Manage IAM

Manage your IAM policies to grant access to users and Personal Access Tokens (PATs).

Use the IAM service to grant users and Personal Access Tokens (PATs) access to your projects so they can perform actions on your behalf.

Command References

    affinidi iam

Use these commands to manage policies for access configuration.

affinidi iam add-principal

Adds a principal (user or token) to the active project

USAGE


affinidi iam add-principal [--json] [--no-color] [--no-input] [-i [value]] [-t token|user]

FLAGS

-i, --principal-id=[value] ID of the principal

-t, --principal-type=[option] Type of the principal [options: token|user]

GLOBAL FLAGS

--json Format output as json.

--no-color Disables color in the output. If you have trouble distinguishing colors, consider using this flag.

--no-input Disables all the interactive prompts

DESCRIPTION

Adds a principal (user or token) to the active project. To change your active project, use the command affinidi project select-project.

EXAMPLES


affinidi iam add-principal -i [uuid]

affinidi iam add-principal --principal-id [uuid] --principal-type token

FLAG DESCRIPTIONS

-i, --principal-id=[value] ID of the principal. Get a list of possible IDs with the command affinidi token list-tokens.

affinidi iam get-policies

Gets the policies of a principal (user or token)

USAGE


affinidi iam get-policies [--json] [--no-color] [--no-input] [-i [value]] [-t token|user]

FLAGS

-i, --principal-id=[value] ID of the principal

-t, --principal-type=[option] Type of the principal [options: token|user]

GLOBAL FLAGS

--json Format output as json.

--no-color Disables color in the output. If you have trouble distinguishing colors, consider using this flag.

--no-input Disables all the interactive prompts

DESCRIPTION

Gets the policies of a principal (user or token). Make sure the principal you are working with is part of the active project.

Use the command affinidi project select-project to change your active project.

EXAMPLES


affinidi iam get-policies -i [uuid]

affinidi iam get-policies --principal-id [uuid] --principal-type token

FLAG DESCRIPTIONS

-i, --principal-id=[value] ID of the principal. Get a list of possible IDs with the command affinidi token list-tokens.

affinidi iam list-principals

Lists the principals (users and tokens) in the active project

USAGE


affinidi iam list-principals [--json] [--no-color] [--no-input]

GLOBAL FLAGS

--json Format output as json.

--no-color Disables color in the output. If you have trouble distinguishing colors, consider using this flag.

--no-input Disables all the interactive prompts

DESCRIPTION

Lists the principals (users and tokens) in the active project. To change your active project, use the command affinidi project select-project.

EXAMPLES


affinidi iam list-principals

affinidi iam remove-principal

Removes a principal (user or token) from the active project

USAGE


affinidi iam remove-principal [--json] [--no-color] [--no-input] [-i [value]] [-t token|user]

FLAGS

-i, --principal-id=[value] ID of the principal

-t, --principal-type=[option] Type of the principal [options: token|user]

GLOBAL FLAGS

--json Format output as json.

--no-color Disables color in the output. If you have trouble distinguishing colors, consider using this flag.

--no-input Disables all the interactive prompts

DESCRIPTION

Removes a principal (user or token) from the active project. To change your active project, use the command affinidi project select-project.

EXAMPLES


affinidi iam remove-principal -i [uuid]

affinidi iam remove-principal --principal-id [uuid] --principal-type token

FLAG DESCRIPTIONS

-i, --principal-id=[value] ID of the principal. Get a list of possible IDs with the command affinidi token list-tokens.

affinidi iam update-policies

Updates the policies of a principal (user or token) in the active project

USAGE


affinidi iam update-policies [--json] [--no-color] [--no-input] [-i [value]] [-t token|user] [-f [value]]

FLAGS

-f, --file=[value] Location of a json file containing principal policies

-i, --principal-id=[value] ID of the principal

-t, --principal-type=[option] Type of the principal [options: token|user]

GLOBAL FLAGS

--json Format output as json.

--no-color Disables color in the output. If you have trouble distinguishing colors, consider using this flag.

--no-input Disables all the interactive prompts

DESCRIPTION

Updates the policies of a principal (user or token) in the active project. Make sure the principal you are working with is part of the active project.

Use the command affinidi project select-project to change your active project.

EXAMPLES


affinidi iam update-policies -i [uuid]

affinidi iam update-policies --principal-id [uuid] --principal-type token --file policies.json

FLAG DESCRIPTIONS

-i, --principal-id=[value] ID of the principal. Get a list of possible IDs with the command affinidi token list-tokens.

List of Available Actions

Below is the list of actions available to be defined in the policy.

List of Actions for Login Configuration

  • vpa:listLoginConfigurations
  • vpa:createLoginConfigurations
  • vpa:getLoginConfigurationsById
  • vpa:updateLoginConfigurationsById
  • vpa:deleteLoginConfigurationsById

List of Actions for User Groups

  • vpa:listGroups
  • vpa:createGroup
  • vpa:deleteGroup
  • vpa:getGroupById
  • vpa:listGroupUserMappings
  • vpa:addUserToGroup
  • vpa:removeUserFromGroup

To grant access to all available vpa actions, set the action to vpa:*.

List of Actions for Personal Access Token

  • iam:createMachineUser
  • iam:updateMachineUser
  • iam:deleteMachineUser
  • iam:getMachineUser
  • iam:listMachineUser

List of Actions for IAM Policy

  • iam:getPolicies
  • iam:updatePolicies
  • iam:addUserToProject
  • iam:listUsersOfProject
  • iam:deleteUserFromProject
  • iam:addPrincipalToProject
  • iam:deletePrincipalFromProject
  • iam:listPrincipalsOfProject

Defining a Policy

When you add a user or Personal Access Token (PAT) as a principal to a particular project, it creates a default policy with the following format:

{
  "version": "2022-12-15",
  "statement": [
    {
      "principal": [
        "<PRINCIPAL_ID>"
      ],
      "action": [
        ""
      ],
      "resource": [
        ""
      ],
      "effect": "Allow"
    }
  ]
}

In the policy above, the action and resource properties are empty, so the user or PAT does not yet have permission to perform any action on any resource.

To update the attached user or PAT policy, execute the following command:

affinidi iam update-policies --principal-id="<USER_PRINCIPAL_ID>" --file="<NEW_POLICY_FILE>"

If the policy you are updating is attached to a user rather than a Personal Access Token (PAT), add the flag --principal-type=user.

Getting your Principal ID (Subject)

To get the Subject (sub) or Principal ID of your account, use the following CLI command:

affinidi whoami

The above command will return the Subject (sub) value, representing your Principal ID.

Retrieving user data... Retrieved successfully!
{
  "sub": "af83656f-bffc-4dbb-ygd7-5b9fd68f2ji8",
  "sessionId": "5hxQNR2/NLOQLi7DH+z5IPbun5rXp6t9aapHjDM2gRjAfOtRKOrHdBpy+Fvi3XLkohyY1T0lGhDP3HdYYKDCTg==",
  "projectScopedToken": "...",
  "projectContext": "4e18c949-agyt-8hgf-a357-c66d3eb5ju8g",
  "projectList": {
    "isValid": true,
    "projects": [
      {
        "id": "4e18c949-agyt-8hgf-a357-c66d3eb5ju8g",
        "name": "Default Project",
        "createdAt": "2023-10-02T06:54:33.298Z"
      }
    ]
  },
  "access_token": "..."
}

Defining the Resource

The resource is defined based on the Project ID you want the user or PAT to access. For example, to define a policy that only allows access to a specific project, specify the following policy:

{
  "version": "2022-12-15",
  "statement": [
    {
      "principal": [
        "<PRINCIPAL_ID>"
      ],
      "action": [
        "*"
      ],
      "resource": [
        "*:<PROJECT_ID>:*"
      ],
      "effect": "Allow"
    }
  ]
}

Defining Policy with All Access

To allow a principal to perform all actions on the resources under a project, define the following policy, setting both the action and resource properties to *:

{
  "version": "2022-12-15",
  "statement": [
    {
      "principal": [
        "<PRINCIPAL_ID>"
      ],
      "action": [
        "*"
      ],
      "resource": [
        "*"
      ],
      "effect": "Allow"
    }
  ]
}

Defining Policy with Limited Actions

To allow a user or PAT to perform only specific actions, define the following policy:

{
  "version": "2022-12-15",
  "statement": [
    {
      "principal": [
        "<PRINCIPAL_ID>"
      ],
      "action": [
        "vpa:listLoginConfigurations",
        "vpa:getLoginConfigurationsById"
      ],
      "resource": [
        "*"
      ],
      "effect": "Allow"
    }
  ]
}

The policy above allows the user or PAT to perform only the list and get Login Configuration operations, on all resources.
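
A policy file can be checked against the shapes above before it is passed to update-policies. The following Python linter is an added example, not part of the Affinidi CLI or its documentation: it flags empty or wildcard entries, action names missing from the lists on this page (which may lag the service), and resources not scoped as *:<PROJECT_ID>:*. The SENSITIVE set, the finding codes and the sample policy are this example's own constructions.

```python
import json

# Action names copied from the lists on this page.
KNOWN_ACTIONS = set("""
vpa:listLoginConfigurations vpa:createLoginConfigurations
vpa:getLoginConfigurationsById vpa:updateLoginConfigurationsById
vpa:deleteLoginConfigurationsById vpa:listGroups vpa:createGroup
vpa:deleteGroup vpa:getGroupById vpa:listGroupUserMappings
vpa:addUserToGroup vpa:removeUserFromGroup iam:createMachineUser
iam:updateMachineUser iam:deleteMachineUser iam:getMachineUser
iam:listMachineUser iam:getPolicies iam:updatePolicies iam:addUserToProject
iam:listUsersOfProject iam:deleteUserFromProject iam:addPrincipalToProject
iam:deletePrincipalFromProject iam:listPrincipalsOfProject
""".split())
# Reviewer's choice (not from the page): actions that can widen access.
SENSITIVE = {"iam:updatePolicies", "iam:addUserToProject",
             "iam:addPrincipalToProject", "iam:createMachineUser"}


def lint_policy(policy, project_id):
    """Return (code, statement_index, value) findings for a policy dict."""
    findings = []
    for n, st in enumerate(policy.get("statement", [])):
        for action in st.get("action", []):
            if action == "":
                findings.append(("EMPTY_ACTION", n, action))
            elif action == "*" or action.endswith(":*"):
                findings.append(("WILDCARD_ACTION", n, action))
            elif action not in KNOWN_ACTIONS:
                findings.append(("UNKNOWN_ACTION", n, action))
            elif action in SENSITIVE:
                findings.append(("SENSITIVE_ACTION", n, action))
        for resource in st.get("resource", []):
            if resource == "":
                findings.append(("EMPTY_RESOURCE", n, resource))
            elif resource == "*":
                findings.append(("UNSCOPED_RESOURCE", n, resource))
            elif resource != f"*:{project_id}:*":
                findings.append(("UNEXPECTED_RESOURCE", n, resource))
    return findings


# Constructed sample: a "read-only" policy with a typo, a policy-editing
# action and a resource that is not limited to one project.
SAMPLE = json.loads("""{"version": "2022-12-15", "statement": [{
  "principal": ["<PRINCIPAL_ID>"],
  "action": ["vpa:listLoginConfigurations", "vpa:getLoginConfigurationById",
             "iam:updatePolicies"],
  "resource": ["*"], "effect": "Allow"}]}""")

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE, "<PROJECT_ID>"):
        print(finding)
```

An empty result means every action is on this page's lists and every resource is limited to the expected project; it does not confirm how the service evaluates the policy.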

Learn how to create a Personal Access Token (PAT) and attach a policy to it to automate specific tasks on your application.