ActiveScale IAM API

1.0 Introduction

The ActiveScale Identity and Access Management (IAM) API allows users to set fine-grained access permissions on AWS compatible services on ActiveScale (S3 and IAM). In addition, the users can also use the IAM API to control who can set those permissions.

The ActiveScale IAM API is compatible with the Amazon Web Services (AWS) IAM API, although not all features found on AWS are supported. The full AWS IAM API can be found here, this document details the difference in supported features as well as some basic examples to help you get started.

2.0 AWS IAM API Compatibility

2.1 Policy grammar specifics

Actions	Notes
Version	Only version “2012-10-17” is supported by ActiveScale IAM. For more information on IAM version refer to the AWS documentation.
Statement.Principal	Note: Only for bucket policies. Supported principal types: : all principals (including anonymous) . AWS: account root user by arn (no wildcards), IAM user by arn (no wildcards), account identifier, CanonicalUser: account root user by account canonical id .
Statement.NotPrincipal	Refer to Statement.Principal.
Action	* An action in Supported Actions (may include wildcards).
NotAction	Refer to Action.
Resource	* A resource ARN (may include wildcard). Only S3 resources and IAM resources are supported.
NotResource	Refer to Resource.
Condition	Supported from ActiveScale 7.1 and above.

2.4 Supported Actions

The following tables list the support actions supported by ActiveScale IAM and any difference with AWS IAM. For more in-depth information on the actions please refer to the AWS documentation.

2.4.1 Access Key

Actions	Request Parameters	Response Elements
CreateAccessKey	Supported request parameters: UserName	Supported response elements: CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.UserName CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.AccessKeyId CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.SecretAccessKey CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.Status CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.CreateDate CreateAccessKeyResponse.ResponseMetadata.RequestId Not supported response elements: CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.AccessKeySelector
ListAccessKeys	Supported request parameters: UserName Marker MaxItems	Supported response elements: ListAccessKeysResponse.ListAccessKeysResult.AccessKeyMetadata.member.UserName ListAccessKeysResponse.ListAccessKeysResult.AccessKeyMetadata.member.AccessKeyId ListAccessKeysResponse.ListAccessKeysResult.AccessKeyMetadata.member.Status ListAccessKeysResponse.ListAccessKeysResult.AccessKeyMetadata.member.CreateDate ListAccessKeysResponse.ListAccessKeysResult.IsTruncated ListAccessKeysResponse.ListAccessKeysResult.Marker ListAccessKeysResponse.ResponseMetadata.RequestId
UpdateAccessKey	Supported request parameters: UserName AccessKeyId	Status Supported response elements: UpdateAccessKeyResponse.ResponseMetadata.RequestId

Actions

Request Parameters

Response Elements

CreateAccessKey

Supported request parameters:

UserName

Supported response elements:

CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.UserName
CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.AccessKeyId
CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.SecretAccessKey
CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.Status
CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.CreateDate
CreateAccessKeyResponse.ResponseMetadata.RequestId

Not supported response elements:

CreateAccessKeyResponse.CreateAccessKeyResult.AccessKey.AccessKeySelector

ListAccessKeys

Supported request parameters:

UserName
Marker
MaxItems

Supported response elements:

ListAccessKeysResponse.ListAccessKeysResult.AccessKeyMetadata.member.UserName
ListAccessKeysResponse.ListAccessKeysResult.AccessKeyMetadata.member.AccessKeyId
ListAccessKeysResponse.ListAccessKeysResult.AccessKeyMetadata.member.Status
ListAccessKeysResponse.ListAccessKeysResult.AccessKeyMetadata.member.CreateDate
ListAccessKeysResponse.ListAccessKeysResult.IsTruncated
ListAccessKeysResponse.ListAccessKeysResult.Marker
ListAccessKeysResponse.ResponseMetadata.RequestId

UpdateAccessKey

Supported request parameters:

UserName
AccessKeyId

Status Supported response elements:

UpdateAccessKeyResponse.ResponseMetadata.RequestId

2.4.2 Group

Actions	Request Parameters	Response Elements
CreateGroup	Supported request parameters: GroupName Path	Supported response elements: CreateGroupResponse.CreateGroupResult.Group.Path CreateGroupResponse.CreateGroupResult.Group.GroupName CreateGroupResponse.CreateGroupResult.Group.GroupId CreateGroupResponse.CreateGroupResult.Group.Arn CreateGroupResponse.CreateGroupResult.Group.CreateDate CreateGroupResponse.ResponseMetadata.RequestId
GetGroup	Supported request parameters: GroupName Marker MaxItems	Supported response elements: GetGroupResponse.GetGroupResult.Group.Path GetGroupResponse.GetGroupResult.Group.GroupName GetGroupResponse.GetGroupResult.Group.GroupId GetGroupResponse.GetGroupResult.Group.Arn GetGroupResponse.GetGroupResult.Group.CreateDate GetGroupResponse.GetGroupResult.Users.member.Path GetGroupResponse.GetGroupResult.Users.member.UserName GetGroupResponse.GetGroupResult.Users.member.UserId GetGroupResponse.GetGroupResult.Users.member.Arn GetGroupResponse.GetGroupResult.Users.member.CreateDate GetGroupResponse.GetGroupResult.IsTruncated GetGroupResponse.GetGroupResult.Marker GetGroupResponse.ResponseMetadata.RequestId
ListGroups	Supported request parameters: PathPrefix Marker MaxItems	Supported response elements: ListGroupsResponse.ListGroupsResult.Groups.member.Path ListGroupsResponse.ListGroupsResult.Groups.member.GroupName ListGroupsResponse.ListGroupsResult.Groups.member.GroupId ListGroupsResponse.ListGroupsResult.Groups.member.Arn ListGroupsResponse.ListGroupsResult.Groups.member.CreateDate ListGroupsResponse.ListGroupsResult.IsTruncated ListGroupsResponse.ListGroupsResult.Marker ListGroupsResponse.ResponseMetadata.RequestId
UpdateGroup	Supported request parameters: GroupName NewPath NewGroupName	Supported response elements: UpdateGroupResponse.ResponseMetadata.RequestId
DeleteGroup	Supported request parameters: GroupName	Supported response elements: : DeleteGroupResponse.ResponseMetadata.RequestId
AddUserToGroup	Supported request parameters: GroupName UserName	Supported response elements: AddUserToGroupResponse.ResponseMetadata.RequestId
ListGroupsForUser	Supported request parameters: UserName Marker MaxItems	Supported response elements: ListGroupsForUserResponse.ListGroupsForUserResult.Groups.member.Path ListGroupsForUserResponse.ListGroupsForUserResult.Groups.member.GroupName ListGroupsForUserResponse.ListGroupsForUserResult.Groups.member.GroupId ListGroupsForUserResponse.ListGroupsForUserResult.Groups.member.Arn ListGroupsForUserResponse.ListGroupsForUserResult.Groups.member.CreateDate ListGroupsForUserResponse.ListGroupsForUserResult.IsTruncated ListGroupsForUserResponse.ListGroupsForUserResult.Marker ListGroupsForUserResponse.ResponseMetadata.RequestId
RemoveUserFromGroup	Supported request parameters: GroupName UserName	Supported response elements: RemoveUserFromGroupResponse.ResponseMetadata.RequestId

Actions

Request Parameters

Response Elements

CreateGroup

Supported request parameters:

GroupName
Path

Supported response elements:

CreateGroupResponse.CreateGroupResult.Group.Path
CreateGroupResponse.CreateGroupResult.Group.GroupName
CreateGroupResponse.CreateGroupResult.Group.GroupId
CreateGroupResponse.CreateGroupResult.Group.Arn
CreateGroupResponse.CreateGroupResult.Group.CreateDate
CreateGroupResponse.ResponseMetadata.RequestId

GetGroup

Supported request parameters:

GroupName
Marker
MaxItems

Supported response elements:

GetGroupResponse.GetGroupResult.Group.Path
GetGroupResponse.GetGroupResult.Group.GroupName
GetGroupResponse.GetGroupResult.Group.GroupId
GetGroupResponse.GetGroupResult.Group.Arn
GetGroupResponse.GetGroupResult.Group.CreateDate
GetGroupResponse.GetGroupResult.Users.member.Path
GetGroupResponse.GetGroupResult.Users.member.UserName
GetGroupResponse.GetGroupResult.Users.member.UserId
GetGroupResponse.GetGroupResult.Users.member.Arn
GetGroupResponse.GetGroupResult.Users.member.CreateDate
GetGroupResponse.GetGroupResult.IsTruncated
GetGroupResponse.GetGroupResult.Marker
GetGroupResponse.ResponseMetadata.RequestId

ListGroups

Supported request parameters:

PathPrefix
Marker
MaxItems

Supported response elements:

ListGroupsResponse.ListGroupsResult.Groups.member.Path
ListGroupsResponse.ListGroupsResult.Groups.member.GroupName
ListGroupsResponse.ListGroupsResult.Groups.member.GroupId
ListGroupsResponse.ListGroupsResult.Groups.member.Arn
ListGroupsResponse.ListGroupsResult.Groups.member.CreateDate
ListGroupsResponse.ListGroupsResult.IsTruncated
ListGroupsResponse.ListGroupsResult.Marker
ListGroupsResponse.ResponseMetadata.RequestId

UpdateGroup

Supported request parameters:

GroupName
NewPath
NewGroupName

Supported response elements:

UpdateGroupResponse.ResponseMetadata.RequestId

DeleteGroup

Supported request parameters:

GroupName

Supported response elements:

: DeleteGroupResponse.ResponseMetadata.RequestId

AddUserToGroup

Supported request parameters:

GroupName
UserName

Supported response elements:

AddUserToGroupResponse.ResponseMetadata.RequestId

ListGroupsForUser

Supported request parameters:

UserName
Marker
MaxItems

Supported response elements:

ListGroupsForUserResponse.ListGroupsForUserResult.Groups.member.Path
ListGroupsForUserResponse.ListGroupsForUserResult.Groups.member.GroupName
ListGroupsForUserResponse.ListGroupsForUserResult.Groups.member.GroupId
ListGroupsForUserResponse.ListGroupsForUserResult.Groups.member.Arn
ListGroupsForUserResponse.ListGroupsForUserResult.Groups.member.CreateDate
ListGroupsForUserResponse.ListGroupsForUserResult.IsTruncated
ListGroupsForUserResponse.ListGroupsForUserResult.Marker
ListGroupsForUserResponse.ResponseMetadata.RequestId

RemoveUserFromGroup

Supported request parameters:

GroupName
UserName

Supported response elements:

RemoveUserFromGroupResponse.ResponseMetadata.RequestId

2.4.3 Group Policy

Actions	Request Parameters	Response Elements
PutGroupPolicy	Supported request parameters: GroupName PolicyName PolicyDocument	Supported response elements: PutGroupPolicyResponse.ResponseMetadata.RequestId
GetGroupPolicy	Supported request parameters: GroupName PolicyName	Supported response elements: GetGroupPolicyResponse.GetGroupPolicyResult.GroupName GetGroupPolicyResponse.GetGroupPolicyResult.PolicyName GetGroupPolicyResponse.GetGroupPolicyResult.PolicyDocument GetGroupPolicyResponse.ResponseMetadata.RequestId
ListGroupPolicies	Supported request parameters: GroupName Marker MaxItems	Supported response elements: ListGroupPoliciesResponse.ListGroupPoliciesResult.PolicyNames.member ListGroupPoliciesResponse.ListGroupPoliciesResult.IsTruncated ListGroupPoliciesResponse.ListGroupPoliciesResult.Marker ListGroupPoliciesResponse.ResponseMetadata.RequestId
DeleteGroupPolicy	Supported request parameters: GroupName PolicyName	Supported response elements: DeleteGroupPolicyResponse.ResponseMetadata.RequestId
AttachGroupPolicy	Supported request parameters: GroupName PolicyArn	Supported response elements: AttachGroupPolicyResponse.ResponseMetadata.RequestId
ListAttachedGroupPolicies	Supported request parameters: GroupName PathPrefix Marker MaxItems	Supported response elements: ListAttachedGroupPoliciesResponse.ListAttachedGroupPoliciesResult.AttachedPolicies.member.PolicyName ListAttachedGroupPoliciesResponse.ListAttachedGroupPoliciesResult.AttachedPolicies.member.PolicyArn ListAttachedGroupPoliciesResponse.ListAttachedGroupPoliciesResult.IsTruncated ListAttachedGroupPoliciesResponse.ListAttachedGroupPoliciesResult.Marker ListAttachedGroupPoliciesResponse.ResponseMetadata.RequestId
DetachGroupPolicy	Supported request parameters: GroupName PolicyArn	Supported response elements: DetachGroupPolicyResponse.ResponseMetadata.RequestId

Actions

Request Parameters

Response Elements

PutGroupPolicy

Supported request parameters:

GroupName
PolicyName
PolicyDocument

Supported response elements:

PutGroupPolicyResponse.ResponseMetadata.RequestId

GetGroupPolicy

Supported request parameters:

GroupName
PolicyName

Supported response elements:

GetGroupPolicyResponse.GetGroupPolicyResult.GroupName
GetGroupPolicyResponse.GetGroupPolicyResult.PolicyName
GetGroupPolicyResponse.GetGroupPolicyResult.PolicyDocument
GetGroupPolicyResponse.ResponseMetadata.RequestId

ListGroupPolicies

Supported request parameters:

GroupName
Marker
MaxItems

Supported response elements:

ListGroupPoliciesResponse.ListGroupPoliciesResult.PolicyNames.member
ListGroupPoliciesResponse.ListGroupPoliciesResult.IsTruncated
ListGroupPoliciesResponse.ListGroupPoliciesResult.Marker
ListGroupPoliciesResponse.ResponseMetadata.RequestId

DeleteGroupPolicy

Supported request parameters:

GroupName
PolicyName

Supported response elements:

DeleteGroupPolicyResponse.ResponseMetadata.RequestId

AttachGroupPolicy

Supported request parameters:

GroupName
PolicyArn

Supported response elements:

AttachGroupPolicyResponse.ResponseMetadata.RequestId

ListAttachedGroupPolicies

Supported request parameters:

GroupName
PathPrefix
Marker
MaxItems

Supported response elements:

ListAttachedGroupPoliciesResponse.ListAttachedGroupPoliciesResult.AttachedPolicies.member.PolicyName
ListAttachedGroupPoliciesResponse.ListAttachedGroupPoliciesResult.AttachedPolicies.member.PolicyArn
ListAttachedGroupPoliciesResponse.ListAttachedGroupPoliciesResult.IsTruncated
ListAttachedGroupPoliciesResponse.ListAttachedGroupPoliciesResult.Marker
ListAttachedGroupPoliciesResponse.ResponseMetadata.RequestId

DetachGroupPolicy

Supported request parameters:

GroupName
PolicyArn

Supported response elements:

