getPolicyDocument

Generates an IAM policy document in JSON format for use with resources that expect policy documents such as aws.iam.Policy.

Using this data source to generate policy documents is optional. It is also valid to use a literal JSON string in your configuration, or to read a raw JSON policy document from a file with your language's file-reading function.

Example Usage

Basic Example

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // NOTE: @var.S3_bucket_name is a placeholder carried over from the converted
        // example and is not declared in this snippet; read the bucket name from
        // stack configuration before building.
        var bucketArn = $"arn:aws:s3:::{@var.S3_bucket_name}";

        // Account-wide, read-only: enumerate buckets and look up their regions.
        var listBuckets = new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
        {
            Sid = "1",
            Actions = { "s3:ListAllMyBuckets", "s3:GetBucketLocation" },
            Resources = { "arn:aws:s3:::*" },
        };

        // Listing the bucket is limited to its root and the caller's own home prefix.
        // "&{aws:username}" is this data source's spelling of the IAM policy
        // variable ${aws:username}.
        var listHome = new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
        {
            Actions = { "s3:ListBucket" },
            Resources = { bucketArn },
            Conditions =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionArgs
                {
                    Test = "StringLike",
                    Variable = "s3:prefix",
                    Values = { "", "home/", "home/&{aws:username}/" },
                },
            },
        };

        // Full object access, scoped to the caller's own home prefix only.
        var homeObjects = new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
        {
            Actions = { "s3:*" },
            Resources =
            {
                $"{bucketArn}/home/&{{aws:username}}",
                $"{bucketArn}/home/&{{aws:username}}/*",
            },
        };

        var examplePolicyDocument = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements = { listBuckets, listHome, homeObjects },
        }));

        // Publish the rendered JSON as a managed IAM policy.
        var examplePolicy = new Aws.Iam.Policy("examplePolicy", new Aws.Iam.PolicyArgs
        {
            Path = "/",
            Policy = examplePolicyDocument.Apply(doc => doc.Json),
        });
    }
}
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE: _var.S3_bucket_name is a placeholder carried over from the
		// converted example and is not declared in this snippet; supply the
		// bucket name from your stack configuration before building.
		bucketArn := fmt.Sprintf("arn:aws:s3:::%v", _var.S3_bucket_name)

		// Account-wide, read-only: enumerate buckets and look up their regions.
		listBuckets := iam.GetPolicyDocumentStatement{
			Sid:       "1",
			Actions:   []string{"s3:ListAllMyBuckets", "s3:GetBucketLocation"},
			Resources: []string{"arn:aws:s3:::*"},
		}

		// Listing the bucket is limited to its root and the caller's own home
		// prefix. "&{aws:username}" is this data source's spelling of the IAM
		// policy variable ${aws:username}.
		listHome := iam.GetPolicyDocumentStatement{
			Actions:   []string{"s3:ListBucket"},
			Resources: []string{bucketArn},
			Conditions: []iam.GetPolicyDocumentStatementCondition{
				{
					Test:     "StringLike",
					Variable: "s3:prefix",
					Values:   []string{"", "home/", "home/&{aws:username}/"},
				},
			},
		}

		// Full object access, scoped to the caller's own home prefix only.
		homeObjects := iam.GetPolicyDocumentStatement{
			Actions: []string{"s3:*"},
			Resources: []string{
				bucketArn + "/home/&{aws:username}",
				bucketArn + "/home/&{aws:username}/*",
			},
		}

		examplePolicyDocument, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{listBuckets, listHome, homeObjects},
		}, nil)
		if err != nil {
			return err
		}

		// Publish the rendered JSON as a managed IAM policy.
		if _, err := iam.NewPolicy(ctx, "examplePolicy", &iam.PolicyArgs{
			Path:   pulumi.String("/"),
			Policy: pulumi.String(examplePolicyDocument.Json),
		}); err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws

# NOTE: `var` is a placeholder carried over from the converted example and is not
# defined here; read the bucket name from stack config (pulumi.Config) instead.
bucket_arn = f"arn:aws:s3:::{var['s3_bucket_name']}"

# Account-wide, read-only: enumerate buckets and look up their regions.
list_buckets = aws.iam.GetPolicyDocumentStatementArgs(
    sid="1",
    actions=["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
    resources=["arn:aws:s3:::*"],
)

