Policy Reference

Trust policies are JSON documents attached to trusts. They define what actions a trustee is allowed or denied on a given set of resources when acting through that trust. This page covers the full policy syntax, available actions, resource types, and worked examples.

Policy structure

A policy is an array of statements. Each statement has three fields:

[
  {
    "Effect": "Allow" | "Deny",
    "Actions": ["<action>", ...],
    "Resources": ["<resource>", ...]
  }
]
Field     | Required | Description
Effect    | Yes      | Whether this statement allows or denies the specified actions. Either Allow or Deny.
Actions   | Yes      | One or more actions this statement applies to. Must not be empty.
Resources | Yes      | One or more resources this statement applies to. Must not be empty.

Deny always wins. If any statement in any applicable policy denies an action, that action is denied, regardless of allow statements elsewhere.

Actions

Actions follow the format <service>:<ActionName>, for example kvdb:ExecuteGet or iam:CreateProgrammaticIdentity.

You can use wildcards to match multiple actions:

  • *: matches all actions across all services.
  • kvdb:*: matches all KvDB actions.
  • kvdb:Execute*: matches all KvDB execute (client command) actions.
Wildcards match at the end of an action name only. kvdb:*Get is not supported. Use kvdb:ExecuteGet to target a specific command.
All supported actions

Resources

Resources identify what a statement applies to. Patterns are matched against the path of the resource being accessed.

Shorthand patterns

Shorthand patterns are the most common form. They are automatically scoped to the policy owner's organisation:

Pattern                    | Matches
kvdb/<id>                  | A specific KvDB database
kvdb/*                     | All KvDB databases in your organisation
programmatic_identity/<id> | A specific programmatic identity and its credentials
programmatic_identity/*    | All programmatic identities in your organisation
org_user/<id>              | A specific organisation member
org_user/*                 | All organisation members
**                         | All resources in your organisation

Wildcards

  • * matches exactly one whole ID. Valid only in the ID position: kvdb/*, programmatic_identity/*.
  • ** matches all remaining resources. Must be the final segment. Use bare ** to match everything in your organisation.
Bare * is not valid as a resource pattern. Use ** to match all resources in your organisation, or kvdb/* to match all resources of a specific type.

Fully qualified patterns (advanced)

Fully qualified patterns start with // and include the full resource path. Shorthand patterns cover the vast majority of use cases; fully qualified patterns are rarely needed.

Pattern                       | Matches
//org/<org_id>/kvdb/<kvdb_id> | A specific database in a specific organisation
//org/<org_id>/kvdb/*         | All databases in a specific organisation
//**                          | All resources everywhere (crosses org boundaries)

Fully qualified patterns are not expanded — they match exactly as written, with no org prefix added automatically.

Managed policies

Managed policies are predefined trust-policy templates provided by Cloudalus for common use cases. Rather than writing policy JSON from scratch, you can attach one or more managed policies to a trust such as an organisation member or programmatic identity trust.

Name                          | ID                    | Description
Unrestricted Access           | mtpd_00ca520ba4b294a7 | Allows full access to all resources including those that trust this organisation
Organisation User (Editor)    | mtpd_6367aa02d3f2ae5b | Allows read and write access to organisation resources
Admin Access                  | mtpd_a303111e02ea1536 | Allows full access to the organisation's own resources
KvDB Execute Any              | mtpd_b93881e635610cf6 | Allows executing any command on all KvDB databases
Organisation User (Read Only) | mtpd_ba543acdacf0df53 | Allows read-only access to organisation resources

Examples

Allow all commands on a specific database

The most common use case: give a programmatic identity full read/write access to one database.


Read-only access to a database

Allow only read commands (GET, MGET, HGET, etc.) while preventing any writes.


Alternatively, allow all commands and then deny write operations:


Allow all commands except DEL

Use a wildcard allow with a targeted deny to block a specific command.


Access to multiple specific databases

Grant access to two databases in a single statement.


Manage credentials without controlling their policies

Allow creating, listing, updating, and deleting access key credentials, but not modifying the parent programmatic identities' trust policies.

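The following is an added example, not Cloudalus code: a small evaluator that implements the semantics documented on this page (deny always wins, action wildcards only at the end of a name, * matching exactly one ID, ** matching everything remaining, shorthand resource patterns scoped to the policy owner's organisation), together with policies for five of the six worked examples above (the credentials example needs iam action names this page does not list). Everything not stated on the page is an assumption: the resource path layout //org/<org_id>/<type>/<id>, the database ids kvdb_orders and kvdb_sessions, the default-deny outcome when no statement matches, and the action names kvdb:ExecuteSet, kvdb:ExecuteDel, kvdb:ExecuteMGet and kvdb:ExecuteHGet, which are assumed to follow the kvdb:ExecuteGet form.

```python
"""Evaluator for the trust-policy semantics described on this page. Added example,
not Cloudalus code. Assumptions: resources are addressed by the path
'//org/<org_id>/<type>/<id>'; a request matching no Allow statement is denied;
command actions other than GET follow the same kvdb:Execute<Command> form."""
import json

OWNER_ORG = "org_example"  # constructed organisation id of the policy owner


def _segments(pattern: str, owner_org: str) -> list[str]:
    """Shorthand patterns get the owner's org prefix; '//' patterns are used as written."""
    full = pattern if pattern.startswith("//") else f"//org/{owner_org}/{pattern}"
    return full[2:].split("/")


def validate(policy: list[dict]) -> list[str]:
    """Return the syntax problems this page documents (empty list means valid)."""
    problems = []
    for n, stmt in enumerate(policy):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {n}: Effect must be Allow or Deny")
        if not stmt.get("Actions"):
            problems.append(f"statement {n}: Actions must not be empty")
        if not stmt.get("Resources"):
            problems.append(f"statement {n}: Resources must not be empty")
        for a in stmt.get("Actions", []):
            if "*" in a[:-1]:  # kvdb:*Get is not supported
                problems.append(f"statement {n}: wildcard only allowed at the end of {a!r}")
        for r in stmt.get("Resources", []):
            if r == "*":
                problems.append(f"statement {n}: bare '*' is not a valid resource pattern")
            elif any(s in ("*", "**") for s in _segments(r, OWNER_ORG)[:-1]):
                problems.append(f"statement {n}: '*' and '**' must be the final segment of {r!r}")
    return problems


def action_matches(pattern: str, action: str) -> bool:
    """'*' matches all actions, 'svc:*' one service, 'svc:Prefix*' a prefix."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return action == pattern


def resource_matches(pattern: str, path: str, owner_org: str = OWNER_ORG) -> bool:
    """Segment-wise match: '*' is exactly one ID, '**' matches all remaining segments."""
    segs, target = _segments(pattern, owner_org), path[2:].split("/")
    for i, seg in enumerate(segs):
        if seg == "**":
            return True
        if i >= len(target) or (seg != "*" and seg != target[i]):
            return False
    return len(target) == len(segs)


def evaluate(policies: list[list[dict]], action: str, path: str, owner_org: str = OWNER_ORG) -> bool:
    """A Deny in any applicable policy wins; otherwise any matching Allow grants; else denied."""
    allowed = False
    for policy in policies:
        if problems := validate(policy):
            raise ValueError("; ".join(problems))
        for stmt in policy:
            if any(action_matches(a, action) for a in stmt["Actions"]) and any(
                resource_matches(r, path, owner_org) for r in stmt["Resources"]
            ):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


# Policies for the worked examples on this page. Database ids are constructed;
# the Set/Del/MGet/HGet action names are assumed to follow the kvdb:ExecuteGet form.
FULL_ACCESS_ONE_DB = json.loads('''[
  {"Effect": "Allow", "Actions": ["kvdb:Execute*"], "Resources": ["kvdb/kvdb_orders"]}
]''')
READ_ONLY_ALLOWLIST = json.loads('''[
  {"Effect": "Allow", "Actions": ["kvdb:ExecuteGet", "kvdb:ExecuteMGet", "kvdb:ExecuteHGet"],
   "Resources": ["kvdb/kvdb_orders"]}
]''')
READ_ONLY_VIA_DENY = json.loads('''[
  {"Effect": "Allow", "Actions": ["kvdb:Execute*"], "Resources": ["kvdb/kvdb_orders"]},
  {"Effect": "Deny", "Actions": ["kvdb:ExecuteSet", "kvdb:ExecuteDel"], "Resources": ["kvdb/kvdb_orders"]}
]''')
ALL_BUT_DEL = json.loads('''[
  {"Effect": "Allow", "Actions": ["kvdb:*"], "Resources": ["kvdb/*"]},
  {"Effect": "Deny", "Actions": ["kvdb:ExecuteDel"], "Resources": ["kvdb/*"]}
]''')
TWO_DATABASES = json.loads('''[
  {"Effect": "Allow", "Actions": ["kvdb:Execute*"], "Resources": ["kvdb/kvdb_orders", "kvdb/kvdb_sessions"]}
]''')

if __name__ == "__main__":
    db = f"//org/{OWNER_ORG}/kvdb/kvdb_orders"
    for name, policy in [("full", FULL_ACCESS_ONE_DB), ("read-only", READ_ONLY_VIA_DENY),
                         ("all-but-del", ALL_BUT_DEL)]:
        print(name, {c: evaluate([policy], f"kvdb:Execute{c}", db) for c in ("Get", "Set", "Del")})
```

Two points worth checking against your own policies with this evaluator: a shorthand kvdb/* never reaches a database in another organisation, even one that trusts yours, because the org prefix is added before matching, whereas //** does cross that boundary; and a Deny statement in any attached policy (managed or custom) overrides an Allow in every other one, so the deny-on-write form of the read-only example stays read-only even if a broader allow is attached later.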

© 2026 Cloudalus. All rights reserved.

* Redis is a trademark of Redis Labs Ltd. Any rights therein are reserved to Redis Labs Ltd. Any use by Cloudalus is for referential purposes only and does not indicate any sponsorship, endorsement or affiliation between Redis and Cloudalus.