AWS IAM v0.0.3, Jun 1 22

aws-iam.ReadOnlyPolicy

Explore with Pulumi AI

This resource helps you create an IAM read-only policy for the services you specify. The default AWS read-only policies may not include services you need or may contain services you do not need access to. This resource helps ensure your read-only policy has permissions to exactly what you specify.

Example Usage

using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;

class MyStack : Stack
{
    public MyStack()
    {
        var readOnlyPolicy = new ReadOnlyPolicy("read-only-policy", new ReadOnlyPolicyArgs
        {
            Name = "example",
            Path = "/",
            Description = "My example read only policy",
            AllowedServices = {"rds", "dynamodb"},
        });

        this.ReadOnlyPolicy = Output.Create<ReadOnlyPolicy>(readOnlyPolicy);
    }

    [Output]
    public Output<ReadOnlyPolicy> ReadOnlyPolicy { get; set; }
}

package main

import (
    iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        readOnlyPolicy, err := iam.NewReadOnlyPolicy(ctx, "read-only-policy", &iam.ReadOnlyPolicyArgs{
            Name:            pulumi.String("example"),
            Path:            pulumi.String("/"),
            Description:     pulumi.String("My example policy"),
            AllowedServices: pulumi.ToStringArray([]string{"rds", "dynamodb"}),
        })
        if err != nil {
            return err
        }

        ctx.Export("readOnlyPolicy", readOnlyPolicy)

        return nil
    })
}

Coming soon!

import pulumi
import pulumi_aws_iam as iam

read_only_policy = iam.ReadOnlyPolicy(
    'read_only_policy',
    name='example',
    path='/',
    description='My example read only policy',
    allowed_services=['rds','dynamodb'],
)

pulumi.export('read_only_policy', read_only_policy)

import * as iam from "@pulumi/aws-iam";

export const readOnlyPolicy = new iam.ReadOnlyPolicy("aws-iam-example-read-only-policy", {
    name: "aws-iam-example-read-only",
    path: "/",
    description: "My example read only policy",
    allowedServices: [ "rds", "dynamodb" ],
});

name: awsiam-yaml
runtime: yaml
resources:
    readOnlyPolicy:
        type: "aws-iam:index:ReadOnlyPolicy"
        properties:
            name: "example"
            path: "/"
            description: "My example read only policy"
            allowedServices:
                - "rds"
                - "dynamodb"
outputs:
    readOnlyPolicy: ${readOnlyPolicy}

Create ReadOnlyPolicy Resource

new ReadOnlyPolicy(name: string, args: ReadOnlyPolicyArgs, opts?: CustomResourceOptions);

@overload
def ReadOnlyPolicy(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   additional_policy_json: Optional[str] = None,
                   allow_cloudwatch_logs_query: Optional[bool] = None,
                   allow_predefined_sts_actions: Optional[bool] = None,
                   allow_web_console_services: Optional[bool] = None,
                   allowed_services: Optional[Sequence[str]] = None,
                   description: Optional[str] = None,
                   name: Optional[str] = None,
                   path: Optional[str] = None,
                   tags: Optional[Mapping[str, str]] = None,
                   web_console_services: Optional[Sequence[str]] = None)
@overload
def ReadOnlyPolicy(resource_name: str,
                   args: ReadOnlyPolicyArgs,
                   opts: Optional[ResourceOptions] = None)

func NewReadOnlyPolicy(ctx *Context, name string, args ReadOnlyPolicyArgs, opts ...ResourceOption) (*ReadOnlyPolicy, error)

public ReadOnlyPolicy(string name, ReadOnlyPolicyArgs args, CustomResourceOptions? opts = null)

public ReadOnlyPolicy(String name, ReadOnlyPolicyArgs args)
public ReadOnlyPolicy(String name, ReadOnlyPolicyArgs args, CustomResourceOptions options)

type: aws-iam:ReadOnlyPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ReadOnlyPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ReadOnlyPolicyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ReadOnlyPolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ReadOnlyPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ReadOnlyPolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

ReadOnlyPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The ReadOnlyPolicy resource accepts the following input properties:

Name string: The name of the policy.
AdditionalPolicyJson string: JSON policy document if you want to add custom actions.
AllowCloudwatchLogsQuery bool: Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
AllowPredefinedStsActions bool: Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
AllowWebConsoleServices bool: Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).
AllowedServices List<string>: List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.
Description string: The description of the policy.
Path string: The path of the policy in IAM.
Tags Dictionary<string, string>: A map of tags to add.
WebConsoleServices List<string>: List of web console services to allow.

Name string: The name of the policy.
AdditionalPolicyJson string: JSON policy document if you want to add custom actions.
AllowCloudwatchLogsQuery bool: Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
AllowPredefinedStsActions bool: Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
AllowWebConsoleServices bool: Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).
AllowedServices []string: List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.
Description string: The description of the policy.
Path string: The path of the policy in IAM.
Tags map[string]string: A map of tags to add.
WebConsoleServices []string: List of web console services to allow.

name String: The name of the policy.
additionalPolicyJson String: JSON policy document if you want to add custom actions.
allowCloudwatchLogsQuery Boolean: Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
allowPredefinedStsActions Boolean: Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
allowWebConsoleServices Boolean: Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).
allowedServices List<String>: List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.
description String: The description of the policy.
path String: The path of the policy in IAM.
tags Map<String,String>: A map of tags to add.
webConsoleServices List<String>: List of web console services to allow.

name string: The name of the policy.
additionalPolicyJson string: JSON policy document if you want to add custom actions.
allowCloudwatchLogsQuery boolean: Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
allowPredefinedStsActions boolean: Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
allowWebConsoleServices boolean: Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).
allowedServices string[]: List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.
description string: The description of the policy.
path string: The path of the policy in IAM.
tags {[key: string]: string}: A map of tags to add.
webConsoleServices string[]: List of web console services to allow.

name str: The name of the policy.
additional_policy_json str: JSON policy document if you want to add custom actions.
allow_cloudwatch_logs_query bool: Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
allow_predefined_sts_actions bool: Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
allow_web_console_services bool: Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).
allowed_services Sequence[str]: List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.
description str: The description of the policy.
path str: The path of the policy in IAM.
tags Mapping[str, str]: A map of tags to add.
web_console_services Sequence[str]: List of web console services to allow.

name String: The name of the policy.
additionalPolicyJson String: JSON policy document if you want to add custom actions.
allowCloudwatchLogsQuery Boolean: Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
allowPredefinedStsActions Boolean: Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
allowWebConsoleServices Boolean: Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).
allowedServices List<String>: List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.
description String: The description of the policy.
path String: The path of the policy in IAM.
tags Map<String>: A map of tags to add.
webConsoleServices List<String>: List of web console services to allow.

Outputs

All input properties are implicitly available as output properties. Additionally, the ReadOnlyPolicy resource produces the following output properties:

Arn string: The ARN assigned by AWS to this policy.
Id string: The policy's ID.
Policy string: The policy document.
PolicyJson string: Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

Arn string: The ARN assigned by AWS to this policy.
Id string: The policy's ID.
Policy string: The policy document.
PolicyJson string: Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

arn String: The ARN assigned by AWS to this policy.
id String: The policy's ID.
policy String: The policy document.
policyJson String: Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

arn string: The ARN assigned by AWS to this policy.
id string: The policy's ID.
policy string: The policy document.
policyJson string: Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

arn str: The ARN assigned by AWS to this policy.
id str: The policy's ID.
policy str: The policy document.
policy_json str: Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

arn String: The ARN assigned by AWS to this policy.
id String: The policy's ID.
policy String: The policy document.
policyJson String: Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

Package Details

Repository: aws-iam
License