If system policies do not meet your requirements, you can create custom policies to implement the principle of least privilege. You can use custom policies to implement fine-grained permission management and improve resource access security. This topic describes the scenarios in which custom policies for Cloud Shell are used. This topic also provides sample custom policies.
What is a custom policy?
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can create, update, and delete custom policies. You must manage the version updates of custom policies.
After you create a custom policy, you must attach the custom policy to the following RAM principal: RAM user, user group, or role. This way, the permissions specified in the policy can be granted to the principal.
You can delete a custom policy that is not attached to a principal. If a custom policy is attached to a principal, you must detach the custom policy from the principal before you delete the custom policy.
Custom policies support version control. You can manage custom policy versions based on the version management mechanism provided by RAM.
References
Scenarios and examples of custom policies
Grant a RAM user the permissions to upload files to Cloud Shell. Example:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudshell:UploadFile"
],
"Resource": [
"*"
]
}
]
}Authorization information reference
Before you use custom policies, you must understand the permission control requirements of your business and the authorization information about Cloud Shell. For more information, see Authorization information.