# Listing the bucket is limited to its root and the caller's own home prefix.
# "&{aws:username}" is this data source's spelling of the IAM policy variable
# ${aws:username}.
list_home = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["s3:ListBucket"],
    resources=[bucket_arn],
    conditions=[
        aws.iam.GetPolicyDocumentStatementConditionArgs(
            test="StringLike",
            variable="s3:prefix",
            values=["", "home/", "home/&{aws:username}/"],
        )
    ],
)

# Full object access, scoped to the caller's own home prefix only.
home_objects = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["s3:*"],
    resources=[
        f"{bucket_arn}/home/&{{aws:username}}",
        f"{bucket_arn}/home/&{{aws:username}}/*",
    ],
)

example_policy_document = aws.iam.get_policy_document(
    statements=[list_buckets, list_home, home_objects]
)

# Publish the rendered JSON as a managed IAM policy.
example_policy = aws.iam.Policy(
    "examplePolicy",
    path="/",
    policy=example_policy_document.json,
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// NOTE: `_var` is a placeholder carried over from the converted example and is
// not declared here; read the bucket name from stack config (pulumi.Config).
const bucketArn = `arn:aws:s3:::${_var.s3_bucket_name}`;

// Account-wide, read-only: enumerate buckets and look up their regions.
const listBuckets = {
    sid: "1",
    actions: ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
    resources: ["arn:aws:s3:::*"],
};

// Listing the bucket is limited to its root and the caller's own home prefix.
// "&{aws:username}" is this data source's spelling of the IAM policy variable
// ${aws:username}.
const listHome = {
    actions: ["s3:ListBucket"],
    resources: [bucketArn],
    conditions: [{
        test: "StringLike",
        variable: "s3:prefix",
        values: ["", "home/", "home/&{aws:username}/"],
    }],
};

// Full object access, scoped to the caller's own home prefix only.
const homeObjects = {
    actions: ["s3:*"],
    resources: [
        `${bucketArn}/home/&{aws:username}`,
        `${bucketArn}/home/&{aws:username}/*`,
    ],
};

const examplePolicyDocument = aws.iam.getPolicyDocument({
    statements: [listBuckets, listHome, homeObjects],
});

// Publish the rendered JSON as a managed IAM policy.
const examplePolicy = new aws.iam.Policy("examplePolicy", {
    path: "/",
    policy: examplePolicyDocument.then(doc => doc.json),
});

Example Assume-Role Policy with Multiple Principals

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // Trust policy: every principal below may call sts:AssumeRole on the role.
        // NOTE: @var.* are placeholders carried over from the converted example and
        // are not declared in this snippet; read them from stack configuration.
        var firehoseService = new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
        {
            Type = "Service",
            Identifiers = { "firehose.amazonaws.com" },
        };

        // An IAM principal named by its full ARN.
        var trustedRole = new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
        {
            Type = "AWS",
            Identifiers = { @var.Trusted_role_arn },
        };

        // Federated identities: a SAML provider in this account and Cognito identity.
        // No Condition is attached, so the Cognito trust is not narrowed to a
        // particular identity pool here.
        var federated = new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
        {
            Type = "Federated",
            Identifiers =
            {
                $"arn:aws:iam::{@var.Account_id}:saml-provider/{@var.Provider_name}",
                "cognito-identity.amazonaws.com",
            },
        };

        var eventStreamBucketRoleAssumeRolePolicy = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "sts:AssumeRole" },
                    Principals = { firehoseService, trustedRole, federated },
                },
            },
        }));
    }
}

Coming soon!

import pulumi
import pulumi_aws as aws

# Trust policy: every principal below may call sts:AssumeRole on the role.
# NOTE: `var` is a placeholder carried over from the converted example and is not
# defined here; read these values from stack config (pulumi.Config).
firehose_service = aws.iam.GetPolicyDocumentStatementPrincipalArgs(
    type="Service",
    identifiers=["firehose.amazonaws.com"],
)

# An IAM principal named by its full ARN.
trusted_role = aws.iam.GetPolicyDocumentStatementPrincipalArgs(
    type="AWS",
    identifiers=[var["trusted_role_arn"]],
)

