ibm.IamServicePolicy
Create, update, or delete an IAM service policy. For more information about IAM roles and actions, see managing access to resources.
Example Usage
Service policy for all Identity and Access enabled services
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Service ID (the non-human identity) that receives the policy.
const svcId = new ibm.IamServiceId("serviceId", {});

// No `resources` block is supplied, so - per this example's title - the grant
// covers every IAM-enabled service. Viewer is the lowest platform role; add a
// `resources` block when the workload only needs a single service.
// NOTE(review): resourceTags presumably narrows the grant to resources that
// carry the access tag env:dev - confirm against the provider reference.
const policyArgs: ibm.IamServicePolicyArgs = {
    iamServiceId: svcId.iamServiceIdId,
    roles: ["Viewer"],
    description: "IAM Service Policy",
    resourceTags: [{ name: "env", value: "dev" }],
    transactionId: "terraformServicePolicy",
};
const viewerPolicy = new ibm.IamServicePolicy("policy", policyArgs);
import pulumi
import pulumi_ibm as ibm
# Service ID (the non-human identity) that receives the policy.
svc_id = ibm.IamServiceId("serviceId")

# No `resources` argument is supplied, so - per this example's title - the grant
# covers every IAM-enabled service. Viewer is the lowest platform role; pass
# `resources` when the workload only needs a single service.
# NOTE(review): resource_tags presumably narrows the grant to resources that
# carry the access tag env:dev - confirm against the provider reference.
access_tags = [{"name": "env", "value": "dev"}]
viewer_policy = ibm.IamServicePolicy(
    "policy",
    iam_service_id=svc_id.iam_service_id_id,
    roles=["Viewer"],
    description="IAM Service Policy",
    resource_tags=access_tags,
    transaction_id="terraformServicePolicy",
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a service ID and a Viewer policy for it.
//
// No Resources block is supplied, so - per this example's title - the grant
// covers every IAM-enabled service. Add Resources when the workload only needs
// a single service.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		svcID, err := ibm.NewIamServiceId(ctx, "serviceId", nil)
		if err != nil {
			return err
		}
		// NOTE(review): ResourceTags presumably narrows the grant to resources
		// that carry the access tag env:dev - confirm against the provider docs.
		accessTags := ibm.IamServicePolicyResourceTagArray{
			&ibm.IamServicePolicyResourceTagArgs{
				Name:  pulumi.String("env"),
				Value: pulumi.String("dev"),
			},
		}
		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			IamServiceId:  svcID.IamServiceIdId,
			Roles:         pulumi.StringArray{pulumi.String("Viewer")},
			Description:   pulumi.String("IAM Service Policy"),
			ResourceTags:  accessTags,
			TransactionId: pulumi.String("terraformServicePolicy"),
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
return await Deployment.RunAsync(() =>
{
    // Service ID (the non-human identity) that receives the policy.
    var svcId = new Ibm.IamServiceId("serviceId");

    // No Resources block is supplied, so - per this example's title - the grant
    // covers every IAM-enabled service. Add Resources when the workload only
    // needs a single service.
    // NOTE(review): ResourceTags presumably narrows the grant to resources that
    // carry the access tag env:dev - confirm against the provider reference.
    var policyArgs = new Ibm.IamServicePolicyArgs
    {
        IamServiceId = svcId.IamServiceIdId,
        Roles = new[] { "Viewer" },
        Description = "IAM Service Policy",
        ResourceTags = new[]
        {
            new Ibm.Inputs.IamServicePolicyResourceTagArgs { Name = "env", Value = "dev" },
        },
        TransactionId = "terraformServicePolicy",
    };
    var viewerPolicy = new Ibm.IamServicePolicy("policy", policyArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourceTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Declares a service ID and a Viewer policy for it. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * No resources block is supplied, so - per this example's title - the grant
     * covers every IAM-enabled service. Add one when the workload only needs a
     * single service.
     */
    public static void stack(Context ctx) {
        final var svcId = new IamServiceId("serviceId");

        // NOTE(review): resourceTags presumably narrows the grant to resources
        // that carry the access tag env:dev - confirm against the provider docs.
        final var accessTag = IamServicePolicyResourceTagArgs.builder()
            .name("env")
            .value("dev")
            .build();

        final var policyArgs = IamServicePolicyArgs.builder()
            .iamServiceId(svcId.iamServiceIdId())
            .roles("Viewer")
            .description("IAM Service Policy")
            .resourceTags(accessTag)
            .transactionId("terraformServicePolicy")
            .build();

        final var viewerPolicy = new IamServicePolicy("policy", policyArgs);
    }
}
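# Nesting restored: the flattened listing is not a valid Pulumi YAML program.
resources:
  serviceId:
    type: ibm:IamServiceId
  policy:
    type: ibm:IamServicePolicy
    properties:
      iamServiceId: ${serviceId.iamServiceIdId}
      # No `resources` block is supplied, so - per this example's title - the
      # grant covers every IAM-enabled service; add one to narrow the scope.
      roles:
        - Viewer
      description: IAM Service Policy
      # NOTE(review): presumably narrows the grant to resources that carry the
      # access tag env:dev - confirm against the provider reference.
      resourceTags:
        - name: env
          value: dev
      transactionId: terraformServicePolicy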
Service Policy using service with region
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Service ID (the non-human identity) that receives the policy.
const svcId = new ibm.IamServiceId("serviceId", {});

// Scope: every cloudantnosqldb resource in us-south (no instance is named).
const cloudantInRegion = {
    service: "cloudantnosqldb",
    region: "us-south",
};

// Manager is granted next to Viewer; keep it only if the workload needs more
// than read access to the service.
const policy = new ibm.IamServicePolicy("policy", {
    iamServiceId: svcId.iamServiceIdId,
    roles: ["Viewer", "Manager"],
    resources: cloudantInRegion,
});
import pulumi
import pulumi_ibm as ibm
# Service ID (the non-human identity) that receives the policy.
svc_id = ibm.IamServiceId("serviceId")

# Scope: every cloudantnosqldb resource in us-south (no instance is named).
cloudant_in_region = {
    "service": "cloudantnosqldb",
    "region": "us-south",
}

# Manager is granted next to Viewer; keep it only if the workload needs more
# than read access to the service.
policy = ibm.IamServicePolicy(
    "policy",
    iam_service_id=svc_id.iam_service_id_id,
    roles=["Viewer", "Manager"],
    resources=cloudant_in_region,
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a service ID and grants it Viewer and Manager on every
// cloudantnosqldb resource in us-south (no instance is named).
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		svcID, err := ibm.NewIamServiceId(ctx, "serviceId", nil)
		if err != nil {
			return err
		}
		// Manager is granted next to Viewer; keep it only if the workload
		// needs more than read access to the service.
		grantedRoles := pulumi.StringArray{
			pulumi.String("Viewer"),
			pulumi.String("Manager"),
		}
		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			IamServiceId: svcID.IamServiceIdId,
			Roles:        grantedRoles,
			Resources: &ibm.IamServicePolicyResourcesArgs{
				Service: pulumi.String("cloudantnosqldb"),
				Region:  pulumi.String("us-south"),
			},
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
return await Deployment.RunAsync(() =>
{
    // Service ID (the non-human identity) that receives the policy.
    var svcId = new Ibm.IamServiceId("serviceId");

    // Scope: every cloudantnosqldb resource in us-south (no instance is named).
    var cloudantInRegion = new Ibm.Inputs.IamServicePolicyResourcesArgs
    {
        Service = "cloudantnosqldb",
        Region = "us-south",
    };

    // Manager is granted next to Viewer; keep it only if the workload needs
    // more than read access to the service.
    var policy = new Ibm.IamServicePolicy("policy", new Ibm.IamServicePolicyArgs
    {
        IamServiceId = svcId.IamServiceIdId,
        Roles = new[] { "Viewer", "Manager" },
        Resources = cloudantInRegion,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Grants a service ID Viewer and Manager on cloudantnosqldb in us-south. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var svcId = new IamServiceId("serviceId");

        // Scope: every cloudantnosqldb resource in us-south (no instance is named).
        final var cloudantInRegion = IamServicePolicyResourcesArgs.builder()
            .service("cloudantnosqldb")
            .region("us-south")
            .build();

        // Manager is granted next to Viewer; keep it only if the workload
        // needs more than read access to the service.
        final var policy = new IamServicePolicy("policy", IamServicePolicyArgs.builder()
            .iamServiceId(svcId.iamServiceIdId())
            .roles("Viewer", "Manager")
            .resources(cloudantInRegion)
            .build());
    }
}
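# Nesting restored: the flattened listing is not a valid Pulumi YAML program.
resources:
  serviceId:
    type: ibm:IamServiceId
  policy:
    type: ibm:IamServicePolicy
    properties:
      iamServiceId: ${serviceId.iamServiceIdId}
      # Manager is granted next to Viewer; keep it only if the workload needs
      # more than read access to the service.
      roles:
        - Viewer
        - Manager
      # Scope: every cloudantnosqldb resource in us-south (no instance is named).
      resources:
        service: cloudantnosqldb
        region: us-south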
Service policy by using resource instance
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Service ID (the non-human identity) that receives the policy.
const svcId = new ibm.IamServiceId("serviceId", {});

// Key-management ("kms") instance the policy is pinned to.
const kmsInstance = new ibm.ResourceInstance("instance", {
    service: "kms",
    plan: "tiered-pricing",
    location: "us-south",
});

// Element 7 of the colon-separated instance ID is used as the policy scope.
// NOTE(review): assumes the ID always has at least eight segments - confirm.
const instanceGuid = kmsInstance.resourceInstanceId.apply(id => id.split(":")[7]);

// Administrator is granted alongside Manager and Viewer on a key-management
// instance; review whether the workload needs all three before copying this.
const policy = new ibm.IamServicePolicy("policy", {
    iamServiceId: svcId.iamServiceIdId,
    roles: ["Manager", "Viewer", "Administrator"],
    resources: {
        service: "kms",
        resourceInstanceId: instanceGuid,
    },
});
import pulumi
import pulumi_ibm as ibm
# Service ID (the non-human identity) that receives the policy.
svc_id = ibm.IamServiceId("serviceId")

# Key-management ("kms") instance the policy is pinned to.
kms_instance = ibm.ResourceInstance(
    "instance",
    service="kms",
    plan="tiered-pricing",
    location="us-south",
)

# Element 7 of the colon-separated instance ID is used as the policy scope.
# NOTE(review): assumes the ID always has at least eight segments - confirm.
instance_guid = kms_instance.resource_instance_id.apply(lambda rid: rid.split(":")[7])

# Administrator is granted alongside Manager and Viewer on a key-management
# instance; review whether the workload needs all three before copying this.
policy = ibm.IamServicePolicy(
    "policy",
    iam_service_id=svc_id.iam_service_id_id,
    roles=["Manager", "Viewer", "Administrator"],
    resources={
        "service": "kms",
        "resource_instance_id": instance_guid,
    },
)
package main
import (
	"fmt"
	"strings"

	"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
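// main declares a service ID, a key-management ("kms") instance, and a policy
// scoped to that one instance.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		serviceId, err := ibm.NewIamServiceId(ctx, "serviceId", nil)
		if err != nil {
			return err
		}
		instance, err := ibm.NewResourceInstance(ctx, "instance", &ibm.ResourceInstanceArgs{
			Service:  pulumi.String("kms"),
			Plan:     pulumi.String("tiered-pricing"),
			Location: pulumi.String("us-south"),
		})
		if err != nil {
			return err
		}
		// The other language tabs scope the policy to element 7 of the
		// colon-separated instance ID; the generated Go left a literal
		// "TODO: call element" string here instead. Failing on a short ID
		// keeps a malformed value from becoming the policy scope.
		instanceGuid := instance.ResourceInstanceId.ApplyT(func(id string) (string, error) {
			segments := strings.Split(id, ":")
			if len(segments) <= 7 {
				return "", fmt.Errorf("unexpected resource instance ID format: %q", id)
			}
			return segments[7], nil
		}).(pulumi.StringOutput)
		// Administrator is granted alongside Manager and Viewer on a
		// key-management instance; review whether the workload needs all three.
		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			IamServiceId: serviceId.IamServiceIdId,
			Roles: pulumi.StringArray{
				pulumi.String("Manager"),
				pulumi.String("Viewer"),
				pulumi.String("Administrator"),
			},
			Resources: &ibm.IamServicePolicyResourcesArgs{
				Service:            pulumi.String("kms"),
				ResourceInstanceId: instanceGuid,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}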
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
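return await Deployment.RunAsync(() =>
{
    // Service ID (the non-human identity) that receives the policy.
    var serviceId = new Ibm.IamServiceId("serviceId");

    // Key-management ("kms") instance the policy is pinned to.
    var instance = new Ibm.ResourceInstance("instance", new()
    {
        Service = "kms",
        Plan = "tiered-pricing",
        Location = "us-south",
    });

    // Administrator is granted alongside Manager and Viewer on a key-management
    // instance; review whether the workload needs all three before copying this.
    var policy = new Ibm.IamServicePolicy("policy", new()
    {
        IamServiceId = serviceId.IamServiceIdId,
        Roles = new[]
        {
            "Manager",
            "Viewer",
            "Administrator",
        },
        Resources = new Ibm.Inputs.IamServicePolicyResourcesArgs
        {
            Service = "kms",
            // The index has to be taken inside Apply: an Output<string[]> has no
            // indexer, so the generated `...Apply(...)[7]` does not compile.
            // NOTE(review): assumes the ID has at least eight ':' segments.
            ResourceInstanceId = instance.ResourceInstanceId.Apply(id => id.Split(':')[7]),
        },
    });
});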
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.ResourceInstance;
import com.pulumi.ibm.ResourceInstanceArgs;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
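/** Declares a service ID, a kms instance, and a policy scoped to that instance. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var serviceId = new IamServiceId("serviceId");

        // Key-management ("kms") instance the policy is pinned to.
        var instance = new ResourceInstance("instance", ResourceInstanceArgs.builder()
            .service("kms")
            .plan("tiered-pricing")
            .location("us-south")
            .build());

        // The index has to be taken inside applyValue: an Output<String[]> cannot
        // be subscripted, so the generated `...applyValue(...)[7]` does not compile.
        // NOTE(review): assumes the ID has at least eight ':' segments.
        var instanceGuid = instance.resourceInstanceId().applyValue(id -> id.split(":")[7]);

        // Administrator is granted alongside Manager and Viewer on a
        // key-management instance; review whether the workload needs all three.
        var policy = new IamServicePolicy("policy", IamServicePolicyArgs.builder()
            .iamServiceId(serviceId.iamServiceIdId())
            .roles(
                "Manager",
                "Viewer",
                "Administrator")
            .resources(IamServicePolicyResourcesArgs.builder()
                .service("kms")
                .resourceInstanceId(instanceGuid)
                .build())
            .build());
    }
}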
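# Nesting restored: the flattened listing is not a valid Pulumi YAML program.
resources:
  serviceId:
    type: ibm:IamServiceId
  instance:
    type: ibm:ResourceInstance
    properties:
      service: kms
      plan: tiered-pricing
      location: us-south
  policy:
    type: ibm:IamServicePolicy
    properties:
      iamServiceId: ${serviceId.iamServiceIdId}
      # Administrator is granted alongside Manager and Viewer on a
      # key-management instance; review whether the workload needs all three.
      roles:
        - Manager
        - Viewer
        - Administrator
      resources:
        service: kms
        # Element 7 of the colon-separated instance ID scopes the policy.
        # NOTE(review): confirm the argument order fn::split expects
        # (delimiter vs. source string) before relying on this.
        resourceInstanceId:
          fn::select:
            - 7
            - fn::split:
                - ${instance.resourceInstanceId}
                - ':'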
Service policy by using resource group
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Service ID (the non-human identity) that receives the policy.
const svcId = new ibm.IamServiceId("serviceId", {});

// Look the resource group up by name; the policy is limited to that group.
const defaultGroup = ibm.getResourceGroup({ name: "default" });
const defaultGroupId = defaultGroup.then(rg => rg.id);

// Viewer on containers-kubernetes, restricted to the "default" resource group.
// Anything later placed in that group falls under this grant as well.
const policy = new ibm.IamServicePolicy("policy", {
    iamServiceId: svcId.iamServiceIdId,
    roles: ["Viewer"],
    resources: {
        service: "containers-kubernetes",
        resourceGroupId: defaultGroupId,
    },
});
import pulumi
import pulumi_ibm as ibm
# Service ID (the non-human identity) that receives the policy.
svc_id = ibm.IamServiceId("serviceId")

# Look the resource group up by name; the policy is limited to that group.
default_group = ibm.get_resource_group(name="default")

# Viewer on containers-kubernetes, restricted to the "default" resource group.
# Anything later placed in that group falls under this grant as well.
group_scope = {
    "service": "containers-kubernetes",
    "resource_group_id": default_group.id,
}
policy = ibm.IamServicePolicy(
    "policy",
    iam_service_id=svc_id.iam_service_id_id,
    roles=["Viewer"],
    resources=group_scope,
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main grants a service ID Viewer on containers-kubernetes, restricted to the
// "default" resource group. Anything later placed in that group falls under
// the grant as well.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		svcID, err := ibm.NewIamServiceId(ctx, "serviceId", nil)
		if err != nil {
			return err
		}
		// Look the resource group up by name to obtain its ID.
		lookup := &ibm.LookupResourceGroupArgs{Name: pulumi.StringRef("default")}
		defaultGroup, err := ibm.LookupResourceGroup(ctx, lookup, nil)
		if err != nil {
			return err
		}
		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			IamServiceId: svcID.IamServiceIdId,
			Roles:        pulumi.StringArray{pulumi.String("Viewer")},
			Resources: &ibm.IamServicePolicyResourcesArgs{
				Service:         pulumi.String("containers-kubernetes"),
				ResourceGroupId: pulumi.String(defaultGroup.Id),
			},
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
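return await Deployment.RunAsync(() =>
{
    // Service ID (the non-human identity) that receives the policy.
    var serviceId = new Ibm.IamServiceId("serviceId");

    // Look the resource group up by name; the policy is limited to that group.
    var @group = Ibm.GetResourceGroup.Invoke(new()
    {
        Name = "default",
    });

    // Viewer on containers-kubernetes, restricted to the "default" resource
    // group. Anything later placed in that group falls under this grant too.
    var policy = new Ibm.IamServicePolicy("policy", new()
    {
        IamServiceId = serviceId.IamServiceIdId,
        Roles = new[]
        {
            "Viewer",
        },
        Resources = new Ibm.Inputs.IamServicePolicyResourcesArgs
        {
            Service = "containers-kubernetes",
            // One Apply is enough: the generated nested Apply called Apply on
            // the already-unwrapped lookup result.
            ResourceGroupId = @group.Apply(result => result.Id),
        },
    });
});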
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.IbmFunctions;
import com.pulumi.ibm.inputs.GetResourceGroupArgs;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Grants a service ID Viewer on containers-kubernetes in one resource group. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var svcId = new IamServiceId("serviceId");

        // Look the resource group up by name; the policy is limited to that group.
        final var defaultGroup = IbmFunctions.getResourceGroup(GetResourceGroupArgs.builder()
            .name("default")
            .build());
        final var defaultGroupId = defaultGroup.applyValue(found -> found.id());

        // Anything later placed in the "default" group falls under this grant too.
        final var groupScope = IamServicePolicyResourcesArgs.builder()
            .service("containers-kubernetes")
            .resourceGroupId(defaultGroupId)
            .build();

        final var policy = new IamServicePolicy("policy", IamServicePolicyArgs.builder()
            .iamServiceId(svcId.iamServiceIdId())
            .roles("Viewer")
            .resources(groupScope)
            .build());
    }
}
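# Nesting restored: the flattened listing is not a valid Pulumi YAML program.
resources:
  serviceId:
    type: ibm:IamServiceId
  policy:
    type: ibm:IamServicePolicy
    properties:
      iamServiceId: ${serviceId.iamServiceIdId}
      roles:
        - Viewer
      # Viewer on containers-kubernetes, restricted to the "default" resource
      # group. Anything later placed in that group falls under this grant too.
      resources:
        service: containers-kubernetes
        resourceGroupId: ${group.id}
variables:
  # Resource group looked up by name to obtain its ID.
  group:
    fn::invoke:
      function: ibm:getResourceGroup
      arguments:
        name: default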
Service policy by using resource and resource type
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Service ID (the non-human identity) that receives the policy.
const svcId = new ibm.IamServiceId("serviceId", {});

// Resolve the "default" resource group; its ID is the policy target.
const defaultGroup = ibm.getResourceGroup({ name: "default" });
const defaultGroupId = defaultGroup.then(rg => rg.id);

// Administrator is the highest platform role and is granted here on the
// resource group named by `resource`.
// NOTE(review): with resourceType "resource-group" the grant presumably covers
// managing the group itself rather than the services in it - confirm.
const policy = new ibm.IamServicePolicy("policy", {
    iamServiceId: svcId.iamServiceIdId,
    roles: ["Administrator"],
    resources: {
        resourceType: "resource-group",
        resource: defaultGroupId,
    },
});
import pulumi
import pulumi_ibm as ibm
# Service ID (the non-human identity) that receives the policy.
svc_id = ibm.IamServiceId("serviceId")

# Resolve the "default" resource group; its ID is the policy target.
default_group = ibm.get_resource_group(name="default")

# Administrator is the highest platform role and is granted here on the
# resource group named by `resource`.
# NOTE(review): with resource_type "resource-group" the grant presumably covers
# managing the group itself rather than the services in it - confirm.
group_target = {
    "resource_type": "resource-group",
    "resource": default_group.id,
}
policy = ibm.IamServicePolicy(
    "policy",
    iam_service_id=svc_id.iam_service_id_id,
    roles=["Administrator"],
    resources=group_target,
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main grants a service ID Administrator - the highest platform role - on the
// "default" resource group.
//
// NOTE(review): with ResourceType "resource-group" the grant presumably covers
// managing the group itself rather than the services in it - confirm.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		svcID, err := ibm.NewIamServiceId(ctx, "serviceId", nil)
		if err != nil {
			return err
		}
		// Resolve the group by name; its ID is the policy target.
		lookup := &ibm.LookupResourceGroupArgs{Name: pulumi.StringRef("default")}
		defaultGroup, err := ibm.LookupResourceGroup(ctx, lookup, nil)
		if err != nil {
			return err
		}
		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			IamServiceId: svcID.IamServiceIdId,
			Roles:        pulumi.StringArray{pulumi.String("Administrator")},
			Resources: &ibm.IamServicePolicyResourcesArgs{
				ResourceType: pulumi.String("resource-group"),
				Resource:     pulumi.String(defaultGroup.Id),
			},
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
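return await Deployment.RunAsync(() =>
{
    // Service ID (the non-human identity) that receives the policy.
    var serviceId = new Ibm.IamServiceId("serviceId");

    // Resolve the "default" resource group; its ID is the policy target.
    var @group = Ibm.GetResourceGroup.Invoke(new()
    {
        Name = "default",
    });

    // Administrator is the highest platform role and is granted here on the
    // resource group named by Resource.
    // NOTE(review): with ResourceType "resource-group" the grant presumably
    // covers managing the group itself rather than the services in it - confirm.
    var policy = new Ibm.IamServicePolicy("policy", new()
    {
        IamServiceId = serviceId.IamServiceIdId,
        Roles = new[]
        {
            "Administrator",
        },
        Resources = new Ibm.Inputs.IamServicePolicyResourcesArgs
        {
            ResourceType = "resource-group",
            // One Apply is enough: the generated nested Apply called Apply on
            // the already-unwrapped lookup result.
            Resource = @group.Apply(result => result.Id),
        },
    });
});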
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.IbmFunctions;
import com.pulumi.ibm.inputs.GetResourceGroupArgs;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Grants a service ID Administrator on the "default" resource group. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var svcId = new IamServiceId("serviceId");

        // Resolve the group by name; its ID is the policy target.
        final var defaultGroup = IbmFunctions.getResourceGroup(GetResourceGroupArgs.builder()
            .name("default")
            .build());
        final var defaultGroupId = defaultGroup.applyValue(found -> found.id());

        // Administrator is the highest platform role.
        // NOTE(review): with resourceType "resource-group" the grant presumably
        // covers managing the group itself rather than the services in it.
        final var groupTarget = IamServicePolicyResourcesArgs.builder()
            .resourceType("resource-group")
            .resource(defaultGroupId)
            .build();

        final var policy = new IamServicePolicy("policy", IamServicePolicyArgs.builder()
            .iamServiceId(svcId.iamServiceIdId())
            .roles("Administrator")
            .resources(groupTarget)
            .build());
    }
}
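# Nesting restored: the flattened listing is not a valid Pulumi YAML program.
resources:
  serviceId:
    type: ibm:IamServiceId
  policy:
    type: ibm:IamServicePolicy
    properties:
      iamServiceId: ${serviceId.iamServiceIdId}
      # Administrator is the highest platform role.
      roles:
        - Administrator
      # NOTE(review): with resourceType "resource-group" the grant presumably
      # covers managing the group itself rather than the services in it.
      resources:
        resourceType: resource-group
        resource: ${group.id}
variables:
  # Resource group looked up by name; its ID is the policy target.
  group:
    fn::invoke:
      function: ibm:getResourceGroup
      arguments:
        name: default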
Service policy by using attributes
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Service ID (the non-human identity) that receives the policy.
const svcId = new ibm.IamServiceId("serviceId", {});

// This lookup is not referenced by the policy below; it can be dropped.
const defaultGroup = ibm.getResourceGroup({ name: "default" });

// vpcId "*" is a wildcard, so Administrator applies to every VPC under the
// "is" service. Use a specific VPC ID when the workload manages a single VPC.
const allVpcs = {
    service: "is",
    attributes: { vpcId: "*" },
};
const policy = new ibm.IamServicePolicy("policy", {
    iamServiceId: svcId.iamServiceIdId,
    roles: ["Administrator"],
    resources: allVpcs,
});
import pulumi
import pulumi_ibm as ibm
# Service ID (the non-human identity) that receives the policy.
svc_id = ibm.IamServiceId("serviceId")

# This lookup is not referenced by the policy below; it can be dropped.
default_group = ibm.get_resource_group(name="default")

# vpcId "*" is a wildcard, so Administrator applies to every VPC under the
# "is" service. Use a specific VPC ID when the workload manages a single VPC.
all_vpcs = {
    "service": "is",
    "attributes": {"vpcId": "*"},
}
policy = ibm.IamServicePolicy(
    "policy",
    iam_service_id=svc_id.iam_service_id_id,
    roles=["Administrator"],
    resources=all_vpcs,
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main grants a service ID Administrator on the "is" service with the
// attribute vpcId set to "*".
//
// "*" is a wildcard, so the grant applies to every VPC; use a specific VPC ID
// when the workload manages a single VPC.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		svcID, err := ibm.NewIamServiceId(ctx, "serviceId", nil)
		if err != nil {
			return err
		}
		// The lookup result is discarded and the policy does not use it; the
		// call can be dropped.
		lookup := &ibm.LookupResourceGroupArgs{Name: pulumi.StringRef("default")}
		if _, err = ibm.LookupResourceGroup(ctx, lookup, nil); err != nil {
			return err
		}
		allVpcs := &ibm.IamServicePolicyResourcesArgs{
			Service:    pulumi.String("is"),
			Attributes: pulumi.StringMap{"vpcId": pulumi.String("*")},
		}
		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			IamServiceId: svcID.IamServiceIdId,
			Roles:        pulumi.StringArray{pulumi.String("Administrator")},
			Resources:    allVpcs,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
return await Deployment.RunAsync(() =>
{
    // Service ID (the non-human identity) that receives the policy.
    var svcId = new Ibm.IamServiceId("serviceId");

    // This lookup is not referenced by the policy below; it can be dropped.
    var defaultGroup = Ibm.GetResourceGroup.Invoke(new()
    {
        Name = "default",
    });

    // vpcId "*" is a wildcard, so Administrator applies to every VPC under the
    // "is" service. Use a specific VPC ID when the workload manages one VPC.
    var allVpcs = new Ibm.Inputs.IamServicePolicyResourcesArgs
    {
        Service = "is",
        Attributes =
        {
            { "vpcId", "*" },
        },
    };

    var policy = new Ibm.IamServicePolicy("policy", new Ibm.IamServicePolicyArgs
    {
        IamServiceId = svcId.IamServiceIdId,
        Roles = new[] { "Administrator" },
        Resources = allVpcs,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.IbmFunctions;
import com.pulumi.ibm.inputs.GetResourceGroupArgs;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Grants a service ID Administrator on the "is" service for vpcId "*". */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var svcId = new IamServiceId("serviceId");

        // This lookup is not referenced by the policy below; it can be dropped.
        final var defaultGroup = IbmFunctions.getResourceGroup(GetResourceGroupArgs.builder()
            .name("default")
            .build());

        // vpcId "*" is a wildcard, so the grant applies to every VPC; use a
        // specific VPC ID when the workload manages a single VPC.
        final var allVpcs = IamServicePolicyResourcesArgs.builder()
            .service("is")
            .attributes(Map.of("vpcId", "*"))
            .build();

        final var policy = new IamServicePolicy("policy", IamServicePolicyArgs.builder()
            .iamServiceId(svcId.iamServiceIdId())
            .roles("Administrator")
            .resources(allVpcs)
            .build());
    }
}
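# Nesting restored: the flattened listing is not a valid Pulumi YAML program.
resources:
  serviceId:
    type: ibm:IamServiceId
  policy:
    type: ibm:IamServicePolicy
    properties:
      iamServiceId: ${serviceId.iamServiceIdId}
      roles:
        - Administrator
      # vpcId '*' is a wildcard, so Administrator applies to every VPC under
      # the "is" service. Use a specific VPC ID to narrow the grant.
      resources:
        service: is
        attributes:
          vpcId: '*'
variables:
  # Not referenced by the policy above; this lookup can be dropped.
  group:
    fn::invoke:
      function: ibm:getResourceGroup
      arguments:
        name: default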
Cross account service policy by using iam_id
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
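// API keys are read from encrypted stack configuration instead of being
// written into the program. The key names are examples; set them with
// `pulumi config set --secret accountAApiKey <value>` (and likewise for B).
const cfg = new pulumi.Config();

// Account A owns the service ID.
const accA = new ibm.Provider("accA", {ibmcloudApiKey: cfg.requireSecret("accountAApiKey")});
const serviceId = new ibm.IamServiceId("serviceId", {}, {
    // Reference the provider resource declared above; `ibm.accA` is not an
    // export of the SDK module.
    provider: accA,
});

// Account B owns the resources and creates the policy for A's service ID.
const accB = new ibm.Provider("accB", {ibmcloudApiKey: cfg.requireSecret("accountBApiKey")});

// No instance is named, so Reader covers every cloud-object-storage resource
// in account B for an identity controlled by account A. Narrow the scope to
// the instance that is actually shared.
const policy = new ibm.IamServicePolicy("policy", {
    iamId: serviceId.iamId,
    roles: ["Reader"],
    resources: {
        service: "cloud-object-storage",
    },
}, {
    provider: accB,
});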
import pulumi
import pulumi_ibm as ibm
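# API keys are read from encrypted stack configuration instead of being written
# into the program. The key names are examples; set them with
# `pulumi config set --secret accountAApiKey <value>` (and likewise for B).
cfg = pulumi.Config()

# Account A owns the service ID.
acc_a = ibm.Provider("accA", ibmcloud_api_key=cfg.require_secret("accountAApiKey"))
# Pass the provider object declared above; the SDK module itself cannot be
# subscripted as `ibm["accA"]`.
service_id = ibm.IamServiceId("serviceId", opts=pulumi.ResourceOptions(provider=acc_a))

# Account B owns the resources and creates the policy for A's service ID.
acc_b = ibm.Provider("accB", ibmcloud_api_key=cfg.require_secret("accountBApiKey"))

# No instance is named, so Reader covers every cloud-object-storage resource in
# account B for an identity controlled by account A. Narrow the scope to the
# instance that is actually shared.
policy = ibm.IamServicePolicy("policy",
    iam_id=service_id.iam_id,
    roles=["Reader"],
    resources={
        "service": "cloud-object-storage",
    },
    opts=pulumi.ResourceOptions(provider=acc_b))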
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
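// main creates a service ID in account A and, using account B's credentials,
// a policy in account B that targets that service ID by its IAM ID.
//
// The API key strings are placeholders. Supply real keys from encrypted stack
// configuration or the environment rather than committing them to source.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the provider handles: the generated code discarded them and
		// then referred to ibm.AccA / ibm.AccB, which this program never defines.
		accA, err := ibm.NewProvider(ctx, "accA", &ibm.ProviderArgs{
			IbmcloudApiKey: pulumi.String("Account A Api Key"),
		})
		if err != nil {
			return err
		}
		serviceId, err := ibm.NewIamServiceId(ctx, "serviceId", nil, pulumi.Provider(accA))
		if err != nil {
			return err
		}
		accB, err := ibm.NewProvider(ctx, "accB", &ibm.ProviderArgs{
			IbmcloudApiKey: pulumi.String("Account B Api Key"),
		})
		if err != nil {
			return err
		}
		// No instance is named, so Reader covers every cloud-object-storage
		// resource in account B for an identity controlled by account A.
		// Narrow the scope to the instance that is actually shared.
		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			IamId: serviceId.IamId,
			Roles: pulumi.StringArray{
				pulumi.String("Reader"),
			},
			Resources: &ibm.IamServicePolicyResourcesArgs{
				Service: pulumi.String("cloud-object-storage"),
			},
		}, pulumi.Provider(accB))
		if err != nil {
			return err
		}
		return nil
	})
}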
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
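return await Deployment.RunAsync(() =>
{
    // API keys are read from encrypted stack configuration instead of being
    // written into the program. The key names are examples; set them with
    // `pulumi config set --secret accountAApiKey <value>` (and likewise for B).
    var cfg = new Config();

    // Account A owns the service ID.
    var accA = new Ibm.Provider("accA", new()
    {
        IbmcloudApiKey = cfg.RequireSecret("accountAApiKey"),
    });

    var serviceId = new Ibm.IamServiceId("serviceId", new()
    {
    }, new CustomResourceOptions
    {
        // Reference the provider declared above; `ibm.AccA` is not defined.
        Provider = accA,
    });

    // Account B owns the resources and creates the policy for A's service ID.
    var accB = new Ibm.Provider("accB", new()
    {
        IbmcloudApiKey = cfg.RequireSecret("accountBApiKey"),
    });

    // No instance is named, so Reader covers every cloud-object-storage
    // resource in account B for an identity controlled by account A. Narrow
    // the scope to the instance that is actually shared.
    var policy = new Ibm.IamServicePolicy("policy", new()
    {
        IamId = serviceId.IamId,
        Roles = new[]
        {
            "Reader",
        },
        Resources = new Ibm.Inputs.IamServicePolicyResourcesArgs
        {
            Service = "cloud-object-storage",
        },
    }, new CustomResourceOptions
    {
        Provider = accB,
    });
});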
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.Provider;
import com.pulumi.ibm.ProviderArgs;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.IamServiceIdArgs;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourcesArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
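/**
 * Creates a service ID in account A and, with account B's credentials, a
 * policy in account B that targets that service ID by its IAM ID.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // API keys are read from encrypted stack configuration instead of being
        // written into the program. The key names are examples; set them with
        // `pulumi config set --secret accountAApiKey <value>` (likewise for B).
        var cfg = ctx.config();

        // Account A owns the service ID.
        var accA = new Provider("accA", ProviderArgs.builder()
            .ibmcloudApiKey(cfg.requireSecret("accountAApiKey"))
            .build());

        // Reference the provider declared above; `ibm.accA()` is not defined.
        var serviceId = new IamServiceId("serviceId", IamServiceIdArgs.Empty, CustomResourceOptions.builder()
            .provider(accA)
            .build());

        // Account B owns the resources and creates the policy.
        var accB = new Provider("accB", ProviderArgs.builder()
            .ibmcloudApiKey(cfg.requireSecret("accountBApiKey"))
            .build());

        // No instance is named, so Reader covers every cloud-object-storage
        // resource in account B for an identity controlled by account A.
        // Narrow the scope to the instance that is actually shared.
        var policy = new IamServicePolicy("policy", IamServicePolicyArgs.builder()
            .iamId(serviceId.iamId())
            .roles("Reader")
            .resources(IamServicePolicyResourcesArgs.builder()
                .service("cloud-object-storage")
                .build())
            .build(), CustomResourceOptions.builder()
                .provider(accB)
                .build());
    }
}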
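# Nesting restored: the flattened listing is not a valid Pulumi YAML program.
# API keys come from encrypted stack configuration rather than literals in the
# program. The key names are examples; set them with
# `pulumi config set --secret accountAApiKey <value>` (and likewise for B).
config:
  accountAApiKey:
    type: string
    secret: true
  accountBApiKey:
    type: string
    secret: true
resources:
  # Account A owns the service ID.
  accA:
    type: pulumi:providers:ibm
    properties:
      ibmcloudApiKey: ${accountAApiKey}
  serviceId:
    type: ibm:IamServiceId
    options:
      # Reference the provider resource declared above by its own name.
      provider: ${accA}
  # Account B owns the resources and creates the policy for A's service ID.
  accB:
    type: pulumi:providers:ibm
    properties:
      ibmcloudApiKey: ${accountBApiKey}
  policy:
    type: ibm:IamServicePolicy
    properties:
      iamId: ${serviceId.iamId}
      roles:
        - Reader
      # No instance is named, so Reader covers every cloud-object-storage
      # resource in account B. Narrow the scope to what is actually shared.
      resources:
        service: cloud-object-storage
    options:
      provider: ${accB}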
Service policy by using resource_attributes
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Service ID (the non-human identity) that receives the policy.
const svcId = new ibm.IamServiceId("serviceId", {});

// stringMatch with a trailing "*" selects by name prefix, so any messagehub
// resource named "test123..." is covered - including ones created later.
// The scope is only as tight as control over who may pick resource names.
const byNamePrefix = {
    name: "resource",
    value: "test123*",
    operator: "stringMatch",
};
// No operator is given here.
// NOTE(review): presumably an exact match by default - confirm.
const byService = {
    name: "serviceName",
    value: "messagehub",
};

const policy = new ibm.IamServicePolicy("policy", {
    iamServiceId: svcId.iamServiceIdId,
    roles: ["Viewer"],
    resourceAttributes: [byNamePrefix, byService],
});
import pulumi
import pulumi_ibm as ibm
# Service ID (the non-human identity) that receives the policy.
svc_id = ibm.IamServiceId("serviceId")

# stringMatch with a trailing "*" selects by name prefix, so any messagehub
# resource named "test123..." is covered - including ones created later.
# The scope is only as tight as control over who may pick resource names.
by_name_prefix = {
    "name": "resource",
    "value": "test123*",
    "operator": "stringMatch",
}
# No operator is given here.
# NOTE(review): presumably an exact match by default - confirm.
by_service = {
    "name": "serviceName",
    "value": "messagehub",
}

policy = ibm.IamServicePolicy(
    "policy",
    iam_service_id=svc_id.iam_service_id_id,
    roles=["Viewer"],
    resource_attributes=[by_name_prefix, by_service],
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main grants a service ID Viewer on messagehub resources whose name matches
// the pattern "test123*".
//
// stringMatch with a trailing "*" selects by name prefix, so resources created
// later with a matching name are covered too. The scope is only as tight as
// control over who may pick resource names.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		svcID, err := ibm.NewIamServiceId(ctx, "serviceId", nil)
		if err != nil {
			return err
		}
		byNamePrefix := &ibm.IamServicePolicyResourceAttributeArgs{
			Name:     pulumi.String("resource"),
			Value:    pulumi.String("test123*"),
			Operator: pulumi.String("stringMatch"),
		}
		// No operator is given here.
		// NOTE(review): presumably an exact match by default - confirm.
		byService := &ibm.IamServicePolicyResourceAttributeArgs{
			Name:  pulumi.String("serviceName"),
			Value: pulumi.String("messagehub"),
		}
		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			IamServiceId:       svcID.IamServiceIdId,
			Roles:              pulumi.StringArray{pulumi.String("Viewer")},
			ResourceAttributes: ibm.IamServicePolicyResourceAttributeArray{byNamePrefix, byService},
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
return await Deployment.RunAsync(() =>
{
    // Service ID (the non-human identity) that receives the policy.
    var svcId = new Ibm.IamServiceId("serviceId");

    // stringMatch with a trailing "*" selects by name prefix, so any messagehub
    // resource named "test123..." is covered - including ones created later.
    // The scope is only as tight as control over who may pick resource names.
    var byNamePrefix = new Ibm.Inputs.IamServicePolicyResourceAttributeArgs
    {
        Name = "resource",
        Value = "test123*",
        Operator = "stringMatch",
    };

    // No operator is given here.
    // NOTE(review): presumably an exact match by default - confirm.
    var byService = new Ibm.Inputs.IamServicePolicyResourceAttributeArgs
    {
        Name = "serviceName",
        Value = "messagehub",
    };

    var policy = new Ibm.IamServicePolicy("policy", new Ibm.IamServicePolicyArgs
    {
        IamServiceId = svcId.IamServiceIdId,
        Roles = new[] { "Viewer" },
        ResourceAttributes = new[] { byNamePrefix, byService },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourceAttributeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Grants a service ID Viewer on messagehub resources matching "test123*". */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var svcId = new IamServiceId("serviceId");

        // stringMatch with a trailing "*" selects by name prefix, so resources
        // created later with a matching name are covered too. The scope is only
        // as tight as control over who may pick resource names.
        final var byNamePrefix = IamServicePolicyResourceAttributeArgs.builder()
            .name("resource")
            .value("test123*")
            .operator("stringMatch")
            .build();

        // No operator is given here.
        // NOTE(review): presumably an exact match by default - confirm.
        final var byService = IamServicePolicyResourceAttributeArgs.builder()
            .name("serviceName")
            .value("messagehub")
            .build();

        final var policy = new IamServicePolicy("policy", IamServicePolicyArgs.builder()
            .iamServiceId(svcId.iamServiceIdId())
            .roles("Viewer")
            .resourceAttributes(byNamePrefix, byService)
            .build());
    }
}
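# Nesting restored: the flattened listing is not a valid Pulumi YAML program.
resources:
  serviceId:
    type: ibm:IamServiceId
  policy:
    type: ibm:IamServicePolicy
    properties:
      iamServiceId: ${serviceId.iamServiceIdId}
      roles:
        - Viewer
      resourceAttributes:
        # stringMatch with a trailing "*" selects by name prefix, so resources
        # created later with a matching name are covered too.
        - name: resource
          value: test123*
          operator: stringMatch
        # No operator is given here.
        # NOTE(review): presumably an exact match by default - confirm.
        - name: serviceName
          value: messagehub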
Service Policy using service_type with region
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Service ID (the non-human identity) that receives the policy.
const svcId = new ibm.IamServiceId("serviceId", {});

// serviceType selects a whole category of services instead of one service
// name, so this Viewer grant is broad within us-south.
// NOTE(review): confirm which services the "service" type covers.
const regionWideScope = {
    serviceType: "service",
    region: "us-south",
};
const policy = new ibm.IamServicePolicy("policy", {
    iamServiceId: svcId.iamServiceIdId,
    roles: ["Viewer"],
    resources: regionWideScope,
});
import pulumi
import pulumi_ibm as ibm
# Service ID (the non-human identity) that receives the policy.
svc_id = ibm.IamServiceId("serviceId")

# service_type selects a whole category of services instead of one service
# name, so this Viewer grant is broad within us-south.
# NOTE(review): confirm which services the "service" type covers.
region_wide_scope = {
    "service_type": "service",
    "region": "us-south",
}
policy = ibm.IamServicePolicy(
    "policy",
    iam_service_id=svc_id.iam_service_id_id,
    roles=["Viewer"],
    resources=region_wide_scope,
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main grants a service ID Viewer on the service type "service" in us-south.
//
// ServiceType selects a whole category of services instead of one service
// name, so the grant is broad within the region.
// NOTE(review): confirm which services the "service" type covers.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		svcID, err := ibm.NewIamServiceId(ctx, "serviceId", nil)
		if err != nil {
			return err
		}
		regionWideScope := &ibm.IamServicePolicyResourcesArgs{
			ServiceType: pulumi.String("service"),
			Region:      pulumi.String("us-south"),
		}
		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			IamServiceId: svcID.IamServiceIdId,
			Roles:        pulumi.StringArray{pulumi.String("Viewer")},
			Resources:    regionWideScope,
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
return await Deployment.RunAsync(() =>
{
    // Service ID (the non-human identity) that receives the policy.
    var svcId = new Ibm.IamServiceId("serviceId");

    // ServiceType selects a whole category of services instead of one service
    // name, so this Viewer grant is broad within us-south.
    // NOTE(review): confirm which services the "service" type covers.
    var regionWideScope = new Ibm.Inputs.IamServicePolicyResourcesArgs
    {
        ServiceType = "service",
        Region = "us-south",
    };

    var policy = new Ibm.IamServicePolicy("policy", new Ibm.IamServicePolicyArgs
    {
        IamServiceId = svcId.IamServiceIdId,
        Roles = new[] { "Viewer" },
        Resources = regionWideScope,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourcesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Grants a service ID Viewer on the service type "service" in us-south. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var svcId = new IamServiceId("serviceId");

        // serviceType selects a whole category of services instead of one
        // service name, so the grant is broad within the region.
        // NOTE(review): confirm which services the "service" type covers.
        final var regionWideScope = IamServicePolicyResourcesArgs.builder()
            .serviceType("service")
            .region("us-south")
            .build();

        final var policy = new IamServicePolicy("policy", IamServicePolicyArgs.builder()
            .iamServiceId(svcId.iamServiceIdId())
            .roles("Viewer")
            .resources(regionWideScope)
            .build());
    }
}
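# Nesting restored: the flattened listing is not a valid Pulumi YAML program.
resources:
  serviceId:
    type: ibm:IamServiceId
  policy:
    type: ibm:IamServicePolicy
    properties:
      iamServiceId: ${serviceId.iamServiceIdId}
      roles:
        - Viewer
      # serviceType selects a whole category of services instead of one service
      # name, so this Viewer grant is broad within us-south.
      # NOTE(review): confirm which services the "service" type covers.
      resources:
        serviceType: service
        region: us-south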
Service Policy by using service and rule_conditions
rule_conditions can be used in conjunction with pattern and rule_operator to implement service policies with time-based conditions. For more information, see Limiting access with time-based conditions. Note: Currently, a policy resource that was created without rule_conditions, pattern, and rule_operator cannot be updated to include those conditions.
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Service ID (the non-human identity) that receives the policy.
const svcId = new ibm.IamServiceId("serviceId", {});

// Time window for the grant. Every value carries a +00:00 offset, so the
// window is expressed in UTC rather than local time.
// NOTE(review): confirm which weekdays the numbers 1-4 denote.
const allowedDays = {
    key: "{{environment.attributes.day_of_week}}",
    operator: "dayOfWeekAnyOf",
    values: ["1+00:00", "2+00:00", "3+00:00", "4+00:00"],
};
const notBefore = {
    key: "{{environment.attributes.current_time}}",
    operator: "timeGreaterThanOrEquals",
    values: ["09:00:00+00:00"],
};
const notAfter = {
    key: "{{environment.attributes.current_time}}",
    operator: "timeLessThanOrEquals",
    values: ["17:00:00+00:00"],
};

// ruleOperator "and" requires all three conditions to hold at once, which
// limits Viewer on kms to the listed days between 09:00 and 17:00.
const policy = new ibm.IamServicePolicy("policy", {
    iamServiceId: svcId.iamServiceIdId,
    roles: ["Viewer"],
    resources: { service: "kms" },
    ruleConditions: [allowedDays, notBefore, notAfter],
    ruleOperator: "and",
    pattern: "time-based-conditions:weekly:custom-hours",
});
import pulumi
import pulumi_ibm as ibm
# Viewer access to the "kms" service that only applies inside a weekly time window.
service_id = ibm.IamServiceId("serviceId")

# Days on which the policy applies. The "+00:00" suffix is a UTC offset.
# NOTE(review): days 1-4 read as Monday-Thursday if the numbering is ISO 8601;
# confirm against the time-based conditions documentation.
allowed_days = {
    "key": "{{environment.attributes.day_of_week}}",
    "operator": "dayOfWeekAnyOf",
    "values": ["1+00:00", "2+00:00", "3+00:00", "4+00:00"],
}

# Start and end of the daily window, both expressed in UTC.
not_before = {
    "key": "{{environment.attributes.current_time}}",
    "operator": "timeGreaterThanOrEquals",
    "values": ["09:00:00+00:00"],
}
not_after = {
    "key": "{{environment.attributes.current_time}}",
    "operator": "timeLessThanOrEquals",
    "values": ["17:00:00+00:00"],
}

policy = ibm.IamServicePolicy(
    "policy",
    iam_service_id=service_id.iam_service_id_id,
    roles=["Viewer"],
    resources={"service": "kms"},
    rule_conditions=[allowed_days, not_before, not_after],
    # "and": every condition must hold, so access needs an allowed day AND an
    # allowed time. Switching this to "or" would widen the window considerably.
    rule_operator="and",
    pattern="time-based-conditions:weekly:custom-hours",
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a service ID and a Viewer policy on the "kms" service that
// only applies inside a weekly time window.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		serviceId, err := ibm.NewIamServiceId(ctx, "serviceId", nil)
		if err != nil {
			return err
		}

		// The "+00:00" suffix on every value is a UTC offset.
		// NOTE(review): days 1-4 read as Monday-Thursday if the numbering is
		// ISO 8601; confirm against the time-based conditions documentation.
		window := ibm.IamServicePolicyRuleConditionArray{
			&ibm.IamServicePolicyRuleConditionArgs{
				Key:      pulumi.String("{{environment.attributes.day_of_week}}"),
				Operator: pulumi.String("dayOfWeekAnyOf"),
				Values: pulumi.StringArray{
					pulumi.String("1+00:00"),
					pulumi.String("2+00:00"),
					pulumi.String("3+00:00"),
					pulumi.String("4+00:00"),
				},
			},
			&ibm.IamServicePolicyRuleConditionArgs{
				Key:      pulumi.String("{{environment.attributes.current_time}}"),
				Operator: pulumi.String("timeGreaterThanOrEquals"),
				Values:   pulumi.StringArray{pulumi.String("09:00:00+00:00")},
			},
			&ibm.IamServicePolicyRuleConditionArgs{
				Key:      pulumi.String("{{environment.attributes.current_time}}"),
				Operator: pulumi.String("timeLessThanOrEquals"),
				Values:   pulumi.StringArray{pulumi.String("17:00:00+00:00")},
			},
		}

		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			IamServiceId: serviceId.IamServiceIdId,
			Roles:        pulumi.StringArray{pulumi.String("Viewer")},
			Resources: &ibm.IamServicePolicyResourcesArgs{
				Service: pulumi.String("kms"),
			},
			RuleConditions: window,
			// "and": every condition must hold; "or" would widen the window.
			RuleOperator: pulumi.String("and"),
			Pattern:      pulumi.String("time-based-conditions:weekly:custom-hours"),
		})
		// err is nil on success, so returning it directly covers both outcomes.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
// Viewer access to the "kms" service that only applies inside a weekly time window.
return await Deployment.RunAsync(() =>
{
    var serviceId = new Ibm.IamServiceId("serviceId");

    // The "+00:00" suffix on every value is a UTC offset.
    // NOTE(review): days 1-4 read as Monday-Thursday if the numbering is
    // ISO 8601; confirm against the time-based conditions documentation.
    var window = new[]
    {
        new Ibm.Inputs.IamServicePolicyRuleConditionArgs
        {
            Key = "{{environment.attributes.day_of_week}}",
            Operator = "dayOfWeekAnyOf",
            Values = new[] { "1+00:00", "2+00:00", "3+00:00", "4+00:00" },
        },
        new Ibm.Inputs.IamServicePolicyRuleConditionArgs
        {
            Key = "{{environment.attributes.current_time}}",
            Operator = "timeGreaterThanOrEquals",
            Values = new[] { "09:00:00+00:00" },
        },
        new Ibm.Inputs.IamServicePolicyRuleConditionArgs
        {
            Key = "{{environment.attributes.current_time}}",
            Operator = "timeLessThanOrEquals",
            Values = new[] { "17:00:00+00:00" },
        },
    };

    var policy = new Ibm.IamServicePolicy("policy", new()
    {
        IamServiceId = serviceId.IamServiceIdId,
        Roles = new[] { "Viewer" },
        Resources = new Ibm.Inputs.IamServicePolicyResourcesArgs
        {
            Service = "kms",
        },
        RuleConditions = window,
        // "and": every condition must hold; "or" would widen the window.
        RuleOperator = "and",
        Pattern = "time-based-conditions:weekly:custom-hours",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourcesArgs;
import com.pulumi.ibm.inputs.IamServicePolicyRuleConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a service ID and a Viewer policy on the "kms" service that only
     * applies inside a weekly time window.
     *
     * @param ctx Pulumi deployment context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        final var serviceId = new IamServiceId("serviceId");

        // The "+00:00" suffix on every value is a UTC offset.
        // NOTE(review): days 1-4 read as Monday-Thursday if the numbering is
        // ISO 8601; confirm against the time-based conditions documentation.
        final var allowedDays = IamServicePolicyRuleConditionArgs.builder()
            .key("{{environment.attributes.day_of_week}}")
            .operator("dayOfWeekAnyOf")
            .values("1+00:00", "2+00:00", "3+00:00", "4+00:00")
            .build();
        final var notBefore = IamServicePolicyRuleConditionArgs.builder()
            .key("{{environment.attributes.current_time}}")
            .operator("timeGreaterThanOrEquals")
            .values("09:00:00+00:00")
            .build();
        final var notAfter = IamServicePolicyRuleConditionArgs.builder()
            .key("{{environment.attributes.current_time}}")
            .operator("timeLessThanOrEquals")
            .values("17:00:00+00:00")
            .build();

        final var policy = new IamServicePolicy("policy", IamServicePolicyArgs.builder()
            .iamServiceId(serviceId.iamServiceIdId())
            .roles("Viewer")
            .resources(IamServicePolicyResourcesArgs.builder()
                .service("kms")
                .build())
            .ruleConditions(allowedDays, notBefore, notAfter)
            // "and": every condition must hold; "or" would widen the window.
            .ruleOperator("and")
            .pattern("time-based-conditions:weekly:custom-hours")
            .build());
    }
}
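# Viewer access to the "kms" service that only applies inside a weekly time window.
# Nesting restored: without indentation the mapping is flat and does not parse
# as intended. Time values are quoted so no YAML loader can read them as
# anything but strings.
resources:
  serviceId:
    type: ibm:IamServiceId
  policy:
    type: ibm:IamServicePolicy
    properties:
      iamServiceId: ${serviceId.iamServiceIdId}
      roles:
        - Viewer
      resources:
        service: kms
      ruleConditions:
        # Allowed days; "+00:00" is a UTC offset.
        # NOTE(review): days 1-4 read as Monday-Thursday if the numbering is
        # ISO 8601; confirm against the time-based conditions documentation.
        - key: '{{environment.attributes.day_of_week}}'
          operator: dayOfWeekAnyOf
          values:
            - "1+00:00"
            - "2+00:00"
            - "3+00:00"
            - "4+00:00"
        # Daily window, 09:00 to 17:00 UTC.
        - key: '{{environment.attributes.current_time}}'
          operator: timeGreaterThanOrEquals
          values:
            - "09:00:00+00:00"
        - key: '{{environment.attributes.current_time}}'
          operator: timeLessThanOrEquals
          values:
            - "17:00:00+00:00"
      # "and": every condition must hold; "or" would widen the window.
      ruleOperator: and
      pattern: time-based-conditions:weekly:custom-hours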
Service Policy by using service_group_id resource attribute
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
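// Service ID that the policy is attached to.
const serviceId = new ibm.IamServiceId("serviceId", {});

// Grants identity-management roles on the "IAM" service group.
// Review note: judging by their names, these roles let the service ID create
// other service IDs and user API keys and administer the IAM services, so treat
// its credentials as highly privileged and drop any role the automation does
// not actually need.
const policy = new ibm.IamServicePolicy("policy", {
    // Bind the policy to the service ID declared above. Without a subject the
    // program creates serviceId but never grants it anything; the other
    // examples on this page set iamServiceId the same way.
    iamServiceId: serviceId.iamServiceIdId,
    resourceAttributes: [{
        name: "service_group_id",
        operator: "stringEquals",
        value: "IAM",
    }],
    roles: [
        "Service ID creator",
        "User API key creator",
        "Administrator",
    ],
});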
import pulumi
import pulumi_ibm as ibm
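# Service ID that the policy is attached to.
service_id = ibm.IamServiceId("serviceId")

# Grants identity-management roles on the "IAM" service group.
# Review note: judging by their names, these roles let the service ID create
# other service IDs and user API keys and administer the IAM services, so treat
# its credentials as highly privileged and drop any role the automation does
# not actually need.
policy = ibm.IamServicePolicy(
    "policy",
    # Bind the policy to the service ID declared above. Without a subject the
    # program creates service_id but never grants it anything; the other
    # examples on this page set iam_service_id the same way.
    iam_service_id=service_id.iam_service_id_id,
    resource_attributes=[{
        "name": "service_group_id",
        "operator": "stringEquals",
        "value": "IAM",
    }],
    roles=[
        "Service ID creator",
        "User API key creator",
        "Administrator",
    ],
)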
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
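// main declares a service ID and attaches a policy that grants it
// identity-management roles on the "IAM" service group.
//
// Review note: judging by their names, these roles let the service ID create
// other service IDs and user API keys and administer the IAM services, so treat
// its credentials as highly privileged and drop any role that is not needed.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the resource handle: the policy below needs it as its subject.
		serviceId, err := ibm.NewIamServiceId(ctx, "serviceId", nil)
		if err != nil {
			return err
		}
		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			// Bind the policy to the service ID. Without a subject the program
			// creates the service ID but never grants it anything; the other
			// examples on this page set IamServiceId the same way.
			IamServiceId: serviceId.IamServiceIdId,
			ResourceAttributes: ibm.IamServicePolicyResourceAttributeArray{
				&ibm.IamServicePolicyResourceAttributeArgs{
					Name:     pulumi.String("service_group_id"),
					Operator: pulumi.String("stringEquals"),
					Value:    pulumi.String("IAM"),
				},
			},
			Roles: pulumi.StringArray{
				pulumi.String("Service ID creator"),
				pulumi.String("User API key creator"),
				pulumi.String("Administrator"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}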
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
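// Grants identity-management roles on the "IAM" service group to one service ID.
// Review note: judging by their names, these roles let the service ID create
// other service IDs and user API keys and administer the IAM services, so treat
// its credentials as highly privileged and drop any role that is not needed.
return await Deployment.RunAsync(() =>
{
    var serviceId = new Ibm.IamServiceId("serviceId");

    var policy = new Ibm.IamServicePolicy("policy", new()
    {
        // Bind the policy to the service ID declared above. Without a subject
        // the program creates serviceId but never grants it anything; the other
        // examples on this page set IamServiceId the same way.
        IamServiceId = serviceId.IamServiceIdId,
        ResourceAttributes = new[]
        {
            new Ibm.Inputs.IamServicePolicyResourceAttributeArgs
            {
                Name = "service_group_id",
                Operator = "stringEquals",
                Value = "IAM",
            },
        },
        Roles = new[]
        {
            "Service ID creator",
            "User API key creator",
            "Administrator",
        },
    });
});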
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourceAttributeArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
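public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a service ID and attaches a policy that grants it
     * identity-management roles on the "IAM" service group.
     *
     * Review note: judging by their names, these roles let the service ID
     * create other service IDs and user API keys and administer the IAM
     * services, so treat its credentials as highly privileged and drop any
     * role that is not needed.
     *
     * @param ctx Pulumi deployment context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var serviceId = new IamServiceId("serviceId");

        var policy = new IamServicePolicy("policy", IamServicePolicyArgs.builder()
            // Bind the policy to the service ID declared above. Without a
            // subject the program creates serviceId but never grants it
            // anything; the other examples on this page set iamServiceId
            // the same way.
            .iamServiceId(serviceId.iamServiceIdId())
            .resourceAttributes(IamServicePolicyResourceAttributeArgs.builder()
                .name("service_group_id")
                .operator("stringEquals")
                .value("IAM")
                .build())
            .roles(
                "Service ID creator",
                "User API key creator",
                "Administrator")
            .build());
    }
}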
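# Grants identity-management roles on the "IAM" service group to one service ID.
# Review note: judging by their names, these roles let the service ID create
# other service IDs and user API keys and administer the IAM services, so treat
# its credentials as highly privileged and drop any role that is not needed.
# Nesting restored: without indentation the mapping is flat and does not parse
# as intended.
resources:
  serviceId:
    type: ibm:IamServiceId
  policy:
    type: ibm:IamServicePolicy
    properties:
      # Bind the policy to the service ID declared above. Without a subject the
      # program creates serviceId but never grants it anything; the other
      # examples on this page set iamServiceId the same way.
      iamServiceId: ${serviceId.iamServiceIdId}
      resourceAttributes:
        - name: service_group_id
          operator: stringEquals
          value: IAM
      roles:
        - Service ID creator
        - User API key creator
        - Administrator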
Service Policy by using Attribute Based Condition
`rule_conditions` can be used in conjunction with `pattern = attribute-based-condition:resource:literal-and-wildcard` and `rule_operator` to implement more complex policy conditions. Note: Currently, a policy resource that was created without `rule_conditions`, `pattern`, and `rule_operator` cannot be updated to add those conditions.
import * as pulumi from "@pulumi/pulumi";
import * as ibm from "@pulumi/ibm";
// Writer access to one Object Storage bucket, narrowed by request attributes.
const serviceId = new ibm.IamServiceId("serviceId", {});

// Target: bucket "fgac-tf-test" in instance "cos-instance" of cloud-object-storage.
const bucketTarget = [
    { value: "cloud-object-storage", operator: "stringEquals", name: "serviceName" },
    { value: "cos-instance", operator: "stringEquals", name: "serviceInstance" },
    { value: "bucket", operator: "stringEquals", name: "resourceType" },
    { value: "fgac-tf-test", operator: "stringEquals", name: "resource" },
];

// Branch 1: prefix under folder1/subfolder1/ AND delimiter is "/" or empty.
const prefixUnderFolder = {
    operator: "and",
    conditions: [
        {
            key: "{{resource.attributes.prefix}}",
            operator: "stringMatch",
            values: ["folder1/subfolder1/*"],
        },
        {
            key: "{{resource.attributes.delimiter}}",
            operator: "stringEqualsAnyOf",
            values: ["/", ""],
        },
    ],
};

// Branch 2: path under folder1/subfolder1/.
const pathUnderFolder = {
    key: "{{resource.attributes.path}}",
    operator: "stringMatch",
    values: ["folder1/subfolder1/*"],
};

// Branch 3: neither delimiter nor prefix is present on the request.
// NOTE(review): the branches are OR'd, so this one matches any request that
// carries neither attribute; confirm that is intended for every Writer action.
const noPrefixNoDelimiter = {
    operator: "and",
    conditions: [
        {
            key: "{{resource.attributes.delimiter}}",
            operator: "stringExists",
            values: ["false"],
        },
        {
            key: "{{resource.attributes.prefix}}",
            operator: "stringExists",
            values: ["false"],
        },
    ],
};

const policy = new ibm.IamServicePolicy("policy", {
    iamServiceId: serviceId.iamServiceIdId,
    roles: ["Writer"],
    resourceAttributes: bucketTarget,
    ruleConditions: [prefixUnderFolder, pathUnderFolder, noPrefixNoDelimiter],
    // "or": satisfying any one branch is enough.
    ruleOperator: "or",
    pattern: "attribute-based-condition:resource:literal-and-wildcard",
    // The text says "User Policy" although this is a service policy;
    // presumably carried over from the user-policy example.
    description: "IAM User Policy Attribute Based Condition Creation for test scenario",
});
import pulumi
import pulumi_ibm as ibm
# Writer access to one Object Storage bucket, narrowed by request attributes.
service_id = ibm.IamServiceId("serviceId")

# Target: bucket "fgac-tf-test" in instance "cos-instance" of cloud-object-storage.
bucket_target = [
    {"value": "cloud-object-storage", "operator": "stringEquals", "name": "serviceName"},
    {"value": "cos-instance", "operator": "stringEquals", "name": "serviceInstance"},
    {"value": "bucket", "operator": "stringEquals", "name": "resourceType"},
    {"value": "fgac-tf-test", "operator": "stringEquals", "name": "resource"},
]

# Branch 1: prefix under folder1/subfolder1/ AND delimiter is "/" or empty.
prefix_under_folder = {
    "operator": "and",
    "conditions": [
        {
            "key": "{{resource.attributes.prefix}}",
            "operator": "stringMatch",
            "values": ["folder1/subfolder1/*"],
        },
        {
            "key": "{{resource.attributes.delimiter}}",
            "operator": "stringEqualsAnyOf",
            "values": ["/", ""],
        },
    ],
}

# Branch 2: path under folder1/subfolder1/.
path_under_folder = {
    "key": "{{resource.attributes.path}}",
    "operator": "stringMatch",
    "values": ["folder1/subfolder1/*"],
}

# Branch 3: neither delimiter nor prefix is present on the request.
# NOTE(review): the branches are OR'd, so this one matches any request that
# carries neither attribute; confirm that is intended for every Writer action.
no_prefix_no_delimiter = {
    "operator": "and",
    "conditions": [
        {
            "key": "{{resource.attributes.delimiter}}",
            "operator": "stringExists",
            "values": ["false"],
        },
        {
            "key": "{{resource.attributes.prefix}}",
            "operator": "stringExists",
            "values": ["false"],
        },
    ],
}

policy = ibm.IamServicePolicy(
    "policy",
    iam_service_id=service_id.iam_service_id_id,
    roles=["Writer"],
    resource_attributes=bucket_target,
    rule_conditions=[prefix_under_folder, path_under_folder, no_prefix_no_delimiter],
    # "or": satisfying any one branch is enough.
    rule_operator="or",
    pattern="attribute-based-condition:resource:literal-and-wildcard",
    # The text says "User Policy" although this is a service policy;
    # presumably carried over from the user-policy example.
    description="IAM User Policy Attribute Based Condition Creation for test scenario",
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/ibm/ibm"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a service ID and a Writer policy on one Object Storage bucket,
// narrowed by request attributes.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		serviceId, err := ibm.NewIamServiceId(ctx, "serviceId", nil)
		if err != nil {
			return err
		}

		// Target: bucket "fgac-tf-test" in instance "cos-instance" of cloud-object-storage.
		bucketTarget := ibm.IamServicePolicyResourceAttributeArray{
			&ibm.IamServicePolicyResourceAttributeArgs{
				Value:    pulumi.String("cloud-object-storage"),
				Operator: pulumi.String("stringEquals"),
				Name:     pulumi.String("serviceName"),
			},
			&ibm.IamServicePolicyResourceAttributeArgs{
				Value:    pulumi.String("cos-instance"),
				Operator: pulumi.String("stringEquals"),
				Name:     pulumi.String("serviceInstance"),
			},
			&ibm.IamServicePolicyResourceAttributeArgs{
				Value:    pulumi.String("bucket"),
				Operator: pulumi.String("stringEquals"),
				Name:     pulumi.String("resourceType"),
			},
			&ibm.IamServicePolicyResourceAttributeArgs{
				Value:    pulumi.String("fgac-tf-test"),
				Operator: pulumi.String("stringEquals"),
				Name:     pulumi.String("resource"),
			},
		}

		branches := ibm.IamServicePolicyRuleConditionArray{
			// Branch 1: prefix under folder1/subfolder1/ AND delimiter is "/" or empty.
			&ibm.IamServicePolicyRuleConditionArgs{
				Operator: pulumi.String("and"),
				Conditions: ibm.IamServicePolicyRuleConditionConditionArray{
					&ibm.IamServicePolicyRuleConditionConditionArgs{
						Key:      pulumi.String("{{resource.attributes.prefix}}"),
						Operator: pulumi.String("stringMatch"),
						Values:   pulumi.StringArray{pulumi.String("folder1/subfolder1/*")},
					},
					&ibm.IamServicePolicyRuleConditionConditionArgs{
						Key:      pulumi.String("{{resource.attributes.delimiter}}"),
						Operator: pulumi.String("stringEqualsAnyOf"),
						Values: pulumi.StringArray{
							pulumi.String("/"),
							pulumi.String(""),
						},
					},
				},
			},
			// Branch 2: path under folder1/subfolder1/.
			&ibm.IamServicePolicyRuleConditionArgs{
				Key:      pulumi.String("{{resource.attributes.path}}"),
				Operator: pulumi.String("stringMatch"),
				Values:   pulumi.StringArray{pulumi.String("folder1/subfolder1/*")},
			},
			// Branch 3: neither delimiter nor prefix is present on the request.
			// NOTE(review): the branches are OR'd, so this one matches any
			// request that carries neither attribute; confirm that is intended
			// for every Writer action.
			&ibm.IamServicePolicyRuleConditionArgs{
				Operator: pulumi.String("and"),
				Conditions: ibm.IamServicePolicyRuleConditionConditionArray{
					&ibm.IamServicePolicyRuleConditionConditionArgs{
						Key:      pulumi.String("{{resource.attributes.delimiter}}"),
						Operator: pulumi.String("stringExists"),
						Values:   pulumi.StringArray{pulumi.String("false")},
					},
					&ibm.IamServicePolicyRuleConditionConditionArgs{
						Key:      pulumi.String("{{resource.attributes.prefix}}"),
						Operator: pulumi.String("stringExists"),
						Values:   pulumi.StringArray{pulumi.String("false")},
					},
				},
			},
		}

		_, err = ibm.NewIamServicePolicy(ctx, "policy", &ibm.IamServicePolicyArgs{
			IamServiceId:       serviceId.IamServiceIdId,
			Roles:              pulumi.StringArray{pulumi.String("Writer")},
			ResourceAttributes: bucketTarget,
			RuleConditions:     branches,
			// "or": satisfying any one branch is enough.
			RuleOperator: pulumi.String("or"),
			Pattern:      pulumi.String("attribute-based-condition:resource:literal-and-wildcard"),
			// The text says "User Policy" although this is a service policy;
			// presumably carried over from the user-policy example.
			Description: pulumi.String("IAM User Policy Attribute Based Condition Creation for test scenario"),
		})
		// err is nil on success, so returning it directly covers both outcomes.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Ibm = Pulumi.Ibm;
// Writer access to one Object Storage bucket, narrowed by request attributes.
return await Deployment.RunAsync(() =>
{
    var serviceId = new Ibm.IamServiceId("serviceId");

    // Target: bucket "fgac-tf-test" in instance "cos-instance" of cloud-object-storage.
    var bucketTarget = new[]
    {
        new Ibm.Inputs.IamServicePolicyResourceAttributeArgs
        {
            Value = "cloud-object-storage",
            Operator = "stringEquals",
            Name = "serviceName",
        },
        new Ibm.Inputs.IamServicePolicyResourceAttributeArgs
        {
            Value = "cos-instance",
            Operator = "stringEquals",
            Name = "serviceInstance",
        },
        new Ibm.Inputs.IamServicePolicyResourceAttributeArgs
        {
            Value = "bucket",
            Operator = "stringEquals",
            Name = "resourceType",
        },
        new Ibm.Inputs.IamServicePolicyResourceAttributeArgs
        {
            Value = "fgac-tf-test",
            Operator = "stringEquals",
            Name = "resource",
        },
    };

    var branches = new[]
    {
        // Branch 1: prefix under folder1/subfolder1/ AND delimiter is "/" or empty.
        new Ibm.Inputs.IamServicePolicyRuleConditionArgs
        {
            Operator = "and",
            Conditions = new[]
            {
                new Ibm.Inputs.IamServicePolicyRuleConditionConditionArgs
                {
                    Key = "{{resource.attributes.prefix}}",
                    Operator = "stringMatch",
                    Values = new[] { "folder1/subfolder1/*" },
                },
                new Ibm.Inputs.IamServicePolicyRuleConditionConditionArgs
                {
                    Key = "{{resource.attributes.delimiter}}",
                    Operator = "stringEqualsAnyOf",
                    Values = new[] { "/", "" },
                },
            },
        },
        // Branch 2: path under folder1/subfolder1/.
        new Ibm.Inputs.IamServicePolicyRuleConditionArgs
        {
            Key = "{{resource.attributes.path}}",
            Operator = "stringMatch",
            Values = new[] { "folder1/subfolder1/*" },
        },
        // Branch 3: neither delimiter nor prefix is present on the request.
        // NOTE(review): the branches are OR'd, so this one matches any request
        // that carries neither attribute; confirm that is intended for every
        // Writer action.
        new Ibm.Inputs.IamServicePolicyRuleConditionArgs
        {
            Operator = "and",
            Conditions = new[]
            {
                new Ibm.Inputs.IamServicePolicyRuleConditionConditionArgs
                {
                    Key = "{{resource.attributes.delimiter}}",
                    Operator = "stringExists",
                    Values = new[] { "false" },
                },
                new Ibm.Inputs.IamServicePolicyRuleConditionConditionArgs
                {
                    Key = "{{resource.attributes.prefix}}",
                    Operator = "stringExists",
                    Values = new[] { "false" },
                },
            },
        },
    };

    var policy = new Ibm.IamServicePolicy("policy", new()
    {
        IamServiceId = serviceId.IamServiceIdId,
        Roles = new[] { "Writer" },
        ResourceAttributes = bucketTarget,
        RuleConditions = branches,
        // "or": satisfying any one branch is enough.
        RuleOperator = "or",
        Pattern = "attribute-based-condition:resource:literal-and-wildcard",
        // The text says "User Policy" although this is a service policy;
        // presumably carried over from the user-policy example.
        Description = "IAM User Policy Attribute Based Condition Creation for test scenario",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.ibm.IamServiceId;
import com.pulumi.ibm.IamServicePolicy;
import com.pulumi.ibm.IamServicePolicyArgs;
import com.pulumi.ibm.inputs.IamServicePolicyResourceAttributeArgs;
import com.pulumi.ibm.inputs.IamServicePolicyRuleConditionArgs;
import com.pulumi.ibm.inputs.IamServicePolicyRuleConditionConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a service ID and a Writer policy on one Object Storage bucket,
     * narrowed by request attributes.
     *
     * @param ctx Pulumi deployment context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        final var serviceId = new IamServiceId("serviceId");

        // Branch 1: prefix under folder1/subfolder1/ AND delimiter is "/" or empty.
        final var prefixUnderFolder = IamServicePolicyRuleConditionArgs.builder()
            .operator("and")
            .conditions(
                IamServicePolicyRuleConditionConditionArgs.builder()
                    .key("{{resource.attributes.prefix}}")
                    .operator("stringMatch")
                    .values("folder1/subfolder1/*")
                    .build(),
                IamServicePolicyRuleConditionConditionArgs.builder()
                    .key("{{resource.attributes.delimiter}}")
                    .operator("stringEqualsAnyOf")
                    .values("/", "")
                    .build())
            .build();

        // Branch 2: path under folder1/subfolder1/.
        final var pathUnderFolder = IamServicePolicyRuleConditionArgs.builder()
            .key("{{resource.attributes.path}}")
            .operator("stringMatch")
            .values("folder1/subfolder1/*")
            .build();

        // Branch 3: neither delimiter nor prefix is present on the request.
        // NOTE(review): the branches are OR'd, so this one matches any request
        // that carries neither attribute; confirm that is intended for every
        // Writer action.
        final var noPrefixNoDelimiter = IamServicePolicyRuleConditionArgs.builder()
            .operator("and")
            .conditions(
                IamServicePolicyRuleConditionConditionArgs.builder()
                    .key("{{resource.attributes.delimiter}}")
                    .operator("stringExists")
                    .values("false")
                    .build(),
                IamServicePolicyRuleConditionConditionArgs.builder()
                    .key("{{resource.attributes.prefix}}")
                    .operator("stringExists")
                    .values("false")
                    .build())
            .build();

        final var policy = new IamServicePolicy("policy", IamServicePolicyArgs.builder()
            .iamServiceId(serviceId.iamServiceIdId())
            .roles("Writer")
            // Target: bucket "fgac-tf-test" in instance "cos-instance" of cloud-object-storage.
            .resourceAttributes(
                IamServicePolicyResourceAttributeArgs.builder()
                    .value("cloud-object-storage")
                    .operator("stringEquals")
                    .name("serviceName")
                    .build(),
                IamServicePolicyResourceAttributeArgs.builder()
                    .value("cos-instance")
                    .operator("stringEquals")
                    .name("serviceInstance")
                    .build(),
                IamServicePolicyResourceAttributeArgs.builder()
                    .value("bucket")
                    .operator("stringEquals")
                    .name("resourceType")
                    .build(),
                IamServicePolicyResourceAttributeArgs.builder()
                    .value("fgac-tf-test")
                    .operator("stringEquals")
                    .name("resource")
                    .build())
            .ruleConditions(prefixUnderFolder, pathUnderFolder, noPrefixNoDelimiter)
            // "or": satisfying any one branch is enough.
            .ruleOperator("or")
            .pattern("attribute-based-condition:resource:literal-and-wildcard")
            // The text says "User Policy" although this is a service policy;
            // presumably carried over from the user-policy example.
            .description("IAM User Policy Attribute Based Condition Creation for test scenario")
            .build());
    }
}
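# Writer access to one Object Storage bucket, narrowed by request attributes.
# Nesting restored: without indentation the mapping is flat, and the grouping of
# conditions into branches (which decides what the policy allows) is lost.
resources:
  serviceId:
    type: ibm:IamServiceId
  policy:
    type: ibm:IamServicePolicy
    properties:
      iamServiceId: ${serviceId.iamServiceIdId}
      roles:
        - Writer
      # Target: bucket "fgac-tf-test" in instance "cos-instance" of cloud-object-storage.
      resourceAttributes:
        - value: cloud-object-storage
          operator: stringEquals
          name: serviceName
        - value: cos-instance
          operator: stringEquals
          name: serviceInstance
        - value: bucket
          operator: stringEquals
          name: resourceType
        - value: fgac-tf-test
          operator: stringEquals
          name: resource
      ruleConditions:
        # Branch 1: prefix under folder1/subfolder1/ AND delimiter is "/" or empty.
        - operator: and
          conditions:
            - key: '{{resource.attributes.prefix}}'
              operator: stringMatch
              values:
                - folder1/subfolder1/*
            - key: '{{resource.attributes.delimiter}}'
              operator: stringEqualsAnyOf
              values:
                - /
                - ""
        # Branch 2: path under folder1/subfolder1/.
        - key: '{{resource.attributes.path}}'
          operator: stringMatch
          values:
            - folder1/subfolder1/*
        # Branch 3: neither delimiter nor prefix is present on the request.
        # NOTE(review): the branches are OR'd, so this one matches any request
        # that carries neither attribute; confirm that is intended for every
        # Writer action.
        - operator: and
          conditions:
            - key: '{{resource.attributes.delimiter}}'
              operator: stringExists
              values:
                # Quoted on purpose: the value is the string "false", not a boolean.
                - 'false'
            - key: '{{resource.attributes.prefix}}'
              operator: stringExists
              values:
                - 'false'
      # "or": satisfying any one branch is enough.
      ruleOperator: or
      pattern: attribute-based-condition:resource:literal-and-wildcard
      # The text says "User Policy" although this is a service policy;
      # presumably carried over from the user-policy example.
      description: IAM User Policy Attribute Based Condition Creation for test scenario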
Create IamServicePolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new IamServicePolicy(name: string, args: IamServicePolicyArgs, opts?: CustomResourceOptions);
@overload
def IamServicePolicy(resource_name: str,
args: IamServicePolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def IamServicePolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
roles: Optional[Sequence[str]] = None,
iam_service_id: Optional[str] = None,
iam_id: Optional[str] = None,
account_management: Optional[bool] = None,
iam_service_policy_id: Optional[str] = None,
pattern: Optional[str] = None,
resource_attributes: Optional[Sequence[IamServicePolicyResourceAttributeArgs]] = None,
resource_tags: Optional[Sequence[IamServicePolicyResourceTagArgs]] = None,
resources: Optional[IamServicePolicyResourcesArgs] = None,
description: Optional[str] = None,
rule_conditions: Optional[Sequence[IamServicePolicyRuleConditionArgs]] = None,
rule_operator: Optional[str] = None,
tags: Optional[Sequence[str]] = None,
transaction_id: Optional[str] = None)
func NewIamServicePolicy(ctx *Context, name string, args IamServicePolicyArgs, opts ...ResourceOption) (*IamServicePolicy, error)
public IamServicePolicy(string name, IamServicePolicyArgs args, CustomResourceOptions? opts = null)
public IamServicePolicy(String name, IamServicePolicyArgs args)
public IamServicePolicy(String name, IamServicePolicyArgs args, CustomResourceOptions options)
type: ibm:IamServicePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args IamServicePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args IamServicePolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args IamServicePolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args IamServicePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args IamServicePolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var iamServicePolicyResource = new Ibm.IamServicePolicy("iamServicePolicyResource", new()
{
Roles = new[]
{
"string",
},
IamServiceId = "string",
IamId = "string",
AccountManagement = false,
IamServicePolicyId = "string",
Pattern = "string",
ResourceAttributes = new[]
{
new Ibm.Inputs.IamServicePolicyResourceAttributeArgs
{
Name = "string",
Value = "string",
Operator = "string",
},
},
ResourceTags = new[]
{
new Ibm.Inputs.IamServicePolicyResourceTagArgs
{
Name = "string",
Value = "string",
Operator = "string",
},
},
Resources = new Ibm.Inputs.IamServicePolicyResourcesArgs
{
Attributes =
{
{ "string", "string" },
},
Region = "string",
Resource = "string",
ResourceGroupId = "string",
ResourceInstanceId = "string",
ResourceType = "string",
Service = "string",
ServiceGroupId = "string",
ServiceType = "string",
},
Description = "string",
RuleConditions = new[]
{
new Ibm.Inputs.IamServicePolicyRuleConditionArgs
{
Operator = "string",
Conditions = new[]
{
new Ibm.Inputs.IamServicePolicyRuleConditionConditionArgs
{
Key = "string",
Operator = "string",
Values = new[]
{
"string",
},
},
},
Key = "string",
Values = new[]
{
"string",
},
},
},
RuleOperator = "string",
Tags = new[]
{
"string",
},
TransactionId = "string",
});
example, err := ibm.NewIamServicePolicy(ctx, "iamServicePolicyResource", &ibm.IamServicePolicyArgs{
Roles: pulumi.StringArray{
pulumi.String("string"),
},
IamServiceId: pulumi.String("string"),
IamId: pulumi.String("string"),
AccountManagement: pulumi.Bool(false),
IamServicePolicyId: pulumi.String("string"),
Pattern: pulumi.String("string"),
ResourceAttributes: ibm.IamServicePolicyResourceAttributeArray{
&ibm.IamServicePolicyResourceAttributeArgs{
Name: pulumi.String("string"),
Value: pulumi.String("string"),
Operator: pulumi.String("string"),
},
},
ResourceTags: ibm.IamServicePolicyResourceTagArray{
&ibm.IamServicePolicyResourceTagArgs{
Name: pulumi.String("string"),
Value: pulumi.String("string"),
Operator: pulumi.String("string"),
},
},
Resources: &ibm.IamServicePolicyResourcesArgs{
Attributes: pulumi.StringMap{
"string": pulumi.String("string"),
},
Region: pulumi.String("string"),
Resource: pulumi.String("string"),
ResourceGroupId: pulumi.String("string"),
ResourceInstanceId: pulumi.String("string"),
ResourceType: pulumi.String("string"),
Service: pulumi.String("string"),
ServiceGroupId: pulumi.String("string"),
ServiceType: pulumi.String("string"),
},
Description: pulumi.String("string"),
RuleConditions: ibm.IamServicePolicyRuleConditionArray{
&ibm.IamServicePolicyRuleConditionArgs{
Operator: pulumi.String("string"),
Conditions: ibm.IamServicePolicyRuleConditionConditionArray{
&ibm.IamServicePolicyRuleConditionConditionArgs{
Key: pulumi.String("string"),
Operator: pulumi.String("string"),
Values: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Key: pulumi.String("string"),
Values: pulumi.StringArray{
pulumi.String("string"),
},
},
},
RuleOperator: pulumi.String("string"),
Tags: pulumi.StringArray{
pulumi.String("string"),
},
TransactionId: pulumi.String("string"),
})
var iamServicePolicyResource = new IamServicePolicy("iamServicePolicyResource", IamServicePolicyArgs.builder()
.roles("string")
.iamServiceId("string")
.iamId("string")
.accountManagement(false)
.iamServicePolicyId("string")
.pattern("string")
.resourceAttributes(IamServicePolicyResourceAttributeArgs.builder()
.name("string")
.value("string")
.operator("string")
.build())
.resourceTags(IamServicePolicyResourceTagArgs.builder()
.name("string")
.value("string")
.operator("string")
.build())
.resources(IamServicePolicyResourcesArgs.builder()
.attributes(Map.of("string", "string"))
.region("string")
.resource("string")
.resourceGroupId("string")
.resourceInstanceId("string")
.resourceType("string")
.service("string")
.serviceGroupId("string")
.serviceType("string")
.build())
.description("string")
.ruleConditions(IamServicePolicyRuleConditionArgs.builder()
.operator("string")
.conditions(IamServicePolicyRuleConditionConditionArgs.builder()
.key("string")
.operator("string")
.values("string")
.build())
.key("string")
.values("string")
.build())
.ruleOperator("string")
.tags("string")
.transactionId("string")
.build());
iam_service_policy_resource = ibm.IamServicePolicy("iamServicePolicyResource",
roles=["string"],
iam_service_id="string",
iam_id="string",
account_management=False,
iam_service_policy_id="string",
pattern="string",
resource_attributes=[{
"name": "string",
"value": "string",
"operator": "string",
}],
resource_tags=[{
"name": "string",
"value": "string",
"operator": "string",
}],
resources={
"attributes": {
"string": "string",
},
"region": "string",
"resource": "string",
"resource_group_id": "string",
"resource_instance_id": "string",
"resource_type": "string",
"service": "string",
"service_group_id": "string",
"service_type": "string",
},
description="string",
rule_conditions=[{
"operator": "string",
"conditions": [{
"key": "string",
"operator": "string",
"values": ["string"],
}],
"key": "string",
"values": ["string"],
}],
rule_operator="string",
tags=["string"],
transaction_id="string")
// Reference template: every "string" / false value is a placeholder for the named input,
// not a recommended setting. The property reference on this page lists accountManagement
// as conflicting with resources and resourceAttributes, so a real policy uses one of them.

// Attribute-based scope: a name / value / operator triple.
const attributeScope = {
    name: "string",
    value: "string",
    operator: "string",
};

// Access management tag. Per the reference, resource tags are only allowed in a policy
// whose serviceType resource attribute has the value service.
const tagScope = {
    name: "string",
    value: "string",
    operator: "string",
};

// Resource scope of the policy.
const resourceScope = {
    attributes: {
        string: "string",
    },
    region: "string",
    resource: "string",
    resourceGroupId: "string",
    resourceInstanceId: "string",
    resourceType: "string",
    service: "string",
    serviceGroupId: "string",
    serviceType: "string",
};

// Rule condition with one nested condition.
const nestedCondition = {
    key: "string",
    operator: "string",
    values: ["string"],
};
const ruleCondition = {
    operator: "string",
    conditions: [nestedCondition],
    key: "string",
    values: ["string"],
};

const iamServicePolicyResource = new ibm.IamServicePolicy("iamServicePolicyResource", {
    // Roles granted to the service ID; grant only the roles the workload needs.
    roles: ["string"],
    // Either iamServiceId or iamId is required; iamId assigns a cross-account service ID policy.
    iamServiceId: "string",
    iamId: "string",
    // true gives access to all account management services (default is false).
    accountManagement: false,
    iamServicePolicyId: "string",
    pattern: "string",
    resourceAttributes: [attributeScope],
    resourceTags: [tagScope],
    resources: resourceScope,
    description: "string",
    ruleConditions: [ruleCondition],
    // Operator used to evaluate multiple rule conditions.
    ruleOperator: "string",
    tags: ["string"],
    // Passed with the request for tracking the calls.
    transactionId: "string",
});
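# Reference template: each value names the expected type and is a placeholder,
# not a recommended setting. Nesting is restored so the document parses as intended.
type: ibm:IamServicePolicy
properties:
    # true gives access to all account management services (default is false).
    # The property reference lists it as conflicting with resources and resourceAttributes.
    accountManagement: false
    description: string
    # Either iamServiceId or iamId is required; iamId assigns a cross-account service ID policy.
    iamId: string
    iamServiceId: string
    iamServicePolicyId: string
    pattern: string
    # Attribute-based scope: name / operator / value triples.
    resourceAttributes:
        - name: string
          operator: string
          value: string
    # Access management tags; per the reference, only allowed in a policy whose
    # serviceType resource attribute has the value service.
    resourceTags:
        - name: string
          operator: string
          value: string
    # Resource scope of the policy.
    resources:
        attributes:
            string: string
        region: string
        resource: string
        resourceGroupId: string
        resourceInstanceId: string
        resourceType: string
        service: string
        serviceGroupId: string
        serviceType: string
    # Roles granted to the service ID; grant only the roles the workload needs.
    roles:
        - string
    ruleConditions:
        - conditions:
            - key: string
              operator: string
              values:
                - string
          key: string
          operator: string
          values:
            - string
    # Operator used to evaluate multiple rule conditions.
    ruleOperator: string
    tags:
        - string
    # Passed with the request for tracking the calls.
    transactionId: string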
IamServicePolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The IamServicePolicy resource accepts the following input properties:
- Roles List<string>
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- AccountManagement bool
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- Description string
- The description of the IAM Service Policy.
- IamId string
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- IamServiceId string
- The UUID of the service ID.
- IamServicePolicyId string
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- Pattern string
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- ResourceAttributes List<IamServicePolicyResourceAttribute>
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- ResourceTags List<IamServicePolicyResourceTag>
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- Resources IamServicePolicyResources
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- RuleConditions List<IamServicePolicyRuleCondition>
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- RuleOperator string
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- Tags List<string>
- TransactionId string
- The TransactionID can be passed to your request for tracking the calls.
- Roles []string
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- AccountManagement bool
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- Description string
- The description of the IAM Service Policy.
- IamId string
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- IamServiceId string
- The UUID of the service ID.
- IamServicePolicyId string
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- Pattern string
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- ResourceAttributes []IamServicePolicyResourceAttributeArgs
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- ResourceTags []IamServicePolicyResourceTagArgs
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- Resources IamServicePolicyResourcesArgs
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- RuleConditions []IamServicePolicyRuleConditionArgs
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- RuleOperator string
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- Tags []string
- TransactionId string
- The TransactionID can be passed to your request for tracking the calls.
- roles List<String>
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- accountManagement Boolean
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- description String
- The description of the IAM Service Policy.
- iamId String
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- iamServiceId String
- The UUID of the service ID.
- iamServicePolicyId String
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- pattern String
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- resourceAttributes List<IamServicePolicyResourceAttribute>
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- resourceTags List<IamServicePolicyResourceTag>
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- resources IamServicePolicyResources
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- ruleConditions List<IamServicePolicyRuleCondition>
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- ruleOperator String
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- tags List<String>
- transactionId String
- The TransactionID can be passed to your request for tracking the calls.
- roles string[]
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- accountManagement boolean
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- description string
- The description of the IAM Service Policy.
- iamId string
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- iamServiceId string
- The UUID of the service ID.
- iamServicePolicyId string
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- pattern string
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- resourceAttributes IamServicePolicyResourceAttribute[]
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- resourceTags IamServicePolicyResourceTag[]
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- resources IamServicePolicyResources
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- ruleConditions IamServicePolicyRuleCondition[]
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- ruleOperator string
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- tags string[]
- transactionId string
- The TransactionID can be passed to your request for tracking the calls.
- roles Sequence[str]
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- account_management bool
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- description str
- The description of the IAM Service Policy.
- iam_id str
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- iam_service_id str
- The UUID of the service ID.
- iam_service_policy_id str
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- pattern str
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- resource_attributes Sequence[IamServicePolicyResourceAttributeArgs]
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- resource_tags Sequence[IamServicePolicyResourceTagArgs]
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- resources IamServicePolicyResourcesArgs
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- rule_conditions Sequence[IamServicePolicyRuleConditionArgs]
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- rule_operator str
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- tags Sequence[str]
- transaction_id str
- The TransactionID can be passed to your request for tracking the calls.
- roles List<String>
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- accountManagement Boolean
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- description String
- The description of the IAM Service Policy.
- iamId String
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- iamServiceId String
- The UUID of the service ID.
- iamServicePolicyId String
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- pattern String
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- resourceAttributes List<Property Map>
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- resourceTags List<Property Map>
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- resources Property Map
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- ruleConditions List<Property Map>
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- ruleOperator String
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- tags List<String>
- transactionId String
- The TransactionID can be passed to your request for tracking the calls.
Outputs
All input properties are implicitly available as output properties. Additionally, the IamServicePolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing IamServicePolicy Resource
Get an existing IamServicePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: IamServicePolicyState, opts?: CustomResourceOptions): IamServicePolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
account_management: Optional[bool] = None,
description: Optional[str] = None,
iam_id: Optional[str] = None,
iam_service_id: Optional[str] = None,
iam_service_policy_id: Optional[str] = None,
pattern: Optional[str] = None,
resource_attributes: Optional[Sequence[IamServicePolicyResourceAttributeArgs]] = None,
resource_tags: Optional[Sequence[IamServicePolicyResourceTagArgs]] = None,
resources: Optional[IamServicePolicyResourcesArgs] = None,
roles: Optional[Sequence[str]] = None,
rule_conditions: Optional[Sequence[IamServicePolicyRuleConditionArgs]] = None,
rule_operator: Optional[str] = None,
tags: Optional[Sequence[str]] = None,
transaction_id: Optional[str] = None) -> IamServicePolicy
func GetIamServicePolicy(ctx *Context, name string, id IDInput, state *IamServicePolicyState, opts ...ResourceOption) (*IamServicePolicy, error)
public static IamServicePolicy Get(string name, Input<string> id, IamServicePolicyState? state, CustomResourceOptions? opts = null)
public static IamServicePolicy get(String name, Output<String> id, IamServicePolicyState state, CustomResourceOptions options)
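# Reads the state of an existing policy by its provider ID; line breaks and nesting restored.
resources:
    _:
        type: ibm:IamServicePolicy
        get:
            id: ${id}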
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AccountManagement bool
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- Description string
- The description of the IAM Service Policy.
- IamId string
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- IamServiceId string
- The UUID of the service ID.
- IamServicePolicyId string
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- Pattern string
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- ResourceAttributes List<IamServicePolicyResourceAttribute>
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- ResourceTags List<IamServicePolicyResourceTag>
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- Resources IamServicePolicyResources
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- Roles List<string>
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- RuleConditions List<IamServicePolicyRuleCondition>
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- RuleOperator string
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- Tags List<string>
- TransactionId string
- The TransactionID can be passed to your request for tracking the calls.
- AccountManagement bool
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- Description string
- The description of the IAM Service Policy.
- IamId string
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- IamServiceId string
- The UUID of the service ID.
- IamServicePolicyId string
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- Pattern string
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- ResourceAttributes []IamServicePolicyResourceAttributeArgs
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- ResourceTags []IamServicePolicyResourceTagArgs
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- Resources IamServicePolicyResourcesArgs
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- Roles []string
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- RuleConditions []IamServicePolicyRuleConditionArgs
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- RuleOperator string
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- Tags []string
- TransactionId string
- The TransactionID can be passed to your request for tracking the calls.
- accountManagement Boolean
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- description String
- The description of the IAM Service Policy.
- iamId String
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- iamServiceId String
- The UUID of the service ID.
- iamServicePolicyId String
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- pattern String
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- resourceAttributes List<IamServicePolicyResourceAttribute>
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- resourceTags List<IamServicePolicyResourceTag>
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- resources IamServicePolicyResources
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- roles List<String>
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- ruleConditions List<IamServicePolicyRuleCondition>
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- ruleOperator String
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- tags List<String>
- transactionId String
- The TransactionID can be passed to your request for tracking the calls.
- accountManagement boolean
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- description string
- The description of the IAM Service Policy.
- iamId string
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- iamServiceId string
- The UUID of the service ID.
- iamServicePolicyId string
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- pattern string
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- resourceAttributes IamServicePolicyResourceAttribute[]
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- resourceTags IamServicePolicyResourceTag[]
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- resources IamServicePolicyResources
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- roles string[]
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- ruleConditions IamServicePolicyRuleCondition[]
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- ruleOperator string
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- tags string[]
- transactionId string
- The TransactionID can be passed to your request for tracking the calls.
- account_management bool
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- description str
- The description of the IAM Service Policy.
- iam_id str
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- iam_service_id str
- The UUID of the service ID.
- iam_service_policy_id str
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- pattern str
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- resource_attributes Sequence[IamServicePolicyResourceAttributeArgs]
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- resource_tags Sequence[IamServicePolicyResourceTagArgs]
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- resources IamServicePolicyResourcesArgs
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- roles Sequence[str]
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- rule_conditions Sequence[IamServicePolicyRuleConditionArgs]
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- rule_operator str
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- tags Sequence[str]
- transaction_id str
- The TransactionID can be passed to your request for tracking the calls.
- accountManagement Boolean
- Gives access to all account management services if set to true. Default value is false. If you set this option, do not set `resources` at the same time. Note: Conflicts with `resources` and `resource_attributes`.
- description String
- The description of the IAM Service Policy.
- iamId String
- IAM ID of the service ID. Used to assign cross account service ID policy. Either `iam_service_id` or `iam_id` is required.
- iamServiceId String
- The UUID of the service ID.
- iamServicePolicyId String
- (String) The unique identifier of the service policy. The ID is composed of `<iam_service_id>/<service_policy_id>` if the policy is created by using `<iam_service_id>`. The ID is composed of `<iam_id>/<service_policy_id>` if the policy is created by using `<iam_id>`.
- pattern String
- The pattern that the rule follows, e.g., `time-based-conditions:weekly:all-day`.
- resourceAttributes List<Property Map>
- A nested block describing the resource of this policy. `resource_attributes` - (Optional, List) A nested block describing the resource of this policy. Note: Conflicts with `account_management` and `resources`. Nested scheme for `resource_attributes`:
- resourceTags List<Property Map>
- A nested block describing the access management tags. Note: `resource_tags` are only allowed in policy with resource attribute serviceType, where value is equal to service. Nested scheme for `resource_tags`:
- resources Property Map
- Optional - A nested block describes the resource of this policy. Note: Conflicts with `account_management` and `resource_attributes`. Nested scheme for `resources`:
- roles List<String>
- A comma separated list of roles. Valid roles are `Writer`, `Reader`, `Manager`, `Administrator`, `Operator`, `Viewer`, and `Editor`. For more information about supported service-specific roles, see IAM roles and actions.
- ruleConditions List<Property Map>
- A nested block describing the rule conditions of this policy. Nested schema for `rule_conditions`:
- ruleOperator String
- The operator used to evaluate multiple rule conditions, e.g., all must be satisfied with `and`.
- tags List<String>
- transactionId String
- The TransactionID can be passed to your request for tracking the calls.
Supporting Types
IamServicePolicyResourceAttribute, IamServicePolicyResourceAttributeArgs
- Name string
- The name of an attribute. Supported values are `serviceName`, `serviceInstance`, `region`, `resourceType`, `resource`, `resourceGroupId`, `service_group_id`, and other service specific resource attributes.
- Value string
- The value of an attribute.
- Operator string
- Operator of an attribute. The default value is `stringEquals`. Note: Conflicts with `account_management` and `resources`.
- Name string
- The name of an attribute. Supported values are `serviceName`, `serviceInstance`, `region`, `resourceType`, `resource`, `resourceGroupId`, `service_group_id`, and other service-specific resource attributes.
- Value string
- The value of an attribute.
- Operator string
- Operator of an attribute. The default value is `stringEquals`. Note: Conflicts with `account_management` and `resources`.
- name String
- The name of an attribute. Supported values are `serviceName`, `serviceInstance`, `region`, `resourceType`, `resource`, `resourceGroupId`, `service_group_id`, and other service-specific resource attributes.
- value String
- The value of an attribute.
- operator String
- Operator of an attribute. The default value is `stringEquals`. Note: Conflicts with `account_management` and `resources`.
- name string
- The name of an attribute. Supported values are `serviceName`, `serviceInstance`, `region`, `resourceType`, `resource`, `resourceGroupId`, `service_group_id`, and other service-specific resource attributes.
- value string
- The value of an attribute.
- operator string
- Operator of an attribute. The default value is `stringEquals`. Note: Conflicts with `account_management` and `resources`.
- name str
- The name of an attribute. Supported values are `serviceName`, `serviceInstance`, `region`, `resourceType`, `resource`, `resourceGroupId`, `service_group_id`, and other service-specific resource attributes.
- value str
- The value of an attribute.
- operator str
- Operator of an attribute. The default value is `stringEquals`. Note: Conflicts with `account_management` and `resources`.
- name String
- The name of an attribute. Supported values are `serviceName`, `serviceInstance`, `region`, `resourceType`, `resource`, `resourceGroupId`, `service_group_id`, and other service-specific resource attributes.
- value String
- The value of an attribute.
- operator String
- Operator of an attribute. The default value is `stringEquals`. Note: Conflicts with `account_management` and `resources`.
IamServicePolicyResourceTag, IamServicePolicyResourceTagArgs
IamServicePolicyResources, IamServicePolicyResourcesArgs
- Attributes Dictionary<string, string>
- A set of resource attributes in the format `name=value,name=value`. If you set this option, do not specify `account_management` and `resource_attributes` at the same time.
- Region string
- The region of the policy definition.
- Resource string
- The resource of the policy definition.
- ResourceGroupId string
- The ID of the resource group. To retrieve the value, run `ibmcloud resource groups` or use the `ibm.ResourceGroup` data source.
- ResourceInstanceId string
- The ID of the resource instance of the policy definition.
- ResourceType string
- The resource type of the policy definition.
- Service string
- The service name of the policy definition. You can retrieve the value by running `ibmcloud catalog service-marketplace` or `ibmcloud catalog search`. Attributes `service`, `service_type` are mutually exclusive.
- ServiceGroupId string
- The service group id of the policy definition. Note: Attributes `service`, `service_group_id` are mutually exclusive.
- ServiceType string
- The service type of the policy definition. Note: Attributes `service`, `service_type` are mutually exclusive.
- Attributes map[string]string
- A set of resource attributes in the format `name=value,name=value`. If you set this option, do not specify `account_management` and `resource_attributes` at the same time.
- Region string
- The region of the policy definition.
- Resource string
- The resource of the policy definition.
- ResourceGroupId string
- The ID of the resource group. To retrieve the value, run `ibmcloud resource groups` or use the `ibm.ResourceGroup` data source.
- ResourceInstanceId string
- The ID of the resource instance of the policy definition.
- ResourceType string
- The resource type of the policy definition.
- Service string
- The service name of the policy definition. You can retrieve the value by running `ibmcloud catalog service-marketplace` or `ibmcloud catalog search`. Attributes `service`, `service_type` are mutually exclusive.
- ServiceGroupId string
- The service group id of the policy definition. Note: Attributes `service`, `service_group_id` are mutually exclusive.
- ServiceType string
- The service type of the policy definition. Note: Attributes `service`, `service_type` are mutually exclusive.
- attributes Map<String,String>
- A set of resource attributes in the format `name=value,name=value`. If you set this option, do not specify `account_management` and `resource_attributes` at the same time.
- region String
- The region of the policy definition.
- resource String
- The resource of the policy definition.
- resourceGroupId String
- The ID of the resource group. To retrieve the value, run `ibmcloud resource groups` or use the `ibm.ResourceGroup` data source.
- resourceInstanceId String
- The ID of the resource instance of the policy definition.
- resourceType String
- The resource type of the policy definition.
- service String
- The service name of the policy definition. You can retrieve the value by running `ibmcloud catalog service-marketplace` or `ibmcloud catalog search`. Attributes `service`, `service_type` are mutually exclusive.
- serviceGroupId String
- The service group id of the policy definition. Note: Attributes `service`, `service_group_id` are mutually exclusive.
- serviceType String
- The service type of the policy definition. Note: Attributes `service`, `service_type` are mutually exclusive.
- attributes {[key: string]: string}
- A set of resource attributes in the format `name=value,name=value`. If you set this option, do not specify `account_management` and `resource_attributes` at the same time.
- region string
- The region of the policy definition.
- resource string
- The resource of the policy definition.
- resourceGroupId string
- The ID of the resource group. To retrieve the value, run `ibmcloud resource groups` or use the `ibm.ResourceGroup` data source.
- resourceInstanceId string
- The ID of the resource instance of the policy definition.
- resourceType string
- The resource type of the policy definition.
- service string
- The service name of the policy definition. You can retrieve the value by running `ibmcloud catalog service-marketplace` or `ibmcloud catalog search`. Attributes `service`, `service_type` are mutually exclusive.
- serviceGroupId string
- The service group id of the policy definition. Note: Attributes `service`, `service_group_id` are mutually exclusive.
- serviceType string
- The service type of the policy definition. Note: Attributes `service`, `service_type` are mutually exclusive.
- attributes Mapping[str, str]
- A set of resource attributes in the format `name=value,name=value`. If you set this option, do not specify `account_management` and `resource_attributes` at the same time.
- region str
- The region of the policy definition.
- resource str
- The resource of the policy definition.
- resource_group_id str
- The ID of the resource group. To retrieve the value, run `ibmcloud resource groups` or use the `ibm.ResourceGroup` data source.
- resource_instance_id str
- The ID of the resource instance of the policy definition.
- resource_type str
- The resource type of the policy definition.
- service str
- The service name of the policy definition. You can retrieve the value by running `ibmcloud catalog service-marketplace` or `ibmcloud catalog search`. Attributes `service`, `service_type` are mutually exclusive.
- service_group_id str
- The service group id of the policy definition. Note: Attributes `service`, `service_group_id` are mutually exclusive.
- service_type str
- The service type of the policy definition. Note: Attributes `service`, `service_type` are mutually exclusive.
- attributes Map<String>
- A set of resource attributes in the format `name=value,name=value`. If you set this option, do not specify `account_management` and `resource_attributes` at the same time.
- region String
- The region of the policy definition.
- resource String
- The resource of the policy definition.
- resourceGroupId String
- The ID of the resource group. To retrieve the value, run `ibmcloud resource groups` or use the `ibm.ResourceGroup` data source.
- resourceInstanceId String
- The ID of the resource instance of the policy definition.
- resourceType String
- The resource type of the policy definition.
- service String
- The service name of the policy definition. You can retrieve the value by running `ibmcloud catalog service-marketplace` or `ibmcloud catalog search`. Attributes `service`, `service_type` are mutually exclusive.
- serviceGroupId String
- The service group id of the policy definition. Note: Attributes `service`, `service_group_id` are mutually exclusive.
- serviceType String
- The service type of the policy definition. Note: Attributes `service`, `service_type` are mutually exclusive.
IamServicePolicyRuleCondition, IamServicePolicyRuleConditionArgs
- Operator string
- The operator of a rule condition.
- Conditions List<IamServicePolicyRuleConditionCondition>
- A nested block describing additional conditions of this policy. Nested schema for `conditions`:
- Key string
- The key of a rule condition.
- Values List<string>
- The value of a rule condition.
- Operator string
- The operator of a rule condition.
- Conditions []IamServicePolicyRuleConditionCondition
- A nested block describing additional conditions of this policy. Nested schema for `conditions`:
- Key string
- The key of a rule condition.
- Values []string
- The value of a rule condition.
- operator String
- The operator of a rule condition.
- conditions List<IamServicePolicyRuleConditionCondition>
- A nested block describing additional conditions of this policy. Nested schema for `conditions`:
- key String
- The key of a rule condition.
- values List<String>
- The value of a rule condition.
- operator string
- The operator of a rule condition.
- conditions IamServicePolicyRuleConditionCondition[]
- A nested block describing additional conditions of this policy. Nested schema for `conditions`:
- key string
- The key of a rule condition.
- values string[]
- The value of a rule condition.
- operator str
- The operator of a rule condition.
- conditions Sequence[IamServicePolicyRuleConditionCondition]
- A nested block describing additional conditions of this policy. Nested schema for `conditions`:
- key str
- The key of a rule condition.
- values Sequence[str]
- The value of a rule condition.
- operator String
- The operator of a rule condition.
- conditions List<Property Map>
- A nested block describing additional conditions of this policy. Nested schema for `conditions`:
- key String
- The key of a rule condition.
- values List<String>
- The value of a rule condition.
IamServicePolicyRuleConditionCondition, IamServicePolicyRuleConditionConditionArgs
Import
The `ibm_iam_service_policy` resource can be imported by using the service ID and service policy ID, or the IAM ID and service policy ID.
Syntax
$ pulumi import ibm:index/iamServicePolicy:IamServicePolicy example <service_ID>/<service_policy_ID>
Example
$ pulumi import ibm:index/iamServicePolicy:IamServicePolicy example ServiceId-d7bec597-4726-451f-8a63-e62e6f19c32c/cea6651a-bc0a-4438-9f8a-a0770bbf3ebb
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- ibm ibm-cloud/terraform-provider-ibm
- License
- Notes
- This Pulumi package is based on the `ibm` Terraform Provider.