified_by_id'
- 'state'
- 'last_permit_at'
- 'last_permit_frequency'.
format
string
Include additional data per policy returned
- include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
- display - returns the list of all actions included in each of the policy roles and translations for all relevant fields.
Allowable values: [include_last_permit,display]
state
string
The state of the policy.
- active - returns active policies
- deleted - returns non-active policies.
Allowable values: [active,deleted]
limit
number
The number of documents to include in the collection.

Possible values: 1 ≤ value ≤ 100
Default: 50
start
string
Page token that refers to the page of the collection to return.

Possible values: 9 ≤ length ≤ 100, Value must match regular expression /^[-A-Za-z0-9+\/]*$/

parameters

account_id
Required*
str
The account GUID in which the policies belong to.

Possible values: length ≥ 1
accept_language
str
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default
iam_id
str
Optional IAM ID used to identify the subject.

Possible values: length ≥ 1
access_group_id
str
Optional access group id.

Possible values: length ≥ 1
type
str
Optional type of policy.

Allowable values: [access,authorization]
service_type
str
Optional type of service.

Allowable values: [service,platform_service]
service_name
str
Optional name of service.

Possible values: length ≥ 1
service_group_id
str
Optional ID of service group.

Possible values: length ≥ 1
sort
str
Optional top level policy field to sort results. Ascending sort is default. Descending sort available by prepending '-' to field, for example, '-last_modified_at'. Note that last permit information is only included when 'format=include_last_permit', for example, "format=include_last_permit&sort=last_permit_at" Example fields that can be sorted on:
- 'type'
- 'href'
- 'created_at'
- 'created_by_id'
- 'last_modified_at'
- 'last_modified_by_id'
- 'state'
- 'last_permit_at'
- 'last_permit_frequency'.
format
str
Include additional data per policy returned
- include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
- display - returns the list of all actions included in each of the policy roles and translations for all relevant fields.
Allowable values: [include_last_permit,display]
state
str
The state of the policy.
- active - returns active policies
- deleted - returns non-active policies.
Allowable values: [active,deleted]
limit
int
The number of documents to include in the collection.

Possible values: 1 ≤ value ≤ 100
Default: 50
start
str
Page token that refers to the page of the collection to return.

Possible values: 9 ≤ length ≤ 100, Value must match regular expression /^[-A-Za-z0-9+\/]*$/

Example request

curl -X GET 'https://iam.cloud.ibm.com/v2/policies?account_id=$ACCOUNT_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
Copy to clipboard

Example request

options := iamPolicyManagementService.NewListV2PoliciesOptions(
  exampleAccountID,
)
options.SetIamID(exampleUserID)
options.SetFormat("include_last_permit")
options.SetSort("-id")

policyList, response, err := iamPolicyManagementService.ListV2Policies(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyList, "", "  ")
fmt.Println(string(b))
Copy to clipboard

Example request

ListV2PoliciesOptions options = new ListV2PoliciesOptions.Builder()
        .accountId(exampleAccountId)
        .iamId(EXAMPLE_USER_ID)
        .format("include_last_permit")
        .build();

Response<V2PolicyCollection> response = service.listV2Policies(options).execute();
V2PolicyCollection policyCollection = response.getResult();

System.out.println(policyCollection);

Example request

const params = {
  accountId: exampleAccountId,
  iamId: exampleUserId,
  format: 'include_last_permit',
};

try {
  const res = await iamPolicyManagementService.listV2Policies(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
Copy to clipboard

Example request

policy_list = iam_policy_management_service.list_v2_policies(
  account_id=example_account_id, iam_id=example_user_id, format='include_last_permit'
).get_result()

print(json.dumps(policy_list, indent=2))
Copy to clipboard

Response

Response Body

V2PolicyCollection

A collection of policies.

V2PolicyCollection

A collection of policies.

V2PolicyCollection

A collection of policies.

V2PolicyCollection

A collection of policies.

V2PolicyCollection

A collection of policies.

Status Code

200
Policies retrieval successful.
400
The request you made is not valid.
401
The token that you provided is not valid.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
429
Too many requests are within a time window.

Example responses

Status 200

{
  "policies": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "type": "access",
      "description": "Viewer role access for all instances of key protect in the account during business hours.",
      "subject": {
        "attributes": [
          {
            "key": "iam_id",
            "operator": "stringEquals",
            "value": "IBMid-123453user"
          }
        ]
      },
      "control": {
        "grant": {
          "roles": [
            {
              "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
            }
          ]
        }
      },
      "resource": {
        "attributes": [
          {
            "key": "accountId",
            "operator": "stringEquals",
            "value": "100abcde100a41abc100aza678abc0zz"
          },
          {
            "key": "serviceName",
            "operator": "stringEquals",
            "value": "kms"
          }
        ]
      },
      "rule": {
        "operator": "and",
        "conditions": [
          {
            "key": "{{environment.attributes.day_of_week}}",
            "operator": "dayOfWeekAnyOf",
            "value": [
              "1+00:00",
              "2+00:00",
              "3+00:00",
              "4+00:00",
              "5+00:00"
            ]
          },
          {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeGreaterThanOrEquals",
            "value": "09:00:00+00:00"
          },
          {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeLessThanOrEquals",
            "value": "17:00:00+00:00"
          }
        ]
      },
      "pattern": "time-based-conditions:weekly:custom-hours",
      "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "IBMid-12345678",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "IBMid-12345678",
      "state": "active"
    }
  ]
}
Copy to clipboard

Success example

{
  "policies": [
    {
      "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
      "type": "access",
      "description": "Viewer role access for all instances of key protect in the account during business hours.",
      "subject": {
        "attributes": [
          {
            "key": "iam_id",
            "operator": "stringEquals",
            "value": "IBMid-123453user"
          }
        ]
      },
      "control": {
        "grant": {
          "roles": [
            {
              "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
            }
          ]
        }
      },
      "resource": {
        "attributes": [
          {
            "key": "accountId",
            "operator": "stringEquals",
            "value": "100abcde100a41abc100aza678abc0zz"
          },
          {
            "key": "serviceName",
            "operator": "stringEquals",
            "value": "kms"
          }
        ]
      },
      "rule": {
        "operator": "and",
        "conditions": [
          {
            "key": "{{environment.attributes.day_of_week}}",
            "operator": "dayOfWeekAnyOf",
            "value": [
              "1+00:00",
              "2+00:00",
              "3+00:00",
              "4+00:00",
              "5+00:00"
            ]
          },
          {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeGreaterThanOrEquals",
            "value": "09:00:00+00:00"
          },
          {
            "key": "{{environment.attributes.current_time}}",
            "operator": "timeLessThanOrEquals",
            "value": "17:00:00+00:00"
          }
        ]
      },
      "pattern": "time-based-conditions:weekly:custom-hours",
      "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
      "created_at": "2018-08-30T14:09:09.907Z",
      "created_by_id": "IBMid-12345678",
      "last_modified_at": "2018-08-30T14:09:09.907Z",
      "last_modified_by_id": "IBMid-12345678",
      "state": "active"
    }
  ]
}
Copy to clipboard

Status 400

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "missing_required_query_parameter",
      "message": "'account_id' is a required query parameter"
    }
  ],
  "status_code": 400
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Beta

Creates a policy to grant access between a subject and a resource. Currently, there is one type of a v2/policy: access. A policy administrator might want to create an access policy that grants access to a user, service-id, or an access group.

Access

To create an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.

Currently, we support two types of patterns:

time-based: Used to specify a time-based restriction

Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }

You can use the following operators in the key and value pair:

  'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
  'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
  'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
  'dayOfWeekEquals', 'dayOfWeekAnyOf'

The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.

attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.

Combine conditions to specify an attribute-based condition using AND/OR-based operators.

For example, a policy can grant access based on multiple conditions applied on the resource attributes below:

  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/*"
        }
      ]
  }

In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy, making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. Currently, there is one type of a v2/policy: access. A policy administrator might want to create an access policy that grants access to a user, service-id, or an access group.

Access

To create an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.

