IAM Policy Documents Reference
This reference provides detailed information about IAM policy document structure, syntax, and components in Vidos.
Policy Document Structure
Section titled “Policy Document Structure”Every IAM policy document must contain the following elements:
{ "version": "1.0", "permissions": [ // One or more permission statements ]}Version
Section titled “Version”| Field | Type | Required | Description |
|---|---|---|---|
| version | string | Yes | Policy language version - currently only “1.0” is supported |
Permissions
Section titled “Permissions”| Field | Type | Required | Description |
|---|---|---|---|
| permissions | array | Yes | Array of permission statements |
Each policy document must contain at least one permission statement.
Permission Statement Structure
Section titled “Permission Statement Structure”Each permission statement in a policy document consists of four required components:
{ "effect": "allow", "scope": "management", "actions": ["create", "read"], "resources": [ { "region": "eu", "service": "resolver", "resourceType": "instance", "resourceId": "resolver-prod" } ]}Effect
Section titled “Effect”| Values | Description |
|---|---|
| allow | Explicitly grants access to the specified resources and actions |
| deny | Explicitly blocks access to the specified resources and actions |
| Values | Description |
|---|---|
| management | Applies to administrative operations that create, configure, or manage services |
| service | Applies to functional operations that use service capabilities |
Actions
Section titled “Actions”For management scope, actions include:
| Action | Description |
|---|---|
| create | Create new resources |
| read | Read or view existing resources |
| update | Modify existing resources |
| delete | Remove resources |
| list | Enumerate resources |
| add | Add components to resources |
| remove | Remove components from resources |
| read-status | Check resource status |
| update-status | Modify resource status |
| * | All actions |
For service scope, actions include:
| Action | Description |
|---|---|
| authorize | Perform authorization operations |
| resolve | Perform resolution operations |
| validate | Perform validation operations |
| verify | Perform verification operations |
| list-methods | List available methods |
| * | All actions |
Resources
Section titled “Resources”Resources define the specific Vidos resources that the permission applies to. Each resource is defined as an object with these properties:
| Field | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | Geographic region where the resource is located |
| service | string | Yes | Vidos service the resource belongs to |
| resourceType | string | Yes | Type of resource being referenced |
| resourceId | string | Yes | Unique identifier for the resource |
Regions
Section titled “Regions”| Value | Description |
|---|---|
| global | Global region for resources not tied to specific regions |
| eu | European region |
| * | All regions |
Services
Section titled “Services”| Value | Description |
|---|---|
| authorizer | Authorizer service |
| gateway | Gateway service |
| library | Library service |
| logs | Logs service |
| resolver | Resolver service |
| trail | Trail service |
| validator | Validator service |
| verifier | Verifier service |
| accounts | Accounts service |
| iam | IAM service |
| * | All services |
Resource Types
Section titled “Resource Types”Global service resource types:
| Value | Description |
|---|---|
| user | User resource |
| policy | Policy resource |
| api-key | API key resource |
| serviceRole | Service role resource |
| * | All resource types |
Regional service resource types:
| Value | Description |
|---|---|
| instance | Service instance |
| configuration | Service configuration |
| method | Service method |
| credentialDefinition | Credential definition |
| * | All resource types |
Resource ID
Section titled “Resource ID”The resource ID can be a specific identifier or a wildcard:
| Value | Description |
|---|---|
| * | Matches all resource IDs |
| [id] | Specific resource identifier |
Complete Example
Section titled “Complete Example”Here’s a comprehensive example of an IAM policy document that demonstrates multiple permission statements with different scopes, effects, and access patterns:
{ "version": "1.0", "permissions": [ { "effect": "allow", "scope": "management", "actions": ["create", "read", "update"], "resources": [ { "region": "eu", "service": "resolver", "resourceType": "instance", "resourceId": "*" } ] }, { "effect": "allow", "scope": "service", "actions": ["resolve"], "resources": [ { "region": "eu", "service": "resolver", "resourceType": "instance", "resourceId": "resolver-prod" } ] }, { "effect": "deny", "scope": "management", "actions": ["delete"], "resources": [ { "region": "eu", "service": "resolver", "resourceType": "instance", "resourceId": "resolver-prod" } ] } ]}This policy document:
- Allows management operations (create, read, update) for any resolver instances in the EU region
- Allows use of the
resolveaction, but only for the specificresolver-prodinstance - Explicitly denies deletion of the
resolver-prodinstance, adding an additional safeguard
Policy Evaluation Rules
Section titled “Policy Evaluation Rules”- An explicit deny in any policy overrides any allows
- If there is no explicit allow, access is denied by default
- Permissions are evaluated within their defined scope context
- More specific resource definitions take precedence over less specific ones