DetachGroupPolicyResponse.ResponseMetadata.RequestId

2.4.4 Policy

Actions	Request Parameters	Response Elements
CreatePolicy	Supported request parameters: PolicyName Path PolicyDocument Description Not supported request parameters: Tags	Supported response elements: CreatePolicyResponse.CreatePolicyResult.Policy.Path CreatePolicyResponse.CreatePolicyResult.Policy.PolicyName CreatePolicyResponse.CreatePolicyResult.Policy.PolicyId CreatePolicyResponse.CreatePolicyResult.Policy.Arn CreatePolicyResponse.CreatePolicyResult.Policy.DefaultVersionId CreatePolicyResponse.CreatePolicyResult.Policy.IsAttachable CreatePolicyResponse.CreatePolicyResult.Policy.AttachmentCount CreatePolicyResponse.CreatePolicyResult.Policy.CreateDate CreatePolicyResponse.CreatePolicyResult.Policy.UpdateDate CreatePolicyResponse.ResponseMetadata.RequestId Not supported response elements: CreatePolicyResponse.CreatePolicyResult.Policy.PermissionsBoundaryUsageCount
GetPolicy	Supported request parameters: PolicyArn	Supported response elements: GetPolicyResponse.GetPolicyResult.Policy.Path GetPolicyResponse.GetPolicyResult.Policy.PolicyName GetPolicyResponse.GetPolicyResult.Policy.PolicyId GetPolicyResponse.GetPolicyResult.Policy.Arn GetPolicyResponse.GetPolicyResult.Policy.Description GetPolicyResponse.GetPolicyResult.Policy.DefaultVersionId GetPolicyResponse.GetPolicyResult.Policy.IsAttachable GetPolicyResponse.GetPolicyResult.Policy.AttachmentCount GetPolicyResponse.GetPolicyResult.Policy.CreateDate GetPolicyResponse.GetPolicyResult.Policy.UpdateDate GetPolicyResponse.ResponseMetadata.RequestId Not supported response elements: GetPolicyResponse.GetPolicyResult.Policy.PermissionsBoundaryUsageCount GetPolicyResponse.GetPolicyResult.Policy.Tags
ListPolicies	Supported request parameters: PathPrefix OnlyAttached PolicyUsageFilter Scope Marker MaxItems	Supported response elements: ListPoliciesResponse.ListPoliciesResult.Policies.member.Path ListPoliciesResponse.ListPoliciesResult.Policies.member.PolicyName ListPoliciesResponse.ListPoliciesResult.Policies.member.PolicyId ListPoliciesResponse.ListPoliciesResult.Policies.member.Arn ListPoliciesResponse.ListPoliciesResult.Policies.member.DefaultVersionId ListPoliciesResponse.ListPoliciesResult.Policies.member.IsAttachable ListPoliciesResponse.ListPoliciesResult.Policies.member.AttachmentCount ListPoliciesResponse.ListPoliciesResult.Policies.member.CreateDate ListPoliciesResponse.ListPoliciesResult.Policies.member.UpdateDate ListPoliciesResponse.ListPoliciesResult.IsTruncated ListPoliciesResponse.ListPoliciesResult.Marker ListPoliciesResponse.ResponseMetadata.RequestId Not supported response elements: ListPoliciesResponse.ListPoliciesResult.Policies.member.PermissionsBoundaryUsageCount
DeletePolicy	Supported request parameters: PolicyArn	Supported response elements: DeletePolicyResponse.ResponseMetadata.RequestId

Actions

Request Parameters

Response Elements

CreatePolicy

Supported request parameters:

PolicyName
Path
PolicyDocument

Description Not supported request parameters:

Tags

Supported response elements:

CreatePolicyResponse.CreatePolicyResult.Policy.Path
CreatePolicyResponse.CreatePolicyResult.Policy.PolicyName
CreatePolicyResponse.CreatePolicyResult.Policy.PolicyId
CreatePolicyResponse.CreatePolicyResult.Policy.Arn
CreatePolicyResponse.CreatePolicyResult.Policy.DefaultVersionId
CreatePolicyResponse.CreatePolicyResult.Policy.IsAttachable
CreatePolicyResponse.CreatePolicyResult.Policy.AttachmentCount
CreatePolicyResponse.CreatePolicyResult.Policy.CreateDate
CreatePolicyResponse.CreatePolicyResult.Policy.UpdateDate
CreatePolicyResponse.ResponseMetadata.RequestId

Not supported response elements:

CreatePolicyResponse.CreatePolicyResult.Policy.PermissionsBoundaryUsageCount

GetPolicy

Supported request parameters:

PolicyArn

Supported response elements:

GetPolicyResponse.GetPolicyResult.Policy.Path
GetPolicyResponse.GetPolicyResult.Policy.PolicyName
GetPolicyResponse.GetPolicyResult.Policy.PolicyId
GetPolicyResponse.GetPolicyResult.Policy.Arn
GetPolicyResponse.GetPolicyResult.Policy.Description
GetPolicyResponse.GetPolicyResult.Policy.DefaultVersionId
GetPolicyResponse.GetPolicyResult.Policy.IsAttachable
GetPolicyResponse.GetPolicyResult.Policy.AttachmentCount
GetPolicyResponse.GetPolicyResult.Policy.CreateDate
GetPolicyResponse.GetPolicyResult.Policy.UpdateDate
GetPolicyResponse.ResponseMetadata.RequestId

Not supported response elements:

GetPolicyResponse.GetPolicyResult.Policy.PermissionsBoundaryUsageCount
GetPolicyResponse.GetPolicyResult.Policy.Tags

ListPolicies

Supported request parameters:

PathPrefix
OnlyAttached
PolicyUsageFilter
Scope Marker
MaxItems

Supported response elements:

ListPoliciesResponse.ListPoliciesResult.Policies.member.Path
ListPoliciesResponse.ListPoliciesResult.Policies.member.PolicyName
ListPoliciesResponse.ListPoliciesResult.Policies.member.PolicyId
ListPoliciesResponse.ListPoliciesResult.Policies.member.Arn
ListPoliciesResponse.ListPoliciesResult.Policies.member.DefaultVersionId
ListPoliciesResponse.ListPoliciesResult.Policies.member.IsAttachable
ListPoliciesResponse.ListPoliciesResult.Policies.member.AttachmentCount
ListPoliciesResponse.ListPoliciesResult.Policies.member.CreateDate
ListPoliciesResponse.ListPoliciesResult.Policies.member.UpdateDate
ListPoliciesResponse.ListPoliciesResult.IsTruncated
ListPoliciesResponse.ListPoliciesResult.Marker
ListPoliciesResponse.ResponseMetadata.RequestId

Not supported response elements:

ListPoliciesResponse.ListPoliciesResult.Policies.member.PermissionsBoundaryUsageCount