Currently, we support two types of patterns:

time-based: Used to specify a time-based restriction

Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals', 'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals', 'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals', 'dayOfWeekEquals', 'dayOfWeekAnyOf'


The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the **`pattern`** is **`"time-based-conditions:weekly"`**. For more information, see [Time-based conditions operators](/docs/account?topic=account-iam-condition-properties&interface=ui#policy-condition-properties) and
[Limiting access with time-based conditions](/docs/account?topic=account-iam-time-based&interface=ui). If the subject is a locked service-id, the request will fail.

2. `attribute-based`: Used to specify a combination of OR/AND based conditions applied on resource attributes.

Combine conditions to specify an attribute-based condition using AND/OR-based operators.

For example, a policy can grant access based on multiple conditions applied on the resource attributes below:
```json
  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }

In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy, making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. Currently, there is one type of a v2/policy: access. A policy administrator might want to create an access policy that grants access to a user, service-id, or an access group.

Access

To create an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.

Currently, we support two types of patterns:

time-based: Used to specify a time-based restriction

Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals', 'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals', 'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals', 'dayOfWeekEquals', 'dayOfWeekAnyOf'


The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the **`pattern`** is **`"time-based-conditions:weekly"`**. For more information, see [Time-based conditions operators](/docs/account?topic=account-iam-condition-properties&interface=ui#policy-condition-properties) and
[Limiting access with time-based conditions](/docs/account?topic=account-iam-time-based&interface=ui). If the subject is a locked service-id, the request will fail.

2. `attribute-based`: Used to specify a combination of OR/AND based conditions applied on resource attributes.

Combine conditions to specify an attribute-based condition using AND/OR-based operators.

For example, a policy can grant access based on multiple conditions applied on the resource attributes below:
```json
  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }

In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy, making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. Currently, there is one type of a v2/policy: access. A policy administrator might want to create an access policy that grants access to a user, service-id, or an access group.

Access

To create an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.

Currently, we support two types of patterns:

time-based: Used to specify a time-based restriction

Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals', 'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals', 'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals', 'dayOfWeekEquals', 'dayOfWeekAnyOf'


The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the **`pattern`** is **`"time-based-conditions:weekly"`**. For more information, see [Time-based conditions operators](/docs/account?topic=account-iam-condition-properties&interface=ui#policy-condition-properties) and
[Limiting access with time-based conditions](/docs/account?topic=account-iam-time-based&interface=ui). If the subject is a locked service-id, the request will fail.

2. `attribute-based`: Used to specify a combination of OR/AND based conditions applied on resource attributes.

Combine conditions to specify an attribute-based condition using AND/OR-based operators.

For example, a policy can grant access based on multiple conditions applied on the resource attributes below:
```json
  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }

In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy, making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Creates a policy to grant access between a subject and a resource. Currently, there is one type of a v2/policy: access. A policy administrator might want to create an access policy that grants access to a user, service-id, or an access group.

Access

To create an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.

Currently, we support two types of patterns:

time-based: Used to specify a time-based restriction

Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals', 'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals', 'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals', 'dayOfWeekEquals', 'dayOfWeekAnyOf'


The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the **`pattern`** is **`"time-based-conditions:weekly"`**. For more information, see [Time-based conditions operators](/docs/account?topic=account-iam-condition-properties&interface=ui#policy-condition-properties) and
[Limiting access with time-based conditions](/docs/account?topic=account-iam-time-based&interface=ui). If the subject is a locked service-id, the request will fail.

2. `attribute-based`: Used to specify a combination of OR/AND based conditions applied on resource attributes.

Combine conditions to specify an attribute-based condition using AND/OR-based operators.

For example, a policy can grant access based on multiple conditions applied on the resource attributes below:
```json
  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/*"
        }
      ]
  }

In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy, making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.

Authorization

Authorization policies are supported by services on a case by case basis. Refer to service documentation to verify their support of authorization policies. To create an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

POST /v2/policies

(iamPolicyManagement *IamPolicyManagementV1) CreateV2Policy(createV2PolicyOptions *CreateV2PolicyOptions) (result *V2Policy, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) CreateV2PolicyWithContext(ctx context.Context, createV2PolicyOptions *CreateV2PolicyOptions) (result *V2Policy, response *core.DetailedResponse, err error)

ServiceCall<V2Policy> createV2Policy(CreateV2PolicyOptions createV2PolicyOptions)
Copy to clipboard

createV2Policy(params)

create_v2_policy(
        self,
        control: 'Control',
        type: str,
        *,
        description: Optional[str] = None,
        subject: Optional['V2PolicySubject'] = None,
        resource: Optional['V2PolicyResource'] = None,
        pattern: Optional[str] = None,
        rule: Optional['V2PolicyRule'] = None,
        accept_language: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.create

Auditing

Calling this method generates the following auditing event.

iam-am.policy.create

Request

Instantiate the CreateV2PolicyOptions struct and set the fields to provide parameter values for the CreateV2Policy method.

Use the CreateV2PolicyOptions.Builder to create a CreateV2PolicyOptions object that contains the parameter values for the createV2Policy method.

Custom Headers

Accept-Language
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan)
Possible values: length ≥ 1
Default: default

Request Body

Required*

CreateUpdateV2PolicyRequest

A policy to be created.

parameter

WithContext method only

CreateV2PolicyOptions

The CreateV2Policy options.

CreateV2PolicyOptions

The createV2Policy options.

parameters

control
Specifies the type of access that is granted by the policy.
type
Required*
string
The policy type; either 'access' or 'authorization'.

Allowable values: [access,authorization]
description
string
Description of the policy.

Possible values: 1 ≤ length ≤ 300, Value must match regular expression /^.*$/
subject
The subject attributes for whom the policy grants access.
resource
The resource attributes to which the policy grants access.
pattern
string
Indicates pattern of rule, either 'time-based-conditions:once', 'time-based-conditions:weekly:all-day', or 'time-based-conditions:weekly:custom-hours'.

Possible values: 1 ≤ length ≤ 42, Value must match regular expression /^[a-z:-]*$/
rule
Rule that specifies additional access that is granted (For example, time-based condition).
Change Request Parameter List
acceptLanguage
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default

parameters

control
Specifies the type of access that is granted by the policy.
type
Required*
str
The policy type; either 'access' or 'authorization'.

Allowable values: [access,authorization]
description
str
Description of the policy.

Possible values: 1 ≤ length ≤ 300, Value must match regular expression /^.*$/
subject
The subject attributes for whom the policy grants access.
resource
The resource attributes to which the policy grants access.
pattern
str
Indicates pattern of rule, either 'time-based-conditions:once', 'time-based-conditions:weekly:all-day', or 'time-based-conditions:weekly:custom-hours'.

Possible values: 1 ≤ length ≤ 42, Value must match regular expression /^[a-z:-]*$/
rule
Rule that specifies additional access that is granted (For example, time-based condition).
Change Request Parameter List
accept_language
str
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default

Example request

curl -X POST 'https://iam.cloud.ibm.com/v2/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -d '{
  "type": "access",
  "description": "Editor role for SERVICE_NAME\'s RESOURCE_NAME",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Editor"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "$ACCOUNT_ID"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "$SERVICE_NAME"
      },
      {
        "key": "resource",
        "operator": "stringEquals",
        "value": "$RESOURCE_NAME"
      }
    ]
  },
  "rule" :{
    "key": "{{environment.attributes.day_of_week}}",
    "operator": "dayOfWeekAnyOf",
    "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
  },
  "pattern": "time-based-conditions:weekly:all-day"
}'
Copy to clipboard

