
IamResourceGroup

Source: src/Cloudflare/Iam/ResourceGroup.ts

A Cloudflare IAM resource group — a named set of account resources (zones, or the whole account) that fine-grained policies attach to.

Resource groups pair with permission groups inside a user group policy: the permission group says which actions are allowed, the resource group says which resources those actions apply to. A scope whose objects contain the wildcard `*` covers every resource in the account, so use it only when the policy really needs account-wide reach; otherwise list the zones explicitly. Both name and scope can be updated in place without replacing the group.

Account-scoped IAM (resource groups, user groups) is an Enterprise feature.

Scope a group to the whole account

```ts
// Resolve the Cloudflare environment and read the account id from it.
const { accountId } = yield* yield* Cloudflare.CloudflareEnvironment;

// Account-wide resource group: the account is the scope key and the single
// wildcard object grants every resource under it.
const group = yield* Cloudflare.IamResourceGroup("AllResources", {
  scope: {
    key: `com.cloudflare.api.account.${accountId}`,
    objects: [{ key: "*" }],
  },
});
```

Scope a group to a single zone

```ts
// `zone` (an existing Zone resource) and `readOnlyPermissionGroupId` (the id
// of a read-only permission group) are assumed to be defined earlier.
const { accountId } = yield* yield* Cloudflare.CloudflareEnvironment;

// Zone-limited resource group: the account is still the scope key, but the
// only object is the one zone, so nothing else in the account is covered.
const group = yield* Cloudflare.IamResourceGroup("ZoneOnly", {
  name: "my-zone-resources",
  scope: {
    key: `com.cloudflare.api.account.${accountId}`,
    objects: [
      { key: `com.cloudflare.api.account.zone.${zone.zoneId}` },
    ],
  },
});

// User group whose single policy pairs the read-only permission group with
// the zone-scoped resource group: read-only actions, on that zone only.
yield* Cloudflare.IamUserGroup("Readers", {
  policies: [
    {
      access: "allow",
      permissionGroups: [readOnlyPermissionGroupId],
      resourceGroups: [group.resourceGroupId],
    },
  ],
});
```
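The two examples above build the `scope` object by hand. The following is an added example written for this page, not code from Alchemy or Cloudflare: it wraps the two key formats shown above (`com.cloudflare.api.account.<id>` and `com.cloudflare.api.account.zone.<id>`) in small builders, validates the ids, and adds a review check that flags any `allow` policy whose resource groups include the account-wide wildcard. The `Policy` type mirrors the policy entries shown on this page; the assumption that account and zone ids are 32 lowercase hex characters, and all sample ids and group names, are constructed for the example.

```typescript
// Added example for this page, not Alchemy or Cloudflare code. Builds the
// `scope` object IamResourceGroup takes and lints policies for account-wide
// allows. Assumption: Cloudflare account and zone ids are 32 lowercase hex chars.

export interface ScopeObject {
  key: string;
}

export interface ResourceGroupScope {
  key: string;
  objects: ScopeObject[];
}

export interface Policy {
  access: string; // "allow" on this page; other values are left untouched
  permissionGroups: string[];
  resourceGroups: string[];
}

const CF_ID = /^[0-9a-f]{32}$/;

export function accountKey(accountId: string): string {
  if (!CF_ID.test(accountId)) throw new Error(`invalid account id: ${accountId}`);
  return `com.cloudflare.api.account.${accountId}`;
}

export function zoneKey(zoneId: string): string {
  if (!CF_ID.test(zoneId)) throw new Error(`invalid zone id: ${zoneId}`);
  return `com.cloudflare.api.account.zone.${zoneId}`;
}

// Whole-account scope: the wildcard object covers every resource in the account.
export function accountWideScope(accountId: string): ResourceGroupScope {
  return { key: accountKey(accountId), objects: [{ key: "*" }] };
}

// Zone-limited scope: one object per distinct zone, never a wildcard.
export function zoneScope(accountId: string, zoneIds: readonly string[]): ResourceGroupScope {
  if (zoneIds.length === 0) throw new Error("zoneScope: at least one zone id is required");
  const objects = Array.from(new Set(zoneIds)).map((z) => ({ key: zoneKey(z) }));
  return { key: accountKey(accountId), objects };
}

// True when the scope grants the whole account.
export function isAccountWide(scope: ResourceGroupScope): boolean {
  return scope.objects.some((o) => o.key === "*");
}

// Review helper: indexes of "allow" policies whose resource groups include an
// account-wide scope. `scopes` maps resource group id -> scope, as collected
// from the IamResourceGroup definitions in the same program.
export function accountWideAllows(
  policies: readonly Policy[],
  scopes: Readonly<Record<string, ResourceGroupScope>>,
): number[] {
  const flagged: number[] = [];
  policies.forEach((policy, i) => {
    if (policy.access !== "allow") return;
    for (const rgId of policy.resourceGroups) {
      const scope = scopes[rgId];
      if (scope === undefined) throw new Error(`unknown resource group: ${rgId}`);
      if (isAccountWide(scope)) {
        flagged.push(i);
        break;
      }
    }
  });
  return flagged;
}

// Constructed sample data (not real ids) showing the lint in use.
export const SAMPLE_ACCOUNT = "0123456789abcdef0123456789abcdef";
export const SAMPLE_ZONE = "fedcba9876543210fedcba9876543210";

export function sampleReport(): number[] {
  const scopes = {
    "rg-all": accountWideScope(SAMPLE_ACCOUNT),
    "rg-zone": zoneScope(SAMPLE_ACCOUNT, [SAMPLE_ZONE, SAMPLE_ZONE]), // duplicate is collapsed
  };
  const policies: Policy[] = [
    { access: "allow", permissionGroups: ["pg-readonly"], resourceGroups: ["rg-zone"] },
    { access: "allow", permissionGroups: ["pg-admin"], resourceGroups: ["rg-all"] },
  ];
  return accountWideAllows(policies, scopes); // [1]: only the second policy is account-wide
}
```

Run `accountWideAllows` over the policies of every `IamUserGroup` in a program before applying it; a non-empty result is the list of policies that deserve a second look, since an account-wide resource group paired with anything beyond a read-only permission group grants that access to every zone the account will ever hold.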