Creating Identity Policies


You can create multiple identity policies and attach them to users and groups.

Identity policies are managed via VMS. You add an identity policy to VMS and then attach it to user(s) and/or group(s). When you add an identity policy to VMS, you can choose to enter the policy statements manually, upload a JSON file, or create a policy using a visual editor.

VAST identity policies support a subset of the elements listed in Amazon's IAM JSON Policy Reference. For information about the required JSON format, supported elements and examples, see Identity Policy Format.

Identity Policy Format

An identity policy comprises a series of statements. Each statement allows or denies a set of S3 actions on a set of S3 resources.

Identity Policy Syntax

The identity policy syntax is:

  {
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "SID",
      ("Action" | "NotAction"): ("*" | [<action_string>, <action_string>, ...]),
      "Effect": ("Allow" | "Deny"),
      ("Resource" | "NotResource"): ("*" | [<resource_string>, <resource_string>, ...])
    }]
  }

The following conventions are used in the provided syntax:

  • The following characters are JSON tokens and are included in identity policies: { } [ ] " , :

  • The following characters are special characters in the grammar and are not included in identity policies: = < > ( ) |

  • If an element allows multiple values, it is indicated using repeated values, a comma delimiter, and an ellipsis (...).

    For example:

    [<action_string>, <action_string>, ...]
  • If multiple values are allowed, it is also valid to include only one value. For only one value, the trailing comma must be omitted. If the element takes an array (marked with [ and ]) but only one value is included, the brackets are optional.

    For example, both of the following are valid, with and without the brackets:

    "Action": [<action_string>]
    "Action": <action_string>
  • A vertical line (|) between elements indicates alternatives. Parentheses in the syntax define the scope of the alternatives. Example:

    ("Action" | "NotAction")
  • Elements that must be literal strings are enclosed in double quotation marks ("). For example, "Allow".

Supported Elements in the Identity Policy Syntax

Note

The Condition element is not supported.

Version (Required)

Specifies the language syntax rules that are to be used to process the policy.

There is one supported value for Version: 2012-10-17. This is the current version of the policy language.

Statement (Required)

The main element in a policy, the Statement element contains one or more permission statements.

The Statement element can contain a single statement or an array of individual statements. Each individual statement block must be enclosed in curly braces { }. For multiple statements, the array must be enclosed in square brackets [ ].

Sid (Optional)

An optional identifier for the policy statement. You can assign a Sid value to each statement in a statement array. The Sid value must be unique within a JSON policy.

You can't retrieve a particular statement based on the Sid value.

The Sid element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).

Action, NotAction (Required: either Action or NotAction)

Specifies an action or actions.

With Action:

  • All specified actions are allowed if Effect is set to Allow.

  • All specified actions are denied if Effect is set to Deny.

With NotAction:

  • All actions that are not specified are allowed if Effect is set to Allow.

  • All actions that are not specified are denied if Effect is set to Deny.

Using NotAction can result in a shorter policy by listing only a few actions that should not match, rather than including a long list of actions that will match.

The Action or NotAction element can specify all actions, using the expression "*", or one or more action strings specifying specific actions to be allowed or denied by the statement.

Specify <action_string> in the format:

"S3:ACTION"

ACTION is the AWS S3 action name of any supported S3 action. For supported actions and their Amazon S3 action names, see Supported S3 API Actions in Supported S3 Requests & Custom Headers.

For example: "S3:GetObject"

You can use wildcards to specify multiple actions, such as:

  • "S3:Get*". Denotes all actions beginning with Get, such as GetBucket, GetObject, etc.

  • "S3:*Object*". Denotes all actions that include the string Object, such as GetObject, DeleteObject, ListObjects, and so on.

Effect (Required)

Specifies whether a statement results in an allow or an explicit deny.

Valid values are Allow and Deny.

Resource, NotResource (Required: either Resource or NotResource)

Specifies buckets and/or objects.

With Resource, the specified buckets and/or objects are covered by a statement.

With NotResource, all buckets and/or objects except those specified are covered by a statement.

You can specify one resource element or multiple resource elements in a statement.

The expression "*" denotes all buckets and objects.

The following are valid for <resource_string>:

  • "arn:aws:s3:::BUCKET". Specifies bucket BUCKET.

  • "arn:aws:s3:::BUCKET/*". Specifies all objects in bucket BUCKET.

  • "arn:aws:s3:::BUCKET/PREFIX/*". Specifies all objects in bucket BUCKET with prefix PREFIX/.

  • "arn:aws:s3:::BUCKET/OBJECT". Specifies a specific object OBJECT in bucket BUCKET.

Identity Policy Examples

The following identity policy grants a user access to one of your buckets, DOC-EXAMPLE-BUCKET1, and allows the user to add, update, and delete objects.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action": "s3:ListAllMyBuckets",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":["s3:ListObjects","s3:GetBucketLocation"],
         "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET1"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
         ],
         "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*"
      }
   ]
}

The following policy contains one statement that grants permission to perform all actions on all objects in all buckets:

  {
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "Allow Everything",
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*"
    }]
  }

The following identity policy contains one statement that grants permission to perform the GetObject action on all objects in the bucket dev:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow All GetObject in dev Bucket",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::dev/*"
    }
  ]
}

The following identity policy grants permission for multiple actions on the bucket product and on all objects in the same bucket, while also denying delete permission on the same bucket and objects.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Multiple Actions on product bucket and its objects",
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:Head*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::product",
        "arn:aws:s3:::product/*"
      ]
    },
    {
      "Sid": "Deny delete product bucket and objects",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::product",
        "arn:aws:s3:::product/*"
      ]
    }
  ]
}
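As an added example, not part of this documentation or of VAST's own code, the following Python evaluates an S3 request against a policy written in the format described above: it accepts the single-value shorthand from the syntax conventions, applies Action/NotAction and Resource/NotResource matching with "*" wildcards, rejects the unsupported Condition element, and assumes the AWS IAM rule that an explicit Deny overrides any Allow and that a request matched by no statement is implicitly denied. The policy constants (a re-typed copy of the product policy above plus a constructed NotAction policy) and all function names are my own.

```python
import fnmatch

# Constructed sample, not from the page: the "product" bucket policy above, re-typed.
PRODUCT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowProduct", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:Put*", "s3:Head*", "s3:List*"],
     "Resource": ["arn:aws:s3:::product", "arn:aws:s3:::product/*"]},
    {"Sid": "DenyDeleteProduct", "Effect": "Deny",
     "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::product", "arn:aws:s3:::product/*"]}]}

# Constructed: a single statement not wrapped in an array, using NotAction and
# the single-string shorthand (both valid per the syntax conventions above).
NOT_DELETE_POLICY = {"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "NotAction": "s3:Delete*", "Resource": "*"}}

def as_list(value):
    """Statement, Action, NotAction, Resource and NotResource may be one value or an array."""
    return value if isinstance(value, list) else [value]

def matches(patterns, target, fold=False):
    """'*' matches any run of characters, '/' included; fold=True compares case-insensitively."""
    f = str.lower if fold else str
    return any(fnmatch.fnmatchcase(f(target), f(p)) for p in patterns)

def statement_applies(stmt, action, resource):
    """Action/NotAction and Resource/NotResource select the requests a statement covers."""
    if "Action" in stmt:  # action names are case-insensitive ("S3:GetObject" == "s3:GetObject")
        action_ok = matches(as_list(stmt["Action"]), action, fold=True)
    else:
        action_ok = not matches(as_list(stmt["NotAction"]), action, fold=True)
    if "Resource" in stmt:  # ARNs are compared exactly apart from the wildcard
        resource_ok = matches(as_list(stmt["Resource"]), resource)
    else:
        resource_ok = not matches(as_list(stmt["NotResource"]), resource)
    return action_ok and resource_ok

def evaluate(policy, action, resource):
    """Assumed IAM semantics: explicit Deny beats Allow; no matching statement is an implicit deny."""
    if policy.get("Version") != "2012-10-17":
        raise ValueError("unsupported Version")
    decision = "ImplicitDeny"
    for stmt in as_list(policy["Statement"]):
        if "Condition" in stmt:
            raise ValueError("Condition element is not supported")
        if statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

Running `evaluate(PRODUCT_POLICY, "s3:DeleteObject", "arn:aws:s3:::product/report.csv")` returns "Deny" even though "s3:Put*"-style allows exist, which is the effect the product policy above is written to achieve.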

Adding an Identity Policy to VMS via VAST Web UI

Tip

VAST recommends adding identity policies through VAST Web UI.

To add an identity policy:

  1. In the left navigation menu, choose User Management and then Identity Policies.

  2. In the Identity Policies page, click + Create Policy to open the Add Policy dialog.

  3. In the Name field, enter a name for the identity policy. Do not include spaces in the name.

  4. Do one of the following to add the policy statements:

    • Enter the policy statements in the Policy field.

    • Click Upload JSON file and browse to the .json policy file that contains the policy statements.

    • Click Visual Policy Editor to enter policy statements using a visual editor.

      In the Identity Policy Generator dialog that opens:

      1. Choose Allow or Deny to allow or prohibit an S3 action or actions.

      2. Select one or more S3 actions from the Actions dropdown.

      3. In the Resource name field, specify one or more bucket names or bucket prefixes for which the action(s) is to be allowed or prohibited. You can enter a single name or a comma-separated list of names. For resource name format and examples, see Supported Elements in the Identity Policy Syntax.

        Use an asterisk (*) as a wildcard, for example:

        • my-bucket/*

        • my-bucket/*/test/**

        • *

        Note

        For more examples, see the Resource element in Supported Elements in the Identity Policy Syntax and Identity Policy Examples.

      4. Click Add to JSON.

        The newly added statement is displayed in the grid where you can review it. If needed, you can delete a statement from the grid and add a new one.

      5. Repeat steps 1-4 to add as many statements as you need.

      6. When finished, click Preview to preview the identity policy.

      7. If you are satisfied with the policy content, click Add to policy to return to the Add Policy dialog. The statements you created in the visual editor are displayed in the Policy field.

        Otherwise, click Back to return to the visual editor and repeat steps 1-5 as necessary.

  5. In the Add Policy dialog, click Create.

    The policy is created and added to the set of available policies and displayed in the Identity Policies page. Proceed to Attaching/Removing Identity Policies to/from Users and Groups.

Adding an Identity Policy to VMS via VAST CLI

Note

The recommended way to add identity policies to VMS is via the VAST Web UI. Since policies are multi-line, you may find that your SSH terminal does not succeed in creating the policies.

To add an identity policy to VMS, run the identitypolicy create command.

To modify an identity policy that has been added, run the identitypolicy modify command.