# Policy Examples

This page explains IAM roles and shows, through examples, how to set permissions for each service.

### Default service strategy

The default strategy determines whether access to any service the policy does not list explicitly is `allow` or `deny`. To enhance the security of your organization, set the default strategy to `deny`, so that access is granted only where it is explicitly permitted.

**Example**

```json
{
  "default-service-strategy": "deny"
}
```

### Services

After selecting the default strategy, list the services whose access should differ from it and set each one to `allow` or `deny` (or to `rules`, described below). Any service not listed follows the default strategy.

**Available services**

- Compute (`compute`)
- Concrete AI (`dedicated-inference`)
- Storage (`sos`)
- DBaaS (`dbaas`)
- DNS (`dns`)
- IAM (`iam`)

The identifiers in parentheses are the keys used under `services` in the examples on this page.

**Example**

```json
{
  "default-service-strategy": "deny",
  "services": {
    "dns": {
      "type": "allow"
    },
    "dbaas": {
      "type": "allow"
    }
  }
}
```

### Services strategy

Each listed service uses one of the following strategies.

- **Allow**: gives users full access to the service.
- **Deny**: blocks all access to the service.
- **Rules**: grants specific permissions on the service through a list of rules, each with an `action` and an `expression` that is evaluated against the request (the examples below use the `operation`, `zone` and `now` variables).

**Example**

```json
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation in ['create-instance', 'delete-instance']"
        }
      ]
    }
  }
}
```
This example grants a user specific permissions within the Compute service: the user may only create and delete instances. Because there is no `get-`/`list-` rule, the user cannot read or list instances either. Use this approach when a user needs limited or partial access to a service rather than full access.

### Add a zone

Set permissions that allow users to use a service only within a specific `zone`.

```json
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {
      "type": "rules",
      "rules": [
        {
          "expression": "(operation.startsWith('get-') || operation.startsWith('list-')) && zone == 'ch-gva-2'",
          "action": "allow"
        },
        {
          "expression": "operation in ['create-instance', 'delete-instance'] && zone == 'ch-gva-2'",
          "action": "allow"
        },
        {
          "expression": "operation in ['create-block-storage-volume', 'delete-block-storage-volume'] && zone == 'ch-gva-2'",
          "action": "allow"
        }
      ]
    }
  }
}
```
This example grants a user permission to view, create and delete instances and block storage volumes in the `ch-gva-2` zone only; the user cannot view or manage instances, block storage or other resources located in other zones. When a read rule combines `startsWith` checks with a zone condition, group the `||` alternatives in parentheses: `&&` binds tighter than `||`, so `operation.startsWith('get-') || operation.startsWith('list-') && zone == 'ch-gva-2'` would allow every `get-` operation in every zone.

### Limit resources deletion

Limit the deletion of resources to business hours. The last rule allows `delete-` operations only from Monday to Friday (`getDayOfWeek` numbers the days 0 = Sunday to 6 = Saturday) between 08:00 and 17:59 in the `Europe/Zurich` time zone; read operations and `create-instance` stay allowed at any time, and everything else in the service remains denied.

```json
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-instance']"
        },
        {
          "expression": "operation.startsWith('delete-') && timestamp(now).getDayOfWeek('Europe/Zurich') >= 1 && timestamp(now).getDayOfWeek('Europe/Zurich') <= 5 && timestamp(now).getHours('Europe/Zurich') >= 8 && timestamp(now).getHours('Europe/Zurich') < 18",
          "action": "allow"
        }
      ]
    }
  }
}
```
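The three preceding examples depend on how rule expressions are evaluated, and the zone example in particular on operator precedence. The script below is an added example, not part of this page or of the provider's tooling: it evaluates the expression subset used above (Common Expression Language syntax, which is where the `&&`-before-`||` precedence and the `getDayOfWeek` numbering come from) against constructed requests, so a policy can be tested offline before it is applied. It assumes a first-matching-rule-wins order with deny when no rule matches (the page does not state the evaluation order; check the provider's reference), uses `ch-dk-2` purely as a contrasting zone name, and the names `evaluate`, `is_allowed`, `compute_policy` and `at_zurich` are its own.

```python
"""Offline tester for the policy JSON on this page (added example, not vendor code).

The expression subset the examples use (string literals, lists, `in`, comparisons,
`&&`, `||`, parentheses, `.startsWith()`, `.contains()`, `timestamp(now)` with
`.getDayOfWeek(tz)` and `.getHours(tz)`) is mapped onto Python, whose `and`/`or`
have the same precedence as CEL's `&&`/`||`: `&&` binds tighter. Assumed, not stated
on the page: rules are tried in order, the first matching rule's action decides, and
a service whose rules all miss is denied. Run it only on policy text you authored;
it is a test harness, not a sandbox.
"""
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Token shapes an expression may consist of; anything left after removing them
# (or any dunder name) is rejected before the text reaches eval().
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|[A-Za-z_]\w*|\d+|[\s()\[\],.=!<>&|]")


class CelString(str):
    """str carrying the CEL string methods the examples call."""

    def startsWith(self, prefix):
        return self.startswith(prefix)

    def contains(self, sub):
        return sub in self


class CelTimestamp:
    """Datetime wrapper with the CEL accessors the business-hours example calls."""

    def __init__(self, dt):
        self.dt = dt

    def getDayOfWeek(self, tz):  # CEL numbering: 0 = Sunday ... 6 = Saturday
        return (self.dt.astimezone(ZoneInfo(tz)).weekday() + 1) % 7

    def getHours(self, tz):
        return self.dt.astimezone(ZoneInfo(tz)).hour


def evaluate(expression, operation, zone=None, now=None):
    """Evaluate one rule expression for a request (operation name, zone, time)."""
    if "__" in expression or TOKEN.sub("", expression):
        raise ValueError(f"unsupported syntax in {expression!r}")
    py = expression.replace("&&", " and ").replace("||", " or ")
    py = re.sub(r"(?<![=!<>])!(?!=)", " not ", py)  # CEL `!x` -> Python `not x`
    env = {"operation": CelString(operation), "zone": zone,
           "now": now or datetime.now(timezone.utc), "timestamp": CelTimestamp}
    return bool(eval(py, {"__builtins__": {}}, env))


def is_allowed(policy, service, operation, zone=None, now=None):
    """Decide one request under a policy document; True means allow."""
    svc = policy.get("services", {}).get(service)
    if svc is None:  # service not listed: the default strategy applies
        return policy.get("default-service-strategy", "deny") == "allow"
    if svc["type"] != "rules":
        return svc["type"] == "allow"
    for rule in svc["rules"]:  # assumed: first matching rule wins
        if evaluate(rule["expression"], operation, zone, now):
            return rule["action"] == "allow"
    return False


def compute_policy(*expressions):
    """Constructed deny-by-default policy whose compute rules allow `expressions`."""
    rules = [{"action": "allow", "expression": e} for e in expressions]
    return {"default-service-strategy": "deny",
            "services": {"compute": {"type": "rules", "rules": rules}}}


def at_zurich(year, month, day, hour):
    return datetime(year, month, day, hour, tzinfo=ZoneInfo("Europe/Zurich"))


# The zone example's read rule in its ungrouped form, and the grouped form that
# actually confines reads to ch-gva-2.
ZONE_AS_WRITTEN = "operation.startsWith('get-') || operation.startsWith('list-') && zone == 'ch-gva-2'"
ZONE_FIXED = "(operation.startsWith('get-') || operation.startsWith('list-')) && zone == 'ch-gva-2'"
# The business-hours rule from the deletion example above.
BUSINESS_HOURS = ("operation.startsWith('delete-') && timestamp(now).getDayOfWeek('Europe/Zurich') >= 1"
                  " && timestamp(now).getDayOfWeek('Europe/Zurich') <= 5"
                  " && timestamp(now).getHours('Europe/Zurich') >= 8"
                  " && timestamp(now).getHours('Europe/Zurich') < 18")

if __name__ == "__main__":
    for expr in (ZONE_AS_WRITTEN, ZONE_FIXED):  # ch-dk-2 is only a contrasting zone name
        verdict = {z: is_allowed(compute_policy(expr), "compute", "get-instance", z) for z in ("ch-gva-2", "ch-dk-2")}
        print(f"{expr}\n  get-instance allowed per zone: {verdict}")
    saturday = at_zurich(2024, 5, 18, 10)
    print("delete-instance on Saturday 10:00:", is_allowed(compute_policy(BUSINESS_HOURS), "compute", "delete-instance", now=saturday))
```

Running it shows that the ungrouped read rule allows `get-instance` in `ch-dk-2` while the grouped form denies it, and that a Saturday `delete-instance` is refused by the business-hours rule. The token allowlist and the empty `__builtins__` make `eval` acceptable for policy text you author yourself; do not point the script at untrusted input.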

---

{{< callout type="info" >}}
These examples are provided to help you understand how IAM policies work. They should be adapted to comply with your organization's internal requirements and security policies before use in production.
{{< /callout >}}

### Role example — DEV team

Users with this role can work with the `Compute` service: they can list and read resources, create or delete an instance, create or delete an instance pool, create a security group and delete security group rules.

```json
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-instance', 'delete-instance']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-instance-pool', 'delete-instance-pool']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-security-group', 'delete-security-group-rule']"
        }
      ]
    }
  }
}
```

#### Available options for compute

These are some of the common operations you will use; the exhaustive list is in the reference documentation.

#### Instance

To configure additional permissions for compute instances, you can use these options.

- 'elastic-ip-instance'
- 'start-instance'
- 'stop-instance'
- 'enable-tmp-instance'
- 'list-instances'
- 'private-network-instance'
- 'reset-instance'
- 'reset-password-instance'
- 'resize-disk-instance'
- 'reveal-password-instance'
- 'scale-instance'
- 'security-group-instance'
- 'snapshot-instance'
- 'reboot-instance'
- 'update-instance'

#### instance-pool

To configure additional permissions for instance pool, you can use these options.

- 'evict-instance-pool'
- 'list-instance-pool'
- 'scale-instance-pool'
- 'update-instance-pool'

#### SKS

Here are additional options for SKS

- 'create-sks-cluster'
- 'delete-sks-cluster'
- 'upgrade-sks-cluster'
- 'active-nodepool-template-sks-cluster'
- 'get-sks-cluster-authority-cert'
- 'list-sks-clusters'
- 'create-sks-nodepool'
- 'rotate-ccm-credentials-sks-cluster'
- 'rotate-csi-credentials-sks-cluster'
- 'rotate-karpenter-credentials-sks-cluster'
- 'rotate-operators-ca-sks-cluster'
- 'show-sks-cluster'
- 'update-sks-cluster'
- 'upgrade-service-level-sks-cluster'
- 'version-sks-cluster'

#### Block storage

Here are additional options for block storage volumes, which belong to the `compute` service.

- 'create-block-storage-volume'
- 'delete-block-storage-volume'
- 'detach-block-storage-volume'
- 'list-block-storage-volume'
- 'show-block-storage-volume'
- 'snapshot-block-storage-volume'
- 'update-block-storage-volume'

#### Templates

Here are more configuration options for templates.

- 'register-instance-template'
- 'delete-instance-template'
- 'list-instance-template'
- 'show-instance-template'

#### Security group

Available options for security group.

- 'list-security-groups'
- 'add-security-group-rule'
- 'source-security-group'

#### Elastic IP

Additional options for Elastic IP.

- 'create-elastic-ip'
- 'delete-elastic-ip'
- 'list-elastic-ips'
- 'update-elastic-ip'

#### Load balancer

Here are additional options for load balancer.

- 'create-load-balancer'
- 'delete-load-balancer'
- 'list-load-balancer'
- 'update-load-balancer'
- 'service-load-balancer'

#### Private network 

Set more configuration for private network.

- 'create-private-network'
- 'delete-private-network'
- 'list-private-network'
- 'update-private-network'

#### SSH key

Additional options for SSH keys.

- 'register-ssh-key'
- 'show-ssh-key'

#### Anti affinity group

Here are additional options for anti affinity group.

- 'create-anti-affinity-group'
- 'delete-anti-affinity-group'
- 'list-anti-affinity-group'
- 'show-anti-affinity-group'

---

### Role example — Viewer

In this example, users have permission to view everything in the `compute`, `dbaas` and `sos` services but cannot create, update, start, stop or delete anything. The rules match only operations prefixed `get-` and `list-`; read-only operations with other prefixes, such as the `show-` and `head-` operations listed on this page, must be added explicitly if the viewer needs them.

```json
{
  "default-service-strategy": "deny",
  "services": {
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        }
      ]
    },
    "dbaas": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        }
      ]
    },
    "sos": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        }
      ]
    }
  }
}
```
---

### Role example — AI team 

Set permissions that allow users to access the `Concrete AI` product through the `dedicated-inference` service.

```json
{
  "default-service-strategy": "deny",
  "services": {
    "dedicated-inference": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-model', 'delete-model', 'show-model']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-deployment', 'delete-deployment']"
        }
      ]
    }
  }
}
```
#### Available options for Concrete AI

#### Deployment

Here are additional options for deployment.

- 'instance-type-deployment'
- 'logs-deployment'
- 'reveal-api-key-deployment'
- 'scale-deployment'
- 'update-deployment'

---

### Role example — Backup admin

Users with this role can read and list `sos` resources and create or delete buckets, and on `compute` they can read everything and run the snapshot operations (`operation.contains('snapshot')` matches every operation whose name includes that word, for instances and block storage volumes alike).

```json
{
  "default-service-strategy": "deny",
  "services": {
    "sos": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-bucket', 'delete-bucket']"
        }
      ]
    },
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation.contains('snapshot')"
        }
      ]
    }
  }
}
```
#### Available options for storage (SOS)

Here are additional options for SOS. The first two entries are expressions (a prefix match and an exact match); the rest are operation names to use in an `operation in [...]` list.

- `operation.startsWith('head-')`
- `operation == 'show-object-cors'`
- 'put-object'
- 'delete-object'
- 'delete-object-tagging'
- 'abort-multipart-upload'
- 'put-bucket-acl'
- 'put-bucket-cors'
- 'put-bucket-policy'
- 'put-bucket-versioning'
- 'delete-bucket-cors'
- 'delete-bucket-policy'
- 'delete-bucket-lifecycle'

### Role example — Database admin

In this example, users with this role have read-only access to `DBaaS`; add the operations listed below to allow creating, updating or deleting database services.

```json
{
  "default-service-strategy": "deny",
  "services": {
    "dbaas": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        }
      ]
    }
  }
}
```
#### Available options for DBaaS

More options for DBaaS.

- 'create-dbaas-service'
- 'update-dbaas-service'
- 'delete-dbaas-service'

---

### Role example — Network admin

Users with this role have access to the `DNS` and `Compute` services.

```json
{
  "default-service-strategy": "deny",
  "services": {
    "dns": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-dns-domain-record']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-dns-domain']"
        }
      ]
    },
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-instance', 'delete-instance']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-sks-cluster', 'delete-sks-cluster']"
        }
      ]
    }
  }
}
```
#### Available options for DNS

Set more configuration for DNS services.

- 'update-dns-domain-record'
- 'delete-dns-domain-record'
- 'delete-dns-domain'

---

### Role example — Security admin

In this example, the security team has read access to `IAM` plus the ability to create IAM roles and API keys, and manages SSH keys and security groups in the `compute` service across the entire organization. Treat this role as highly privileged: unless the platform limits a new role to its creator's own permissions, a holder who can create roles and API keys can create a broader role and issue an API key for it.

**Note**: Users assigned this role cannot invite other users to the organization. Only the owner of an organization has permission to send user invitations.

```json
{
  "default-service-strategy": "deny",
  "services": {
    "iam": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-iam-role']"
        },
        {
          "action": "allow",
          "expression": "operation in ['create-api-key']"
        }
      ]
    },
    "compute": {
      "type": "rules",
      "rules": [
        {
          "action": "allow",
          "expression": "operation.startsWith('get-') || operation.startsWith('list-')"
        },
        {
          "action": "allow",
          "expression": "operation.contains('security-group') || operation.contains('ssh-key')"
        }
      ]
    }
  }
}
```
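Because a role like this one comes close to organization-wide administration, it is worth checking a policy document mechanically before applying it. The script below is an added example, not the provider's tooling: it scans a policy of the shape used on this page for the pitfalls discussed above (a non-`deny` default, a whole-service `allow`, `||` and `&&` mixed without grouping parentheses, broad `contains()` matches, and allow rules for both `create-iam-role` and `create-api-key`). The embedded JSON is a constructed copy of the Security admin example; `lint_policy` and `lint_json` are names chosen here, and the escalation finding assumes the platform does not restrict a new role to its creator's own permissions.

```python
"""Static checks for a policy document of the shape shown on this page.

Added example, not vendor tooling: it only reads the JSON and never calls an API.
Each finding maps to a pitfall discussed on the page: a permissive default, a
whole-service `allow`, `||` and `&&` mixed without grouping parentheses, substring
matches via `contains()`, and allow rules for both `create-iam-role` and
`create-api-key`. The last one assumes (not stated on the page) that new roles are
not limited to the creator's own permissions, so the holder could create a broader
role and an API key bound to it.
"""
import json
import re

GROUPING_PAREN = re.compile(r"(?<!\w)\(")  # a "(" that is not part of a method call
QUOTED = re.compile(r"'([\w-]+)'")         # quoted names and prefixes inside an expression


def lint_policy(policy):
    """Return a list of (location, message) findings for a parsed policy dict."""
    findings = []
    if policy.get("default-service-strategy") != "deny":
        findings.append(("default-service-strategy",
                         "not 'deny': every service the policy does not list is fully accessible"))
    allowed = set()  # names and prefixes quoted in allow rules, across all services
    for name, svc in policy.get("services", {}).items():
        if svc.get("type") == "allow":
            findings.append((name, "type 'allow' grants every current and future operation"))
        for idx, rule in enumerate(svc.get("rules", [])):
            where, expr = f"{name}.rules[{idx}]", rule.get("expression", "")
            if "||" in expr and "&&" in expr and not GROUPING_PAREN.search(expr):
                findings.append((where, "mixes || and && without parentheses; && binds tighter"))
            if ".contains(" in expr:
                findings.append((where, "contains() also matches any later operation whose name includes the substring"))
            if rule.get("action") == "allow":
                allowed.update(QUOTED.findall(expr))
    if {"create-iam-role", "create-api-key"} <= allowed:
        findings.append(("iam", "create-iam-role plus create-api-key lets the holder "
                                "create a broader role and a key for it; treat as admin"))
    return findings


def lint_json(text):
    """Convenience wrapper for policy text as stored on disk."""
    return lint_policy(json.loads(text))


# Constructed copy of the Security admin example from this page.
SECURITY_ADMIN = """{
  "default-service-strategy": "deny",
  "services": {
    "iam": {"type": "rules", "rules": [
      {"action": "allow", "expression": "operation.startsWith('get-') || operation.startsWith('list-')"},
      {"action": "allow", "expression": "operation in ['create-iam-role']"},
      {"action": "allow", "expression": "operation in ['create-api-key']"}
    ]},
    "compute": {"type": "rules", "rules": [
      {"action": "allow", "expression": "operation.startsWith('get-') || operation.startsWith('list-')"},
      {"action": "allow", "expression": "operation.contains('security-group') || operation.contains('ssh-key')"}
    ]}
  }
}"""

if __name__ == "__main__":
    for where, message in lint_json(SECURITY_ADMIN):
        print(f"{where}: {message}")
```

On the Security admin policy the linter reports two findings: the broad `contains()` rule on `compute` and the role-plus-key combination on `iam`. The checks are deliberately textual; they are a pre-commit gate for policy files, not a replacement for testing the policy's actual decisions.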

#### Available options for IAM

Set more configuration for IAM.

- 'delete-iam-role'
- 'update-iam-role'
- 'delete-api-key'
- 'update-org-policy'
