IAM Policies

Cloudalus supports fine-grained access control using IAM policies. This allows you to control what actions users and access keys can perform on resources.

What is an IAM policy?

An IAM policy is a JSON document that states which actions a principal (a user or an access key) is permitted or forbidden to perform on which resources.

A policy consists of three fields: effect, actions, and resources.

{
  "effect": "Allow" | "Deny",
  "actions": [
    "kvdb:Create",
    "kvdb:Delete",
    "iam:CreateAccessKey",
    "iam:DeleteAccessKey",
    ...
  ],
  "resources": [
    "org:*",
    "kvdb:*",
    "iam:*",
    ...
  ]
}

Effect

The effect field specifies whether the policy allows or denies the specified actions on the specified resources. The effect can be either "Allow" or "Deny".

If a principal holds multiple policies that conflict, Deny takes precedence over Allow: an action denied by one policy cannot be re-allowed by another, so a Deny is the right tool for carving an exception out of a broad wildcard grant.

Actions

The actions field specifies the actions that are permitted or forbidden to perform.

Multiple actions can be matched using wildcards, e.g. "kvdb:*" or "kvdb:Execute*".

The following actions are supported:

Supported Actions
  • kvdb:List
  • kvdb:Create
  • kvdb:Describe
  • kvdb:Update
  • kvdb:Delete
  • kvdb:ExecuteCopy
  • kvdb:ExecuteDel
  • kvdb:ExecuteExists
  • kvdb:ExecuteExpire
  • kvdb:ExecuteExpiretime
  • kvdb:ExecuteFlushall
  • kvdb:ExecutePersist
  • kvdb:ExecutePttl
  • kvdb:ExecuteRename
  • kvdb:ExecuteScan
  • kvdb:ExecuteTtl
  • kvdb:ExecuteType
  • kvdb:ExecuteAppend
  • kvdb:ExecuteGet
  • kvdb:ExecuteGetdel
  • kvdb:ExecuteGetex
  • kvdb:ExecuteGetrange
  • kvdb:ExecuteIncrby
  • kvdb:ExecuteMget
  • kvdb:ExecuteMset
  • kvdb:ExecuteMsetnx
  • kvdb:ExecuteSet
  • kvdb:ExecuteStrlen
  • kvdb:ExecuteSadd
  • kvdb:ExecuteScard
  • kvdb:ExecuteSdiff
  • kvdb:ExecuteSinter
  • kvdb:ExecuteSintercard
  • kvdb:ExecuteSismember
  • kvdb:ExecuteSmembers
  • kvdb:ExecuteSmismember
  • kvdb:ExecuteSmove
  • kvdb:ExecuteSpop
  • kvdb:ExecuteSrandmember
  • kvdb:ExecuteSrem
  • kvdb:ExecuteSscan
  • kvdb:ExecuteSunion
  • kvdb:ExecuteHdel
  • kvdb:ExecuteHexists
  • kvdb:ExecuteHget
  • kvdb:ExecuteHgetall
  • kvdb:ExecuteHincrby
  • kvdb:ExecuteHkeys
  • kvdb:ExecuteHlen
  • kvdb:ExecuteHmget
  • kvdb:ExecuteHscan
  • kvdb:ExecuteHset
  • kvdb:ExecuteHsetnx
  • kvdb:ExecuteHstrlen
  • kvdb:ExecuteHvals
  • kvdb:ExecuteLindex
  • kvdb:ExecuteLinsert
  • kvdb:ExecuteLlen
  • kvdb:ExecuteLmove
  • kvdb:ExecuteLpop
  • kvdb:ExecuteLpos
  • kvdb:ExecuteLpush
  • kvdb:ExecuteLpushx
  • kvdb:ExecuteLrange
  • kvdb:ExecuteLrem
  • kvdb:ExecuteLset
  • kvdb:ExecuteLtrim
  • kvdb:ExecuteRpop
  • kvdb:ExecuteRpush
  • kvdb:ExecuteRpushx
  • kvdb:ExecuteZadd
  • kvdb:ExecuteZcard
  • kvdb:ExecuteZcount
  • kvdb:ExecuteZdiff
  • kvdb:ExecuteZincrby
  • kvdb:ExecuteZinter
  • kvdb:ExecuteZintercard
  • kvdb:ExecuteZlexcount
  • kvdb:ExecuteZmscore
  • kvdb:ExecuteZpop
  • kvdb:ExecuteZrandmember
  • kvdb:ExecuteZrange
  • kvdb:ExecuteZrangestore
  • kvdb:ExecuteZrank
  • kvdb:ExecuteZrem
  • kvdb:ExecuteZremrange
  • kvdb:ExecuteZscan
  • kvdb:ExecuteZscore
  • kvdb:ExecuteZunion
  • org:Describe
  • org:UpdateName
  • iam:CreateAccessKey
  • iam:DeleteAccessKey
  • iam:ListAccessKeys
  • iam:DescribeAccessKey
  • iam:UpdateAccessKey
  • iam:ListUsers
  • iam:CreateUser
  • iam:DeleteUser
  • iam:PutIdentityPolicy
  • iam:GetIdentityPolicy

