Using a Custom Policy Along with Full-Permission System-Defined Policies
If you grant an IAM user a high-permission system policy, such as "FullAccess", but do not want the IAM user to have permissions for a certain service, such as Cloud Trace Service (CTS), you can create a custom policy. Set the Effect of the custom policy to Deny, then assign both the high-permission system policy and the custom policy to the user. As an explicit deny in any policy overrides any allows, the authorized IAM user will be able to perform all operations on all other services except CTS.
The following policy example indicates: Deny the IAM user access to CTS.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "cts:*:*"
            ]
        }
    ]
}
Description:
- Action specifies the authorization item in the format service name:resource type:operation. "cts:*:*" covers every CTS operation: "cts" is the service name and each "*" is a wildcard, matching all operations on all resource types.
- Effect specifies whether the statement denies (Deny) or permits (Allow) the listed actions.
Using a Custom Policy Along with a System-Defined Policy
- If you grant an IAM user a system policy for a single service, such as BMS FullAccess, but do not want the user to have the permission to create DPSs (bms:servers:create) included in BMS FullAccess, you can create a custom policy with the same Action and set its Effect to Deny. Then, assign both the system policy (BMS FullAccess) and the custom policy to the user. As an explicit deny in any policy overrides any allows, the user will be able to perform all BMS operations except creating DPSs.
The following policy example indicates: deny IAM users from creating DPSs.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "bms:servers:create"
            ]
        }
    ]
}
- If you grant an IAM user the "OBS ReadOnlyAccess" permission but want to restrict certain users (e.g., those with usernames starting with "TestUser") from accessing specific OBS resources (such as buckets with names beginning with "TestBucket"), you can create a custom policy targeting those resources and set its Effect to Deny. Then, assign both the OBS ReadOnlyAccess policy and the custom policy to the user. As an explicit deny in any policy overrides any allows, the user will retain read-only access to all OBS buckets except those starting with "TestBucket".
The following policy example indicates: deny users whose names begin with TestUser access to buckets whose names begin with TestBucket.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "obs:bucket:ListAllMybuckets",
                "obs:bucket:HeadBucket",
                "obs:bucket:ListBucket",
                "obs:bucket:GetBucketLocation"
            ],
            "Resource": [
                "obs:*:*:bucket:TestBucket*"
            ],
            "Condition": {
                "StringStartWith": {
                    "g:UserName": [
                        "TestUser"
                    ]
                }
            }
        }
    ]
}
Description:
Currently, only some services, such as OBS, support resource-level authorization.
If a custom policy specifies a resource type for a service that does not support resource-level authorization, the policy cannot be created.
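To show how the combination above is evaluated, here is a small added example (not from the original page) that models the decision logic for the OBS case: a constructed stand-in for the "OBS ReadOnlyAccess" system policy is combined with the custom Deny policy, and requests are evaluated with explicit deny overriding allow, a missing match being an implicit deny, and only the StringStartWith operator from this page supported. Wildcard matching is assumed to be glob-style; the real service may scope "*" per segment.

```python
import fnmatch

# Constructed stand-in for the "OBS ReadOnlyAccess" system policy (assumption:
# the real policy lists more actions; only read-type actions matter here).
OBS_READONLY = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["obs:*:Get*", "obs:*:List*", "obs:*:HeadBucket"]}]}

# The custom deny policy from this page: users named TestUser* may not read
# buckets named TestBucket*.
CUSTOM_DENY = {"Version": "1.1", "Statement": [
    {"Effect": "Deny",
     "Action": ["obs:bucket:ListAllMybuckets", "obs:bucket:HeadBucket",
                "obs:bucket:ListBucket", "obs:bucket:GetBucketLocation"],
     "Resource": ["obs:*:*:bucket:TestBucket*"],
     "Condition": {"StringStartWith": {"g:UserName": ["TestUser"]}}}]}

def _matches(patterns, value):
    # Glob-style wildcard matching (assumption: "*" may span ":" separators).
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    # Only the StringStartWith operator used on this page is modelled.
    for op, keys in condition.items():
        if op != "StringStartWith":
            raise ValueError(f"unsupported condition operator: {op}")
        for key, prefixes in keys.items():
            if not any(str(context.get(key, "")).startswith(p) for p in prefixes):
                return False
    return True

def _statement_applies(stmt, action, resource, context):
    if not _matches(stmt["Action"], action):
        return False
    if "Resource" in stmt and not _matches(stmt["Resource"], resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)

def evaluate(policies, action, resource, context):
    """Return "Allow" or "Deny". Explicit deny wins; no matching allow is a deny."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny overrides every allow
                decision = "Allow"
    return decision
```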
Using Only a Custom Policy
You can also create a custom policy on its own, without any system-defined policy, to grant IAM users exactly the permissions you specify.
- The following policy example indicates: Only allow IAM users to use ECS, EVS, VPC, ELB, and AOM.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:*:*",
                "evs:*:*",
                "vpc:*:*",
                "elb:*:*",
                "aom:*:*"
            ]
        }
    ]
}
- The following policy example indicates: Allow specific IAM users (with usernames starting with "TestUser") to delete specific OBS objects (all objects under the "my-object" directory in the "my-bucket" bucket).
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:object:DeleteObject"
            ],
            "Resource": [
                "obs:*:*:object:my-bucket/my-object/*"
            ],
            "Condition": {
                "StringStartWith": {
                    "g:UserName": [
                        "TestUser"
                    ]
                }
            }
        }
    ]
}
- The following policy example indicates: Allow IAM users to access all services except ECS, EVS, VPC, ELB, and AOM.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "*:*:*"
            ]
        },
        {
            "Effect": "Deny",
            "Action": [
                "ecs:*:*",
                "evs:*:*",
                "vpc:*:*",
                "elb:*:*",
                "aom:*:*"
            ]
        }
    ]
}