DeletePolicy

Supported request parameters:

PolicyArn

Supported response elements:

DeletePolicyResponse.ResponseMetadata.RequestId

2.4.5 Policy Version

Actions	Request Parameters	Response Elements
CreatePolicyVersion	Supported request parameters: PolicyArn PolicyDocument SetAsDefault	Supported response elements: CreatePolicyVersionResponse.CreatePolicyVersionResult.PolicyVersion.VersionId CreatePolicyVersionResponse.CreatePolicyVersionResult.PolicyVersion.IsDefaultVersion CreatePolicyVersionResponse.CreatePolicyVersionResult.PolicyVersion.CreateDate CreatePolicyVersionResponse.ResponseMetadata.RequestId
GetPolicyVersion	Supported request parameters: PolicyArn VersionId	Supported response elements: GetPolicyVersionResponse.GetPolicyVersionResult.PolicyVersion.VersionId GetPolicyVersionResponse.GetPolicyVersionResult.PolicyVersion.IsDefaultVersion GetPolicyVersionResponse.GetPolicyVersionResult.PolicyVersion.Document GetPolicyVersionResponse.GetPolicyVersionResult.PolicyVersion.CreateDate GetPolicyVersionResponse.ResponseMetadata.RequestId
ListPolicyVersions	Supported request parameters: PolicyArn Marker MaxItems	Supported response elements: ListPolicyVersionsResponse.ListPolicyVersionsResult.Versions.member.VersionId ListPolicyVersionsResponse.ListPolicyVersionsResult.Versions.member.IsDefaultVersion ListPolicyVersionsResponse.ListPolicyVersionsResult.Versions.member.CreateDate ListPolicyVersionsResponse.ListPolicyVersionsResult.IsTruncated ListPolicyVersionsResponse.ListPolicyVersionsResult.Marker ListPolicyVersionsResponse.ResponseMetadata.RequestId
DeletePolicyVersion	Supported request parameters: PolicyArn VersionId	Supported response elements: SetDefaultPolicyVersionResponse.ResponseMetadata.RequestId
SetDefaultPolicyVersion	Supported request parameters: PolicyArn VersionId	Supported response elements: SetDefaultPolicyVersionResponse.ResponseMetadata.RequestId

Actions

Request Parameters

Response Elements

CreatePolicyVersion

Supported request parameters:

PolicyArn
PolicyDocument
SetAsDefault

Supported response elements:

CreatePolicyVersionResponse.CreatePolicyVersionResult.PolicyVersion.VersionId
CreatePolicyVersionResponse.CreatePolicyVersionResult.PolicyVersion.IsDefaultVersion
CreatePolicyVersionResponse.CreatePolicyVersionResult.PolicyVersion.CreateDate
CreatePolicyVersionResponse.ResponseMetadata.RequestId

GetPolicyVersion

Supported request parameters:

PolicyArn
VersionId

Supported response elements:

GetPolicyVersionResponse.GetPolicyVersionResult.PolicyVersion.VersionId
GetPolicyVersionResponse.GetPolicyVersionResult.PolicyVersion.IsDefaultVersion
GetPolicyVersionResponse.GetPolicyVersionResult.PolicyVersion.Document
GetPolicyVersionResponse.GetPolicyVersionResult.PolicyVersion.CreateDate
GetPolicyVersionResponse.ResponseMetadata.RequestId

ListPolicyVersions

Supported request parameters:

PolicyArn
Marker
MaxItems

Supported response elements:

ListPolicyVersionsResponse.ListPolicyVersionsResult.Versions.member.VersionId
ListPolicyVersionsResponse.ListPolicyVersionsResult.Versions.member.IsDefaultVersion
ListPolicyVersionsResponse.ListPolicyVersionsResult.Versions.member.CreateDate
ListPolicyVersionsResponse.ListPolicyVersionsResult.IsTruncated
ListPolicyVersionsResponse.ListPolicyVersionsResult.Marker
ListPolicyVersionsResponse.ResponseMetadata.RequestId

DeletePolicyVersion

Supported request parameters:

PolicyArn
VersionId

Supported response elements:

SetDefaultPolicyVersionResponse.ResponseMetadata.RequestId

SetDefaultPolicyVersion

Supported request parameters:

PolicyArn
VersionId

Supported response elements:

SetDefaultPolicyVersionResponse.ResponseMetadata.RequestId

2.4.6 User

Actions	Request Parameters	Response Elements
CreateUser	Supported request parameters: Path UserName Not supported requests parameters: PermissionsBoundary	Supported response elements: CreateUserResponse.CreateUserResult.User.Path CreateUserResponse.CreateUserResult.User.UserName CreateUserResponse.CreateUserResult.User.UserId CreateUserResponse.CreateUserResult.User.Arn CreateUserResponse.CreateUserResult.User.CreateDate CreateUserResponse.ResponseMetadata.RequestId
GetUser	Supported request parameters: UserName	Supported response elements: GetUserResponse.GetUserResult.User.Path GetUserResponse.GetUserResult.User.UserName GetUserResponse.GetUserResult.User.UserId GetUserResponse.GetUserResult.User.Arn GetUserResponse.GetUserResult.User.CreateDate GetUserResponse.ResponseMetadata.RequestId Not supported response elements: GetUserResponse.GetUserResult.User.PasswordLastUsed
ListUsers	Supported request parameters: PathPrefix Marker MaxItems	Supported response elements: ListUsersResponse.ListUsersResult.Users.member.Path ListUsersResponse.ListUsersResult.Users.member.UserName ListUsersResponse.ListUsersResult.Users.member.UserId ListUsersResponse.ListUsersResult.Users.member.Arn ListUsersResponse.ListUsersResult.Users.member.CreateDate ListUsersResponse.ListUsersResult.IsTruncated ListUsersResponse.ListUsersResult.Marker ListUsersResponse.ResponseMetadata.RequestId Not supported response elements: ListUsersResponse.ListUsersResult.Users.member.PasswordLastUsed
UpdateUser	Supported request parameters: UserName NewPath NewUserName	Supported response elements: UpdateUserResponse.ResponseMetadata.RequestId
DeleteUser	Supported request parameters: UserName	Supported response elements: DeleteUserResponse.ResponseMetadata.RequestId

