AWS Classic
getPolicyDocument
Generates an IAM policy document in JSON format for use with resources that expect policy documents, such as aws.iam.Policy.
Using this data source to generate policy documents is optional. It is also valid to use literal JSON strings in your configuration or to use the file
interpolation function to read a raw JSON policy document from a file.
Example Usage
Basic Example
using Pulumi;
using Aws = Pulumi.Aws;
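/// <summary>
/// Builds a three-statement S3 policy document with aws.iam.getPolicyDocument and
/// attaches its JSON to an aws.iam.Policy named "examplePolicy".
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // NOTE(review): `@var` is not declared in this listing; it presumably stands for
        // stack configuration that supplies the bucket name.
        var examplePolicyDocument = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            // No statement sets Effect; the data source defaults it to "Allow".
            Statements =
            {
                // Account-wide bucket enumeration: applies to every bucket ARN.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "1",
                    Actions =
                    {
                        "s3:ListAllMyBuckets",
                        "s3:GetBucketLocation",
                    },
                    Resources =
                    {
                        "arn:aws:s3:::*",
                    },
                },
                // Listing is limited by s3:prefix to the bucket root, home/ and the caller's own folder.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions =
                    {
                        "s3:ListBucket",
                    },
                    Resources =
                    {
                        $"arn:aws:s3:::{@var.S3_bucket_name}",
                    },
                    Conditions =
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionArgs
                        {
                            Test = "StringLike",
                            Variable = "s3:prefix",
                            Values =
                            {
                                "",
                                "home/",
                                // "&{...}" is the provider's spelling of an IAM policy variable; it is
                                // rendered as "${aws:username}" in the JSON.
                                "home/&{aws:username}/",
                            },
                        },
                    },
                },
                // s3:* covers every S3 action on the caller's home prefix; narrow it to the
                // object actions actually needed. aws:username is only populated for IAM users,
                // so principals using an assumed role will not match these ARNs.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions =
                    {
                        "s3:*",
                    },
                    Resources =
                    {
                        // "{{" / "}}" are escaped braces inside an interpolated string.
                        $"arn:aws:s3:::{@var.S3_bucket_name}/home/&{{aws:username}}",
                        $"arn:aws:s3:::{@var.S3_bucket_name}/home/&{{aws:username}}/*",
                    },
                },
            },
        }));
        var examplePolicy = new Aws.Iam.Policy("examplePolicy", new Aws.Iam.PolicyArgs
        {
            Path = "/",
            // The lambda parameter must not reuse the name of the enclosing local
            // (C# rejects that with CS0136), hence "doc".
            Policy = examplePolicyDocument.Apply(doc => doc.Json),
        });
    }
}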
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main renders a three-statement S3 policy document with iam.GetPolicyDocument
// and registers an iam.Policy named "examplePolicy" from its JSON.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): _var is not declared in this listing; it presumably
		// stands for stack configuration that supplies the bucket name.
		bucketArn := fmt.Sprintf("arn:aws:s3:::%v", _var.S3_bucket_name)
		// "&{...}" is the provider's spelling of an IAM policy variable; it is
		// rendered as "${aws:username}" in the JSON.
		homeArn := fmt.Sprintf("arn:aws:s3:::%v/home/&{aws:username}", _var.S3_bucket_name)
		homeObjectsArn := fmt.Sprintf("arn:aws:s3:::%v/home/&{aws:username}/*", _var.S3_bucket_name)

		// No statement sets Effect; the data source defaults it to "Allow".

		// Account-wide bucket enumeration: applies to every bucket ARN.
		enumerateBuckets := iam.GetPolicyDocumentStatement{
			Sid:       pulumi.StringRef("1"),
			Actions:   []string{"s3:ListAllMyBuckets", "s3:GetBucketLocation"},
			Resources: []string{"arn:aws:s3:::*"},
		}

		// Listing is limited by s3:prefix to the bucket root, home/ and the
		// caller's own folder.
		listOwnPrefix := iam.GetPolicyDocumentStatement{
			Actions:   []string{"s3:ListBucket"},
			Resources: []string{bucketArn},
			Conditions: []iam.GetPolicyDocumentStatementCondition{
				{
					Test:     "StringLike",
					Variable: "s3:prefix",
					Values:   []string{"", "home/", "home/&{aws:username}/"},
				},
			},
		}

		// s3:* covers every S3 action on the caller's home prefix; narrow it to
		// the object actions actually needed. aws:username is only populated
		// for IAM users, so assumed-role callers will not match these ARNs.
		fullAccessToHome := iam.GetPolicyDocumentStatement{
			Actions:   []string{"s3:*"},
			Resources: []string{homeArn, homeObjectsArn},
		}

		doc, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				enumerateBuckets,
				listOwnPrefix,
				fullAccessToHome,
			},
		}, nil)
		if err != nil {
			return err
		}

		if _, err := iam.NewPolicy(ctx, "examplePolicy", &iam.PolicyArgs{
			Path:   pulumi.String("/"),
			Policy: pulumi.String(doc.Json),
		}); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;
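/**
 * Builds a three-statement S3 policy document with aws.iam.getPolicyDocument and
 * attaches its JSON to an aws.iam.Policy named "examplePolicy".
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // NOTE(review): var_ is not declared in this listing; it presumably stands for
        // stack configuration that supplies the bucket name.
        // No statement sets an effect; the data source defaults it to "Allow".
        final var examplePolicyDocument = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                // Account-wide bucket enumeration: applies to every bucket ARN.
                GetPolicyDocumentStatementArgs.builder()
                    .sid("1")
                    .actions(
                        "s3:ListAllMyBuckets",
                        "s3:GetBucketLocation")
                    .resources("arn:aws:s3:::*")
                    .build(),
                // Listing is limited by s3:prefix to the bucket root, home/ and the caller's own folder.
                GetPolicyDocumentStatementArgs.builder()
                    .actions("s3:ListBucket")
                    .resources(String.format("arn:aws:s3:::%s", var_.s3_bucket_name()))
                    .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                        .test("StringLike")
                        .variable("s3:prefix")
                        .values(
                            "",
                            "home/",
                            // "&{...}" is the provider's spelling of an IAM policy variable; it is
                            // rendered as "${aws:username}" in the JSON.
                            "home/&{aws:username}/")
                        .build())
                    .build(),
                // s3:* covers every S3 action on the caller's home prefix; narrow it to the
                // object actions actually needed. aws:username is only populated for IAM users,
                // so assumed-role callers will not match these ARNs.
                GetPolicyDocumentStatementArgs.builder()
                    .actions("s3:*")
                    .resources(
                        // String.format does not treat "{{" as an escape, so the braces are
                        // written once; doubled braces would reach the policy verbatim and
                        // the variable would never resolve.
                        String.format("arn:aws:s3:::%s/home/&{aws:username}", var_.s3_bucket_name()),
                        String.format("arn:aws:s3:::%s/home/&{aws:username}/*", var_.s3_bucket_name()))
                    .build())
            .build()));

        var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()
            .path("/")
            .policy(examplePolicyDocument.apply(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
    }
}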
import pulumi
import pulumi_aws as aws
# Renders a three-statement S3 policy document and attaches its JSON to an
# aws.iam.Policy named "examplePolicy".
# NOTE(review): `var` is not defined in this listing; it presumably stands for
# stack configuration that supplies the bucket name.
# No statement sets `effect`; the data source defaults it to "Allow".

# Account-wide bucket enumeration: applies to every bucket ARN.
_enumerate_buckets = aws.iam.GetPolicyDocumentStatementArgs(
    sid="1",
    actions=["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
    resources=["arn:aws:s3:::*"],
)

# Listing is limited by s3:prefix to the bucket root, home/ and the caller's own
# folder. "&{...}" is the provider's spelling of an IAM policy variable; it is
# rendered as "${aws:username}" in the JSON.
_own_prefix_only = aws.iam.GetPolicyDocumentStatementConditionArgs(
    test="StringLike",
    variable="s3:prefix",
    values=["", "home/", "home/&{aws:username}/"],
)
_list_own_prefix = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["s3:ListBucket"],
    resources=[f"arn:aws:s3:::{var['s3_bucket_name']}"],
    conditions=[_own_prefix_only],
)

# s3:* covers every S3 action on the caller's home prefix; narrow it to the
# object actions actually needed. aws:username is only populated for IAM users,
# so assumed-role callers will not match these ARNs.
_full_access_to_home = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["s3:*"],
    resources=[
        # "{{" / "}}" are escaped braces inside an f-string.
        f"arn:aws:s3:::{var['s3_bucket_name']}/home/&{{aws:username}}",
        f"arn:aws:s3:::{var['s3_bucket_name']}/home/&{{aws:username}}/*",
    ],
)

example_policy_document = aws.iam.get_policy_document(
    statements=[_enumerate_buckets, _list_own_prefix, _full_access_to_home],
)

example_policy = aws.iam.Policy(
    "examplePolicy",
    path="/",
    policy=example_policy_document.json,
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Renders a three-statement S3 policy document and attaches its JSON to an
// aws.iam.Policy named "examplePolicy".
// NOTE(review): `_var` is not declared in this listing; it presumably stands for
// stack configuration that supplies the bucket name.
// No statement sets `effect`; the data source defaults it to "Allow".
const examplePolicyDocument = aws.iam.getPolicyDocument({
    statements: [
        // Account-wide bucket enumeration: applies to every bucket ARN.
        {
            sid: "1",
            actions: ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
            resources: ["arn:aws:s3:::*"],
        },
        // Listing is limited by s3:prefix to the bucket root, home/ and the
        // caller's own folder. "&{...}" is the provider's spelling of an IAM
        // policy variable; it is rendered as "${aws:username}" in the JSON.
        {
            actions: ["s3:ListBucket"],
            resources: [`arn:aws:s3:::${_var.s3_bucket_name}`],
            conditions: [
                {
                    test: "StringLike",
                    variable: "s3:prefix",
                    values: ["", "home/", "home/&{aws:username}/"],
                },
            ],
        },
        // s3:* covers every S3 action on the caller's home prefix; narrow it to
        // the object actions actually needed. aws:username is only populated for
        // IAM users, so assumed-role callers will not match these ARNs.
        {
            actions: ["s3:*"],
            resources: [
                `arn:aws:s3:::${_var.s3_bucket_name}/home/&{aws:username}`,
                `arn:aws:s3:::${_var.s3_bucket_name}/home/&{aws:username}/*`,
            ],
        },
    ],
});

const examplePolicy = new aws.iam.Policy("examplePolicy", {
    path: "/",
    policy: examplePolicyDocument.then(doc => doc.json),
});
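# Renders a three-statement S3 policy document and attaches its JSON to an
# aws:iam:Policy. Nesting is restored here; the flattened listing is not valid YAML.
# NOTE(review): `var` is not declared in this listing; it presumably stands for
# configuration that supplies the bucket name.
resources:
  examplePolicy:
    type: aws:iam:Policy
    properties:
      path: /
      policy: ${examplePolicyDocument.json}
variables:
  examplePolicyDocument:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        # No statement sets `effect`; the data source defaults it to "Allow".
        statements:
          # Account-wide bucket enumeration: applies to every bucket ARN.
          # The sid is quoted so it stays a string rather than the integer 1.
          - sid: "1"
            actions:
              - s3:ListAllMyBuckets
              - s3:GetBucketLocation
            resources:
              - arn:aws:s3:::*
          # Listing is limited by s3:prefix to the bucket root, home/ and the
          # caller's own folder.
          - actions:
              - s3:ListBucket
            resources:
              - arn:aws:s3:::${var.s3_bucket_name}
            conditions:
              - test: StringLike
                variable: s3:prefix
                values:
                  # An explicit empty string: a bare "-" would be null, not "".
                  - ""
                  - home/
                  # "&{...}" is the provider's spelling of an IAM policy variable.
                  - home/&{aws:username}/
          # s3:* covers every S3 action on the caller's home prefix; narrow it to
          # the object actions actually needed.
          - actions:
              - s3:*
            resources:
              - arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}
              - arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}/*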
Example Multiple Condition Keys and Values
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Renders a single KMS statement guarded by three encryption-context conditions.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Separate condition entries are ANDed: all three context keys must match.
        var serviceIsPi = new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionArgs
        {
            Test = "ForAnyValue:StringEquals",
            Variable = "kms:EncryptionContext:service",
            Values = { "pi" },
        };
        var piServiceIsRds = new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionArgs
        {
            Test = "ForAnyValue:StringEquals",
            Variable = "kms:EncryptionContext:aws:pi:service",
            Values = { "rds" },
        };
        // Values inside one entry are alternatives: either database id satisfies it.
        var knownDatabase = new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionArgs
        {
            Test = "ForAnyValue:StringEquals",
            Variable = "kms:EncryptionContext:aws:rds:db-id",
            Values =
            {
                "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
            },
        };

        var decryptForInsights = new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
        {
            Actions = { "kms:Decrypt", "kms:GenerateDataKey" },
            Conditions = { serviceIsPi, piServiceIsRds, knownDatabase },
            // "*" leaves the key unrestricted; in an identity policy that means every key
            // the conditions admit. Prefer the key ARN where it is known.
            Resources = { "*" },
        };

        var exampleMultipleConditionKeysAndValues = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements = { decryptForInsights },
        }));
    }
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main renders a single KMS statement guarded by three encryption-context
// conditions; the resulting document is discarded.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Separate condition entries are ANDed: all three context keys must
		// match. Values inside one entry are alternatives.
		contextChecks := []iam.GetPolicyDocumentStatementCondition{
			{
				Test:     "ForAnyValue:StringEquals",
				Variable: "kms:EncryptionContext:service",
				Values:   []string{"pi"},
			},
			{
				Test:     "ForAnyValue:StringEquals",
				Variable: "kms:EncryptionContext:aws:pi:service",
				Values:   []string{"rds"},
			},
			{
				Test:     "ForAnyValue:StringEquals",
				Variable: "kms:EncryptionContext:aws:rds:db-id",
				Values: []string{
					"db-AAAAABBBBBCCCCCDDDDDEEEEE",
					"db-EEEEEDDDDDCCCCCBBBBBAAAAA",
				},
			},
		}

		decryptForInsights := iam.GetPolicyDocumentStatement{
			Actions:    []string{"kms:Decrypt", "kms:GenerateDataKey"},
			Conditions: contextChecks,
			// "*" leaves the key unrestricted; in an identity policy that means
			// every key the conditions admit. Prefer the key ARN where known.
			Resources: []string{"*"},
		}

		if _, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{decryptForInsights},
		}, nil); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;
/**
 * Renders a single KMS statement guarded by three encryption-context conditions.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Separate condition entries are ANDed: all three context keys must match.
        final var serviceIsPi = GetPolicyDocumentStatementConditionArgs.builder()
            .test("ForAnyValue:StringEquals")
            .variable("kms:EncryptionContext:service")
            .values("pi")
            .build();
        final var piServiceIsRds = GetPolicyDocumentStatementConditionArgs.builder()
            .test("ForAnyValue:StringEquals")
            .variable("kms:EncryptionContext:aws:pi:service")
            .values("rds")
            .build();
        // Values inside one entry are alternatives: either database id satisfies it.
        final var knownDatabase = GetPolicyDocumentStatementConditionArgs.builder()
            .test("ForAnyValue:StringEquals")
            .variable("kms:EncryptionContext:aws:rds:db-id")
            .values(
                "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                "db-EEEEEDDDDDCCCCCBBBBBAAAAA")
            .build();

        final var decryptForInsights = GetPolicyDocumentStatementArgs.builder()
            .actions("kms:Decrypt", "kms:GenerateDataKey")
            .conditions(serviceIsPi, piServiceIsRds, knownDatabase)
            // "*" leaves the key unrestricted; in an identity policy that means every key
            // the conditions admit. Prefer the key ARN where it is known.
            .resources("*")
            .build();

        final var exampleMultipleConditionKeysAndValues = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(decryptForInsights)
            .build()));
    }
}
import pulumi
import pulumi_aws as aws
# Renders a single KMS statement guarded by three encryption-context conditions.
# Separate condition entries are ANDed: all three context keys must match.
# Values inside one entry are alternatives.
_context_checks = [
    aws.iam.GetPolicyDocumentStatementConditionArgs(
        test="ForAnyValue:StringEquals",
        variable="kms:EncryptionContext:service",
        values=["pi"],
    ),
    aws.iam.GetPolicyDocumentStatementConditionArgs(
        test="ForAnyValue:StringEquals",
        variable="kms:EncryptionContext:aws:pi:service",
        values=["rds"],
    ),
    aws.iam.GetPolicyDocumentStatementConditionArgs(
        test="ForAnyValue:StringEquals",
        variable="kms:EncryptionContext:aws:rds:db-id",
        values=[
            "db-AAAAABBBBBCCCCCDDDDDEEEEE",
            "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
        ],
    ),
]

_decrypt_for_insights = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["kms:Decrypt", "kms:GenerateDataKey"],
    conditions=_context_checks,
    # "*" leaves the key unrestricted; in an identity policy that means every
    # key the conditions admit. Prefer the key ARN where it is known.
    resources=["*"],
)

example_multiple_condition_keys_and_values = aws.iam.get_policy_document(
    statements=[_decrypt_for_insights],
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Renders a single KMS statement guarded by three encryption-context conditions.
// Separate condition entries are ANDed: all three context keys must match.
// Values inside one entry are alternatives.
const exampleMultipleConditionKeysAndValues = pulumi.output(
    aws.iam.getPolicyDocument({
        statements: [
            {
                actions: ["kms:Decrypt", "kms:GenerateDataKey"],
                conditions: [
                    {
                        test: "ForAnyValue:StringEquals",
                        variable: "kms:EncryptionContext:service",
                        values: ["pi"],
                    },
                    {
                        test: "ForAnyValue:StringEquals",
                        variable: "kms:EncryptionContext:aws:pi:service",
                        values: ["rds"],
                    },
                    {
                        test: "ForAnyValue:StringEquals",
                        variable: "kms:EncryptionContext:aws:rds:db-id",
                        values: [
                            "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                            "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
                        ],
                    },
                ],
                // "*" leaves the key unrestricted; in an identity policy that
                // means every key the conditions admit. Prefer the key ARN
                // where it is known.
                resources: ["*"],
            },
        ],
    }),
);
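# Renders a single KMS statement guarded by three encryption-context conditions.
# Nesting is restored here; the flattened listing is not valid YAML.
variables:
  exampleMultipleConditionKeysAndValues:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - actions:
              - kms:Decrypt
              - kms:GenerateDataKey
            # Separate condition entries are ANDed: all three context keys must
            # match. Values inside one entry are alternatives.
            conditions:
              - test: ForAnyValue:StringEquals
                values:
                  - pi
                variable: kms:EncryptionContext:service
              - test: ForAnyValue:StringEquals
                values:
                  - rds
                variable: kms:EncryptionContext:aws:pi:service
              - test: ForAnyValue:StringEquals
                values:
                  - db-AAAAABBBBBCCCCCDDDDDEEEEE
                  - db-EEEEEDDDDDCCCCCBBBBBAAAAA
                variable: kms:EncryptionContext:aws:rds:db-id
            # "*" leaves the key unrestricted; prefer the key ARN where it is known.
            resources:
              - '*'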
Example Assume-Role Policy with Multiple Principals
using Pulumi;
using Aws = Pulumi.Aws;
/// <summary>
/// Renders a role trust (assume-role) policy that names three kinds of principal.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // NOTE(review): `@var` is not declared in this listing; it presumably stands for
        // stack configuration.
        var firehoseService = new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
        {
            Type = "Service",
            Identifiers = { "firehose.amazonaws.com" },
        };
        var trustedRole = new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
        {
            Type = "AWS",
            Identifiers = { @var.Trusted_role_arn },
        };
        var federatedProviders = new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
        {
            Type = "Federated",
            Identifiers =
            {
                $"arn:aws:iam::{@var.Account_id}:saml-provider/{@var.Provider_name}",
                "cognito-identity.amazonaws.com",
            },
        };

        // NOTE(review): the only action is sts:AssumeRole, while SAML and web-identity
        // federation use sts:AssumeRoleWithSAML / sts:AssumeRoleWithWebIdentity, so confirm
        // the Federated principals belong in this statement. No conditions are set; a trust
        // policy would normally constrain callers (for example sts:ExternalId,
        // aws:SourceAccount, SAML:aud or cognito-identity.amazonaws.com:aud).
        var trust = new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
        {
            Actions = { "sts:AssumeRole" },
            Principals = { firehoseService, trustedRole, federatedProviders },
        };

        var eventStreamBucketRoleAssumeRolePolicy = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements = { trust },
        }));
    }
}
Coming soon!
package generated_program;
import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;
/**
 * Renders a role trust (assume-role) policy that names three kinds of principal.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // NOTE(review): var_ is not declared in this listing; it presumably stands for
        // stack configuration.
        final var firehoseService = GetPolicyDocumentStatementPrincipalArgs.builder()
            .type("Service")
            .identifiers("firehose.amazonaws.com")
            .build();
        final var trustedRole = GetPolicyDocumentStatementPrincipalArgs.builder()
            .type("AWS")
            .identifiers(var_.trusted_role_arn())
            .build();
        final var federatedProviders = GetPolicyDocumentStatementPrincipalArgs.builder()
            .type("Federated")
            .identifiers(
                String.format("arn:aws:iam::%s:saml-provider/%s", var_.account_id(),var_.provider_name()),
                "cognito-identity.amazonaws.com")
            .build();

        // NOTE(review): the only action is sts:AssumeRole, while SAML and web-identity
        // federation use sts:AssumeRoleWithSAML / sts:AssumeRoleWithWebIdentity, so confirm
        // the Federated principals belong in this statement. No conditions are set; a trust
        // policy would normally constrain callers (for example sts:ExternalId,
        // aws:SourceAccount, SAML:aud or cognito-identity.amazonaws.com:aud).
        final var trust = GetPolicyDocumentStatementArgs.builder()
            .actions("sts:AssumeRole")
            .principals(firehoseService, trustedRole, federatedProviders)
            .build();

        final var eventStreamBucketRoleAssumeRolePolicy = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(trust)
            .build()));
    }
}
import pulumi
import pulumi_aws as aws
# Renders a role trust (assume-role) policy that names three kinds of principal.
# NOTE(review): `var` is not defined in this listing; it presumably stands for
# stack configuration.
_firehose_service = aws.iam.GetPolicyDocumentStatementPrincipalArgs(
    type="Service",
    identifiers=["firehose.amazonaws.com"],
)
_trusted_role = aws.iam.GetPolicyDocumentStatementPrincipalArgs(
    type="AWS",
    identifiers=[var["trusted_role_arn"]],
)
_federated_providers = aws.iam.GetPolicyDocumentStatementPrincipalArgs(
    type="Federated",
    identifiers=[
        f"arn:aws:iam::{var['account_id']}:saml-provider/{var['provider_name']}",
        "cognito-identity.amazonaws.com",
    ],
)

# NOTE(review): the only action is sts:AssumeRole, while SAML and web-identity
# federation use sts:AssumeRoleWithSAML / sts:AssumeRoleWithWebIdentity, so
# confirm the Federated principals belong in this statement. No conditions are
# set; a trust policy would normally constrain callers (for example
# sts:ExternalId, aws:SourceAccount, SAML:aud or
# cognito-identity.amazonaws.com:aud).
_trust = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["sts:AssumeRole"],
    principals=[_firehose_service, _trusted_role, _federated_providers],
)

event_stream_bucket_role_assume_role_policy = aws.iam.get_policy_document(
    statements=[_trust],
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Renders a role trust (assume-role) policy that names three kinds of principal.
// NOTE(review): `_var` is not declared in this listing; it presumably stands for
// stack configuration.
const eventStreamBucketRoleAssumeRolePolicy = aws.iam.getPolicyDocument({
    statements: [
        {
            // NOTE(review): the only action is sts:AssumeRole, while SAML and
            // web-identity federation use sts:AssumeRoleWithSAML /
            // sts:AssumeRoleWithWebIdentity, so confirm the Federated principals
            // belong in this statement. No conditions are set; a trust policy
            // would normally constrain callers (for example sts:ExternalId,
            // aws:SourceAccount, SAML:aud or cognito-identity.amazonaws.com:aud).
            actions: ["sts:AssumeRole"],
            principals: [
                { type: "Service", identifiers: ["firehose.amazonaws.com"] },
                { type: "AWS", identifiers: [_var.trusted_role_arn] },
                {
                    type: "Federated",
                    identifiers: [
                        `arn:aws:iam::${_var.account_id}:saml-provider/${_var.provider_name}`,
                        "cognito-identity.amazonaws.com",
                    ],
                },
            ],
        },
    ],
});
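# Renders a role trust (assume-role) policy that names three kinds of principal.
# Nesting is restored here; the flattened listing is not valid YAML.
# NOTE(review): `var` is not declared in this listing; it presumably stands for
# configuration.
variables:
  eventStreamBucketRoleAssumeRolePolicy:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          # NOTE(review): the only action is sts:AssumeRole, while SAML and
          # web-identity federation use sts:AssumeRoleWithSAML /
          # sts:AssumeRoleWithWebIdentity, so confirm the Federated principals
          # belong in this statement. No conditions are set; a trust policy would
          # normally constrain callers (for example sts:ExternalId,
          # aws:SourceAccount, SAML:aud or cognito-identity.amazonaws.com:aud).
          - actions:
              - sts:AssumeRole
            principals:
              - type: Service
                identifiers:
                  - firehose.amazonaws.com
              - type: AWS
                identifiers:
                  - ${var.trusted_role_arn}
              - type: Federated
                identifiers:
                  - arn:aws:iam::${var.account_id}:saml-provider/${var.provider_name}
                  - cognito-identity.amazonaws.com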
Example Using A Source Document
using Pulumi;
using Aws = Pulumi.Aws;
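/// <summary>
/// Renders a base ("source") document, then a second document that imports it and
/// redefines the statement whose sid is "SidToOverride".
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var source = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                // No sid, so nothing can replace it: ec2:* on every resource is carried
                // into the final document unchanged.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions =
                    {
                        "ec2:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "SidToOverride",
                    Actions =
                    {
                        "s3:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
            },
        }));
        // The lambda parameter must not reuse the name of the enclosing local `source`
        // (C# rejects that with CS0136), hence "baseDoc".
        var sourceDocumentExample = source.Apply(baseDoc => Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            SourcePolicyDocuments =
            {
                baseDoc.Json,
            },
            // A statement declared here replaces the source statement with the same sid,
            // so "SidToOverride" ends up scoped to somebucket instead of "*".
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "SidToOverride",
                    Actions =
                    {
                        "s3:*",
                    },
                    Resources =
                    {
                        "arn:aws:s3:::somebucket",
                        "arn:aws:s3:::somebucket/*",
                    },
                },
            },
        })));
    }
}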
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main starts an empty Pulumi program: the callback registers no resources and
// makes no getPolicyDocument call.
func main() {
	noop := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(noop)
}
package generated_program;
import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;
/**
 * Renders a base ("source") document, then a second document that imports it and
 * redefines the statement whose sid is "SidToOverride".
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // No sid, so nothing can replace it: ec2:* on every resource is carried into
        // the final document unchanged.
        final var ec2Everywhere = GetPolicyDocumentStatementArgs.builder()
            .actions("ec2:*")
            .resources("*")
            .build();
        final var s3Everywhere = GetPolicyDocumentStatementArgs.builder()
            .sid("SidToOverride")
            .actions("s3:*")
            .resources("*")
            .build();
        final var source = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(ec2Everywhere, s3Everywhere)
            .build()));

        // A statement declared alongside sourcePolicyDocuments replaces the source
        // statement with the same sid, so "SidToOverride" ends up scoped to somebucket.
        final var s3OneBucket = GetPolicyDocumentStatementArgs.builder()
            .sid("SidToOverride")
            .actions("s3:*")
            .resources(
                "arn:aws:s3:::somebucket",
                "arn:aws:s3:::somebucket/*")
            .build();
        final var sourceDocumentExample = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .sourcePolicyDocuments(source.apply(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .statements(s3OneBucket)
            .build()));
    }
}
import pulumi
import pulumi_aws as aws
# Renders a base ("source") document, then a second document that imports it
# and redefines the statement whose sid is "SidToOverride".

# No sid, so nothing can replace it: ec2:* on every resource is carried into
# the final document unchanged.
_ec2_everywhere = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["ec2:*"],
    resources=["*"],
)
_s3_everywhere = aws.iam.GetPolicyDocumentStatementArgs(
    sid="SidToOverride",
    actions=["s3:*"],
    resources=["*"],
)
source = aws.iam.get_policy_document(statements=[_ec2_everywhere, _s3_everywhere])

# A statement declared alongside source_policy_documents replaces the source
# statement with the same sid, so "SidToOverride" ends up scoped to somebucket.
_s3_one_bucket = aws.iam.GetPolicyDocumentStatementArgs(
    sid="SidToOverride",
    actions=["s3:*"],
    resources=[
        "arn:aws:s3:::somebucket",
        "arn:aws:s3:::somebucket/*",
    ],
)
source_document_example = aws.iam.get_policy_document(
    source_policy_documents=[source.json],
    statements=[_s3_one_bucket],
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Renders a base ("source") document, then a second document that imports it
// and redefines the statement whose sid is "SidToOverride".
const source = aws.iam.getPolicyDocument({
    statements: [
        // No sid, so nothing can replace it: ec2:* on every resource is carried
        // into the final document unchanged.
        { actions: ["ec2:*"], resources: ["*"] },
        { sid: "SidToOverride", actions: ["s3:*"], resources: ["*"] },
    ],
});

const sourceDocumentExample = source.then(baseDoc =>
    aws.iam.getPolicyDocument({
        sourcePolicyDocuments: [baseDoc.json],
        // A statement declared here replaces the source statement with the same
        // sid, so "SidToOverride" ends up scoped to somebucket instead of "*".
        statements: [
            {
                sid: "SidToOverride",
                actions: ["s3:*"],
                resources: [
                    "arn:aws:s3:::somebucket",
                    "arn:aws:s3:::somebucket/*",
                ],
            },
        ],
    }),
);
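# Renders a base ("source") document, then a second document that imports it and
# redefines the statement whose sid is "SidToOverride".
# Nesting is restored here; the flattened listing is not valid YAML.
variables:
  source:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          # No sid, so nothing can replace it: ec2:* on every resource is carried
          # into the final document unchanged.
          - actions:
              - ec2:*
            resources:
              - '*'
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - '*'
  sourceDocumentExample:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        sourcePolicyDocuments:
          - ${source.json}
        # A statement declared here replaces the source statement with the same
        # sid, so "SidToOverride" ends up scoped to somebucket instead of "*".
        statements:
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - arn:aws:s3:::somebucket
              - arn:aws:s3:::somebucket/*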
Example Using An Override Document
using Pulumi;
using Aws = Pulumi.Aws;
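/// <summary>
/// Renders an override document, then a second document whose "SidToOverride"
/// statement is replaced by the one from the override document.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var @override = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "SidToOverride",
                    Actions =
                    {
                        "s3:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
            },
        }));
        // The lambda parameter must not reuse the name of the enclosing local `@override`
        // (C# rejects that with CS0136), hence "overrideDoc".
        var overridePolicyDocumentExample = @override.Apply(overrideDoc => Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            // Override documents win over same-sid statements declared below: the
            // somebucket-scoped "SidToOverride" is discarded and the rendered policy grants
            // s3:* on "*". Review override inputs as carefully as the base policy, since
            // they can widen it.
            OverridePolicyDocuments =
            {
                overrideDoc.Json,
            },
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions =
                    {
                        "ec2:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "SidToOverride",
                    Actions =
                    {
                        "s3:*",
                    },
                    Resources =
                    {
                        "arn:aws:s3:::somebucket",
                        "arn:aws:s3:::somebucket/*",
                    },
                },
            },
        })));
    }
}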
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main starts an empty Pulumi program: the callback registers no resources and
// makes no getPolicyDocument call.
func main() {
	noop := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(noop)
}
package generated_program;
import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;
/**
 * Renders an override document, then a second document whose "SidToOverride"
 * statement is replaced by the one from the override document.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var s3Everywhere = GetPolicyDocumentStatementArgs.builder()
            .sid("SidToOverride")
            .actions("s3:*")
            .resources("*")
            .build();
        final var override = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(s3Everywhere)
            .build()));

        final var ec2Everywhere = GetPolicyDocumentStatementArgs.builder()
            .actions("ec2:*")
            .resources("*")
            .build();
        final var s3OneBucket = GetPolicyDocumentStatementArgs.builder()
            .sid("SidToOverride")
            .actions("s3:*")
            .resources(
                "arn:aws:s3:::somebucket",
                "arn:aws:s3:::somebucket/*")
            .build();

        // Override documents win over same-sid statements passed to statements(): the
        // somebucket-scoped "SidToOverride" is discarded and the rendered policy grants
        // s3:* on "*". Review override inputs as carefully as the base policy, since
        // they can widen it.
        final var overridePolicyDocumentExample = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .overridePolicyDocuments(override.apply(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .statements(ec2Everywhere, s3OneBucket)
            .build()));
    }
}
import pulumi
import pulumi_aws as aws
# Renders an override document, then a second document whose "SidToOverride"
# statement is replaced by the one from the override document.
_s3_everywhere = aws.iam.GetPolicyDocumentStatementArgs(
    sid="SidToOverride",
    actions=["s3:*"],
    resources=["*"],
)
override = aws.iam.get_policy_document(statements=[_s3_everywhere])

_ec2_everywhere = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["ec2:*"],
    resources=["*"],
)
_s3_one_bucket = aws.iam.GetPolicyDocumentStatementArgs(
    sid="SidToOverride",
    actions=["s3:*"],
    resources=[
        "arn:aws:s3:::somebucket",
        "arn:aws:s3:::somebucket/*",
    ],
)

# Override documents win over same-sid statements passed in `statements`: the
# somebucket-scoped "SidToOverride" is discarded and the rendered policy grants
# s3:* on "*". Review override inputs as carefully as the base policy, since
# they can widen it.
override_policy_document_example = aws.iam.get_policy_document(
    override_policy_documents=[override.json],
    statements=[_ec2_everywhere, _s3_one_bucket],
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Renders an override document, then a second document whose "SidToOverride"
// statement is replaced by the one from the override document.
const override = aws.iam.getPolicyDocument({
    statements: [
        { sid: "SidToOverride", actions: ["s3:*"], resources: ["*"] },
    ],
});

const overridePolicyDocumentExample = override.then(overrideDoc =>
    aws.iam.getPolicyDocument({
        // Override documents win over same-sid statements declared below: the
        // somebucket-scoped "SidToOverride" is discarded and the rendered
        // policy grants s3:* on "*". Review override inputs as carefully as the
        // base policy, since they can widen it.
        overridePolicyDocuments: [overrideDoc.json],
        statements: [
            { actions: ["ec2:*"], resources: ["*"] },
            {
                sid: "SidToOverride",
                actions: ["s3:*"],
                resources: [
                    "arn:aws:s3:::somebucket",
                    "arn:aws:s3:::somebucket/*",
                ],
            },
        ],
    }),
);
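# Renders an override document, then a second document whose "SidToOverride"
# statement is replaced by the one from the override document.
# Nesting is restored here; the flattened listing is not valid YAML.
variables:
  override:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - '*'
  overridePolicyDocumentExample:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        # Override documents win over same-sid statements declared below: the
        # somebucket-scoped "SidToOverride" is discarded and the rendered policy
        # grants s3:* on "*". Review override inputs as carefully as the base
        # policy, since they can widen it.
        overridePolicyDocuments:
          - ${override.json}
        statements:
          - actions:
              - ec2:*
            resources:
              - '*'
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - arn:aws:s3:::somebucket
              - arn:aws:s3:::somebucket/*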
Example with Both Source and Override Documents
using Pulumi;
using Aws = Pulumi.Aws;
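/// <summary>
/// Combines a source document and an override document that share the sid
/// "OverridePlaceholder"; no statements are declared on the combining call.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var source = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceholder",
                    Actions =
                    {
                        "ec2:DescribeAccountAttributes",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
            },
        }));
        var @override = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceholder",
                    Actions =
                    {
                        "s3:GetObject",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
            },
        }));
        var politik = Output.Tuple(source, @override).Apply(values =>
        {
            // Locals inside the lambda must not reuse the names of the enclosing
            // `source` / `@override` (C# rejects that with CS0136).
            var sourceDoc = values.Item1;
            var overrideDoc = values.Item2;
            // The override document wins for the shared sid, so the rendered policy
            // carries s3:GetObject on "*" in place of ec2:DescribeAccountAttributes.
            return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                SourcePolicyDocuments =
                {
                    sourceDoc.Json,
                },
                OverridePolicyDocuments =
                {
                    overrideDoc.Json,
                },
            }));
        });
    }
}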
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main starts an empty Pulumi program: the callback registers no resources and
// makes no getPolicyDocument call.
func main() {
	noop := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(noop)
}
package generated_program;
import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;
/**
 * Combines a source document and an override document that share the sid
 * "OverridePlaceholder"; no statements are declared on the combining call.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var describeAccount = GetPolicyDocumentStatementArgs.builder()
            .sid("OverridePlaceholder")
            .actions("ec2:DescribeAccountAttributes")
            .resources("*")
            .build();
        final var source = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(describeAccount)
            .build()));

        final var getObject = GetPolicyDocumentStatementArgs.builder()
            .sid("OverridePlaceholder")
            .actions("s3:GetObject")
            .resources("*")
            .build();
        final var override = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(getObject)
            .build()));

        // The override document wins for the shared sid, so the rendered policy carries
        // s3:GetObject on "*" in place of ec2:DescribeAccountAttributes.
        final var politik = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .sourcePolicyDocuments(source.apply(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .overridePolicyDocuments(override.apply(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build()));
    }
}
import pulumi
import pulumi_aws as aws
# Combines a source document and an override document that share the sid
# "OverridePlaceholder"; no statements are declared on the combining call.
_describe_account = aws.iam.GetPolicyDocumentStatementArgs(
    sid="OverridePlaceholder",
    actions=["ec2:DescribeAccountAttributes"],
    resources=["*"],
)
source = aws.iam.get_policy_document(statements=[_describe_account])

_get_object = aws.iam.GetPolicyDocumentStatementArgs(
    sid="OverridePlaceholder",
    actions=["s3:GetObject"],
    resources=["*"],
)
override = aws.iam.get_policy_document(statements=[_get_object])

# The override document wins for the shared sid, so the rendered policy carries
# s3:GetObject on "*" in place of ec2:DescribeAccountAttributes.
politik = aws.iam.get_policy_document(
    source_policy_documents=[source.json],
    override_policy_documents=[override.json],
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Combines a source document and an override document that share the sid
// "OverridePlaceholder"; no statements are declared on the combining call.
const source = aws.iam.getPolicyDocument({
    statements: [
        {
            sid: "OverridePlaceholder",
            actions: ["ec2:DescribeAccountAttributes"],
            resources: ["*"],
        },
    ],
});

const override = aws.iam.getPolicyDocument({
    statements: [
        {
            sid: "OverridePlaceholder",
            actions: ["s3:GetObject"],
            resources: ["*"],
        },
    ],
});

// The override document wins for the shared sid, so the rendered policy carries
// s3:GetObject on "*" in place of ec2:DescribeAccountAttributes.
const politik = Promise.all([source, override]).then(([baseDoc, overrideDoc]) =>
    aws.iam.getPolicyDocument({
        sourcePolicyDocuments: [baseDoc.json],
        overridePolicyDocuments: [overrideDoc.json],
    }),
);
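# Combines a source document and an override document that share the sid
# "OverridePlaceholder"; no statements are declared on the combining call.
# Nesting is restored here; the flattened listing is not valid YAML.
variables:
  source:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: OverridePlaceholder
            actions:
              - ec2:DescribeAccountAttributes
            resources:
              - '*'
  override:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: OverridePlaceholder
            actions:
              - s3:GetObject
            resources:
              - '*'
  # The override document wins for the shared sid, so the rendered policy carries
  # s3:GetObject on "*" in place of ec2:DescribeAccountAttributes.
  politik:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        sourcePolicyDocuments:
          - ${source.json}
        overridePolicyDocuments:
          - ${override.json}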
Example of Merging Source Documents
using Pulumi;
using Aws = Pulumi.Aws;
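/// <summary>
/// Merges two source documents into one policy document; the sids used
/// ("UniqueSidOne", "UniqueSidTwo") do not collide.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var sourceOne = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions =
                    {
                        "ec2:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "UniqueSidOne",
                    Actions =
                    {
                        "s3:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
            },
        }));
        var sourceTwo = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                // iam:* on every resource is effectively administrative; it is used here
                // only to show merging.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "UniqueSidTwo",
                    Actions =
                    {
                        "iam:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions =
                    {
                        "lambda:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
            },
        }));
        var combined = Output.Tuple(sourceOne, sourceTwo).Apply(values =>
        {
            // Locals inside the lambda must not reuse the names of the enclosing
            // `sourceOne` / `sourceTwo` (C# rejects that with CS0136).
            var firstDoc = values.Item1;
            var secondDoc = values.Item2;
            // Merging is additive: all four statements appear in the rendered document,
            // so the result is as broad as the broadest source.
            return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                SourcePolicyDocuments =
                {
                    firstDoc.Json,
                    secondDoc.Json,
                },
            }));
        });
    }
}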
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main starts an empty Pulumi program: the callback registers no resources and
// makes no getPolicyDocument call.
func main() {
	noop := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(noop)
}
package generated_program;
import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;
/**
 * Merges two source documents into one policy document; the sids used
 * ("UniqueSidOne", "UniqueSidTwo") do not collide.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var ec2Everywhere = GetPolicyDocumentStatementArgs.builder()
            .actions("ec2:*")
            .resources("*")
            .build();
        final var s3Everywhere = GetPolicyDocumentStatementArgs.builder()
            .sid("UniqueSidOne")
            .actions("s3:*")
            .resources("*")
            .build();
        final var sourceOne = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(ec2Everywhere, s3Everywhere)
            .build()));

        // iam:* on every resource is effectively administrative; it is used here only
        // to show merging.
        final var iamEverywhere = GetPolicyDocumentStatementArgs.builder()
            .sid("UniqueSidTwo")
            .actions("iam:*")
            .resources("*")
            .build();
        final var lambdaEverywhere = GetPolicyDocumentStatementArgs.builder()
            .actions("lambda:*")
            .resources("*")
            .build();
        final var sourceTwo = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(iamEverywhere, lambdaEverywhere)
            .build()));

        // Merging is additive: all four statements appear in the rendered document, so
        // the result is as broad as the broadest source.
        final var combined = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .sourcePolicyDocuments(
                sourceOne.apply(getPolicyDocumentResult -> getPolicyDocumentResult.json()),
                sourceTwo.apply(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build()));
    }
}
import pulumi
import pulumi_aws as aws
# Merges two source documents into one policy document; the sids used
# ("UniqueSidOne", "UniqueSidTwo") do not collide.
_ec2_everywhere = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["ec2:*"],
    resources=["*"],
)
_s3_everywhere = aws.iam.GetPolicyDocumentStatementArgs(
    sid="UniqueSidOne",
    actions=["s3:*"],
    resources=["*"],
)
source_one = aws.iam.get_policy_document(statements=[_ec2_everywhere, _s3_everywhere])

# iam:* on every resource is effectively administrative; it is used here only
# to show merging.
_iam_everywhere = aws.iam.GetPolicyDocumentStatementArgs(
    sid="UniqueSidTwo",
    actions=["iam:*"],
    resources=["*"],
)
_lambda_everywhere = aws.iam.GetPolicyDocumentStatementArgs(
    actions=["lambda:*"],
    resources=["*"],
)
source_two = aws.iam.get_policy_document(statements=[_iam_everywhere, _lambda_everywhere])

# Merging is additive: all four statements appear in the rendered document, so
# the result is as broad as the broadest source.
combined = aws.iam.get_policy_document(
    source_policy_documents=[source_one.json, source_two.json],
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Merges two source documents into one policy document; the sids used
// ("UniqueSidOne", "UniqueSidTwo") do not collide.
const sourceOne = aws.iam.getPolicyDocument({
    statements: [
        { actions: ["ec2:*"], resources: ["*"] },
        { sid: "UniqueSidOne", actions: ["s3:*"], resources: ["*"] },
    ],
});

const sourceTwo = aws.iam.getPolicyDocument({
    statements: [
        // iam:* on every resource is effectively administrative; it is used
        // here only to show merging.
        { sid: "UniqueSidTwo", actions: ["iam:*"], resources: ["*"] },
        { actions: ["lambda:*"], resources: ["*"] },
    ],
});

// Merging is additive: all four statements appear in the rendered document, so
// the result is as broad as the broadest source.
const combined = Promise.all([sourceOne, sourceTwo]).then(([firstDoc, secondDoc]) =>
    aws.iam.getPolicyDocument({
        sourcePolicyDocuments: [firstDoc.json, secondDoc.json],
    }),
);
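# Merges two source documents into one policy document; the sids used
# (UniqueSidOne, UniqueSidTwo) do not collide.
# Nesting is restored here; the flattened listing is not valid YAML.
variables:
  sourceOne:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - actions:
              - ec2:*
            resources:
              - '*'
          - sid: UniqueSidOne
            actions:
              - s3:*
            resources:
              - '*'
  sourceTwo:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          # iam:* on every resource is effectively administrative; it is used
          # here only to show merging.
          - sid: UniqueSidTwo
            actions:
              - iam:*
            resources:
              - '*'
          - actions:
              - lambda:*
            resources:
              - '*'
  # Merging is additive: all four statements appear in the rendered document, so
  # the result is as broad as the broadest source.
  combined:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        sourcePolicyDocuments:
          - ${sourceOne.json}
          - ${sourceTwo.json}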
Example of Merging Override Documents
using Pulumi;
using Aws = Pulumi.Aws;
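/// <summary>
/// Merges three override documents on top of one locally declared statement.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var policyOne = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceHolderOne",
                    Effect = "Allow",
                    Actions =
                    {
                        "s3:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
            },
        }));
        var policyTwo = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Effect = "Allow",
                    Actions =
                    {
                        "ec2:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceHolderTwo",
                    Effect = "Allow",
                    Actions =
                    {
                        "iam:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
            },
        }));
        var policyThree = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceHolderOne",
                    Effect = "Deny",
                    Actions =
                    {
                        "logs:*",
                    },
                    Resources =
                    {
                        "*",
                    },
                },
            },
        }));
        var combined = Output.Tuple(policyOne, policyTwo, policyThree).Apply(values =>
        {
            // Locals inside the lambda must not reuse the names of the enclosing
            // policyOne / policyTwo / policyThree (C# rejects that with CS0136).
            var first = values.Item1;
            var second = values.Item2;
            var third = values.Item3;
            // Override documents are applied in list order and win over `Statements`:
            //  - OverridePlaceHolderOne ends up as the third document's Deny logs:*
            //    (it replaces the first document's Allow s3:*);
            //  - OverridePlaceHolderTwo ends up as the second document's Allow iam:*,
            //    replacing the Deny "*" declared below.
            // An override can therefore turn a Deny into an Allow; review the rendered
            // JSON, not just the local statements.
            return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                OverridePolicyDocuments =
                {
                    first.Json,
                    second.Json,
                    third.Json,
                },
                Statements =
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                    {
                        Sid = "OverridePlaceHolderTwo",
                        Effect = "Deny",
                        Actions =
                        {
                            "*",
                        },
                        Resources =
                        {
                            "*",
                        },
                    },
                },
            }));
        });
    }
}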
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main starts an empty Pulumi program: the callback registers no resources and
// makes no getPolicyDocument call.
func main() {
	noop := func(ctx *pulumi.Context) error {
		return nil
	}
	pulumi.Run(noop)
}
package generated_program;
import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;
/**
 * Merges three override documents on top of one locally declared statement.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var allowS3 = GetPolicyDocumentStatementArgs.builder()
            .sid("OverridePlaceHolderOne")
            .effect("Allow")
            .actions("s3:*")
            .resources("*")
            .build();
        final var policyOne = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(allowS3)
            .build()));

        final var allowEc2 = GetPolicyDocumentStatementArgs.builder()
            .effect("Allow")
            .actions("ec2:*")
            .resources("*")
            .build();
        final var allowIam = GetPolicyDocumentStatementArgs.builder()
            .sid("OverridePlaceHolderTwo")
            .effect("Allow")
            .actions("iam:*")
            .resources("*")
            .build();
        final var policyTwo = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(allowEc2, allowIam)
            .build()));

        final var denyLogs = GetPolicyDocumentStatementArgs.builder()
            .sid("OverridePlaceHolderOne")
            .effect("Deny")
            .actions("logs:*")
            .resources("*")
            .build();
        final var policyThree = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(denyLogs)
            .build()));

        final var denyEverything = GetPolicyDocumentStatementArgs.builder()
            .sid("OverridePlaceHolderTwo")
            .effect("Deny")
            .actions("*")
            .resources("*")
            .build();

        // Override documents are applied in list order and win over statements():
        //  - OverridePlaceHolderOne ends up as policyThree's Deny logs:* (it replaces
        //    policyOne's Allow s3:*);
        //  - OverridePlaceHolderTwo ends up as policyTwo's Allow iam:*, replacing the
        //    Deny "*" declared locally.
        // An override can therefore turn a Deny into an Allow; review the rendered JSON,
        // not just the local statements.
        final var combined = Output.of(IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .overridePolicyDocuments(
                policyOne.apply(getPolicyDocumentResult -> getPolicyDocumentResult.json()),
                policyTwo.apply(getPolicyDocumentResult -> getPolicyDocumentResult.json()),
                policyThree.apply(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .statements(denyEverything)
            .build()));
    }
}
import pulumi
import pulumi_aws as aws
# NOTE(review): every statement below uses wildcard actions on resource "*".
# These read as sample values for the merge demonstration, not as a policy to
# attach as-is.

# Document one: sid OverridePlaceHolderOne, Allow s3:* on every resource.
allow_s3 = aws.iam.GetPolicyDocumentStatementArgs(
    sid="OverridePlaceHolderOne",
    effect="Allow",
    actions=["s3:*"],
    resources=["*"],
)
policy_one = aws.iam.get_policy_document(statements=[allow_s3])

# Document two: one statement without a sid and one with sid OverridePlaceHolderTwo.
allow_ec2 = aws.iam.GetPolicyDocumentStatementArgs(
    effect="Allow",
    actions=["ec2:*"],
    resources=["*"],
)
allow_iam = aws.iam.GetPolicyDocumentStatementArgs(
    sid="OverridePlaceHolderTwo",
    effect="Allow",
    actions=["iam:*"],
    resources=["*"],
)
policy_two = aws.iam.get_policy_document(statements=[allow_ec2, allow_iam])

# Document three reuses sid OverridePlaceHolderOne with the opposite effect.
# Per the argument reference, a statement with a non-blank sid overrides a
# same-sid statement from an earlier document in the override list, so this
# Deny logs:* statement replaces document one's Allow s3:* statement.
deny_logs = aws.iam.GetPolicyDocumentStatementArgs(
    sid="OverridePlaceHolderOne",
    effect="Deny",
    actions=["logs:*"],
    resources=["*"],
)
policy_three = aws.iam.get_policy_document(statements=[deny_logs])

# NOTE(review): the inline statement shares sid OverridePlaceHolderTwo with
# document two's Allow iam:* statement, and the two have opposite effects.
# Confirm from combined.json which one the merged document keeps before
# attaching it anywhere.
deny_everything = aws.iam.GetPolicyDocumentStatementArgs(
    sid="OverridePlaceHolderTwo",
    effect="Deny",
    actions=["*"],
    resources=["*"],
)
combined = aws.iam.get_policy_document(
    override_policy_documents=[
        doc.json for doc in (policy_one, policy_two, policy_three)
    ],
    statements=[deny_everything],
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// NOTE(review): every statement below uses wildcard actions on resource "*".
// These read as sample values for the merge demonstration, not as a policy to
// attach as-is.

// Document one: sid OverridePlaceHolderOne, Allow s3:* on every resource.
const policyOne = aws.iam.getPolicyDocument({
    statements: [
        {
            sid: "OverridePlaceHolderOne",
            effect: "Allow",
            actions: ["s3:*"],
            resources: ["*"],
        },
    ],
});

// Document two: one statement without a sid and one with sid OverridePlaceHolderTwo.
const policyTwo = aws.iam.getPolicyDocument({
    statements: [
        { effect: "Allow", actions: ["ec2:*"], resources: ["*"] },
        {
            sid: "OverridePlaceHolderTwo",
            effect: "Allow",
            actions: ["iam:*"],
            resources: ["*"],
        },
    ],
});

// Document three reuses sid OverridePlaceHolderOne with the opposite effect.
// Per the argument reference, a statement with a non-blank sid overrides a
// same-sid statement from an earlier document in the override list, so this
// Deny logs:* statement replaces document one's Allow s3:* statement.
const policyThree = aws.iam.getPolicyDocument({
    statements: [
        {
            sid: "OverridePlaceHolderOne",
            effect: "Deny",
            actions: ["logs:*"],
            resources: ["*"],
        },
    ],
});

// Wait for all three documents, then pass their JSON in list order.
// NOTE(review): the inline statement shares sid OverridePlaceHolderTwo with
// document two's Allow iam:* statement, and the two have opposite effects.
// Confirm from the rendered json which one the merged document keeps before
// attaching it anywhere.
const combined = Promise.all([policyOne, policyTwo, policyThree]).then((docs) =>
    aws.iam.getPolicyDocument({
        overridePolicyDocuments: docs.map((doc) => doc.json),
        statements: [
            {
                sid: "OverridePlaceHolderTwo",
                effect: "Deny",
                actions: ["*"],
                resources: ["*"],
            },
        ],
    }),
);
# NOTE(review): every statement below uses wildcard actions on resource '*'.
# These read as sample values for the merge demonstration, not as a policy to
# attach as-is.
variables:
  # Document one: sid OverridePlaceHolderOne, Allow s3:* on every resource.
  policyOne:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: OverridePlaceHolderOne
            effect: Allow
            actions:
              - s3:*
            resources:
              - '*'
  # Document two: one statement without a sid and one with sid OverridePlaceHolderTwo.
  policyTwo:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            actions:
              - ec2:*
            resources:
              - '*'
          - sid: OverridePlaceHolderTwo
            effect: Allow
            actions:
              - iam:*
            resources:
              - '*'
  # Document three reuses sid OverridePlaceHolderOne with the opposite effect.
  # Per the argument reference, a statement with a non-blank sid overrides a
  # same-sid statement from an earlier document in the override list, so this
  # Deny logs:* statement replaces document one's Allow s3:* statement.
  policyThree:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: OverridePlaceHolderOne
            effect: Deny
            actions:
              - logs:*
            resources:
              - '*'
  # NOTE(review): the inline statement shares sid OverridePlaceHolderTwo with
  # document two's Allow iam:* statement, and the two have opposite effects.
  # Confirm from the rendered json which one the merged document keeps before
  # attaching it anywhere.
  combined:
    Fn::Invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        overridePolicyDocuments:
          - ${policyOne.json}
          - ${policyTwo.json}
          - ${policyThree.json}
        statements:
          - sid: OverridePlaceHolderTwo
            effect: Deny
            actions:
              - '*'
            resources:
              - '*'
Using getPolicyDocument
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
function getPolicyDocumentOutput(args: GetPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetPolicyDocumentResult>
def get_policy_document(override_json: Optional[str] = None,
override_policy_documents: Optional[Sequence[str]] = None,
policy_id: Optional[str] = None,
source_json: Optional[str] = None,
source_policy_documents: Optional[Sequence[str]] = None,
statements: Optional[Sequence[GetPolicyDocumentStatement]] = None,
version: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
def get_policy_document_output(override_json: Optional[pulumi.Input[str]] = None,
override_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
policy_id: Optional[pulumi.Input[str]] = None,
source_json: Optional[pulumi.Input[str]] = None,
source_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
statements: Optional[pulumi.Input[Sequence[pulumi.Input[GetPolicyDocumentStatementArgs]]]] = None,
version: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetPolicyDocumentResult]
func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)
func GetPolicyDocumentOutput(ctx *Context, args *GetPolicyDocumentOutputArgs, opts ...InvokeOption) GetPolicyDocumentResultOutput
> Note: This function is named `GetPolicyDocument` in the Go SDK.
public static class GetPolicyDocument
{
public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
public static Output<GetPolicyDocumentResult> Invoke(GetPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
Fn::Invoke:
Function: aws:iam/getPolicyDocument:getPolicyDocument
Arguments:
# Arguments dictionary
The following arguments are supported:
- OverrideJson string
  IAM policy document whose statements with non-blank `sid`s will override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents`, and `override_policy_documents` arguments. Non-overriding statements will be added to the exported document.
  Use the attribute "override_policy_documents" instead.
- OverridePolicyDocuments List<string>
  List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` from earlier documents in the list. Statements with non-blank `sid`s will also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements will be added to the exported document. An override replaces the whole statement, effect included, so review the rendered `json` whenever an override reuses the `sid` of a `Deny` statement.
- PolicyId string
  ID for the policy document.
- SourceJson string
  IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
  Use the attribute "source_policy_documents" instead.
- SourcePolicyDocuments List<string>
  List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
- Statements List<Pulumi.Aws.Iam.Inputs.GetPolicyDocumentStatement>
  Configuration block for a policy statement. Detailed below.
- Version string
  IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. For more information, see the AWS IAM User Guide.
- OverrideJson string
  IAM policy document whose statements with non-blank `sid`s will override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents`, and `override_policy_documents` arguments. Non-overriding statements will be added to the exported document.
  Use the attribute "override_policy_documents" instead.
- OverridePolicyDocuments []string
  List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` from earlier documents in the list. Statements with non-blank `sid`s will also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements will be added to the exported document.
- PolicyId string
  ID for the policy document.
- SourceJson string
  IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
  Use the attribute "source_policy_documents" instead.
- SourcePolicyDocuments []string
  List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
- Statements []GetPolicyDocumentStatement
  Configuration block for a policy statement. Detailed below.
- Version string
  IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. For more information, see the AWS IAM User Guide.
- overrideJson String
  IAM policy document whose statements with non-blank `sid`s will override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents`, and `override_policy_documents` arguments. Non-overriding statements will be added to the exported document.
  Use the attribute "override_policy_documents" instead.
- overridePolicyDocuments List<String>
  List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` from earlier documents in the list. Statements with non-blank `sid`s will also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements will be added to the exported document.
- policyId String
  ID for the policy document.
- sourceJson String
  IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
  Use the attribute "source_policy_documents" instead.
- sourcePolicyDocuments List<String>
  List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
- statements List<GetPolicyDocumentStatement>
  Configuration block for a policy statement. Detailed below.
- version String
  IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. For more information, see the AWS IAM User Guide.
- overrideJson string
  IAM policy document whose statements with non-blank `sid`s will override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents`, and `override_policy_documents` arguments. Non-overriding statements will be added to the exported document.
  Use the attribute "override_policy_documents" instead.
- overridePolicyDocuments string[]
  List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` from earlier documents in the list. Statements with non-blank `sid`s will also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements will be added to the exported document.
- policyId string
  ID for the policy document.
- sourceJson string
  IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
  Use the attribute "source_policy_documents" instead.
- sourcePolicyDocuments string[]
  List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
- statements GetPolicyDocumentStatement[]
  Configuration block for a policy statement. Detailed below.
- version string
  IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. For more information, see the AWS IAM User Guide.
- override_json str
  IAM policy document whose statements with non-blank `sid`s will override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents`, and `override_policy_documents` arguments. Non-overriding statements will be added to the exported document.
  Use the attribute "override_policy_documents" instead.
- override_policy_documents Sequence[str]
  List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` from earlier documents in the list. Statements with non-blank `sid`s will also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements will be added to the exported document.
- policy_id str
  ID for the policy document.
- source_json str
  IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
  Use the attribute "source_policy_documents" instead.
- source_policy_documents Sequence[str]
  List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
- statements Sequence[GetPolicyDocumentStatement]
  Configuration block for a policy statement. Detailed below.
- version str
  IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. For more information, see the AWS IAM User Guide.
- overrideJson String
  IAM policy document whose statements with non-blank `sid`s will override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents`, and `override_policy_documents` arguments. Non-overriding statements will be added to the exported document.
  Use the attribute "override_policy_documents" instead.
- overridePolicyDocuments List<String>
  List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` from earlier documents in the list. Statements with non-blank `sid`s will also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements will be added to the exported document.
- policyId String
  ID for the policy document.
- sourceJson String
  IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
  Use the attribute "source_policy_documents" instead.
- sourcePolicyDocuments List<String>
  List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments will override source statements.
- statements List<Property Map>
  Configuration block for a policy statement. Detailed below.
- version String
  IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. For more information, see the AWS IAM User Guide.
getPolicyDocument Result
The following output properties are available:
- Id string
  The provider-assigned unique ID for this managed resource.
- Json string
  Standard JSON policy document rendered based on the arguments above.
- OverrideJson string
  Use the attribute "override_policy_documents" instead.
- OverridePolicyDocuments List<string>
- PolicyId string
- SourceJson string
  Use the attribute "source_policy_documents" instead.
- SourcePolicyDocuments List<string>
- Statements List<Pulumi.Aws.Iam.Outputs.GetPolicyDocumentStatement>
- Version string
- Id string
  The provider-assigned unique ID for this managed resource.
- Json string
  Standard JSON policy document rendered based on the arguments above.
- OverrideJson string
  Use the attribute "override_policy_documents" instead.
- OverridePolicyDocuments []string
- PolicyId string
- SourceJson string
  Use the attribute "source_policy_documents" instead.
- SourcePolicyDocuments []string
- Statements []GetPolicyDocumentStatement
- Version string
- id String
  The provider-assigned unique ID for this managed resource.
- json String
  Standard JSON policy document rendered based on the arguments above.
- overrideJson String
  Use the attribute "override_policy_documents" instead.
- overridePolicyDocuments List<String>
- policyId String
- sourceJson String
  Use the attribute "source_policy_documents" instead.
- sourcePolicyDocuments List<String>
- statements List<GetPolicyDocumentStatement>
- version String
- id string
  The provider-assigned unique ID for this managed resource.
- json string
  Standard JSON policy document rendered based on the arguments above.
- overrideJson string
  Use the attribute "override_policy_documents" instead.
- overridePolicyDocuments string[]
- policyId string
- sourceJson string
  Use the attribute "source_policy_documents" instead.
- sourcePolicyDocuments string[]
- statements GetPolicyDocumentStatement[]
- version string
- id str
  The provider-assigned unique ID for this managed resource.
- json str
  Standard JSON policy document rendered based on the arguments above.
- override_json str
  Use the attribute "override_policy_documents" instead.
- override_policy_documents Sequence[str]
- policy_id str
- source_json str
  Use the attribute "source_policy_documents" instead.
- source_policy_documents Sequence[str]
- statements Sequence[GetPolicyDocumentStatement]
- version str
- id String
  The provider-assigned unique ID for this managed resource.
- json String
  Standard JSON policy document rendered based on the arguments above.
- overrideJson String
  Use the attribute "override_policy_documents" instead.
- overridePolicyDocuments List<String>
- policyId String
- sourceJson String
  Use the attribute "source_policy_documents" instead.
- sourcePolicyDocuments List<String>
- statements List<Property Map>
- version String
Supporting Types
GetPolicyDocumentStatement
- Actions List<string>
  List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- Conditions List<Pulumi.Aws.Iam.Inputs.GetPolicyDocumentStatementCondition>
  Configuration block for a condition. Detailed below.
- Effect string
  Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`.
- NotActions List<string>
  List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
- NotPrincipals List<Pulumi.Aws.Iam.Inputs.GetPolicyDocumentStatementNotPrincipal>
  Like `principals` except these are principals that the statement does not apply to.
- NotResources List<string>
  List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`.
- Principals List<Pulumi.Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipal>
  Configuration block for principals. Detailed below.
- Resources List<string>
  List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- Sid string
  Sid (statement ID) is an identifier for a policy statement.
- Actions []string
  List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- Conditions []GetPolicyDocumentStatementCondition
  Configuration block for a condition. Detailed below.
- Effect string
  Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`.
- NotActions []string
  List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
- NotPrincipals []GetPolicyDocumentStatementNotPrincipal
  Like `principals` except these are principals that the statement does not apply to.
- NotResources []string
  List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`.
- Principals []GetPolicyDocumentStatementPrincipal
  Configuration block for principals. Detailed below.
- Resources []string
  List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- Sid string
  Sid (statement ID) is an identifier for a policy statement.
- actions List<String>
  List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- conditions List<GetPolicyDocumentStatementCondition>
  Configuration block for a condition. Detailed below.
- effect String
  Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`.
- notActions List<String>
  List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
- notPrincipals List<GetPolicyDocumentStatementNotPrincipal>
  Like `principals` except these are principals that the statement does not apply to.
- notResources List<String>
  List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`.
- principals List<GetPolicyDocumentStatementPrincipal>
  Configuration block for principals. Detailed below.
- resources List<String>
  List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- sid String
  Sid (statement ID) is an identifier for a policy statement.
- actions string[]
  List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- conditions GetPolicyDocumentStatementCondition[]
  Configuration block for a condition. Detailed below.
- effect string
  Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`.
- notActions string[]
  List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
- notPrincipals GetPolicyDocumentStatementNotPrincipal[]
  Like `principals` except these are principals that the statement does not apply to.
- notResources string[]
  List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`.
- principals GetPolicyDocumentStatementPrincipal[]
  Configuration block for principals. Detailed below.
- resources string[]
  List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- sid string
  Sid (statement ID) is an identifier for a policy statement.
- actions Sequence[str]
  List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- conditions Sequence[GetPolicyDocumentStatementCondition]
  Configuration block for a condition. Detailed below.
- effect str
  Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`.
- not_actions Sequence[str]
  List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
- not_principals Sequence[GetPolicyDocumentStatementNotPrincipal]
  Like `principals` except these are principals that the statement does not apply to.
- not_resources Sequence[str]
  List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`.
- principals Sequence[GetPolicyDocumentStatementPrincipal]
  Configuration block for principals. Detailed below.
- resources Sequence[str]
  List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- sid str
  Sid (statement ID) is an identifier for a policy statement.
- actions List<String>
  List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- conditions List<Property Map>
  Configuration block for a condition. Detailed below.
- effect String
  Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`.
- notActions List<String>
  List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
- notPrincipals List<Property Map>
  Like `principals` except these are principals that the statement does not apply to.
- notResources List<String>
  List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`.
- principals List<Property Map>
  Configuration block for principals. Detailed below.
- resources List<String>
  List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- sid String
  Sid (statement ID) is an identifier for a policy statement.
GetPolicyDocumentStatementCondition
- Test string
Name of the IAM condition operator to evaluate.
- Values List<string>
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
- Variable string
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
- Test string
Name of the IAM condition operator to evaluate.
- Values []string
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
- Variable string
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
- test String
Name of the IAM condition operator to evaluate.
- values List<String>
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
- variable String
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
- test string
Name of the IAM condition operator to evaluate.
- values string[]
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
- variable string
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
- test str
Name of the IAM condition operator to evaluate.
- values Sequence[str]
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
- variable str
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
- test String
Name of the IAM condition operator to evaluate.
- values List<String>
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
- variable String
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
GetPolicyDocumentStatementNotPrincipal
- Identifiers List<string>
  List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- Type string
  Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`.
- Identifiers []string
  List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- Type string
  Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`.
- identifiers List<String>
  List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- type String
  Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`.
- identifiers string[]
  List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- type string
  Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`.
- identifiers Sequence[str]
List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- type str
Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`.
- identifiers List<String>
List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- type String
Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`.
GetPolicyDocumentStatementPrincipal
- Identifiers List<string>
List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- Type string
Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. `*` matches every principal, including anonymous callers, so a statement that allows it is normally scoped with `Conditions`.
- Identifiers []string
List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- Type string
Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`.
- identifiers List<String>
List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- type String
Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`.
- identifiers string[]
List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- type string
Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`.
- identifiers Sequence[str]
List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- type str
Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`.
- identifiers List<String>
List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::12345678901:role/yak-role`. When `type` is `Service`, these are AWS Service roles, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity users or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::12345678901:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- type String
Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`.
Package Details
- Repository
- https://github.com/pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
This Pulumi package is based on the `aws` Terraform Provider.