Creating Identity Policies

You can create multiple identity policies and attach them to users and groups.

Identity policies are managed via VMS. You add an identity policy to VMS and then attach it to user(s) and/or group(s). When you add an identity policy to VMS, you can choose to enter the policy statements from scratch, create a policy based on predefined templates, or upload a JSON file.

VAST identity policies support a subset of the elements listed in Amazon's IAM JSON Policy Reference. For information about the required JSON format, supported elements and examples, see Identity and Bucket Policy Reference.

Adding an Identity Policy to VMS via VAST Web UI

Tip

VAST recommends adding identity policies through VAST Web UI.

To add an identity policy:

  1. In the left navigation menu, choose User Management and then Identity Policies.

  2. In the Identity Policies page, click Create Policy to open the Add Policy dialog.

  3. In the General tab:

    • In the Name field, enter a name for the identity policy. Do not include spaces in the name.

    • In the Tenant field, select the tenant to which the identity policy will apply, from the dropdown list. An identity policy can be associated with a single tenant.

  4. In the Define policy tab, do either of the following to add the policy statements:

    • Upload an identity policy to VMS.

      Click the Upload JSON button at the bottom right corner of the dialog to upload a .json policy file that contains the policy statements.

    • Create an identity policy from scratch.

      Either type your policy into the JSON panel on the right of the dialog or use the Create Statement pane to construct policy statements as follows:

      1. Specify a name for the statement in the Statement ID field.

      2. Choose Allow or Deny to allow or prohibit an S3 action or actions.

      3. Select one or more S3 actions from the Actions dropdown.

      4. In the Resource field, select from the dropdown the names of the resources for which the action(s) are to be allowed or prohibited.

      5. Click Add to JSON. Your statement is added to the JSON panel.

    • Create an identity policy based on a template.

      1. Go to the Predefined rules pane.

      2. Select one or more predefined statements and click Add to JSON.

      3. In the Resource for selected rule popup, specify the resource to which the statement applies.

        You can enter a single resource name or a comma-separated list of resource names. For resource name format and examples, see Identity and Bucket Policy Reference.

        Use an asterisk (*) as a wildcard, for example:

        • my-bucket/*

        • my-bucket/*/test/**

        • *

      4. Click OK.

  5. Click Create at the bottom of the Add Policy dialog.

    The policy is created and added to the set of available policies and displayed in the Identity Policies page. Proceed to Attaching/Removing Identity Policies to/from Users and Groups.
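A pre-upload check for the .json policy file from step 4, as an added example rather than VAST code. It assumes the Amazon IAM element names Statement, Sid, Effect, Action and Resource and treats `s3:*` as the all-actions wildcard; the elements VAST actually supports are listed in Identity and Bucket Policy Reference, and the sample policy and function names are constructed for illustration.

```python
import json

# Constructed sample in Amazon IAM JSON style; Sid and bucket names are made up.
SAMPLE_POLICY = """{
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["my-bucket", "my-bucket/*"]},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "NoEffect", "Action": "s3:PutObject", "Resource": "my-bucket/*"}
  ]
}"""

def as_list(value):
    """An element may hold one value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(name, policy_text):
    """Return findings for a policy name and its JSON text; [] means none."""
    findings = []
    if any(ch.isspace() for ch in name):
        findings.append("name: policy name must not contain spaces")
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return findings + [f"json: invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(doc, dict) or not as_list(doc.get("Statement")):
        return findings + ["json: expected an object with a Statement element"]
    for i, st in enumerate(as_list(doc["Statement"])):
        if not isinstance(st, dict):
            findings.append(f"#{i}: statement is not a JSON object")
            continue
        label = st.get("Sid", f"#{i}")
        effect = st.get("Effect")
        actions, resources = as_list(st.get("Action")), as_list(st.get("Resource"))
        if effect not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be Allow or Deny")
        if not actions or not resources:
            findings.append(f"{label}: needs both Action and Resource")
        if effect == "Allow" and any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{label}: allows every S3 action")
        if effect == "Allow" and "*" in resources:
            findings.append(f"{label}: allows access to every resource (*)")
    return findings

if __name__ == "__main__":
    for finding in lint_policy("reports reader", SAMPLE_POLICY):
        print(finding)
```

A wildcard finding is a prompt to review the statement before attaching the policy to users or groups, not proof that the policy is wrong.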

Adding an Identity Policy to VMS via VAST CLI

Note

The recommended way to add identity policies to VMS is via the VAST Web UI. Since policies are multi-line, you may find that your SSH terminal does not succeed in creating the policies.

To add an identity policy to VMS, run the identitypolicy create command.

To modify an identity policy that has been added, run the identitypolicy modify command.