
Manage users

Learn how to use the Storage Access API to manage users for InsuranceSuite and CDA applications.

Note:

To manage users, you need to authenticate with Guidewire Hub and obtain an access token with the following scopes:

  • storage.users.write, tenant.{tenantId}
  • storage.users.read, tenant.{tenantId}

Users with the write scope have the read scope granted automatically.

All sample requests in this guide include the following path parameters:

Parameter name   Description
tenantId         Your tenant ID.
projectId        ID of the star system for which you modify the user.
userType         Type of user:
                 - CDA for Cloud Data Access users.
                 - IS for InsuranceSuite users.

Create an IAM user

To create a user, send the following POST request:

curl -X 'POST' \
  '{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/users' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer {access_token}' \
  -d '{body}'

Where {body} contains the user data as JSON. For example, to create an InsuranceSuite user, use the following:

Example request body
{
  "type": "IS",
  "userTags": {
    "description": "The purpose of a user.",
    "contact_email": "email@example.com"
  },
  "policyData": {
    "allowedIPs": [
      "70.111.111.200/24",
      "66.111.111.200/24"
    ],
    "allowedVPCEs": [
      "vpce-0db54381abcde",
      "vpce-0db54381abcdefg"
    ]
  }
}

Where:

  • userTags provides additional information about the user:

    • contact_email: the user's email address.
    • description: what the user is needed for and other important information, for example, a ticket number.
  • policyData provides additional policy data and can use the following optional parameters:

    • policyData.allowedIPs: a list of allowed IP addresses (given in CIDR notation in the example above) that can access the S3 bucket.
    • policyData.allowedVPCEs: a list of allowed VPC (Virtual Private Cloud) endpoints that can access the S3 bucket.

The response contains a JSON object with the created user and the attached policies, for example:

Example response
{
  "userName": "tenant-{tenantId}-{projectId}-is-storage-user",
  "type": "IS",
  "userTags": {
    "description": "description",
    "contact_email": "user@example.com"
  },
  "policies": [
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-outbound",
      "type": "OUTBOUND",
      "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-inbound",
      "type": "INBOUND",
      "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-bucket",
      "type": "BUCKET",
      "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket"
    }
  ],
  "allowedIPs": [
    "70.111.111.200/24",
    "66.111.111.200/24"
  ],
  "allowedVPCEs": [
    "vpce-0db54381abcde",
    "vpce-0db54381abcdefg"
  ]
}

Get IAM user details

To get the IAM user details, use the following GET request:

curl -X 'GET' \
  '{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/users/{userType}' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {access_token}'

The response contains a JSON object with the requested user's details, for example:

Example response
{
  "userName": "tenant-{tenantId}-{projectId}-is-storage-user",
  "type": "IS",
  "userTags": {
    "description": "description",
    "contact_email": "user@example.com"
  },
  "policies": [
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-outbound",
      "type": "OUTBOUND",
      "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-inbound",
      "type": "INBOUND",
      "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-bucket",
      "type": "BUCKET",
      "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket"
    }
  ],
  "allowedIPs": [
    "70.111.111.200/24",
    "66.111.111.200/24"
  ],
  "allowedVPCEs": [
    "vpce-0db54381abcde",
    "vpce-0db54381abcdefg"
  ]
}

Get all IAM users details

To get the details of all IAM users in the project, use the following GET request:

curl -X 'GET' \
  '{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/users' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {access_token}'

The response contains a JSON array with one object per user, for example:

Example response with one user
[
  {
    "userName": "tenant-{tenantId}-{projectId}-is-storage-user",
    "type": "IS",
    "userTags": {
      "description": "description",
      "contact_email": "user@example.com"
    },
    "policies": [
      {
        "name": "tenant-{tenantId}-{projectId}-dev-storage-outbound",
        "type": "OUTBOUND",
        "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
      },
      {
        "name": "tenant-{tenantId}-{projectId}-dev-storage-inbound",
        "type": "INBOUND",
        "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound"
      },
      {
        "name": "tenant-{tenantId}-{projectId}-dev-storage-bucket",
        "type": "BUCKET",
        "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket"
      }
    ],
    "allowedIPs": [
      "70.111.111.200/24",
      "66.111.111.200/24"
    ],
    "allowedVPCEs": [
      "vpce-0db54381abcde",
      "vpce-0db54381abcdefg"
    ]
  }
]

Update an IAM user

To update a user, send the following PUT request:

curl -X 'PUT' \
  '{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/users' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer {access_token}' \
  -d '{body}'

Where {body} contains the complete user data as JSON; the request replaces the user's current data, so include every value you want to keep. For example, to remove a VPC endpoint from an InsuranceSuite user, use the following:

Example request body
{
  "type": "IS",
  "userTags": {
    "description": "description",
    "contact_email": "email@example.com"
  },
  "policyData": {
    "allowedIPs": [
      "70.111.111.200/24",
      "66.111.111.200/24"
    ],
    "allowedVPCEs": [
      "vpce-0db54381abcde"
    ]
  }
}

The response contains the updated user data and the attached policies, for example:

Example response
{
  "userName": "tenant-{tenantId}-{projectId}-is-storage-user",
  "type": "IS",
  "userTags": {
    "description": "description",
    "contact_email": "user@example.com"
  },
  "policies": [
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-outbound",
      "type": "OUTBOUND",
      "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-outbound"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-inbound",
      "type": "INBOUND",
      "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-inbound"
    },
    {
      "name": "tenant-{tenantId}-{projectId}-dev-storage-bucket",
      "type": "BUCKET",
      "arn": "arn:aws:iam::942795021942:policy/tenant-{tenantId}-{projectId}-dev-storage-bucket"
    }
  ],
  "allowedIPs": [
    "70.111.111.200/24",
    "66.111.111.200/24"
  ],
  "allowedVPCEs": [
    "vpce-0db54381abcde"
  ]
}
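The create and update bodies above carry the policyData allowlists that decide who can reach the bucket, and PUT replaces the whole user rather than patching it. The helpers below, an added example and not Guidewire's code, check an allowlist before it is sent (invalid CIDRs, 0.0.0.0/0, host bits set so the stored network differs from what was typed) and turn a GET response into a full PUT body with one endpoint removed. The VPC endpoint ID pattern and the sample user are assumptions built from this page's examples.

```python
import ipaddress
import re

# Assumed shape of a VPC endpoint ID; the page's examples are "vpce-" plus lowercase alphanumerics.
VPCE_RE = re.compile(r"^vpce-[0-9a-z]+$")


def validate_policy_data(policy_data):
    """Return a list of problems with allowedIPs / allowedVPCEs; an empty list means clean."""
    problems = []
    for cidr in policy_data.get("allowedIPs", []):
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"invalid CIDR: {cidr}")
            continue
        if net.prefixlen == 0:
            problems.append(f"allowlist permits every address: {cidr}")
        if str(net) != cidr:
            # e.g. 70.111.111.200/24 actually denotes 70.111.111.0/24
            problems.append(f"host bits set, network actually matched is {net}: {cidr}")
    for vpce in policy_data.get("allowedVPCEs", []):
        if not VPCE_RE.match(vpce):
            problems.append(f"malformed VPC endpoint ID: {vpce}")
    return problems


def build_update_body(user, remove_vpce=None, remove_ip=None):
    """Turn a GET /users/{userType} response into a full PUT body.

    PUT replaces the user, so every allowlist entry not explicitly removed is carried over;
    read-only fields (userName, policies) are dropped because the request body has no place for them.
    """
    vpces = [v for v in user.get("allowedVPCEs", []) if v != remove_vpce]
    ips = [i for i in user.get("allowedIPs", []) if i != remove_ip]
    return {
        "type": user["type"],
        "userTags": dict(user["userTags"]),
        "policyData": {"allowedIPs": ips, "allowedVPCEs": vpces},
    }


# Constructed sample: the GET response shown on this page, policies omitted for brevity.
SAMPLE_USER = {
    "userName": "tenant-{tenantId}-{projectId}-is-storage-user",
    "type": "IS",
    "userTags": {"description": "description", "contact_email": "user@example.com"},
    "allowedIPs": ["70.111.111.200/24", "66.111.111.200/24"],
    "allowedVPCEs": ["vpce-0db54381abcde", "vpce-0db54381abcdefg"],
}
```

Run validate_policy_data on the policyData of a body before sending it; run build_update_body on a fresh GET response so the PUT does not silently drop entries added by someone else since your last read.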

Delete an IAM user

To delete an IAM user, send the following DELETE request without a request body:

curl -X 'DELETE' \
  '{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/users/{userType}' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {access_token}'

A successful request returns HTTP status 204 (No Content) with no response body.