# Federated identities: a SAML provider in this account and Cognito identity.
# No condition is attached, so the Cognito trust is not narrowed to a
# particular identity pool here.
federated = aws.iam.GetPolicyDocumentStatementPrincipalArgs(
    type="Federated",
    identifiers=[
        f"arn:aws:iam::{var['account_id']}:saml-provider/{var['provider_name']}",
        "cognito-identity.amazonaws.com",
    ],
)

event_stream_bucket_role_assume_role_policy = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["sts:AssumeRole"],
            principals=[firehose_service, trusted_role, federated],
        )
    ]
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Trust policy: every principal below may call sts:AssumeRole on the role.
// NOTE: `_var` is a placeholder carried over from the converted example and is
// not declared here; read these values from stack config (pulumi.Config).
const firehoseService = {
    type: "Service",
    identifiers: ["firehose.amazonaws.com"],
};

// An IAM principal named by its full ARN.
const trustedRole = {
    type: "AWS",
    identifiers: [_var.trusted_role_arn],
};

// Federated identities: a SAML provider in this account and Cognito identity.
// No condition is attached, so the Cognito trust is not narrowed to a
// particular identity pool here.
const federated = {
    type: "Federated",
    identifiers: [
        `arn:aws:iam::${_var.account_id}:saml-provider/${_var.provider_name}`,
        "cognito-identity.amazonaws.com",
    ],
};

const eventStreamBucketRoleAssumeRolePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRole"],
        principals: [firehoseService, trustedRole, federated],
    }],
});

Example Using A Source Document

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // Base document: an unnamed ec2 statement plus a named placeholder that
        // the second document replaces. Wildcard resources are illustrative only.
        var source = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "ec2:*" },
                    Resources = { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "SidToOverride",
                    Actions = { "s3:*" },
                    Resources = { "*" },
                },
            },
        }));

        // Start from the rendered source and re-state "SidToOverride" with
        // bucket-scoped resources; the unnamed ec2 statement is carried through.
        var sourceJsonExample = source.Apply(src => Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            SourceJson = src.Json,
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "SidToOverride",
                    Actions = { "s3:*" },
                    Resources =
                    {
                        "arn:aws:s3:::somebucket",
                        "arn:aws:s3:::somebucket/*",
                    },
                },
            },
        })));
    }
}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Base document: an unnamed ec2 statement plus a named placeholder that
		// the second call replaces. Wildcard resources are illustrative only.
		source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions:   []string{"ec2:*"},
					Resources: []string{"*"},
				},
				{
					Sid:       "SidToOverride",
					Actions:   []string{"s3:*"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}

		// Start from the rendered source and re-state "SidToOverride" with
		// bucket-scoped resources; the unnamed ec2 statement is carried through.
		sourceJSON := source.Json
		if _, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			SourceJson: &sourceJSON,
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:     "SidToOverride",
					Actions: []string{"s3:*"},
					Resources: []string{
						"arn:aws:s3:::somebucket",
						"arn:aws:s3:::somebucket/*",
					},
				},
			},
		}, nil); err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws

# Base document: an unnamed ec2 statement plus a named placeholder that the
# second call replaces. Wildcard resources are illustrative only.
source = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["ec2:*"],
            resources=["*"],
        ),
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="SidToOverride",
            actions=["s3:*"],
            resources=["*"],
        ),
    ]
)

# Start from the rendered source and re-state "SidToOverride" with
# bucket-scoped resources; the unnamed ec2 statement is carried through.
scoped_s3 = aws.iam.GetPolicyDocumentStatementArgs(
    sid="SidToOverride",
    actions=["s3:*"],
    resources=[
        "arn:aws:s3:::somebucket",
        "arn:aws:s3:::somebucket/*",
    ],
)
source_json_example = aws.iam.get_policy_document(
    source_json=source.json,
    statements=[scoped_s3],
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Base document: an unnamed ec2 statement plus a named placeholder that the
// second call replaces. Wildcard resources are illustrative only.
const source = aws.iam.getPolicyDocument({
    statements: [
        { actions: ["ec2:*"], resources: ["*"] },
        { sid: "SidToOverride", actions: ["s3:*"], resources: ["*"] },
    ],
});

// Start from the rendered source and re-state "SidToOverride" with
// bucket-scoped resources; the unnamed ec2 statement is carried through.
const scopedS3 = {
    sid: "SidToOverride",
    actions: ["s3:*"],
    resources: [
        "arn:aws:s3:::somebucket",
        "arn:aws:s3:::somebucket/*",
    ],
};
const sourceJsonExample = source.then(doc => aws.iam.getPolicyDocument({
    sourceJson: doc.json,
    statements: [scopedS3],
}));

