aws-iam logo
AWS IAM v0.0.3, Jun 1 22

aws-iam.ReadOnlyPolicy

This resource helps you create an IAM read-only policy for the services you specify. The default AWS read-only policies may not include services you need or may contain services you do not need access to. This resource helps ensure your read-only policy has permissions to exactly what you specify.

Example Usage

using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;

class MyStack : Stack
{
    public MyStack()
    {
        var readOnlyPolicy = new ReadOnlyPolicy("read-only-policy", new ReadOnlyPolicyArgs
        {
            Name = "example",
            Path = "/",
            Description = "My example read only policy",
            AllowedServices = {"rds", "dynamodb"},
        });

        this.ReadOnlyPolicy = Output.Create<ReadOnlyPolicy>(readOnlyPolicy);
    }

    [Output]
    public Output<ReadOnlyPolicy> ReadOnlyPolicy { get; set; }
}
package main

import (
    iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        readOnlyPolicy, err := iam.NewReadOnlyPolicy(ctx, "read-only-policy", &iam.ReadOnlyPolicyArgs{
            Name:            pulumi.String("example"),
            Path:            pulumi.String("/"),
            Description:     pulumi.String("My example policy"),
            AllowedServices: pulumi.ToStringArray([]string{"rds", "dynamodb"}),
        })
        if err != nil {
            return err
        }

        ctx.Export("readOnlyPolicy", readOnlyPolicy)

        return nil
    })
}

Coming soon!

import pulumi
import pulumi_aws_iam as iam

read_only_policy = iam.ReadOnlyPolicy(
    'read_only_policy',
    name='example',
    path='/',
    description='My example read only policy',
    allowed_services=['rds','dynamodb'],
)

pulumi.export('read_only_policy', read_only_policy)
import * as iam from "@pulumi/aws-iam";

export const readOnlyPolicy = new iam.ReadOnlyPolicy("aws-iam-example-read-only-policy", {
    name: "aws-iam-example-read-only",
    path: "/",
    description: "My example read only policy",
    allowedServices: [ "rds", "dynamodb" ],
});
name: awsiam-yaml
runtime: yaml
resources:
    readOnlyPolicy:
        type: "aws-iam:index:ReadOnlyPolicy"
        properties:
            name: "example"
            path: "/"
            description: "My example read only policy"
            allowedServices:
                - "rds"
                - "dynamodb"
outputs:
    readOnlyPolicy: ${readOnlyPolicy}

Create ReadOnlyPolicy Resource

new ReadOnlyPolicy(name: string, args: ReadOnlyPolicyArgs, opts?: CustomResourceOptions);
@overload
def ReadOnlyPolicy(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   additional_policy_json: Optional[str] = None,
                   allow_cloudwatch_logs_query: Optional[bool] = None,
                   allow_predefined_sts_actions: Optional[bool] = None,
                   allow_web_console_services: Optional[bool] = None,
                   allowed_services: Optional[Sequence[str]] = None,
                   description: Optional[str] = None,
                   name: Optional[str] = None,
                   path: Optional[str] = None,
                   tags: Optional[Mapping[str, str]] = None,
                   web_console_services: Optional[Sequence[str]] = None)
@overload
def ReadOnlyPolicy(resource_name: str,
                   args: ReadOnlyPolicyArgs,
                   opts: Optional[ResourceOptions] = None)
func NewReadOnlyPolicy(ctx *Context, name string, args ReadOnlyPolicyArgs, opts ...ResourceOption) (*ReadOnlyPolicy, error)
public ReadOnlyPolicy(string name, ReadOnlyPolicyArgs args, CustomResourceOptions? opts = null)
public ReadOnlyPolicy(String name, ReadOnlyPolicyArgs args)
public ReadOnlyPolicy(String name, ReadOnlyPolicyArgs args, CustomResourceOptions options)
type: aws-iam:ReadOnlyPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args ReadOnlyPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args ReadOnlyPolicyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ReadOnlyPolicyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ReadOnlyPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args ReadOnlyPolicyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

ReadOnlyPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The ReadOnlyPolicy resource accepts the following input properties:

Name string

The name of the policy.

