Creating Identity Policies


You can create multiple identity policies and attach them to users and groups.

Identity policies are managed via VMS. You add an identity policy to VMS and then attach it to user(s) and/or group(s); see Attaching/Removing Identity Policies to/from Users and Groups. When you add an identity policy to VMS, you can choose to enter the policy statements from scratch, create a policy based on predefined rules, or import a policy as a JSON file.

VAST identity policies support a subset of the elements listed in Amazon's IAM JSON Policy Reference. For information about the required JSON format, supported elements and examples, see Identity and Bucket Policy Reference.

Adding an Identity Policy to VMS in VAST Web UI

Tip

VAST recommends adding identity policies through VAST Web UI.

You can create an identity policy in any of the following ways: with the interactive policy editor, by importing an existing policy file, or manually, by entering the policy JSON.

Creating an Identity Policy Using the Interactive Policy Editor

You create an identity policy by defining statements that are included in the policy. There are different types of statements, which can be combined in a single policy.

  1. In the left navigation menu, choose User Management and then Identity Policies.

  2. In the Identity Policies page, click Create Policy to open the Add Policy dialog.

  3. In the General Policy Details section, enter a name for the policy, without spaces, in the Name field.

  4. In the Define Statements section, select the type of statement to add to the policy:

    • Pre-defined. Select from a list of common, predefined statements.

    • Custom. Define a custom statement consisting of actions, effects, conditions, and resources.

  5. In the Statement ID field, enter a name for the statement. If not specified, a random name is generated.

  6. In the Resource field, enter one or more S3 resources (comma separated) on which the statement will apply. Wildcards can be included (for example, '*').

    Note

    Separate statements in a common policy can apply to different resources.

    Do step 7 or step 8, according to the statement type selected above.

  7. If the statement type is Pre-defined, select one or more statements from the list of Available Statements, then click the right-arrow button to move them to the Selected Statements list.

  8. If the statement type is Custom, do the following:

    1. Select the Effects of the actions in the statement: Allow or Deny. When applied, the policy will either allow or deny the selected actions.

    2. Select one or more actions from the list of Available Actions, then click the right-arrow button to move them to the Selected Actions list.

  9. Optionally, in the Conditions section, add conditions for the statement. Conditions qualify when a policy statement applies to a request. Follow these steps to add conditions to the statement:

    1. Click Add Condition

    2. Select a Condition Key from the list. This is the element of the request that the condition tests.

    3. Select a Qualifier from the list. This indicates whether the condition must hold for any value or for all values in the request.

      Note

      This field applies only to some condition keys.

    4. Select an Operator.

    5. Enter a list of Values, separated by commas.

      For example, these selections create a condition for the policy statement testing for the userid 1234:

      • Key: aws:userid

      • Qualifier: Any value in request

      • Operator: StringEquals

      • Value: 1234

    6. Repeat above steps for additional conditions for the same statement.

    See Adding Conditions to Identity Policies for more detail about conditions.

  10. Click Add Statement To Policy. The statement, in JSON format, is shown in the Identity Policy pane on the right.

    After a statement has been added to the policy, the editor fields no longer apply to it: you cannot use them to change its actions, resources or conditions. To change an added statement, edit its JSON directly in the Identity Policy pane on the right.

    You can also copy the text of the policy (click Copy Policy).

  11. Repeat steps Step 4 to Step 10 to add additional statements to the policy. You can include statements of different types in a single policy, each with its own list of resources and conditions.

  12. Click Create. The policy is created, added to the set of available policies and displayed in the Identity Policies page. To associate the policy with users or groups (in the Users or Groups tab), proceed to Attaching/Removing Identity Policies to/from Users and Groups.

Examples of Identity Policies

This is a simple policy that allows s3:GetObject on the bucket test-bucket and on every object under it:

{
  "Version": "2012-10-17",
  "Id": "e9483951-4471-43e2-8361-baae43ad339d",
  "Statement": [
    {
      "Sid": "Stmt17440227975897972",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "test-bucket",
        "test-bucket/*"
      ]
    }
  ]
}

This example includes wildcards to allow any Get* action on the bucket:

{
  "Version": "2012-10-17",
  "Id": "e9483951-4471-43e2-8361-baae43ad339d",
  "Statement": [
    {
      "Sid": "Stmt17440227975897972",
      "Action": [
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "test-bucket",
        "test-bucket/*"
      ]
    }
  ]
}

This example includes multiple statements in the policy, one for Get* actions, and one for Put* actions:

{
  "Version": "2012-10-17",
  "Id": "12ce48cf-6ca9-4f33-ad2d-47b0bfbad5c0",
  "Statement": [
    {
      "Sid": "Stmt17440229217713216",
      "Action": [
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "test-bucket",
        "test-bucket/*"
      ]
    },
    {
      "Sid": "Stmt17440229217716670",
      "Action": [
        "s3:Put*"
      ],
      "Effect": "Allow",
      "Resource": [
        "another-bucket",
        "another-bucket/*"
      ]
    }
  ]
}
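The following script is an added example and not VAST's own code. It builds a policy in the JSON shape shown on this page (Version, Id, Statement with Sid, Action, Effect, Resource and optional Condition) so that it can be pasted into the Identity Policy pane or imported as a file, and lints it first: structural rules stated on this page (Effect must be Allow or Deny, Condition must be {operator: {key: value}}, non-empty Action and Resource) plus a least-privilege warning for unconditional wildcard or write actions on every resource. The helper names are hypothetical and the sample policies are constructed from the examples above.

```python
"""Added example (not VAST's code): build an identity policy in the JSON shape
this page shows and lint it before importing. The helper names are
hypothetical; the checks follow the rules stated on this page (Version,
Sid, Action, Effect Allow/Deny, Resource, Condition as {operator: {key: value}})."""
import json
import re
import uuid

ACTION_RE = re.compile(r"^s3:[A-Za-z0-9*]+$")


def make_statement(sid, actions, resources, effect="Allow", condition=None):
    """One statement in the layout the interactive editor emits."""
    stmt = {"Sid": sid, "Action": list(actions), "Effect": effect, "Resource": list(resources)}
    if condition is not None:
        stmt["Condition"] = condition
    return stmt


def make_policy(statements, policy_id=None):
    return {"Version": "2012-10-17", "Id": policy_id or str(uuid.uuid4()),
            "Statement": list(statements)}


def lint_policy(policy):
    """Return (severity, message) findings; an empty list means the policy is clean."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(("error", "Version must be '2012-10-17'"))
    stmts = policy.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        return findings + [("error", "Statement must be a non-empty list")]
    seen = set()
    for i, s in enumerate(stmts):
        where = f"statement {i} (Sid={s.get('Sid', '?')})"
        if s.get("Sid") in seen:
            findings.append(("error", f"{where}: duplicate Sid"))
        seen.add(s.get("Sid"))
        if s.get("Effect") not in ("Allow", "Deny"):
            findings.append(("error", f"{where}: Effect must be Allow or Deny"))
        actions = s.get("Action") or []
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not actions:
            findings.append(("error", f"{where}: Action is missing or empty"))
        for a in actions:
            if not ACTION_RE.match(a):
                findings.append(("error", f"{where}: malformed action {a!r}"))
        resources = s.get("Resource") or []
        resources = [resources] if isinstance(resources, str) else list(resources)
        if not resources:
            findings.append(("error", f"{where}: Resource is missing or empty"))
        cond = s.get("Condition")
        if cond is not None and not (isinstance(cond, dict) and cond and
                                     all(isinstance(v, dict) and v for v in cond.values())):
            findings.append(("error", f"{where}: Condition must be {{operator: {{key: value}}}}"))
        # Least-privilege check: unconditional Allow of wildcard/write actions on every resource.
        if s.get("Effect") == "Allow" and cond is None and "*" in resources and \
                any(a in ("s3:*", "s3:Put*", "s3:Delete*") for a in actions):
            findings.append(("warning", f"{where}: unconditional {actions} on every resource"))
    return findings


# Constructed sample: the two-statement example above, plus a deliberately broad policy.
SAMPLE_POLICY = make_policy([
    make_statement("Stmt17440229217713216", ["s3:Get*"], ["test-bucket", "test-bucket/*"]),
    make_statement("Stmt17440229217716670", ["s3:Put*"], ["another-bucket", "another-bucket/*"]),
], policy_id="12ce48cf-6ca9-4f33-ad2d-47b0bfbad5c0")
BROAD_POLICY = make_policy([make_statement("Everything", ["s3:*"], ["*"])])

if __name__ == "__main__":
    print(json.dumps(SAMPLE_POLICY, indent=2))   # paste or import this into the policy editor
    for severity, message in lint_policy(BROAD_POLICY):
        print(severity.upper(), message)
```

Run the script to emit the sample policy as JSON; the linter is the part worth keeping in a review pipeline, since it catches the malformed Condition shape and the unconditional "s3:*" on "*" grant before the policy is attached to anyone.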

Adding Conditions to Identity Policies

Conditions qualify when a policy statement applies to a request. They can be added to any statement in a policy, whether its effect is Allow or Deny.

Conditions consist of a key, an operator, and a value. They appear in the policy (JSON) in the format:

"Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}

Condition keys are case-insensitive. See Supported Condition Keys per S3 Action for a list of supported condition keys.

Examples of Conditions

This condition allows the action only if the object already carries a tag 'foo' with value 'bar':

"Condition": { "StringEquals": { "s3:ExistingObjectTag/foo": "bar" } }

This condition applies only if the request is made over a secure HTTPS connection:

"Condition": { "Bool": { "aws:SecureTransport": "True" } }

This condition uses the 'IfExists' operator suffix: it is true if the tag 'DeleteApproved' is set to true, and also if the tag does not exist at all (the key is only tested when it is present):

"Condition": { "StringEqualsIfExists": { "aws:ResourceTag/DeleteApproved": "true" } }

This condition uses the 'Null' operator, which tests whether a key is present in the request. With the value "true" it is satisfied only when the aws:TagKeys key is absent, that is, when the request carries no tags; use "false" to require that the key is present:

"Condition": { "Null": { "aws:TagKeys": "true" } }

Using Variables in Identity Policies

You can use variables instead of hard-coded values in policies. For example, instead of adding a username in a bucket prefix, you can use a variable that contains the name of the requesting user.

Insert variables in the resource or condition parts of policy statements using the format ${variable}.

These variables are supported:

  • ${BucketName}

  • ${ObjectName}

  • ${username}

  • ${sourceip}

Examples

This statement permits read-only access to objects in any bucket:

{
  "Id": "Policy1234",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RO",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": "${BucketName}"
    }
  ]
}

This statement grants GetObject and PutObject permissions on objects under the home/${aws:username}/ prefix of the bucket named bucket; the condition restricts the statement to the user john, so the variable resolves to john's own home prefix:

{
  "Sid": "Policy12345",
  "Action": [
    "s3:GetObject",
    "s3:PutObject"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:s3:::bucket/home/${aws:username}/*",
  "Condition": {
    "StringEquals": { "aws:username": "john" }
  }
}
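The following evaluator is an added example and not VAST's own policy engine. It serves both the Adding Conditions to Identity Policies section and the variables section above: it implements the AWS-style semantics of StringEquals, Bool, StringEqualsIfExists and Null (including the point that Null "true" means the key is absent), expands the ${BucketName}, ${ObjectName}, ${username} and ${sourceip} variables listed above (plus the ${aws:username} spelling used in the last example), and combines statements the usual way, explicit Deny first, then Allow, otherwise implicit Deny. The request-context field names (bucket, key, username, userid, sourceip, https, object_tags, request_tags) are assumed, and the sample policy is constructed for the example.

```python
"""Added example (not VAST's code): evaluate a request against identity-policy
statements, applying the condition operators and ${...} variables from this page
with AWS-style semantics. Request-context field names (bucket, key, username,
userid, sourceip, https, object_tags, request_tags) are assumed."""
import fnmatch
import re

VAR_RE = re.compile(r"\$\{([A-Za-z:]+)\}")


def substitute(text, ctx):
    """Expand ${BucketName}, ${ObjectName}, ${username}, ${sourceip} (and the
    ${aws:username} spelling used in the example above) from the request."""
    mapping = {"BucketName": ctx.get("bucket", ""), "ObjectName": ctx.get("key", ""),
               "username": ctx.get("username", ""), "aws:username": ctx.get("username", ""),
               "sourceip": ctx.get("sourceip", "")}
    return VAR_RE.sub(lambda m: mapping.get(m.group(1), m.group(0)), text)


def context_keys(ctx):
    """Flatten the request into condition keys; keys are lower-cased because the
    page states condition keys are case-insensitive."""
    keys = {"aws:userid": ctx.get("userid"), "aws:username": ctx.get("username"),
            "aws:securetransport": "true" if ctx.get("https") else "false"}
    for tag, value in ctx.get("object_tags", {}).items():   # tags on the existing object
        keys[f"s3:existingobjecttag/{tag}".lower()] = value
        keys[f"aws:resourcetag/{tag}".lower()] = value
    if ctx.get("request_tags"):                              # tag keys sent with the request
        keys["aws:tagkeys"] = list(ctx["request_tags"])
    return {k: v for k, v in keys.items() if v is not None}


def _match(op, actual, wanted):
    if op == "StringEquals":
        return actual == wanted
    if op == "Bool":
        return str(actual).lower() == str(wanted).lower()
    raise ValueError(f"unsupported operator {op}")


def condition_holds(condition, ctx):
    """True when every operator/key clause holds ('any value in request' qualifier)."""
    keys = context_keys(ctx)
    for op, clauses in condition.items():
        base, if_exists = (op[:-8], True) if op.endswith("IfExists") else (op, False)
        for key, wanted in clauses.items():
            actual = keys.get(key.lower())
            wanted_vals = [substitute(str(w), ctx)
                           for w in (wanted if isinstance(wanted, list) else [wanted])]
            if base == "Null":  # Null "true" requires the key to be ABSENT, "false" present
                if (actual is None) != (wanted_vals[0].lower() == "true"):
                    return False
                continue
            if actual is None:
                if if_exists:   # *IfExists: a missing key does not fail the clause
                    continue
                return False
            actual_vals = actual if isinstance(actual, list) else [actual]
            if not any(_match(base, a, w) for a in actual_vals for w in wanted_vals):
                return False
    return True


def _resource_matches(patterns, ctx):
    target = f"{ctx['bucket']}/{ctx['key']}" if ctx.get("key") else ctx["bucket"]
    for p in (patterns if isinstance(patterns, list) else [patterns]):
        p = substitute(p, ctx).removeprefix("arn:aws:s3:::")  # both spellings appear above
        if fnmatch.fnmatchcase(target, p):
            return True
    return False


def evaluate(policy, action, ctx):
    """'Allow' or 'Deny': an explicit Deny wins, no matching Allow is an implicit Deny."""
    decision = "Deny"
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not _resource_matches(s["Resource"], ctx):
            continue
        if "Condition" in s and not condition_holds(s["Condition"], ctx):
            continue
        if s["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed sample: per-user home prefix via ${username}, plus a Deny over plaintext HTTP.
HOME_POLICY = {"Version": "2012-10-17", "Id": "example-home-policy", "Statement": [
    {"Sid": "HomeRW", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "bucket/home/${username}/*"},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    john = {"bucket": "bucket", "key": "home/john/notes.txt", "username": "john", "https": True}
    print(evaluate(HOME_POLICY, "s3:GetObject", john))                      # Allow
    print(evaluate(HOME_POLICY, "s3:GetObject", {**john, "https": False}))  # Deny
```

The Deny-on-plaintext statement is the pattern to pair with any variable-based home-prefix grant: because Deny is evaluated first, it holds regardless of how many Allow statements are later added to the policy. The Null and IfExists clauses are worth exercising against an empty request context before deploying, since that is where the two operators differ from a plain StringEquals.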

Creating an Identity Policy by Importing an Existing Policy File

  1. In the left navigation menu, choose User Management and then Identity Policies.

  2. In the Identity Policies page, click Create Policy to open the Add Policy dialog.

  3. Click Import Policy, in the lower right corner.

  4. Browse to the file containing the policy definition. The file must be in JSON format. The policy definition appears in the Policy pane.

  5. Optionally, edit the file in the Policy pane.

  6. Click Create to save the policy.

Creating an Identity Policy Manually

  1. In the left navigation menu, choose User Management and then Identity Policies.

  2. In the Identity Policies page, click Create Policy to open the Add Policy dialog.

  3. In the Policy pane on the right, enter the definition for the policy, including all rules for it, in JSON format.

  4. Click Create to save the policy.