Example Using An Override Document

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // Override document: a single named statement (wildcard resource, for
        // illustration only).
        var @override = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "SidToOverride",
                    Actions = { "s3:*" },
                    Resources = { "*" },
                },
            },
        }));

        // Inline statements plus the rendered override. The override's
        // "SidToOverride" statement is meant to take precedence over the inline
        // one of the same Sid, so the bucket-scoped resources below are the part
        // that gets replaced; confirm against the rendered JSON.
        var overrideJsonExample = @override.Apply(ovr => Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            OverrideJson = ovr.Json,
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "ec2:*" },
                    Resources = { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "SidToOverride",
                    Actions = { "s3:*" },
                    Resources =
                    {
                        "arn:aws:s3:::somebucket",
                        "arn:aws:s3:::somebucket/*",
                    },
                },
            },
        })));
    }
}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Override document: a single named statement (wildcard resource, for
		// illustration only).
		override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       "SidToOverride",
					Actions:   []string{"s3:*"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}

		// Inline statements plus the rendered override. The override's
		// "SidToOverride" statement is meant to take precedence over the inline
		// one of the same Sid; confirm against the rendered JSON.
		overrideJSON := override.Json
		if _, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			OverrideJson: &overrideJSON,
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions:   []string{"ec2:*"},
					Resources: []string{"*"},
				},
				{
					Sid:     "SidToOverride",
					Actions: []string{"s3:*"},
					Resources: []string{
						"arn:aws:s3:::somebucket",
						"arn:aws:s3:::somebucket/*",
					},
				},
			},
		}, nil); err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws

# Override document: a single named statement (wildcard resource, for
# illustration only).
override = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="SidToOverride",
            actions=["s3:*"],
            resources=["*"],
        )
    ]
)

# Inline statements plus the rendered override. The override's "SidToOverride"
# statement is meant to take precedence over the inline one of the same sid;
# confirm against the rendered JSON.
ec2_all = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["ec2:*"],
    resources=["*"],
)
scoped_s3 = aws.iam.GetPolicyDocumentStatementArgs(
    sid="SidToOverride",
    actions=["s3:*"],
    resources=[
        "arn:aws:s3:::somebucket",
        "arn:aws:s3:::somebucket/*",
    ],
)
override_json_example = aws.iam.get_policy_document(
    override_json=override.json,
    statements=[ec2_all, scoped_s3],
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Override document: a single named statement (wildcard resource, for
// illustration only).
const override = aws.iam.getPolicyDocument({
    statements: [
        { sid: "SidToOverride", actions: ["s3:*"], resources: ["*"] },
    ],
});

// Inline statements plus the rendered override. The override's "SidToOverride"
// statement is meant to take precedence over the inline one of the same sid;
// confirm against the rendered JSON.
const ec2All = { actions: ["ec2:*"], resources: ["*"] };
const scopedS3 = {
    sid: "SidToOverride",
    actions: ["s3:*"],
    resources: [
        "arn:aws:s3:::somebucket",
        "arn:aws:s3:::somebucket/*",
    ],
};
const overrideJsonExample = override.then(doc => aws.iam.getPolicyDocument({
    overrideJson: doc.json,
    statements: [ec2All, scopedS3],
}));

Example with Both Source and Override Documents

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // Base document: one named placeholder statement (wildcard resource, for
        // illustration only).
        var source = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceholder",
                    Actions = { "ec2:DescribeAccountAttributes" },
                    Resources = { "*" },
                },
            },
        }));

        // Override document reusing the same Sid, so its statement replaces the
        // source's when the two are merged.
        var @override = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceholder",
                    Actions = { "s3:GetObject" },
                    Resources = { "*" },
                },
            },
        }));

        // Wait for both renders, then merge. Statements from the override with
        // a matching Sid win over the source's, so the result carries
        // s3:GetObject rather than ec2:DescribeAccountAttributes.
        var politik = Output.Tuple(source, @override).Apply(values =>
        {
            var src = values.Item1;
            var ovr = values.Item2;
            return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                SourceJson = src.Json,
                OverrideJson = ovr.Json,
            }));
        });
    }
}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Base document: one named placeholder statement (wildcard resource,
		// for illustration only).
		source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       "OverridePlaceholder",
					Actions:   []string{"ec2:DescribeAccountAttributes"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}

