IAM Policy Documents Reference

This reference provides detailed information about IAM policy document structure, syntax, and components in Vidos.

Policy Document Structure

Every IAM policy document must contain the following elements:

{
    "version": "1.0",
    "permissions": [
        // One or more permission statements
    ]
}

Version

Field	Type	Required	Description
version	string	Yes	Policy language version - currently only "1.0" is supported

Permissions

Field	Type	Required	Description
permissions	array	Yes	Array of permission statements

Each policy document must contain at least one permission statement.

Permission Statement Structure

Each permission statement in a policy document consists of four required components:

{
    "effect": "allow",
    "scope": "management",
    "actions": ["create", "read"],
    "resources": [
        {
            "region": "eu",
            "service": "resolver",
            "resourceType": "instance",
            "resourceId": "resolver-prod"
        }
    ]
}

Effect

Values	Description
allow	Explicitly grants access to the specified resources and actions
deny	Explicitly blocks access to the specified resources and actions

Scope

Values	Description
management	Applies to administrative operations that create, configure, or manage services
service	Applies to functional operations that use service capabilities

Actions

For management scope, actions include:

Action	Description
create	Create new resources
read	Read or view existing resources
update	Modify existing resources
delete	Remove resources
list	Enumerate resources
add	Add components to resources
remove	Remove components from resources
read-status	Check resource status
update-status	Modify resource status
*	All actions

For service scope, actions include:

Action	Description
authorize	Perform authorization operations
resolve	Perform resolution operations
validate	Perform validation operations
verify	Perform verification operations
list-methods	List available methods
*	All actions

Resources

Resources define the specific Vidos resources that the permission applies to. Each resource is defined as an object with these properties:

Field	Type	Required	Description
region	string	Yes	Geographic region where the resource is located
service	string	Yes	Vidos service the resource belongs to
resourceType	string	Yes	Type of resource being referenced
resourceId	string	Yes	Unique identifier for the resource

Regions

Value	Description
global	Global region for resources not tied to specific regions
eu	European region
*	All regions

Services

Value	Description
authorizer	Authorizer service
gateway	Gateway service
library	Library service
logs	Logs service
resolver	Resolver service
trail	Trail service
validator	Validator service
verifier	Verifier service
accounts	Accounts service
iam	IAM service
*	All services

Resource Types

Global service resource types:

Value	Description
user	User resource
policy	Policy resource
api-key	API key resource
serviceRole	Service role resource
*	All resource types

Regional service resource types:

Value	Description
instance	Service instance
configuration	Service configuration
method	Service method
credentialDefinition	Credential definition
*	All resource types

Resource ID

The resource ID can be a specific identifier or a wildcard:

Value	Description
*	Matches all resource IDs
[id]	Specific resource identifier

Complete Example

Here's a comprehensive example of an IAM policy document that demonstrates multiple permission statements with different scopes, effects, and access patterns:

{
    "version": "1.0",
    "permissions": [
        {
            "effect": "allow",
            "scope": "management",
            "actions": ["create", "read", "update"],
            "resources": [
                {
                    "region": "eu",
                    "service": "resolver",
                    "resourceType": "instance",
                    "resourceId": "*"
                }
            ]
        },
        {
            "effect": "allow",
            "scope": "service",
            "actions": ["resolve"],
            "resources": [
                {
                    "region": "eu",
                    "service": "resolver",
                    "resourceType": "instance",
                    "resourceId": "resolver-prod"
                }
            ]
        },
        {
            "effect": "deny",
            "scope": "management",
            "actions": ["delete"],
            "resources": [
                {
                    "region": "eu",
                    "service": "resolver",
                    "resourceType": "instance",
                    "resourceId": "resolver-prod"
                }
            ]
        }
    ]
}

This policy document:

Allows management operations (create, read, update) for any resolver instances in the EU region
Allows use of the resolve action, but only for the specific resolver-prod instance
Explicitly denies deletion of the resolver-prod instance, adding an additional safeguard

Policy Evaluation Rules

An explicit deny in any policy overrides any allows
If there is no explicit allow, access is denied by default
Permissions are evaluated within their defined scope context
More specific resource definitions take precedence over less specific ones

ON THIS PAGE

#IAM Policy Documents Reference

#Policy Document Structure

#Version

#Permissions

#Permission Statement Structure

#Effect

#Scope

#Actions

#Resources

#Regions

#Services

#Resource Types

#Resource ID

#Complete Example

#Policy Evaluation Rules