Creating a Managed Policy

You can create managed policies and then attach them to users or groups. This lets you build a library of reusable policies in your account and manage its permissions from one place.

After creating a managed policy, you need to attach it to a user or a group. For more information, see Attaching a Managed Policy to a User or a Group.

You can use versions to modify the permissions in a policy; the changes are automatically applied to all users and groups the policy is attached to. For more information, see Editing Managed Policies Using Policy Versions.

Creating a Managed Policy Using Cockpit v1

  1. Hover over your name.
    A drop-down menu appears.

  2. Click Users and Policies Management.

  3. In the EIM navigation panel, click Policies.
    The Policies page appears.

  4. Click Create.
    The CREATE POLICY dialog box appears.

  5. In the Name field, type the name you want to give to the policy.

    This name must be unique and must contain between 1 and 128 characters. Allowed characters are a-z, A-Z, 0-9, and +=,.@-_.

  6. In the Selection section, check one of the following boxes for the policy:

    • Full Access, to allow all actions for all AWS-compliant services except Internal Call Unit (ICU).

    • Read-Only, to give read-only permissions for all actions related to Describe* API calls.

    • Custom, to select specific actions for which you want to set permissions.

      The Read-Only policy also allows EIM users to read the root user's credentials. To prevent this, create the following custom policy instead, which keeps the read-only permissions but explicitly denies the api:ReadSecretAccessKey action:

      {
        "Statement": [
            {
                "Action": [
                    "*:Describe*",
                    "*:Read*"
                ],
                "Resource": ["*"],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "api:ReadSecretAccessKey"
                ],
                "Resource": ["*"],
                "Effect": "Deny"
            }
        ]
      }

  7. (Custom only) In the Statements section, do the following actions for the policy you want to create:

    1. In the Assisted tab, select the 3DS OUTSCALE service for which you want to manage permissions (FCU|LBU|EIM|DIRECTLINK).

    2. Click the text field and type or select one or more actions for which you want to set permissions.

    3. Select the effect you want to set for the selected actions (Deny|Allow).

    4. Click .

      You can also type the policy directly in JSON format in the Edition tab. For more information about the JSON structure, grammar, and elements to use for EIM policy documents, see EIM Reference Information.

  8. Click Create to validate.
    The policy is created and appears on the Policies page.
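The read-only pitfall in step 6 is easy to reintroduce when a policy document is edited by hand, whether in the Edition tab or in the file passed to create-policy as --policy-document later on this page. The following Python script is an added example, not code from 3DS OUTSCALE or the Cockpit product: it checks a policy name against the 1-128 character rule and allowed character set stated above, and evaluates whether the document would still allow api:ReadSecretAccessKey. The evaluator is a deliberate simplification (it assumes an explicit Deny always overrides an Allow, matches Action patterns with shell-style wildcards, and ignores the Resource and Condition elements), and the two embedded policies are constructed samples, the second being the page's custom policy with its Deny statement removed.

```python
import fnmatch
import json
import re
import sys

# Name constraint as stated on the page: 1 to 128 characters drawn from
# a-z, A-Z, 0-9 and +=,.@-_
_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@\-_]{1,128}$")


def policy_name_is_valid(name: str) -> bool:
    """Return True if the policy name satisfies the documented constraint."""
    return bool(_NAME_RE.fullmatch(name))


def _as_list(value):
    """Elements such as Action and Statement may be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def evaluate_action(policy: dict, action: str) -> str:
    """Evaluate one action against a policy document.

    Assumed (simplified) semantics: an explicit Deny always wins over an
    Allow, and an action no statement matches is implicitly denied.
    Action patterns are matched case-insensitively with shell-style
    wildcards, so "*:Read*" matches "api:ReadSecretAccessKey".
    Resource and Condition elements are ignored.
    Returns "Allow", "Deny" or "ImplicitDeny".
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        for pattern in _as_list(stmt.get("Action")):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                if stmt.get("Effect") == "Deny":
                    return "Deny"  # an explicit deny is final
                if stmt.get("Effect") == "Allow":
                    decision = "Allow"
    return decision


SECRET_KEY_ACTION = "api:ReadSecretAccessKey"


def exposes_secret_access_key(policy: dict) -> bool:
    """True when the document lets its holders read access key secrets."""
    return evaluate_action(policy, SECRET_KEY_ACTION) == "Allow"


def lint_policy(name: str, policy: dict) -> list:
    """Collect human-readable findings; an empty list means the policy passed."""
    findings = []
    if not policy_name_is_valid(name):
        findings.append(f"policy name {name!r} violates the 1-128 character / allowed-charset rule")
    if exposes_secret_access_key(policy):
        findings.append(f"{SECRET_KEY_ACTION} is allowed and never explicitly denied")
    return findings


# Constructed sample: the hardened read-only policy shown in step 6 ...
HARDENED_READ_ONLY = {
    "Statement": [
        {"Action": ["*:Describe*", "*:Read*"], "Resource": ["*"], "Effect": "Allow"},
        {"Action": ["api:ReadSecretAccessKey"], "Resource": ["*"], "Effect": "Deny"},
    ]
}

# ... and the same document with the Deny statement left out (constructed).
NAIVE_READ_ONLY = {"Statement": HARDENED_READ_ONLY["Statement"][:1]}


if __name__ == "__main__":
    # Usage: python policy_lint.py MY_POLICY policy.json
    # Exits 1 on findings so it can gate an `aws iam create-policy` call in a script.
    name, path = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        document = json.load(fh)
    problems = lint_policy(name, document)
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

Run it against the JSON file before passing that file to the Cockpit Edition tab or to create-policy; a non-zero exit status means the name is invalid or the document would still expose access key secrets.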

Creating a Managed Policy Using AWS CLI

To create a new managed policy, use the create-policy command following this syntax:

Request sample
$ aws iam create-policy \
    --profile YOUR_PROFILE \
    --policy-name MY_POLICY \
    --path / \
    --policy-document file://policy \
    --description "Admin policy allowing all actions on all resources" \
    --endpoint https://eim.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • policy-name: The name of the policy you want to create.

    This name must be unique and must contain between 1 and 128 characters. Allowed characters are a-z, A-Z, 0-9, and +=,.@-_.

  • (optional) path: The path for the policy (by default, set to a slash /).

  • policy-document: The policy document, corresponding to a JSON string that contains the policy. For more information, see EIM Reference Information.

  • (optional) description: A description for the policy.

  • endpoint: The endpoint corresponding to the Region you want to send the request to.

The create-policy command returns the following elements:

  • Policy: Information about the newly created policy. This element contains the following information:

    • PolicyName: The name of the policy.

    • PolicyId: The ID of the policy.

    • Arn: The OUTSCALE Resource Name (ORN) of the policy. For more information, see Resource Identifiers.

    • Path: The path for the policy.

    • DefaultVersionId: The ID of the policy version set as the default one.

    • AttachmentCount: The number of EIM identities (users or groups) that the policy is attached to.

    • IsAttachable: If true, the policy can be attached to an EIM identity. If false, it cannot.

    • CreateDate: The date and time of creation of the policy.

    • UpdateDate: The date and time of the last update of the policy.

Result sample
{
    "Policy": {
        "PolicyName": "MY_POLICY",
        "PolicyId": "ABCDEF1GHIJKLMN2OP3QR",
        "Arn": "arn:aws:iam::0123456789012:policy/my-policy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "CreateDate": "2018-05-12T18:43:14.524Z",
        "UpdateDate": "2018-05-12T18:43:14.524Z"
    }
}

The policy is created and can be attached to EIM users or groups in your account.


AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.