		// Override document reusing the same Sid, so its statement replaces
		// the source's when the two are merged.
		override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       "OverridePlaceholder",
					Actions:   []string{"s3:GetObject"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}

		// Merge: statements from the override with a matching Sid win over the
		// source's, so the result carries s3:GetObject rather than
		// ec2:DescribeAccountAttributes.
		sourceJSON := source.Json
		overrideJSON := override.Json
		if _, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			SourceJson:   &sourceJSON,
			OverrideJson: &overrideJSON,
		}, nil); err != nil {
			return err
		}
		return nil
	})
}
import pulumi
import pulumi_aws as aws

# Base document: one named placeholder statement (wildcard resource, for
# illustration only).
source = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="OverridePlaceholder",
            actions=["ec2:DescribeAccountAttributes"],
            resources=["*"],
        )
    ]
)

# Override document reusing the same sid, so its statement replaces the
# source's when the two are merged.
override = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="OverridePlaceholder",
            actions=["s3:GetObject"],
            resources=["*"],
        )
    ]
)

# Merge: statements from the override with a matching sid win over the
# source's, so the result carries s3:GetObject rather than
# ec2:DescribeAccountAttributes.
politik = aws.iam.get_policy_document(
    source_json=source.json,
    override_json=override.json,
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Base document: one named placeholder statement (wildcard resource, for
// illustration only).
const source = aws.iam.getPolicyDocument({
    statements: [{
        sid: "OverridePlaceholder",
        actions: ["ec2:DescribeAccountAttributes"],
        resources: ["*"],
    }],
});

// Override document reusing the same sid, so its statement replaces the
// source's when the two are merged.
const override = aws.iam.getPolicyDocument({
    statements: [{
        sid: "OverridePlaceholder",
        actions: ["s3:GetObject"],
        resources: ["*"],
    }],
});

// Wait for both renders, then merge. Statements from the override with a
// matching sid win over the source's, so the result carries s3:GetObject
// rather than ec2:DescribeAccountAttributes.
const politik = Promise.all([source, override]).then(([src, ovr]) => aws.iam.getPolicyDocument({
    sourceJson: src.json,
    overrideJson: ovr.json,
}));

Example of Merging Source Documents

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // First source: one unnamed and one uniquely named statement. Wildcard
        // resources are illustrative only.
        var sourceOne = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "ec2:*" },
                    Resources = { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "UniqueSidOne",
                    Actions = { "s3:*" },
                    Resources = { "*" },
                },
            },
        }));

        // Second source, again with one named and one unnamed statement.
        var sourceTwo = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "UniqueSidTwo",
                    Actions = { "iam:*" },
                    Resources = { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "lambda:*" },
                    Resources = { "*" },
                },
            },
        }));

        // Wait for both renders, then concatenate them. Because no Sid repeats,
        // nothing is overridden and all four statements land in the result.
        var combined = Output.Tuple(sourceOne, sourceTwo).Apply(values =>
        {
            var first = values.Item1;
            var second = values.Item2;
            return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                SourcePolicyDocuments = { first.Json, second.Json },
            }));
        });
    }
}
package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	// Placeholder: the Go variant of this example has no body yet, so the
	// program registers nothing and exits successfully.
	pulumi.Run(func(_ *pulumi.Context) error {
		return nil
	})
}
import pulumi
import pulumi_aws as aws

# First source: one unnamed and one uniquely named statement. Wildcard
# resources are illustrative only.
source_one = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["ec2:*"],
            resources=["*"],
        ),
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="UniqueSidOne",
            actions=["s3:*"],
            resources=["*"],
        ),
    ]
)

# Second source, again with one named and one unnamed statement.
source_two = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="UniqueSidTwo",
            actions=["iam:*"],
            resources=["*"],
        ),
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["lambda:*"],
            resources=["*"],
        ),
    ]
)

# Concatenate both renders. Because no sid repeats, nothing is overridden and
# all four statements land in the result.
combined = aws.iam.get_policy_document(
    source_policy_documents=[source_one.json, source_two.json]
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// First source: one unnamed and one uniquely named statement. Wildcard
// resources are illustrative only.
const sourceOne = aws.iam.getPolicyDocument({
    statements: [
        { actions: ["ec2:*"], resources: ["*"] },
        { sid: "UniqueSidOne", actions: ["s3:*"], resources: ["*"] },
    ],
});