Resources

Similar to actions, resources can be matched using wildcards, e.g. kvdb:*, org:org_123/user/*, or *.

Unlike actions, a resource wildcard must stand in for a whole identifier segment; partial-name patterns such as kvdb:kvdb_a* are not supported. Grant access to a specific database by spelling out its full ID.

Four types of resources are supported:

Type               Specification                  Description
Organisation       org:<org id>                   Actions on an organisation, including creating resources within the organisation.
Access Key         accesskey:<access key id>      Actions on an access key, including renaming, deleting, and updating access keys.
KvDB               kvdb:<kvdb id>                 Actions on a KvDB, including executing client commands, or deleting the database.
Organisation User  org:<org id>/user/<user id>    Actions on a user within an organisation, including creating, deleting and setting their policies.

What are managed policies?

Managed policies are a special type of IAM policy that are automatically created and managed by Cloudalus. These policies exist to help with common use cases, such as assigning users roles within an organisation. Note that Full Access covers the iam:* actions as well, so a principal holding it can create access keys and write identity policies for other users; treat it as an administrative role rather than a default grant.

Name                           ID                        Description
Organisation User (Editor)     midpd_6367aa02d3f2ae5b    Allows read and write access to organisation resources
Full Access                    midpd_a303111e02ea1536    Allows full access to all resources
KvDB Execute Any               midpd_b93881e635610cf6    Allows executing any command on all KvDB databases
Organisation User (Read Only)  midpd_ba543acdacf0df53    Allows read-only access to organisation resources

Examples

Here are some examples of IAM policies that you can use as a starting point.

Allow all commands on a specific KvDB

An Allow policy whose actions list contains kvdb:Execute* and whose resources list contains kvdb:kvdb_1234567890.

The action kvdb:Execute* matches all actions that start with kvdb:Execute, such as kvdb:ExecuteGet and kvdb:ExecuteSet. It does not match the management actions kvdb:Update or kvdb:Delete, so the holder can use the database but not reconfigure or remove it.

The resource kvdb:kvdb_1234567890 matches only the specific KvDB with ID kvdb_1234567890.

Allow GET on a specific KvDB

An Allow policy whose actions list contains kvdb:ExecuteGet and whose resources list contains kvdb:kvdb_1234567890.

The action kvdb:ExecuteGet matches that single action and nothing else; a wildcard-free action name is the tightest grant available.

The resource kvdb:kvdb_1234567890 matches only the specific KvDB with ID kvdb_1234567890.

Allow all commands except DEL on a specific KvDB

Two statements on the same resource kvdb:kvdb_1234567890: an Allow for kvdb:Execute* and a Deny for kvdb:ExecuteDel.

This example combines an Allow with a Deny. Rather than listing every action other than kvdb:ExecuteDel, the wildcard kvdb:Execute* allows all commands and a second statement denies kvdb:ExecuteDel. Because Deny takes precedence over Allow, DEL is refused even though the wildcard matches it, and the order of the two statements does not matter.

Manage access keys but not their access / policies

An Allow policy listing the access-key actions against the two resources org:* and accesskey:*.

Note that this policy names two resource types in the same statement. That works because each action only ever applies to one resource type, so the statement is interpreted action by action.

iam:CreateAccessKey and iam:ListAccessKeys apply to org:*, as access keys are created within an organisation. The remaining access-key actions (iam:DeleteAccessKey, iam:DescribeAccessKey and iam:UpdateAccessKey) apply to accesskey:*, as they operate on an access key directly. iam:PutIdentityPolicy is deliberately absent: the holder can create, replace and delete keys but cannot change what those keys are permitted to do, which keeps key management from turning into a path to privilege escalation.