Example request

subjectAttribute := &iampolicymanagementv1.V2PolicySubjectAttribute{
  Key:      core.StringPtr("iam_id"),
  Operator: core.StringPtr("stringEquals"),
  Value:    &exampleUserID,
}
policySubject := &iampolicymanagementv1.V2PolicySubject{
  Attributes: []iampolicymanagementv1.V2PolicySubjectAttribute{*subjectAttribute},
}
policyRole := &iampolicymanagementv1.Roles{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Viewer"),
}
v2PolicyGrant := &iampolicymanagementv1.Grant{
  Roles: []iampolicymanagementv1.Roles{*policyRole},
}
v2PolicyControl := &iampolicymanagementv1.Control{
  Grant: v2PolicyGrant,
}
accountIDResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
  Key:      core.StringPtr("accountId"),
  Operator: core.StringPtr("stringEquals"),
  Value:    core.StringPtr(exampleAccountID),
}
serviceNameResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
  Key:      core.StringPtr("serviceType"),
  Operator: core.StringPtr("stringEquals"),
  Value:    core.StringPtr("service"),
}
policyResourceTag := &iampolicymanagementv1.V2PolicyResourceTag{
  Key:      core.StringPtr("project"),
  Value:    core.StringPtr("prototype"),
  Operator: core.StringPtr("stringEquals"),
}
policyResource := &iampolicymanagementv1.V2PolicyResource{
  Attributes: []iampolicymanagementv1.V2PolicyResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute},
  Tags: []iampolicymanagementv1.V2PolicyResourceTag{*policyResourceTag},
}
weeklyConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.day_of_week}}"),
  Operator: core.StringPtr("dayOfWeekAnyOf"),
  Value:    []string{"1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"},
}
startConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.current_time}}"),
  Operator: core.StringPtr("timeGreaterThanOrEquals"),
  Value:    core.StringPtr("09:00:00+00:00"),
}
endConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.current_time}}"),
  Operator: core.StringPtr("timeLessThanOrEquals"),
  Value:    core.StringPtr("17:00:00+00:00"),
}
policyRule := &iampolicymanagementv1.V2PolicyRule{
  Operator: core.StringPtr("and"),
  Conditions: []iampolicymanagementv1.NestedConditionIntf{
    weeklyConditionAttribute, startConditionAttribute, endConditionAttribute},
}

options := iamPolicyManagementService.NewCreateV2PolicyOptions(
  v2PolicyControl,
  "access",
)
options.SetSubject(policySubject)
options.SetResource(policyResource)
options.SetRule(policyRule)
options.SetPattern(*core.StringPtr("time-based-conditions:weekly:custom-hours"))

policy, response, err := iamPolicyManagementService.CreateV2Policy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
examplePolicyID = *policy.ID
fmt.Println(string(b))
Copy to clipboard

Example request

V2PolicySubjectAttribute subjectAttribute = new V2PolicySubjectAttribute.Builder()
        .key("iam_id")
        .value(EXAMPLE_USER_ID)
        .operator("stringEquals")
        .build();

V2PolicySubject policySubject = new V2PolicySubject.Builder()
        .addAttributes(subjectAttribute)
        .build();

V2PolicyResourceAttribute accountIdResourceAttribute = new V2PolicyResourceAttribute.Builder()
        .key("accountId")
        .value(exampleAccountId)
        .operator("stringEquals")
        .build();

V2PolicyResourceAttribute serviceNameResourceAttribute = new V2PolicyResourceAttribute.Builder()
        .key("serviceType")
        .value("service")
        .operator("stringEquals")
        .build();

V2PolicyResourceTag policyResourceTag = new V2PolicyResourceTag.Builder()
        .key("project")
        .value("prototype")
        .operator("stringEquals")
        .build();

V2PolicyResource policyResource = new V2PolicyResource.Builder()
        .addAttributes(accountIdResourceAttribute)
        .addAttributes(serviceNameResourceAttribute)
        .addTags(policyResourceTag)
        .build();

Roles policyRoles = new Roles.Builder()
        .roleId("crn:v1:bluemix:public:iam::::role:Viewer")
        .build();

Grant policyGrant = new Grant.Builder()
        .roles(Arrays.asList(policyRoles))
        .build();

Control control = new Control.Builder()
        .grant(policyGrant)
        .build();

NestedConditionRuleAttribute weeklyConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.day_of_week}}")
        .value(new ArrayList<String>(Arrays.asList("1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00")))
        .operator("dayOfWeekAnyOf")
        .build();

NestedConditionRuleAttribute startConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.current_time}}")
        .value("09:00:00+00:00")
        .operator("timeGreaterThanOrEquals")
        .build();

NestedConditionRuleAttribute endConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.current_time}}")
        .value("17:00:00+00:00")
        .operator("timeLessThanOrEquals")
        .build();

V2PolicyRuleRuleWithNestedConditions policyRule = new V2PolicyRuleRuleWithNestedConditions.Builder()
        .operator("and")
        .conditions(new ArrayList<NestedCondition>(Arrays.asList(weeklyConditionAttribute, startConditionAttribute, endConditionAttribute)))
        .build();

CreateV2PolicyOptions options = new CreateV2PolicyOptions.Builder()
        .type("access")
        .subject(policySubject)
        .control(control)
        .resource(policyResource)
        .rule(policyRule)
        .pattern("time-based-conditions:weekly:custom-hours")
        .build();

Response<V2Policy> response = service.createV2Policy(options).execute();
V2Policy policy = response.getResult();

exampleV2PolicyId = policy.getId();

System.out.println(policy);
Copy to clipboard

Example request

const policySubject = {
  attributes: [
    {
      key: 'iam_id',
      operator: 'stringEquals',
      value: exampleUserId,
    },
  ],
};
const policyResourceAccountAttribute = {
  key: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
const policyResourceServiceAttribute = {
  key: 'serviceType',
  operator: 'stringEquals',
  value: 'service',
};
const policyResource = {
  attributes: [policyResourceAccountAttribute, policyResourceServiceAttribute]
};
const policyControl = {
  grant: {
    roles: [{
      role_id: 'crn:v1:bluemix:public:iam::::role:Viewer',
    }],
  }
};
const policyRule = {
  operator: 'and',
  conditions: [
      {
          key: '{{environment.attributes.day_of_week}}',
          operator: 'dayOfWeekAnyOf',
          value: ['1+00:00', '2+00:00', '3+00:00', '4+00:00', '5+00:00'],
      },
      {
          key: '{{environment.attributes.current_time}}',
          operator: 'timeGreaterThanOrEquals',
          value: '09:00:00+00:00',
      },
      {
          key: '{{environment.attributes.current_time}}',
          operator: 'timeLessThanOrEquals',
          value: '17:00:00+00:00',
      },
  ],
}
const policyPattern = 'time-based-conditions:weekly:custom-hours'
const params = {
  type: 'access',
  subject: policySubject,
  control: policyControl,
  resource: policyResource,
  rule: policyRule,
  pattern: policyPattern,
};

try {
  const res = await iamPolicyManagementService.createV2Policy(params);
  examplePolicyId = res.result.id;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
Copy to clipboard

Example request

policy_subject = V2PolicySubject(
  attributes=[V2PolicySubjectAttribute(key='iam_id', value=example_user_id, operator='stringEquals')]
)
policy_role = PolicyRole(role_id='crn:v1:bluemix:public:iam::::role:Viewer')
account_id_resource_attribute = V2PolicyResourceAttribute(
  key='accountId', value=example_account_id, operator='stringEquals'
)
service_name_resource_attribute = V2PolicyResourceAttribute(
  key='serviceType', value='service', operator='stringEquals'
)
policy_resource_tag = V2PolicyResourceTag(key='project', value='prototype', operator='stringEquals')
policy_resource = V2PolicyResource(
  attributes=[account_id_resource_attribute, service_name_resource_attribute], tags=[policy_resource_tag]
)
policy_control = Control(grant=Grant(roles=[policy_role]))
policy_rule = V2PolicyRuleRuleWithNestedConditions(
  operator='and',
  conditions=[
    RuleAttribute(
      key='{{environment.attributes.day_of_week}}',
      operator='dayOfWeekAnyOf',
      value=['1+00:00', '2+00:00', '3+00:00', '4+00:00', '5+00:00'],
    ),
    RuleAttribute(
      key='{{environment.attributes.current_time}}',
      operator='timeGreaterThanOrEquals',
      value='09:00:00+00:00',
    ),
    RuleAttribute(
      key='{{environment.attributes.current_time}}',
      operator='timeLessThanOrEquals',
      value='17:00:00+00:00',
    ),
  ],
)
policy_pattern = 'time-based-conditions:weekly:custom-hours'

policy = iam_policy_management_service.create_v2_policy(
  type='access',
  subject=policy_subject,
  control=policy_control,
  resource=policy_resource,
  rule=policy_rule,
  pattern=policy_pattern,
).get_result()

global example_policy_id
example_policy_id = policy['id']

print(json.dumps(policy, indent=2))
Copy to clipboard

Response

Response Body

V2Policy

The core set of properties associated with the policy.

