Overview
Starting around October 2019, IAM roles were made transparent, so you can now see in detail which actions each predefined role grants.
This post shows how to check those role details from the CLI.
Checking service names
ibmcloud catalog service-marketplace
# Examples:
# cloud-object-storage
# logdna
# power-iaas
# etc.
Predefined role details for power-iaas
You can check the role details predefined for the power-iaas service with the following commands.
export SERVICE_NAME=power-iaas
ibmcloud iam roles --service $SERVICE_NAME --output JSON
A serviceRole is defined per service and covers operations inside that service.
For example, if you do not want a user to be able to modify power-iaas.cloud-instance resources (the modify action), simply do not assign serviceRole:Manager to that user.
- serviceRole:Manager - As a manager, you have permissions beyond the writer role to perform privileged actions defined by the service. In addition, you can create and edit service-specific resources.
- serviceRole:Reader - As a reader, you can perform read-only actions within the service, such as viewing service-specific resources.
Platform roles (role) are defined in common across services and cover operations on the service instance itself.
- role:Administrator - As an administrator, you can perform all platform actions based on the resource this role is assigned to, including assigning access policies to other users.
- role:Editor - As an editor, you can perform all platform actions except managing the account and assigning access policies.
- role:Operator - As an operator, you can perform the platform actions required to configure and operate service instances, such as viewing a service's dashboard.
- role:Viewer - As a viewer, you can view service instances, but you cannot modify them.
[
{
"id": "",
"crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
"name": "",
"display_name": "管理者",
"description": "管理者には、サービスで定義されている特権付きアクションを実行する、ライター役割を超える権限があります。 それに加え、サービス固有のリソースを作成および編集できます。",
"actions": [
{
"action_id": "power-iaas.dashboard.view",
"display_name": "View Dashboard",
"description": ""
},
{
"action_id": "power-iaas.cloud-instance.modify",
"display_name": "Power IaaS Cloud Instance Modify",
"description": ""
},
{
"action_id": "power-iaas.cloud-instance.read",
"display_name": "Power IaaS Cloud Instance Read",
"description": ""
},
{
"action_id": "global-search-tagging.resource.read",
"display_name": "Find cloud resources",
"description": "The ability to find the resource using Global Search and Tagging search API"
},
{
"action_id": "iam.policy.read",
"display_name": "IAM Policy Read",
"description": "The ability to see policies."
}
],
"account_id": "",
"service_name": ""
},
{
"id": "",
"crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
"name": "",
"display_name": "リーダー",
"description": "リーダーは、サービス固有のリソースの表示など、サービス内の読み取り専用アクションを実行できます。",
"actions": [
{
"action_id": "power-iaas.dashboard.view",
"display_name": "View Dashboard",
"description": ""
},
{
"action_id": "power-iaas.cloud-instance.read",
"display_name": "Power IaaS Cloud Instance Read",
"description": ""
},
{
"action_id": "global-search-tagging.resource.read",
"display_name": "Find cloud resources",
"description": "The ability to find the resource using Global Search and Tagging search API"
},
{
"action_id": "iam.policy.read",
"display_name": "IAM Policy Read",
"description": "The ability to see policies."
}
],
"account_id": "",
"service_name": ""
},
{
"id": "",
"crn": "crn:v1:bluemix:public:iam::::role:Viewer",
"name": "",
"display_name": "ビューアー",
"description": "ビューアーは、サービス・インスタンスを表示できますが、それらを変更することはできません。",
"actions": [
{
"action_id": "global-search-tagging.resource.read",
"display_name": "Find cloud resources",
"description": "The ability to find the resource using Global Search and Tagging search API"
},
{
"action_id": "iam.policy.read",
"display_name": "IAM Policy Read",
"description": "The ability to see policies."
},
{
"action_id": "iam.role.read",
"display_name": "IAM Role Read",
"description": "The ability to see roles."
},
{
"action_id": "resource-controller.broker.retrieve",
"display_name": "Resource Broker Retrieve",
"description": "The ability to see brokers."
},
{
"action_id": "resource-controller.instance.retrieve",
"display_name": "Resource Instance Retrieve",
"description": "The ability to see instances."
},
{
"action_id": "resource-controller.alias.retrieve",
"display_name": "Resource Alias Retrieve",
"description": "The ability to see aliases."
},
{
"action_id": "resource-controller.binding.retrieve",
"display_name": "Resource Binding Retrieve",
"description": "The ability to see bindings."
},
{
"action_id": "resource-controller.key.retrieve",
"display_name": "Resource Key Retrieve ",
"description": "The ability to see keys."
},
{
"action_id": "resource-controller.quota.retrieve",
"display_name": "Quota Definitions Retrieve",
"description": "The ability to see quota definitions."
},
{
"action_id": "resource-controller.group.retrieve",
"display_name": "Resource Group Retrieve",
"description": "The ability to see resource groups."
}
],
"account_id": "",
"service_name": ""
},
{
"id": "",
"crn": "crn:v1:bluemix:public:iam::::role:Administrator",
"name": "",
"display_name": "管理者",
"description": "管理者は、他のユーザーへのアクセス・ポリシーの割り当てを含め、この役割が割り当てられているリソースに基づいてすべてのプラットフォーム・アクションを実行できます。",
"actions": [
{
"action_id": "global-search-tagging.resource.read",
"display_name": "Find cloud resources",
"description": "The ability to find the resource using Global Search and Tagging search API"
},
{
"action_id": "global-search-tagging.tag.attach-user-tag",
"display_name": "Attach tag",
"description": "The ability to attach a tag to the resource"
},
{
"action_id": "global-search-tagging.tag.detach-user-tag",
"display_name": "Detach tag",
"description": "The ability to detach a tag from the resource"
},
{
"action_id": "iam.delegationPolicy.create",
"display_name": "IAM Delegation policy Create",
"description": "The ability to create a policy that can be delegated to another service."
},
{
"action_id": "iam.policy.read",
"display_name": "IAM Policy Read",
"description": "The ability to see policies."
},
{
"action_id": "iam.policy.create",
"display_name": "IAM Policy Create",
"description": "The ability to create policies."
},
{
"action_id": "iam.policy.update",
"display_name": "IAM Policy Update",
"description": "The ability to update or edit existing policies."
},
{
"action_id": "iam.policy.delete",
"display_name": "IAM Policy Delete",
"description": "The ability to delete existing policies."
},
{
"action_id": "iam.service.read",
"display_name": "IAM Service Read",
"description": "The ability to see services."
},
{
"action_id": "iam.role.read",
"display_name": "IAM Role Read",
"description": "The ability to see roles."
},
{
"action_id": "iam.role.assign",
"display_name": "IAM Role Assign",
"description": "The ability to assign roles to policies."
},
{
"action_id": "resource-controller.broker.create",
"display_name": "Resource Broker Create",
"description": "The ability to create brokers."
},
{
"action_id": "resource-controller.broker.update",
"display_name": "Resource Broker Update",
"description": "The ability to update or edit existing brokers."
},
{
"action_id": "resource-controller.broker.delete",
"display_name": "Resource Broker Delete",
"description": "The ability to delete existing brokers."
},
{
"action_id": "resource-controller.broker.retrieve",
"display_name": "Resource Broker Retrieve",
"description": "The ability to see brokers."
},
{
"action_id": "resource-controller.instance.create",
"display_name": "Resource Instance Create",
"description": "The ability to create instances."
},
{
"action_id": "resource-controller.instance.delete",
"display_name": "Resource Instance Delete",
"description": "The ability to delete existing instances."
},
{
"action_id": "resource-controller.instance.update_plan",
"display_name": "Resource Instance Update Plan",
"description": "The ability to update the plan or configuration of existing instances."
},
{
"action_id": "resource-controller.alias.create",
"display_name": "Resource Alias Create",
"description": "The ability to create aliases."
},
{
"action_id": "resource-controller.alias.delete",
"display_name": "Resource Alias Delete",
"description": "The ability to delete existing aliases."
},
{
"action_id": "resource-controller.binding.create",
"display_name": "Resource Binding Create ",
"description": "The ability to create bindings."
},
{
"action_id": "resource-controller.binding.delete",
"display_name": "Resource Binding Delete",
"description": "The ability to delete existing bindings."
},
{
"action_id": "resource-controller.key.create",
"display_name": "Resource Key Create",
"description": "The ability to create keys."
},
{
"action_id": "resource-controller.key.delete",
"display_name": "Resource Key Delete",
"description": "The ability to delete existing keys."
},
{
"action_id": "resource-controller.instance.update",
"display_name": "Resource Instance Update",
"description": "The ability to update or edit existing instances."
},
{
"action_id": "resource-controller.alias.update",
"display_name": "Resource Alias Update ",
"description": "The ability to update or edit existing aliases."
},
{
"action_id": "resource-controller.binding.update",
"display_name": "Resource Binding Update",
"description": "The ability to update or edit existing bindings."
},
{
"action_id": "resource-controller.key.update",
"display_name": "Resource Key Update",
"description": "The ability to update or edit existing keys."
},
{
"action_id": "resource-controller.instance.retrieve",
"display_name": "Resource Instance Retrieve",
"description": "The ability to see instances."
},
{
"action_id": "resource-controller.instance.retrieve_history",
"display_name": "Resource Instance Retrieve History",
"description": "The ability to see the history for instances."
},
{
"action_id": "resource-controller.alias.retrieve",
"display_name": "Resource Alias Retrieve",
"description": "The ability to see aliases."
},
{
"action_id": "resource-controller.binding.retrieve",
"display_name": "Resource Binding Retrieve",
"description": "The ability to see bindings."
},
{
"action_id": "resource-controller.key.retrieve",
"display_name": "Resource Key Retrieve ",
"description": "The ability to see keys."
},
{
"action_id": "resource-controller.quota.retrieve",
"display_name": "Quota Definitions Retrieve",
"description": "The ability to see quota definitions."
},
{
"action_id": "resource-controller.group.create",
"display_name": "Resource Group Create",
"description": "The ability to create resource groups."
},
{
"action_id": "resource-controller.group.retrieve",
"display_name": "Resource Group Retrieve",
"description": "The ability to see resource groups."
},
{
"action_id": "resource-controller.group.update",
"display_name": "Resource Group Update",
"description": "The ability to update or edit existing resource groups."
},
{
"action_id": "resource-controller.group.delete",
"display_name": "Resource Group Delete",
"description": "The ability to delete existing resource groups."
}
],
"account_id": "",
"service_name": ""
},
{
"id": "",
"crn": "crn:v1:bluemix:public:iam::::role:Operator",
"name": "",
"display_name": "オペレーター",
"description": "オペレーターは、サービスのダッシュボードの表示など、サービス・インスタンスを構成および操作するために必要なプラットフォーム・アクションを実行できます。",
"actions": [
{
"action_id": "global-search-tagging.resource.read",
"display_name": "Find cloud resources",
"description": "The ability to find the resource using Global Search and Tagging search API"
},
{
"action_id": "iam.policy.read",
"display_name": "IAM Policy Read",
"description": "The ability to see policies."
},
{
"action_id": "resource-controller.broker.update",
"display_name": "Resource Broker Update",
"description": "The ability to update or edit existing brokers."
},
{
"action_id": "resource-controller.broker.retrieve",
"display_name": "Resource Broker Retrieve",
"description": "The ability to see brokers."
},
{
"action_id": "resource-controller.alias.create",
"display_name": "Resource Alias Create",
"description": "The ability to create aliases."
},
{
"action_id": "resource-controller.alias.delete",
"display_name": "Resource Alias Delete",
"description": "The ability to delete existing aliases."
},
{
"action_id": "resource-controller.binding.create",
"display_name": "Resource Binding Create ",
"description": "The ability to create bindings."
},
{
"action_id": "resource-controller.binding.delete",
"display_name": "Resource Binding Delete",
"description": "The ability to delete existing bindings."
},
{
"action_id": "resource-controller.key.create",
"display_name": "Resource Key Create",
"description": "The ability to create keys."
},
{
"action_id": "resource-controller.key.delete",
"display_name": "Resource Key Delete",
"description": "The ability to delete existing keys."
},
{
"action_id": "resource-controller.instance.update",
"display_name": "Resource Instance Update",
"description": "The ability to update or edit existing instances."
},
{
"action_id": "resource-controller.alias.update",
"display_name": "Resource Alias Update ",
"description": "The ability to update or edit existing aliases."
},
{
"action_id": "resource-controller.binding.update",
"display_name": "Resource Binding Update",
"description": "The ability to update or edit existing bindings."
},
{
"action_id": "resource-controller.key.update",
"display_name": "Resource Key Update",
"description": "The ability to update or edit existing keys."
},
{
"action_id": "resource-controller.instance.retrieve",
"display_name": "Resource Instance Retrieve",
"description": "The ability to see instances."
},
{
"action_id": "resource-controller.alias.retrieve",
"display_name": "Resource Alias Retrieve",
"description": "The ability to see aliases."
},
{
"action_id": "resource-controller.binding.retrieve",
"display_name": "Resource Binding Retrieve",
"description": "The ability to see bindings."
},
{
"action_id": "resource-controller.key.retrieve",
"display_name": "Resource Key Retrieve ",
"description": "The ability to see keys."
},
{
"action_id": "resource-controller.quota.retrieve",
"display_name": "Quota Definitions Retrieve",
"description": "The ability to see quota definitions."
},
{
"action_id": "resource-controller.group.retrieve",
"display_name": "Resource Group Retrieve",
"description": "The ability to see resource groups."
},
{
"action_id": "resource-controller.group.update",
"display_name": "Resource Group Update",
"description": "The ability to update or edit existing resource groups."
}
],
"account_id": "",
"service_name": ""
},
{
"id": "",
"crn": "crn:v1:bluemix:public:iam::::role:Editor",
"name": "",
"display_name": "エディター",
"description": "エディターは、アカウントの管理とアクセス・ポリシーの割り当てを除き、すべてのプラットフォーム・アクションを実行できます。",
"actions": [
{
"action_id": "global-search-tagging.resource.read",
"display_name": "Find cloud resources",
"description": "The ability to find the resource using Global Search and Tagging search API"
},
{
"action_id": "global-search-tagging.tag.attach-user-tag",
"display_name": "Attach tag",
"description": "The ability to attach a tag to the resource"
},
{
"action_id": "global-search-tagging.tag.detach-user-tag",
"display_name": "Detach tag",
"description": "The ability to detach a tag from the resource"
},
{
"action_id": "iam.policy.read",
"display_name": "IAM Policy Read",
"description": "The ability to see policies."
},
{
"action_id": "resource-controller.broker.create",
"display_name": "Resource Broker Create",
"description": "The ability to create brokers."
},
{
"action_id": "resource-controller.broker.update",
"display_name": "Resource Broker Update",
"description": "The ability to update or edit existing brokers."
},
{
"action_id": "resource-controller.broker.delete",
"display_name": "Resource Broker Delete",
"description": "The ability to delete existing brokers."
},
{
"action_id": "resource-controller.broker.retrieve",
"display_name": "Resource Broker Retrieve",
"description": "The ability to see brokers."
},
{
"action_id": "resource-controller.instance.create",
"display_name": "Resource Instance Create",
"description": "The ability to create instances."
},
{
"action_id": "resource-controller.instance.delete",
"display_name": "Resource Instance Delete",
"description": "The ability to delete existing instances."
},
{
"action_id": "resource-controller.instance.update_plan",
"display_name": "Resource Instance Update Plan",
"description": "The ability to update the plan or configuration of existing instances."
},
{
"action_id": "resource-controller.alias.create",
"display_name": "Resource Alias Create",
"description": "The ability to create aliases."
},
{
"action_id": "resource-controller.alias.delete",
"display_name": "Resource Alias Delete",
"description": "The ability to delete existing aliases."
},
{
"action_id": "resource-controller.binding.create",
"display_name": "Resource Binding Create ",
"description": "The ability to create bindings."
},
{
"action_id": "resource-controller.binding.delete",
"display_name": "Resource Binding Delete",
"description": "The ability to delete existing bindings."
},
{
"action_id": "resource-controller.key.create",
"display_name": "Resource Key Create",
"description": "The ability to create keys."
},
{
"action_id": "resource-controller.key.delete",
"display_name": "Resource Key Delete",
"description": "The ability to delete existing keys."
},
{
"action_id": "resource-controller.instance.update",
"display_name": "Resource Instance Update",
"description": "The ability to update or edit existing instances."
},
{
"action_id": "resource-controller.alias.update",
"display_name": "Resource Alias Update ",
"description": "The ability to update or edit existing aliases."
},
{
"action_id": "resource-controller.binding.update",
"display_name": "Resource Binding Update",
"description": "The ability to update or edit existing bindings."
},
{
"action_id": "resource-controller.key.update",
"display_name": "Resource Key Update",
"description": "The ability to update or edit existing keys."
},
{
"action_id": "resource-controller.instance.retrieve",
"display_name": "Resource Instance Retrieve",
"description": "The ability to see instances."
},
{
"action_id": "resource-controller.alias.retrieve",
"display_name": "Resource Alias Retrieve",
"description": "The ability to see aliases."
},
{
"action_id": "resource-controller.binding.retrieve",
"display_name": "Resource Binding Retrieve",
"description": "The ability to see bindings."
},
{
"action_id": "resource-controller.key.retrieve",
"display_name": "Resource Key Retrieve ",
"description": "The ability to see keys."
},
{
"action_id": "resource-controller.quota.retrieve",
"display_name": "Quota Definitions Retrieve",
"description": "The ability to see quota definitions."
},
{
"action_id": "resource-controller.group.create",
"display_name": "Resource Group Create",
"description": "The ability to create resource groups."
},
{
"action_id": "resource-controller.group.retrieve",
"display_name": "Resource Group Retrieve",
"description": "The ability to see resource groups."
},
{
"action_id": "resource-controller.group.update",
"display_name": "Resource Group Update",
"description": "The ability to update or edit existing resource groups."
}
],
"account_id": "",
"service_name": ""
}
]
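As an added example that is not part of the original post: a small Python script that inverts the listing above, so instead of reading a role to find its actions you ask which roles grant a given action (for example power-iaas.cloud-instance.modify), which is the check behind the advice not to assign serviceRole:Manager. It accepts either the raw array from `ibmcloud iam roles --service <name> --output JSON` or the stream of bare objects that the jq filter in the next section emits; the embedded sample is a constructed, cut-down copy of the power-iaas listing, and the script name role_check.py is an assumption.

```python
import json
import sys

# Constructed sample in the shape of `ibmcloud iam roles --service power-iaas --output JSON`
# (the listing in this post, cut down to a handful of actions per role so it stays short).
SAMPLE_ROLES_JSON = r'''
[
  {"crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager", "display_name": "Manager",
   "actions": [{"action_id": "power-iaas.dashboard.view"},
               {"action_id": "power-iaas.cloud-instance.modify"},
               {"action_id": "power-iaas.cloud-instance.read"},
               {"action_id": "iam.policy.read"}]},
  {"crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader", "display_name": "Reader",
   "actions": [{"action_id": "power-iaas.dashboard.view"},
               {"action_id": "power-iaas.cloud-instance.read"},
               {"action_id": "iam.policy.read"}]},
  {"crn": "crn:v1:bluemix:public:iam::::role:Viewer", "display_name": "Viewer",
   "actions": [{"action_id": "iam.policy.read"},
               {"action_id": "resource-controller.instance.retrieve"}]},
  {"crn": "crn:v1:bluemix:public:iam::::role:Administrator", "display_name": "Administrator",
   "actions": [{"action_id": "iam.policy.read"},
               {"action_id": "iam.policy.create"},
               {"action_id": "iam.role.assign"},
               {"action_id": "resource-controller.instance.retrieve"},
               {"action_id": "resource-controller.instance.delete"}]}
]
'''


def role_name(crn):
    """'crn:v1:bluemix:public:iam::::serviceRole:Manager' -> 'serviceRole:Manager'."""
    return ":".join(crn.split(":")[-2:])


def load_roles(text):
    """Parse the CLI output into {role name: set of action_id}.

    Accepts either the raw JSON array or a stream of bare objects, which is what
    the post's `jq -r '.[] | select(...)'` pipeline emits.
    """
    decoder = json.JSONDecoder()
    text = text.strip()
    if text.startswith("["):
        records = json.loads(text)
    else:
        records, pos = [], 0
        while pos < len(text):
            obj, end = decoder.raw_decode(text, pos)
            records.append(obj)
            pos = end
            while pos < len(text) and text[pos].isspace():
                pos += 1
    return {role_name(r["crn"]): {a["action_id"] for a in r["actions"]} for r in records}


def roles_granting(roles, action):
    """Every role whose action list contains `action` (the inverse of the CLI listing)."""
    return sorted(name for name, actions in roles.items() if action in actions)


def least_privileged(roles, required, family):
    """Smallest role of one family ('serviceRole' or 'role') that covers all of `required`.

    Platform and service roles are assigned independently, so the search is per family.
    Returns None when no role in that family grants every required action.
    """
    required = set(required)
    candidates = [(len(actions), name) for name, actions in roles.items()
                  if name.split(":")[0] == family and required <= actions]
    return min(candidates)[1] if candidates else None


def extra_actions(roles, name, required):
    """Actions `name` grants beyond `required`: the blast radius of assigning it."""
    return roles[name] - set(required)


def report(roles, action):
    """Human-readable answer to 'which roles would let a user do <action>?'."""
    granting = roles_granting(roles, action)
    lines = ["%s is granted by: %s" % (action, ", ".join(granting) or "no role")]
    for family in ("serviceRole", "role"):
        pick = least_privileged(roles, {action}, family)
        if pick:
            extra = sorted(extra_actions(roles, pick, {action}))
            lines.append("  least-privileged %s: %s (also grants %d other actions: %s)"
                         % (family, pick, len(extra), ", ".join(extra)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage (script name assumed):
    #   ibmcloud iam roles --service power-iaas --output JSON | python3 role_check.py power-iaas.cloud-instance.modify
    # With nothing piped on stdin, the constructed sample above is used instead.
    action = sys.argv[1] if len(sys.argv) > 1 else "power-iaas.cloud-instance.modify"
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROLES_JSON
    print(report(load_roles(source), action))
```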
Predefined role details for cloud-object-storage
You can check the role details predefined for the cloud-object-storage service with the following commands.
export SERVICE_NAME=cloud-object-storage
ibmcloud iam roles --service $SERVICE_NAME --output JSON | jq -r '.[] | select(.crn | contains("serviceRole"))'
cloud-object-storage defines the following serviceRoles.
- serviceRole:Manager - As a manager, you have permissions beyond the writer role to perform privileged actions defined by the service. In addition, you can create and edit service-specific resources.
- serviceRole:Writer - As a writer, you have permissions beyond the reader role, including creating and editing service-specific resources.
- serviceRole:Reader - As a reader, you can perform read-only actions within the service, such as viewing service-specific resources.
- serviceRole:ObjectWriter - As an Object Writer, one can only write objects to a bucket.
- serviceRole:ObjectReader - As an Object Reader, one can read objects in the bucket.
- serviceRole:ContentReader - As a Content Reader, one can read and list objects in the bucket.
{
"id": "",
"crn": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
"name": "",
"display_name": "Writer",
"description": "As a Writer, one can create/modify/delete buckets. In addition, one can upload and download the objects in the bucket.",
"actions": [
{
"action_id": "cloud-object-storage.account.get_account_buckets",
"display_name": "account.get_account_buckets",
"description": "List all buckets in a service instance."
},
{
"action_id": "cloud-object-storage.bucket.put_bucket",
"display_name": "bucket.put_bucket",
"description": "Create a bucket."
},
{
"action_id": "cloud-object-storage.bucket.post_bucket",
"display_name": "bucket.post_bucket",
"description": "Internal use only - unsupported for users."
},
{
"action_id": "cloud-object-storage.bucket.delete_bucket",
"display_name": "bucket.delete_bucket",
"description": "Delete a bucket."
},
{
"action_id": "cloud-object-storage.bucket.get",
"display_name": "bucket.get",
"description": "List all the objects in a bucket."
},
{
"action_id": "cloud-object-storage.bucket.list_crk_id",
"display_name": "bucket.list_crk_id",
"description": "List the IDs of encryption root keys associated with a bucket."
},
{
"action_id": "cloud-object-storage.bucket.head",
"display_name": "bucket.head",
"description": "View bucket metadata."
},
{
"action_id": "cloud-object-storage.bucket.get_versions",
"display_name": "bucket.get_versions",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.bucket.get_uploads",
"display_name": "bucket.get_uploads",
"description": "List all active multipart uploads for a bucket."
},
{
"action_id": "cloud-object-storage.bucket.put_quota",
"display_name": "bucket.put_quota",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.bucket.get_cors",
"display_name": "bucket.get_cors",
"description": "Read CORS rules."
},
{
"action_id": "cloud-object-storage.bucket.put_cors",
"display_name": "bucket.put_cors",
"description": "Add CORS rules to a bucket."
},
{
"action_id": "cloud-object-storage.bucket.delete_cors",
"display_name": "bucket.delete_cors",
"description": "Delete CORS rules."
},
{
"action_id": "cloud-object-storage.bucket.get_website",
"display_name": "bucket.get_website",
"description": "Read bucket website configuration."
},
{
"action_id": "cloud-object-storage.bucket.put_website",
"display_name": "bucket.put_website",
"description": "Add bucket website configuration."
},
{
"action_id": "cloud-object-storage.bucket.delete_website",
"display_name": "bucket.delete_website",
"description": "Delete bucket website configuration."
},
{
"action_id": "cloud-object-storage.bucket.get_versioning",
"display_name": "bucket.get_versioning",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.bucket.put_versioning",
"display_name": "bucket.put_versioning",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.bucket.get_fasp_connection_info",
"display_name": "bucket.get_fasp_connection_info",
"description": "View Aspera FASP connection information."
},
{
"action_id": "cloud-object-storage.account.delete_fasp_connection_info",
"display_name": "account.delete_fasp_connection_info",
"description": "Delete Aspera FASP connection information."
},
{
"action_id": "cloud-object-storage.bucket.get_location",
"display_name": "bucket.get_location",
"description": "View the location and storage class of a bucket."
},
{
"action_id": "cloud-object-storage.bucket.get_lifecycle",
"display_name": "bucket.get_lifecycle",
"description": "Read a bucket lifecycle policy."
},
{
"action_id": "cloud-object-storage.bucket.put_lifecycle",
"display_name": "bucket.put_lifecycle",
"description": "Create a bucket lifecycle policy."
},
{
"action_id": "cloud-object-storage.bucket.get_activity_tracking",
"display_name": "bucket.get_activity_tracking",
"description": "Read activity tracking configuration."
},
{
"action_id": "cloud-object-storage.bucket.put_activity_tracking",
"display_name": "bucket.put_activity_tracking",
"description": "Add activity tracking configuration."
},
{
"action_id": "cloud-object-storage.bucket.get_metrics_monitoring",
"display_name": "bucket.get_metrics_monitoring",
"description": "Read metrics monitoring configuration."
},
{
"action_id": "cloud-object-storage.bucket.put_metrics_monitoring",
"display_name": "bucket.put_metrics_monitoring",
"description": "Add metrics monitoring configuration."
},
{
"action_id": "cloud-object-storage.bucket.get_protection",
"display_name": "bucket.get_protection",
"description": "Read Immutable Object Storage policy."
},
{
"action_id": "cloud-object-storage.bucket.get_basic",
"display_name": "bucket.get_basic",
"description": "List objects in a bucket [deprecated]."
},
{
"action_id": "cloud-object-storage.bucket.list_bucket_crn",
"display_name": "bucket.list_bucket_crn",
"description": "View a bucket CRN."
},
{
"action_id": "cloud-object-storage.object.get",
"display_name": "object.get",
"description": "View and download objects."
},
{
"action_id": "cloud-object-storage.object.head",
"display_name": "object.head",
"description": "Read an object's metadata."
},
{
"action_id": "cloud-object-storage.object.get_version",
"display_name": "object.get_version",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.object.head_version",
"display_name": "object.head_version",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.object.put",
"display_name": "object.put",
"description": "Write and upload objects."
},
{
"action_id": "cloud-object-storage.object.post",
"display_name": "object.post",
"description": "Upload an object using HTML forms [deprecated]."
},
{
"action_id": "cloud-object-storage.object.post_md",
"display_name": "object.post_md",
"description": "Update object metadata using HTML forms [deprecated]."
},
{
"action_id": "cloud-object-storage.object.post_initiate_upload",
"display_name": "object.post_initiate_upload",
"description": "Initiate multipart uploads."
},
{
"action_id": "cloud-object-storage.object.put_part",
"display_name": "object.put_part",
"description": "Upload an object part."
},
{
"action_id": "cloud-object-storage.object.copy_part",
"display_name": "object.copy_part",
"description": "Copy (write) an object part."
},
{
"action_id": "cloud-object-storage.object.copy_part_get",
"display_name": "object.copy_part_get",
"description": "Copy (read) an object part."
},
{
"action_id": "cloud-object-storage.object.post_complete_upload",
"display_name": "object.post_complete_upload",
"description": "Complete a multipart upload."
},
{
"action_id": "cloud-object-storage.object.copy",
"display_name": "object.copy",
"description": "Copy (write) an object from one bucket to another."
},
{
"action_id": "cloud-object-storage.object.copy_get",
"display_name": "object.copy_get",
"description": "Copy (read) an object from one bucket to another."
},
{
"action_id": "cloud-object-storage.object.delete",
"display_name": "object.delete",
"description": "Delete an object."
},
{
"action_id": "cloud-object-storage.object.delete_version",
"display_name": "object.delete_version",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.object.get_uploads",
"display_name": "object.get_uploads",
"description": "List parts of a multi-part object upload."
},
{
"action_id": "cloud-object-storage.object.delete_upload",
"display_name": "object.delete_upload",
"description": "Abort a multipart upload."
},
{
"action_id": "cloud-object-storage.object.restore",
"display_name": "object.restore",
"description": "Temporarily restore an archived object."
},
{
"action_id": "cloud-object-storage.object.post_multi_delete",
"display_name": "object.post_multi_delete",
"description": "Delete multiple objects."
},
{
"action_id": "cloud-object-storage.object.post_legal_hold",
"display_name": "object.post_legal_hold",
"description": "Add a legal hold to an object."
},
{
"action_id": "cloud-object-storage.object.get_legal_hold",
"display_name": "object.get_legal_hold",
"description": "View any legal holds on an object."
},
{
"action_id": "cloud-object-storage.object.post_extend_retention",
"display_name": "object.post_extend_retention",
"description": "Extend a retention policy."
},
{
"action_id": "global-search-tagging.resource.read",
"display_name": "Find cloud resources",
"description": "The ability to find the resource using Global Search and Tagging search API"
},
{
"action_id": "iam.policy.read",
"display_name": "IAM Policy Read",
"description": "The ability to see policies."
}
],
"account_id": "",
"service_name": ""
}
{
"id": "",
"crn": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
"name": "",
"display_name": "Reader",
"description": "As a Reader, one can view bucket configuration and download the objects in the bucket.",
"actions": [
{
"action_id": "cloud-object-storage.account.get_account_buckets",
"display_name": "account.get_account_buckets",
"description": "List all buckets in a service instance."
},
{
"action_id": "cloud-object-storage.bucket.get",
"display_name": "bucket.get",
"description": "List all the objects in a bucket."
},
{
"action_id": "cloud-object-storage.bucket.head",
"display_name": "bucket.head",
"description": "View bucket metadata."
},
{
"action_id": "cloud-object-storage.bucket.get_versions",
"display_name": "bucket.get_versions",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.bucket.get_uploads",
"display_name": "bucket.get_uploads",
"description": "List all active multipart uploads for a bucket."
},
{
"action_id": "cloud-object-storage.bucket.get_cors",
"display_name": "bucket.get_cors",
"description": "Read CORS rules."
},
{
"action_id": "cloud-object-storage.bucket.get_website",
"display_name": "bucket.get_website",
"description": "Read bucket website configuration."
},
{
"action_id": "cloud-object-storage.bucket.get_versioning",
"display_name": "bucket.get_versioning",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.bucket.get_fasp_connection_info",
"display_name": "bucket.get_fasp_connection_info",
"description": "View Aspera FASP connection information."
},
{
"action_id": "cloud-object-storage.bucket.get_location",
"display_name": "bucket.get_location",
"description": "View the location and storage class of a bucket."
},
{
"action_id": "cloud-object-storage.bucket.get_lifecycle",
"display_name": "bucket.get_lifecycle",
"description": "Read a bucket lifecycle policy."
},
{
"action_id": "cloud-object-storage.bucket.get_activity_tracking",
"display_name": "bucket.get_activity_tracking",
"description": "Read activity tracking configuration."
},
{
"action_id": "cloud-object-storage.bucket.get_metrics_monitoring",
"display_name": "bucket.get_metrics_monitoring",
"description": "Read metrics monitoring configuration."
},
{
"action_id": "cloud-object-storage.bucket.get_protection",
"display_name": "bucket.get_protection",
"description": "Read Immutable Object Storage policy."
},
{
"action_id": "cloud-object-storage.bucket.get_basic",
"display_name": "bucket.get_basic",
"description": "List objects in a bucket [deprecated]."
},
{
"action_id": "cloud-object-storage.bucket.list_bucket_crn",
"display_name": "bucket.list_bucket_crn",
"description": "View a bucket CRN."
},
{
"action_id": "cloud-object-storage.object.get",
"display_name": "object.get",
"description": "View and download objects."
},
{
"action_id": "cloud-object-storage.object.head",
"display_name": "object.head",
"description": "Read an object's metadata."
},
{
"action_id": "cloud-object-storage.object.get_version",
"display_name": "object.get_version",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.object.head_version",
"display_name": "object.head_version",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.object.copy_part_get",
"display_name": "object.copy_part_get",
"description": "Copy (read) an object part."
},
{
"action_id": "cloud-object-storage.object.copy_get",
"display_name": "object.copy_get",
"description": "Copy (read) an object from one bucket to another."
},
{
"action_id": "cloud-object-storage.object.get_uploads",
"display_name": "object.get_uploads",
"description": "List parts of a multi-part object upload."
},
{
"action_id": "cloud-object-storage.object.get_legal_hold",
"display_name": "object.get_legal_hold",
"description": "View any legal holds on an object."
},
{
"action_id": "global-search-tagging.resource.read",
"display_name": "Find cloud resources",
"description": "The ability to find the resource using Global Search and Tagging search API"
},
{
"action_id": "iam.policy.read",
"display_name": "IAM Policy Read",
"description": "The ability to see policies."
}
],
"account_id": "",
"service_name": ""
},
{
"id": "",
"crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
"name": "",
"display_name": "Manager",
"description": "As a Manager, one can create/modify/delete buckets including managing retention policy, configuring IP addresses. In addition, one can upload and download the objects in the bucket.",
"actions": [
{
"action_id": "cloud-object-storage.account.get_account_buckets",
"display_name": "account.get_account_buckets",
"description": "List all buckets in a service instance."
},
{
"action_id": "cloud-object-storage.bucket.put_bucket",
"display_name": "bucket.put_bucket",
"description": "Create a bucket."
},
{
"action_id": "cloud-object-storage.bucket.post_bucket",
"display_name": "bucket.post_bucket",
"description": "Internal use only - unsupported for users."
},
{
"action_id": "cloud-object-storage.bucket.delete_bucket",
"display_name": "bucket.delete_bucket",
"description": "Delete a bucket."
},
{
"action_id": "cloud-object-storage.bucket.get",
"display_name": "bucket.get",
"description": "List all the objects in a bucket."
},
{
"action_id": "cloud-object-storage.bucket.list_crk_id",
"display_name": "bucket.list_crk_id",
"description": "List the IDs of encryption root keys associated with a bucket."
},
{
"action_id": "cloud-object-storage.bucket.head",
"display_name": "bucket.head",
"description": "View bucket metadata."
},
{
"action_id": "cloud-object-storage.bucket.get_versions",
"display_name": "bucket.get_versions",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.bucket.get_uploads",
"display_name": "bucket.get_uploads",
"description": "List all active multipart uploads for a bucket."
},
{
"action_id": "cloud-object-storage.bucket.put_quota",
"display_name": "bucket.put_quota",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.bucket.get_acl",
"display_name": "bucket.get_acl",
"description": "Read a bucket ACL [deprecated]."
},
{
"action_id": "cloud-object-storage.bucket.put_acl",
"display_name": "bucket.put_acl",
"description": "Create a bucket ACL [deprecated]."
},
{
"action_id": "cloud-object-storage.bucket.get_cors",
"display_name": "bucket.get_cors",
"description": "Read CORS rules."
},
{
"action_id": "cloud-object-storage.bucket.put_cors",
"display_name": "bucket.put_cors",
"description": "Add CORS rules to a bucket."
},
{
"action_id": "cloud-object-storage.bucket.delete_cors",
"display_name": "bucket.delete_cors",
"description": "Delete CORS rules."
},
{
"action_id": "cloud-object-storage.bucket.get_website",
"display_name": "bucket.get_website",
"description": "Read bucket website configuration."
},
{
"action_id": "cloud-object-storage.bucket.put_website",
"display_name": "bucket.put_website",
"description": "Add bucket website configuration."
},
{
"action_id": "cloud-object-storage.bucket.delete_website",
"display_name": "bucket.delete_website",
"description": "Delete bucket website configuration."
},
{
"action_id": "cloud-object-storage.bucket.get_versioning",
"display_name": "bucket.get_versioning",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.bucket.put_versioning",
"display_name": "bucket.put_versioning",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.bucket.get_fasp_connection_info",
"display_name": "bucket.get_fasp_connection_info",
"description": "View Aspera FASP connection information."
},
{
"action_id": "cloud-object-storage.account.delete_fasp_connection_info",
"display_name": "account.delete_fasp_connection_info",
"description": "Delete Aspera FASP connection information."
},
{
"action_id": "cloud-object-storage.bucket.get_location",
"display_name": "bucket.get_location",
"description": "View the location and storage class of a bucket."
},
{
"action_id": "cloud-object-storage.bucket.get_lifecycle",
"display_name": "bucket.get_lifecycle",
"description": "Read a bucket lifecycle policy."
},
{
"action_id": "cloud-object-storage.bucket.put_lifecycle",
"display_name": "bucket.put_lifecycle",
"description": "Create a bucket lifecycle policy."
},
{
"action_id": "cloud-object-storage.bucket.get_activity_tracking",
"display_name": "bucket.get_activity_tracking",
"description": "Read activity tracking configuration."
},
{
"action_id": "cloud-object-storage.bucket.put_activity_tracking",
"display_name": "bucket.put_activity_tracking",
"description": "Add activity tracking configuration."
},
{
"action_id": "cloud-object-storage.bucket.get_metrics_monitoring",
"display_name": "bucket.get_metrics_monitoring",
"description": "Read metrics monitoring configuration."
},
{
"action_id": "cloud-object-storage.bucket.put_metrics_monitoring",
"display_name": "bucket.put_metrics_monitoring",
"description": "Add metrics monitoring configuration."
},
{
"action_id": "cloud-object-storage.bucket.put_protection",
"display_name": "bucket.put_protection",
"description": "Add Immutable Object Storage policy."
},
{
"action_id": "cloud-object-storage.bucket.get_protection",
"display_name": "bucket.get_protection",
"description": "Read Immutable Object Storage policy."
},
{
"action_id": "cloud-object-storage.bucket.put_firewall",
"display_name": "bucket.put_firewall",
"description": "Add a firewall configuration."
},
{
"action_id": "cloud-object-storage.bucket.get_firewall",
"display_name": "bucket.get_firewall",
"description": "Read a firewall configuration."
},
{
"action_id": "cloud-object-storage.bucket.get_basic",
"display_name": "bucket.get_basic",
"description": "List objects in a bucket [deprecated]."
},
{
"action_id": "cloud-object-storage.bucket.list_bucket_crn",
"display_name": "bucket.list_bucket_crn",
"description": "View a bucket CRN."
},
{
"action_id": "cloud-object-storage.object.get",
"display_name": "object.get",
"description": "View and download objects."
},
{
"action_id": "cloud-object-storage.object.head",
"display_name": "object.head",
"description": "Read an object's metadata."
},
{
"action_id": "cloud-object-storage.object.get_version",
"display_name": "object.get_version",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.object.head_version",
"display_name": "object.head_version",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.object.put",
"display_name": "object.put",
"description": "Write and upload objects."
},
{
"action_id": "cloud-object-storage.object.post",
"display_name": "object.post",
"description": "Upload an object using HTML forms [deprecated]."
},
{
"action_id": "cloud-object-storage.object.post_md",
"display_name": "object.post_md",
"description": "Update object metadata using HTML forms [deprecated]."
},
{
"action_id": "cloud-object-storage.object.post_initiate_upload",
"display_name": "object.post_initiate_upload",
"description": "Initiate multipart uploads."
},
{
"action_id": "cloud-object-storage.object.put_part",
"display_name": "object.put_part",
"description": "Upload an object part."
},
{
"action_id": "cloud-object-storage.object.copy_part",
"display_name": "object.copy_part",
"description": "Copy (write) an object part."
},
{
"action_id": "cloud-object-storage.object.copy_part_get",
"display_name": "object.copy_part_get",
"description": "Copy (read) an object part."
},
{
"action_id": "cloud-object-storage.object.post_complete_upload",
"display_name": "object.post_complete_upload",
"description": "Complete a multipart upload."
},
{
"action_id": "cloud-object-storage.object.copy",
"display_name": "object.copy",
"description": "Copy (write) an object from one bucket to another."
},
{
"action_id": "cloud-object-storage.object.copy_get",
"display_name": "object.copy_get",
"description": "Copy (read) an object from one bucket to another."
},
{
"action_id": "cloud-object-storage.object.get_acl",
"display_name": "object.get_acl",
"description": "Read object ACL [deprecated]."
},
{
"action_id": "cloud-object-storage.object.get_acl_version",
"display_name": "object.get_acl_version",
"description": "Read object ACL Version [deprecated]"
},
{
"action_id": "cloud-object-storage.object.put_acl",
"display_name": "object.put_acl",
"description": "Write object ACL [deprecated]."
},
{
"action_id": "cloud-object-storage.object.put_acl_version",
"display_name": "object.put_acl_version",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.object.delete",
"display_name": "object.delete",
"description": "Delete an object."
},
{
"action_id": "cloud-object-storage.object.delete_version",
"display_name": "object.delete_version",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.object.get_uploads",
"display_name": "object.get_uploads",
"description": "List parts of a multi-part object upload."
},
{
"action_id": "cloud-object-storage.object.delete_upload",
"display_name": "object.delete_upload",
"description": "Abort a multipart upload."
},
{
"action_id": "cloud-object-storage.object.restore",
"display_name": "object.restore",
"description": "Temporarily restore an archived object."
},
{
"action_id": "cloud-object-storage.object.post_multi_delete",
"display_name": "object.post_multi_delete",
"description": "Delete multiple objects."
},
{
"action_id": "cloud-object-storage.object.post_legal_hold",
"display_name": "object.post_legal_hold",
"description": "Add a legal hold to an object."
},
{
"action_id": "cloud-object-storage.object.get_legal_hold",
"display_name": "object.get_legal_hold",
"description": "View any legal holds on an object."
},
{
"action_id": "cloud-object-storage.object.post_extend_retention",
"display_name": "object.post_extend_retention",
"description": "Extend a retention policy."
},
{
"action_id": "global-search-tagging.resource.read",
"display_name": "Find cloud resources",
"description": "The ability to find the resource using Global Search and Tagging search API"
},
{
"action_id": "iam.policy.read",
"display_name": "IAM Policy Read",
"description": "The ability to see policies."
}
],
"account_id": "",
"service_name": ""
},
{
"id": "",
"crn": "crn:v1:bluemix:public:cloud-object-storage::::serviceRole:ContentReader",
"name": "",
"display_name": "Content Reader",
"description": "As a Content Reader, one can read and list objects in the bucket.",
"actions": [
{
"action_id": "cloud-object-storage.bucket.get",
"display_name": "bucket.get",
"description": "List all the objects in a bucket."
},
{
"action_id": "cloud-object-storage.bucket.head",
"display_name": "bucket.head",
"description": "View bucket metadata."
},
{
"action_id": "cloud-object-storage.bucket.get_versions",
"display_name": "bucket.get_versions",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.bucket.get_location",
"display_name": "bucket.get_location",
"description": "View the location and storage class of a bucket."
},
{
"action_id": "cloud-object-storage.object.get",
"display_name": "object.get",
"description": "View and download objects."
},
{
"action_id": "cloud-object-storage.object.head",
"display_name": "object.head",
"description": "Read an object's metadata."
},
{
"action_id": "cloud-object-storage.object.get_version",
"display_name": "object.get_version",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.object.head_version",
"display_name": "object.head_version",
"description": "Unsupported operation - used for S3 API compatibility only."
}
],
"account_id": "",
"service_name": ""
},
{
"id": "",
"crn": "crn:v1:bluemix:public:cloud-object-storage::::serviceRole:ObjectReader",
"name": "",
"display_name": "Object Reader",
"description": "As an Object Reader, one can read objects in the bucket.",
"actions": [
{
"action_id": "cloud-object-storage.object.get",
"display_name": "object.get",
"description": "View and download objects."
},
{
"action_id": "cloud-object-storage.object.head",
"display_name": "object.head",
"description": "Read an object's metadata."
},
{
"action_id": "cloud-object-storage.object.get_version",
"display_name": "object.get_version",
"description": "Unsupported operation - used for S3 API compatibility only."
},
{
"action_id": "cloud-object-storage.object.head_version",
"display_name": "object.head_version",
"description": "Unsupported operation - used for S3 API compatibility only."
}
],
"account_id": "",
"service_name": ""
},
{
"id": "",
"crn": "crn:v1:bluemix:public:cloud-object-storage::::serviceRole:ObjectWriter",
"name": "",
"display_name": "Object Writer",
"description": "As an Object Writer, one can only write objects to a bucket.",
"actions": [
{
"action_id": "cloud-object-storage.object.put",
"display_name": "object.put",
"description": "Write and upload objects."
},
{
"action_id": "cloud-object-storage.object.post",
"display_name": "object.post",
"description": "Upload an object using HTML forms [deprecated]."
},
{
"action_id": "cloud-object-storage.object.post_md",
"display_name": "object.post_md",
"description": "Update object metadata using HTML forms [deprecated]."
},
{
"action_id": "cloud-object-storage.object.post_initiate_upload",
"display_name": "object.post_initiate_upload",
"description": "Initiate multipart uploads."
},
{
"action_id": "cloud-object-storage.object.put_part",
"display_name": "object.put_part",
"description": "Upload an object part."
},
{
"action_id": "cloud-object-storage.object.post_complete_upload",
"display_name": "object.post_complete_upload",
"description": "Complete a multipart upload."
},
{
"action_id": "cloud-object-storage.object.get_uploads",
"display_name": "object.get_uploads",
"description": "List parts of a multi-part object upload."
},
{
"action_id": "cloud-object-storage.object.delete_upload",
"display_name": "object.delete_upload",
"description": "Abort a multipart upload."
}
],
"account_id": "",
"service_name": ""
}
]
Checking in the GUI
In the customer portal, go to "Manage > Access (IAM) > Roles > Create" (https://cloud.ibm.com/iam/roles/create) and select the service and role in question to see the details of the actions assigned to that role.