AdditionalPolicyJson string

JSON policy document if you want to add custom actions.

AllowCloudwatchLogsQuery bool

Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.

AllowPredefinedStsActions bool

Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.

AllowWebConsoleServices bool

Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).

AllowedServices List<string>

List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.

Description string

The description of the policy.

Path string

The path of the policy in IAM.

Tags Dictionary<string, string>

A map of tags to add.

WebConsoleServices List<string>

List of web console services to allow.

Name string

The name of the policy.

AdditionalPolicyJson string

JSON policy document if you want to add custom actions.

AllowCloudwatchLogsQuery bool

Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.

AllowPredefinedStsActions bool

Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.

AllowWebConsoleServices bool

Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).

AllowedServices []string

List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.

Description string

The description of the policy.

Path string

The path of the policy in IAM.

Tags map[string]string

A map of tags to add.

WebConsoleServices []string

List of web console services to allow.

name String

The name of the policy.

additionalPolicyJson String

JSON policy document if you want to add custom actions.

allowCloudwatchLogsQuery Boolean

Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.

allowPredefinedStsActions Boolean

Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.

allowWebConsoleServices Boolean

Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).

allowedServices List<String>

List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.

description String

The description of the policy.

path String

The path of the policy in IAM.

tags Map<String,String>

A map of tags to add.

webConsoleServices List<String>

List of web console services to allow.

name string

The name of the policy.

additionalPolicyJson string

JSON policy document if you want to add custom actions.

allowCloudwatchLogsQuery boolean

Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.

allowPredefinedStsActions boolean

Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.

allowWebConsoleServices boolean

Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).

allowedServices string[]

List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.

description string

The description of the policy.

path string

The path of the policy in IAM.

tags {[key: string]: string}

A map of tags to add.

webConsoleServices string[]

List of web console services to allow.

name str

The name of the policy.

additional_policy_json str

JSON policy document if you want to add custom actions.

allow_cloudwatch_logs_query bool

Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.

allow_predefined_sts_actions bool

Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.

allow_web_console_services bool

Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).

allowed_services Sequence[str]

List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.

description str

The description of the policy.

path str

The path of the policy in IAM.

tags Mapping[str, str]

A map of tags to add.

web_console_services Sequence[str]

List of web console services to allow.

name String

The name of the policy.

additionalPolicyJson String

JSON policy document if you want to add custom actions.

allowCloudwatchLogsQuery Boolean

Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.

allowPredefinedStsActions Boolean

Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.

allowWebConsoleServices Boolean

Allows List/Get/Describe/View actions for services used when browsing AWS console (e.g. resource-groups, tag, health services).

allowedServices List<String>

List of services to allow Get/List/Describe/View options. Service name should be the same as corresponding service IAM prefix. See what it is for each service here https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html.

description String

The description of the policy.

path String

The path of the policy in IAM.

tags Map<String>

A map of tags to add.

webConsoleServices List<String>

List of web console services to allow.

Outputs

All input properties are implicitly available as output properties. Additionally, the ReadOnlyPolicy resource produces the following output properties:

Arn string

The ARN assigned by AWS to this policy.

Id string

The policy's ID.

Policy string

The policy document.

PolicyJson string

Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

Arn string

The ARN assigned by AWS to this policy.

Id string

The policy's ID.

Policy string

The policy document.

PolicyJson string

Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

arn String

The ARN assigned by AWS to this policy.

id String

The policy's ID.

policy String

The policy document.

policyJson String

Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

arn string

The ARN assigned by AWS to this policy.

id string

The policy's ID.

policy string

The policy document.

policyJson string

Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

arn str

The ARN assigned by AWS to this policy.

id str

The policy's ID.

policy str

The policy document.

policy_json str

Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

arn String

The ARN assigned by AWS to this policy.

id String

The policy's ID.

policy String

The policy document.

policyJson String

Policy document as json. Useful if you need document but do not want to create IAM policy itself. For example for SSO Permission Set inline policies.

Package Details

Repository
aws-iam
License