Actions

Request Parameters

Response Elements

CreateUser

Supported request parameters:

Path
UserName

Not supported requests parameters:

PermissionsBoundary

Supported response elements:

CreateUserResponse.CreateUserResult.User.Path
CreateUserResponse.CreateUserResult.User.UserName
CreateUserResponse.CreateUserResult.User.UserId
CreateUserResponse.CreateUserResult.User.Arn
CreateUserResponse.CreateUserResult.User.CreateDate
CreateUserResponse.ResponseMetadata.RequestId

GetUser

Supported request parameters:

UserName

Supported response elements:

GetUserResponse.GetUserResult.User.Path
GetUserResponse.GetUserResult.User.UserName
GetUserResponse.GetUserResult.User.UserId
GetUserResponse.GetUserResult.User.Arn
GetUserResponse.GetUserResult.User.CreateDate
GetUserResponse.ResponseMetadata.RequestId

Not supported response elements:

GetUserResponse.GetUserResult.User.PasswordLastUsed

ListUsers

Supported request parameters:

PathPrefix
Marker
MaxItems

Supported response elements:

ListUsersResponse.ListUsersResult.Users.member.Path
ListUsersResponse.ListUsersResult.Users.member.UserName
ListUsersResponse.ListUsersResult.Users.member.UserId
ListUsersResponse.ListUsersResult.Users.member.Arn
ListUsersResponse.ListUsersResult.Users.member.CreateDate
ListUsersResponse.ListUsersResult.IsTruncated
ListUsersResponse.ListUsersResult.Marker
ListUsersResponse.ResponseMetadata.RequestId

Not supported response elements:

ListUsersResponse.ListUsersResult.Users.member.PasswordLastUsed

UpdateUser

Supported request parameters:

UserName
NewPath
NewUserName

Supported response elements:

UpdateUserResponse.ResponseMetadata.RequestId

DeleteUser

Supported request parameters:

UserName

Supported response elements:

DeleteUserResponse.ResponseMetadata.RequestId

2.4.7 User Policy

Actions	Request Parameters	Response Elements
PutUserPolicy	Supported request parameters: UserName PolicyName PolicyDocument	Supported response elements: PutUserPolicyResponse.ResponseMetadata.RequestId
GetUserPolicy	Supported request parameters: UserName PolicyName	Supported response elements GetUserPolicyResponse.GetUserPolicyResult.UserName GetUserPolicyResponse.GetUserPolicyResult.PolicyName GetUserPolicyResponse.GetUserPolicyResult.PolicyDocument GetUserPolicyResponse.ResponseMetadata.RequestId
ListUserPolicies	Supported request parameters: UserName Marker MaxItems	Supported response elements: ListUserPoliciesResponse.ListUserPoliciesResult.PolicyNames.member ListUserPoliciesResponse.ListUserPoliciesResult.IsTruncated ListUserPoliciesResponse.ListUserPoliciesResult.Marker ListUserPoliciesResponse.ResponseMetadata.RequestId
DeleteUserPolicy	Supported request parameters: UserName	PolicyName Supported response elements: DeleteUserPolicyResponse.ResponseMetadata.RequestId
AttachUserPolicy	Supported request parameters: UserName	PolicyArn Supported response elements: AttachUserPolicyResponse.ResponseMetadata.RequestId
ListAttachedUserPolicies	Supported request parameters: UserName PathPrefix Marker MaxItems	Supported response elements: ListAttachedUserPoliciesResponse.ListAttachedUserPoliciesResult.AttachedPolicies.member.PolicyName ListAttachedUserPoliciesResponse.ListAttachedUserPoliciesResult.AttachedPolicies.member.PolicyArn ListAttachedUserPoliciesResponse.ListAttachedUserPoliciesResult.IsTruncated ListAttachedUserPoliciesResponse.ListAttachedUserPoliciesResult.Marker ListAttachedUserPoliciesResponse.ResponseMetadata.RequestId
DetachUserPolicy	Supported request parameters: UserName PolicyArn	Supported response elements: DetachUserPolicyResponse.ResponseMetadata.RequestId

Actions

Request Parameters

Response Elements

PutUserPolicy

Supported request parameters:

UserName
PolicyName
PolicyDocument

Supported response elements:

PutUserPolicyResponse.ResponseMetadata.RequestId

GetUserPolicy

Supported request parameters:

UserName
PolicyName

Supported response elements

GetUserPolicyResponse.GetUserPolicyResult.UserName
GetUserPolicyResponse.GetUserPolicyResult.PolicyName
GetUserPolicyResponse.GetUserPolicyResult.PolicyDocument
GetUserPolicyResponse.ResponseMetadata.RequestId

