Manage access policies and role assignments
Allows a user to page through the external grants of an access policy, including a managed policy. Access to this operation is controlled by the access policy being accessed.
The auth token's access policy must allow `action:use/listGrants`.
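The paging loop and path-parameter handling this operation calls for (the same loop serves the other paged list operations on this page), as an added example that is not Equinix's code: the request paths are not shown on this page, so `fake_fetch_grants_page` is a hypothetical transport callback standing in for the HTTP call, and the two pages it serves are constructed sample data modelled on the response sample. Besides following `nextPageToken`, the example URL-encodes an ERN as the page requires for path values, parses the ERN format the page quotes, and checks each grant's `grantId` against the documented pattern and its policy ERN against the project being audited.

```python
"""Page through the grants of an access policy and audit the grantees.

Added example, not Equinix's code. The request paths are not given on this
page, so fetch_page is a hypothetical transport callback; the pages served
by fake_fetch_grants_page are constructed sample data.
"""
import re
from typing import Callable, Iterator, Optional
from urllib.parse import quote

GRANT_ID_RE = re.compile(r"^grant:[A-Z0-9]{13}$")   # GrantId pattern from the page
ERN_FIELDS = ("cloudId", "serviceId", "regionId", "projectId", "resourceType", "resourceId")


def encode_path_value(value: str) -> str:
    """URL-encode a path parameter. The page says an ERN must be encoded when
    passed this way: ':' and '/' must not survive as path separators."""
    return quote(value, safe="")


def parse_ern(ern: str) -> dict:
    """Split ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>
    (the format quoted on the page) into its six named fields."""
    parts = ern.split(":", 6)
    if len(parts) != 7 or parts[0] != "ern" or not all(parts[1:]):
        raise ValueError(f"not a well-formed ERN: {ern!r}")
    return dict(zip(ERN_FIELDS, parts[1:]))


def iter_grants(fetch_page: Callable[[Optional[str], int], dict],
                page_size: int = 20) -> Iterator[dict]:
    """Yield every grant, following nextPageToken until the server omits it."""
    token: Optional[str] = None
    seen = set()
    while True:
        body = fetch_page(token, page_size)
        yield from body.get("list", [])
        token = body.get("nextPageToken")
        if not token:
            return
        if token in seen:                       # never loop forever on a repeated token
            raise RuntimeError("nextPageToken repeated; aborting paging")
        seen.add(token)


def audit_grants(project_id: str, fetch_page, page_size: int = 20) -> dict:
    """Collect who can use the policy and flag grants that look wrong."""
    grantees, problems = set(), []
    for grant in iter_grants(fetch_page, page_size):
        gid = grant.get("grantId", "")
        if not GRANT_ID_RE.match(gid):
            problems.append(f"{gid!r}: grantId does not match the documented pattern")
        ern_project = parse_ern(grant["accessPolicyErn"])["projectId"]
        if ern_project != project_id:
            problems.append(f"{gid}: policy ERN is in project {ern_project!r}, expected {project_id!r}")
        grantees.add(grant["grantee"])
    return {"grantees": sorted(grantees), "problems": problems}


# Constructed pages (not real API output); the first mirrors the page's sample.
_PAGES = {
    None: {
        "list": [{
            "grantId": "grant:ABCDEFGHIJ123",
            "accessPolicyId": "accesspolicy:my-policy",
            "accessPolicyErn": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
            "grantee": "principal:abc-123:idp:example-user",
            "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
            "createdAt": "2024-01-15T12:00:00Z",
        }],
        "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0=",
    },
    "eyJsYXN0S2V5IjoiYWJjMTIzIn0=": {
        "list": [{
            "grantId": "grant:bad-id",          # deliberately malformed to exercise the check
            "accessPolicyId": "accesspolicy:my-policy",
            "accessPolicyErn": "ern:eqix:equinix/sts:global:other-proj:SomeType:res-id",
            "grantee": "principal:other-proj:idp:second-user",
            "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
            "createdAt": "2024-01-16T12:00:00Z",
        }],
    },
}


def fake_fetch_grants_page(page_token: Optional[str], page_size: int) -> dict:
    """Hypothetical transport. A real client would send pageToken/pageSize as
    query parameters and put encode_path_value(ern) in the request path."""
    return _PAGES[page_token]


if __name__ == "__main__":
    print(encode_path_value("ern:eqix:equinix/sts:global:abc-123:SomeType:res-id"))
    print(audit_grants("abc-123", fake_fetch_grants_page))
```

The repeated-token guard is there because a client that trusts `nextPageToken` blindly turns a server bug into an unbounded request loop; the project check on the ERN catches the case where a policy lookup by `*` project returns a grant that belongs somewhere other than the project under review.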
Parameters:

| Parameter | Type | Description |
|---|---|---|
| (required) | ProjectId (string) or `*` (string) | Globally unique identifier of a project. Callers may URL encode this value. Use |
| (required) | (AccessPolicyId (string) or ManagedPolicyId (string)) or Ern (string) | Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |
| `pageToken` | string (PageToken) `^.*$` | Opaque token identifying the page of results to retrieve. Example: `pageToken=eyJsYXN0S2V5IjoiYWJjMTIzIn0=` |
| `pageSize` | integer (PageSize), >= 1, default 500 | Maximum number of results to return per page. Example: `pageSize=20` |

Response body:

| Field | Type | Description |
|---|---|---|
| `list` (required) | Array of objects (AccessPolicyGrant) | |
| `nextPageToken` | string (NextPageToken) `^.*$` | When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call. |

Response sample:

```json
{
  "list": [
    {
      "grantId": "grant:ABCDEFGHIJ123",
      "accessPolicyId": "accesspolicy:my-policy",
      "accessPolicyErn": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
      "grantee": "principal:abc-123:idp:example-user",
      "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
      "createdAt": "2024-01-15T12:00:00Z"
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}
```

Allows a user to add an external grant to an access policy, including a managed policy. Access to this operation is controlled by the access policy being accessed.
The auth token's access policy must allow `action:use/addGrant`.

Parameters:

| Parameter | Type | Description |
|---|---|---|
| (required) | ProjectId (string) or `*` (string) | Globally unique identifier of a project. Callers may URL encode this value. Use |
| (required) | (AccessPolicyId (string) or ManagedPolicyId (string)) or Ern (string) | Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |

Request body:

| Field | Type | Description |
|---|---|---|
| `grantee` (required) | Principal (string) or Group (string) or ProjectId (string) (Grantee); a Principal matches `^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)...` | An entity that can be granted an access policy. A Principal is a globally unique string identifier for a principal formatted like "principal:...". |
| `lastRev` | string (LastResourceRev) `^.*$` | An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |

Response body:

| Field | Type | Description |
|---|---|---|
| `grantId` (required) | string (GrantId) `^grant:[A-Z0-9]{13}$` | Uniquely identifies an access policy grant. |
| `accessPolicyId` (required) | AccessPolicyId (string) or ManagedPolicyId (string); an AccessPolicyId matches `^accesspolicy:[a-zA-Z](?![^:]*-$)(?![^:]*--)[...` | Uniquely identifies an access policy within a project. |
| `accessPolicyErn` (required) | string (Ern) `^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,...` | Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as `ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>`. |
| `grantee` (required) | Principal (string) or Group (string) or ProjectId (string) (Grantee); a Principal matches `^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)...` | An entity that can be granted an access policy. A Principal is a globally unique string identifier for a principal formatted like "principal:...". |
| `createdBy` (required) | string (CreatedBy) `^.*$` | A string indicating the principal who invoked an operation to create the resource. |
| `createdAt` (required) | string (CreatedAt) `^.*$` | A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |

Request sample:

```json
{
  "grantee": "principal:abc-123:idp:example-user",
  "lastRev": "abc123"
}
```

Response sample:

```json
{
  "grantId": "grant:ABCDEFGHIJ123",
  "accessPolicyId": "accesspolicy:my-policy",
  "accessPolicyErn": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "grantee": "principal:abc-123:idp:example-user",
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z"
}
```

Allows a user to page through all of the access policies within a project. The project is identified by
projectId. Access to this operation is controlled by the project being accessed.
The auth token's access policy must allow `action:use/listAccessPolicies`.

Parameters:

| Parameter | Type | Description |
|---|---|---|
| `projectId` (required) | string (ProjectId) `^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-...` | Globally unique identifier of a project. Callers may URL encode this value. Example: `project:abc-123` |

Response body:

| Field | Type | Description |
|---|---|---|
| `list` (required) | Array of objects (UserAccessPolicyData) | |
| `nextPageToken` | string (NextPageToken) `^.*$` | When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call. |

Response sample:

```json
{
  "list": [
    {
      "description": "A description string.",
      "tags": {
        "property1": "my tag value",
        "property2": "my tag value"
      },
      "updatedAt": "2024-01-15T12:00:00Z",
      "permissions": [
        {
          "resources": "all",
          "serviceActions": "all",
          "condition": "context.myAttribute < 5",
          "ibxLocationCondition": {
            "metroCodes": ["SV"],
            "ibxIds": ["SV1"],
            "cageIds": ["SV1:cage-1"]
          }
        }
      ],
      "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
      "createdAt": "2024-01-15T12:00:00Z",
      "rev": "abc123",
      "approvedAt": "2024-01-15T12:00:00Z",
      "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
      "disabledPolicy": true,
      "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
      "managed": true,
      "intersect": [
        {
          "resources": "all",
          "serviceActions": "all",
          "condition": "context.myAttribute < 5",
          "ibxLocationCondition": {
            "metroCodes": ["SV"],
            "ibxIds": ["SV1"],
            "cageIds": ["SV1:cage-1"]
          }
        }
      ],
      "subtract": [
        {
          "resources": "all",
          "serviceActions": "all",
          "condition": "context.myAttribute < 5",
          "ibxLocationCondition": {
            "metroCodes": ["SV"],
            "ibxIds": ["SV1"],
            "cageIds": ["SV1:cage-1"]
          }
        }
      ],
      "accessPolicyId": "accesspolicy:my-policy",
      "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}
```

Allows a user to create a new access policy. The access policy is created in the project identified by
projectId. An access policy contains the same data as a permission set but also includes the grants field for indicating what principals can use the access policy. Access to this operation is controlled by the project being accessed.
The auth token's access policy must allow `action:use/createAccessPolicy`.

Parameters:

| Parameter | Type | Description |
|---|---|---|
| `projectId` (required) | string (ProjectId) `^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-...` | Globally unique identifier of a project. Callers may URL encode this value. Example: `project:abc-123` |

Request body:

| Field | Type | Description |
|---|---|---|
| `tags` (required) | object (Tags), <= 10 properties | Additional user-controlled data about this resource. |
| `description` | string `^.{0,500}$` | |
| `permissions` (required) | Array (UserRectSet, unique) of InlinePermission (object) or strings or objects | A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference. |
| `intersect` | Array (unique) of InlinePermission (object) or strings or objects | Entries must appear in both the |
| `subtract` | Array (unique) of objects (InlinePermission) | Entries in the |
| `accessPolicyId` (required) | string (AccessPolicyId) `^accesspolicy:[a-zA-Z](?![^:]*-$)(?![^:]*--)[...` | Uniquely identifies an access policy within a project. |
| `allowBadRefs` | string, Value: "additional" | Indicates that the access policy should be created even if it includes invalid references to permission objects. |

Response body:

| Field | Type | Description |
|---|---|---|
| `description` | string `^.{0,500}$` | |
| `tags` (required) | object (Tags), <= 10 properties | Additional user-controlled data about this resource. |
| `updatedAt` | string (UpdatedAt) `^.*$` | A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `permissions` (required) | Array (UserRectSet, unique) of InlinePermission (object) or strings or objects | A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference. |
| `createdBy` | string (CreatedBy) `^.*$` | A string indicating the principal who invoked an operation to create the resource. |
| `createdAt` | string (CreatedAt) `^.*$` | A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `rev` (required) | string (ResourceRev) `^.*$` | An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| `approvedAt` | string (UpdatedAt) `^.*$` | A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `ern` (required) | string (Ern) `^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,...` | Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as `ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>`. |
| `disabledPolicy` | any, Value: true | |
| `updatedBy` | string (UpdatedBy) `^.*$` | A string indicating the principal who last invoked an operation to update the resource. |
| `managed` | any, Value: true | |
| `intersect` | Array (unique) of InlinePermission (object) or strings or objects | Entries must appear in both the |
| `subtract` | Array (unique) of objects (InlinePermission) | Entries in the |
| `accessPolicyId` (required) | AccessPolicyId (string) or ManagedPolicyId (string); an AccessPolicyId matches `^accesspolicy:[a-zA-Z](?![^:]*-$)(?![^:]*--)[...` | Uniquely identifies an access policy within a project. |
| `approvedBy` | string (ApprovedBy) `^.*$` | A string indicating the principal who invoked an operation to approve the resource. |

Request sample:

```json
{
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "description": "A description string.",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "accessPolicyId": "accesspolicy:my-policy",
  "allowBadRefs": "additional"
}
```

Response sample:

```json
{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "managed": true,
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "accessPolicyId": "accesspolicy:my-policy",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}
```

Allows a user to remove an external grant from an access policy, including a managed policy. Access to this operation is controlled by the access policy being accessed.
The auth token's access policy must allow `action:use/removeGrant`.

Parameters:

| Parameter | Type | Description |
|---|---|---|
| `grantId` (required) | string (GrantId) `^grant:[A-Z0-9]{13}$` | Uniquely identifies an access policy grant. Callers may URL encode this value. Example: `grant:ABCDEFGHIJ123` |
| (required) | ProjectId (string) or `*` (string) | Globally unique identifier of a project. Callers may URL encode this value. Use |
| (required) | (AccessPolicyId (string) or ManagedPolicyId (string)) or Ern (string) | Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |

Error response sample:

```json
{
  "error": {
    "errorCode": "not-found"
  }
}
```

Allows a user to retrieve the definition of an access policy identified by accessPolicyId.
The access policy is retrieved from the project identified by projectId. Access to this operation is controlled by the access policy being accessed.
The auth token's access policy must allow `action:use/getAccessPolicy`.

Parameters:

| Parameter | Type | Description |
|---|---|---|
| (required) | ProjectId (string) or `*` (string) | Globally unique identifier of a project. Callers may URL encode this value. Use |
| (required) | (AccessPolicyId (string) or ManagedPolicyId (string)) or Ern (string) | Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |

Response body:

| Field | Type | Description |
|---|---|---|
| `description` | string `^.{0,500}$` | |
| `tags` (required) | object (Tags), <= 10 properties | Additional user-controlled data about this resource. |
| `updatedAt` | string (UpdatedAt) `^.*$` | A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `permissions` (required) | Array (UserRectSet, unique) of InlinePermission (object) or strings or objects | A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference. |
| `createdBy` | string (CreatedBy) `^.*$` | A string indicating the principal who invoked an operation to create the resource. |
| `createdAt` | string (CreatedAt) `^.*$` | A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `rev` (required) | string (ResourceRev) `^.*$` | An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| `approvedAt` | string (UpdatedAt) `^.*$` | A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `ern` (required) | string (Ern) `^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,...` | Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as `ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>`. |
| `disabledPolicy` | any, Value: true | |
| `updatedBy` | string (UpdatedBy) `^.*$` | A string indicating the principal who last invoked an operation to update the resource. |
| `managed` | any, Value: true | |
| `intersect` | Array (unique) of InlinePermission (object) or strings or objects | Entries must appear in both the |
| `subtract` | Array (unique) of objects (InlinePermission) | Entries in the |
| `accessPolicyId` (required) | AccessPolicyId (string) or ManagedPolicyId (string); an AccessPolicyId matches `^accesspolicy:[a-zA-Z](?![^:]*-$)(?![^:]*--)[...` | Uniquely identifies an access policy within a project. |
| `approvedBy` | string (ApprovedBy) `^.*$` | A string indicating the principal who invoked an operation to approve the resource. |

Response sample:

```json
{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "managed": true,
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "accessPolicyId": "accesspolicy:my-policy",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}
```

Allows a user to delete an access policy identified by either the accessPolicyId or the accessPolicyErn
parameter. The access policy is deleted from the project identified by the accessPolicyErn if provided, else in the project that owns the access policy being used to invoke the operation. The project must be disabled and not have any grants in order for it to be deleted. Access to this operation is controlled by the access policy being accessed.
The auth token's access policy must allow `action:use/deleteAccessPolicy`.

Parameters:

| Parameter | Type | Description |
|---|---|---|
| (required) | ProjectId (string) or `*` (string) | Globally unique identifier of a project. Callers may URL encode this value. Use |
| (required) | AccessPolicyId (string) or Ern (string) | Uniquely identifies an access policy within a project. Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |

Request body:

| Field | Type | Description |
|---|---|---|
| `lastRev` (required) | string (LastResourceRev) `^.*$` | An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |

Request sample:

```json
{
  "lastRev": "abc123"
}
```

Error response sample:

```json
{
  "error": {
    "errorCode": "not-found"
  }
}
```

Allows a user to update the definition of an access policy identified by the accessPolicyId.
The access policy is updated in the project identified by the projectId. It is possible that some of the objects referenced by the updated access policy no longer exist or are no longer accessible. Such cases will produce an error unless the allowBadRefs parameter is set to "existing". Setting this parameter allows users to update access policies even if something unrelated to their update has changed since the access policy was created. Using this flag allows urgent access policy changes to be made without requiring the caller to address issues outside of their immediate concern. Access to this operation is controlled by the access policy being accessed.
The auth token's access policy must allow `action:use/updateAccessPolicy`.
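A model of the update semantics described above, added here as an illustration and not Equinix's service code: the `lastRev` check detects a concurrent update, and `allowBadRefs` decides whether unresolvable references are tolerated (`"existing"` keeps references that were already broken but rejects newly introduced ones; `"additional"` accepts both). The policy store, the set of resolvable references, the `ref:` string format and every error code other than `not-found` (which the page shows) are assumptions made for the example.

```python
"""Model of the UpdateAccessPolicy semantics described above: optimistic
concurrency through lastRev/rev, and reference checking governed by
allowBadRefs ("existing" vs "additional"). Added illustration, not Equinix's
service code. The policy store, the set of resolvable references and every
error code except "not-found" (which the page shows) are constructed."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    access_policy_id: str
    rev: str               # opaque ResourceRev; changes on every successful update
    permissions: list      # inline permission objects (dict) or reference strings


@dataclass
class UpdateResult:
    ok: bool
    error_code: Optional[str] = None
    detail: str = ""
    policy: Optional[Policy] = None


def referenced_ids(permissions: list) -> set:
    """Reference entries (permission set / foreign policy refs) are strings;
    inline permissions are objects, which have nothing to resolve."""
    return {p for p in permissions if isinstance(p, str)}


def update_access_policy(store: dict, policy_id: str, body: dict, resolvable: set) -> UpdateResult:
    current = store.get(policy_id)
    if current is None:
        return UpdateResult(False, "not-found", policy_id)

    # 1. Optimistic concurrency: the caller must present the rev it last read.
    if body.get("lastRev") != current.rev:
        return UpdateResult(False, "conflict",                       # assumed error code
                            f"policy is at rev {current.rev}, caller sent {body.get('lastRev')!r}")

    # 2. Reference checking, as governed by allowBadRefs.
    mode = body.get("allowBadRefs")                                  # None, "existing" or "additional"
    if mode not in (None, "existing", "additional"):
        return UpdateResult(False, "invalid-argument", f"allowBadRefs={mode!r}")   # assumed code
    already_bad = referenced_ids(current.permissions) - resolvable
    now_bad = referenced_ids(body["permissions"]) - resolvable
    introduced = now_bad - already_bad
    if mode is None and now_bad:
        return UpdateResult(False, "bad-reference", f"unresolvable: {sorted(now_bad)}")   # assumed code
    if mode == "existing" and introduced:
        return UpdateResult(False, "bad-reference", f"newly introduced: {sorted(introduced)}")
    # mode == "additional" accepts both pre-existing and newly introduced bad references.

    updated = Policy(policy_id, secrets.token_hex(6), list(body["permissions"]))
    store[policy_id] = updated
    return UpdateResult(True, policy=updated)


INLINE = {"resources": "all", "serviceActions": "all", "condition": "context.myAttribute < 5"}
RESOLVABLE = {"ref:permission-set-ok"}        # constructed reference strings, not a real id format


def make_store() -> dict:
    """Constructed starting state: the stored policy already points at a
    reference that has since stopped resolving (the situation the text describes)."""
    return {"accesspolicy:my-policy": Policy("accesspolicy:my-policy", "abc123",
                                              [INLINE, "ref:permission-set-deleted"])}


if __name__ == "__main__":
    store = make_store()
    body = {"lastRev": "abc123",
            "permissions": [INLINE, "ref:permission-set-deleted", "ref:permission-set-ok"]}
    print(update_access_policy(store, "accesspolicy:my-policy", body, RESOLVABLE))   # bad-reference
    print(update_access_policy(store, "accesspolicy:my-policy",
                               {**body, "allowBadRefs": "existing"}, RESOLVABLE))   # ok, new rev
```

The order of the checks matters for a caller: a stale `lastRev` is reported before any reference problem, so a client that retries on a conflict must re-read the policy (and its new `rev`) rather than resend the same body, and the difference between `"existing"` and `"additional"` is only visible once the revision check has passed.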
Parameters:

| Parameter | Type | Description |
|---|---|---|
| (required) | ProjectId (string) or `*` (string) | Globally unique identifier of a project. Callers may URL encode this value. Use |
| (required) | AccessPolicyId (string) or Ern (string) | Uniquely identifies an access policy within a project. Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |

Request body:

| Field | Type | Description |
|---|---|---|
| `tags` (required) | object (Tags), <= 10 properties | Additional user-controlled data about this resource. |
| `description` | string `^.{0,500}$` | |
| `permissions` (required) | Array (UserRectSet, unique) of InlinePermission (object) or strings or objects | A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference. |
| `intersect` | Array (unique) of InlinePermission (object) or strings or objects | Entries must appear in both the |
| `subtract` | Array (unique) of objects (InlinePermission) | Entries in the |
| `allowBadRefs` | string, Enum: "existing", "additional" | Indicates that the access policy should be updated even if it includes invalid references to permission objects. Setting to "existing" will allow existing invalid references to remain, but will complain if new invalid references are introduced. Setting to "additional" will allow both existing and new invalid references to be accepted without complaint. |
| `lastRev` (required) | string (LastResourceRev) `^.*$` | An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |

Response body:

| Field | Type | Description |
|---|---|---|
| `description` | string `^.{0,500}$` | |
| `tags` (required) | object (Tags), <= 10 properties | Additional user-controlled data about this resource. |
| `updatedAt` | string (UpdatedAt) `^.*$` | A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `permissions` (required) | Array (UserRectSet, unique) of InlinePermission (object) or strings or objects | A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference. |
| `createdBy` | string (CreatedBy) `^.*$` | A string indicating the principal who invoked an operation to create the resource. |
| `createdAt` | string (CreatedAt) `^.*$` | A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `rev` (required) | string (ResourceRev) `^.*$` | An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| `approvedAt` | string (UpdatedAt) `^.*$` | A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `ern` (required) | string (Ern) `^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,...` | Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as `ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>`. |
| `disabledPolicy` | any, Value: true | |
| `updatedBy` | string (UpdatedBy) `^.*$` | A string indicating the principal who last invoked an operation to update the resource. |
| `managed` | any, Value: true | |
| `intersect` | Array (unique) of InlinePermission (object) or strings or objects | Entries must appear in both the |
| `subtract` | Array (unique) of objects (InlinePermission) | Entries in the |
| `accessPolicyId` (required) | AccessPolicyId (string) or ManagedPolicyId (string); an AccessPolicyId matches `^accesspolicy:[a-zA-Z](?![^:]*-$)(?![^:]*--)[...` | Uniquely identifies an access policy within a project. |
| `approvedBy` | string (ApprovedBy) `^.*$` | A string indicating the principal who invoked an operation to approve the resource. |

Request sample:

```json
{
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "description": "A description string.",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "allowBadRefs": "additional",
  "lastRev": "abc123"
}
```

Response sample:

```json
{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "managed": true,
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "accessPolicyId": "accesspolicy:my-policy",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}
```

Allows a user to enable an access policy identified by either the accessPolicyId or the accessPolicyErn
parameter. The access policy is updated in the project identified by the accessPolicyErn if provided, else in the project that owns the access policy being used to invoke the operation. This reverses the effect of disabling an access policy. Access to this operation is controlled by the access policy being accessed.
The auth token's access policy must allow `action:use/enableAccessPolicy`.

Parameters:

| Parameter | Type | Description |
|---|---|---|
| (required) | ProjectId (string) or `*` (string) | Globally unique identifier of a project. Callers may URL encode this value. Use |
| (required) | AccessPolicyId (string) or Ern (string) | Uniquely identifies an access policy within a project. Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |

Request body:

| Field | Type | Description |
|---|---|---|
| `lastRev` (required) | string (LastResourceRev) `^.*$` | An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |

Response body:

| Field | Type | Description |
|---|---|---|
| `description` | string `^.{0,500}$` | |
| `tags` (required) | object (Tags), <= 10 properties | Additional user-controlled data about this resource. |
| `updatedAt` | string (UpdatedAt) `^.*$` | A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `permissions` (required) | Array (UserRectSet, unique) of InlinePermission (object) or strings or objects | A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference. |
| `createdBy` | string (CreatedBy) `^.*$` | A string indicating the principal who invoked an operation to create the resource. |
| `createdAt` | string (CreatedAt) `^.*$` | A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `rev` (required) | string (ResourceRev) `^.*$` | An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| `approvedAt` | string (UpdatedAt) `^.*$` | A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| `ern` (required) | string (Ern) `^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,...` | Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as `ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>`. |
| `disabledPolicy` | any, Value: true | |
| `updatedBy` | string (UpdatedBy) `^.*$` | A string indicating the principal who last invoked an operation to update the resource. |
| `managed` | any, Value: true | |
| `intersect` | Array (unique) of InlinePermission (object) or strings or objects | Entries must appear in both the |
| `subtract` | Array (unique) of objects (InlinePermission) | Entries in the |
| `accessPolicyId` (required) | AccessPolicyId (string) or ManagedPolicyId (string); an AccessPolicyId matches `^accesspolicy:[a-zA-Z](?![^:]*-$)(?![^:]*--)[...` | Uniquely identifies an access policy within a project. |
| `approvedBy` | string (ApprovedBy) `^.*$` | A string indicating the principal who invoked an operation to approve the resource. |

Request sample:

```json
{
  "lastRev": "abc123"
}
```

Response sample:

```json
{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "managed": true,
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "accessPolicyId": "accesspolicy:my-policy",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}
```

Allows a user to disable an access policy identified by either the accessPolicyId or the accessPolicyErn
parameter. The access policy is updated in the project identified by the accessPolicyErn if provided, else in the
project that owns the access policy being used to invoke the operation. Disabling an access policy means that it is
not available for users to assume via token exchange and current tokens with this access policy as their scope will
eventually lose access. Access to this operation is controlled by the access policy being accessed.
The auth token's access policy must allow action:use/disableAccessPolicy.
Path parameters
- (required) ProjectId (string) or * (string): Globally unique identifier of a project. Callers may URL encode this value. Use
- (required) AccessPolicyId (string) or Ern (string): Uniquely identifies an access policy within a project. Callers may URL encode this value. When passing an ERN, callers must URL encode this value.

Request body
- lastRev (required): string (LastResourceRev), ^.*$. An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected.

Response body (AccessPolicy)
- description: string, ^.{0,500}$
- tags (required): object (Tags), <= 10 properties. Additional user-controlled data about this resource.
- updatedAt: string (UpdatedAt), ^.*$. A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z"
- permissions (required): Array (UserRectSet), unique, of InlinePermission objects or reference entries (string or object forms). A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference.
- createdBy: string (CreatedBy), ^.*$. A string indicating the principal who invoked an operation to create the resource.
- createdAt: string (CreatedAt), ^.*$. A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z"
- rev (required): string (ResourceRev), ^.*$. An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes.
- approvedAt: string (UpdatedAt), ^.*$. A string timestamp formatted like: "2025-02-12T17:24:19.033772087Z" (the spec reuses the UpdatedAt schema, whose description reads "when the resource was last updated", for this field).
- ern (required): string (Ern), ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as "ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>".
- disabledPolicy: any, Value: true
- updatedBy: string (UpdatedBy), ^.*$. A string indicating the principal who last invoked an operation to update the resource.
- managed: any, Value: true
- intersect: Array, unique, of InlinePermission objects or reference entries (string or object forms). Entries must appear in both the
- subtract: Array of objects (InlinePermission), unique. Entries in the
- accessPolicyId (required): AccessPolicyId (string) or ManagedPolicyId (string). One of: string (AccessPolicyId), ^accesspolicy:[a-zA-Z](?![^:]*-$)(?![^:]*--)[... Uniquely identifies an access policy within a project.
- approvedBy: string (ApprovedBy), ^.*$. A string indicating the principal who invoked an operation to approve the resource.
Request sample:
{
  "lastRev": "abc123"
}

Response sample:
{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "managed": true,
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "accessPolicyId": "accesspolicy:my-policy",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}

Allows a user to page through all of the permission sets within a project. The project is identified by the projectId. Access to this operation is controlled by the project being accessed.
The auth token's access policy must allow action:use/listPermissionSets.
Path parameters
- projectId (required): string (ProjectId), ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123. Globally unique identifier of a project. Callers may URL encode this value.

Response body
- list (required): Array of objects (PermissionSet)
- nextPageToken: string (NextPageToken), ^.*$. When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call.
Response sample:
{
  "list": [
    {
      "description": "A description string.",
      "tags": {
        "property1": "my tag value",
        "property2": "my tag value"
      },
      "updatedAt": "2024-01-15T12:00:00Z",
      "permissions": [
        {
          "resources": "all",
          "serviceActions": "all",
          "condition": "context.myAttribute < 5",
          "ibxLocationCondition": {
            "metroCodes": ["SV"],
            "ibxIds": ["SV1"],
            "cageIds": ["SV1:cage-1"]
          }
        }
      ],
      "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
      "createdAt": "2024-01-15T12:00:00Z",
      "rev": "abc123",
      "approvedAt": "2024-01-15T12:00:00Z",
      "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
      "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
      "managed": true,
      "intersect": [
        {
          "resources": "all",
          "serviceActions": "all",
          "condition": "context.myAttribute < 5",
          "ibxLocationCondition": {
            "metroCodes": ["SV"],
            "ibxIds": ["SV1"],
            "cageIds": ["SV1:cage-1"]
          }
        }
      ],
      "subtract": [
        {
          "resources": "all",
          "serviceActions": "all",
          "condition": "context.myAttribute < 5",
          "ibxLocationCondition": {
            "metroCodes": ["SV"],
            "ibxIds": ["SV1"],
            "cageIds": ["SV1:cage-1"]
          }
        }
      ],
      "permissionSetId": "permissionset:my-set",
      "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

Allows users to define a permission set object which can then be used as a reusable building block when defining access policies. The permission set is created in the project identified by the projectId. A permission set is conceptually a set of action/resource tuples. The set is computed from the permissions, intersect, and subtract fields: each field is the union of its own entries, and the result is the permissions tuples intersected with the intersect tuples, with the subtract tuples then removed. Access to this operation is controlled by the project being accessed.
The auth token's access policy must allow action:use/createPermissionSet.
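The set algebra described above, worked through on explicit tuples, as an added example that is not Equinix code. It expands each entry of permissions, intersect and subtract into (action, resource) pairs, unions each field, then computes (permissions ∩ intersect) − subtract. Everything beyond that rule is an assumption of the example: the "all" literal is expanded against a caller-supplied universe of action and resource ids, an omitted intersect field imposes no restriction while an explicitly empty one intersects with the empty set, and condition fields are ignored. The action and resource ids in the sample are constructed for illustration.

```python
# Added example (not Equinix code): (permissions ∩ intersect) − subtract over
# explicit (action, resource) tuples. Assumptions: "serviceActions" and
# "resources" are the literal "all" or a list of ids; "all" expands against a
# caller-supplied universe; an omitted intersect field imposes no restriction,
# an explicitly empty one intersects with the empty set; conditions are ignored.
from __future__ import annotations

from typing import Iterable


def _expand(value, universe: Iterable[str]) -> set[str]:
    """Expand the literal "all" to the universe; otherwise take the listed ids."""
    return set(universe) if value == "all" else set(value)


def entry_tuples(entry: dict, actions: Iterable[str], resources: Iterable[str]) -> set[tuple[str, str]]:
    """All (action, resource) pairs that one inline permission entry covers."""
    acts = _expand(entry["serviceActions"], actions)
    ress = _expand(entry["resources"], resources)
    return {(a, r) for a in acts for r in ress}


def field_tuples(entries, actions: list[str], resources: list[str]) -> set[tuple[str, str]]:
    """A field (permissions, intersect or subtract) is the union of its entries."""
    out: set[tuple[str, str]] = set()
    for entry in entries or []:
        out |= entry_tuples(entry, actions, resources)
    return out


def effective_permissions(pset: dict, actions: Iterable[str], resources: Iterable[str]) -> set[tuple[str, str]]:
    """(permissions ∩ intersect) − subtract, as the docs state the rule."""
    actions, resources = list(actions), list(resources)
    result = field_tuples(pset.get("permissions"), actions, resources)
    if pset.get("intersect") is not None:  # omitted field: no restriction (assumption)
        result &= field_tuples(pset["intersect"], actions, resources)
    result -= field_tuples(pset.get("subtract"), actions, resources)
    return result


# Constructed sample universe and permission set; the ids are illustrative.
ACTIONS = ["use/getPermissionSet", "use/updatePermissionSet", "use/deletePermissionSet"]
RESOURCES = ["permissionset:reporting", "permissionset:billing"]

SAMPLE_SET = {
    "permissionSetId": "permissionset:my-set",
    "permissions": [{"serviceActions": "all", "resources": "all"}],
    "intersect": [{"serviceActions": "all", "resources": ["permissionset:reporting"]}],
    "subtract": [{"serviceActions": ["use/deletePermissionSet"], "resources": "all"}],
}

if __name__ == "__main__":
    for action, resource in sorted(effective_permissions(SAMPLE_SET, ACTIONS, RESOURCES)):
        print(f"{action} on {resource}")
```

With the sample, the broad permissions entry is narrowed by intersect to the reporting set and then loses the delete action through subtract, leaving only get and update on permissionset:reporting. The intersect handling is worth checking against the real service before relying on it: under this model an empty intersect array yields an empty permission set, which is a very different outcome from leaving the field out.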
Path parameters
- projectId (required): string (ProjectId), ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123. Globally unique identifier of a project. Callers may URL encode this value.

Request body
- tags (required): object (Tags), <= 10 properties. Additional user-controlled data about this resource.
- description: string, ^.{0,500}$
- permissions (required): Array (UserRectSet), unique, of InlinePermission objects or reference entries (string or object forms). A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference.
- intersect: Array, unique, of InlinePermission objects or reference entries (string or object forms). Entries must appear in both the
- subtract: Array of objects (InlinePermission), unique. Entries in the
- permissionSetId (required): string (PermissionSetId), ^permissionset:[a-zA-Z](?![^:]*-$)(?![^:]*--)... Uniquely identifies a PermissionSet within a project.
- allowBadRefs: string, Value: "additional". Indicates that the permission set should be created even if it includes invalid references to permission objects.

Response body (PermissionSet)
- description: string, ^.{0,500}$
- tags (required): object (Tags), <= 10 properties. Additional user-controlled data about this resource.
- updatedAt: string (UpdatedAt), ^.*$. A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z"
- permissions (required): Array (UserRectSet), unique, of InlinePermission objects or reference entries (string or object forms). A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference.
- createdBy: string (CreatedBy), ^.*$. A string indicating the principal who invoked an operation to create the resource.
- createdAt: string (CreatedAt), ^.*$. A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z"
- rev (required): string (ResourceRev), ^.*$. An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes.
- approvedAt: string (UpdatedAt), ^.*$. A string timestamp formatted like: "2025-02-12T17:24:19.033772087Z" (the spec reuses the UpdatedAt schema, whose description reads "when the resource was last updated", for this field).
- ern (required): string (Ern), ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as "ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>".
- updatedBy: string (UpdatedBy), ^.*$. A string indicating the principal who last invoked an operation to update the resource.
- managed: any, Value: true
- intersect: Array, unique, of InlinePermission objects or reference entries (string or object forms). Entries must appear in both the
- subtract: Array of objects (InlinePermission), unique. Entries in the
- permissionSetId (required): PermissionSetId (string) or ManagedPermissionSetId (string). One of: string (PermissionSetId), ^permissionset:[a-zA-Z](?![^:]*-$)(?![^:]*--)... Uniquely identifies a PermissionSet within a project.
- approvedBy: string (ApprovedBy), ^.*$. A string indicating the principal who invoked an operation to approve the resource.
Request sample:
{
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "description": "A description string.",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "permissionSetId": "permissionset:my-set",
  "allowBadRefs": "additional"
}

Response sample:
{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "managed": true,
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "permissionSetId": "permissionset:my-set",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}

Allows a user to retrieve the definition of a permission set identified by permissionSetId.
The permission set is retrieved from the project identified by projectId.
Access to this operation is controlled by the permission set being accessed.
The auth token's access policy must allow action:use/getPermissionSet.
Path parameters
- (required) ProjectId (string) or * (string): Globally unique identifier of a project. Callers may URL encode this value. Use
- (required) PermissionSetId (string) or ManagedPermissionSetId (string), or Ern (string): Callers may URL encode this value. When passing an ERN, callers must URL encode this value.

Response body (PermissionSet)
- description: string, ^.{0,500}$
- tags (required): object (Tags), <= 10 properties. Additional user-controlled data about this resource.
- updatedAt: string (UpdatedAt), ^.*$. A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z"
- permissions (required): Array (UserRectSet), unique, of InlinePermission objects or reference entries (string or object forms). A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference.
- createdBy: string (CreatedBy), ^.*$. A string indicating the principal who invoked an operation to create the resource.
- createdAt: string (CreatedAt), ^.*$. A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z"
- rev (required): string (ResourceRev), ^.*$. An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes.
- approvedAt: string (UpdatedAt), ^.*$. A string timestamp formatted like: "2025-02-12T17:24:19.033772087Z" (the spec reuses the UpdatedAt schema, whose description reads "when the resource was last updated", for this field).
- ern (required): string (Ern), ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as "ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>".
- updatedBy: string (UpdatedBy), ^.*$. A string indicating the principal who last invoked an operation to update the resource.
- managed: any, Value: true
- intersect: Array, unique, of InlinePermission objects or reference entries (string or object forms). Entries must appear in both the
- subtract: Array of objects (InlinePermission), unique. Entries in the
- permissionSetId (required): PermissionSetId (string) or ManagedPermissionSetId (string). One of: string (PermissionSetId), ^permissionset:[a-zA-Z](?![^:]*-$)(?![^:]*--)... Uniquely identifies a PermissionSet within a project.
- approvedBy: string (ApprovedBy), ^.*$. A string indicating the principal who invoked an operation to approve the resource.
Response sample:
{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "managed": true,
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "permissionSetId": "permissionset:my-set",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}

Allows a user to delete a permission set identified by either the permissionSetId or the permissionSetErn
parameter. The permission set must not be referenced by any other permission sets or access policies in order
for it to be deleted. Access to this operation is controlled by the permission set being accessed.
The auth token's access policy must allow action:use/deletePermissionSet.
Path parameters
- (required) ProjectId (string) or * (string): Globally unique identifier of a project. Callers may URL encode this value. Use
- (required) PermissionSetId (string) or Ern (string): Uniquely identifies a PermissionSet within a project. Callers may URL encode this value. When passing an ERN, callers must URL encode this value.

Request body
- lastRev (required): string (LastResourceRev), ^.*$. An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected.
Request sample:
{
  "lastRev": "abc123"
}

Response sample:
{
  "error": {
    "errorCode": "not-found"
  }
}

Allows a user to update the definition of a permission set identified by the permissionSetId. The permission set is updated in the project identified by projectId. It is possible that some of the objects referenced by the updated permission set no longer exist or are no longer accessible. Such cases will produce an error unless the allowBadRefs parameter is set to "existing". Setting this parameter allows users to update permission sets even if something unrelated to their update has changed since the permission set was created. Using this flag allows urgent permission set changes to be made without requiring the caller to address issues outside of their immediate concern. Access to this operation is controlled by the permission set being accessed.
The auth token's access policy must allow action:use/updatePermissionSet.
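The two safeguards this operation documents, the lastRev revision check and the allowBadRefs modes, modelled as a pre-flight check in an added example that is not Equinix code. The assumptions are the example's own: string entries in the permissions, intersect and subtract arrays are references to other permission sets or access policies (dict entries are inline permissions), known_ids is the set of references that currently resolve, and the stored object carries the rev string the docs describe. The scenario data (permissionset:base, permissionset:extra, the rev values) is constructed.

```python
# Added example (not Equinix code): a pre-flight check modelled on the
# documented updatePermissionSet rules. It combines the lastRev revision
# check with the three allowBadRefs behaviours: unset (any bad reference is
# an error), "existing" (pre-existing bad references may remain, new ones
# are rejected) and "additional" (all bad references are accepted).
# Assumptions: string array entries are references, dict entries are inline
# permissions; known_ids holds the references that currently resolve.
from __future__ import annotations


class UpdateRejected(Exception):
    """Raised when the update must not be applied."""


def references(entries) -> set[str]:
    """String entries in a permissions/intersect/subtract array are references."""
    return {e for e in entries or [] if isinstance(e, str)}


def all_references(pset: dict) -> set[str]:
    return (references(pset.get("permissions"))
            | references(pset.get("intersect"))
            | references(pset.get("subtract")))


def check_update(stored: dict, proposed: dict, known_ids: set[str],
                 last_rev: str, allow_bad_refs: str | None = None) -> list[str]:
    """Return the dangling references the caller is accepting, or raise."""
    # 1. Optimistic concurrency: lastRev must equal the revision that was read,
    #    otherwise a concurrent update happened in between.
    if last_rev != stored["rev"]:
        raise UpdateRejected("revision mismatch: re-read the permission set and retry")
    # 2. Reference validation, per allowBadRefs.
    bad_before = all_references(stored) - known_ids
    bad_after = all_references(proposed) - known_ids
    if allow_bad_refs is None:
        if bad_after:
            raise UpdateRejected(f"invalid references: {sorted(bad_after)}")
    elif allow_bad_refs == "existing":
        introduced = bad_after - bad_before
        if introduced:
            raise UpdateRejected(f"new invalid references: {sorted(introduced)}")
    elif allow_bad_refs != "additional":
        raise UpdateRejected(f"unsupported allowBadRefs value: {allow_bad_refs!r}")
    return sorted(bad_after)


def try_update(*args, **kwargs) -> tuple[str, object]:
    """Exception-free wrapper returning ("accepted", dangling) or ("rejected", why)."""
    try:
        return ("accepted", check_update(*args, **kwargs))
    except UpdateRejected as exc:
        return ("rejected", str(exc))


# Constructed scenario: the set was created referencing permissionset:base,
# which has since been deleted, and the caller now also wants to reference
# permissionset:extra, which does not resolve either.
STORED = {"rev": "abc123",
          "permissions": ["permissionset:base", {"serviceActions": "all", "resources": "all"}]}
PROPOSED = {"permissions": ["permissionset:base", "permissionset:extra",
                            {"serviceActions": "all", "resources": "all"}]}
KNOWN_IDS: set[str] = set()  # neither reference resolves any more

if __name__ == "__main__":
    for mode in (None, "existing", "additional"):
        print(mode, try_update(STORED, PROPOSED, KNOWN_IDS, "abc123", mode))
    print("stale rev", try_update(STORED, PROPOSED, KNOWN_IDS, "old", "additional"))
```

The revision check runs before reference validation so that a stale caller never gets to reason about references against a version of the object that has already moved on. The list the accepted path returns is the set of references the caller has chosen to tolerate; under "additional" that list can grow with every edit, so it is worth logging and periodically reviewing rather than treating the flag as a routine option.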
Path parameters
- (required) ProjectId (string) or * (string): Globally unique identifier of a project. Callers may URL encode this value. Use
- (required) PermissionSetId (string) or Ern (string): Uniquely identifies a PermissionSet within a project. Callers may URL encode this value. When passing an ERN, callers must URL encode this value.

Request body
- tags (required): object (Tags), <= 10 properties. Additional user-controlled data about this resource.
- description: string, ^.{0,500}$
- permissions (required): Array (UserRectSet), unique, of InlinePermission objects or reference entries (string or object forms). A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference.
- intersect: Array, unique, of InlinePermission objects or reference entries (string or object forms). Entries must appear in both the
- subtract: Array of objects (InlinePermission), unique. Entries in the
- allowBadRefs: string, Enum: "existing" "additional". Indicates that the permission set should be updated even if it includes invalid references to permission objects. Setting to "existing" will allow existing invalid references to remain, but will complain if new invalid references are introduced. Setting to "additional" will allow both existing and new invalid references to be accepted without complaint.
- lastRev (required): string (LastResourceRev), ^.*$. An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected.

Response body (PermissionSet)
- description: string, ^.{0,500}$
- tags (required): object (Tags), <= 10 properties. Additional user-controlled data about this resource.
- updatedAt: string (UpdatedAt), ^.*$. A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z"
- permissions (required): Array (UserRectSet), unique, of InlinePermission objects or reference entries (string or object forms). A set of permissions, each of which may be an inline permission, a permission set reference, or a foreign access policy reference.
- createdBy: string (CreatedBy), ^.*$. A string indicating the principal who invoked an operation to create the resource.
- createdAt: string (CreatedAt), ^.*$. A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z"
- rev (required): string (ResourceRev), ^.*$. An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes.
- approvedAt: string (UpdatedAt), ^.*$. A string timestamp formatted like: "2025-02-12T17:24:19.033772087Z" (the spec reuses the UpdatedAt schema, whose description reads "when the resource was last updated", for this field).
- ern (required): string (Ern), ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as "ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>".
- updatedBy: string (UpdatedBy), ^.*$. A string indicating the principal who last invoked an operation to update the resource.
- managed: any, Value: true
- intersect: Array, unique, of InlinePermission objects or reference entries (string or object forms). Entries must appear in both the
- subtract: Array of objects (InlinePermission), unique. Entries in the
- permissionSetId (required): PermissionSetId (string) or ManagedPermissionSetId (string). One of: string (PermissionSetId), ^permissionset:[a-zA-Z](?![^:]*-$)(?![^:]*--)... Uniquely identifies a PermissionSet within a project.
- approvedBy: string (ApprovedBy), ^.*$. A string indicating the principal who invoked an operation to approve the resource.
Request sample:
{
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "description": "A description string.",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "allowBadRefs": "additional",
  "lastRev": "abc123"
}

Response sample:
{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "permissions": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "managed": true,
  "intersect": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "subtract": [
    {
      "resources": "all",
      "serviceActions": "all",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "permissionSetId": "permissionset:my-set",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}

Get a page of all the Roles visible. All System and Product roles are visible, but visibility of Custom Roles depends on the claims in the token. For an Access Policy token, all Custom Roles usable by the project are visible (the project given in the request, otherwise the project that owns the Access Policy). For a Role Assignment token, all Custom Roles usable by the token's Organization are visible, and the project arguments are unsupported.
The auth token's access policy must allow action:use/listRoles.
Path parameters
- projectId (required): string (ProjectId), ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123. Globally unique identifier of a project. Callers may URL encode this value.

Query parameters
- pageToken: string (PageToken), ^.*$. Example: pageToken=eyJsYXN0S2V5IjoiYWJjMTIzIn0=. Opaque token identifying the page of results to retrieve.
- pageSize: integer (PageSize), >= 1, Default: 100. Example: pageSize=20. Maximum number of results to return per page.
- projectErn: string (Ern), ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Example: projectErn=ern:eqix:equinix/sts:global:abc-123:SomeType:res-id. Equinix Resource Name of a project. Mutually exclusive with projectId.

Response body
- list (required): Array of objects (RoleDetails)
- nextPageToken: string (NextPageToken), ^.*$. When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call.
Response sample:
{
  "list": [
    {
      "roleId": "role:550e8400-e29b-41d4-a716-446655440000",
      "name": "Network Admin",
      "description": "string",
      "assignmentScopeTypes": ["PROJECT"],
      "permissions": [
        {
          "action": "iam.role.assignment.read",
          "description": "Allows reading role assignments"
        }
      ]
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

Get a page of all the Roles visible. All System and Product roles are visible, but visibility of Custom Roles depends on the claims in the token. For an Access Policy token, all Custom Roles usable by the project are visible (the project given in the request, otherwise the project that owns the Access Policy). For a Role Assignment token, all Custom Roles usable by the token's Organization are visible, and the project arguments are unsupported.
The auth token's access policy must allow action:use/listRoles.
Query parameters
- pageToken: string (PageToken), ^.*$. Example: pageToken=eyJsYXN0S2V5IjoiYWJjMTIzIn0=. Opaque token identifying the page of results to retrieve.
- pageSize: integer (PageSize), >= 1, Default: 100. Example: pageSize=20. Maximum number of results to return per page.
- projectId: string (ProjectId), ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: projectId=project:abc-123. Globally unique identifier of a project. Mutually exclusive with projectErn.
- projectErn: string (Ern), ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Example: projectErn=ern:eqix:equinix/sts:global:abc-123:SomeType:res-id. Equinix Resource Name of a project. Mutually exclusive with projectId.

Response body
- list (required): Array of objects (RoleDetails)
- nextPageToken: string (NextPageToken), ^.*$. When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call.
Response sample:
{
  "list": [
    {
      "roleId": "role:550e8400-e29b-41d4-a716-446655440000",
      "name": "Network Admin",
      "description": "string",
      "assignmentScopeTypes": ["PROJECT"],
      "permissions": [
        {
          "action": "iam.role.assignment.read",
          "description": "Allows reading role assignments"
        }
      ]
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

Get a RoleAssignment by its id. For an Access Policy token, the RoleAssignment's assignmentScope must be at or below the project (the project given in the request, otherwise the project that owns the Access Policy). For a Role Assignment token, the RoleAssignment must be visible to the user, and the project arguments are unsupported.
The auth token's access policy must allow action:use/getRoleAssignment.
Path parameters
- roleAssignmentId (required): string (RoleAssignmentId), ^roleassignment:[0-9a-f]{8}(-[0-9a-f]{4}){3}-... Example: roleassignment:550e8400-e29b-41d4-a716-446655440000. Uniquely identifies a role assignment. Callers may URL encode this value.

Response body (RoleAssignment)
- roleAssignmentId (required): string (RoleAssignmentId), ^roleassignment:[0-9a-f]{8}(-[0-9a-f]{4}){3}-... Immutable UUID of this RoleAssignment.
- projectId (required): string (ProjectId), ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Id of the project that owns this assignment.
- principal (required): Principal (string) or Group (string). The principal assigned to a Role as provided in the
  Any of: string (Principal), ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... Globally unique string identifier for a principal formatted like "principal:...".
- roleId (required): string (RoleId), ^role:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{1... Id of the Role assigned to the principal.
- roleName (required): string. Name of the Role assigned to the principal.
- assignmentScope (required): object. The scope this assignment applies to, usually a specific Project or Organization.
Response sample:
{
  "roleAssignmentId": "roleassignment:550e8400-e29b-41d4-a716-446655440000",
  "projectId": "project:abc-123",
  "principal": "principal:abc-123:idp:example-user",
  "roleId": "role:550e8400-e29b-41d4-a716-446655440000",
  "roleName": "Network Admin",
  "assignmentScope": {
    "id": "project:ABCD-EFG-12345",
    "type": "PROJECT",
    "name": "My Project",
    "parent": {
      "id": "project:ABCD-EFG-12345",
      "type": "PROJECT",
      "name": "My Project"
    }
  }
}

Delete an existing RoleAssignment, thereby removing the permissions granted to the principal by the given Role.
The auth token's access policy must allow action:use/deleteRoleAssignment.
Path parameters
- roleAssignmentId (required): string (RoleAssignmentId), ^roleassignment:[0-9a-f]{8}(-[0-9a-f]{4}){3}-... Example: roleassignment:550e8400-e29b-41d4-a716-446655440000. Uniquely identifies a role assignment. Callers may URL encode this value.
Response sample:
{
  "error": {
    "errorCode": "not-found"
  }
}

Get a page of all the RoleAssignments for the given assignment scope.
The auth token's access policy must allow action:use/listRoleAssignments.
Query parameters
- pageToken: string (PageToken), ^.*$. Example: pageToken=eyJsYXN0S2V5IjoiYWJjMTIzIn0=. Opaque token identifying the page of results to retrieve.
- pageSize: integer (PageSize), >= 1, Default: 100. Example: pageSize=20. Maximum number of results to return per page.
- assignmentScopeId (required): string. Example: assignmentScopeId=project:ABCD-EFG-12345. Id of the object this assignment scope refers to.
- assignmentScopeType (required): string. Examples: assignmentScopeType=PDS_ORG, assignmentScopeType=ORGANIZATION, assignmentScopeType=PROJECT, assignmentScopeType=BILLING_ACCOUNT, assignmentScopeType=SUBSCRIPTION_KEY, assignmentScopeType=PORT. Type of object that defines the scope of a role assignment (e.g. PROJECT, ORGANIZATION).

Response body
- list (required): Array of objects (RoleAssignment)
- nextPageToken: string (NextPageToken), ^.*$. When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call.
Response sample:
{
  "list": [
    {
      "roleAssignmentId": "roleassignment:550e8400-e29b-41d4-a716-446655440000",
      "projectId": "project:abc-123",
      "principal": "principal:abc-123:idp:example-user",
      "roleId": "role:550e8400-e29b-41d4-a716-446655440000",
      "roleName": "Network Admin",
      "assignmentScope": {
        "id": "project:ABCD-EFG-12345",
        "type": "PROJECT",
        "name": "My Project",
        "parent": {
          "id": "project:ABCD-EFG-12345",
          "type": "PROJECT",
          "name": "My Project"
        }
      }
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

Create a new RoleAssignment, thereby granting the principal the permissions defined by the given Role.
The auth token's access policy must allow action:use/createRoleAssignment.
| principal required | string (Principal) ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... The principal to be assigned to a Role. |
| roleId required | string (RoleId) ^role:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{1... Id of the Role to be assigned to the principal. |
| assignmentScope required | object The scope this assignment applies to, usually a specific Project or Organization. |

| roleAssignmentId required | string (RoleAssignmentId) ^roleassignment:[0-9a-f]{8}(-[0-9a-f]{4}){3}-... Immutable UUID of this RoleAssignment |
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Id of the project that owns this assignment |
| principal required | Principal (string) or Group (string) The principal assigned to a Role as provided in the |
| | Any of: string (Principal) ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... Globally unique string identifier for a principal formatted like "principal:...". |
| roleId required | string (RoleId) ^role:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{1... Id of the Role assigned to the principal |
| roleName required | string Name of the Role assigned to the principal |
| assignmentScope required | object The scope this assignment applies to, usually a specific Project or Organization. |
{
  "principal": "principal:abc-123:idp:example-user",
  "roleId": "role:550e8400-e29b-41d4-a716-446655440000",
  "assignmentScope": {
    "id": "project:ABCD-EFG-12345",
    "type": "PROJECT",
    "parent": {
      "id": "project:ABCD-EFG-12345",
      "type": "PROJECT"
    }
  }
}

{
  "roleAssignmentId": "roleassignment:550e8400-e29b-41d4-a716-446655440000",
  "projectId": "project:abc-123",
  "principal": "principal:abc-123:idp:example-user",
  "roleId": "role:550e8400-e29b-41d4-a716-446655440000",
  "roleName": "Network Admin",
  "assignmentScope": {
    "id": "project:ABCD-EFG-12345",
    "type": "PROJECT",
    "name": "My Project",
    "parent": {
      "id": "project:ABCD-EFG-12345",
      "type": "PROJECT",
      "name": "My Project"
    }
  }
}

Allows an admin to list principal policies in a project with pagination. Access to this operation is controlled by the project. Includes disabled policies so admins can re-enable them.
The auth token's access policy must allow action:use/listPrincipalPolicies.
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| pageToken | string (PageToken) ^.*$ Example: pageToken=eyJsYXN0S2V5IjoiYWJjMTIzIn0= Opaque token identifying the page of results to retrieve. |
| pageSize | integer (PageSize) >= 1 Default: 100 Example: pageSize=20 Maximum number of results to return per page. |
| list required | Array of objects (UserPrincipalPolicyData) |
| nextPageToken | string (NextPageToken) ^.*$ When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call. |
{
  "list": [
    {
      "description": "A description string.",
      "tags": {
        "property1": "my tag value",
        "property2": "my tag value"
      },
      "updatedAt": "2024-01-15T12:00:00Z",
      "userPrincipal": "principal:abc-123:idp:example-user",
      "permissions": [
        {
          "permissionSet": "managedset:my-set",
          "condition": "context.myAttribute < 5",
          "ibxLocationCondition": {
            "metroCodes": ["SV"],
            "ibxIds": ["SV1"],
            "cageIds": ["SV1:cage-1"]
          }
        }
      ],
      "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
      "createdAt": "2024-01-15T12:00:00Z",
      "rev": "abc123",
      "approvedAt": "2024-01-15T12:00:00Z",
      "disabledPolicy": true,
      "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
      "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

Disables a principal policy in a project by user principal. Disabling a principal policy means it will not be available for use by the principal and will appear as if it does not exist via access-use APIs. Access to this operation is controlled at the project level.
The auth token's access policy must allow action:use/disablePrincipalPolicy.
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| userPrincipal required | string (Principal) ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... Example: principal:abc-123:idp:example-user Globally unique string identifier for a principal formatted like "principal:...". Callers may URL encode this value. |
| lastRev required | string (LastResourceRev) ^.*$ An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |
| description | string ^.{0,500}$ |
| tags required | object (Tags) <= 10 properties Additional user-controlled data about this resource. |
| updatedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| userPrincipal required | string (Principal) ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... Globally unique string identifier for a principal formatted like "principal:...". |
| permissions required | Array of objects (ManagedPermissionSetRef) unique |
| createdBy | string (CreatedBy) ^.*$ A string indicating the principal who invoked an operation to create the resource. |
| createdAt | string (CreatedAt) ^.*$ A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| rev required | string (ResourceRev) ^.*$ An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| approvedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| disabledPolicy | any Value: true |
| updatedBy | string (UpdatedBy) ^.*$ A string indicating the principal who last invoked an operation to update the resource. |
| approvedBy | string (ApprovedBy) ^.*$ A string indicating the principal who invoked an operation to approve the resource. |
{
  "lastRev": "abc123"
}

{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "userPrincipal": "principal:abc-123:idp:example-user",
  "permissions": [
    {
      "permissionSet": "managedset:my-set",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}

Enables a principal policy in a project by user principal. This reverses the effect of disabling a principal policy. Access to this operation is controlled at the project level.
The auth token's access policy must allow action:use/enablePrincipalPolicy.
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| userPrincipal required | string (Principal) ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... Example: principal:abc-123:idp:example-user Globally unique string identifier for a principal formatted like "principal:...". Callers may URL encode this value. |
| lastRev required | string (LastResourceRev) ^.*$ An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |
| description | string ^.{0,500}$ |
| tags required | object (Tags) <= 10 properties Additional user-controlled data about this resource. |
| updatedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| userPrincipal required | string (Principal) ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... Globally unique string identifier for a principal formatted like "principal:...". |
| permissions required | Array of objects (ManagedPermissionSetRef) unique |
| createdBy | string (CreatedBy) ^.*$ A string indicating the principal who invoked an operation to create the resource. |
| createdAt | string (CreatedAt) ^.*$ A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| rev required | string (ResourceRev) ^.*$ An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| approvedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| disabledPolicy | any Value: true |
| updatedBy | string (UpdatedBy) ^.*$ A string indicating the principal who last invoked an operation to update the resource. |
| approvedBy | string (ApprovedBy) ^.*$ A string indicating the principal who invoked an operation to approve the resource. |
{
  "lastRev": "abc123"
}

{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "userPrincipal": "principal:abc-123:idp:example-user",
  "permissions": [
    {
      "permissionSet": "managedset:my-set",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}

Retrieves a principal policy in a project by user principal. Access to this operation is controlled at the project level. Returns nil if the policy is disabled.
The auth token's access policy must allow action:use/getPrincipalPolicy.
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| userPrincipal required | string (Principal) ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... Example: principal:abc-123:idp:example-user Globally unique string identifier for a principal formatted like "principal:...". Callers may URL encode this value. |
| description | string ^.{0,500}$ |
| tags required | object (Tags) <= 10 properties Additional user-controlled data about this resource. |
| updatedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| userPrincipal required | string (Principal) ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... Globally unique string identifier for a principal formatted like "principal:...". |
| permissions required | Array of objects (ManagedPermissionSetRef) unique |
| createdBy | string (CreatedBy) ^.*$ A string indicating the principal who invoked an operation to create the resource. |
| createdAt | string (CreatedAt) ^.*$ A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| rev required | string (ResourceRev) ^.*$ An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| approvedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| disabledPolicy | any Value: true |
| updatedBy | string (UpdatedBy) ^.*$ A string indicating the principal who last invoked an operation to update the resource. |
| approvedBy | string (ApprovedBy) ^.*$ A string indicating the principal who invoked an operation to approve the resource. |
{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "userPrincipal": "principal:abc-123:idp:example-user",
  "permissions": [
    {
      "permissionSet": "managedset:my-set",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}

Updates a principal policy in a project by user principal. Access to this operation is controlled at the project level. Fails if the policy is disabled.
The auth token's access policy must allow action:use/updatePrincipalPolicy.
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| userPrincipal required | string (Principal) ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... Example: principal:abc-123:idp:example-user Globally unique string identifier for a principal formatted like "principal:...". Callers may URL encode this value. |
| permissions required | Array of objects (ManagedPermissionSetRef) unique |
| tags required | object (Tags) <= 10 properties Additional user-controlled data about this resource. |
| description | string ^.{0,500}$ |
| allowBadRefs | string Enum: "existing" "additional" Indicates that the principal policy should be updated even if it includes invalid references to permission objects. Setting to "existing" will allow existing invalid references to remain, but will complain if new invalid references are introduced. Setting to "additional" will allow both existing and new invalid references to be accepted without complaint. |
| lastRev required | string (LastResourceRev) ^.*$ An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |

| description | string ^.{0,500}$ |
| tags required | object (Tags) <= 10 properties Additional user-controlled data about this resource. |
| updatedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| userPrincipal required | string (Principal) ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... Globally unique string identifier for a principal formatted like "principal:...". |
| permissions required | Array of objects (ManagedPermissionSetRef) unique |
| createdBy | string (CreatedBy) ^.*$ A string indicating the principal who invoked an operation to create the resource. |
| createdAt | string (CreatedAt) ^.*$ A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| rev required | string (ResourceRev) ^.*$ An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| approvedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| disabledPolicy | any Value: true |
| updatedBy | string (UpdatedBy) ^.*$ A string indicating the principal who last invoked an operation to update the resource. |
| approvedBy | string (ApprovedBy) ^.*$ A string indicating the principal who invoked an operation to approve the resource. |
{
  "permissions": [
    {
      "permissionSet": "managedset:my-set",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "description": "A description string.",
  "allowBadRefs": "additional",
  "lastRev": "abc123"
}

{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "updatedAt": "2024-01-15T12:00:00Z",
  "userPrincipal": "principal:abc-123:idp:example-user",
  "permissions": [
    {
      "permissionSet": "managedset:my-set",
      "condition": "context.myAttribute < 5",
      "ibxLocationCondition": {
        "metroCodes": ["SV"],
        "ibxIds": ["SV1"],
        "cageIds": ["SV1:cage-1"]
      }
    }
  ],
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "approvedAt": "2024-01-15T12:00:00Z",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
}

Allows a user to disable a project-scoped policy mask. A disabled mask is treated as absent during policy mask resolution. Access is controlled by the mask.
The auth token's access policy must allow action:use/disablePolicyMask.
| projectId required | ProjectId (string) or * (string) Globally unique identifier of a project. Callers may URL encode this value. Use |
| policyMaskId required | PolicyMaskId (string) or Ern (string) Uniquely identifies a policy mask globally or within a governing project. Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |
| lastRev required | string (LastResourceRev) ^.*$ An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |
| description | string ^.{0,500}$ |
| tags required | object (Tags) <= 10 properties Additional user-controlled data about this resource. |
| managedPermissionSets | string or Array of ManagedPermissionSetId (strings) One of: string Value: "none" |
| updatedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| createdBy | string (CreatedBy) ^.*$ A string indicating the principal who invoked an operation to create the resource. |
| createdAt | string (CreatedAt) ^.*$ A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| rev required | string (ResourceRev) ^.*$ An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| ern required | string (Ern) ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as "ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>". |
| disabledPolicy | any Value: true |
| updatedBy | string (UpdatedBy) ^.*$ A string indicating the principal who last invoked an operation to update the resource. |
| policyMaskId required | string (PolicyMaskId) ^policymask:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-... Uniquely identifies a policy mask globally or within a governing project. |
| managedPolicies | string or Array of ManagedPolicyId (strings) One of: string Value: "none" |
| subtract | object |
{
  "lastRev": "abc123"
}

{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "managedPermissionSets": "none",
  "updatedAt": "2024-01-15T12:00:00Z",
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "policyMaskId": "policymask:my-mask",
  "managedPolicies": "none",
  "subtract": {
    "managedPolicies": ["managedpolicy:my-policy"],
    "managedPermissionSets": ["managedset:my-set"]
  }
}

Allows a user to re-enable a disabled project-scoped policy mask. Access is controlled by the mask.
The auth token's access policy must allow action:use/enablePolicyMask.
| projectId required | ProjectId (string) or * (string) Globally unique identifier of a project. Callers may URL encode this value. Use |
| policyMaskId required | PolicyMaskId (string) or Ern (string) Uniquely identifies a policy mask globally or within a governing project. Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |
| lastRev required | string (LastResourceRev) ^.*$ An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |
| description | string ^.{0,500}$ |
| tags required | object (Tags) <= 10 properties Additional user-controlled data about this resource. |
| managedPermissionSets | string or Array of ManagedPermissionSetId (strings) One of: string Value: "none" |
| updatedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| createdBy | string (CreatedBy) ^.*$ A string indicating the principal who invoked an operation to create the resource. |
| createdAt | string (CreatedAt) ^.*$ A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| rev required | string (ResourceRev) ^.*$ An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| ern required | string (Ern) ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as "ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>". |
| disabledPolicy | any Value: true |
| updatedBy | string (UpdatedBy) ^.*$ A string indicating the principal who last invoked an operation to update the resource. |
| policyMaskId required | string (PolicyMaskId) ^policymask:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-... Uniquely identifies a policy mask globally or within a governing project. |
| managedPolicies | string or Array of ManagedPolicyId (strings) One of: string Value: "none" |
| subtract | object |
{
  "lastRev": "abc123"
}

{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "managedPermissionSets": "none",
  "updatedAt": "2024-01-15T12:00:00Z",
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "policyMaskId": "policymask:my-mask",
  "managedPolicies": "none",
  "subtract": {
    "managedPolicies": ["managedpolicy:my-policy"],
    "managedPermissionSets": ["managedset:my-set"]
  }
}

Allows a user to list project-scoped policy masks with pagination. Authorization is checked against the project.
The auth token's access policy must allow action:use/listPolicyMasks.
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| pageToken | string (PageToken) ^.*$ Example: pageToken=eyJsYXN0S2V5IjoiYWJjMTIzIn0= Opaque token identifying the page of results to retrieve. |
| pageSize | integer (PageSize) >= 1 Default: 100 Example: pageSize=20 Maximum number of results to return per page. |
| list required | Array of objects (PolicyMask) |
| nextPageToken | string (NextPageToken) ^.*$ When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call. |
{
  "list": [
    {
      "description": "A description string.",
      "tags": {
        "property1": "my tag value",
        "property2": "my tag value"
      },
      "managedPermissionSets": "none",
      "updatedAt": "2024-01-15T12:00:00Z",
      "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
      "createdAt": "2024-01-15T12:00:00Z",
      "rev": "abc123",
      "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
      "disabledPolicy": true,
      "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
      "policyMaskId": "policymask:my-mask",
      "managedPolicies": "none",
      "subtract": {
        "managedPolicies": ["managedpolicy:my-policy"],
        "managedPermissionSets": ["managedset:my-set"]
      }
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

Allows a project admin to create a project-scoped policy mask. The mask controls which managed policies and managed permission sets are available within this project. Access is controlled by the project.
The auth token's access policy must allow action:use/createPolicyMask.
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| managedPolicies | string or Array of ManagedPolicyId (strings) One of: string Value: "none" |
| managedPermissionSets | string or Array of ManagedPermissionSetId (strings) One of: string Value: "none" |
| subtract | object |
| tags required | object (Tags) <= 10 properties Additional user-controlled data about this resource. |
| description | string ^.{0,500}$ |
| policyMaskId required | string (PolicyMaskId) ^policymask:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-... Uniquely identifies a policy mask globally or within a governing project. |

| description | string ^.{0,500}$ |
| tags required | object (Tags) <= 10 properties Additional user-controlled data about this resource. |
| managedPermissionSets | string or Array of ManagedPermissionSetId (strings) One of: string Value: "none" |
| updatedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| createdBy | string (CreatedBy) ^.*$ A string indicating the principal who invoked an operation to create the resource. |
| createdAt | string (CreatedAt) ^.*$ A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| rev required | string (ResourceRev) ^.*$ An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| ern required | string (Ern) ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as "ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>". |
| disabledPolicy | any Value: true |
| updatedBy | string (UpdatedBy) ^.*$ A string indicating the principal who last invoked an operation to update the resource. |
| policyMaskId required | string (PolicyMaskId) ^policymask:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-... Uniquely identifies a policy mask globally or within a governing project. |
| managedPolicies | string or Array of ManagedPolicyId (strings) One of: string Value: "none" |
| subtract | object |
{
  "managedPolicies": "none",
  "managedPermissionSets": "none",
  "subtract": {
    "managedPolicies": ["managedpolicy:my-policy"],
    "managedPermissionSets": ["managedset:my-set"]
  },
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "description": "A description string.",
  "policyMaskId": "policymask:my-mask"
}

{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "managedPermissionSets": "none",
  "updatedAt": "2024-01-15T12:00:00Z",
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "policyMaskId": "policymask:my-mask",
  "managedPolicies": "none",
  "subtract": {
    "managedPolicies": ["managedpolicy:my-policy"],
    "managedPermissionSets": ["managedset:my-set"]
  }
}

Allows a user to retrieve a project-scoped policy mask. Access is controlled by the mask.
The auth token's access policy must allow action:use/getPolicyMask.
| projectId required | ProjectId (string) or * (string) Globally unique identifier of a project. Callers may URL encode this value. Use |
| policyMaskId required | PolicyMaskId (string) or Ern (string) Uniquely identifies a policy mask globally or within a governing project. Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |
| description | string ^.{0,500}$ |
| tags required | object (Tags) <= 10 properties Additional user-controlled data about this resource. |
| managedPermissionSets | string or Array of ManagedPermissionSetId (strings) One of: string Value: "none" |
| updatedAt | string (UpdatedAt) ^.*$ A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| createdBy | string (CreatedBy) ^.*$ A string indicating the principal who invoked an operation to create the resource. |
| createdAt | string (CreatedAt) ^.*$ A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| rev required | string (ResourceRev) ^.*$ An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| ern required | string (Ern) ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as "ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>". |
| disabledPolicy | any Value: true |
| updatedBy | string (UpdatedBy) ^.*$ A string indicating the principal who last invoked an operation to update the resource. |
| policyMaskId required | string (PolicyMaskId) ^policymask:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-... Uniquely identifies a policy mask globally or within a governing project. |
| managedPolicies | string or Array of ManagedPolicyId (strings) One of: string Value: "none" |
| subtract | object |
{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "managedPermissionSets": "none",
  "updatedAt": "2024-01-15T12:00:00Z",
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "policyMaskId": "policymask:my-mask",
  "managedPolicies": "none",
  "subtract": {
    "managedPolicies": ["managedpolicy:my-policy"],
    "managedPermissionSets": ["managedset:my-set"]
  }
}

Allows a user to delete a project-scoped policy mask. The mask must be disabled first. Access is controlled by the mask.
The auth token's access policy must allow action:use/deletePolicyMask.
required | ProjectId (string) or * (string) Globally unique identifier of a project.
Callers may URL encode this value. Use |
required | PolicyMaskId (string) or Ern (string) Uniquely identifies a policy mask globally or within a governing project. Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |
| lastRev required | string (LastResourceRev) ^.*$ An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |
Request body example:

{
  "lastRev": "abc123"
}

Error response example:

{
  "error": {
    "errorCode": "not-found"
  }
}

Allows a user to update a project-scoped policy mask. Access is controlled by the mask.
The auth token's access policy must allow action:use/updatePolicyMask.
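The delete operation above and this update operation both take a lastRev, and every policy mask response carries a rev that changes on each write; together they give optimistic concurrency control, so a write whose lastRev no longer matches the stored rev is rejected as a collision rather than silently overwriting another caller's change. The Python model below is an added illustration of those documented rules, not the service's own code: the in-memory store, the revision format (a counter), the exception names and the error-to-exception mapping are all constructed for the example.

```python
"""Revision checks for policy-mask writes (added illustration, not the
service's code).  The store enforces the two rules the descriptions state:
a write must carry the lastRev the caller last read, otherwise the collision
is detected; and a mask may only be deleted once disabledPolicy is true.
Revisions are opaque strings, so the store mints a new one on every
successful write (a counter here; the real format is not documented)."""
from dataclasses import dataclass
from itertools import count


class NotFoundError(Exception):
    """Stands in for the page's error example {"error": {"errorCode": "not-found"}}."""


class ConflictError(Exception):
    """lastRev did not match the stored rev: a concurrent update happened."""


class PreconditionError(Exception):
    """Delete attempted on a mask whose disabledPolicy is not set."""


@dataclass
class PolicyMask:
    policy_mask_id: str
    rev: str
    description: str = ""
    disabled_policy: bool = False


class PolicyMaskStore:
    def __init__(self) -> None:
        self._masks: dict[str, PolicyMask] = {}
        self._revs = count(1)

    def _next_rev(self) -> str:
        return f"rev-{next(self._revs)}"  # constructed revision format

    def create(self, policy_mask_id: str, description: str = "") -> PolicyMask:
        mask = PolicyMask(policy_mask_id, self._next_rev(), description)
        self._masks[policy_mask_id] = mask
        return mask

    def get(self, policy_mask_id: str) -> PolicyMask:
        try:
            return self._masks[policy_mask_id]
        except KeyError:
            raise NotFoundError(policy_mask_id) from None

    @staticmethod
    def _check_rev(mask: PolicyMask, last_rev: str) -> None:
        # Compare-and-swap: the caller's last-read revision must be the current one.
        if last_rev != mask.rev:
            raise ConflictError(f"expected rev {last_rev!r}, stored rev is {mask.rev!r}")

    def update(self, policy_mask_id: str, last_rev: str, **changes) -> PolicyMask:
        mask = self.get(policy_mask_id)
        self._check_rev(mask, last_rev)
        for name, value in changes.items():
            setattr(mask, name, value)
        mask.rev = self._next_rev()  # every successful update changes rev
        return mask

    def delete(self, policy_mask_id: str, last_rev: str) -> None:
        mask = self.get(policy_mask_id)
        self._check_rev(mask, last_rev)
        if not mask.disabled_policy:
            raise PreconditionError("policy mask must be disabled before it is deleted")
        del self._masks[policy_mask_id]


def lost_update_demo() -> dict:
    """Two clients read the same revision; only the first writer succeeds."""
    store = PolicyMaskStore()
    mask_id = "policymask:my-mask"  # constructed id in the page's PolicyMaskId format
    stale_rev = store.create(mask_id, "initial").rev  # both clients read this rev
    store.update(mask_id, stale_rev, description="from A")  # A writes first
    try:
        store.update(mask_id, stale_rev, description="from B")  # B still holds old rev
        second_write = "accepted"
    except ConflictError:
        second_write = "conflict"
    current = store.get(mask_id)
    final_description = current.description
    try:
        store.delete(mask_id, current.rev)  # correct rev, but the mask is still enabled
        delete_enabled = "deleted"
    except PreconditionError:
        delete_enabled = "precondition-failed"
    current = store.update(mask_id, current.rev, disabled_policy=True)
    store.delete(mask_id, current.rev)  # disabled and rev matches: succeeds
    try:
        store.get(mask_id)
        after_delete = "present"
    except NotFoundError:
        after_delete = "not-found"
    return {
        "second_write": second_write,
        "final_description": final_description,
        "delete_enabled": delete_enabled,
        "after_delete": after_delete,
    }
```

A client that receives the conflict has to re-read the mask, re-apply its change on top of the new state and retry with the fresh rev; retrying blindly with the old lastRev can never succeed, which is the property that protects against lost updates.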
required | ProjectId (string) or * (string) Globally unique identifier of a project.
Callers may URL encode this value. Use |
required | PolicyMaskId (string) or Ern (string) Uniquely identifies a policy mask globally or within a governing project. Callers may URL encode this value. When passing an ERN, callers must URL encode this value. |
Request body:

| Field | Type | Description |
|---|---|---|
| managedPolicies | string or Array of ManagedPolicyId (strings); the only string value is "none" | |
| managedPermissionSets | string or Array of ManagedPermissionSetId (strings); the only string value is "none" | |
| subtract | object | |
| tags (required) | object (Tags), <= 10 properties | Additional user-controlled data about this resource. |
| description | string, ^.{0,500}$ | |
| lastRev (required) | string (LastResourceRev), ^.*$ | An opaque string that represents the expected revision of a given resource. This is provided when a resource is updated so that if a concurrent update has occurred since the resource was read, then the collision will be detected. |

Response body:

| Field | Type | Description |
|---|---|---|
| description | string, ^.{0,500}$ | |
| tags (required) | object (Tags), <= 10 properties | Additional user-controlled data about this resource. |
| managedPermissionSets | string or Array of ManagedPermissionSetId (strings); the only string value is "none" | |
| updatedAt | string (UpdatedAt), ^.*$ | A string timestamp indicating when the resource was last updated. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| createdBy | string (CreatedBy), ^.*$ | A string indicating the principal who invoked an operation to create the resource. |
| createdAt | string (CreatedAt), ^.*$ | A string timestamp indicating when the resource was created. Formatted like: "2025-02-12T17:24:19.033772087Z" |
| rev (required) | string (ResourceRev), ^.*$ | An opaque string that represents the revision of a given resource. Each time the resource is updated, this value changes. |
| ern (required) | string (Ern), ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... | Equinix resource name, a universally unique identifier for a resource across all clouds, regions, and services. Formatted as "ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>". |
| disabledPolicy | any, value: true | |
| updatedBy | string (UpdatedBy), ^.*$ | A string indicating the principal who last invoked an operation to update the resource. |
| policyMaskId (required) | string (PolicyMaskId), ^policymask:[a-zA-Z](?![^:]*-$)(?![^:]*--)[a-... | Uniquely identifies a policy mask globally or within a governing project. |
| managedPolicies | string or Array of ManagedPolicyId (strings); the only string value is "none" | |
| subtract | object | |

Request body example:

{
  "managedPolicies": "none",
  "managedPermissionSets": "none",
  "subtract": {
    "managedPolicies": [
      "managedpolicy:my-policy"
    ],
    "managedPermissionSets": [
      "managedset:my-set"
    ]
  },
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "description": "A description string.",
  "lastRev": "abc123"
}

Response example:

{
  "description": "A description string.",
  "tags": {
    "property1": "my tag value",
    "property2": "my tag value"
  },
  "managedPermissionSets": "none",
  "updatedAt": "2024-01-15T12:00:00Z",
  "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
  "createdAt": "2024-01-15T12:00:00Z",
  "rev": "abc123",
  "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
  "disabledPolicy": true,
  "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
  "policyMaskId": "policymask:my-mask",
  "managedPolicies": "none",
  "subtract": {
    "managedPolicies": [
      "managedpolicy:my-policy"
    ],
    "managedPermissionSets": [
      "managedset:my-set"
    ]
  }
}

Allows a user to retrieve the Cedar schema for the given service, in JSON representation. The Cedar schema describes the attributes and resource types that can be referenced in access policy conditions for each action of the service. Access is controlled based on the project identified by projectId.
The auth token's access policy must allow action:use/getServicePolicySchema.
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| serviceId required | string (ServiceId) ^service:[a-zA-Z][a-zA-Z0-9]{0,49}/[a-zA-Z][a... Example: serviceId=service:equinix/sts Fully qualified, universally unique id of a service. |
Response body:

| Field | Type | Description |
|---|---|---|
| schema (required) | object | |

Response example:

{
  "schema": {
    "property1": null,
    "property2": null
  }
}

Allows a user to page through the actions defined for a given serviceId. This allows users to discover what actions are available to be used when defining access policies. Access to this operation is controlled by the project specified by projectId. The results are filtered according to the service mask of that same project. The results will include actions from all of the aspects which are accessible based on the service mask. When the service mask does not allow any access to the service an exception is thrown.
The auth token's access policy must allow action:use/listActions.
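This operation, like listResourceTypes and listActionSets further down, is paged: the caller passes an opaque pageToken and a pageSize of at least 1, and each response carries a nextPageToken until the last page, which has none. The loop below is an added example of draining such a list from a client, not the project's own client code; FakeActionService is a constructed stand-in for the endpoint that serves ListedAction-shaped items, and the only real behaviours it mirrors are the list/nextPageToken response shape and the PageSize lower bound from the parameter table.

```python
"""Draining a pageToken / nextPageToken list (added example, not the
project's client).  iterate_pages() calls a caller-supplied fetch function
with (pageToken, pageSize), yields every item of every "list", and stops
when a response carries no nextPageToken.  It also refuses to loop forever
if a server hands back a token the client has already consumed."""
import base64
import json
from typing import Callable, Iterator, Optional

FetchPage = Callable[[Optional[str], int], dict]


def iterate_pages(fetch_page: FetchPage, page_size: int = 100) -> Iterator[dict]:
    """Yield items across all pages; pageSize must be >= 1 as the API requires."""
    if page_size < 1:
        raise ValueError("pageSize must be >= 1")
    token: Optional[str] = None
    seen: set[str] = set()
    while True:
        page = fetch_page(token, page_size)
        yield from page.get("list", [])
        token = page.get("nextPageToken")
        if not token:
            return  # last page: no token means nothing further to read
        if token in seen:
            raise RuntimeError("nextPageToken repeated; aborting to avoid an endless loop")
        seen.add(token)


class FakeActionService:
    """Constructed stand-in for the endpoint; not the real service."""

    def __init__(self, action_ids: list[str]) -> None:
        self._items = [{"serviceAspect": "aspect:use", "actionId": a} for a in action_ids]
        self.calls = 0

    def fetch(self, page_token: Optional[str], page_size: int) -> dict:
        self.calls += 1
        start = 0
        if page_token:
            # Server-side cursor, constructed here as base64 JSON; the client never
            # inspects it and treats the token as opaque, as the docs require.
            start = json.loads(base64.b64decode(page_token))["lastKey"] + 1
        chunk = self._items[start:start + page_size]
        page = {"list": chunk}
        if start + page_size < len(self._items):
            cursor = json.dumps({"lastKey": start + page_size - 1}).encode()
            page["nextPageToken"] = base64.b64encode(cursor).decode()
        return page


def collect_action_ids(action_ids: list[str], page_size: int) -> tuple[list[str], int]:
    """Drain a fake service; return (actionIds in order, number of requests made)."""
    svc = FakeActionService(action_ids)
    ids = [item["actionId"] for item in iterate_pages(svc.fetch, page_size)]
    return ids, svc.calls
```

The repeated-token guard matters in practice: a client that trusts nextPageToken unconditionally will spin forever against a buggy or misbehaving server, which is a denial-of-service risk for an automated policy audit job.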
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| serviceId required | string (ServiceId) ^service:[a-zA-Z][a-zA-Z0-9]{0,49}/[a-zA-Z][a... Example: serviceId=service:equinix/sts Fully qualified, universally unique id of a service. |
| pageToken | string (PageToken) ^.*$ Example: pageToken=eyJsYXN0S2V5IjoiYWJjMTIzIn0= Opaque token identifying the page of results to retrieve. |
| pageSize | integer (PageSize) >= 1 Default: 100 Example: pageSize=20 Maximum number of results to return per page. |
| projectErn | string (Ern) ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Example: projectErn=ern:eqix:equinix/sts:global:abc-123:SomeType:res-id Equinix Resource Name of a project. Mutually exclusive with projectId. |
Response body:

| Field | Type | Description |
|---|---|---|
| list (required) | Array of objects (ListedAction) | |
| nextPageToken | string (NextPageToken), ^.*$ | When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call. |

Response example:

{
  "list": [
    {
      "serviceAspect": "aspect:use",
      "rbacPermission": {
        "permission": "fabric.port.read",
        "permissionResourceType": "PROJECT"
      },
      "permissionCodes": {
        "property1": {
          "requiresAll": true
        },
        "property2": {
          "requiresAll": true
        }
      },
      "attributes": [ ],
      "tags": {
        "property1": "my tag value",
        "property2": "my tag value"
      },
      "actionId": "action:use/listPermissionSets"
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

Allows a user to page through the actions which can be invoked for a given serviceId and resourceType. This allows users to discover what actions apply to what resource types when defining access policies. Access to this operation is controlled by the project specified by projectId. When the service mask that applies to the project does not allow any access to the service an exception is thrown.
The auth token's access policy must allow action:use/listResourceTypeActions.
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| serviceId required | string (ServiceId) ^service:[a-zA-Z][a-zA-Z0-9]{0,49}/[a-zA-Z][a... Example: serviceId=service:equinix/sts Fully qualified, universally unique id of the service owning the resource type. |
| resourceTypeServiceId | string (ServiceId) ^service:[a-zA-Z][a-zA-Z0-9]{0,49}/[a-zA-Z][a... Example: resourceTypeServiceId=service:equinix/sts Service id of the resource type, if different from serviceId. |
| resourceType required | string (ResourceTypeId) ^resourcetype:[a-zA-Z][a-zA-Z0-9]{0,49}$ Example: resourceType=resourcetype:AccessPolicy Identifies the resource type within the service. |
| lastAction | string (ActionId) ^action:(use|srv|ops)/([a-zA-Z][a-zA-Z0-9-]{0... Example: lastAction=action:use/listPermissionSets Id of the last action received; used for cursor-based pagination. |
| pageSize | integer (PageSize) >= 1 Default: 100 Example: pageSize=20 Maximum number of results to return per page. |
| projectErn | string (Ern) ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Example: projectErn=ern:eqix:equinix/sts:global:abc-123:SomeType:res-id Equinix Resource Name of a project. Mutually exclusive with projectId. |
Response body:

| Field | Type | Description |
|---|---|---|
| list (required) | Array of objects (ResourceTypeActionList) | A list of resource type actions. |
| nextPageToken | string (NextPageToken), ^.*$ | When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call. |

Response example:

{
  "list": [
    {
      "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
      "createdAt": "2024-01-15T12:00:00Z",
      "resourceType": "resourcetype:AccessPolicy",
      "resourceTypeErn": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
      "action": "action:use/listPermissionSets",
      "rev": "abc123"
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

Allows a user to page through the resource types defined for a given serviceId. This allows users to discover what resource types are available to be used when defining access policies. Access to this operation is controlled by the project specified by projectId. When the service mask that applies to the project does not allow any access to the service an exception is thrown.
The auth token's access policy must allow action:use/listResourceTypes.
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| serviceId required | string (ServiceId) ^service:[a-zA-Z][a-zA-Z0-9]{0,49}/[a-zA-Z][a... Example: serviceId=service:equinix/sts Fully qualified, universally unique id of a service. |
| pageToken | string (PageToken) ^.*$ Example: pageToken=eyJsYXN0S2V5IjoiYWJjMTIzIn0= Opaque token identifying the page of results to retrieve. |
| pageSize | integer (PageSize) >= 1 Default: 100 Example: pageSize=20 Maximum number of results to return per page. |
| projectErn | string (Ern) ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Example: projectErn=ern:eqix:equinix/sts:global:abc-123:SomeType:res-id Equinix Resource Name of a project. Mutually exclusive with projectId. |
Response body:

| Field | Type | Description |
|---|---|---|
| list (required) | Array of objects (ResourceType) | |
| nextPageToken | string (NextPageToken), ^.*$ | When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call. |

Response example:

{
  "list": [
    {
      "tags": {
        "property1": "my tag value",
        "property2": "my tag value"
      },
      "updatedAt": "2024-01-15T12:00:00Z",
      "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
      "createdAt": "2024-01-15T12:00:00Z",
      "resourceType": "resourcetype:AccessPolicy",
      "rev": "abc123",
      "approvedAt": "2024-01-15T12:00:00Z",
      "ern": "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id",
      "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
      "attributes": [ ],
      "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}

Returns a unified representation of the caller's permissions for a given service, based on the supplied access token. A user in possession of a valid access token is always authorized to perform this operation. There is no corresponding action id, because permission to perform the operation does not depend on the role assignments or access policy of the caller.
Permissions are always returned in the context of a specific project. When a project id is not supplied, permissions are returned for the project containing the access policy in the access token's scope. When the access token is not associated with an access policy, a project id must be specified.
The auth token's access policy must allow action:use/getEffectivePermissions.
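A caller typically uses this response to answer one question before attempting an operation: is a given action on a given resource within my effective permissions for this project? The Python below is an added example of reading the response, not the service's own code. parse_ern() splits an ERN into the seven components the ERN field description documents ("ern:<cloudId>:<serviceId>:<regionId>:<projectId>:<resourceType>:<resourceId>"), and check_permission() scans the "permissions" entries. Its assumptions, none of which the page states outright: an entry covers a request when the action appears in its "actions" and the resource ERN in its "resources"; an entry carrying a "condition" is reported as conditional rather than evaluated, since the Cedar condition is decided by the service; and a resource whose ERN projectId differs from the response's projectId (compared with the "project:" prefix stripped, as the page's example values suggest) is reported as belonging to another project. The sample response is the page's example with one constructed, unconditional entry added.

```python
"""Reading a GetEffectivePermissions response (added example, not the
service's code).  parse_ern() follows the documented ERN layout; the
permission-matching rules in check_permission() are assumptions stated
in the lead-in, not behaviour the page specifies."""
from typing import NamedTuple


class Ern(NamedTuple):
    cloud_id: str
    service_id: str
    region_id: str
    project_id: str
    resource_type: str
    resource_id: str


def parse_ern(ern: str) -> Ern:
    """Split on the six separating colons; any later colons stay in resourceId."""
    parts = ern.split(":", 6)
    if len(parts) != 7 or parts[0] != "ern" or any(p == "" for p in parts[1:]):
        raise ValueError(f"not a well-formed ERN: {ern!r}")
    return Ern(*parts[1:])


def check_permission(response: dict, action: str, resource_ern: str) -> dict:
    """Classify (action, resource) against the response's permission entries.

    Result is one of "allowed", "conditional", "not-found" or "other-project";
    "conditions" lists the Cedar condition strings that still have to hold.
    """
    target = parse_ern(resource_ern)
    # Permissions are scoped to one project; refuse to answer for a resource in
    # another one.  Assumption: "project:abc-123" corresponds to ERN projectId "abc-123".
    if target.project_id != response["projectId"].split(":", 1)[-1]:
        return {"result": "other-project", "conditions": []}
    conditions = []
    for entry in response["permissions"]:
        if action not in entry.get("actions", []):
            continue
        if resource_ern not in entry.get("resources", []):
            continue
        condition = entry.get("condition")
        if condition is None:
            return {"result": "allowed", "conditions": []}  # unconditional match wins
        conditions.append(condition)
    if conditions:
        return {"result": "conditional", "conditions": conditions}
    return {"result": "not-found", "conditions": []}


# The page's example response, plus one constructed entry without a condition.
SAMPLE_RESPONSE = {
    "principalId": "principal:abc-123:idp:example-user",
    "projectId": "project:abc-123",
    "serviceId": "service:equinix/sts",
    "accessPolicyIds": ["accesspolicy:my-policy"],
    "permissions": [
        {  # entry from the page's example
            "actions": ["action:use/listPermissionSets"],
            "resources": ["ern:eqix:equinix/sts:global:abc-123:SomeType:res-id"],
            "metroCodes": ["SV"],
            "ibxIds": ["SV1"],
            "cageIds": ["SV1:cage-1"],
            "condition": "context.myAttribute < 5",
        },
        {  # constructed entry: no condition attached
            "actions": ["action:use/listActionSets"],
            "resources": ["ern:eqix:equinix/sts:global:abc-123:SomeType:other-id"],
        },
    ],
}
```

Treat a "conditional" answer as "maybe": the only authoritative decision is the service's own, so client-side checks like this are for early feedback and audit tooling, never a substitute for the server enforcing the policy.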
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| serviceId required | string (ServiceId) ^service:[a-zA-Z][a-zA-Z0-9]{0,49}/[a-zA-Z][a... Example: serviceId=service:equinix/sts Fully qualified, universally unique id of a service. |
| projectErn | string (Ern) ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Example: projectErn=ern:eqix:equinix/sts:global:abc-123:SomeType:res-id Equinix Resource Name of a project. Mutually exclusive with projectId. |
Response body:

| Field | Type | Description |
|---|---|---|
| principalId (required) | string (Principal), ^principal:([0-9a-zA-Z](?![^:]*-$)(?![^:]*--)... | Globally unique string identifier for a principal formatted like "principal:...". |
| projectId (required) | string (ProjectId), ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... | Globally unique identifier of a project. |
| serviceId (required) | string (ServiceId), ^service:[a-zA-Z][a-zA-Z0-9]{0,49}/[a-zA-Z][a... | Fully qualified, universally unique id of a service. Starts with the NamespaceId. Formatted like "service:<namespace>/<service>". |
| accessPolicyIds | Array of AccessPolicyId (string) or ManagedPolicyId (string), non-empty, unique. AccessPolicyId: ^accesspolicy:[a-zA-Z](?![^:]*-$)(?![^:]*--)[... | An AccessPolicyId uniquely identifies an access policy within a project. |
| permissions (required) | Array of objects, unique | |

Response example:

{
  "principalId": "principal:abc-123:idp:example-user",
  "projectId": "project:abc-123",
  "serviceId": "service:equinix/sts",
  "accessPolicyIds": [
    "accesspolicy:my-policy"
  ],
  "permissions": [
    {
      "actions": [
        "action:use/listPermissionSets"
      ],
      "resources": [
        "ern:eqix:equinix/sts:global:abc-123:SomeType:res-id"
      ],
      "metroCodes": [
        "SV"
      ],
      "ibxIds": [
        "SV1"
      ],
      "cageIds": [
        "SV1:cage-1"
      ],
      "condition": "context.myAttribute < 5"
    }
  ]
}

Allows a user to page through the action sets defined for a given serviceId. This allows users to discover what action sets are available to be used when defining access policies. Access to this operation is controlled by the project specified by projectId. The results are filtered according to the service mask of that same project.
The auth token's access policy must allow action:use/listActionSets.
| projectId required | string (ProjectId) ^project:[0-9a-zA-Z](?![^:]*-$)(?![^:]*--)[0-... Example: project:abc-123 Globally unique identifier of a project. Callers may URL encode this value. |
| serviceId required | string (ServiceId) ^service:[a-zA-Z][a-zA-Z0-9]{0,49}/[a-zA-Z][a... Example: serviceId=service:equinix/sts Fully qualified, universally unique id of a service. |
| pageToken | string (PageToken) ^.*$ Example: pageToken=eyJsYXN0S2V5IjoiYWJjMTIzIn0= Opaque token identifying the page of results to retrieve. |
| pageSize | integer (PageSize) >= 1 Default: 100 Example: pageSize=20 Maximum number of results to return per page. |
| projectErn | string (Ern) ^ern:(?<cloud>[^:]{1,50}):(?<service>[^:/]{1,... Example: projectErn=ern:eqix:equinix/sts:global:abc-123:SomeType:res-id Equinix Resource Name of a project. Mutually exclusive with projectId. |
Response body:

| Field | Type | Description |
|---|---|---|
| list (required) | Array of objects (ServiceActionSetNoErn) | |
| nextPageToken | string (NextPageToken), ^.*$ | When paging through results, the NextPageToken indicates what page to read next. It is obtained from the previous call. |

Response example:

{
  "list": [
    {
      "description": "A description string.",
      "tags": {
        "property1": "my tag value",
        "property2": "my tag value"
      },
      "updatedAt": "2024-01-15T12:00:00Z",
      "createdBy": "principal:ABCD-EFG-12345:idp:example-user",
      "actionSetId": "actionset:myactions",
      "createdAt": "2024-01-15T12:00:00Z",
      "rev": "abc123",
      "approvedAt": "2024-01-15T12:00:00Z",
      "serviceId": "service:equinix/sts",
      "updatedBy": "principal:ABCD-EFG-12345:idp:example-user",
      "actionSet": [
        "action:use/listPermissionSets"
      ],
      "approvedBy": "principal:ABCD-EFG-12345:idp:example-user"
    }
  ],
  "nextPageToken": "eyJsYXN0S2V5IjoiYWJjMTIzIn0="
}