V2Policy

The core set of properties associated with the policy.

V2Policy

The core set of properties associated with the policy.

V2Policy

The core set of properties associated with the policy.

V2Policy

The core set of properties associated with the policy.

Status Code

201
Policy creation successful.
400
Policy input is invalid.
401
The token that you provided is not valid.
403
You do not have access to create the policy.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
409
A policy already exists for the given subject and resource. You can update that policy or delete it and create a new one.
415
The request body sent was formatted that uses an unsupported media type.
422
Exceeded maximum policies quota.
429
Too many requests are within a time window.

Example responses

Status 201

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00",
          "5+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
Copy to clipboard

Success example

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00",
          "5+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
Copy to clipboard

Status 400

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Invalid body format. Check the input parameters."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to create the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 409

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to create policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to create policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Status 415

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Status 422

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policies quota (4020) for account 100abcde100a41abc100aza678abc0zz."
    }
  ],
  "status_code": 422
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "request_not_processed",
      "message": "Exceeded maximum policies quota (4020) for account 100abcde100a41abc100aza678abc0zz."
    }
  ],
  "status_code": 422
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Beta

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy.

Access

To update an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.

Currently, we support two types of patterns:

time-based: Used to specify a time-based restriction

Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }

You can use the following operators in the key and value pair:

  'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals',
  'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals',
  'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals',
  'dayOfWeekEquals', 'dayOfWeekAnyOf'

The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.

attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.

Combine conditions to specify an attribute-based condition using AND/OR-based operators.

For example, a policy can grant access based on multiple conditions applied on the resource attributes below:

  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/*"
        }
      ]
  }

In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy, making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy.

Access

To update an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.

Currently, we support two types of patterns:

time-based: Used to specify a time-based restriction

Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals', 'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals', 'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals', 'dayOfWeekEquals', 'dayOfWeekAnyOf' ``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.

attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.

Combine conditions to specify an attribute-based condition using AND/OR-based operators.

For example, a policy can grant access based on multiple conditions applied on the resource attributes below:

  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }

In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy, making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy.

Access

To update an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.

Currently, we support two types of patterns:

time-based: Used to specify a time-based restriction

Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals', 'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals', 'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals', 'dayOfWeekEquals', 'dayOfWeekAnyOf' ``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.

attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.

Combine conditions to specify an attribute-based condition using AND/OR-based operators.

For example, a policy can grant access based on multiple conditions applied on the resource attributes below:

  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }

In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy, making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy.

Access

To update an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.

Currently, we support two types of patterns:

time-based: Used to specify a time-based restriction

Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals', 'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals', 'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals', 'dayOfWeekEquals', 'dayOfWeekAnyOf' ``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.

attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.

Combine conditions to specify an attribute-based condition using AND/OR-based operators.

For example, a policy can grant access based on multiple conditions applied on the resource attributes below:

  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/_*"
        }
      ]
  }

In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy, making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

Update a policy to grant access between a subject and a resource. A policy administrator might want to update an existing policy.

Access

To update an access policy, use "type": "access" in the body. The supported subject attributes are iam_id and access_group_id. Use the iam_id subject attribute to assign access to a user or service-id. Use the access_group_id subject attribute to assign access to an access group. Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. The policy resource must include either the serviceType, serviceName, resourceGroupId or service_group_id attribute and the accountId attribute. In the rule field, you can specify a single condition by using key, value, and condition operator, or a set of conditions with a combination operator. The possible combination operators are and and or.

Currently, we support two types of patterns:

time-based: Used to specify a time-based restriction

Combine conditions to specify a time-based restriction (e.g., access only during business hours, during the Monday-Friday work week). For example, a policy can grant access Monday-Friday, 9:00am-5:00pm using the following rule:

  "rule": {
    "operator": "and",
    "conditions": [{
      "key": "{{environment.attributes.day_of_week}}",
      "operator": "dayOfWeekAnyOf",
      "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeGreaterThanOrEquals",
      "value": "09:00:00+00:00"
    },
      "key": "{{environment.attributes.current_time}}",
      "operator": "timeLessThanOrEquals",
      "value": "17:00:00+00:00"
    }]
  }
``` You can use the following operators in the **`key`** and **`value`** pair:

'timeLessThan', 'timeLessThanOrEquals', 'timeGreaterThan', 'timeGreaterThanOrEquals', 'dateLessThan', 'dateLessThanOrEquals', 'dateGreaterThan', 'dateGreaterThanOrEquals', 'dateTimeLessThan', 'dateTimeLessThanOrEquals', 'dateTimeGreaterThan', 'dateTimeGreaterThanOrEquals', 'dayOfWeekEquals', 'dayOfWeekAnyOf' ``` The pattern field that matches the rule is required when rule is provided. For the business hour rule example above, the pattern is "time-based-conditions:weekly". For more information, see Time-based conditions operators and Limiting access with time-based conditions. If the subject is a locked service-id, the request will fail.

attribute-based: Used to specify a combination of OR/AND based conditions applied on resource attributes.

Combine conditions to specify an attribute-based condition using AND/OR-based operators.

For example, a policy can grant access based on multiple conditions applied on the resource attributes below:

  "pattern": "attribute-based-condition:resource:literal-and-wildcard"
  "rule": {
      "operator": "or",
      "conditions": [
        {
          "operator": "and",
          "conditions": [
            {
              "key": "{{resource.attributes.prefix}}",
              "operator": "stringEquals",
              "value": "home/test"
            },
            {
              "key": "{{environment.attributes.delimiter}}",
              "operator": "stringEquals",
              "value": "/"
            }
          ]
        },
        {
          "key": "{{resource.attributes.path}}",
          "operator": "stringMatch",
          "value": "home/David/*"
        }
      ]
  }

In addition to satisfying the resources section, the policy grants permission only if either the path begins with home/David/ OR the prefix is home/test and the delimiter is /. This mechanism helps you consolidate multiple policies in to a single policy, making policies easier to administer and stay within the policy limit for an account. View the list of operators that can be used in the condition here.

Authorization

To update an authorization policy, use "type": "authorization" in the body. The subject attributes must match the supported authorization subjects of the resource. Multiple subject attributes might be provided. The following attributes are supported: serviceName, serviceInstance, region, resourceType, resource, accountId, resourceGroupId Assign roles that are supported by the service or platform roles. For more information, see IAM roles and actions. The user must also have the same level of access or greater to the target resource in order to grant the role. Use only the resource attributes supported by the service. To view a service's or the platform's supported attributes, check the documentation. Both the policy subject and the policy resource must include the accountId attributes. The policy subject must include either serviceName or resourceGroupId (or both) attributes.

Attribute Operators

Currently, only the stringEquals, stringMatch, and stringEquals operators are available. For more information, see Assigning access by using wildcard policies.

Attribute Validations

Policy attribute values must be between 1 and 1,000 characters in length. If location related attributes like geography, country, metro, region, satellite, and locationvalues are supported by the service, they are validated against Global Catalog locations.

PUT /v2/policies/{id}

(iamPolicyManagement *IamPolicyManagementV1) ReplaceV2Policy(replaceV2PolicyOptions *ReplaceV2PolicyOptions) (result *V2Policy, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) ReplaceV2PolicyWithContext(ctx context.Context, replaceV2PolicyOptions *ReplaceV2PolicyOptions) (result *V2Policy, response *core.DetailedResponse, err error)

ServiceCall<V2Policy> replaceV2Policy(ReplaceV2PolicyOptions replaceV2PolicyOptions)
Copy to clipboard

replaceV2Policy(params)

replace_v2_policy(
        self,
        id: str,
        if_match: str,
        control: 'Control',
        type: str,
        *,
        description: Optional[str] = None,
        subject: Optional['V2PolicySubject'] = None,
        resource: Optional['V2PolicyResource'] = None,
        pattern: Optional[str] = None,
        rule: Optional['V2PolicyRule'] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.update

Auditing

Calling this method generates the following auditing event.

iam-am.policy.update

Request

Instantiate the ReplaceV2PolicyOptions struct and set the fields to provide parameter values for the ReplaceV2Policy method.

Use the ReplaceV2PolicyOptions.Builder to create a ReplaceV2PolicyOptions object that contains the parameter values for the replaceV2Policy method.

Custom Headers

If-Match
Required*
string
The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v2/policies/{id} API and looking at the ETag response header.

Possible values: length ≥ 1

Path Parameters

id
Required*
string
The policy ID.

Possible values: length ≥ 1

Request Body

Required*

CreateUpdateV2PolicyRequest

Updated policy content to be saved.

parameter

WithContext method only

ReplaceV2PolicyOptions

The ReplaceV2Policy options.

ReplaceV2PolicyOptions

The replaceV2Policy options.

parameters

id
Required*
string
The policy ID.

Possible values: length ≥ 1
ifMatch
Required*
string
The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v2/policies/{id} API and looking at the ETag response header.

Possible values: length ≥ 1
control
Specifies the type of access that is granted by the policy.
type
Required*
string
The policy type; either 'access' or 'authorization'.

Allowable values: [access,authorization]
description
string
Description of the policy.

Possible values: 1 ≤ length ≤ 300, Value must match regular expression /^.*$/
subject
The subject attributes for whom the policy grants access.
resource
The resource attributes to which the policy grants access.
pattern
string
Indicates pattern of rule, either 'time-based-conditions:once', 'time-based-conditions:weekly:all-day', or 'time-based-conditions:weekly:custom-hours'.

Possible values: 1 ≤ length ≤ 42, Value must match regular expression /^[a-z:-]*$/
rule
Rule that specifies additional access that is granted (For example, time-based condition).
Change Request Parameter List

parameters

id
Required*
str
The policy ID.

Possible values: length ≥ 1
if_match
Required*
str
The revision number for updating a policy and must match the ETag value of the existing policy. The Etag can be retrieved using the GET /v2/policies/{id} API and looking at the ETag response header.

Possible values: length ≥ 1
control
Specifies the type of access that is granted by the policy.
type
Required*
str
The policy type; either 'access' or 'authorization'.

Allowable values: [access,authorization]
description
str
Description of the policy.

Possible values: 1 ≤ length ≤ 300, Value must match regular expression /^.*$/
subject
The subject attributes for whom the policy grants access.
resource
The resource attributes to which the policy grants access.
pattern
str
Indicates pattern of rule, either 'time-based-conditions:once', 'time-based-conditions:weekly:all-day', or 'time-based-conditions:weekly:custom-hours'.

Possible values: 1 ≤ length ≤ 42, Value must match regular expression /^[a-z:-]*$/
rule
Rule that specifies additional access that is granted (For example, time-based condition).
Change Request Parameter List

Example request

curl -X PUT 'https://iam.cloud.ibm.com/v2/policies' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json' -H 'If-Match: $ETAG' -d '{
  "type": "access",
  "description": "Viewer role for for all instances of SERVICE_NAME in the account.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "$ACCOUNT_ID"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "$SERVICE_NAME"
      }
    ]
  },
  "rule": {
    "key": "{{environment.attributes.day_of_week}}",
    "operator": "dayOfWeekAnyOf",
    "value": ["1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00"]
  },
  "pattern": "time-based-conditions:weekly:all-day"
}'
Copy to clipboard

Example request

subjectAttribute := &iampolicymanagementv1.V2PolicySubjectAttribute{
  Key:      core.StringPtr("iam_id"),
  Operator: core.StringPtr("stringEquals"),
  Value:    &exampleUserID,
}
policySubject := &iampolicymanagementv1.V2PolicySubject{
  Attributes: []iampolicymanagementv1.V2PolicySubjectAttribute{*subjectAttribute},
}
updatedPolicyRole := &iampolicymanagementv1.Roles{
  RoleID: core.StringPtr("crn:v1:bluemix:public:iam::::role:Editor"),
}
v2PolicyGrant := &iampolicymanagementv1.Grant{
  Roles: []iampolicymanagementv1.Roles{*updatedPolicyRole},
}
v2PolicyControl := &iampolicymanagementv1.Control{
  Grant: v2PolicyGrant,
}
accountIDResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
  Key:      core.StringPtr("accountId"),
  Operator: core.StringPtr("stringEquals"),
  Value:    core.StringPtr(exampleAccountID),
}
serviceNameResourceAttribute := &iampolicymanagementv1.V2PolicyResourceAttribute{
  Key:      core.StringPtr("serviceType"),
  Operator: core.StringPtr("stringEquals"),
  Value:    core.StringPtr("service"),
}
policyResource := &iampolicymanagementv1.V2PolicyResource{
  Attributes: []iampolicymanagementv1.V2PolicyResourceAttribute{
    *accountIDResourceAttribute, *serviceNameResourceAttribute},
}

options := iamPolicyManagementService.NewReplaceV2PolicyOptions(
