Custom policies for Cloud Shell

If system policies do not meet your requirements, you can create custom policies for Cloud Shell to implement fine-grained permission management and improve resource access security.

What is a custom policy?

Resource Access Management (RAM) policies are classified into system policies and custom policies. You can create, update, and delete custom policies, and you are responsible for managing their version updates.

  • After you create a custom policy, you must attach it to a RAM principal (a RAM user, user group, or role). The permissions specified in the policy are then granted to the principal.

  • You can delete a custom policy only if it is not attached to a principal. To delete an attached custom policy, detach it from the principal first.

  • Custom policies support version control. You can manage policy versions by using the version management mechanism provided by RAM.

Scenarios and examples of custom policies

The following example grants a RAM user the permission to upload files to Cloud Shell:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudshell:UploadFile"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
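
Before a custom policy like the one above is attached to a principal, it can be checked for grants broader than intended. The following Python sketch is an added example, not part of the Cloud Shell documentation: `review_policy`, `as_list`, the reviewer-supplied allowlist, and the `BROAD_POLICY` sample are hypothetical names and constructed data.

```python
import json

# The policy from this page, embedded so the example runs offline.
PAGE_POLICY = """
{"Version": "1",
 "Statement": [{"Effect": "Allow",
                "Action": ["cloudshell:UploadFile"],
                "Resource": ["*"]}]}
"""

# Constructed sample: a draft that uses a wildcard instead of a named action.
BROAD_POLICY = """
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "cloudshell:*", "Resource": "*"}]}
"""

def as_list(value):
    """Policy elements may be a single value or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def review_policy(policy_text, expected_actions):
    """Return findings for Allow statements that exceed expected_actions.

    expected_actions is the reviewer's own allowlist (an assumption of this
    example); it is compared as an exact string match.
    """
    policy = json.loads(policy_text)
    findings = []
    if policy.get("Version") != "1":  # the version used by the policy on this page
        findings.append("unexpected Version: %r" % (policy.get("Version"),))
    for index, statement in enumerate(as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # only Allow statements can widen access
        for action in as_list(statement.get("Action")):
            if "*" in action:
                findings.append("statement %d: wildcard action %s" % (index, action))
            elif action not in expected_actions:
                findings.append("statement %d: action %s not in allowlist" % (index, action))
    return findings

if __name__ == "__main__":
    for name, text in (("page policy", PAGE_POLICY), ("broad draft", BROAD_POLICY)):
        print(name, review_policy(text, {"cloudshell:UploadFile"}))
```

An empty result means every allowed action in the document is one the reviewer expected; any finding is a reason to narrow the policy before attaching it.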

Authorization information reference

Before you create custom policies, make sure that you understand the permission control requirements of your business and the authorization information about Cloud Shell. For more information, see Authorization information.