You can create multiple identity policies and attach them to users and groups.
Identity policies are managed via VMS. You add an identity policy to VMS and then attach it to user(s) and/or group(s). When you add an identity policy to VMS, you can choose to enter the policy statements manually, upload a JSON file, or create a policy using a visual editor.
VAST identity policies support a subset of the elements listed in Amazon's IAM JSON Policy Reference. For information about the required JSON format, supported elements and examples, see S3 Policy Reference.
Adding an Identity Policy to VMS via VAST Web UI
Tip
VAST recommends adding identity policies through VAST Web UI.
To add an identity policy:
1. In the left navigation menu, choose User Management and then Identity Policies.
2. In the Identity Policies page, click + Create Policy to open the Add Policy dialog.
3. In the Name field, enter a name for the identity policy. Do not include spaces in the name.
4. In the Tenant field, select the tenant to which the identity policy will apply, from the dropdown list. An identity policy can be associated with a single tenant.
5. Do one of the following to add the policy statements:
   - Enter the policy statements in the Policy field.
   - Click Upload JSON file and browse to the .json policy file that contains the policy statements.
   - Click Visual Policy Editor to enter policy statements using a visual editor.
     In the Identity Policy Generator dialog that opens:
     1. Choose Allow or Deny to allow or prohibit an S3 action or actions.
     2. Select one or more S3 actions from the Actions dropdown.
     3. In the Resource name list, specify the names of resources for which the action(s) is to be allowed or prohibited. You can enter a single resource name or a comma-separated list of resource names. For resource name format and examples, see Identity Policy Examples.
        Use an asterisk (*) as a wildcard, for example:
        my-bucket/*
        my-bucket/*/test/***
     4. Click Add to JSON.
        The newly added statement is displayed in the grid where you can review it. If needed, you can delete a statement from the grid and add a new one.
     5. Repeat steps 1-4 to add as many statements as you need.
     6. When finished, click Preview to preview the identity policy.
        If you are satisfied with the policy content, click Add to policy to return to the Add Policy dialog. The statements you created in the visual editor are displayed in the Policy field.
        Otherwise, click Back to return to the visual editor and repeat steps 1-5 as necessary.
6. In the Add Policy dialog, click Create.
The policy is created and added to the set of available policies and displayed in the Identity Policies page. Proceed to Attaching/Removing Identity Policies to/from Users and Groups.
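A policy file can be checked before it is uploaded or pasted into the Policy field. The following is an added example, not VAST code: it assumes the policy uses the IAM-style Statement, Effect, Action and Resource elements (confirm the supported subset in S3 Policy Reference), and the function name lint_policy and the sample policy are constructed for illustration. It flags a name containing spaces, malformed JSON, and Allow statements that are not scoped to specific actions or resources.

```python
import json

def _as_list(value):
    # IAM-style JSON accepts either one string or a list of strings.
    if isinstance(value, str):
        return [value]
    return list(value) if isinstance(value, list) else []

def lint_policy(name, policy_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not name or any(ch.isspace() for ch in name):
        findings.append("name: must be non-empty and contain no spaces")
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return findings + [f"json: {exc.msg} (line {exc.lineno})"]
    statements = doc.get("Statement") if isinstance(doc, dict) else None
    if isinstance(statements, dict):
        statements = [statements]  # a single statement object
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement: missing or empty"]
    for i, st in enumerate(statements):
        if not isinstance(st, dict):
            findings.append(f"Statement[{i}]: not a JSON object")
            continue
        effect = st.get("Effect")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if effect not in ("Allow", "Deny"):
            findings.append(f"Statement[{i}]: Effect must be Allow or Deny")
        if not actions:
            findings.append(f"Statement[{i}]: no Action given")
        if not resources:
            findings.append(f"Statement[{i}]: no Resource given")
        # Least-privilege check: flag Allow statements that are not scoped.
        if effect == "Allow" and any(a in ("*", "s3:*") for a in actions):
            findings.append(f"Statement[{i}]: Allow covers every S3 action")
        if effect == "Allow" and "*" in resources:
            findings.append(f"Statement[{i}]: Allow covers every resource")
    return findings

# Constructed sample policy (not from the VAST documentation).
SAMPLE = """{"Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["my-bucket/*"]},
  {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
]}"""

if __name__ == "__main__":
    for finding in lint_policy("analytics readonly", SAMPLE):
        print(finding)
```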
Adding an Identity Policy to VMS via VAST CLI
Note
The recommended way to add identity policies to VMS is via the VAST Web UI. Because policies are multi-line, you may find that creating them from an SSH terminal does not succeed.
To add an identity policy to VMS, run the identitypolicy create command.
To modify an identity policy that has been added, run the identitypolicy modify command.