  examplePolicyID,
  examplePolicyETag,
  v2PolicyControl,
  "access",
)
weeklyConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.day_of_week}}"),
  Operator: core.StringPtr("dayOfWeekAnyOf"),
  Value:    []string{"1+00:00", "2+00:00", "3+00:00", "4+00:00"},
}
startConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.current_time}}"),
  Operator: core.StringPtr("timeGreaterThanOrEquals"),
  Value:    core.StringPtr("09:00:00+00:00"),
}
endConditionAttribute := &iampolicymanagementv1.NestedCondition{
  Key:      core.StringPtr("{{environment.attributes.current_time}}"),
  Operator: core.StringPtr("timeLessThanOrEquals"),
  Value:    core.StringPtr("17:00:00+00:00"),
}
policyRule := &iampolicymanagementv1.V2PolicyRule{
  Operator: core.StringPtr("and"),
  Conditions: []iampolicymanagementv1.NestedConditionIntf{
    weeklyConditionAttribute, startConditionAttribute, endConditionAttribute},
}
options.SetRule(policyRule)
options.SetPattern(*core.StringPtr("time-based-conditions:weekly:custom-hours"))
options.SetSubject(policySubject)
options.SetResource(policyResource)

policy, response, err := iamPolicyManagementService.ReplaceV2Policy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
fmt.Println(string(b))
Copy to clipboard

Example request

V2PolicySubjectAttribute subjectAttribute = new V2PolicySubjectAttribute.Builder()
        .key("iam_id")
        .value(EXAMPLE_USER_ID)
        .operator("stringEquals")
        .build();

V2PolicySubject policySubject = new V2PolicySubject.Builder()
        .addAttributes(subjectAttribute)
        .build();

V2PolicyResourceAttribute accountIdResourceAttribute = new V2PolicyResourceAttribute.Builder()
        .key("accountId")
        .value(exampleAccountId)
        .operator("stringEquals")
        .build();

V2PolicyResourceAttribute serviceNameResourceAttribute = new V2PolicyResourceAttribute.Builder()
        .key("serviceType")
        .value("service")
        .operator("stringEquals")
        .build();

V2PolicyResourceTag policyResourceTag = new V2PolicyResourceTag.Builder()
        .key("project")
        .value("prototype")
        .operator("stringEquals")
        .build();

V2PolicyResource policyResource = new V2PolicyResource.Builder()
        .addAttributes(accountIdResourceAttribute)
        .addAttributes(serviceNameResourceAttribute)
        .addTags(policyResourceTag)
        .build();

Roles updatedPolicyRole = new Roles.Builder()
        .roleId("crn:v1:bluemix:public:iam::::role:Editor")
        .build();
Grant policyGrant = new Grant.Builder()
        .roles(Arrays.asList(updatedPolicyRole))
        .build();

Control policyControl = new Control.Builder()
        .grant(policyGrant)
        .build();

NestedConditionRuleAttribute weeklyConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.day_of_week}}")
        .value(new ArrayList<String>(Arrays.asList("1+00:00", "2+00:00", "3+00:00", "4+00:00", "5+00:00")))
        .operator("dayOfWeekAnyOf")
        .build();

NestedConditionRuleAttribute startConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.current_time}}")
        .value("09:00:00+00:00")
        .operator("timeGreaterThanOrEquals")
        .build();

NestedConditionRuleAttribute endConditionAttribute = new NestedConditionRuleAttribute.Builder()
        .key("{{environment.attributes.current_time}}")
        .value("17:00:00+00:00")
        .operator("timeLessThanOrEquals")
        .build();

V2PolicyRuleRuleWithNestedConditions policyRule = new V2PolicyRuleRuleWithNestedConditions.Builder()
        .operator("and")
        .conditions(new ArrayList<NestedCondition>(Arrays.asList(weeklyConditionAttribute, startConditionAttribute, endConditionAttribute)))
        .build();

ReplaceV2PolicyOptions options = new ReplaceV2PolicyOptions.Builder()
        .type("access")
        .id(exampleV2PolicyId)
        .ifMatch(exampleV2PolicyEtag)
        .subject(policySubject)
        .control(policyControl)
        .resource(policyResource)
        .rule(policyRule)
        .pattern("time-based-conditions:weekly:custom-hours")
        .build();

Response<V2Policy> response = service.replaceV2Policy(options).execute();
V2Policy policy = response.getResult();

exampleV2PolicyEtag = response.getHeaders().values("Etag").get(0);

System.out.println(policy);
Copy to clipboard

Example request

const policySubject = {
  attributes: [
    {
      key: 'iam_id',
      operator: 'stringEquals',
      value: exampleUserId,
    },
  ],
};
const policyResourceAccountAttribute = {
  key: 'accountId',
  value: exampleAccountId,
  operator: 'stringEquals',
};
const policyResourceServiceAttribute = {
  key: 'serviceType',
  operator: 'stringEquals',
  value: 'service',
};
const policyResource = {
  attributes: [policyResourceAccountAttribute, policyResourceServiceAttribute]
};
const updatedPolicyControl = {
  grant: {
    roles: [{
      role_id: 'crn:v1:bluemix:public:iam::::role:Editor',
    }],
  }
};
const policyRule = {
  operator: 'and',
  conditions: [
      {
          key: '{{environment.attributes.day_of_week}}',
          operator: 'dayOfWeekAnyOf',
          value: ['1+00:00', '2+00:00', '3+00:00', '4+00:00', '5+00:00'],
      },
      {
          key: '{{environment.attributes.current_time}}',
          operator: 'timeGreaterThanOrEquals',
          value: '09:00:00+00:00',
      },
      {
          key: '{{environment.attributes.current_time}}',
          operator: 'timeLessThanOrEquals',
          value: '17:00:00+00:00',
      },
  ],
}
const policyPattern = 'time-based-conditions:weekly:custom-hours'
const params = {
  type: 'access',
  id: examplePolicyId,
  ifMatch: examplePolicyETag,
  subject: policySubject,
  control: updatedPolicyControl,
  resource: policyResource,
  rule: policyRule,
  pattern: policyPattern,
};

try {
  const res = await iamPolicyManagementService.replaceV2Policy(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
Copy to clipboard

Example request

policy_subject = V2PolicySubject(
  attributes=[V2PolicySubjectAttribute(key='iam_id', value=example_user_id, operator='stringEquals')]
)
updated_policy_role = PolicyRole(role_id='crn:v1:bluemix:public:iam::::role:Editor')
account_id_resource_attribute = V2PolicyResourceAttribute(
  key='accountId', value=example_account_id, operator='stringEquals'
)
service_name_resource_attribute = V2PolicyResourceAttribute(
  key='serviceType', value='service', operator='stringEquals'
)
policy_resource_tag = V2PolicyResourceTag(key='project', value='prototype', operator='stringEquals')
policy_resource = PolicyResource(
  attributes=[account_id_resource_attribute, service_name_resource_attribute], tags=[policy_resource_tag]
)
policy_control = Control(grant=Grant(roles=[updated_policy_role]))
policy_rule = V2PolicyRuleRuleWithNestedConditions(
  operator='and',
  conditions=[
    RuleAttribute(
      key='{{environment.attributes.day_of_week}}',
      operator='dayOfWeekAnyOf',
      value=['1+00:00', '2+00:00', '3+00:00', '4+00:00', '5+00:00'],
    ),
    RuleAttribute(
      key='{{environment.attributes.current_time}}',
      operator='timeGreaterThanOrEquals',
      value='09:00:00+00:00',
    ),
    RuleAttribute(
      key='{{environment.attributes.current_time}}',
      operator='timeLessThanOrEquals',
      value='17:00:00+00:00',
    ),
  ],
)
policy_pattern = 'time-based-conditions:weekly:custom-hours'

response = iam_policy_management_service.replace_v2_policy(
  type='access',
  id=example_policy_id,
  if_match=example_policy_etag,
  subject=policy_subject,
  control=policy_control,
  resource=policy_resource,
  rule=policy_rule,
  pattern=policy_pattern,
)
policy = response.get_result()

print(json.dumps(policy, indent=2))
Copy to clipboard

Response

Response Body

V2Policy

The core set of properties associated with the policy.

V2Policy

The core set of properties associated with the policy.

V2Policy

The core set of properties associated with the policy.

V2Policy

The core set of properties associated with the policy.

V2Policy

The core set of properties associated with the policy.

Status Code

200
Policy update successful.
400
Policy input is invalid.
401
The token that you provided is not valid.
403
You do not have access to update the policy.
404
The policy was not found.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
409
A policy already exists for the given subject and resource. You can update that policy or delete it and create a new one.
415
The request body sent was formatted that uses an unsupported media type.
429
Too many requests are within a time window.

Example responses

Status 200

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours, except Friday.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
Copy to clipboard

Success example

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours, except Friday.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
Copy to clipboard

Status 400

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy and delete the existing one."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "A policy's type cannot be updated. Create a new policy and delete the existing one."
    }
  ],
  "status_code": 400
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to update the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 404

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 409

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to update policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_conflict_error",
      "message": "Failed to update policy.",
      "details": {
        "conflicts_with": {
          "etag": "1-847833cec3bf3f3c3231d8f9492febac",
          "policy": "POLICY"
        }
      },
      "status_code": 409
    }
  ]
}
Copy to clipboard

Status 415

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unsupported_content_type",
