ibm 1.77.1 published on Monday, Apr 14, 2025 by ibm-cloud

ibm.IamUserPolicy


Create, update, or delete an IAM user policy. To assign a policy to one user, the user must exist in the account to which you assign the policy. For more information about IAM role actions, see managing access to resources.

Example Usage

User policy for all Identity and Access enabled services

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Arguments for the policy. No `resources` block is set; per this example's
// heading the policy covers all Identity and Access enabled services, so the
// role list is the only thing limiting what it grants.
const policyArgs = {
    description: "IAM User Policy",
    // The user must already exist in the account the policy is assigned in.
    ibmId: "test@in.ibm.com",
    resourceTags: [{
        name: "env",
        value: "dev",
    }],
    roles: ["Viewer"],
};
const policy = new ibm.IamUserPolicy("policy", policyArgs);
import pulumi
import pulumi_ibm as ibm

# Arguments for the policy. No ``resources`` entry is set; per this example's
# heading the policy covers all Identity and Access enabled services, so the
# role list is the only thing limiting what it grants.
policy_args = {
    "description": "IAM User Policy",
    # The user must already exist in the account the policy is assigned in.
    "ibm_id": "test@in.ibm.com",
    "resource_tags": [{
        "name": "env",
        "value": "dev",
    }],
    "roles": ["Viewer"],
}
policy = ibm.IamUserPolicy("policy", **policy_args)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers a single IAM user policy. No Resources block is set; per this
// example's heading the policy covers all Identity and Access enabled
// services, limited only by the Viewer role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		policyArgs := &ibm.IamUserPolicyArgs{
			Description: pulumi.String("IAM User Policy"),
			// The user must already exist in the account the policy is assigned in.
			IbmId: pulumi.String("test@in.ibm.com"),
			ResourceTags: ibm.IamUserPolicyResourceTagArray{
				&ibm.IamUserPolicyResourceTagArgs{
					Name:  pulumi.String("env"),
					Value: pulumi.String("dev"),
				},
			},
			Roles: pulumi.StringArray{
				pulumi.String("Viewer"),
			},
		}
		// The resource handle is not used afterwards; only the error is propagated.
		_, err := ibm.NewIamUserPolicy(ctx, "policy", policyArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

// Declares a single IAM user policy. No Resources block is set; per this
// example's heading the policy covers all Identity and Access enabled
// services, limited only by the Viewer role.
return await Deployment.RunAsync(() =>
{
    var envTag = new Ibm.Inputs.IamUserPolicyResourceTagArgs
    {
        Name = "env",
        Value = "dev",
    };

    var policyArgs = new Ibm.IamUserPolicyArgs
    {
        Description = "IAM User Policy",
        // The user must already exist in the account the policy is assigned in.
        IbmId = "test@in.ibm.com",
        ResourceTags = new[] { envTag },
        Roles = new[] { "Viewer" },
    };

    var policy = new Ibm.IamUserPolicy("policy", policyArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamUserPolicy;
import com.pulumi.ibm.IamUserPolicyArgs;
import com.pulumi.ibm.inputs.IamUserPolicyResourceTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program declaring a single IAM user policy. No resources block is
 * set; per this example's heading the policy covers all Identity and Access
 * enabled services, limited only by the Viewer role.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the policy resource. */
    public static void stack(Context ctx) {
        final var envTag = IamUserPolicyResourceTagArgs.builder()
            .name("env")
            .value("dev")
            .build();

        // The user named by ibmId must already exist in the target account.
        final var policyArgs = IamUserPolicyArgs.builder()
            .description("IAM User Policy")
            .ibmId("test@in.ibm.com")
            .resourceTags(envTag)
            .roles("Viewer")
            .build();

        var policy = new IamUserPolicy("policy", policyArgs);
    }
}
# A single IAM user policy. No `resources` block is set; per this example's
# heading it covers all Identity and Access enabled services, limited only by
# the Viewer role.
resources:
  policy:
    type: ibm:IamUserPolicy
    properties:
      description: IAM User Policy
      # The user must already exist in the account the policy is assigned in.
      ibmId: test@in.ibm.com
      resourceTags:
        - name: env
          value: dev
      roles:
        - Viewer

User policy using service with region

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Scope: one service (cloudantnosqldb) in one region (us-south).
const cloudantInRegion = {
    region: "us-south",
    service: "cloudantnosqldb",
};
// Viewer is a platform role and Manager a service access role; list only the
// roles the user actually needs.
const grantedRoles = ["Viewer", "Manager"];
const policy = new ibm.IamUserPolicy("policy", {
    ibmId: "test@in.ibm.com",
    resources: cloudantInRegion,
    roles: grantedRoles,
});
import pulumi
import pulumi_ibm as ibm

# Scope: one service (cloudantnosqldb) in one region (us-south).
cloudant_in_region = {
    "region": "us-south",
    "service": "cloudantnosqldb",
}
# Viewer is a platform role and Manager a service access role; list only the
# roles the user actually needs.
granted_roles = ["Viewer", "Manager"]
policy = ibm.IamUserPolicy(
    "policy",
    ibm_id="test@in.ibm.com",
    resources=cloudant_in_region,
    roles=granted_roles,
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers an IAM user policy scoped to one service (cloudantnosqldb)
// in one region (us-south).
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		scope := &ibm.IamUserPolicyResourcesArgs{
			Region:  pulumi.String("us-south"),
			Service: pulumi.String("cloudantnosqldb"),
		}
		// Viewer is a platform role and Manager a service access role; list
		// only the roles the user actually needs.
		roles := pulumi.StringArray{
			pulumi.String("Viewer"),
			pulumi.String("Manager"),
		}
		_, err := ibm.NewIamUserPolicy(ctx, "policy", &ibm.IamUserPolicyArgs{
			IbmId:     pulumi.String("test@in.ibm.com"),
			Resources: scope,
			Roles:     roles,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

// Declares an IAM user policy scoped to one service (cloudantnosqldb) in one
// region (us-south).
return await Deployment.RunAsync(() =>
{
    var scope = new Ibm.Inputs.IamUserPolicyResourcesArgs
    {
        Region = "us-south",
        Service = "cloudantnosqldb",
    };

    // Viewer is a platform role and Manager a service access role; list only
    // the roles the user actually needs.
    var policyArgs = new Ibm.IamUserPolicyArgs
    {
        IbmId = "test@in.ibm.com",
        Resources = scope,
        Roles = new[] { "Viewer", "Manager" },
    };

    var policy = new Ibm.IamUserPolicy("policy", policyArgs);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamUserPolicy;
import com.pulumi.ibm.IamUserPolicyArgs;
import com.pulumi.ibm.inputs.IamUserPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program declaring an IAM user policy scoped to one service
 * (cloudantnosqldb) in one region (us-south).
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the policy resource. */
    public static void stack(Context ctx) {
        final var scope = IamUserPolicyResourcesArgs.builder()
            .region("us-south")
            .service("cloudantnosqldb")
            .build();

        // Viewer is a platform role and Manager a service access role; list
        // only the roles the user actually needs.
        final var policyArgs = IamUserPolicyArgs.builder()
            .ibmId("test@in.ibm.com")
            .resources(scope)
            .roles("Viewer", "Manager")
            .build();

        var policy = new IamUserPolicy("policy", policyArgs);
    }
}
# IAM user policy scoped to one service (cloudantnosqldb) in one region
# (us-south).
resources:
  policy:
    type: ibm:IamUserPolicy
    properties:
      ibmId: test@in.ibm.com
      resources:
        region: us-south
        service: cloudantnosqldb
      # Viewer is a platform role and Manager a service access role; list only
      # the roles the user actually needs.
      roles:
        - Viewer
        - Manager

User policy using resource instance

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Key-management (kms) service instance that the policy is scoped to.
const instance = new ibm.ResourceInstance("instance", {
    service: "kms",
    plan: "tiered-pricing",
    location: "us-south",
});
// The policy wants one segment of the instance ID, not the whole string:
// element 7 after splitting on ":" (presumably the instance GUID of a CRN;
// confirm against the ID format the provider returns).
const instanceSegment = instance.resourceInstanceId.apply(fullId => fullId.split(":")[7]);
const policy = new ibm.IamUserPolicy("policy", {
    ibmId: "test@in.ibm.com",
    // Administrator and Manager are the broadest platform and service roles.
    // On a key-management instance, trim this list to what the user needs.
    roles: [
        "Manager",
        "Viewer",
        "Administrator",
    ],
    resources: {
        service: "kms",
        resourceInstanceId: instanceSegment,
    },
});
import pulumi
import pulumi_ibm as ibm

# Key-management (kms) service instance that the policy is scoped to.
instance = ibm.ResourceInstance(
    "instance",
    service="kms",
    plan="tiered-pricing",
    location="us-south",
)
# The policy wants one segment of the instance ID, not the whole string:
# element 7 after splitting on ":" (presumably the instance GUID of a CRN;
# confirm against the ID format the provider returns).
instance_segment = instance.resource_instance_id.apply(
    lambda full_id: full_id.split(":")[7]
)
policy = ibm.IamUserPolicy(
    "policy",
    ibm_id="test@in.ibm.com",
    # Administrator and Manager are the broadest platform and service roles.
    # On a key-management instance, trim this list to what the user needs.
    roles=[
        "Manager",
        "Viewer",
        "Administrator",
    ],
    resources={
        "service": "kms",
        "resource_instance_id": instance_segment,
    },
)
package main

import (
	"fmt"
	"strings"

	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

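// main creates a key-management (kms) service instance and an IAM user policy
// scoped to that single instance.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		instance, err := ibm.NewResourceInstance(ctx, "instance", &ibm.ResourceInstanceArgs{
			Service:  pulumi.String("kms"),
			Plan:     pulumi.String("tiered-pricing"),
			Location: pulumi.String("us-south"),
		})
		if err != nil {
			return err
		}
		// The generated sample left a "TODO: call element" string literal here,
		// which would scope the policy to a literal placeholder instead of the
		// instance. Derive the value the other language samples use: element 7
		// of the instance ID split on ":" (presumably the instance GUID of a
		// CRN; confirm against the ID format the provider returns).
		instanceSegment := instance.ResourceInstanceId.ApplyT(func(fullID string) (string, error) {
			parts := strings.Split(fullID, ":")
			if len(parts) <= 7 {
				// Fail the deployment rather than create a policy with an empty scope.
				return "", fmt.Errorf("unexpected resource instance ID format: %d segments", len(parts))
			}
			return parts[7], nil
		}).(pulumi.StringOutput)
		_, err = ibm.NewIamUserPolicy(ctx, "policy", &ibm.IamUserPolicyArgs{
			IbmId: pulumi.String("test@in.ibm.com"),
			// Administrator and Manager are the broadest platform and service
			// roles. On a key-management instance, trim this list to what the
			// user needs.
			Roles: pulumi.StringArray{
				pulumi.String("Manager"),
				pulumi.String("Viewer"),
				pulumi.String("Administrator"),
			},
			Resources: &ibm.IamUserPolicyResourcesArgs{
				Service:            pulumi.String("kms"),
				ResourceInstanceId: instanceSegment,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}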
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

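// Creates a key-management (kms) service instance and an IAM user policy
// scoped to that single instance.
return await Deployment.RunAsync(() =>
{
    var instance = new Ibm.ResourceInstance("instance", new()
    {
        Service = "kms",
        Plan = "tiered-pricing",
        Location = "us-south",
    });

    var policy = new Ibm.IamUserPolicy("policy", new()
    {
        IbmId = "test@in.ibm.com",
        // Administrator and Manager are the broadest platform and service
        // roles. On a key-management instance, trim this list to what the
        // user needs.
        Roles = new[]
        {
            "Manager",
            "Viewer",
            "Administrator",
        },
        Resources = new Ibm.Inputs.IamUserPolicyResourcesArgs
        {
            Service = "kms",
            // Index inside Apply: an Output<string[]> cannot be indexed
            // directly, so the segment is picked once the ID is known.
            // Element 7 of the ":"-separated ID is presumably the instance
            // GUID of a CRN; confirm against the ID format the provider returns.
            ResourceInstanceId = instance.ResourceInstanceId.Apply(resourceInstanceId => resourceInstanceId.Split(":")[7]),
        },
    });

});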
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.ResourceInstance;
import com.pulumi.ibm.ResourceInstanceArgs;
import com.pulumi.ibm.IamUserPolicy;
import com.pulumi.ibm.IamUserPolicyArgs;
import com.pulumi.ibm.inputs.IamUserPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

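/**
 * Pulumi program that creates a key-management (kms) service instance and an
 * IAM user policy scoped to that single instance.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the service instance and the policy that targets it. */
    public static void stack(Context ctx) {
        var instance = new ResourceInstance("instance", ResourceInstanceArgs.builder()
            .service("kms")
            .plan("tiered-pricing")
            .location("us-south")
            .build());

        // Index inside applyValue: an Output<String[]> cannot be indexed
        // directly, so the segment is picked once the ID is known. Element 7
        // of the ":"-separated ID is presumably the instance GUID of a CRN;
        // confirm against the ID format the provider returns.
        final var instanceSegment = instance.resourceInstanceId()
            .applyValue(resourceInstanceId -> resourceInstanceId.split(":")[7]);

        // Administrator and Manager are the broadest platform and service
        // roles. On a key-management instance, trim this list to what the
        // user needs.
        var policy = new IamUserPolicy("policy", IamUserPolicyArgs.builder()
            .ibmId("test@in.ibm.com")
            .roles(
                "Manager",
                "Viewer",
                "Administrator")
            .resources(IamUserPolicyResourcesArgs.builder()
                .service("kms")
                .resourceInstanceId(instanceSegment)
                .build())
            .build());

    }
}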
# A key-management (kms) service instance plus an IAM user policy scoped to
# that single instance.
resources:
  instance:
    type: ibm:ResourceInstance
    properties:
      service: kms
      plan: tiered-pricing
      location: us-south
  policy:
    type: ibm:IamUserPolicy
    properties:
      ibmId: test@in.ibm.com
      # Administrator and Manager are the broadest platform and service roles.
      # On a key-management instance, trim this list to what the user needs.
      roles:
        - Manager
        - Viewer
        - Administrator
      resources:
        service: kms
        # Element 7 of the instance ID split on ":" (presumably the instance
        # GUID of a CRN; confirm against the ID format the provider returns).
        resourceInstanceId:
          fn::select:
            - 7
            - fn::split:
                - ${instance.resourceInstanceId}
                - ':'

User policy using resource group

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Look up the existing resource group named "default".
const group = ibm.getResourceGroup({ name: "default" });
// Scope: the containers-kubernetes service, limited to resources in that group.
const scope = {
    service: "containers-kubernetes",
    resourceGroupId: group.then(found => found.id),
};
const policy = new ibm.IamUserPolicy("policy", {
    ibmId: "test@in.ibm.com",
    roles: ["Viewer"],
    resources: scope,
});
import pulumi
import pulumi_ibm as ibm

# Look up the existing resource group named "default".
group = ibm.get_resource_group(name="default")
# Scope: the containers-kubernetes service, limited to resources in that group.
scope = {
    "service": "containers-kubernetes",
    "resource_group_id": group.id,
}
policy = ibm.IamUserPolicy(
    "policy",
    ibm_id="test@in.ibm.com",
    roles=["Viewer"],
    resources=scope,
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main looks up the resource group named "default" and registers an IAM user
// policy for the containers-kubernetes service, limited to that group.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		lookupArgs := &ibm.LookupResourceGroupArgs{
			Name: pulumi.StringRef("default"),
		}
		group, err := ibm.LookupResourceGroup(ctx, lookupArgs, nil)
		if err != nil {
			// Without the group ID the policy would have no group scope, so stop here.
			return err
		}
		scope := &ibm.IamUserPolicyResourcesArgs{
			Service:         pulumi.String("containers-kubernetes"),
			ResourceGroupId: pulumi.String(group.Id),
		}
		_, err = ibm.NewIamUserPolicy(ctx, "policy", &ibm.IamUserPolicyArgs{
			IbmId: pulumi.String("test@in.ibm.com"),
			Roles: pulumi.StringArray{
				pulumi.String("Viewer"),
			},
			Resources: scope,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

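// Looks up the resource group named "default" and declares an IAM user policy
// for the containers-kubernetes service, limited to that group.
return await Deployment.RunAsync(() =>
{
    var @group = Ibm.GetResourceGroup.Invoke(new()
    {
        Name = "default",
    });

    var policy = new Ibm.IamUserPolicy("policy", new()
    {
        IbmId = "test@in.ibm.com",
        Roles = new[]
        {
            "Viewer",
        },
        Resources = new Ibm.Inputs.IamUserPolicyResourcesArgs
        {
            Service = "containers-kubernetes",
            // A single Apply on the invoke output yields the group ID. The
            // generated sample nested a second Apply on the result object and
            // reused the name @group for the lambda parameter.
            ResourceGroupId = @group.Apply(getResourceGroupResult => getResourceGroupResult.Id),
        },
    });

});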
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IbmFunctions;
import com.pulumi.ibm.inputs.GetResourceGroupArgs;
import com.pulumi.ibm.IamUserPolicy;
import com.pulumi.ibm.IamUserPolicyArgs;
import com.pulumi.ibm.inputs.IamUserPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that looks up the resource group named "default" and declares
 * an IAM user policy for the containers-kubernetes service, limited to that
 * group.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Resolves the resource group and declares the policy. */
    public static void stack(Context ctx) {
        final var lookupArgs = GetResourceGroupArgs.builder()
            .name("default")
            .build();
        final var group = IbmFunctions.getResourceGroup(lookupArgs);

        // Scope: one service, restricted to resources in the looked-up group.
        final var scope = IamUserPolicyResourcesArgs.builder()
            .service("containers-kubernetes")
            .resourceGroupId(group.applyValue(found -> found.id()))
            .build();

        var policy = new IamUserPolicy("policy", IamUserPolicyArgs.builder()
            .ibmId("test@in.ibm.com")
            .roles("Viewer")
            .resources(scope)
            .build());
    }
}
# IAM user policy for the containers-kubernetes service, limited to resources
# in the resource group resolved under `variables`.
resources:
  policy:
    type: ibm:IamUserPolicy
    properties:
      ibmId: test@in.ibm.com
      roles:
        - Viewer
      resources:
        service: containers-kubernetes
        resourceGroupId: ${group.id}
variables:
  # Looks up the existing resource group named "default".
  group:
    fn::invoke:
      function: ibm:getResourceGroup
      arguments:
        name: default

User policy using resource and resource type

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Look up the existing resource group named "default".
const group = ibm.getResourceGroup({ name: "default" });
// Target: the resource group object itself (resourceType "resource-group"),
// identified by its ID. No service is named in this scope.
const groupTarget = {
    resourceType: "resource-group",
    resource: group.then(found => found.id),
};
const policy = new ibm.IamUserPolicy("policy", {
    ibmId: "test@in.ibm.com",
    // Administrator is the broadest platform role; confirm the user needs it.
    roles: ["Administrator"],
    resources: groupTarget,
});
import pulumi
import pulumi_ibm as ibm

# Look up the existing resource group named "default".
group = ibm.get_resource_group(name="default")
# Target: the resource group object itself (resource_type "resource-group"),
# identified by its ID. No service is named in this scope.
group_target = {
    "resource_type": "resource-group",
    "resource": group.id,
}
policy = ibm.IamUserPolicy(
    "policy",
    ibm_id="test@in.ibm.com",
    # Administrator is the broadest platform role; confirm the user needs it.
    roles=["Administrator"],
    resources=group_target,
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main looks up the resource group named "default" and registers an IAM user
// policy whose target is the resource group object itself.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		lookupArgs := &ibm.LookupResourceGroupArgs{
			Name: pulumi.StringRef("default"),
		}
		group, err := ibm.LookupResourceGroup(ctx, lookupArgs, nil)
		if err != nil {
			return err
		}
		// ResourceType "resource-group" plus the group ID; no service is named.
		groupTarget := &ibm.IamUserPolicyResourcesArgs{
			ResourceType: pulumi.String("resource-group"),
			Resource:     pulumi.String(group.Id),
		}
		_, err = ibm.NewIamUserPolicy(ctx, "policy", &ibm.IamUserPolicyArgs{
			IbmId: pulumi.String("test@in.ibm.com"),
			// Administrator is the broadest platform role; confirm the user needs it.
			Roles: pulumi.StringArray{
				pulumi.String("Administrator"),
			},
			Resources: groupTarget,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

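// Looks up the resource group named "default" and declares an IAM user policy
// whose target is the resource group object itself.
return await Deployment.RunAsync(() =>
{
    var @group = Ibm.GetResourceGroup.Invoke(new()
    {
        Name = "default",
    });

    var policy = new Ibm.IamUserPolicy("policy", new()
    {
        IbmId = "test@in.ibm.com",
        // Administrator is the broadest platform role; confirm the user needs it.
        Roles = new[]
        {
            "Administrator",
        },
        Resources = new Ibm.Inputs.IamUserPolicyResourcesArgs
        {
            ResourceType = "resource-group",
            // A single Apply on the invoke output yields the group ID. The
            // generated sample nested a second Apply on the result object and
            // reused the name @group for the lambda parameter.
            Resource = @group.Apply(getResourceGroupResult => getResourceGroupResult.Id),
        },
    });

});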
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IbmFunctions;
import com.pulumi.ibm.inputs.GetResourceGroupArgs;
import com.pulumi.ibm.IamUserPolicy;
import com.pulumi.ibm.IamUserPolicyArgs;
import com.pulumi.ibm.inputs.IamUserPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that looks up the resource group named "default" and declares
 * an IAM user policy whose target is the resource group object itself.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Resolves the resource group and declares the policy. */
    public static void stack(Context ctx) {
        final var lookupArgs = GetResourceGroupArgs.builder()
            .name("default")
            .build();
        final var group = IbmFunctions.getResourceGroup(lookupArgs);

        // resourceType "resource-group" plus the group ID; no service is named.
        final var groupTarget = IamUserPolicyResourcesArgs.builder()
            .resourceType("resource-group")
            .resource(group.applyValue(found -> found.id()))
            .build();

        // Administrator is the broadest platform role; confirm the user needs it.
        var policy = new IamUserPolicy("policy", IamUserPolicyArgs.builder()
            .ibmId("test@in.ibm.com")
            .roles("Administrator")
            .resources(groupTarget)
            .build());
    }
}
# IAM user policy whose target is the resource group object itself
# (resourceType resource-group), identified by the ID resolved under `variables`.
resources:
  policy:
    type: ibm:IamUserPolicy
    properties:
      ibmId: test@in.ibm.com
      # Administrator is the broadest platform role; confirm the user needs it.
      roles:
        - Administrator
      resources:
        resourceType: resource-group
        resource: ${group.id}
variables:
  # Looks up the existing resource group named "default".
  group:
    fn::invoke:
      function: ibm:getResourceGroup
      arguments:
        name: default

User policy using attributes

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

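// The original sample also looked up the "default" resource group but never
// used the result; the lookup is dropped so the program does not depend on,
// or need read access to, a group that plays no part in the policy.
const policy = new ibm.IamUserPolicy("policy", {
    ibmId: "test@in.ibm.com",
    resources: {
        attributes: {
            // "*" is a wildcard: the policy is not limited to one VPC. Use a
            // specific VPC ID to narrow the scope.
            vpcId: "*",
        },
        service: "is",
    },
    // Administrator is the broadest platform role; combined with the wildcard
    // above, confirm this breadth is intended.
    roles: ["Administrator"],
});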
import pulumi
import pulumi_ibm as ibm

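# The original sample also looked up the "default" resource group but never
# used the result; the lookup is dropped so the program does not depend on,
# or need read access to, a group that plays no part in the policy.
policy = ibm.IamUserPolicy("policy",
    ibm_id="test@in.ibm.com",
    resources={
        "attributes": {
            # "*" is a wildcard: the policy is not limited to one VPC. Use a
            # specific VPC ID to narrow the scope.
            "vpcId": "*",
        },
        "service": "is",
    },
    # Administrator is the broadest platform role; combined with the wildcard
    # above, confirm this breadth is intended.
    roles=["Administrator"])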
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

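// main registers an IAM user policy for the "is" service selected by a vpcId
// attribute. The original sample also called LookupResourceGroup for "default"
// and discarded the result; that call is dropped so the program does not
// depend on, or need read access to, a group that plays no part in the policy.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := ibm.NewIamUserPolicy(ctx, "policy", &ibm.IamUserPolicyArgs{
			IbmId: pulumi.String("test@in.ibm.com"),
			Resources: &ibm.IamUserPolicyResourcesArgs{
				Attributes: pulumi.StringMap{
					// "*" is a wildcard: the policy is not limited to one VPC.
					// Use a specific VPC ID to narrow the scope.
					"vpcId": pulumi.String("*"),
				},
				Service: pulumi.String("is"),
			},
			// Administrator is the broadest platform role; combined with the
			// wildcard above, confirm this breadth is intended.
			Roles: pulumi.StringArray{
				pulumi.String("Administrator"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}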
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

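// Declares an IAM user policy for the "is" service selected by a vpcId
// attribute. The original sample also invoked GetResourceGroup for "default"
// without using the result; that invoke is dropped so the program does not
// depend on, or need read access to, a group that plays no part in the policy.
return await Deployment.RunAsync(() => 
{
    var policy = new Ibm.IamUserPolicy("policy", new()
    {
        IbmId = "test@in.ibm.com",
        Resources = new Ibm.Inputs.IamUserPolicyResourcesArgs
        {
            Attributes = 
            {
                // "*" is a wildcard: the policy is not limited to one VPC.
                // Use a specific VPC ID to narrow the scope.
                { "vpcId", "*" },
            },
            Service = "is",
        },
        // Administrator is the broadest platform role; combined with the
        // wildcard above, confirm this breadth is intended.
        Roles = new[]
        {
            "Administrator",
        },
    });

});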
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IbmFunctions;
import com.pulumi.ibm.inputs.GetResourceGroupArgs;
import com.pulumi.ibm.IamUserPolicy;
import com.pulumi.ibm.IamUserPolicyArgs;
import com.pulumi.ibm.inputs.IamUserPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

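/**
 * Pulumi program declaring an IAM user policy for the "is" service selected by
 * a vpcId attribute. The original sample also called getResourceGroup for
 * "default" without using the result; that call is dropped so the program does
 * not depend on, or need read access to, a group that plays no part in the
 * policy.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the policy resource. */
    public static void stack(Context ctx) {
        // "*" is a wildcard: the policy is not limited to one VPC. Use a
        // specific VPC ID to narrow the scope. Administrator is the broadest
        // platform role; combined with the wildcard, confirm this breadth is
        // intended.
        var policy = new IamUserPolicy("policy", IamUserPolicyArgs.builder()
            .ibmId("test@in.ibm.com")
            .resources(IamUserPolicyResourcesArgs.builder()
                .attributes(Map.of("vpcId", "*"))
                .service("is")
                .build())
            .roles("Administrator")
            .build());

    }
}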
# IAM user policy for the "is" service selected by a vpcId attribute.
resources:
  policy:
    type: ibm:IamUserPolicy
    properties:
      ibmId: test@in.ibm.com
      resources:
        attributes:
          # '*' is a wildcard: the policy is not limited to one VPC. Use a
          # specific VPC ID to narrow the scope.
          vpcId: '*'
        service: is
      # Administrator is the broadest platform role; combined with the wildcard
      # above, confirm this breadth is intended.
      roles:
        - Administrator
# NOTE(review): nothing in `resources` references ${group...}; this lookup
# looks like a leftover and can probably be removed.
variables:
  group:
    fn::invoke:
      function: ibm:getResourceGroup
      arguments:
        name: default

User policy using resource_attributes

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Attribute-based scope. The first entry pattern-matches resource names with
// stringMatch; the trailing "*" makes it a prefix match, so any resource whose
// name starts with "test123" is covered, including ones created later.
const resourceNameMatch = {
    name: "resource",
    operator: "stringMatch",
    value: "test123*",
};
// No operator is given here, so the provider's default comparison applies
// (presumably an exact match; confirm in the provider reference).
const serviceMatch = {
    name: "serviceName",
    value: "messagehub",
};
const policy = new ibm.IamUserPolicy("policy", {
    ibmId: "test@in.ibm.com",
    resourceAttributes: [resourceNameMatch, serviceMatch],
    roles: ["Viewer"],
});
import pulumi
import pulumi_ibm as ibm

# Attribute-based scope. The first entry pattern-matches resource names with
# stringMatch; the trailing "*" makes it a prefix match, so any resource whose
# name starts with "test123" is covered, including ones created later.
resource_name_match = {
    "name": "resource",
    "operator": "stringMatch",
    "value": "test123*",
}
# No operator is given here, so the provider's default comparison applies
# (presumably an exact match; confirm in the provider reference).
service_match = {
    "name": "serviceName",
    "value": "messagehub",
}
policy = ibm.IamUserPolicy(
    "policy",
    ibm_id="test@in.ibm.com",
    resource_attributes=[resource_name_match, service_match],
    roles=["Viewer"],
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers an IAM user policy whose scope is expressed as a list of
// resource attributes rather than a Resources block.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// stringMatch with a trailing "*" is a prefix match: any resource whose
		// name starts with "test123" is covered, including ones created later.
		resourceNameMatch := &ibm.IamUserPolicyResourceAttributeArgs{
			Name:     pulumi.String("resource"),
			Operator: pulumi.String("stringMatch"),
			Value:    pulumi.String("test123*"),
		}
		// No Operator is given here, so the provider's default comparison
		// applies (presumably an exact match; confirm in the provider reference).
		serviceMatch := &ibm.IamUserPolicyResourceAttributeArgs{
			Name:  pulumi.String("serviceName"),
			Value: pulumi.String("messagehub"),
		}
		_, err := ibm.NewIamUserPolicy(ctx, "policy", &ibm.IamUserPolicyArgs{
			IbmId: pulumi.String("test@in.ibm.com"),
			ResourceAttributes: ibm.IamUserPolicyResourceAttributeArray{
				resourceNameMatch,
				serviceMatch,
			},
			Roles: pulumi.StringArray{
				pulumi.String("Viewer"),
			},
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

// Declares an IAM user policy whose scope is expressed as a list of resource
// attributes rather than a Resources block.
return await Deployment.RunAsync(() =>
{
    // stringMatch with a trailing "*" is a prefix match: any resource whose
    // name starts with "test123" is covered, including ones created later.
    var resourceNameMatch = new Ibm.Inputs.IamUserPolicyResourceAttributeArgs
    {
        Name = "resource",
        Operator = "stringMatch",
        Value = "test123*",
    };

    // No Operator is given here, so the provider's default comparison applies
    // (presumably an exact match; confirm in the provider reference).
    var serviceMatch = new Ibm.Inputs.IamUserPolicyResourceAttributeArgs
    {
        Name = "serviceName",
        Value = "messagehub",
    };

    var policy = new Ibm.IamUserPolicy("policy", new()
    {
        IbmId = "test@in.ibm.com",
        ResourceAttributes = new[] { resourceNameMatch, serviceMatch },
        Roles = new[] { "Viewer" },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamUserPolicy;
import com.pulumi.ibm.IamUserPolicyArgs;
import com.pulumi.ibm.inputs.IamUserPolicyResourceAttributeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program declaring an IAM user policy whose scope is expressed as a
 * list of resource attributes rather than a resources block.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the policy resource. */
    public static void stack(Context ctx) {
        // stringMatch with a trailing "*" is a prefix match: any resource whose
        // name starts with "test123" is covered, including ones created later.
        final var resourceNameMatch = IamUserPolicyResourceAttributeArgs.builder()
            .name("resource")
            .operator("stringMatch")
            .value("test123*")
            .build();

        // No operator is given here, so the provider's default comparison
        // applies (presumably an exact match; confirm in the provider reference).
        final var serviceMatch = IamUserPolicyResourceAttributeArgs.builder()
            .name("serviceName")
            .value("messagehub")
            .build();

        var policy = new IamUserPolicy("policy", IamUserPolicyArgs.builder()
            .ibmId("test@in.ibm.com")
            .resourceAttributes(resourceNameMatch, serviceMatch)
            .roles("Viewer")
            .build());
    }
}
# IAM user policy whose scope is expressed as a list of resource attributes
# rather than a `resources` block.
resources:
  policy:
    type: ibm:IamUserPolicy
    properties:
      ibmId: test@in.ibm.com
      resourceAttributes:
        # stringMatch with a trailing * is a prefix match: any resource whose
        # name starts with test123 is covered, including ones created later.
        - name: resource
          operator: stringMatch
          value: test123*
        # No operator is given here, so the provider's default comparison
        # applies (presumably an exact match; confirm in the provider reference).
        - name: serviceName
          value: messagehub
      roles:
        - Viewer

User policy using service_type with region

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Scope by serviceType instead of a named service. Presumably this covers
// every service of that type in us-south, which is wider than naming one
// service; confirm the intended breadth.
const serviceTypeScope = {
    region: "us-south",
    serviceType: "service",
};
const policy = new ibm.IamUserPolicy("policy", {
    ibmId: "test@in.ibm.com",
    resources: serviceTypeScope,
    roles: ["Viewer"],
});
import pulumi
import pulumi_ibm as ibm

# Scope by service_type instead of a named service. Presumably this covers
# every service of that type in us-south, which is wider than naming one
# service; confirm the intended breadth.
service_type_scope = {
    "region": "us-south",
    "service_type": "service",
}
policy = ibm.IamUserPolicy(
    "policy",
    ibm_id="test@in.ibm.com",
    resources=service_type_scope,
    roles=["Viewer"],
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers an IAM user policy scoped by ServiceType and region rather
// than by a named service.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Presumably this covers every service of that type in us-south, which
		// is wider than naming one service; confirm the intended breadth.
		serviceTypeScope := &ibm.IamUserPolicyResourcesArgs{
			Region:      pulumi.String("us-south"),
			ServiceType: pulumi.String("service"),
		}
		_, err := ibm.NewIamUserPolicy(ctx, "policy", &ibm.IamUserPolicyArgs{
			IbmId:     pulumi.String("test@in.ibm.com"),
			Resources: serviceTypeScope,
			Roles: pulumi.StringArray{
				pulumi.String("Viewer"),
			},
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

// Declares an IAM user policy scoped by ServiceType and region rather than by
// a named service.
return await Deployment.RunAsync(() =>
{
    // Presumably this covers every service of that type in us-south, which is
    // wider than naming one service; confirm the intended breadth.
    var serviceTypeScope = new Ibm.Inputs.IamUserPolicyResourcesArgs
    {
        Region = "us-south",
        ServiceType = "service",
    };

    var policy = new Ibm.IamUserPolicy("policy", new()
    {
        IbmId = "test@in.ibm.com",
        Resources = serviceTypeScope,
        Roles = new[] { "Viewer" },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamUserPolicy;
import com.pulumi.ibm.IamUserPolicyArgs;
import com.pulumi.ibm.inputs.IamUserPolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program declaring an IAM user policy scoped by serviceType and region
 * rather than by a named service.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the policy resource. */
    public static void stack(Context ctx) {
        // Presumably this covers every service of that type in us-south, which
        // is wider than naming one service; confirm the intended breadth.
        final var serviceTypeScope = IamUserPolicyResourcesArgs.builder()
            .region("us-south")
            .serviceType("service")
            .build();

        var policy = new IamUserPolicy("policy", IamUserPolicyArgs.builder()
            .ibmId("test@in.ibm.com")
            .resources(serviceTypeScope)
            .roles("Viewer")
            .build());
    }
}
# IAM user policy scoped by serviceType and region rather than by a named
# service.
resources:
  policy:
    type: ibm:IamUserPolicy
    properties:
      ibmId: test@in.ibm.com
      # Presumably this covers every service of that type in us-south, which is
      # wider than naming one service; confirm the intended breadth.
      resources:
        region: us-south
        serviceType: service
      roles:
        - Viewer

User policy by using service and rule_conditions

rule_conditions can be used in conjunction with pattern and rule_operator to implement user policies with time-based conditions. For more information, see Limiting access with time-based conditions. Note: Currently, a policy resource that was created without rule_conditions, pattern, and rule_operator cannot later be updated to include those conditions.

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Time window for the policy. With ruleOperator "and" below, all three
// conditions must hold at once. Every value carries a +00:00 offset, so the
// window is evaluated in UTC, not the user's local time.
const allowedDays = {
    key: "{{environment.attributes.day_of_week}}",
    operator: "dayOfWeekAnyOf",
    // Four day numbers; which weekdays they denote is defined by IBM's
    // time-based conditions reference (confirm before relying on it).
    values: [
        "1+00:00",
        "2+00:00",
        "3+00:00",
        "4+00:00",
    ],
};
const notBefore = {
    key: "{{environment.attributes.current_time}}",
    operator: "timeGreaterThanOrEquals",
    values: ["09:00:00+00:00"],
};
const notAfter = {
    key: "{{environment.attributes.current_time}}",
    operator: "timeLessThanOrEquals",
    values: ["17:00:00+00:00"],
};
const policy = new ibm.IamUserPolicy("policy", {
    ibmId: "test@in.ibm.com",
    pattern: "time-based-conditions:weekly:custom-hours",
    resources: {
        service: "kms",
    },
    roles: ["Viewer"],
    ruleConditions: [allowedDays, notBefore, notAfter],
    ruleOperator: "and",
});
import pulumi
import pulumi_ibm as ibm

# Time window for the policy. With rule_operator "and" below, all three
# conditions must hold at once. Every value carries a +00:00 offset, so the
# window is evaluated in UTC, not the user's local time.
allowed_days = {
    "key": "{{environment.attributes.day_of_week}}",
    "operator": "dayOfWeekAnyOf",
    # Four day numbers; which weekdays they denote is defined by IBM's
    # time-based conditions reference (confirm before relying on it).
    "values": [
        "1+00:00",
        "2+00:00",
        "3+00:00",
        "4+00:00",
    ],
}
not_before = {
    "key": "{{environment.attributes.current_time}}",
    "operator": "timeGreaterThanOrEquals",
    "values": ["09:00:00+00:00"],
}
not_after = {
    "key": "{{environment.attributes.current_time}}",
    "operator": "timeLessThanOrEquals",
    "values": ["17:00:00+00:00"],
}
policy = ibm.IamUserPolicy(
    "policy",
    ibm_id="test@in.ibm.com",
    pattern="time-based-conditions:weekly:custom-hours",
    resources={
        "service": "kms",
    },
    roles=["Viewer"],
    rule_conditions=[allowed_days, not_before, not_after],
    rule_operator="and",
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers an IAM user policy on the kms service that only applies
// inside a weekly time window.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// With RuleOperator "and" below, all three conditions must hold at
		// once. Every value carries a +00:00 offset, so the window is
		// evaluated in UTC, not the user's local time.
		allowedDays := &ibm.IamUserPolicyRuleConditionArgs{
			Key:      pulumi.String("{{environment.attributes.day_of_week}}"),
			Operator: pulumi.String("dayOfWeekAnyOf"),
			// Four day numbers; which weekdays they denote is defined by IBM's
			// time-based conditions reference (confirm before relying on it).
			Values: pulumi.StringArray{
				pulumi.String("1+00:00"),
				pulumi.String("2+00:00"),
				pulumi.String("3+00:00"),
				pulumi.String("4+00:00"),
			},
		}
		notBefore := &ibm.IamUserPolicyRuleConditionArgs{
			Key:      pulumi.String("{{environment.attributes.current_time}}"),
			Operator: pulumi.String("timeGreaterThanOrEquals"),
			Values: pulumi.StringArray{
				pulumi.String("09:00:00+00:00"),
			},
		}
		notAfter := &ibm.IamUserPolicyRuleConditionArgs{
			Key:      pulumi.String("{{environment.attributes.current_time}}"),
			Operator: pulumi.String("timeLessThanOrEquals"),
			Values: pulumi.StringArray{
				pulumi.String("17:00:00+00:00"),
			},
		}
		_, err := ibm.NewIamUserPolicy(ctx, "policy", &ibm.IamUserPolicyArgs{
			IbmId:   pulumi.String("test@in.ibm.com"),
			Pattern: pulumi.String("time-based-conditions:weekly:custom-hours"),
			Resources: &ibm.IamUserPolicyResourcesArgs{
				Service: pulumi.String("kms"),
			},
			Roles: pulumi.StringArray{
				pulumi.String("Viewer"),
			},
			RuleConditions: ibm.IamUserPolicyRuleConditionArray{
				allowedDays,
				notBefore,
				notAfter,
			},
			RuleOperator: pulumi.String("and"),
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

// Creates a time-restricted IAM user policy: Viewer on the kms service for one user.
return await Deployment.RunAsync(() =>
{
    // Days on which the grant applies; each value is a day number with a +00:00 offset.
    var allowedDays = new Ibm.Inputs.IamUserPolicyRuleConditionArgs
    {
        Key = "{{environment.attributes.day_of_week}}",
        Operator = "dayOfWeekAnyOf",
        Values = new[] { "1+00:00", "2+00:00", "3+00:00", "4+00:00" },
    };

    // Lower and upper bound of the daily window, both written at +00:00.
    // NOTE(review): confirm the offset matches the working hours intended for this user.
    var notBefore = new Ibm.Inputs.IamUserPolicyRuleConditionArgs
    {
        Key = "{{environment.attributes.current_time}}",
        Operator = "timeGreaterThanOrEquals",
        Values = new[] { "09:00:00+00:00" },
    };
    var notAfter = new Ibm.Inputs.IamUserPolicyRuleConditionArgs
    {
        Key = "{{environment.attributes.current_time}}",
        Operator = "timeLessThanOrEquals",
        Values = new[] { "17:00:00+00:00" },
    };

    var userPolicy = new Ibm.IamUserPolicy("policy", new()
    {
        IbmId = "test@in.ibm.com",
        Pattern = "time-based-conditions:weekly:custom-hours",
        Resources = new Ibm.Inputs.IamUserPolicyResourcesArgs { Service = "kms" },
        Roles = new[] { "Viewer" },
        RuleConditions = new[] { allowedDays, notBefore, notAfter },
        // "and": every rule condition must be satisfied together.
        RuleOperator = "and",
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamUserPolicy;
import com.pulumi.ibm.IamUserPolicyArgs;
import com.pulumi.ibm.inputs.IamUserPolicyResourcesArgs;
import com.pulumi.ibm.inputs.IamUserPolicyRuleConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that creates a time-restricted IAM user policy:
 * the Viewer role on the kms service for test@in.ibm.com.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the policy resource.
     *
     * @param ctx Pulumi context of the current deployment (not read here)
     */
    public static void stack(Context ctx) {
        // Days on which the grant applies; each value is a day number with a +00:00 offset.
        final var allowedDays = IamUserPolicyRuleConditionArgs.builder()
            .key("{{environment.attributes.day_of_week}}")
            .operator("dayOfWeekAnyOf")
            .values("1+00:00", "2+00:00", "3+00:00", "4+00:00")
            .build();

        // Lower and upper bound of the daily window, both written at +00:00.
        // NOTE(review): confirm the offset matches the working hours intended for this user.
        final var notBefore = IamUserPolicyRuleConditionArgs.builder()
            .key("{{environment.attributes.current_time}}")
            .operator("timeGreaterThanOrEquals")
            .values("09:00:00+00:00")
            .build();
        final var notAfter = IamUserPolicyRuleConditionArgs.builder()
            .key("{{environment.attributes.current_time}}")
            .operator("timeLessThanOrEquals")
            .values("17:00:00+00:00")
            .build();

        final var kmsOnly = IamUserPolicyResourcesArgs.builder()
            .service("kms")
            .build();

        final var policyArgs = IamUserPolicyArgs.builder()
            .ibmId("test@in.ibm.com")
            .pattern("time-based-conditions:weekly:custom-hours")
            .resources(kmsOnly)
            .roles("Viewer")
            .ruleConditions(allowedDays, notBefore, notAfter)
            // "and": every rule condition must be satisfied together.
            .ruleOperator("and")
            .build();

        new IamUserPolicy("policy", policyArgs);
    }
}
# Time-restricted grant: the Viewer role on the kms service for one user.
resources:
  policy:
    type: ibm:IamUserPolicy
    properties:
      ibmId: test@in.ibm.com
      pattern: time-based-conditions:weekly:custom-hours
      resources:
        service: kms
      roles:
        - Viewer
      ruleConditions:
        # Days on which the grant applies; each value is a day number with a +00:00 offset.
        - key: '{{environment.attributes.day_of_week}}'
          operator: dayOfWeekAnyOf
          values:
            - 1+00:00
            - 2+00:00
            - 3+00:00
            - 4+00:00
        # Lower bound of the daily window, written at +00:00.
        - key: '{{environment.attributes.current_time}}'
          operator: timeGreaterThanOrEquals
          values:
            - 09:00:00+00:00
        # Upper bound of the daily window, written at +00:00.
        # NOTE(review): confirm the offset matches the working hours intended for this user.
        - key: '{{environment.attributes.current_time}}'
          operator: timeLessThanOrEquals
          values:
            - 17:00:00+00:00
      # "and": every rule condition must be satisfied together.
      ruleOperator: and

User policy using service_group_id resource attribute

import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";

// Scope of the grant: the IAM service group, selected through service_group_id.
const iamServiceGroup = {
    name: "service_group_id",
    operator: "stringEquals",
    value: "IAM",
};

// NOTE(review): Administrator plus the two creator roles is a highly privileged
// combination (going by the role names, it covers creating service IDs and user
// API keys); assign it only to identities that manage credentials.
const iamRoles = [
    "Service ID creator",
    "User API key creator",
    "Administrator",
];

const policy = new ibm.IamUserPolicy("policy", {
    ibmId: "test@in.ibm.com",
    resourceAttributes: [iamServiceGroup],
    roles: iamRoles,
});
import pulumi
import pulumi_ibm as ibm

# Scope of the grant: the IAM service group, selected through service_group_id.
iam_service_group = {
    "name": "service_group_id",
    "operator": "stringEquals",
    "value": "IAM",
}

# NOTE(review): Administrator plus the two creator roles is a highly privileged
# combination (going by the role names, it covers creating service IDs and user
# API keys); assign it only to identities that manage credentials.
iam_roles = [
    "Service ID creator",
    "User API key creator",
    "Administrator",
]

policy = ibm.IamUserPolicy(
    "policy",
    ibm_id="test@in.ibm.com",
    resource_attributes=[iam_service_group],
    roles=iam_roles,
)
package main

import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main runs a Pulumi program that grants test@in.ibm.com three roles on the
// IAM service group, selected through the service_group_id resource attribute.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Scope of the grant: the IAM service group.
		iamServiceGroup := &ibm.IamUserPolicyResourceAttributeArgs{
			Name:     pulumi.String("service_group_id"),
			Operator: pulumi.String("stringEquals"),
			Value:    pulumi.String("IAM"),
		}

		// NOTE(review): Administrator plus the two creator roles is a highly privileged
		// combination (going by the role names, it covers creating service IDs and user
		// API keys); assign it only to identities that manage credentials.
		iamRoles := pulumi.StringArray{
			pulumi.String("Service ID creator"),
			pulumi.String("User API key creator"),
			pulumi.String("Administrator"),
		}

		// The resource handle is not needed afterwards; only the error is propagated.
		_, err := ibm.NewIamUserPolicy(ctx, "policy", &ibm.IamUserPolicyArgs{
			IbmId:              pulumi.String("test@in.ibm.com"),
			ResourceAttributes: ibm.IamUserPolicyResourceAttributeArray{iamServiceGroup},
			Roles:              iamRoles,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;

// Grants one user three roles on the IAM service group (service_group_id = "IAM").
return await Deployment.RunAsync(() =>
{
    // Scope of the grant: the IAM service group.
    var iamServiceGroup = new Ibm.Inputs.IamUserPolicyResourceAttributeArgs
    {
        Name = "service_group_id",
        Operator = "stringEquals",
        Value = "IAM",
    };

    // NOTE(review): Administrator plus the two creator roles is a highly privileged
    // combination (going by the role names, it covers creating service IDs and user
    // API keys); assign it only to identities that manage credentials.
    var iamRoles = new[]
    {
        "Service ID creator",
        "User API key creator",
        "Administrator",
    };

    var userPolicy = new Ibm.IamUserPolicy("policy", new()
    {
        IbmId = "test@in.ibm.com",
        ResourceAttributes = new[] { iamServiceGroup },
        Roles = iamRoles,
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamUserPolicy;
import com.pulumi.ibm.IamUserPolicyArgs;
import com.pulumi.ibm.inputs.IamUserPolicyResourceAttributeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that grants test@in.ibm.com three roles on the IAM service
 * group, selected through the service_group_id resource attribute.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the policy resource.
     *
     * @param ctx Pulumi context of the current deployment (not read here)
     */
    public static void stack(Context ctx) {
        // Scope of the grant: the IAM service group.
        final var iamServiceGroup = IamUserPolicyResourceAttributeArgs.builder()
            .name("service_group_id")
            .operator("stringEquals")
            .value("IAM")
            .build();

        // NOTE(review): Administrator plus the two creator roles is a highly privileged
        // combination (going by the role names, it covers creating service IDs and user
        // API keys); assign it only to identities that manage credentials.
        final var policyArgs = IamUserPolicyArgs.builder()
            .ibmId("test@in.ibm.com")
            .resourceAttributes(iamServiceGroup)
            .roles("Service ID creator", "User API key creator", "Administrator")
            .build();

        new IamUserPolicy("policy", policyArgs);
    }
}
# Grants one user three roles on the IAM service group.
resources:
  policy:
    type: ibm:IamUserPolicy
    properties:
      ibmId: test@in.ibm.com
      # Scope of the grant: the IAM service group, selected through service_group_id.
      resourceAttributes:
        - name: service_group_id
          operator: stringEquals
          value: IAM
      # NOTE(review): Administrator plus the two creator roles is a highly privileged
      # combination (going by the role names, it covers creating service IDs and user
      # API keys); assign it only to identities that manage credentials.
      roles:
        - Service ID creator
        - User API key creator
        - Administrator

User Policy by using Attribute Based Condition

rule_conditions can be used together with pattern = attribute-based-condition:resource:literal-and-wildcard and rule_operator to implement more complex policy conditions. Note: Currently, a policy resource that was created without rule_conditions, pattern, and rule_operator cannot be updated to include those conditions.

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamUserPolicy;
import com.pulumi.ibm.IamUserPolicyArgs;
import com.pulumi.ibm.inputs.IamUserPolicyResourceAttributeArgs;
import com.pulumi.ibm.inputs.IamUserPolicyRuleConditionArgs;
import com.pulumi.ibm.inputs.IamUserPolicyRuleConditionConditionArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

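/**
 * Pulumi program that creates an attribute-based IAM user policy: the Writer
 * role on one Cloud Object Storage bucket, limited by conditions on the
 * request's prefix, delimiter and path attributes.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the policy resource.
     *
     * @param ctx Pulumi context of the current deployment (not read here)
     */
    public static void stack(Context ctx) {
        var policy = new IamUserPolicy("policy", IamUserPolicyArgs.builder()
            .description("IAM User Policy Attribute Based Condition Creation for test scenario")
            .ibmId("test@in.ibm.com")
            .pattern("attribute-based-condition:resource:literal-and-wildcard")
            // Target: the bucket fgac-tf-test in the instance cos-instance.
            .resourceAttributes(
                IamUserPolicyResourceAttributeArgs.builder()
                    .name("serviceName")
                    .operator("stringEquals")
                    .value("cloud-object-storage")
                    .build(),
                IamUserPolicyResourceAttributeArgs.builder()
                    .name("serviceInstance")
                    .operator("stringEquals")
                    .value("cos-instance")
                    .build(),
                IamUserPolicyResourceAttributeArgs.builder()
                    .name("resourceType")
                    .operator("stringEquals")
                    .value("bucket")
                    .build(),
                IamUserPolicyResourceAttributeArgs.builder()
                    .name("resource")
                    .operator("stringEquals")
                    .value("fgac-tf-test")
                    .build())
            .roles("Writer")
            .ruleConditions(
                // Group 1: prefix under folder1/subfolder1/ AND delimiter is "/" or empty.
                // Nested conditions take their operands through values(...), like the
                // top-level rule condition below.
                IamUserPolicyRuleConditionArgs.builder()
                    .conditions(
                        IamUserPolicyRuleConditionConditionArgs.builder()
                            .key("{{resource.attributes.prefix}}")
                            .operator("stringMatch")
                            .values("folder1/subfolder1/*")
                            .build(),
                        IamUserPolicyRuleConditionConditionArgs.builder()
                            .key("{{resource.attributes.delimiter}}")
                            .operator("stringEqualsAnyOf")
                            .values(
                                "/",
                                "")
                            .build())
                    .operator("and")
                    .build(),
                // Group 2: object path under folder1/subfolder1/.
                IamUserPolicyRuleConditionArgs.builder()
                    .key("{{resource.attributes.path}}")
                    .operator("stringMatch")
                    .values("folder1/subfolder1/*")
                    .build(),
                // Group 3: stringExists = false on both delimiter and prefix.
                IamUserPolicyRuleConditionArgs.builder()
                    .conditions(
                        IamUserPolicyRuleConditionConditionArgs.builder()
                            .key("{{resource.attributes.delimiter}}")
                            .operator("stringExists")
                            .values("false")
                            .build(),
                        IamUserPolicyRuleConditionConditionArgs.builder()
                            .key("{{resource.attributes.prefix}}")
                            .operator("stringExists")
                            .values("false")
                            .build())
                    .operator("and")
                    .build())
            // "or": satisfying any one group is enough, so each group must be
            // safe to grant on its own.
            .ruleOperator("or")
            .build());

    }
}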
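# Attribute-based grant: the Writer role on one Cloud Object Storage bucket,
# limited by conditions on the request's prefix, delimiter and path attributes.
resources:
  policy:
    type: ibm:IamUserPolicy
    properties:
      description: IAM User Policy Attribute Based Condition Creation for test scenario
      ibmId: test@in.ibm.com
      pattern: attribute-based-condition:resource:literal-and-wildcard
      # Target: the bucket fgac-tf-test in the instance cos-instance.
      resourceAttributes:
        - name: serviceName
          operator: stringEquals
          value: cloud-object-storage
        - name: serviceInstance
          operator: stringEquals
          value: cos-instance
        - name: resourceType
          operator: stringEquals
          value: bucket
        - name: resource
          operator: stringEquals
          value: fgac-tf-test
      roles:
        - Writer
      ruleConditions:
        # Group 1: prefix under folder1/subfolder1/ AND delimiter is "/" or empty.
        # Nested conditions list their operands under "values", like the
        # top-level rule condition below.
        - conditions:
            - key: '{{resource.attributes.prefix}}'
              operator: stringMatch
              values:
                - folder1/subfolder1/*
            - key: '{{resource.attributes.delimiter}}'
              operator: stringEqualsAnyOf
              values:
                - /
                - ""
          operator: and
        # Group 2: object path under folder1/subfolder1/.
        - key: '{{resource.attributes.path}}'
          operator: stringMatch
          values:
            - folder1/subfolder1/*
        # Group 3: stringExists = false on both delimiter and prefix.
        - conditions:
            - key: '{{resource.attributes.delimiter}}'
              operator: stringExists
              values:
                - 'false'
            - key: '{{resource.attributes.prefix}}'
              operator: stringExists
              values:
                - 'false'
          operator: and
      # "or": satisfying any one group is enough, so each group must be safe
      # to grant on its own.
      ruleOperator: or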

Create IamUserPolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new IamUserPolicy(name: string, args: IamUserPolicyArgs, opts?: CustomResourceOptions);
@overload
def IamUserPolicy(resource_name: str,
                  args: IamUserPolicyArgs,
                  opts: Optional[ResourceOptions] = None)

@overload
def IamUserPolicy(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  ibm_id: Optional[str] = None,
                  roles: Optional[Sequence[str]] = None,
                  resource_tags: Optional[Sequence[IamUserPolicyResourceTagArgs]] = None,
                  iam_user_policy_id: Optional[str] = None,
                  pattern: Optional[str] = None,
                  resource_attributes: Optional[Sequence[IamUserPolicyResourceAttributeArgs]] = None,
                  account_management: Optional[bool] = None,
                  resources: Optional[IamUserPolicyResourcesArgs] = None,
                  description: Optional[str] = None,
                  rule_conditions: Optional[Sequence[IamUserPolicyRuleConditionArgs]] = None,
                  rule_operator: Optional[str] = None,
                  tags: Optional[Sequence[str]] = None,
                  transaction_id: Optional[str] = None)
func NewIamUserPolicy(ctx *Context, name string, args IamUserPolicyArgs, opts ...ResourceOption) (*IamUserPolicy, error)
public IamUserPolicy(string name, IamUserPolicyArgs args, CustomResourceOptions? opts = null)
public IamUserPolicy(String name, IamUserPolicyArgs args)
public IamUserPolicy(String name, IamUserPolicyArgs args, CustomResourceOptions options)
type: ibm:IamUserPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. IamUserPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. IamUserPolicyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. IamUserPolicyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. IamUserPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. IamUserPolicyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

// Reference template: every input is shown with a placeholder value.
// Per the property descriptions, AccountManagement, Resources and ResourceAttributes
// conflict with one another, so a real policy sets only one of them.
var iamUserPolicyResource = new Ibm.IamUserPolicy("iamUserPolicyResource", new()
{
    // Required: the IBM ID or email address of the user.
    IbmId = "string",
    // Required: the roles to grant.
    Roles = new[]
    {
        "string",
    },
    // Only allowed in policies whose serviceType resource attribute equals service.
    ResourceTags = new[]
    {
        new Ibm.Inputs.IamUserPolicyResourceTagArgs
        {
            Name = "string",
            Value = "string",
            Operator = "string",
        },
    },
    IamUserPolicyId = "string",
    Pattern = "string",
    ResourceAttributes = new[]
    {
        new Ibm.Inputs.IamUserPolicyResourceAttributeArgs
        {
            Name = "string",
            Value = "string",
            Operator = "string",
        },
    },
    // true gives access to all account management services; the default is false.
    AccountManagement = false,
    Resources = new Ibm.Inputs.IamUserPolicyResourcesArgs
    {
        Attributes = 
        {
            { "string", "string" },
        },
        Region = "string",
        Resource = "string",
        ResourceGroupId = "string",
        ResourceInstanceId = "string",
        ResourceType = "string",
        Service = "string",
        ServiceGroupId = "string",
        ServiceType = "string",
    },
    Description = "string",
    RuleConditions = new[]
    {
        new Ibm.Inputs.IamUserPolicyRuleConditionArgs
        {
            Operator = "string",
            Conditions = new[]
            {
                new Ibm.Inputs.IamUserPolicyRuleConditionConditionArgs
                {
                    Key = "string",
                    Operator = "string",
                    Values = new[]
                    {
                        "string",
                    },
                },
            },
            Key = "string",
            Values = new[]
            {
                "string",
            },
        },
    },
    // How multiple rule conditions are combined, e.g. "and" requires all of them.
    RuleOperator = "string",
    Tags = new[]
    {
        "string",
    },
    // Optional ID passed with the request for tracking the calls.
    TransactionId = "string",
});
// Reference template: every input is shown with a placeholder value.
// Per the property descriptions, AccountManagement, Resources and ResourceAttributes
// conflict with one another, so a real policy sets only one of them.
example, err := ibm.NewIamUserPolicy(ctx, "iamUserPolicyResource", &ibm.IamUserPolicyArgs{
	// Required: the IBM ID or email address of the user.
	IbmId: pulumi.String("string"),
	// Required: the roles to grant.
	Roles: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Only allowed in policies whose serviceType resource attribute equals service.
	ResourceTags: ibm.IamUserPolicyResourceTagArray{
		&ibm.IamUserPolicyResourceTagArgs{
			Name:     pulumi.String("string"),
			Value:    pulumi.String("string"),
			Operator: pulumi.String("string"),
		},
	},
	IamUserPolicyId: pulumi.String("string"),
	Pattern:         pulumi.String("string"),
	ResourceAttributes: ibm.IamUserPolicyResourceAttributeArray{
		&ibm.IamUserPolicyResourceAttributeArgs{
			Name:     pulumi.String("string"),
			Value:    pulumi.String("string"),
			Operator: pulumi.String("string"),
		},
	},
	// true gives access to all account management services; the default is false.
	AccountManagement: pulumi.Bool(false),
	Resources: &ibm.IamUserPolicyResourcesArgs{
		Attributes: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		Region:             pulumi.String("string"),
		Resource:           pulumi.String("string"),
		ResourceGroupId:    pulumi.String("string"),
		ResourceInstanceId: pulumi.String("string"),
		ResourceType:       pulumi.String("string"),
		Service:            pulumi.String("string"),
		ServiceGroupId:     pulumi.String("string"),
		ServiceType:        pulumi.String("string"),
	},
	Description: pulumi.String("string"),
	RuleConditions: ibm.IamUserPolicyRuleConditionArray{
		&ibm.IamUserPolicyRuleConditionArgs{
			Operator: pulumi.String("string"),
			Conditions: ibm.IamUserPolicyRuleConditionConditionArray{
				&ibm.IamUserPolicyRuleConditionConditionArgs{
					Key:      pulumi.String("string"),
					Operator: pulumi.String("string"),
					Values: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
			},
			Key: pulumi.String("string"),
			Values: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	// How multiple rule conditions are combined, e.g. "and" requires all of them.
	RuleOperator: pulumi.String("string"),
	Tags: pulumi.StringArray{
		pulumi.String("string"),
	},
	// Optional ID passed with the request for tracking the calls.
	TransactionId: pulumi.String("string"),
})
// Reference template: every input is shown with a placeholder value.
// Per the property descriptions, accountManagement, resources and resourceAttributes
// conflict with one another, so a real policy sets only one of them.
var iamUserPolicyResource = new IamUserPolicy("iamUserPolicyResource", IamUserPolicyArgs.builder()
    // Required: the IBM ID or email address of the user.
    .ibmId("string")
    // Required: the roles to grant.
    .roles("string")
    // Only allowed in policies whose serviceType resource attribute equals service.
    .resourceTags(IamUserPolicyResourceTagArgs.builder()
        .name("string")
        .value("string")
        .operator("string")
        .build())
    .iamUserPolicyId("string")
    .pattern("string")
    .resourceAttributes(IamUserPolicyResourceAttributeArgs.builder()
        .name("string")
        .value("string")
        .operator("string")
        .build())
    // true gives access to all account management services; the default is false.
    .accountManagement(false)
    .resources(IamUserPolicyResourcesArgs.builder()
        .attributes(Map.of("string", "string"))
        .region("string")
        .resource("string")
        .resourceGroupId("string")
        .resourceInstanceId("string")
        .resourceType("string")
        .service("string")
        .serviceGroupId("string")
        .serviceType("string")
        .build())
    .description("string")
    .ruleConditions(IamUserPolicyRuleConditionArgs.builder()
        .operator("string")
        .conditions(IamUserPolicyRuleConditionConditionArgs.builder()
            .key("string")
            .operator("string")
            .values("string")
            .build())
        .key("string")
        .values("string")
        .build())
    // How multiple rule conditions are combined, e.g. "and" requires all of them.
    .ruleOperator("string")
    .tags("string")
    // Optional ID passed with the request for tracking the calls.
    .transactionId("string")
    .build());
# Reference template: every input is shown with a placeholder value.
# Per the property descriptions, account_management, resources and resource_attributes
# conflict with one another, so a real policy sets only one of them.
iam_user_policy_resource = ibm.IamUserPolicy("iamUserPolicyResource",
    # Required: the IBM ID or email address of the user.
    ibm_id="string",
    # Required: the roles to grant.
    roles=["string"],
    # Only allowed in policies whose serviceType resource attribute equals service.
    resource_tags=[{
        "name": "string",
        "value": "string",
        "operator": "string",
    }],
    iam_user_policy_id="string",
    pattern="string",
    resource_attributes=[{
        "name": "string",
        "value": "string",
        "operator": "string",
    }],
    # True gives access to all account management services; the default is false.
    account_management=False,
    resources={
        "attributes": {
            "string": "string",
        },
        "region": "string",
        "resource": "string",
        "resource_group_id": "string",
        "resource_instance_id": "string",
        "resource_type": "string",
        "service": "string",
        "service_group_id": "string",
        "service_type": "string",
    },
    description="string",
    rule_conditions=[{
        "operator": "string",
        "conditions": [{
            "key": "string",
            "operator": "string",
            "values": ["string"],
        }],
        "key": "string",
        "values": ["string"],
    }],
    # How multiple rule conditions are combined, e.g. "and" requires all of them.
    rule_operator="string",
    tags=["string"],
    # Optional ID passed with the request for tracking the calls.
    transaction_id="string")
// Reference template: every input is shown with a placeholder value.
// Per the property descriptions, accountManagement, resources and resourceAttributes
// conflict with one another, so a real policy sets only one of them.
const iamUserPolicyResource = new ibm.IamUserPolicy("iamUserPolicyResource", {
    // Required: the IBM ID or email address of the user.
    ibmId: "string",
    // Required: the roles to grant.
    roles: ["string"],
    // Only allowed in policies whose serviceType resource attribute equals service.
    resourceTags: [{
        name: "string",
        value: "string",
        operator: "string",
    }],
    iamUserPolicyId: "string",
    pattern: "string",
    resourceAttributes: [{
        name: "string",
        value: "string",
        operator: "string",
    }],
    // true gives access to all account management services; the default is false.
    accountManagement: false,
    resources: {
        attributes: {
            string: "string",
        },
        region: "string",
        resource: "string",
        resourceGroupId: "string",
        resourceInstanceId: "string",
        resourceType: "string",
        service: "string",
        serviceGroupId: "string",
        serviceType: "string",
    },
    description: "string",
    ruleConditions: [{
        operator: "string",
        conditions: [{
            key: "string",
            operator: "string",
            values: ["string"],
        }],
        key: "string",
        values: ["string"],
    }],
    // How multiple rule conditions are combined, e.g. "and" requires all of them.
    ruleOperator: "string",
    tags: ["string"],
    // Optional ID passed with the request for tracking the calls.
    transactionId: "string",
});
# Reference template: every input is shown with a placeholder value.
# Per the property descriptions, accountManagement, resources and resourceAttributes
# conflict with one another, so a real policy sets only one of them.
type: ibm:IamUserPolicy
properties:
    # true gives access to all account management services; the default is false.
    accountManagement: false
    description: string
    iamUserPolicyId: string
    # Required: the IBM ID or email address of the user.
    ibmId: string
    pattern: string
    resourceAttributes:
        - name: string
          operator: string
          value: string
    # Only allowed in policies whose serviceType resource attribute equals service.
    resourceTags:
        - name: string
          operator: string
          value: string
    resources:
        attributes:
            string: string
        region: string
        resource: string
        resourceGroupId: string
        resourceInstanceId: string
        resourceType: string
        service: string
        serviceGroupId: string
        serviceType: string
    # Required: the roles to grant.
    roles:
        - string
    ruleConditions:
        - conditions:
            - key: string
              operator: string
              values:
                - string
          key: string
          operator: string
          values:
            - string
    # How multiple rule conditions are combined, e.g. "and" requires all of them.
    ruleOperator: string
    tags:
        - string
    # Optional ID passed with the request for tracking the calls.
    transactionId: string

IamUserPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The IamUserPolicy resource accepts the following input properties:

IbmId This property is required. string
The IBM ID or Email address of the user.
Roles This property is required. List<string>
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
AccountManagement bool
Gives access to all account management services if set to true. Default value false. If you set this option, do not set resources at the same time. Note Conflicts with resources and resource_attributes.
Description string
The description of the IAM User Policy.
IamUserPolicyId string
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
Pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
ResourceAttributes List<IamUserPolicyResourceAttribute>

A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested scheme for resource_attributes:

ResourceTags List<IamUserPolicyResourceTag>

A nested block describing the access management tags. Note resource_tags are only allowed in policy with resource attribute serviceType, where value is equal to service.

Nested scheme for resource_tags:

Resources IamUserPolicyResources

A nested block describes the resource of this policy. Note Conflicts with account_management and resource_attributes.

Nested scheme for resources:

RuleConditions List<IamUserPolicyRuleCondition>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

RuleOperator string
The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with and.
Tags List<string>
TransactionId string
The TransactionID can be passed to your request for tracking the calls.
IbmId This property is required. string
The IBM ID or Email address of the user.
Roles This property is required. []string
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
AccountManagement bool
Gives access to all account management services if set to true. Default value false. If you set this option, do not set resources at the same time. Note Conflicts with resources and resource_attributes.
Description string
The description of the IAM User Policy.
IamUserPolicyId string
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
Pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
ResourceAttributes []IamUserPolicyResourceAttributeArgs

A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested scheme for resource_attributes:

ResourceTags []IamUserPolicyResourceTagArgs

A nested block describing the access management tags. Note resource_tags are only allowed in policy with resource attribute serviceType, where value is equal to service.

Nested scheme for resource_tags:

Resources IamUserPolicyResourcesArgs

A nested block describes the resource of this policy. Note Conflicts with account_management and resource_attributes.

Nested scheme for resources:

RuleConditions []IamUserPolicyRuleConditionArgs

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

RuleOperator string
The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with and.
Tags []string
TransactionId string
The TransactionID can be passed to your request for tracking the calls.
ibmId This property is required. String
The IBM ID or Email address of the user.
roles This property is required. List<String>
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
accountManagement Boolean
Gives access to all account management services if set to true. Default value false. If you set this option, do not set resources at the same time. Note Conflicts with resources and resource_attributes.
description String
The description of the IAM User Policy.
iamUserPolicyId String
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
pattern String
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes List<IamUserPolicyResourceAttribute>

A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested scheme for resource_attributes:

resourceTags List<IamUserPolicyResourceTag>

A nested block describing the access management tags. Note resource_tags are only allowed in policy with resource attribute serviceType, where value is equal to service.

Nested scheme for resource_tags:

resources IamUserPolicyResources

A nested block describes the resource of this policy. Note Conflicts with account_management and resource_attributes.

Nested scheme for resources:

ruleConditions List<IamUserPolicyRuleCondition>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator String
The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with and.
tags List<String>
transactionId String
The TransactionID can be passed to your request for tracking the calls.
ibmId This property is required. string
The IBM ID or Email address of the user.
roles This property is required. string[]
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
accountManagement boolean
Gives access to all account management services if set to true. Default value false. If you set this option, do not set resources at the same time. Note Conflicts with resources and resource_attributes.
description string
The description of the IAM User Policy.
iamUserPolicyId string
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes IamUserPolicyResourceAttribute[]

(Optional, List) A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested schema for resource_attributes:

resourceTags IamUserPolicyResourceTag[]

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested schema for resource_tags:

resources IamUserPolicyResources

A nested block describing the resource of this policy. Note: Conflicts with account_management and resource_attributes.

Nested schema for resources:

ruleConditions IamUserPolicyRuleCondition[]

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator string
The operator used to evaluate multiple rule conditions; for example, and requires that all conditions be satisfied.
tags string[]
transactionId string
The TransactionID can be passed to your request for tracking the calls.
ibm_id This property is required. str
The IBM ID or Email address of the user.
roles This property is required. Sequence[str]
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
account_management bool
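If set to true, gives access to all account management services. The default value is false. Note: Conflicts with resources and resource_attributes; do not set either of them together with this option. Because the policy's roles then apply to every account management service rather than to a scoped resource, enable it only where that breadth is intended.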
description str
The description of the IAM User Policy.
iam_user_policy_id str
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
pattern str
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resource_attributes Sequence[IamUserPolicyResourceAttributeArgs]

(Optional, List) A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested schema for resource_attributes:

resource_tags Sequence[IamUserPolicyResourceTagArgs]

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested schema for resource_tags:

resources IamUserPolicyResourcesArgs

A nested block describing the resource of this policy. Note: Conflicts with account_management and resource_attributes.

Nested schema for resources:

rule_conditions Sequence[IamUserPolicyRuleConditionArgs]

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

rule_operator str
The operator used to evaluate multiple rule conditions; for example, and requires that all conditions be satisfied.
tags Sequence[str]
transaction_id str
The TransactionID can be passed to your request for tracking the calls.
ibmId This property is required. String
The IBM ID or Email address of the user.
roles This property is required. List<String>
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
accountManagement Boolean
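If set to true, gives access to all account management services. The default value is false. Note: Conflicts with resources and resource_attributes; do not set either of them together with this option. Because the policy's roles then apply to every account management service rather than to a scoped resource, enable it only where that breadth is intended.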
description String
The description of the IAM User Policy.
iamUserPolicyId String
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
pattern String
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes List<Property Map>

(Optional, List) A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested schema for resource_attributes:

resourceTags List<Property Map>

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested schema for resource_tags:

resources Property Map

A nested block describing the resource of this policy. Note: Conflicts with account_management and resource_attributes.

Nested schema for resources:

ruleConditions List<Property Map>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator String
The operator used to evaluate multiple rule conditions; for example, and requires that all conditions be satisfied.
tags List<String>
transactionId String
The TransactionID can be passed to your request for tracking the calls.

Outputs

All input properties are implicitly available as output properties. Additionally, the IamUserPolicy resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id String
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.
id String
The provider-assigned unique ID for this managed resource.

Look up Existing IamUserPolicy Resource

Get an existing IamUserPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: IamUserPolicyState, opts?: CustomResourceOptions): IamUserPolicy
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_management: Optional[bool] = None,
        description: Optional[str] = None,
        iam_user_policy_id: Optional[str] = None,
        ibm_id: Optional[str] = None,
        pattern: Optional[str] = None,
        resource_attributes: Optional[Sequence[IamUserPolicyResourceAttributeArgs]] = None,
        resource_tags: Optional[Sequence[IamUserPolicyResourceTagArgs]] = None,
        resources: Optional[IamUserPolicyResourcesArgs] = None,
        roles: Optional[Sequence[str]] = None,
        rule_conditions: Optional[Sequence[IamUserPolicyRuleConditionArgs]] = None,
        rule_operator: Optional[str] = None,
        tags: Optional[Sequence[str]] = None,
        transaction_id: Optional[str] = None) -> IamUserPolicy
func GetIamUserPolicy(ctx *Context, name string, id IDInput, state *IamUserPolicyState, opts ...ResourceOption) (*IamUserPolicy, error)
public static IamUserPolicy Get(string name, Input<string> id, IamUserPolicyState? state, CustomResourceOptions? opts = null)
public static IamUserPolicy get(String name, Output<String> id, IamUserPolicyState state, CustomResourceOptions options)
resources:  _:    type: ibm:IamUserPolicy    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccountManagement bool
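If set to true, gives access to all account management services. The default value is false. Note: Conflicts with resources and resource_attributes; do not set either of them together with this option. Because the policy's roles then apply to every account management service rather than to a scoped resource, enable it only where that breadth is intended.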
Description string
The description of the IAM User Policy.
IamUserPolicyId string
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
IbmId string
The IBM ID or Email address of the user.
Pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
ResourceAttributes List<IamUserPolicyResourceAttribute>

(Optional, List) A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested schema for resource_attributes:

ResourceTags List<IamUserPolicyResourceTag>

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested schema for resource_tags:

Resources IamUserPolicyResources

A nested block describing the resource of this policy. Note: Conflicts with account_management and resource_attributes.

Nested schema for resources:

Roles List<string>
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
RuleConditions List<IamUserPolicyRuleCondition>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

RuleOperator string
The operator used to evaluate multiple rule conditions; for example, and requires that all conditions be satisfied.
Tags List<string>
TransactionId string
The TransactionID can be passed to your request for tracking the calls.
AccountManagement bool
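If set to true, gives access to all account management services. The default value is false. Note: Conflicts with resources and resource_attributes; do not set either of them together with this option. Because the policy's roles then apply to every account management service rather than to a scoped resource, enable it only where that breadth is intended.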
Description string
The description of the IAM User Policy.
IamUserPolicyId string
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
IbmId string
The IBM ID or Email address of the user.
Pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
ResourceAttributes []IamUserPolicyResourceAttributeArgs

(Optional, List) A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested schema for resource_attributes:

ResourceTags []IamUserPolicyResourceTagArgs

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested schema for resource_tags:

Resources IamUserPolicyResourcesArgs

A nested block describing the resource of this policy. Note: Conflicts with account_management and resource_attributes.

Nested schema for resources:

Roles []string
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
RuleConditions []IamUserPolicyRuleConditionArgs

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

RuleOperator string
The operator used to evaluate multiple rule conditions; for example, and requires that all conditions be satisfied.
Tags []string
TransactionId string
The TransactionID can be passed to your request for tracking the calls.
accountManagement Boolean
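If set to true, gives access to all account management services. The default value is false. Note: Conflicts with resources and resource_attributes; do not set either of them together with this option. Because the policy's roles then apply to every account management service rather than to a scoped resource, enable it only where that breadth is intended.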
description String
The description of the IAM User Policy.
iamUserPolicyId String
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
ibmId String
The IBM ID or Email address of the user.
pattern String
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes List<IamUserPolicyResourceAttribute>

(Optional, List) A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested schema for resource_attributes:

resourceTags List<IamUserPolicyResourceTag>

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested schema for resource_tags:

resources IamUserPolicyResources

A nested block describing the resource of this policy. Note: Conflicts with account_management and resource_attributes.

Nested schema for resources:

roles List<String>
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
ruleConditions List<IamUserPolicyRuleCondition>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator String
The operator used to evaluate multiple rule conditions; for example, and requires that all conditions be satisfied.
tags List<String>
transactionId String
The TransactionID can be passed to your request for tracking the calls.
accountManagement boolean
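If set to true, gives access to all account management services. The default value is false. Note: Conflicts with resources and resource_attributes; do not set either of them together with this option. Because the policy's roles then apply to every account management service rather than to a scoped resource, enable it only where that breadth is intended.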
description string
The description of the IAM User Policy.
iamUserPolicyId string
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
ibmId string
The IBM ID or Email address of the user.
pattern string
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes IamUserPolicyResourceAttribute[]

(Optional, List) A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested schema for resource_attributes:

resourceTags IamUserPolicyResourceTag[]

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested schema for resource_tags:

resources IamUserPolicyResources

A nested block describing the resource of this policy. Note: Conflicts with account_management and resource_attributes.

Nested schema for resources:

roles string[]
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
ruleConditions IamUserPolicyRuleCondition[]

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator string
The operator used to evaluate multiple rule conditions; for example, and requires that all conditions be satisfied.
tags string[]
transactionId string
The TransactionID can be passed to your request for tracking the calls.
account_management bool
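If set to true, gives access to all account management services. The default value is false. Note: Conflicts with resources and resource_attributes; do not set either of them together with this option. Because the policy's roles then apply to every account management service rather than to a scoped resource, enable it only where that breadth is intended.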
description str
The description of the IAM User Policy.
iam_user_policy_id str
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
ibm_id str
The IBM ID or Email address of the user.
pattern str
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resource_attributes Sequence[IamUserPolicyResourceAttributeArgs]

(Optional, List) A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested schema for resource_attributes:

resource_tags Sequence[IamUserPolicyResourceTagArgs]

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested schema for resource_tags:

resources IamUserPolicyResourcesArgs

A nested block describing the resource of this policy. Note: Conflicts with account_management and resource_attributes.

Nested schema for resources:

roles Sequence[str]
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
rule_conditions Sequence[IamUserPolicyRuleConditionArgs]

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

rule_operator str
The operator used to evaluate multiple rule conditions; for example, and requires that all conditions be satisfied.
tags Sequence[str]
transaction_id str
The TransactionID can be passed to your request for tracking the calls.
accountManagement Boolean
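If set to true, gives access to all account management services. The default value is false. Note: Conflicts with resources and resource_attributes; do not set either of them together with this option. Because the policy's roles then apply to every account management service rather than to a scoped resource, enable it only where that breadth is intended.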
description String
The description of the IAM User Policy.
iamUserPolicyId String
(String) The unique identifier of the user policy. The ID is composed of <ibm_id>/<user_policy_id>.
ibmId String
The IBM ID or Email address of the user.
pattern String
The pattern that the rule follows, e.g., time-based-conditions:weekly:all-day.
resourceAttributes List<Property Map>

(Optional, List) A nested block describing the resource of this policy. Note: Conflicts with account_management and resources.

Nested schema for resource_attributes:

resourceTags List<Property Map>

A nested block describing the access management tags. Note: resource_tags are only allowed in a policy whose resource attribute serviceType has the value service.

Nested schema for resource_tags:

resources Property Map

A nested block describing the resource of this policy. Note: Conflicts with account_management and resource_attributes.

Nested schema for resources:

roles List<String>
A comma-separated list of roles. Valid roles are Writer, Reader, Manager, Administrator, Operator, Viewer, and Editor. For more information about supported service-specific roles, see IAM roles and actions.
ruleConditions List<Property Map>

A nested block describing the rule conditions of this policy.

Nested schema for rule_conditions:

ruleOperator String
The operator used to evaluate multiple rule conditions; for example, and requires that all conditions be satisfied.
tags List<String>
transactionId String
The TransactionID can be passed to your request for tracking the calls.

Supporting Types

IamUserPolicyResourceAttribute
, IamUserPolicyResourceAttributeArgs

Name This property is required. string
The name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
Value This property is required. string
The value of an attribute.
Operator string
Operator of an attribute. The default value is stringEquals. Note: Conflicts with account_management and resources.
Name This property is required. string
The name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
Value This property is required. string
The value of an attribute.
Operator string
Operator of an attribute. The default value is stringEquals. Note: Conflicts with account_management and resources.
name This property is required. String
The name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
value This property is required. String
The value of an attribute.
operator String
Operator of an attribute. The default value is stringEquals. Note: Conflicts with account_management and resources.
name This property is required. string
The name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
value This property is required. string
The value of an attribute.
operator string
Operator of an attribute. The default value is stringEquals. Note: Conflicts with account_management and resources.
name This property is required. str
The name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
value This property is required. str
The value of an attribute.
operator str
Operator of an attribute. The default value is stringEquals. Note: Conflicts with account_management and resources.
name This property is required. String
The name of an attribute. Supported values are serviceName, serviceInstance, region, resourceType, resource, resourceGroupId, service_group_id, and other service-specific resource attributes.
value This property is required. String
The value of an attribute.
operator String
Operator of an attribute. The default value is stringEquals. Note: Conflicts with account_management and resources.

IamUserPolicyResourceTag
, IamUserPolicyResourceTagArgs

Name This property is required. string
The key of an access management tag.
Value This property is required. string
The value of an access management tag.
Operator string
Operator of an attribute. The default value is stringEquals.
Name This property is required. string
The key of an access management tag.
Value This property is required. string
The value of an access management tag.
Operator string
Operator of an attribute. The default value is stringEquals.
name This property is required. String
The key of an access management tag.
value This property is required. String
The value of an access management tag.
operator String
Operator of an attribute. The default value is stringEquals.
name This property is required. string
The key of an access management tag.
value This property is required. string
The value of an access management tag.
operator string
Operator of an attribute. The default value is stringEquals.
name This property is required. str
The key of an access management tag.
value This property is required. str
The value of an access management tag.
operator str
Operator of an attribute. The default value is stringEquals.
name This property is required. String
The key of an access management tag.
value This property is required. String
The value of an access management tag.
operator String
Operator of an attribute. The default value is stringEquals.

IamUserPolicyResources
, IamUserPolicyResourcesArgs

Attributes Dictionary<string, string>
A set of resource attributes in the format name=value,name=value. If you set this option, do not specify account_management and resource_attributes at the same time.
Region string
The region of the policy definition.
Resource string
The resource of the policy definition.
ResourceGroupId string
The ID of the resource group. To retrieve the value, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
ResourceInstanceId string
The ID of the resource instance of the policy definition.
ResourceType string
The resource type of the policy definition.
Service string
The service name of the policy definition. You can retrieve the value by running the ibmcloud catalog service-marketplace or ibmcloud catalog search command in the IBM Cloud CLI. Attributes service, service_type are mutually exclusive.
ServiceGroupId string
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
ServiceType string
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.
Attributes map[string]string
A set of resource attributes in the format name=value,name=value. If you set this option, do not specify account_management and resource_attributes at the same time.
Region string
The region of the policy definition.
Resource string
The resource of the policy definition.
ResourceGroupId string
The ID of the resource group. To retrieve the value, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
ResourceInstanceId string
The ID of the resource instance of the policy definition.
ResourceType string
The resource type of the policy definition.
Service string
The service name of the policy definition. You can retrieve the value by running the ibmcloud catalog service-marketplace or ibmcloud catalog search command in the IBM Cloud CLI. Attributes service, service_type are mutually exclusive.
ServiceGroupId string
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
ServiceType string
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.
attributes Map<String,String>
A set of resource attributes in the format name=value,name=value. If you set this option, do not specify account_management and resource_attributes at the same time.
region String
The region of the policy definition.
resource String
The resource of the policy definition.
resourceGroupId String
The ID of the resource group. To retrieve the value, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
resourceInstanceId String
The ID of the resource instance of the policy definition.
resourceType String
The resource type of the policy definition.
service String
The service name of the policy definition. You can retrieve the value by running the ibmcloud catalog service-marketplace or ibmcloud catalog search command in the IBM Cloud CLI. Attributes service, service_type are mutually exclusive.
serviceGroupId String
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
serviceType String
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.
attributes {[key: string]: string}
A set of resource attributes in the format name=value,name=value. If you set this option, do not specify account_management and resource_attributes at the same time.
region string
The region of the policy definition.
resource string
The resource of the policy definition.
resourceGroupId string
The ID of the resource group. To retrieve the value, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
resourceInstanceId string
The ID of the resource instance of the policy definition.
resourceType string
The resource type of the policy definition.
service string
The service name of the policy definition. You can retrieve the value by running the ibmcloud catalog service-marketplace or ibmcloud catalog search command in the IBM Cloud CLI. Attributes service, service_type are mutually exclusive.
serviceGroupId string
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
serviceType string
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.
attributes Mapping[str, str]
A set of resource attributes in the format name=value,name=value. If you set this option, do not specify account_management and resource_attributes at the same time.
region str
The region of the policy definition.
resource str
The resource of the policy definition.
resource_group_id str
The ID of the resource group. To retrieve the value, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
resource_instance_id str
The ID of the resource instance of the policy definition.
resource_type str
The resource type of the policy definition.
service str
The service name of the policy definition. You can retrieve the value by running the ibmcloud catalog service-marketplace or ibmcloud catalog search command in the IBM Cloud CLI. Attributes service, service_type are mutually exclusive.
service_group_id str
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
service_type str
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.
attributes Map<String>
A set of resource attributes in the format name=value,name=value. If you set this option, do not specify account_management and resource_attributes at the same time.
region String
The region of the policy definition.
resource String
The resource of the policy definition.
resourceGroupId String
The ID of the resource group. To retrieve the value, run ibmcloud resource groups or use the ibm.ResourceGroup data source.
resourceInstanceId String
The ID of the resource instance of the policy definition.
resourceType String
The resource type of the policy definition.
service String
The service name of the policy definition. You can retrieve the value by running the ibmcloud catalog service-marketplace or ibmcloud catalog search command in the IBM Cloud CLI. Attributes service, service_type are mutually exclusive.
serviceGroupId String
The service group id of the policy definition. Note Attributes service, service_group_id are mutually exclusive.
serviceType String
The service type of the policy definition. Note Attributes service, service_type are mutually exclusive.

IamUserPolicyRuleCondition
, IamUserPolicyRuleConditionArgs

Operator This property is required. string
The operator of a rule condition.
Conditions List<IamUserPolicyRuleConditionCondition>

A nested block describing additional conditions of this policy.

Nested schema for conditions:

Key string
The key of a rule condition.
Values List<string>
The value of a rule condition.
Operator This property is required. string
The operator of a rule condition.
Conditions []IamUserPolicyRuleConditionCondition

A nested block describing additional conditions of this policy.

Nested schema for conditions:

Key string
The key of a rule condition.
Values []string
The value of a rule condition.
operator This property is required. String
The operator of a rule condition.
conditions List<IamUserPolicyRuleConditionCondition>

A nested block describing additional conditions of this policy.

Nested schema for conditions:

key String
The key of a rule condition.
values List<String>
The value of a rule condition.
operator This property is required. string
The operator of a rule condition.
conditions IamUserPolicyRuleConditionCondition[]

A nested block describing additional conditions of this policy.

Nested schema for conditions:

key string
The key of a rule condition.
values string[]
The value of a rule condition.
operator This property is required. str
The operator of a rule condition.
conditions Sequence[IamUserPolicyRuleConditionCondition]

A nested block describing additional conditions of this policy.

Nested schema for conditions:

key str
The key of a rule condition.
values Sequence[str]
The value of a rule condition.
operator This property is required. String
The operator of a rule condition.
conditions List<Property Map>

A nested block describing additional conditions of this policy.

Nested schema for conditions:

key String
The key of a rule condition.
values List<String>
The value of a rule condition.

IamUserPolicyRuleConditionCondition, IamUserPolicyRuleConditionConditionArgs

Key This property is required. string
The key of a condition.
Operator This property is required. string
The operator of a condition.
Values This property is required. List<string>
The value of a condition.
Key This property is required. string
The key of a condition.
Operator This property is required. string
The operator of a condition.
Values This property is required. []string
The value of a condition.
key This property is required. String
The key of a condition.
operator This property is required. String
The operator of a condition.
values This property is required. List<String>
The value of a condition.
key This property is required. string
The key of a condition.
operator This property is required. string
The operator of a condition.
values This property is required. string[]
The value of a condition.
key This property is required. str
The key of a condition.
operator This property is required. str
The operator of a condition.
values This property is required. Sequence[str]
The value of a condition.
key This property is required. String
The key of a condition.
operator This property is required. String
The operator of a condition.
values This property is required. List<String>
The value of a condition.

Import

The user policy can be imported by using the IBMid and the user policy ID, separated by a slash.

Syntax

$ pulumi import ibm:index/iamUserPolicy:IamUserPolicy example <ibm_id>/<user_policy_ID>

Example

$ pulumi import ibm:index/iamUserPolicy:IamUserPolicy example test@in.ibm.com/9ebf7018-3d0c-4965-9976-ef8e0c38a7e2

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
ibm ibm-cloud/terraform-provider-ibm
License
Notes
This Pulumi package is based on the ibm Terraform Provider.