// Second source, again with one named and one unnamed statement.
const sourceTwo = aws.iam.getPolicyDocument({
    statements: [
        { sid: "UniqueSidTwo", actions: ["iam:*"], resources: ["*"] },
        { actions: ["lambda:*"], resources: ["*"] },
    ],
});

// Wait for both renders, then concatenate them. Because no sid repeats,
// nothing is overridden and all four statements land in the result.
const combined = Promise.all([sourceOne, sourceTwo]).then(([first, second]) => aws.iam.getPolicyDocument({
    sourcePolicyDocuments: [first.json, second.json],
}));

Example of Merging Override Documents

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        // Three override documents. Two of them reuse Sids so the merge has
        // something to override; wildcard resources are illustrative only.
        var policyOne = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceHolderOne",
                    Effect = "Allow",
                    Actions = { "s3:*" },
                    Resources = { "*" },
                },
            },
        }));

        var policyTwo = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Effect = "Allow",
                    Actions = { "ec2:*" },
                    Resources = { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceHolderTwo",
                    Effect = "Allow",
                    Actions = { "iam:*" },
                    Resources = { "*" },
                },
            },
        }));

        var policyThree = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceHolderOne",
                    Effect = "Deny",
                    Actions = { "logs:*" },
                    Resources = { "*" },
                },
            },
        }));

        // Merge order matters: a named statement overrides the same Sid from
        // earlier documents in the list, so policyThree's Deny on logs:* replaces
        // policyOne's Allow on s3:*. The inline "OverridePlaceHolderTwo" Deny is
        // in turn expected to be replaced by policyTwo's statement of that Sid;
        // confirm against the rendered JSON.
        var combined = Output.Tuple(policyOne, policyTwo, policyThree).Apply(values =>
        {
            var first = values.Item1;
            var second = values.Item2;
            var third = values.Item3;
            return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                OverridePolicyDocuments = { first.Json, second.Json, third.Json },
                Statements =
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                    {
                        Sid = "OverridePlaceHolderTwo",
                        Effect = "Deny",
                        Actions = { "*" },
                        Resources = { "*" },
                    },
                },
            }));
        });
    }
}
package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	// Placeholder: the Go variant of this example has no body yet, so the
	// program registers nothing and exits successfully.
	pulumi.Run(func(_ *pulumi.Context) error {
		return nil
	})
}
import pulumi
import pulumi_aws as aws

# Three override documents. Two of them reuse sids so the merge has something
# to override; wildcard resources are illustrative only.
policy_one = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="OverridePlaceHolderOne",
            effect="Allow",
            actions=["s3:*"],
            resources=["*"],
        )
    ]
)

policy_two = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            effect="Allow",
            actions=["ec2:*"],
            resources=["*"],
        ),
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="OverridePlaceHolderTwo",
            effect="Allow",
            actions=["iam:*"],
            resources=["*"],
        ),
    ]
)

policy_three = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            sid="OverridePlaceHolderOne",
            effect="Deny",
            actions=["logs:*"],
            resources=["*"],
        )
    ]
)

# Merge order matters: a named statement overrides the same sid from earlier
# documents in the list, so policy_three's Deny on logs:* replaces policy_one's
# Allow on s3:*. The inline "OverridePlaceHolderTwo" Deny is in turn expected
# to be replaced by policy_two's statement of that sid; confirm against the
# rendered JSON.
deny_all_placeholder = aws.iam.GetPolicyDocumentStatementArgs(
    sid="OverridePlaceHolderTwo",
    effect="Deny",
    actions=["*"],
    resources=["*"],
)
combined = aws.iam.get_policy_document(
    override_policy_documents=[policy_one.json, policy_two.json, policy_three.json],
    statements=[deny_all_placeholder],
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Three override documents. Two of them reuse sids so the merge has something
// to override; wildcard resources are illustrative only.
const policyOne = aws.iam.getPolicyDocument({
    statements: [
        { sid: "OverridePlaceHolderOne", effect: "Allow", actions: ["s3:*"], resources: ["*"] },
    ],
});

const policyTwo = aws.iam.getPolicyDocument({
    statements: [
        { effect: "Allow", actions: ["ec2:*"], resources: ["*"] },
        { sid: "OverridePlaceHolderTwo", effect: "Allow", actions: ["iam:*"], resources: ["*"] },
    ],
});

const policyThree = aws.iam.getPolicyDocument({
    statements: [
        { sid: "OverridePlaceHolderOne", effect: "Deny", actions: ["logs:*"], resources: ["*"] },
    ],
});