ListUserPolicies

Supported request parameters:

UserName
Marker
MaxItems

Supported response elements:

ListUserPoliciesResponse.ListUserPoliciesResult.PolicyNames.member
ListUserPoliciesResponse.ListUserPoliciesResult.IsTruncated
ListUserPoliciesResponse.ListUserPoliciesResult.Marker
ListUserPoliciesResponse.ResponseMetadata.RequestId

DeleteUserPolicy

Supported request parameters:

UserName

PolicyName Supported response elements:

DeleteUserPolicyResponse.ResponseMetadata.RequestId

AttachUserPolicy

Supported request parameters:

UserName

PolicyArn Supported response elements:

AttachUserPolicyResponse.ResponseMetadata.RequestId

ListAttachedUserPolicies

Supported request parameters:

UserName
PathPrefix
Marker
MaxItems

Supported response elements:

ListAttachedUserPoliciesResponse.ListAttachedUserPoliciesResult.AttachedPolicies.member.PolicyName
ListAttachedUserPoliciesResponse.ListAttachedUserPoliciesResult.AttachedPolicies.member.PolicyArn
ListAttachedUserPoliciesResponse.ListAttachedUserPoliciesResult.IsTruncated
ListAttachedUserPoliciesResponse.ListAttachedUserPoliciesResult.Marker
ListAttachedUserPoliciesResponse.ResponseMetadata.RequestId

DetachUserPolicy

Supported request parameters:

UserName
PolicyArn

Supported response elements:

DetachUserPolicyResponse.ResponseMetadata.RequestId

2.5 Supported Condition Keys

2.5.1 AWS Content Keys

Condition Key	Description
aws:CurrentTime	Current time in ISO8601 format.
aws:EpochTime	The date in epoch or Unix time.
aws:PrincipalAccount	The account id to which the principal belongs.
aws:PrincipalArn	The ARN of the principal.
aws:PrincipalType	Indicates whether the principal is an account or user ("Account", "User", "Anonymous").
aws:SecureTransport	Boolean value that represents whether the request was sent using SSL.
aws:SourceIp	The requester's IP address.
aws:UserAgent	Information about the requester's client application.
aws:userid	(if "Account"), unique user id (if "User") or not set (if "Anonymous").
aws:username	The friendly name of the current user (only set for principal type "User").

2.5.2 IAM Condition Keys

Condition Key	Description
iam:PolicyARN	ARN of a managed policy in requests that involve a managed policy.

2.5.3 S3 Condition Keys

Condition Key	Description
s3:LocationConstraint	The region.
s3:ResourceAccount	The owner account id of the resource (bucket).
s3:TlsVersion	The TLS version used by the client.
s3:VersionId	The object version id.
s3:authType	The authentication method ("REST-HEADER", "REST-QUERY-STRING", "POST").
s3:delimiter	The delimiter parameter of the request.
s3:max-keys	The max-keys parameter of the request.
s3:object-lock-legal-hold	The object legal hold status.
s3:object-lock-mode	The object retention mode ("COMPLIANCE", "GOVERNANCE").
s3:object-lock-remaining-retention-days	The remaining object retention days.
s3:object-lock-retain-until-date	The object retain until date.
s3:prefix	The prefix parameter of the request.
s3:signatureAge	The age (in ms) of the request signature.
s3:signatureversion	The signature version ("AWS" for v2, "AWS4-HMAC-SHA256" for v4).
s3:x-amz-acl	The canned ACL from the request x-amz-acl header.
s3:x-amz-content-sha256	Set to "UNSIGNED-PAYLOAD" if the payload isn't signed.
s3:x-amz-copy-source	The copy source (bucket, prefix, object) for a copy request.
s3:x-amz-grant-full-control	The request x-amz-grant-full-control header.
s3:x-amz-grant-read	The request x-amz-grant-read header.
s3:x-amz-grant-read-acp	The request x-amz-grant-read-acp header.
s3:x-amz-grant-write	The request x-amz-grant-write header.
s3:x-amz-grant-write-acp	The request x-amz-grant-write-acp header.
s3:x-amz-metadata-directive	The request x-amz-metadata-directive header.
s3:x-amz-server-side-encryption	The request x-amz-server-side-encryption header.
s3:x-amz-storage-class	The request x-amz-storage-class header.
s3:x-amz-website-redirect-location	The request x-amz-website-redirect-location header.

2.6 IAM Limits

Resource	Max Value
Managed policy size:	6144 bytes (whitespace ignored)
User policy size:	2048 bytes (whitespace ignored)
Attached policies per user:	20
Group policy size:	5120 bytes (whitespace ignored)
Attached policies per group:	10
Number of access keys per IAM user:	2
Total number of accounts:	10000
Total number of users per account:	5000
Total number of groups per account:	500
Number of groups a user can be attached to:	10
Number of users per group:	5000
Number of managed policies per account:	5000
Number of policy versions:	5

2.7 ACL Permissions Mapped to Policy Permissions

The following table shows how each ACL permission maps to the corresponding access policy permissions. As you can see, access policy allows more permissions than an ACL does. You use ACLs primarily to grant basic read/write permissions, similar to file system permissions, while policy permissions provide a lot more fine grained control over permissions.