      "message": "The supported media type for this API is 'application/json'."
    }
  ],
  "status_code": 415
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Beta

Retrieve a policy by providing a policy ID.

GET /v2/policies/{id}

(iamPolicyManagement *IamPolicyManagementV1) GetV2Policy(getV2PolicyOptions *GetV2PolicyOptions) (result *V2PolicyTemplateMetaData, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) GetV2PolicyWithContext(ctx context.Context, getV2PolicyOptions *GetV2PolicyOptions) (result *V2PolicyTemplateMetaData, response *core.DetailedResponse, err error)

ServiceCall<V2PolicyTemplateMetaData> getV2Policy(GetV2PolicyOptions getV2PolicyOptions)
Copy to clipboard

getV2Policy(params)

get_v2_policy(
        self,
        id: str,
        *,
        format: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.read

Auditing

Calling this method generates the following auditing event.

iam-am.policy.read

Request

Instantiate the GetV2PolicyOptions struct and set the fields to provide parameter values for the GetV2Policy method.

Use the GetV2PolicyOptions.Builder to create a GetV2PolicyOptions object that contains the parameter values for the getV2Policy method.

Path Parameters

id
Required*
string
The policy ID.

Possible values: length ≥ 1

Query Parameters

format
string
Include additional data for policy returned
- include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
- display - returns the list of all actions included in each of the policy roles and translations for all relevant fields
Allowable values: [include_last_permit,display]

parameter

WithContext method only

GetV2PolicyOptions

The GetV2Policy options.

GetV2PolicyOptions

The getV2Policy options.

parameters

id
Required*
string
The policy ID.

Possible values: length ≥ 1
format
string
Include additional data for policy returned
- include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
- display - returns the list of all actions included in each of the policy roles and translations for all relevant fields.
Allowable values: [include_last_permit,display]

parameters

id
Required*
str
The policy ID.

Possible values: length ≥ 1
format
str
Include additional data for policy returned
- include_last_permit - returns details of when the policy last granted a permit decision and the number of times it has done so
- display - returns the list of all actions included in each of the policy roles and translations for all relevant fields.
Allowable values: [include_last_permit,display]

Example request

curl -X GET 'https://iam.cloud.ibm.com/v2/policies/$POLICY_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
Copy to clipboard

Example request

options := iamPolicyManagementService.NewGetV2PolicyOptions(
  examplePolicyID,
)

policy, response, err := iamPolicyManagementService.GetV2Policy(options)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policy, "", "  ")
examplePolicyETag = response.GetHeaders().Get("ETag")
fmt.Println(string(b))
Copy to clipboard

Example request

GetV2PolicyOptions options = new GetV2PolicyOptions.Builder()
        .id(exampleV2PolicyId)
        .build();

Response<V2PolicyTemplateMetaData> response = service.getV2Policy(options).execute();
V2PolicyTemplateMetaData policy = response.getResult();

exampleV2PolicyEtag = response.getHeaders().values("Etag").get(0);

System.out.println(policy);


GetV2PolicyOptions options = new GetV2PolicyOptions.Builder()
        .id(exampleAssignmentPolicyId)
        .build();

Response<V2PolicyTemplateMetaData> response = service.getV2Policy(options).execute();
V2PolicyTemplateMetaData policy = response.getResult();

System.out.println(policy.getTemplate());
Copy to clipboard

Example request

const params = {
  id: examplePolicyId,
};

try {
  const res = await iamPolicyManagementService.getV2Policy(params);
  examplePolicyETag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}


const params = {
  id: exampleAssignmentPolicyId,
};

try {
  const res = await iamPolicyManagementService.getV2Policy(params);
  examplePolicyETag = res.headers.etag;
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err)
}
Copy to clipboard

Example request

response = iam_policy_management_service.get_v2_policy(id=example_policy_id)
policy = response.get_result()

global example_policy_etag
example_policy_etag = response.get_headers().get("Etag")

print(json.dumps(policy, indent=2))
Copy to clipboard

Response

Response Body

V2PolicyTemplateMetaData

The core set of properties associated with the policy.

V2PolicyTemplateMetaData

The core set of properties associated with the policy.

V2PolicyTemplateMetaData

The core set of properties associated with the policy.

V2PolicyTemplateMetaData

The core set of properties associated with the policy.

V2PolicyTemplateMetaData

The core set of properties associated with the policy.

Status Code

200
Policy retrieval successful.
401
The token that you provided is not valid.
403
You do not have access to retrieve the policy.
404
The policy was not found.
406
The requested resource(s) cannot be formatted that uses the requested media type(s).
429
Too many requests are within a time window.

Example responses

Status 200

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00",
          "5+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
Copy to clipboard

Success example

{
  "id": "12345678-abcd-1a2b-a1b2-1234567890ab",
  "type": "access",
  "description": "Viewer role access for all instances of key protect in the account during business hours.",
  "subject": {
    "attributes": [
      {
        "key": "iam_id",
        "operator": "stringEquals",
        "value": "IBMid-123453user"
      }
    ]
  },
  "control": {
    "grant": {
      "roles": [
        {
          "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
        }
      ]
    }
  },
  "resource": {
    "attributes": [
      {
        "key": "accountId",
        "operator": "stringEquals",
        "value": "100abcde100a41abc100aza678abc0zz"
      },
      {
        "key": "serviceName",
        "operator": "stringEquals",
        "value": "kms"
      }
    ]
  },
  "rule": {
    "operator": "and",
    "conditions": [
      {
        "key": "{{environment.attributes.day_of_week}}",
        "operator": "dayOfWeekAnyOf",
        "value": [
          "1+00:00",
          "2+00:00",
          "3+00:00",
          "4+00:00",
          "5+00:00"
        ]
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeGreaterThanOrEquals",
        "value": "09:00:00+00:00"
      },
      {
        "key": "{{environment.attributes.current_time}}",
        "operator": "timeLessThanOrEquals",
        "value": "17:00:00+00:00"
      }
    ]
  },
  "pattern": "time-based-conditions:weekly:custom-hours",
  "href": "https://iam.cloud.ibm.com/v2/policies/12345678-abcd-1a2b-a1b2-1234567890ab",
  "created_at": "2018-08-30T14:09:09.907Z",
  "created_by_id": "IBMid-12345678",
  "last_modified_at": "2018-08-30T14:09:09.907Z",
  "last_modified_by_id": "IBMid-12345678",
  "state": "active"
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to retrieve the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 404

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Status 406

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "unable_to_process",
      "message": "The requested resource(s) can be formatted that only uses the 'application/json' media type."
    }
  ],
  "status_code": 406
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Beta

Delete a policy by providing a policy ID. A policy cannot be deleted if the subject ID contains a locked service ID. If the subject of the policy is a locked service-id, the request will fail.

DELETE /v2/policies/{id}

(iamPolicyManagement *IamPolicyManagementV1) DeleteV2Policy(deleteV2PolicyOptions *DeleteV2PolicyOptions) (response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) DeleteV2PolicyWithContext(ctx context.Context, deleteV2PolicyOptions *DeleteV2PolicyOptions) (response *core.DetailedResponse, err error)

ServiceCall<Void> deleteV2Policy(DeleteV2PolicyOptions deleteV2PolicyOptions)
Copy to clipboard

deleteV2Policy(params)

delete_v2_policy(
        self,
        id: str,
        **kwargs,
    ) -> DetailedResponse

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam.policy.delete

Auditing

Calling this method generates the following auditing event.

iam-am.policy.delete

Request

Instantiate the DeleteV2PolicyOptions struct and set the fields to provide parameter values for the DeleteV2Policy method.

Use the DeleteV2PolicyOptions.Builder to create a DeleteV2PolicyOptions object that contains the parameter values for the deleteV2Policy method.

Path Parameters

id
Required*
string
The policy ID.

Possible values: length ≥ 1

parameter

WithContext method only

DeleteV2PolicyOptions

The DeleteV2Policy options.

DeleteV2PolicyOptions

The deleteV2Policy options.

parameters

id
Required*
string
The policy ID.

Possible values: length ≥ 1

parameters

id
Required*
str
The policy ID.

Possible values: length ≥ 1

Example request

curl -X DELETE 'https://iam.cloud.ibm.com/v2/policies/$POLICY_ID' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
Copy to clipboard

Example request

options := iamPolicyManagementService.NewDeleteV2PolicyOptions(
  examplePolicyID,
)

response, err := iamPolicyManagementService.DeleteV2Policy(options)
if err != nil {
  panic(err)
}
Copy to clipboard

Example request

const params = {
  id: examplePolicyId,
};

try {
  await iamPolicyManagementService.deleteV2Policy(params);
} catch (err) {
  console.warn(err);
}
Copy to clipboard

Example request

response = iam_policy_management_service.delete_v2_policy(id=example_policy_id).get_result()

print(json.dumps(response, indent=2))
Copy to clipboard

Response

Status Code

204
Policy deletion successful.
400
Policy was not valid to delete.
401