// Merge order matters: a named statement overrides the same sid from earlier
// documents in the list, so policyThree's Deny on logs:* replaces policyOne's
// Allow on s3:*. The inline "OverridePlaceHolderTwo" Deny is in turn expected
// to be replaced by policyTwo's statement of that sid; confirm against the
// rendered JSON.
const denyAllPlaceholder = {
    sid: "OverridePlaceHolderTwo",
    effect: "Deny",
    actions: ["*"],
    resources: ["*"],
};
const combined = Promise.all([policyOne, policyTwo, policyThree]).then(([first, second, third]) => aws.iam.getPolicyDocument({
    overridePolicyDocuments: [first.json, second.json, third.json],
    statements: [denyAllPlaceholder],
}));

Using getPolicyDocument

function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
def get_policy_document(override_json: Optional[str] = None,
                        override_policy_documents: Optional[Sequence[str]] = None,
                        policy_id: Optional[str] = None,
                        source_json: Optional[str] = None,
                        source_policy_documents: Optional[Sequence[str]] = None,
                        statements: Optional[Sequence[GetPolicyDocumentStatement]] = None,
                        version: Optional[str] = None,
                        opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)

Note: This function is named GetPolicyDocument in the Go SDK.

public static class GetPolicyDocument {
    public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
}

The following arguments are supported:

OverrideJson string
IAM policy document whose statements with non-blank sids will override statements with the same sid from documents assigned to the source_json, source_policy_documents, and override_policy_documents arguments. Non-overriding statements will be added to the exported document.
OverridePolicyDocuments List<string>
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from documents provided in the source_json and source_policy_documents arguments. Non-overriding statements will be added to the exported document.
PolicyId string
ID for the policy document.
SourceJson string
IAM policy document used as a base for the exported policy document. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements.
SourcePolicyDocuments List<string>
List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents or source_json must have unique sids. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements.
Statements List<GetPolicyDocumentStatement>
Configuration block for a policy statement. Detailed below.
Version string
IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
OverrideJson string
IAM policy document whose statements with non-blank sids will override statements with the same sid from documents assigned to the source_json, source_policy_documents, and override_policy_documents arguments. Non-overriding statements will be added to the exported document.
OverridePolicyDocuments []string
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from documents provided in the source_json and source_policy_documents arguments. Non-overriding statements will be added to the exported document.
PolicyId string
ID for the policy document.
SourceJson string
IAM policy document used as a base for the exported policy document. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements.
SourcePolicyDocuments []string
List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents or source_json must have unique sids. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements.
Statements []GetPolicyDocumentStatement
Configuration block for a policy statement. Detailed below.
Version string
IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
overrideJson string
IAM policy document whose statements with non-blank sids will override statements with the same sid from documents assigned to the source_json, source_policy_documents, and override_policy_documents arguments. Non-overriding statements will be added to the exported document.
overridePolicyDocuments string[]
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from documents provided in the source_json and source_policy_documents arguments. Non-overriding statements will be added to the exported document.
policyId string
ID for the policy document.
sourceJson string
IAM policy document used as a base for the exported policy document. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements.
sourcePolicyDocuments string[]
List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents or source_json must have unique sids. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements.
statements GetPolicyDocumentStatement[]
Configuration block for a policy statement. Detailed below.
version string
IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
override_json str
IAM policy document whose statements with non-blank sids will override statements with the same sid from documents assigned to the source_json, source_policy_documents, and override_policy_documents arguments. Non-overriding statements will be added to the exported document.
override_policy_documents Sequence[str]
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from documents provided in the source_json and source_policy_documents arguments. Non-overriding statements will be added to the exported document.
policy_id str
ID for the policy document.
source_json str
IAM policy document used as a base for the exported policy document. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements.
source_policy_documents Sequence[str]
List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents or source_json must have unique sids. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements.
statements Sequence[GetPolicyDocumentStatement]
Configuration block for a policy statement. Detailed below.
version str
IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.

getPolicyDocument Result

The following output properties are available:

Id string
The provider-assigned unique ID for this managed resource.
Json string
Standard JSON policy document rendered based on the arguments above.
OverrideJson string
OverridePolicyDocuments List<string>
PolicyId string
SourceJson string
SourcePolicyDocuments List<string>
Statements List<GetPolicyDocumentStatement>
Version string
Id string
The provider-assigned unique ID for this managed resource.
Json string
Standard JSON policy document rendered based on the arguments above.
OverrideJson string
OverridePolicyDocuments []string
PolicyId string
SourceJson string
SourcePolicyDocuments []string
Statements []GetPolicyDocumentStatement
Version string
id string
The provider-assigned unique ID for this managed resource.
json string
Standard JSON policy document rendered based on the arguments above.
overrideJson string
overridePolicyDocuments string[]
policyId string
sourceJson string
sourcePolicyDocuments string[]
statements GetPolicyDocumentStatement[]
version string
id str
The provider-assigned unique ID for this managed resource.
json str
Standard JSON policy document rendered based on the arguments above.
override_json str
override_policy_documents Sequence[str]
policy_id str
source_json str
source_policy_documents Sequence[str]
statements Sequence[GetPolicyDocumentStatement]
version str

Supporting Types

GetPolicyDocumentStatement

Actions List<string>
List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
Conditions List<GetPolicyDocumentStatementCondition>
Configuration block for a condition. Detailed below.
Effect string
Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
NotActions List<string>
List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
NotPrincipals List<GetPolicyDocumentStatementNotPrincipal>
Like principals, except that these are the principals the statement does not apply to.
NotResources List<string>
List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed.
Principals List<GetPolicyDocumentStatementPrincipal>
Configuration block for principals. Detailed below.
Resources List<string>
List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy.
Sid string
Sid (statement ID) is an identifier for a policy statement.
Actions []string
List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
Conditions []GetPolicyDocumentStatementCondition
Configuration block for a condition. Detailed below.
Effect string
Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
NotActions []string
List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
NotPrincipals []GetPolicyDocumentStatementNotPrincipal
Like principals, except that these are the principals the statement does not apply to.
NotResources []string
List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed.
Principals []GetPolicyDocumentStatementPrincipal
Configuration block for principals. Detailed below.
Resources []string
List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy.
Sid string
Sid (statement ID) is an identifier for a policy statement.
actions string[]
List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
conditions GetPolicyDocumentStatementCondition[]
Configuration block for a condition. Detailed below.
effect string
Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
notActions string[]
List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
notPrincipals GetPolicyDocumentStatementNotPrincipal[]
Like principals, except that these are the principals the statement does not apply to.
notResources string[]
List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed.
principals GetPolicyDocumentStatementPrincipal[]
Configuration block for principals. Detailed below.
resources string[]
List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy.
sid string
Sid (statement ID) is an identifier for a policy statement.
actions Sequence[str]
List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
conditions Sequence[GetPolicyDocumentStatementCondition]
Configuration block for a condition. Detailed below.
effect str
Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
not_actions Sequence[str]
List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
not_principals Sequence[GetPolicyDocumentStatementNotPrincipal]
Like principals, except that these are the principals the statement does not apply to.
not_resources Sequence[str]
List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed.
principals Sequence[GetPolicyDocumentStatementPrincipal]
Configuration block for principals. Detailed below.
resources Sequence[str]
List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy.
sid str
Sid (statement ID) is an identifier for a policy statement.

GetPolicyDocumentStatementCondition

Test string
Name of the IAM condition operator to evaluate.
Values List<string>
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an “OR” boolean operation.
Variable string
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
Test string
Name of the IAM condition operator to evaluate.
Values []string
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an “OR” boolean operation.
Variable string
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
test string
Name of the IAM condition operator to evaluate.
values string[]
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an “OR” boolean operation.
variable string
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
test str
Name of the IAM condition operator to evaluate.
values Sequence[str]
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an “OR” boolean operation.
variable str
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.

GetPolicyDocumentStatementNotPrincipal

Identifiers List<string>
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g. arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g. lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g. accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
Type string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
Identifiers []string
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g. arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g. lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g. accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
Type string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers string[]
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g. arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g. lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g. accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers Sequence[str]
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g. arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g. lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g. accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type str
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.

GetPolicyDocumentStatementPrincipal

Identifiers List<string>
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g. arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g. lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g. accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
Type string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
Identifiers []string
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g. arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g. lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g. accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
Type string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers string[]
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g. arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g. lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g. accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers Sequence[str]
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g. arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g. lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g. accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type str
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.