IAM policies API reference
The IAM policy API is part of the Thalassa Cloud platform API. Full OpenAPI definitions are available in the API reference.
IAM policy routes require the projects feature gate. See Projects.
Required headers
| Header | IAM policy APIs | Resource APIs |
|---|---|---|
| Authorization | Yes | Yes |
| X-Organisation-Identity | Yes | Yes |
| X-Project-Identity | Yes | Optional |
Project resolution order on resource APIs: OIDC claim project → X-Project-Identity → ?project= query parameter.
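Because a project named in the OIDC claim takes precedence over the header and the query parameter, a request can act on a different project than the one the caller put in X-Project-Identity. The following client-side pre-flight check is an added example, not Thalassa Cloud code; the function name `preflight`, the claim key `project`, and treating empty values as absent are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Required headers per API class, as listed in the table above.
REQUIRED = {
    "iam_policy": ("Authorization", "X-Organisation-Identity", "X-Project-Identity"),
    "resource": ("Authorization", "X-Organisation-Identity"),
}
IAM_BASE = "/v1/projects/iam/policies"  # base path from the Endpoints section


def preflight(url, headers, oidc_claims=None):
    """Return (effective_project, source, problems) for a planned request.

    Assumptions: the OIDC claim key is "project" and empty values count as
    absent; the platform's real claim name and parsing may differ.
    """
    parts = urlsplit(url)
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    kind = "iam_policy" if parts.path.startswith(IAM_BASE) else "resource"
    problems = [f"missing header {h}" for h in REQUIRED[kind] if not hdrs.get(h.lower())]

    header_project = hdrs.get("x-project-identity") or None
    if kind == "iam_policy":
        # The page gives the resolution order for resource APIs only; on IAM
        # policy routes the header is mandatory, so just report its value.
        return header_project, "X-Project-Identity", problems

    # Documented order on resource APIs: OIDC claim, then header, then query.
    candidates = [
        ("OIDC claim", (oidc_claims or {}).get("project")),
        ("X-Project-Identity", header_project),
        ("?project=", (parse_qs(parts.query).get("project") or [None])[0]),
    ]
    present = [(src, val) for src, val in candidates if val]
    if not present:
        return None, None, problems
    source, project = present[0]
    # Flag lower-priority sources that disagree with the one that wins.
    for src, val in present[1:]:
        if val != project:
            problems.append(f"{src} names {val!r} but {source} wins with {project!r}")
    return project, source, problems
```

A non-empty `problems` list means the request is either missing a required header or names more than one project; review it before sending.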
Endpoints
Base path: /v1/projects/iam/policies
Always requires X-Project-Identity.
| Method | Path | Description |
|---|---|---|
| GET | /resources | List assignable API resource types |
| GET | / | List policies (includes rules, bindings, conditionals) |
| POST | / | Create policy |
| GET | /{identity} | Get policy |
| PUT | /{identity} | Update description, labels, annotations, conditionals |
| DELETE | /{identity} | Delete policy |
| POST | /{identity}/rules | Add permission rule |
| DELETE | /{identity}/rules/{ruleIdentity} | Remove permission rule |
| GET | /{identity}/bindings | List bindings |
| POST | /{identity}/bindings | Create binding |
| PUT | /{identity}/bindings/{bindingIdentity} | Update binding metadata |
| DELETE | /{identity}/bindings/{bindingIdentity} | Remove binding |
Common response codes
| HTTP | Meaning |
|---|---|
| 403 | projects feature gate disabled; insufficient iam_policy permission |
| 400 | Validation error; mutating system or read-only replica; escalation attempt; invalid resource type or conditional |
| 404 | Policy, binding, or project not found |
| 409 | Duplicate policy slug |
Documentation by topic
| Topic | Guide |
|---|---|
| Projects | Projects |
| Concepts | Concepts |
| Permission rules | Permission rules |
| Default policies | Default policies |
| Organisation roles | Organisation roles |