Policy Examples
Here is an explanation of IAM roles, along with examples of how to set permissions for services.
Default service strategy
Choose the default strategy that determines whether access to services is allowed or denied by default. To enhance the security of your organization, we recommend setting the default strategy to deny, which ensures that access is granted only when explicitly permitted.
Example
{
  "default-service-strategy": "deny"
}
Services
After selecting the default strategy, choose which services should be explicitly set to allow or deny; any service you do not list follows the default strategy.
Available services
- Compute
- Concrete AI
- Storage
- DBaaS
- DNS
- IAM
Example
{
  "default-service-strategy": "deny",
  "services": {
    "dns": {
      "type": "allow"
    },
    "dbaas": {
      "type": "allow"
    }
  }
}
Services strategy
It is possible to select one of the following strategies for a service.
- Allow: gives users full access to the service.
- Deny: blocks all access to the service.
- Rules: lets you set specific permissions on the service.
Example
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation in ['create-instance', 'delete-instance']"
        }
      ]
    }
  }
}
This example grants a user specific permissions within the Compute service: the user is allowed only to create and delete instances. Use this approach when you want to give a user limited or partial access to a service instead of granting full permissions.
Add a zone
Set permissions that allow users to use services within a specific zone.
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {
      "type": "rules",
      "rules": [
        {
          "expression": "(operation.startsWith('get-') || operation.startsWith('list-')) && zone == 'ch-gva-2'",
          "action": "allow"
        },
        {
          "expression": "operation in ['create-instance', 'delete-instance'] && zone == 'ch-gva-2'",
          "action": "allow"
        },
        {
          "expression": "operation in ['create-block-storage-volume', 'delete-block-storage-volume'] && zone == 'ch-gva-2'",
          "action": "allow"
        }
      ]
    }
  }
}
This example grants a user permissions to view, create, and delete instances and block storage volumes in the ch-gva-2 zone. The parentheses around the two read checks are needed because && binds more tightly than ||; without them the zone condition would apply only to the list- operations, and every get- operation would be allowed in all zones. The user can access only the resources within this zone and cannot view or manage instances, block storage or other resources located in other zones.
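To check what a policy actually grants before applying it, here is a small offline simulator for the page's policy format (an added example, not Exoscale's evaluation engine). It accepts only the expression subset used in this page's rules, and the two constants at the end show the precedence pitfall of the zone-restricted read rule: it assumes, as CEL does, that && binds tighter than ||, and that rules are checked in order with the first match deciding.

```python
import re

# Simulator for the policy semantics on this page (added example, not Exoscale's
# engine). Only the CEL-like subset the page's rules use is accepted; a rule that
# calls timestamp(now) is rejected rather than evaluated.
ALT = (r"\|\||&&|==|\bin\b|[()\[\],]|'[^']*'|zone|"
       r"operation\.(?:startsWith|contains)\('[^']*'\)|operation")
GRAMMAR = re.compile(rf"(?:\s*(?:{ALT})\s*)+")  # the whole expression must be tokens
TOKEN = re.compile(ALT)
PY_OPS = {"||": " or ", "&&": " and "}          # && binds tighter in CEL and in Python

class Operation(str):
    """A str with the two CEL-style methods the page's rules call."""
    def startsWith(self, prefix):
        return self.startswith(prefix)
    def contains(self, needle):
        return needle in self

def rule_matches(expression, operation, zone):
    """True when the rule expression holds for this request."""
    if not GRAMMAR.fullmatch(expression):
        raise ValueError(f"unsupported expression: {expression!r}")
    py = TOKEN.sub(lambda m: PY_OPS.get(m.group(0), m.group(0)), expression)
    # Only whitelisted tokens reach eval, and builtins are removed from its scope.
    return bool(eval(py, {"__builtins__": {}}, {"operation": Operation(operation), "zone": zone}))

def decide(policy, service, operation, zone):
    """Allow or deny one request. Assumed, not stated on the page: rules are
    checked in order, the first matching rule decides, and no match means deny."""
    svc = policy.get("services", {}).get(service)
    if svc is None:
        return policy["default-service-strategy"] == "allow"
    if svc["type"] != "rules":
        return svc["type"] == "allow"
    for rule in svc["rules"]:
        if rule_matches(rule["expression"], operation, zone):
            return rule["action"] == "allow"
    return False

def zone_policy(read_expr):
    """The page's 'Add a zone' policy with its read rule supplied by the caller."""
    return {"default-service-strategy": "deny", "services": {"compute": {"type": "rules", "rules": [
        {"expression": read_expr, "action": "allow"},
        {"expression": "operation in ['create-instance', 'delete-instance'] && zone == 'ch-gva-2'",
         "action": "allow"}]}}}

# Unparenthesised, && binds tighter, so every get-* call matches in every zone.
LOOSE = "operation.startsWith('get-') || operation.startsWith('list-') && zone == 'ch-gva-2'"
STRICT = "(operation.startsWith('get-') || operation.startsWith('list-')) && zone == 'ch-gva-2'"
```

decide(zone_policy(LOOSE), "compute", "get-instance", "ch-dk-2") returns True while the STRICT form returns False, which is the difference the parentheses make.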
Limit resource deletion
Limit the deletion of services and resources to business hours.
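A Python model of the deletion window enforced by the policy below (an added example, not code from the original page). It assumes the rule functions follow CEL semantics, where getDayOfWeek() is zero-based from Sunday and getHours() returns the hour of day in the named time zone, so the same UTC instant can fall inside the window in winter and outside it in summer.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Added model of the deletion window from the rule below (not Exoscale code).
# Assumed: the expression functions follow CEL, where getDayOfWeek() is zero-based
# from Sunday and getHours() returns the hour of day in the named time zone.
BUSINESS_DAYS = range(1, 6)      # Monday (1) to Friday (5) in CEL numbering
OPEN_HOUR, CLOSE_HOUR = 8, 18    # 8 <= hour < 18, so 17:59 passes and 18:00 does not


def cel_day_of_week(local):
    """Python's weekday() is 0=Monday; CEL counts 0=Sunday."""
    return (local.weekday() + 1) % 7


def deletion_allowed(operation, now, tz):
    """Mirror of the page's rule: operation.startsWith('delete-') inside the
    weekday window, with 'now' an aware datetime converted to the rule's zone."""
    if not operation.startswith("delete-"):
        return False
    local = now.astimezone(tz)
    return cel_day_of_week(local) in BUSINESS_DAYS and OPEN_HOUR <= local.hour < CLOSE_HOUR


if __name__ == "__main__":
    zurich = ZoneInfo("Europe/Zurich")
    # 16:30 UTC on Wednesday 2024-07-10 is 18:30 CEST in Zurich: outside the window.
    print(deletion_allowed("delete-instance", datetime(2024, 7, 10, 16, 30, tzinfo=timezone.utc), zurich))
    # The same clock time on Wednesday 2024-01-10 (CET, UTC+1) is 17:30 local: inside it.
    print(deletion_allowed("delete-instance", datetime(2024, 1, 10, 16, 30, tzinfo=timezone.utc), zurich))
```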
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-instance']"
        },
        {
          "expression": "operation.startsWith('delete-') && timestamp(now).getDayOfWeek('Europe/Zurich') >= 1 && timestamp(now).getDayOfWeek('Europe/Zurich') <= 5 && timestamp(now).getHours('Europe/Zurich') >= 8 && timestamp(now).getHours('Europe/Zurich') < 18",
          "action": "allow"
        }
      ]
    }
  }
}
Role example — DEV team
Users with this role have permissions to manage the Compute service: they can create or delete an instance, create or delete an instance pool, and create or delete a security group.
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-instance', 'delete-instance']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-instance-pool', 'delete-instance-pool']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-security-group', 'delete-security-group-rule']"
        }
      ]
    }
  }
}
Available options for compute
These are some of the common operations you will use; the exhaustive list can be found in the docs.
Instance
To configure additional permissions for compute instances, you can use these operations.
- 'elastic-ip-instance'
- 'start-instance'
- 'stop-instance'
- 'enable-tmp-instance'
- 'list-instances'
- 'private-network-instance'
- 'reset-instance'
- 'reset-password-instance'
- 'resize-disk-instance'
- 'reveal-password-instance'
- 'scale-instance'
- 'security-group-instance'
- 'snapshot-instance'
- 'reboot-instance'
- 'update-instance'
Instance pool
To configure additional permissions for instance pools, you can use these operations.
- 'evict-instance-pool'
- 'list-instance-pool'
- 'scale-instance-pool'
- 'update-instance-pool'
SKS
Here are additional operations for SKS.
- 'create-sks-cluster'
- 'delete-sks-cluster'
- 'upgrade-sks-cluster'
- 'active-nodepool-template-sks-cluster'
- 'get-sks-cluster-authority-cert'
- 'list-sks-clusters'
- 'create-sks-nodepool'
- 'rotate-ccm-credentials-sks-cluster'
- 'rotate-csi-credentials-sks-cluster'
- 'rotate-karpenter-credentials-sks-cluster'
- 'rotate-operators-ca-sks-cluster'
- 'show-sks-cluster'
- 'update-sks-cluster'
- 'upgrade-service-level-sks-cluster'
- 'version-sks-cluster'
Block storage
Here are additional operations for block storage.
- 'create-block-storage-volume'
- 'delete-block-storage-volume'
- 'detach-block-storage-volume'
- 'list-block-storage-volume'
- 'show-block-storage-volume'
- 'snapshot-block-storage-volume'
- 'update-block-storage-volume'
Templates
Here are additional operations for templates.
- 'register-instance-template'
- 'delete-instance-template'
- 'list-instance-template'
- 'show-instance-template'
Security group
Available operations for security groups.
- 'list-security-groups'
- 'add-security-group-rule'
- 'source-security-group'
Elastic IP
Additional operations for elastic IPs.
- 'create-elastic-ip'
- 'delete-elastic-ip'
- 'list-elastic-ips'
- 'update-elastic-ip'
Load balancer
Here are additional operations for load balancers.
- 'create-load-balancer'
- 'delete-load-balancer'
- 'list-load-balancer'
- 'update-load-balancer'
- 'service-load-balancer'
Private network
Additional operations for private networks.
- 'create-private-network'
- 'delete-private-network'
- 'list-private-network'
- 'update-private-network'
SSH key
Additional operations for SSH keys.
- 'register-ssh-key'
- 'show-ssh-key'
Anti-affinity group
Here are additional operations for anti-affinity groups.
- 'create-anti-affinity-group'
- 'delete-anti-affinity-group'
- 'list-anti-affinity-group'
- 'show-anti-affinity-group'
Role example — Viewer
In this example, users have permission to see everything in the compute, dbaas and sos services, but they can't update, stop, start or delete anything.
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        }
      ]
    },
    "dbaas": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        }
      ]
    },
    "sos": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        }
      ]
    }
  }
}
Role example — AI team
Set permissions that allow users to access the Concrete AI product and the dedicated-inference service.
{
  "default-service-strategy": "deny",
  "services": {
    "dedicated-inference": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-model', 'delete-model', 'show-model']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-deployment', 'delete-deployment']"
        }
      ]
    }
  }
}
Available options for Concrete AI
Deployment
Here are additional operations for deployments.
- 'instance-type-deployment'
- 'logs-deployment'
- 'reveal-api-key-deployment'
- 'scale-deployment'
- 'update-deployment'
Role example — Backup admin
The owner of this role has full access to storage and partial access to compute for backups.
{
  "default-service-strategy": "deny",
  "services": {
    "sos": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-bucket', 'delete-bucket']"
        }
      ]
    },
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation.contains('snapshot')"
        }
      ]
    }
  }
}
Available options for storage (SOS)
Here are additional operations and expressions for SOS.
- operation.startsWith('head-')
- operation == 'show-object-cors'
- 'put-object'
- 'delete-object'
- 'delete-object-tagging'
- 'abort-multipart-upload'
- 'put-bucket-acl'
- 'put-bucket-cors'
- 'put-bucket-policy'
- 'put-bucket-versioning'
- 'delete-bucket-cors'
- 'delete-bucket-policy'
- 'delete-bucket-lifecycle'
Role example — Database admin
In this case, users with this role only have read access to DBaaS.
{
  "default-service-strategy": "deny",
  "services": {
    "dbaas": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        }
      ]
    }
  }
}
Available options for DBaaS
Additional operations for DBaaS.
- 'create-dbaas-service'
- 'update-dbaas-service'
- 'delete-dbaas-service'
Role example — Network admin
Users with this role have access to the DNS and Compute services.
{
  "default-service-strategy": "deny",
  "services": {
    "dns": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-dns-domain-record']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-dns-domain']"
        }
      ]
    },
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-instance', 'delete-instance']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-sks-cluster', 'delete-sks-cluster']"
        }
      ]
    }
  }
}
Available options for DNS
Additional operations for DNS.
- 'update-dns-domain-record'
- 'delete-dns-domain-record'
- 'delete-dns-domain'
Role example — Security admin
In this case, the security team has full control over IAM, SSH keys and security groups across the entire organization.
Note: Users assigned this role cannot invite other users to the organization. Only the owner of an organization has permission to send user invitations.
{
  "default-service-strategy": "deny",
  "services": {
    "iam": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-iam-role']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-api-key']"
        }
      ]
    },
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation.contains('security-group') || operation.contains('ssh-key')"
        }
      ]
    }
  }
}
Available options for IAM
Additional operations for IAM.
- 'delete-iam-role'
- 'update-iam-role'
- 'delete-api-key'
- 'update-org-policy'