ACL Permission	Corresponding access policy permissions when the ACL permission is granted on a bucket	Corresponding access policy permissions when the ACL permission is granted on an object
`READ` (Read Objects)	`s3:ListBucket` `s3:ListBucketVersions` `s3:ListBucketMultipartUploads`	`s3:GetObject` `s3:GetObjectVersion`
`WRITE` (Write Objects)	`s3:PutObject` Bucket owner can create, overwrite, and delete any object in the bucket, and object owner has `FULL_CONTROL` over their object. In addition, when the grantee is the bucket owner, granting `WRITE` permission in a bucket ACL allows the `s3:DeleteObjectVersion` action to be performed on any version in that bucket.	Not applicable
`READ_ACP` (Read Bucket Permissions)	`s3:GetBucketAcl`	`s3:GetObjectAcl` `s3:GetObjectVersionAcl`
`WRITE_ACP` (Write Bucket Permissions)	`s3:PutBucketAcl`	`s3:PutObjectAcl` `s3:PutObjectVersionAcl`
`FULL_CONTROL`	Equivalent to granting `READ`, `WRITE`, `READ_ACP`, and `WRITE_ACP` ACL permissions. Accordingly, this ACL permission maps to a combination of corresponding access policy permissions.	Equivalent to granting `READ`, `READ_ACP,` and `WRITE_ACP` ACL permissions. Accordingly, this ACL permission maps to a combination of corresponding access policy permissions

3.0 Basic Examples

3.2 Sample Policy Documents

3.3 Example Using AWS CLI

The following code snippet shows the various users and groups interact with policies using AWS CLI. For more information on AWS CLI refer to the AWS documentation.

# Create a user called "demo-user"

~ $ aws --profile demo iam create-user --user-name demo-user

{

"User": {

"Path": "/",

"UserName": "demo-user",

"UserId": "AIDACCX78G1TZHCH0ATQ1",

"Arn": "arn:aws:iam::652303226922:user/demo-user",

"CreateDate": "2024-03-04T09:03:07+00:00"

}

# Add a new inline policy document to "demo-user"

# User policy is a local json file similar to the "Sample policy document" examples

~ $ aws --profile demo iam put-user-policy --user-name demo-user --policy-name my-policy --policy-document file://my-policy.json

# List and get the new inline policy

~ $ aws --profile demo iam list-user-policies --user-name demo-user

{

"PolicyNames": [

"my-policy"

]

}

~ $ aws --profile demo iam get-user-policy --user-name demo-user --policy-name my-policy

{

"UserName": "demo-user",

"PolicyName": "my-policy",

"PolicyDocument": {

"Version": "2012-10-17",

"Statement": [

{

"Sid": "allowAllIam",

"Effect": "Allow",

"Action": "iam:*",

"Resource": "*"

}

]

}

# Create a group of users, users of a group automatically have the permissions of the group

# on top of any permissions they already have (for example via in-line policies)

~ $ aws --profile demo iam create-group --group-name my-users

{

"Group": {

"Path": "/",

"GroupName": "my-users",

"GroupId": "AGPAYOKKRE1I380Y6UW6E",

"Arn": "arn:aws:iam::652303226922:group/my-users",

"CreateDate": "2024-03-04T09:24:35+00:00"

}

# Add our user to this group and list all users for this group

~ $ aws --profile demo iam add-user-to-group --user-name demo-user --group-name my-users

~ $ aws --profile demo iam get-group --group-name my-users

{

"Users": [

{

"Path": "/",

"UserName": "demo-user",

"UserId": "AIDA3FFSDMOUD3GJPUOE1",

"Arn": "arn:aws:iam::652303226922:user/demo-user",

"CreateDate": "2024-03-04T09:13:24+00:00"

}

"Group": {

"Path": "/",

"GroupName": "my-users",

"GroupId": "AGPAYOKKRE1I380Y6UW6E",

"Arn": "arn:aws:iam::652303226922:group/my-users",

"CreateDate": "2024-03-04T09:24:35+00:00"

}

# Groups can also have inline policies

~ $ aws --profile demo iam put-group-policy --group-name my-users --policy-name group-policy --policy-document file://group-policy.json

# When the same policy needs to applied to many different users or groups, we can create managed policies which can be re-used

~ $ aws --profile demo iam create-policy --policy-name reusable-policy --policy-document file://my-policy.json

{

"Policy": {

"PolicyName": "reusable-policy",

"PolicyId": "ANPA932LSXO1VC1W7XVZH",

"Arn": "arn:aws:iam::652303226922:policy/reusable-policy",

"Path": "/",

"DefaultVersionId": "v1",

"AttachmentCount": 0,

"IsAttachable": true,

"CreateDate": "2024-03-04T09:31:15+00:00",

"UpdateDate": "2024-03-04T09:31:15+00:00"

}

# This policy can now be attached to users and groups, the attached policy will be added on-top of any existing permissions

# When the policy is updated all attached users and groups will have their permissions updated as well

# In this example we only attach the policy to the group

~ $ aws --profile demo iam attach-group-policy --group-name my-user s --policy-arn "arn:aws:iam::652303226922:policy/reusable-policy"

~ $ aws --profile demo iam list-attached-group-policies --group-name my-users

{

"AttachedPolicies": [

{

"PolicyName": "reusable-policy",

"PolicyArn": "arn:aws:iam::652303226922:policy/reusable-policy"

}

]

}

?	Match one character. For example “arn:aws:s3:::bucket?” matches “arn:aws:s3::bucket1” and “arn:aws:s3:buckets” but not “arn:aws:s3::bucket123”.
*	Match any number of characters. For example “arn:aws:s3:::bucket*” matches “arn:aws:s3::bucket1”, “arn:aws:s3:buckets” and “arn:aws:s3::bucket123”.