Manage roles

Learn how to use the Storage Access API to manage roles for InsuranceSuite and CDA applications.

Note:

To manage roles, you need to authenticate with Guidewire Hub and obtain an access token with the following scopes:

storage.roles.write, tenant.{tenantId}
storage.roles.read, tenant.{tenantId}

Users with the write scope have the read scope granted automatically.

All sample requests in this guide include the following path parameters:

Parameter name	Description
`tenantId`	Your tenant ID.
`projectId`	ID of the star system with for which you modify role.

Create role

To create a role, send the following POST request:

curl -X 'POST' \
  '{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/roles' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {access_token}'\
  -d '{body}'

Where {body} contains the provided role data. For example, to create a role, use the following:

Example request body
{
  "externalIds": [
    "{some_secret_value}"
  ],
  "trustedEntity": "012345678901",
  "policyData": {
    "allowedIPs": [
      "70.22.22.22/24",
      "66.22.22.22/32"
    ],
    "allowedVPCEs": [
      "vpce-0dbabcd",
      "vpce-0dbabcdfgh"
    ]
  }
}

Where:

externalIds

Additional values for validation when assuming the cross-account role, such as passwords. For details, see AWS Documentation. With API, you can add more than one value.
trustedEntity

The ID of the AWS account for which the role can be assumed.
policyData
Provides additional policy data and can use the following optional parameters:
- policyData.allowedIPs with a list allowed IP addresses that can access an S3 bucket.
- policyData.allowedVPCes with a list of allowed VPC (Virtual Private Cloud) endpoints that can access an S3 bucket.

Response contains a JSON object with a created role and attached policies, for example:

Example response
{
  "roleArn": "arn:aws:iam::335666778967:role/tenant-{tenantId}-{projectId}-dev-storage-role",
  "roleName": "tenant-{tenantId}-{projectId}-dev-storage-role",
  "roleUsageType": "CUSTOMER",
  "storageAccessType": "IS",
  "principal": "012345678901",
  "policyArns": [
    "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket",
    "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound",
    "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
  ],
  "policies": [
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-bucket",
      "type": "BUCKET",
      "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-inbound",
      "type": "INBOUND",
      "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-outbound",
      "type": "OUTBOUND",
      "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
    }
  ],
   "allowedIPs": [
      "70.22.22.22/24",
      "66.22.22.22/32"
    ],
   "allowedVPCEs": [
      "vpce-0dbabcd",
      "vpce-0dbabcdfgh"
    ]
}

The 335666778967 in the role arn is the ID of the AWS account that owns the resource.

Get IAM role details

To get the IAM role details, use the following GET request:

curl -X 'GET' \
  '{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/roles' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {access_token}'

Response contains a JSON object with a requested role details, for example:

Example response
{
  "roleArn": "arn:aws:iam::335666778967:role/tenant-{tenantId}-{projectId}-dev-storage-role",
  "roleName": "tenant-{tenantId}-{projectId}-dev-storage-role",
  "roleUsageType": "CUSTOMER",
  "storageAccessType": "IS",
  "principal": "012345678901",
  "policyArns": [
    "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket",
    "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound",
    "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
  ],
  "policies": [
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-bucket",
      "type": "BUCKET",
      "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-inbound",
      "type": "INBOUND",
      "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-outbound",
      "type": "OUTBOUND",
      "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
    }
  ],
   "allowedIPs": [
      "70.22.22.22/24",
      "66.22.22.22/32"
    ],
   "allowedVPCEs": [
      "vpce-0dbabcd",
      "vpce-0dbabcdfgh"
    ]
}

Get details of all IAM roles

To get details of all IAM roles, use the following GET request:

curl -X 'GET' \
  '{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/all-roles' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {access_token}'

Response contains a JSON object with role details, for example:

Example response with one role
[
    {
      "roleArn": "arn:aws:iam::335666778967:role/tenant-{tenantId}-{projectId}-dev-storage-role",
      "roleName": "tenant-{tenantId}-{projectId}-dev-storage-role",
      "roleUsageType": "CUSTOMER",
      "storageAccessType": "IS",
      "principal": "012345678901",
      "policyArns": [
        "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket",
        "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound",
        "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
      ],
      "policies": [
        {
          "name": "tenant-{tenantId}-{projectId}-dev-storage-bucket",
          "type": "BUCKET",
          "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket"
        },
        {
          "name": "tenant-{tenantId}-{projectId}-dev-storage-inbound",
          "type": "INBOUND",
          "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound"
        },
        {
          "name": "tenant-{tenantId}-{projectId}-dev-storage-outbound",
          "type": "OUTBOUND",
          "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
        }
      ],
       "allowedIPs": [
          "70.22.22.22/24",
          "66.22.22.22/32"
        ],
       "allowedVPCEs": [
          "vpce-0dbabcd",
          "vpce-0dbabcdfgh"
        ]
    }
]

Update an IAM role

Important:

Note that policies are shared between IAM user and internal IAM role access points. This means that when you configure IP ranges and VPC endpoints for an IAM user, the same settings will automatically apply to an internal IAM role. If IP ranges or VPC endpoints aren't specified or left empty, the existing access conditions will be deleted.

If multiple policies are assigned to a role, such as inbound, outbound, and bucket, the same access conditions will be applied to all these policies.

To update a role, send the following PUT request:

curl -X 'PUT' \
  '{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/roles' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {access_token}'\
  -d '{body}'

Where {body} contains the provided role data. For example, to delete a VPC endpoint from an InsuranceSuite role, use the following:

Example request body
{
  "externalIds": [
    "{some_secret_value}"
  ],
  "trustedEntity": "012345678901",
  "policyData": {
    "allowedIPs": [
      "70.22.22.22/24",
      "66.22.22.22/32"
    ],
    "allowedVPCEs": [
      "vpce-0dbabcd"
    ]
  }
}

Response contains updated role data and attached policies, for example:

Example response
{
  "roleArn": "arn:aws:iam::335666778967:role/tenant-{tenantId}-{projectId}-dev-storage-role",
  "roleName": "tenant-{tenantId}-{projectId}-dev-storage-role",
  "roleUsageType": "CUSTOMER",
  "storageAccessType": "IS",
  "principal": "012345678901",
  "policyArns": [
    "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket",
    "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound",
    "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
  ],
  "policies": [
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-bucket",
      "type": "BUCKET",
      "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-inbound",
      "type": "INBOUND",
      "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-outbound",
      "type": "OUTBOUND",
      "arn": "arn:aws:iam::335666778967:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
    }
  ],
   "allowedIPs": [
      "70.22.22.22/24",
      "66.22.22.22/32"
    ],
   "allowedVPCEs": [
      "vpce-0dbabcd"
    ]
}

Delete an IAM role

To delete an IAM role, send the following DELETE request without a request body:

curl -X 'DELETE' \
  '{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/roles' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {access_token}'

For a successful request, you'll receive the 204 status code.

Create role​

Get IAM role details​

Get details of all IAM roles​

Update an IAM role​

Delete an IAM role​

Create role

Get IAM role details

Get details of all IAM roles

Update an IAM role

Delete an IAM role