The token that you provided is not valid.
403
You do not have access to delete the policy.
404
The policy was not found.
429
Too many requests are within a time window.

Example responses

Status 400

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a locked service id, cannot perform action"
    }
  ],
  "status_code": 400
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_body",
      "message": "Request includes a locked service id, cannot perform action"
    }
  ],
  "status_code": 400
}
Copy to clipboard

Status 401

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "invalid_token",
      "message": "The provided IAM token is invalid."
    }
  ],
  "status_code": 401
}
Copy to clipboard

Status 403

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "insufficent_permissions",
      "message": "You are not allowed to delete the requested policy."
    }
  ],
  "status_code": 403
}
Copy to clipboard

Status 404

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "policy_not_found",
      "message": "Policy with Id POLICY_ID not found."
    }
  ],
  "status_code": 404
}
Copy to clipboard

Status 429

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

Error example

{
  "trace": "26f0b2491ed6425c9e7b0c08a3a645f7",
  "errors": [
    {
      "code": "too_many_requests",
      "message": "Too many requests."
    }
  ],
  "status_code": 429
}
Copy to clipboard

List policy templates and filter by attributes by using query parameters. The following attributes are supported: account_id, policy_service_name, policy_service_type, policy_service_group_id and policy_type. account_id is a required query parameter. These attributes policy_service_name, policy_service_type and policy_service_group_id are mutually exclusive. Only policy templates that have the specified attributes and that the caller has read access to are returned. If the caller does not have read access to any policy templates an empty array is returned.

GET /v1/policy_templates

(iamPolicyManagement *IamPolicyManagementV1) ListPolicyTemplates(listPolicyTemplatesOptions *ListPolicyTemplatesOptions) (result *PolicyTemplateCollection, response *core.DetailedResponse, err error)

(iamPolicyManagement *IamPolicyManagementV1) ListPolicyTemplatesWithContext(ctx context.Context, listPolicyTemplatesOptions *ListPolicyTemplatesOptions) (result *PolicyTemplateCollection, response *core.DetailedResponse, err error)

ServiceCall<PolicyTemplateCollection> listPolicyTemplates(ListPolicyTemplatesOptions listPolicyTemplatesOptions)
Copy to clipboard

listPolicyTemplates(params)

list_policy_templates(
        self,
        account_id: str,
        *,
        accept_language: Optional[str] = None,
        state: Optional[str] = None,
        name: Optional[str] = None,
        policy_service_type: Optional[str] = None,
        policy_service_name: Optional[str] = None,
        policy_service_group_id: Optional[str] = None,
        policy_type: Optional[str] = None,
        limit: Optional[int] = None,
        start: Optional[str] = None,
        **kwargs,
    ) -> DetailedResponse
Copy to clipboard

Authorization

To call this method, you must be assigned one or more IAM access roles that include the following action. You can check your access by going to Users > User > Access.

iam-access-management.policy-template.read

Auditing

Calling this method generates the following auditing event.

iam-am.policyTemplate.read

Request

Instantiate the ListPolicyTemplatesOptions struct and set the fields to provide parameter values for the ListPolicyTemplates method.

Use the ListPolicyTemplatesOptions.Builder to create a ListPolicyTemplatesOptions object that contains the parameter values for the listPolicyTemplates method.

Custom Headers

Accept-Language
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan)
Possible values: length ≥ 1
Default: default

Query Parameters

account_id
Required*
string
The account GUID that the policy templates belong to.

Possible values: 1 ≤ length ≤ 32, Value must match regular expression ^[A-Za-z0-9-]*$
state
string
The policy template state.

Allowable values: [active,deleted]
name
string
The policy template name.

Possible values: 1 ≤ length ≤ 100
policy_service_type
string
Service type, Optional.

Allowable values: [service,platform_service]
policy_service_name
string
Service name, Optional.

Possible values: length ≥ 1
policy_service_group_id
string
Service group id, Optional.

Possible values: length ≥ 1
policy_type
string
Policy type, Optional.

Allowable values: [access,authorization]
limit
integer
The number of documents to include in the collection.

Possible values: 1 ≤ value ≤ 100
Default: 50
start
string
Page token that refers to the page of the collection to return.

Possible values: 9 ≤ length ≤ 100, Value must match regular expression ^[-A-Za-z0-9+/]*$

parameter

WithContext method only

ListPolicyTemplatesOptions

The ListPolicyTemplates options.

ListPolicyTemplatesOptions

The listPolicyTemplates options.

parameters

accountId
Required*
string
The account GUID that the policy templates belong to.

Possible values: 1 ≤ length ≤ 32, Value must match regular expression /^[A-Za-z0-9-]*$/
acceptLanguage
string
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default
state
string
The policy template state.

Allowable values: [active,deleted]
name
string
The policy template name.

Possible values: 1 ≤ length ≤ 100
policyServiceType
string
Service type, Optional.

Allowable values: [service,platform_service]
policyServiceName
string
Service name, Optional.

Possible values: length ≥ 1
policyServiceGroupId
string
Service group id, Optional.

Possible values: length ≥ 1
policyType
string
Policy type, Optional.

Allowable values: [access,authorization]
limit
number
The number of documents to include in the collection.

Possible values: 1 ≤ value ≤ 100
Default: 50
start
string
Page token that refers to the page of the collection to return.

Possible values: 9 ≤ length ≤ 100, Value must match regular expression /^[-A-Za-z0-9+\/]*$/

parameters

account_id
Required*
str
The account GUID that the policy templates belong to.

Possible values: 1 ≤ length ≤ 32, Value must match regular expression /^[A-Za-z0-9-]*$/
accept_language
str
Language code for translations
- default - English
- de - German (Standard)
- en - English
- es - Spanish (Spain)
- fr - French (Standard)
- it - Italian (Standard)
- ja - Japanese
- ko - Korean
- pt-br - Portuguese (Brazil)
- zh-cn - Chinese (Simplified, PRC)
- zh-tw - (Chinese, Taiwan).
Possible values: length ≥ 1
Default: default
state
str
The policy template state.

Allowable values: [active,deleted]
name
str
The policy template name.

Possible values: 1 ≤ length ≤ 100
policy_service_type
str
Service type, Optional.

Allowable values: [service,platform_service]
policy_service_name
str
Service name, Optional.

Possible values: length ≥ 1
policy_service_group_id
str
Service group id, Optional.

Possible values: length ≥ 1
policy_type
str
Policy type, Optional.

Allowable values: [access,authorization]
limit
int
The number of documents to include in the collection.

Possible values: 1 ≤ value ≤ 100
Default: 50
start
str
Page token that refers to the page of the collection to return.

Possible values: 9 ≤ length ≤ 100, Value must match regular expression /^[-A-Za-z0-9+\/]*$/

Example request

curl -X GET 'https://iam.cloud.ibm.com/v1/policy_templates?account_id=$ACCOUNT_ID&state=active' -H 'Authorization: Bearer $TOKEN' -H 'Content-Type: application/json'
Copy to clipboard

Example request

listPolicyTemplatesOptions := iamPolicyManagementService.NewListPolicyTemplatesOptions(
  exampleAccountID,
)

policyTemplateCollection, response, err := iamPolicyManagementService.ListPolicyTemplates(listPolicyTemplatesOptions)
if err != nil {
  panic(err)
}
b, _ := json.MarshalIndent(policyTemplateCollection, "", "  ")
fmt.Println(string(b))
Copy to clipboard

Example request

ListPolicyTemplatesOptions listPolicyTemplatesOptions = new ListPolicyTemplatesOptions.Builder()
  .accountId(exampleAccountId)
  .build();

Response<PolicyTemplateCollection> response = service.listPolicyTemplates(listPolicyTemplatesOptions).execute();
PolicyTemplateCollection policyTemplateCollection = response.getResult();

System.out.println(policyTemplateCollection);

Example request

const params = {
  accountId: exampleAccountId,
};

let res;
try {
  res = await iamPolicyManagementService.listPolicyTemplates(params);
  console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
  console.warn(err);
}
Copy to clipboard

Example request

response = iam_policy_management_service.list_policy_templates(
  account_id=example_account_id,
)
policy_template_collection = response.get_result()

print(json.dumps(policy_template_collection, indent=2))

Response

Response Body

PolicyTemplateCollection

A collection of policy Templates.

PolicyTemplateCollection

A collection of policy Templates.

PolicyTemplateCollection

A collection of policy Templates.

Introduction

Endpoint URLs

Authentication

Auditing

Error handling

Additional headers

Transaction-Id

Sorting

Policy data enrichment

Rate limiting

Related APIs

Methods

Get policies by attributes

Authorization

Auditing

Request

Custom Headers

Accept-Language

Query Parameters

account_id

iam_id

access_group_id

type

service_type

tag_name

tag_value

sort

format

state

limit

start

parameter

ctx

ListPoliciesOptions

AccountID

AcceptLanguage

IamID

AccessGroupID

Type

ServiceType

TagName

TagValue

Sort

Format

State

Limit

Start

ListPoliciesOptions

accountId

acceptLanguage

iamId

accessGroupId

type

serviceType

tagName

tagValue

sort

format

state

limit

start

parameters

accountId

acceptLanguage

iamId

accessGroupId

type

serviceType

tagName

tagValue

sort

format

state

limit

start

parameters

account_id

accept_language

iam_id

access_group_id