
AWS Classic v6.23.0 published on Thursday, Feb 22, 2024 by Pulumi

aws.iam.getPolicyDocument


    Generates an IAM policy document in JSON format for use with resources that expect policy documents such as aws.iam.Policy.

    Using this data source to generate policy documents is optional. It is also valid to use literal JSON strings in your configuration or to use the file interpolation function to read a raw JSON policy document from a file.

    Example Usage

    Basic Example

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() =>
    {
        // Statement "1": lets the caller enumerate buckets and read their regions.
        var discoverBuckets = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Sid = "1",
            Actions = new[]
            {
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
            },
            Resources = new[]
            {
                "arn:aws:s3:::*",
            },
        };

        // Listing inside the bucket is limited by the s3:prefix condition to the
        // bucket root, home/ and the caller's own home/<username>/ prefix.
        // "&{aws:username}" is the data source's spelling of the IAM policy
        // variable ${aws:username}, which IAM resolves per request.
        var listOwnPrefixes = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Actions = new[] { "s3:ListBucket" },
            Resources = new[] { $"arn:aws:s3:::{@var.S3_bucket_name}" },
            Conditions = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                {
                    Test = "StringLike",
                    Variable = "s3:prefix",
                    Values = new[]
                    {
                        "",
                        "home/",
                        "home/&{aws:username}/",
                    },
                },
            },
        };

        // s3:* is granted only on the caller's own home prefix. The braces are
        // doubled because these are interpolated strings; C# emits "&{aws:username}".
        var fullAccessOwnHome = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Actions = new[] { "s3:*" },
            Resources = new[]
            {
                $"arn:aws:s3:::{@var.S3_bucket_name}/home/&{{aws:username}}",
                $"arn:aws:s3:::{@var.S3_bucket_name}/home/&{{aws:username}}/*",
            },
        };

        var examplePolicyDocument = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[] { discoverBuckets, listOwnPrefixes, fullAccessOwnHome },
        });

        // The rendered JSON becomes the document of a managed policy.
        var examplePolicy = new Aws.Iam.Policy("examplePolicy", new()
        {
            Path = "/",
            PolicyDocument = examplePolicyDocument.Apply(rendered => rendered.Json),
        });

    });
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
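    // main deploys a managed IAM policy whose JSON document is generated by
    // iam.GetPolicyDocument.
    //
    // NOTE(review): _var is not declared anywhere in this listing; it stands in
    // for wherever the stack obtains the bucket name and must be supplied before
    // the program compiles.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		examplePolicyDocument, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			// The invoke takes plain Go values, so Statements is a typed slice of
    			// statement structs rather than a pulumi.Array.
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					// Account-wide bucket discovery: list buckets and read their regions.
    					Sid: pulumi.StringRef("1"),
    					Actions: []string{
    						"s3:ListAllMyBuckets",
    						"s3:GetBucketLocation",
    					},
    					Resources: []string{
    						"arn:aws:s3:::*",
    					},
    				},
    				{
    					// Listing is limited by the s3:prefix condition to the bucket root,
    					// home/ and the caller's own home/<username>/ prefix.
    					Actions: []string{
    						"s3:ListBucket",
    					},
    					Resources: []string{
    						fmt.Sprintf("arn:aws:s3:::%v", _var.S3_bucket_name),
    					},
    					Conditions: []iam.GetPolicyDocumentStatementCondition{
    						{
    							Test:     "StringLike",
    							Variable: "s3:prefix",
    							Values: []string{
    								"",
    								"home/",
    								// "&{...}" is the data source's spelling of the IAM policy
    								// variable ${aws:username}, resolved by IAM per request.
    								"home/&{aws:username}/",
    							},
    						},
    					},
    				},
    				{
    					// s3:* is granted only on the caller's own home prefix.
    					Actions: []string{
    						"s3:*",
    					},
    					Resources: []string{
    						fmt.Sprintf("arn:aws:s3:::%v/home/&{aws:username}", _var.S3_bucket_name),
    						fmt.Sprintf("arn:aws:s3:::%v/home/&{aws:username}/*", _var.S3_bucket_name),
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = iam.NewPolicy(ctx, "examplePolicy", &iam.PolicyArgs{
    			Path: pulumi.String("/"),
    			// Json is a plain string on the invoke result; wrap it as an input
    			// instead of dereferencing the wrapper.
    			Policy: pulumi.String(examplePolicyDocument.Json),
    		})
    		return err
    	})
    }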
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.Policy;
    import com.pulumi.aws.iam.PolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
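    /**
     * Deploys a managed IAM policy whose JSON document is generated by
     * {@code IamFunctions.getPolicyDocument}.
     *
     * NOTE(review): {@code var_} is not declared in this listing; it stands in
     * for wherever the stack obtains the bucket name.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Builds the three-statement policy document and attaches it to a policy.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            final var examplePolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(
                    // Account-wide bucket discovery: list buckets and read their regions.
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("1")
                        .actions(
                            "s3:ListAllMyBuckets",
                            "s3:GetBucketLocation")
                        .resources("arn:aws:s3:::*")
                        .build(),
                    // Listing is limited by the s3:prefix condition to the bucket root,
                    // home/ and the caller's own home/<username>/ prefix.
                    GetPolicyDocumentStatementArgs.builder()
                        .actions("s3:ListBucket")
                        .resources(String.format("arn:aws:s3:::%s", var_.s3_bucket_name()))
                        .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                            .test("StringLike")
                            .variable("s3:prefix")
                            .values(
                                "",
                                "home/",
                                "home/&{aws:username}/")
                            .build())
                        .build(),
                    // s3:* is granted only on the caller's own home prefix.
                    // String.format does not treat braces specially, so they are
                    // written once: doubled braces would reach the policy as a literal
                    // "&{{aws:username}}" path segment instead of the per-user
                    // ${aws:username} policy variable.
                    GetPolicyDocumentStatementArgs.builder()
                        .actions("s3:*")
                        .resources(
                            String.format("arn:aws:s3:::%s/home/&{aws:username}", var_.s3_bucket_name()),
                            String.format("arn:aws:s3:::%s/home/&{aws:username}/*", var_.s3_bucket_name()))
                        .build())
                .build());

            // The rendered JSON becomes the document of a managed policy.
            var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()
                .path("/")
                .policy(examplePolicyDocument.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());

        }
    }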
    
    import pulumi
    import pulumi_aws as aws
    
    # ARN of the bucket that holds the per-user home directories.
    bucket_arn = f"arn:aws:s3:::{var['s3_bucket_name']}"

    # Statement "1": account-wide bucket discovery.
    discover_buckets = aws.iam.GetPolicyDocumentStatementArgs(
        sid="1",
        actions=["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
        resources=["arn:aws:s3:::*"],
    )

    # Listing is limited by the s3:prefix condition to the bucket root, home/ and
    # the caller's own home/<username>/ prefix. "&{aws:username}" is the data
    # source's spelling of the IAM policy variable ${aws:username}.
    list_own_prefixes = aws.iam.GetPolicyDocumentStatementArgs(
        actions=["s3:ListBucket"],
        resources=[bucket_arn],
        conditions=[aws.iam.GetPolicyDocumentStatementConditionArgs(
            test="StringLike",
            variable="s3:prefix",
            values=["", "home/", "home/&{aws:username}/"],
        )],
    )

    # s3:* is granted only on the caller's own home prefix. The braces are
    # doubled because these are f-strings; Python emits "&{aws:username}".
    full_access_own_home = aws.iam.GetPolicyDocumentStatementArgs(
        actions=["s3:*"],
        resources=[
            f"{bucket_arn}/home/&{{aws:username}}",
            f"{bucket_arn}/home/&{{aws:username}}/*",
        ],
    )

    example_policy_document = aws.iam.get_policy_document(statements=[
        discover_buckets,
        list_own_prefixes,
        full_access_own_home,
    ])

    # The rendered JSON becomes the document of a managed policy.
    example_policy = aws.iam.Policy(
        "examplePolicy",
        path="/",
        policy=example_policy_document.json,
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // ARN of the bucket that holds the per-user home directories.
    const bucketArn = `arn:aws:s3:::${_var.s3_bucket_name}`;

    // Statement "1": account-wide bucket discovery.
    const discoverBuckets = {
        sid: "1",
        actions: ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
        resources: ["arn:aws:s3:::*"],
    };

    // Listing is limited by the s3:prefix condition to the bucket root, home/ and
    // the caller's own home/<username>/ prefix. "&{aws:username}" is the data
    // source's spelling of the IAM policy variable ${aws:username}.
    const listOwnPrefixes = {
        actions: ["s3:ListBucket"],
        resources: [bucketArn],
        conditions: [{
            test: "StringLike",
            variable: "s3:prefix",
            values: ["", "home/", "home/&{aws:username}/"],
        }],
    };

    // s3:* is granted only on the caller's own home prefix.
    const fullAccessOwnHome = {
        actions: ["s3:*"],
        resources: [
            `${bucketArn}/home/&{aws:username}`,
            `${bucketArn}/home/&{aws:username}/*`,
        ],
    };

    const examplePolicyDocument = aws.iam.getPolicyDocument({
        statements: [discoverBuckets, listOwnPrefixes, fullAccessOwnHome],
    });

    // The rendered JSON becomes the document of a managed policy.
    const examplePolicy = new aws.iam.Policy("examplePolicy", {
        path: "/",
        policy: examplePolicyDocument.then(rendered => rendered.json),
    });
    
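    # Managed policy whose document is the JSON rendered by getPolicyDocument.
    # NOTE(review): "var" is not defined in this listing; it stands in for
    # wherever the stack obtains the bucket name.
    resources:
      examplePolicy:
        type: aws:iam:Policy
        properties:
          path: /
          policy: ${examplePolicyDocument.json}
    variables:
      examplePolicyDocument:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              # Account-wide bucket discovery: list buckets and read their regions.
              - sid: '1'
                actions:
                  - s3:ListAllMyBuckets
                  - s3:GetBucketLocation
                resources:
                  - arn:aws:s3:::*
              # Listing is limited by the s3:prefix condition to the bucket root,
              # home/ and the caller's own home/<username>/ prefix.
              - actions:
                  - s3:ListBucket
                resources:
                  - arn:aws:s3:::${var.s3_bucket_name}
                conditions:
                  - test: StringLike
                    variable: s3:prefix
                    values:
                      # Quoted so the bucket-root prefix is an empty string; a bare
                      # "-" would be read as null.
                      - ''
                      - home/
                      - home/&{aws:username}/
              # s3:* is granted only on the caller's own home prefix.
              - actions:
                  - s3:*
                resources:
                  - arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}
                  - arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}/*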
    

    Example Multiple Condition Keys and Values

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() =>
    {
        // Resources is "*", so these encryption-context conditions are the only
        // scoping on the KMS grant. IAM requires every condition key to match;
        // within one key, any of the listed values is enough.
        var encryptionContext = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
            {
                Test = "ForAnyValue:StringEquals",
                Values = new[] { "pi" },
                Variable = "kms:EncryptionContext:service",
            },
            new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
            {
                Test = "ForAnyValue:StringEquals",
                Values = new[] { "rds" },
                Variable = "kms:EncryptionContext:aws:pi:service",
            },
            new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
            {
                Test = "ForAnyValue:StringEquals",
                Values = new[]
                {
                    "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                    "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
                },
                Variable = "kms:EncryptionContext:aws:rds:db-id",
            },
        };

        var exampleMultipleConditionKeysAndValues = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[] { "kms:Decrypt", "kms:GenerateDataKey" },
                    Conditions = encryptionContext,
                    Resources = new[] { "*" },
                },
            },
        });

    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main renders a policy document that allows two KMS actions under three
    // encryption-context conditions; the document is generated but not attached
    // to any resource in this listing.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Resources is "*", so these conditions are the only scoping on the grant.
    		// IAM requires every condition key to match; within one key, any of the
    		// listed values is enough.
    		encryptionContext := []iam.GetPolicyDocumentStatementCondition{
    			{
    				Test:     "ForAnyValue:StringEquals",
    				Values:   []string{"pi"},
    				Variable: "kms:EncryptionContext:service",
    			},
    			{
    				Test:     "ForAnyValue:StringEquals",
    				Values:   []string{"rds"},
    				Variable: "kms:EncryptionContext:aws:pi:service",
    			},
    			{
    				Test: "ForAnyValue:StringEquals",
    				Values: []string{
    					"db-AAAAABBBBBCCCCCDDDDDEEEEE",
    					"db-EEEEEDDDDDCCCCCBBBBBAAAAA",
    				},
    				Variable: "kms:EncryptionContext:aws:rds:db-id",
    			},
    		}

    		statement := iam.GetPolicyDocumentStatement{
    			Actions:    []string{"kms:Decrypt", "kms:GenerateDataKey"},
    			Conditions: encryptionContext,
    			Resources:  []string{"*"},
    		}

    		_, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{statement},
    		}, nil)
    		return err
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Renders a policy document that allows two KMS actions under three
     * encryption-context conditions.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Builds the single-statement KMS policy document.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            // Resources is "*", so these conditions are the only scoping on the grant.
            // IAM requires every condition key to match; within one key, any of the
            // listed values is enough.
            final var serviceIsPi = GetPolicyDocumentStatementConditionArgs.builder()
                .test("ForAnyValue:StringEquals")
                .values("pi")
                .variable("kms:EncryptionContext:service")
                .build();
            final var piServiceIsRds = GetPolicyDocumentStatementConditionArgs.builder()
                .test("ForAnyValue:StringEquals")
                .values("rds")
                .variable("kms:EncryptionContext:aws:pi:service")
                .build();
            final var knownDatabases = GetPolicyDocumentStatementConditionArgs.builder()
                .test("ForAnyValue:StringEquals")
                .values(
                    "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                    "db-EEEEEDDDDDCCCCCBBBBBAAAAA")
                .variable("kms:EncryptionContext:aws:rds:db-id")
                .build();

            final var kmsStatement = GetPolicyDocumentStatementArgs.builder()
                .actions(
                    "kms:Decrypt",
                    "kms:GenerateDataKey")
                .conditions(serviceIsPi, piServiceIsRds, knownDatabases)
                .resources("*")
                .build();

            final var exampleMultipleConditionKeysAndValues = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(kmsStatement)
                .build());

        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    # resources is "*", so these encryption-context conditions are the only
    # scoping on the KMS grant. IAM requires every condition key to match;
    # within one key, any of the listed values is enough.
    encryption_context = [
        aws.iam.GetPolicyDocumentStatementConditionArgs(
            test="ForAnyValue:StringEquals",
            values=["pi"],
            variable="kms:EncryptionContext:service",
        ),
        aws.iam.GetPolicyDocumentStatementConditionArgs(
            test="ForAnyValue:StringEquals",
            values=["rds"],
            variable="kms:EncryptionContext:aws:pi:service",
        ),
        aws.iam.GetPolicyDocumentStatementConditionArgs(
            test="ForAnyValue:StringEquals",
            values=[
                "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
            ],
            variable="kms:EncryptionContext:aws:rds:db-id",
        ),
    ]

    kms_statement = aws.iam.GetPolicyDocumentStatementArgs(
        actions=["kms:Decrypt", "kms:GenerateDataKey"],
        conditions=encryption_context,
        resources=["*"],
    )

    example_multiple_condition_keys_and_values = aws.iam.get_policy_document(
        statements=[kms_statement],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // resources is "*", so these encryption-context conditions are the only
    // scoping on the KMS grant. IAM requires every condition key to match;
    // within one key, any of the listed values is enough.
    const encryptionContext = [
        {
            test: "ForAnyValue:StringEquals",
            values: ["pi"],
            variable: "kms:EncryptionContext:service",
        },
        {
            test: "ForAnyValue:StringEquals",
            values: ["rds"],
            variable: "kms:EncryptionContext:aws:pi:service",
        },
        {
            test: "ForAnyValue:StringEquals",
            values: [
                "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
            ],
            variable: "kms:EncryptionContext:aws:rds:db-id",
        },
    ];

    const exampleMultipleConditionKeysAndValues = aws.iam.getPolicyDocument({
        statements: [{
            actions: ["kms:Decrypt", "kms:GenerateDataKey"],
            conditions: encryptionContext,
            resources: ["*"],
        }],
    });
    
    variables:
      exampleMultipleConditionKeysAndValues:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              # resources is "*", so the encryption-context conditions are the only
              # scoping on the KMS grant. IAM requires every condition key to match;
              # within one key, any of the listed values is enough.
              - actions: ["kms:Decrypt", "kms:GenerateDataKey"]
                resources: ["*"]
                conditions:
                  - test: "ForAnyValue:StringEquals"
                    variable: "kms:EncryptionContext:service"
                    values: ["pi"]
                  - test: "ForAnyValue:StringEquals"
                    variable: "kms:EncryptionContext:aws:pi:service"
                    values: ["rds"]
                  - test: "ForAnyValue:StringEquals"
                    variable: "kms:EncryptionContext:aws:rds:db-id"
                    values:
                      - "db-AAAAABBBBBCCCCCDDDDDEEEEE"
                      - "db-EEEEEDDDDDCCCCCBBBBBAAAAA"
    

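    The policy document defined above will evaluate to the following (the generated listings below are empty and do not show the resulting JSON policy):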

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    
    return await Deployment.RunAsync(() => 
    {
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
        }
    }
    
    import pulumi
    
    import * as pulumi from "@pulumi/pulumi";
    
    {}
    

    Example Assume-Role Policy with Multiple Principals

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() =>
    {
        // Trust policy principals: any one of them satisfies the statement, and
        // the statement carries no Conditions to narrow the trust.
        // NOTE(review): federated sign-in normally reaches a role through
        // sts:AssumeRoleWithSAML or sts:AssumeRoleWithWebIdentity; confirm that
        // sts:AssumeRole is the action the Federated principals are expected to use.
        var trustedPrincipals = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
            {
                Type = "Service",
                Identifiers = new[] { "firehose.amazonaws.com" },
            },
            new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
            {
                Type = "AWS",
                Identifiers = new[] { @var.Trusted_role_arn },
            },
            new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
            {
                Type = "Federated",
                Identifiers = new[]
                {
                    $"arn:aws:iam::{@var.Account_id}:saml-provider/{@var.Provider_name}",
                    "cognito-identity.amazonaws.com",
                },
            },
        };

        var eventStreamBucketRoleAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[] { "sts:AssumeRole" },
                    Principals = trustedPrincipals,
                },
            },
        });

    });
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
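    // main renders an assume-role (trust) policy document that names three kinds
    // of principal; the document is generated but not attached to a role here.
    //
    // NOTE(review): _var is not declared anywhere in this listing; it stands in
    // for wherever the stack obtains the role ARN, account id and provider name.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					// NOTE(review): federated sign-in normally reaches a role through
    					// sts:AssumeRoleWithSAML or sts:AssumeRoleWithWebIdentity; confirm
    					// that sts:AssumeRole is what the Federated principals should use.
    					Actions: []string{
    						"sts:AssumeRole",
    					},
    					// Any one of these principals satisfies the statement, and there
    					// are no Conditions narrowing the trust.
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "Service",
    							Identifiers: []string{
    								"firehose.amazonaws.com",
    							},
    						},
    						{
    							Type: "AWS",
    							// Identifiers is a string slice like its siblings; the
    							// interface{}{...} literal is not valid Go.
    							Identifiers: []string{
    								_var.Trusted_role_arn,
    							},
    						},
    						{
    							Type: "Federated",
    							Identifiers: []string{
    								fmt.Sprintf("arn:aws:iam::%v:saml-provider/%v", _var.Account_id, _var.Provider_name),
    								"cognito-identity.amazonaws.com",
    							},
    						},
    					},
    				},
    			},
    		}, nil)
    		return err
    	})
    }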
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Renders an assume-role (trust) policy document that names three kinds of
     * principal.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Builds the single-statement trust policy document.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            // Any one of these principals satisfies the statement, and the statement
            // carries no conditions to narrow the trust.
            final var firehoseService = GetPolicyDocumentStatementPrincipalArgs.builder()
                .type("Service")
                .identifiers("firehose.amazonaws.com")
                .build();
            final var trustedRole = GetPolicyDocumentStatementPrincipalArgs.builder()
                .type("AWS")
                .identifiers(var_.trusted_role_arn())
                .build();
            final var federatedProviders = GetPolicyDocumentStatementPrincipalArgs.builder()
                .type("Federated")
                .identifiers(
                    String.format("arn:aws:iam::%s:saml-provider/%s", var_.account_id(),var_.provider_name()),
                    "cognito-identity.amazonaws.com")
                .build();

            // NOTE(review): federated sign-in normally reaches a role through
            // sts:AssumeRoleWithSAML or sts:AssumeRoleWithWebIdentity; confirm that
            // sts:AssumeRole is what the Federated principals should use.
            final var trustStatement = GetPolicyDocumentStatementArgs.builder()
                .actions("sts:AssumeRole")
                .principals(firehoseService, trustedRole, federatedProviders)
                .build();

            final var eventStreamBucketRoleAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(trustStatement)
                .build());

        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    # Any one of these principals satisfies the statement, and the statement
    # carries no conditions to narrow the trust.
    trusted_principals = [
        aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            type="Service",
            identifiers=["firehose.amazonaws.com"],
        ),
        aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            type="AWS",
            identifiers=[var["trusted_role_arn"]],
        ),
        aws.iam.GetPolicyDocumentStatementPrincipalArgs(
            type="Federated",
            identifiers=[
                f"arn:aws:iam::{var['account_id']}:saml-provider/{var['provider_name']}",
                "cognito-identity.amazonaws.com",
            ],
        ),
    ]

    # NOTE(review): federated sign-in normally reaches a role through
    # sts:AssumeRoleWithSAML or sts:AssumeRoleWithWebIdentity; confirm that
    # sts:AssumeRole is what the Federated principals should use.
    trust_statement = aws.iam.GetPolicyDocumentStatementArgs(
        actions=["sts:AssumeRole"],
        principals=trusted_principals,
    )

    event_stream_bucket_role_assume_role_policy = aws.iam.get_policy_document(
        statements=[trust_statement],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Any one of these principals satisfies the statement, and the statement
    // carries no conditions to narrow the trust.
    const trustedPrincipals = [
        {
            type: "Service",
            identifiers: ["firehose.amazonaws.com"],
        },
        {
            type: "AWS",
            identifiers: [_var.trusted_role_arn],
        },
        {
            type: "Federated",
            identifiers: [
                `arn:aws:iam::${_var.account_id}:saml-provider/${_var.provider_name}`,
                "cognito-identity.amazonaws.com",
            ],
        },
    ];

    // NOTE(review): federated sign-in normally reaches a role through
    // sts:AssumeRoleWithSAML or sts:AssumeRoleWithWebIdentity; confirm that
    // sts:AssumeRole is what the Federated principals should use.
    const eventStreamBucketRoleAssumeRolePolicy = aws.iam.getPolicyDocument({
        statements: [{
            actions: ["sts:AssumeRole"],
            principals: trustedPrincipals,
        }],
    });
    
    variables:
      eventStreamBucketRoleAssumeRolePolicy:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              # NOTE(review): federated sign-in normally reaches a role through
              # sts:AssumeRoleWithSAML or sts:AssumeRoleWithWebIdentity; confirm that
              # sts:AssumeRole is what the Federated principals should use.
              - actions: ["sts:AssumeRole"]
                # Any one of these principals satisfies the statement, and the
                # statement carries no conditions to narrow the trust.
                principals:
                  - type: "Service"
                    identifiers: ["firehose.amazonaws.com"]
                  - type: "AWS"
                    identifiers: ["${var.trusted_role_arn}"]
                  - type: "Federated"
                    identifiers:
                      - "arn:aws:iam::${var.account_id}:saml-provider/${var.provider_name}"
                      - "cognito-identity.amazonaws.com"
    

    Example Using A Source Document

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() =>
    {
        // Broad base document: ec2:* and s3:* on every resource.
        var allEc2 = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Actions = new[] { "ec2:*" },
            Resources = new[] { "*" },
        };
        var allS3 = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Sid = "SidToOverride",
            Actions = new[] { "s3:*" },
            Resources = new[] { "*" },
        };

        var source = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[] { allEc2, allS3 },
        });

        // Reuses the Sid "SidToOverride" so that this statement is intended to
        // replace the same-Sid statement of the source document, narrowing s3:*
        // from "*" to one bucket. The Sid-less ec2:* on "*" statement has no
        // counterpart here - presumably it is carried over unchanged; verify the
        // rendered JSON.
        var s3OnOneBucket = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Sid = "SidToOverride",
            Actions = new[] { "s3:*" },
            Resources = new[]
            {
                "arn:aws:s3:::somebucket",
                "arn:aws:s3:::somebucket/*",
            },
        };

        var sourceDocumentExample = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            SourcePolicyDocuments = new[]
            {
                source.Apply(rendered => rendered.Json),
            },
            Statements = new[] { s3OnOneBucket },
        });

    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
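    // main renders a broad source policy document and then a second document
    // that takes the first as a source and redefines one of its statements.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Broad base document: ec2:* and s3:* on every resource.
    		source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions: []string{
    						"ec2:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    				{
    					Sid: pulumi.StringRef("SidToOverride"),
    					Actions: []string{
    						"s3:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			// SourcePolicyDocuments takes rendered JSON strings; the
    			// interface{}{...} literal is not valid Go.
    			SourcePolicyDocuments: []string{
    				source.Json,
    			},
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					// Reuses the Sid so that this statement is intended to replace the
    					// same-Sid statement of the source document, narrowing s3:* from
    					// "*" to one bucket. The Sid-less ec2:* on "*" statement has no
    					// counterpart here - presumably it is carried over unchanged;
    					// verify the rendered JSON.
    					Sid: pulumi.StringRef("SidToOverride"),
    					Actions: []string{
    						"s3:*",
    					},
    					Resources: []string{
    						"arn:aws:s3:::somebucket",
    						"arn:aws:s3:::somebucket/*",
    					},
    				},
    			},
    		}, nil)
    		return err
    	})
    }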
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Renders a broad source policy document and then a second document that
     * takes the first as a source and redefines one of its statements.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Builds the source document and the document derived from it.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            // Broad base document: ec2:* and s3:* on every resource.
            final var allEc2 = GetPolicyDocumentStatementArgs.builder()
                .actions("ec2:*")
                .resources("*")
                .build();
            final var allS3 = GetPolicyDocumentStatementArgs.builder()
                .sid("SidToOverride")
                .actions("s3:*")
                .resources("*")
                .build();

            final var source = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(allEc2, allS3)
                .build());

            // Reuses the Sid so that this statement is intended to replace the
            // same-Sid statement of the source document, narrowing s3:* from "*" to
            // one bucket. The Sid-less ec2:* on "*" statement has no counterpart
            // here - presumably it is carried over unchanged; verify the rendered JSON.
            final var s3OnOneBucket = GetPolicyDocumentStatementArgs.builder()
                .sid("SidToOverride")
                .actions("s3:*")
                .resources(
                    "arn:aws:s3:::somebucket",
                    "arn:aws:s3:::somebucket/*")
                .build();

            final var sourceDocumentExample = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .sourcePolicyDocuments(source.applyValue(rendered -> rendered.json()))
                .statements(s3OnOneBucket)
                .build());

        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    # Base document: ec2:* on every resource, plus s3:* on every resource under
    # the sid "SidToOverride". The wildcards only illustrate merging.
    source = aws.iam.get_policy_document(
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(actions=["ec2:*"], resources=["*"]),
            aws.iam.GetPolicyDocumentStatementArgs(sid="SidToOverride", actions=["s3:*"], resources=["*"]),
        ],
    )
    # Merged document: imports the base JSON and redeclares "SidToOverride".
    # Per the provider's merge rules the statement declared here replaces the
    # source statement with the same sid, narrowing s3:* to one bucket.
    source_document_example = aws.iam.get_policy_document(
        source_policy_documents=[source.json],
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="SidToOverride",
                actions=["s3:*"],
                resources=["arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"],
            ),
        ],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Base document: ec2:* on every resource, plus s3:* on every resource under
    // the sid "SidToOverride". The wildcards only illustrate merging.
    const source = aws.iam.getPolicyDocument({
        statements: [
            { actions: ["ec2:*"], resources: ["*"] },
            { sid: "SidToOverride", actions: ["s3:*"], resources: ["*"] },
        ],
    });
    // Merged document: imports the base JSON and redeclares "SidToOverride".
    // Per the provider's merge rules the statement declared here replaces the
    // source statement with the same sid, narrowing s3:* to one bucket.
    const sourceDocumentExample = source.then(base => aws.iam.getPolicyDocument({
        sourcePolicyDocuments: [base.json],
        statements: [
            {
                sid: "SidToOverride",
                actions: ["s3:*"],
                resources: ["arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"],
            },
        ],
    }));
    
    variables:
      # Base document: ec2:* and s3:* (sid SidToOverride) on every resource.
      # The wildcards only illustrate merging.
      source:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - actions:
                  - ec2:*
                resources:
                  - '*'
              - sid: SidToOverride
                actions:
                  - s3:*
                resources:
                  - '*'
      # Merged document: imports the base JSON and redeclares SidToOverride.
      # Per the provider's merge rules the statement declared here replaces the
      # source statement with the same sid.
      sourceDocumentExample:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            sourcePolicyDocuments:
              - ${source.json}
            statements:
              - sid: SidToOverride
                actions:
                  - s3:*
                resources:
                  - arn:aws:s3:::somebucket
                  - arn:aws:s3:::somebucket/*
    

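    will evaluate to a policy with two statements: the unnamed `ec2:*` statement on `*` taken from the source document, and `SidToOverride` as redeclared in the current document (`s3:*` on `arn:aws:s3:::somebucket` and `arn:aws:s3:::somebucket/*`), which replaces the source statement with the same sid. The rendered JSON is not shown; the listings that follow are empty programs.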

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    
    // Empty Pulumi program: the callback declares no resources.
    // NOTE(review): the text above reads "will evaluate to", so rendered policy
    // JSON was presumably intended in place of this listing.
    return await Deployment.RunAsync(() => { });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main runs an empty Pulumi program: the callback registers nothing and
    // reports success.
    // NOTE(review): the text above reads "will evaluate to", so rendered policy
    // JSON was presumably intended in place of this listing.
    func main() {
    	noop := func(_ *pulumi.Context) error { return nil }
    	pulumi.Run(noop)
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Empty Pulumi program: {@code stack} declares no resources.
     * NOTE(review): the text above reads "will evaluate to", so rendered policy
     * JSON was presumably intended in place of this listing.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(ctx -> stack(ctx));
        }

        /** Intentionally empty stack definition. */
        public static void stack(Context ctx) {
        }
    }
    
    import pulumi
    
    import * as pulumi from "@pulumi/pulumi";
    
    {}
    

    Example Using An Override Document

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() =>
    {
        // Document used as an override: s3:* on every resource under "SidToOverride".
        var @override = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "SidToOverride",
                    Actions = new[] { "s3:*" },
                    Resources = new[] { "*" },
                },
            },
        });

        // Per the provider's merge rules, a statement from an override document
        // replaces a same-sid statement declared inline, so the merged policy
        // carries s3:* on "*" rather than the bucket-scoped statement below.
        var overridePolicyDocumentExample = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            OverridePolicyDocuments = new[]
            {
                @override.Apply(doc => doc.Json),
            },
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[] { "ec2:*" },
                    Resources = new[] { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "SidToOverride",
                    Actions = new[] { "s3:*" },
                    Resources = new[]
                    {
                        "arn:aws:s3:::somebucket",
                        "arn:aws:s3:::somebucket/*",
                    },
                },
            },
        });

    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
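    // main renders an override document and a second document that consumes it
    // through OverridePolicyDocuments while also declaring "SidToOverride" inline.
    //
    // Per the provider's merge rules, a statement from an override document
    // replaces a same-sid statement declared in the current document, so the
    // merged policy carries s3:* on "*" rather than the bucket-scoped inline
    // statement. Effective permissions therefore depend on the override inputs,
    // not only on the statements written here.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid:       pulumi.StringRef("SidToOverride"),
    					Actions:   []string{"s3:*"},
    					Resources: []string{"*"},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}

    		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			// OverridePolicyDocuments takes rendered policy JSON strings. The
    			// generated listing used interface{}{...}, which is not a valid
    			// composite literal.
    			OverridePolicyDocuments: []string{
    				override.Json,
    			},
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions:   []string{"ec2:*"},
    					Resources: []string{"*"},
    				},
    				{
    					// Displaced by the override document's statement with
    					// the same sid.
    					Sid:     pulumi.StringRef("SidToOverride"),
    					Actions: []string{"s3:*"},
    					Resources: []string{
    						"arn:aws:s3:::somebucket",
    						"arn:aws:s3:::somebucket/*",
    					},
    				},
    			},
    		}, nil)
    		return err
    	})
    }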
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Pulumi program that renders an override document and a second document
     * that consumes it through {@code overridePolicyDocuments}.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares both documents. Per the provider's merge rules the override
         * document's {@code SidToOverride} statement replaces the inline one, so
         * the merged policy carries s3:* on "*".
         */
        public static void stack(Context ctx) {
            // NOTE(review): GetPolicyDocumentStatementArgs is used here but is not
            // among the imports shown with this listing.
            final var override = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .sid("SidToOverride").actions("s3:*").resources("*").build())
                .build());

            final var overridePolicyDocumentExample = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .overridePolicyDocuments(override.applyValue(result -> result.json()))
                .statements(
                    GetPolicyDocumentStatementArgs.builder().actions("ec2:*").resources("*").build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("SidToOverride")
                        .actions("s3:*")
                        .resources("arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*")
                        .build())
                .build());
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    # Document used as an override: s3:* on every resource under "SidToOverride".
    override = aws.iam.get_policy_document(
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(sid="SidToOverride", actions=["s3:*"], resources=["*"]),
        ],
    )
    # Per the provider's merge rules, the override document's statement replaces
    # the same-sid statement declared inline, so the merged policy carries s3:*
    # on "*" rather than the bucket-scoped statement below.
    override_policy_document_example = aws.iam.get_policy_document(
        override_policy_documents=[override.json],
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(actions=["ec2:*"], resources=["*"]),
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="SidToOverride",
                actions=["s3:*"],
                resources=["arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"],
            ),
        ],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Document used as an override: s3:* on every resource under "SidToOverride".
    const override = aws.iam.getPolicyDocument({
        statements: [
            { sid: "SidToOverride", actions: ["s3:*"], resources: ["*"] },
        ],
    });
    // Per the provider's merge rules, the override document's statement replaces
    // the same-sid statement declared inline, so the merged policy carries s3:*
    // on "*" rather than the bucket-scoped statement below.
    const overridePolicyDocumentExample = override.then(ovr => aws.iam.getPolicyDocument({
        overridePolicyDocuments: [ovr.json],
        statements: [
            { actions: ["ec2:*"], resources: ["*"] },
            {
                sid: "SidToOverride",
                actions: ["s3:*"],
                resources: ["arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"],
            },
        ],
    }));
    
    variables:
      # Document used as an override: s3:* on every resource under SidToOverride.
      override:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: SidToOverride
                actions:
                  - s3:*
                resources:
                  - '*'
      # Per the provider's merge rules, the override document's statement replaces
      # the same-sid statement declared inline, so the merged policy carries s3:*
      # on '*' rather than the bucket-scoped statement below.
      overridePolicyDocumentExample:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            overridePolicyDocuments:
              - ${override.json}
            statements:
              - actions:
                  - ec2:*
                resources:
                  - '*'
              - sid: SidToOverride
                actions:
                  - s3:*
                resources:
                  - arn:aws:s3:::somebucket
                  - arn:aws:s3:::somebucket/*
    

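    will evaluate to a policy with two statements: the unnamed `ec2:*` statement on `*`, and `SidToOverride` as defined in the override document (`s3:*` on `*`). The override document takes precedence over the bucket-scoped statement declared in the current document, so the result is broader than the inline statement alone suggests. The rendered JSON is not shown; the listings that follow are empty programs.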

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    
    // Empty Pulumi program: the callback declares no resources.
    // NOTE(review): the text above reads "will evaluate to", so rendered policy
    // JSON was presumably intended in place of this listing.
    return await Deployment.RunAsync(() => { });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main runs an empty Pulumi program: the callback registers nothing and
    // reports success.
    // NOTE(review): the text above reads "will evaluate to", so rendered policy
    // JSON was presumably intended in place of this listing.
    func main() {
    	noop := func(_ *pulumi.Context) error { return nil }
    	pulumi.Run(noop)
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Empty Pulumi program: {@code stack} declares no resources.
     * NOTE(review): the text above reads "will evaluate to", so rendered policy
     * JSON was presumably intended in place of this listing.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(ctx -> stack(ctx));
        }

        /** Intentionally empty stack definition. */
        public static void stack(Context ctx) {
        }
    }
    
    import pulumi
    
    import * as pulumi from "@pulumi/pulumi";
    
    {}
    

    Example with Both Source and Override Documents

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() =>
    {
        // Source document: one statement under the sid "OverridePlaceholder".
        var source = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "OverridePlaceholder",
                    Actions = new[] { "ec2:DescribeAccountAttributes" },
                    Resources = new[] { "*" },
                },
            },
        });

        // Override document: same sid, different action.
        var @override = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "OverridePlaceholder",
                    Actions = new[] { "s3:GetObject" },
                    Resources = new[] { "*" },
                },
            },
        });

        // Per the provider's merge rules the override statement replaces the
        // source statement with the same sid, leaving s3:GetObject on "*".
        var politik = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            SourcePolicyDocuments = new[]
            {
                source.Apply(doc => doc.Json),
            },
            OverridePolicyDocuments = new[]
            {
                @override.Apply(doc => doc.Json),
            },
        });

    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
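    // main renders a source document and an override document that share the
    // sid "OverridePlaceholder", then merges both into a third document.
    //
    // Per the provider's merge rules the override statement replaces the source
    // statement with the same sid, so the merged policy allows s3:GetObject on
    // "*" and no longer contains ec2:DescribeAccountAttributes.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid:       pulumi.StringRef("OverridePlaceholder"),
    					Actions:   []string{"ec2:DescribeAccountAttributes"},
    					Resources: []string{"*"},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}

    		override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid:       pulumi.StringRef("OverridePlaceholder"),
    					Actions:   []string{"s3:GetObject"},
    					Resources: []string{"*"},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}

    		// Both fields take rendered policy JSON strings. The generated listing
    		// used interface{}{...}, which is not a valid composite literal.
    		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			SourcePolicyDocuments: []string{
    				source.Json,
    			},
    			OverridePolicyDocuments: []string{
    				override.Json,
    			},
    		}, nil)
    		return err
    	})
    }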
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Pulumi program that merges a source document and an override document
     * sharing the sid {@code OverridePlaceholder}.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the three documents. Per the provider's merge rules the
         * override statement replaces the source statement with the same sid.
         */
        public static void stack(Context ctx) {
            // NOTE(review): GetPolicyDocumentStatementArgs is used here but is not
            // among the imports shown with this listing.
            final var source = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .sid("OverridePlaceholder").actions("ec2:DescribeAccountAttributes").resources("*").build())
                .build());

            final var override = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .sid("OverridePlaceholder").actions("s3:GetObject").resources("*").build())
                .build());

            final var politik = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .sourcePolicyDocuments(source.applyValue(result -> result.json()))
                .overridePolicyDocuments(override.applyValue(result -> result.json()))
                .build());
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    # Source document: one statement under the sid "OverridePlaceholder".
    source = aws.iam.get_policy_document(
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="OverridePlaceholder",
                actions=["ec2:DescribeAccountAttributes"],
                resources=["*"],
            ),
        ],
    )
    # Override document: same sid, different action.
    override = aws.iam.get_policy_document(
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="OverridePlaceholder",
                actions=["s3:GetObject"],
                resources=["*"],
            ),
        ],
    )
    # Per the provider's merge rules the override statement replaces the source
    # statement with the same sid, leaving s3:GetObject on "*".
    politik = aws.iam.get_policy_document(
        source_policy_documents=[source.json],
        override_policy_documents=[override.json],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Source document: one statement under the sid "OverridePlaceholder".
    const source = aws.iam.getPolicyDocument({
        statements: [
            { sid: "OverridePlaceholder", actions: ["ec2:DescribeAccountAttributes"], resources: ["*"] },
        ],
    });
    // Override document: same sid, different action.
    const override = aws.iam.getPolicyDocument({
        statements: [
            { sid: "OverridePlaceholder", actions: ["s3:GetObject"], resources: ["*"] },
        ],
    });
    // Per the provider's merge rules the override statement replaces the source
    // statement with the same sid, leaving s3:GetObject on "*".
    const politik = Promise.all([source, override]).then(([src, ovr]) => aws.iam.getPolicyDocument({
        sourcePolicyDocuments: [src.json],
        overridePolicyDocuments: [ovr.json],
    }));
    
    variables:
      # Source document: one statement under the sid OverridePlaceholder.
      source:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: OverridePlaceholder
                actions:
                  - ec2:DescribeAccountAttributes
                resources:
                  - '*'
      # Override document: same sid, different action.
      override:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: OverridePlaceholder
                actions:
                  - s3:GetObject
                resources:
                  - '*'
      # Per the provider's merge rules the override statement replaces the source
      # statement with the same sid, leaving s3:GetObject on '*'.
      politik:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            sourcePolicyDocuments:
              - ${source.json}
            overridePolicyDocuments:
              - ${override.json}
    

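    will evaluate to a policy with a single `OverridePlaceholder` statement allowing `s3:GetObject` on `*`: the override document's statement replaces the source statement with the same sid. The rendered JSON is not shown; the listings that follow are empty programs.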

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    
    // Empty Pulumi program: the callback declares no resources.
    // NOTE(review): the text above reads "will evaluate to", so rendered policy
    // JSON was presumably intended in place of this listing.
    return await Deployment.RunAsync(() => { });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main runs an empty Pulumi program: the callback registers nothing and
    // reports success.
    // NOTE(review): the text above reads "will evaluate to", so rendered policy
    // JSON was presumably intended in place of this listing.
    func main() {
    	noop := func(_ *pulumi.Context) error { return nil }
    	pulumi.Run(noop)
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Empty Pulumi program: {@code stack} declares no resources.
     * NOTE(review): the text above reads "will evaluate to", so rendered policy
     * JSON was presumably intended in place of this listing.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(ctx -> stack(ctx));
        }

        /** Intentionally empty stack definition. */
        public static void stack(Context ctx) {
        }
    }
    
    import pulumi
    
    import * as pulumi from "@pulumi/pulumi";
    
    {}
    

    Example of Merging Source Documents

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() =>
    {
        // First source document. The wildcard actions and resources in this
        // example only illustrate merging.
        var sourceOne = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[] { "ec2:*" },
                    Resources = new[] { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "UniqueSidOne",
                    Actions = new[] { "s3:*" },
                    Resources = new[] { "*" },
                },
            },
        });

        // Second source document; its named sid differs from the first one's.
        var sourceTwo = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "UniqueSidTwo",
                    Actions = new[] { "iam:*" },
                    Resources = new[] { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[] { "lambda:*" },
                    Resources = new[] { "*" },
                },
            },
        });

        // The non-blank sids are unique, so per the provider's merge rules all
        // four statements are carried into the combined policy.
        var combined = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            SourcePolicyDocuments = new[]
            {
                sourceOne.Apply(doc => doc.Json),
                sourceTwo.Apply(doc => doc.Json),
            },
        });

    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
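    // main renders two source documents and merges them into a third through
    // SourcePolicyDocuments.
    //
    // The non-blank sids ("UniqueSidOne", "UniqueSidTwo") are distinct, so per
    // the provider's merge rules nothing is replaced and all four statements
    // appear in the combined policy. The wildcard actions and resources only
    // illustrate merging; iam:* on "*" in particular would let a principal
    // change its own permissions.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		sourceOne, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions:   []string{"ec2:*"},
    					Resources: []string{"*"},
    				},
    				{
    					Sid:       pulumi.StringRef("UniqueSidOne"),
    					Actions:   []string{"s3:*"},
    					Resources: []string{"*"},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}

    		sourceTwo, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			// Statements is a slice of GetPolicyDocumentStatement, as in the
    			// first call; the generated listing used pulumi.Array here.
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid:       pulumi.StringRef("UniqueSidTwo"),
    					Actions:   []string{"iam:*"},
    					Resources: []string{"*"},
    				},
    				{
    					Actions:   []string{"lambda:*"},
    					Resources: []string{"*"},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}

    		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			// SourcePolicyDocuments takes rendered policy JSON strings. The
    			// generated listing used interface{}{...}, which is not a valid
    			// composite literal.
    			SourcePolicyDocuments: []string{
    				sourceOne.Json,
    				sourceTwo.Json,
    			},
    		}, nil)
    		return err
    	})
    }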
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Pulumi program that merges two source documents into one policy through
     * {@code sourcePolicyDocuments}.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the two sources and the combined document. The non-blank sids
         * are unique, so per the provider's merge rules all four statements are
         * carried into the combined policy.
         */
        public static void stack(Context ctx) {
            // NOTE(review): GetPolicyDocumentStatementArgs is used here but is not
            // among the imports shown with this listing.
            final var sourceOne = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(
                    GetPolicyDocumentStatementArgs.builder().actions("ec2:*").resources("*").build(),
                    GetPolicyDocumentStatementArgs.builder().sid("UniqueSidOne").actions("s3:*").resources("*").build())
                .build());

            final var sourceTwo = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(
                    GetPolicyDocumentStatementArgs.builder().sid("UniqueSidTwo").actions("iam:*").resources("*").build(),
                    GetPolicyDocumentStatementArgs.builder().actions("lambda:*").resources("*").build())
                .build());

            final var combined = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .sourcePolicyDocuments(
                    sourceOne.applyValue(result -> result.json()),
                    sourceTwo.applyValue(result -> result.json()))
                .build());
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    # First source document. The wildcard actions and resources in this example
    # only illustrate merging.
    source_one = aws.iam.get_policy_document(
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(actions=["ec2:*"], resources=["*"]),
            aws.iam.GetPolicyDocumentStatementArgs(sid="UniqueSidOne", actions=["s3:*"], resources=["*"]),
        ],
    )
    # Second source document; its named sid differs from the first one's.
    source_two = aws.iam.get_policy_document(
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(sid="UniqueSidTwo", actions=["iam:*"], resources=["*"]),
            aws.iam.GetPolicyDocumentStatementArgs(actions=["lambda:*"], resources=["*"]),
        ],
    )
    # The non-blank sids are unique, so per the provider's merge rules all four
    # statements are carried into the combined policy.
    combined = aws.iam.get_policy_document(
        source_policy_documents=[source_one.json, source_two.json],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // First source document. The wildcard actions and resources in this example
    // only illustrate merging.
    const sourceOne = aws.iam.getPolicyDocument({
        statements: [
            { actions: ["ec2:*"], resources: ["*"] },
            { sid: "UniqueSidOne", actions: ["s3:*"], resources: ["*"] },
        ],
    });
    // Second source document; its named sid differs from the first one's.
    const sourceTwo = aws.iam.getPolicyDocument({
        statements: [
            { sid: "UniqueSidTwo", actions: ["iam:*"], resources: ["*"] },
            { actions: ["lambda:*"], resources: ["*"] },
        ],
    });
    // The non-blank sids are unique, so per the provider's merge rules all four
    // statements are carried into the combined policy.
    const combined = Promise.all([sourceOne, sourceTwo]).then(([first, second]) => aws.iam.getPolicyDocument({
        sourcePolicyDocuments: [first.json, second.json],
    }));
    
    variables:
      # First source document. The wildcard actions and resources in this
      # example only illustrate merging.
      sourceOne:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - actions:
                  - ec2:*
                resources:
                  - '*'
              - sid: UniqueSidOne
                actions:
                  - s3:*
                resources:
                  - '*'
      # Second source document; its named sid differs from the first one's.
      sourceTwo:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: UniqueSidTwo
                actions:
                  - iam:*
                resources:
                  - '*'
              - actions:
                  - lambda:*
                resources:
                  - '*'
      # The non-blank sids are unique, so per the provider's merge rules all four
      # statements are carried into the combined policy.
      combined:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            sourcePolicyDocuments:
              - ${sourceOne.json}
              - ${sourceTwo.json}
    

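    will evaluate to a policy containing all four statements (`ec2:*`, `UniqueSidOne` with `s3:*`, `UniqueSidTwo` with `iam:*`, and `lambda:*`, each on `*`); no statement is replaced because the non-blank sids are unique across the source documents. The rendered JSON is not shown; the listings that follow are empty programs.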

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    
    // Empty Pulumi program: the callback declares no resources.
    // NOTE(review): the text above reads "will evaluate to", so rendered policy
    // JSON was presumably intended in place of this listing.
    return await Deployment.RunAsync(() => { });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main runs an empty Pulumi program: the callback registers nothing and
    // reports success.
    // NOTE(review): the text above reads "will evaluate to", so rendered policy
    // JSON was presumably intended in place of this listing.
    func main() {
    	noop := func(_ *pulumi.Context) error { return nil }
    	pulumi.Run(noop)
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Empty Pulumi program: {@code stack} declares no resources.
     * NOTE(review): the text above reads "will evaluate to", so rendered policy
     * JSON was presumably intended in place of this listing.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(ctx -> stack(ctx));
        }

        /** Intentionally empty stack definition. */
        public static void stack(Context ctx) {
        }
    }
    
    import pulumi
    
    import * as pulumi from "@pulumi/pulumi";
    
    {}
    

    Example of Merging Override Documents

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() =>
    {
        // First override document: Allow s3:* under "OverridePlaceHolderOne".
        var policyOne = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "OverridePlaceHolderOne",
                    Effect = "Allow",
                    Actions = new[] { "s3:*" },
                    Resources = new[] { "*" },
                },
            },
        });

        // Second override document: an unnamed Allow ec2:* statement and
        // Allow iam:* under "OverridePlaceHolderTwo".
        var policyTwo = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Effect = "Allow",
                    Actions = new[] { "ec2:*" },
                    Resources = new[] { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "OverridePlaceHolderTwo",
                    Effect = "Allow",
                    Actions = new[] { "iam:*" },
                    Resources = new[] { "*" },
                },
            },
        });

        // Third override document: reuses "OverridePlaceHolderOne" with Deny logs:*.
        var policyThree = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "OverridePlaceHolderOne",
                    Effect = "Deny",
                    Actions = new[] { "logs:*" },
                    Resources = new[] { "*" },
                },
            },
        });

        // Per the provider's merge rules, a later override document replaces an
        // earlier one's same-sid statement, and override documents replace
        // same-sid statements declared inline. The inline Deny below shares its
        // sid with policyTwo's Allow iam:* statement, so it is expected to be
        // replaced by that Allow in the combined policy - confirm against the
        // rendered JSON.
        var combined = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            OverridePolicyDocuments = new[]
            {
                policyOne.Apply(doc => doc.Json),
                policyTwo.Apply(doc => doc.Json),
                policyThree.Apply(doc => doc.Json),
            },
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "OverridePlaceHolderTwo",
                    Effect = "Deny",
                    Actions = new[] { "*" },
                    Resources = new[] { "*" },
                },
            },
        });

    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
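    // main runs a Pulumi program that renders three IAM policy documents and
    // merges them into a fourth through OverridePolicyDocuments.
    //
    // The wildcard actions and resources used here ("s3:*", "iam:*", "*") exist
    // only to show how statements are matched and replaced by sid; scope both to
    // what a workload needs before reusing any of this as a real policy.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Allow statement with sid OverridePlaceHolderOne; policyThree reuses
    		// this sid with effect Deny.
    		policyOne, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid:    pulumi.StringRef("OverridePlaceHolderOne"),
    					Effect: pulumi.StringRef("Allow"),
    					Actions: []string{
    						"s3:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// One statement without a sid (never matched by an override) and one
    		// with sid OverridePlaceHolderTwo, which the merged document also declares.
    		policyTwo, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Effect: pulumi.StringRef("Allow"),
    					Actions: []string{
    						"ec2:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    				{
    					Sid:    pulumi.StringRef("OverridePlaceHolderTwo"),
    					Effect: pulumi.StringRef("Allow"),
    					Actions: []string{
    						"iam:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// Same sid as policyOne's statement but with effect Deny: a later
    		// override document replaces an earlier one's statement with that sid.
    		policyThree, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid:    pulumi.StringRef("OverridePlaceHolderOne"),
    					Effect: pulumi.StringRef("Deny"),
    					Actions: []string{
    						"logs:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// OverridePolicyDocuments is a []string of rendered policy JSON; the
    		// original listing used `interface{}{...}`, which does not compile.
    		//
    		// NOTE(review): the inline Deny statement shares sid
    		// OverridePlaceHolderTwo with policyTwo's Allow on "iam:*". Override
    		// documents presumably take precedence over inline statements, so check
    		// the rendered Json to see which effect survives before attaching it.
    		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			OverridePolicyDocuments: []string{
    				policyOne.Json,
    				policyTwo.Json,
    				policyThree.Json,
    			},
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid:    pulumi.StringRef("OverridePlaceHolderTwo"),
    					Effect: pulumi.StringRef("Deny"),
    					Actions: []string{
    						"*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }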
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Renders three IAM policy documents and merges them into a fourth through
     * overridePolicyDocuments.
     *
     * The wildcard actions and resources ("s3:*", "iam:*", "*") only illustrate
     * how statements are matched and replaced by sid; they are not a
     * least-privilege template.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares the policy documents for this stack. */
        public static void stack(Context ctx) {
            // Allow statement with sid OverridePlaceHolderOne; policyThree reuses this sid.
            final var allowS3 = GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderOne")
                .effect("Allow")
                .actions("s3:*")
                .resources("*")
                .build();
            final var policyOne = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(allowS3)
                .build());

            // One statement without a sid and one with sid OverridePlaceHolderTwo.
            final var allowEc2 = GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions("ec2:*")
                .resources("*")
                .build();
            final var allowIam = GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderTwo")
                .effect("Allow")
                .actions("iam:*")
                .resources("*")
                .build();
            final var policyTwo = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(allowEc2, allowIam)
                .build());

            // Same sid as policyOne's statement, with effect Deny.
            final var denyLogs = GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderOne")
                .effect("Deny")
                .actions("logs:*")
                .resources("*")
                .build();
            final var policyThree = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(denyLogs)
                .build());

            // NOTE(review): this inline Deny shares sid OverridePlaceHolderTwo with
            // policyTwo's Allow on "iam:*"; confirm from the rendered json which
            // effect survives the merge before attaching the policy.
            final var denyAll = GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderTwo")
                .effect("Deny")
                .actions("*")
                .resources("*")
                .build();
            final var combined = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .overridePolicyDocuments(
                    policyOne.applyValue(doc -> doc.json()),
                    policyTwo.applyValue(doc -> doc.json()),
                    policyThree.applyValue(doc -> doc.json()))
                .statements(denyAll)
                .build());

        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    # Three policy documents merged into a fourth through override_policy_documents.
    # The wildcard actions and resources only illustrate sid-based overriding;
    # they are not a least-privilege template.

    # Allow statement with sid OverridePlaceHolderOne; policy_three reuses this sid.
    policy_one = aws.iam.get_policy_document(
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="OverridePlaceHolderOne",
                effect="Allow",
                actions=["s3:*"],
                resources=["*"],
            ),
        ],
    )

    # One statement without a sid and one with sid OverridePlaceHolderTwo.
    policy_two = aws.iam.get_policy_document(
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(
                effect="Allow",
                actions=["ec2:*"],
                resources=["*"],
            ),
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="OverridePlaceHolderTwo",
                effect="Allow",
                actions=["iam:*"],
                resources=["*"],
            ),
        ],
    )

    # Same sid as policy_one's statement, with effect Deny.
    policy_three = aws.iam.get_policy_document(
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="OverridePlaceHolderOne",
                effect="Deny",
                actions=["logs:*"],
                resources=["*"],
            ),
        ],
    )

    # NOTE(review): the inline Deny shares sid OverridePlaceHolderTwo with
    # policy_two's Allow on "iam:*"; confirm from the rendered json which effect
    # survives the merge before attaching the policy.
    combined = aws.iam.get_policy_document(
        override_policy_documents=[
            policy_one.json,
            policy_two.json,
            policy_three.json,
        ],
        statements=[
            aws.iam.GetPolicyDocumentStatementArgs(
                sid="OverridePlaceHolderTwo",
                effect="Deny",
                actions=["*"],
                resources=["*"],
            ),
        ],
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Three policy documents merged into a fourth through overridePolicyDocuments.
    // The wildcard actions and resources only illustrate sid-based overriding;
    // they are not a least-privilege template.

    // Allow statement with sid OverridePlaceHolderOne; policyThree reuses this sid.
    const policyOne = aws.iam.getPolicyDocument({
        statements: [
            {
                sid: "OverridePlaceHolderOne",
                effect: "Allow",
                actions: ["s3:*"],
                resources: ["*"],
            },
        ],
    });

    // One statement without a sid and one with sid OverridePlaceHolderTwo.
    const policyTwo = aws.iam.getPolicyDocument({
        statements: [
            {
                effect: "Allow",
                actions: ["ec2:*"],
                resources: ["*"],
            },
            {
                sid: "OverridePlaceHolderTwo",
                effect: "Allow",
                actions: ["iam:*"],
                resources: ["*"],
            },
        ],
    });

    // Same sid as policyOne's statement, with effect Deny.
    const policyThree = aws.iam.getPolicyDocument({
        statements: [
            {
                sid: "OverridePlaceHolderOne",
                effect: "Deny",
                actions: ["logs:*"],
                resources: ["*"],
            },
        ],
    });

    // NOTE(review): the inline Deny shares sid OverridePlaceHolderTwo with
    // policyTwo's Allow on "iam:*"; confirm from the rendered json which effect
    // survives the merge before attaching the policy.
    const combined = Promise.all([policyOne, policyTwo, policyThree]).then(([one, two, three]) => {
        return aws.iam.getPolicyDocument({
            overridePolicyDocuments: [
                one.json,
                two.json,
                three.json,
            ],
            statements: [
                {
                    sid: "OverridePlaceHolderTwo",
                    effect: "Deny",
                    actions: ["*"],
                    resources: ["*"],
                },
            ],
        });
    });
    
    # Three policy documents merged into a fourth through overridePolicyDocuments.
    # The wildcard actions and resources only illustrate sid-based overriding;
    # they are not a least-privilege template.
    variables:
      # Allow statement with sid OverridePlaceHolderOne; policyThree reuses this sid.
      policyOne:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: OverridePlaceHolderOne
                effect: Allow
                actions:
                  - s3:*
                resources:
                  - '*'
      # One statement without a sid and one with sid OverridePlaceHolderTwo.
      policyTwo:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - effect: Allow
                actions:
                  - ec2:*
                resources:
                  - '*'
              - sid: OverridePlaceHolderTwo
                effect: Allow
                actions:
                  - iam:*
                resources:
                  - '*'
      # Same sid as policyOne's statement, with effect Deny.
      policyThree:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: OverridePlaceHolderOne
                effect: Deny
                actions:
                  - logs:*
                resources:
                  - '*'
      # NOTE(review): the inline Deny shares sid OverridePlaceHolderTwo with
      # policyTwo's Allow on iam:*; confirm from the rendered json which effect
      # survives the merge before attaching the policy.
      combined:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            overridePolicyDocuments:
              - ${policyOne.json}
              - ${policyTwo.json}
              - ${policyThree.json}
            statements:
              - sid: OverridePlaceHolderTwo
                effect: Deny
                actions:
                  - '*'
                resources:
                  - '*'
    

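    The json output of the combined policy document will evaluate to the following. (The rendered policy JSON is not present on this page; the listings below are empty program stubs.)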

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    
    // Empty Pulumi program: the callback declares no resources.
    return await Deployment.RunAsync(() => { });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main runs an empty Pulumi program: the callback declares no resources and
    // returns nil.
    func main() {
    	pulumi.Run(func(_ *pulumi.Context) error {
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /** Empty Pulumi program: the stack callback declares no resources. */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(ctx -> stack(ctx));
        }

        /** Declares nothing for this stack. */
        public static void stack(Context ctx) {
        }
    }
    
    import pulumi
    
    import * as pulumi from "@pulumi/pulumi";
    
    {}
    

    Using getPolicyDocument

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
    function getPolicyDocumentOutput(args: GetPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetPolicyDocumentResult>
    def get_policy_document(override_policy_documents: Optional[Sequence[str]] = None,
                            policy_id: Optional[str] = None,
                            source_policy_documents: Optional[Sequence[str]] = None,
                            statements: Optional[Sequence[GetPolicyDocumentStatement]] = None,
                            version: Optional[str] = None,
                            opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
    def get_policy_document_output(override_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                            policy_id: Optional[pulumi.Input[str]] = None,
                            source_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                            statements: Optional[pulumi.Input[Sequence[pulumi.Input[GetPolicyDocumentStatementArgs]]]] = None,
                            version: Optional[pulumi.Input[str]] = None,
                            opts: Optional[InvokeOptions] = None) -> Output[GetPolicyDocumentResult]
    func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)
    func GetPolicyDocumentOutput(ctx *Context, args *GetPolicyDocumentOutputArgs, opts ...InvokeOption) GetPolicyDocumentResultOutput

    > Note: This function is named GetPolicyDocument in the Go SDK.

    public static class GetPolicyDocument 
    {
        public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
        public static Output<GetPolicyDocumentResult> Invoke(GetPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: aws:iam/getPolicyDocument:getPolicyDocument
      arguments:
        # arguments dictionary

    The following arguments are supported:

    OverridePolicyDocuments List<string>
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document. Because statements are matched by sid alone, an overriding statement can replace a Deny with an Allow (or the reverse), so review the rendered json before attaching the policy.
    PolicyId string
    ID for the policy document.
    SourcePolicyDocuments List<string>
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    Statements List<GetPolicyDocumentStatement>
    Configuration block for a policy statement. Detailed below.
    Version string
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
    OverridePolicyDocuments []string
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
    PolicyId string
    ID for the policy document.
    SourcePolicyDocuments []string
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    Statements []GetPolicyDocumentStatement
    Configuration block for a policy statement. Detailed below.
    Version string
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
    overridePolicyDocuments List<String>
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
    policyId String
    ID for the policy document.
    sourcePolicyDocuments List<String>
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    statements List<GetPolicyDocumentStatement>
    Configuration block for a policy statement. Detailed below.
    version String
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
    overridePolicyDocuments string[]
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
    policyId string
    ID for the policy document.
    sourcePolicyDocuments string[]
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    statements GetPolicyDocumentStatement[]
    Configuration block for a policy statement. Detailed below.
    version string
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
    override_policy_documents Sequence[str]
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
    policy_id str
    ID for the policy document.
    source_policy_documents Sequence[str]
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    statements Sequence[GetPolicyDocumentStatement]
    Configuration block for a policy statement. Detailed below.
    version str
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
    overridePolicyDocuments List<String>
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
    policyId String
    ID for the policy document.
    sourcePolicyDocuments List<String>
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    statements List<Property Map>
    Configuration block for a policy statement. Detailed below.
    version String
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.

    getPolicyDocument Result

    The following output properties are available:

    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    Standard JSON policy document rendered based on the arguments above.
    OverridePolicyDocuments List<string>
    PolicyId string
    SourcePolicyDocuments List<string>
    Statements List<GetPolicyDocumentStatement>
    Version string
    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    Standard JSON policy document rendered based on the arguments above.
    OverridePolicyDocuments []string
    PolicyId string
    SourcePolicyDocuments []string
    Statements []GetPolicyDocumentStatement
    Version string
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    Standard JSON policy document rendered based on the arguments above.
    overridePolicyDocuments List<String>
    policyId String
    sourcePolicyDocuments List<String>
    statements List<GetPolicyDocumentStatement>
    version String
    id string
    The provider-assigned unique ID for this managed resource.
    json string
    Standard JSON policy document rendered based on the arguments above.
    overridePolicyDocuments string[]
    policyId string
    sourcePolicyDocuments string[]
    statements GetPolicyDocumentStatement[]
    version string
    id str
    The provider-assigned unique ID for this managed resource.
    json str
    Standard JSON policy document rendered based on the arguments above.
    override_policy_documents Sequence[str]
    policy_id str
    source_policy_documents Sequence[str]
    statements Sequence[GetPolicyDocumentStatement]
    version str
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    Standard JSON policy document rendered based on the arguments above.
    overridePolicyDocuments List<String>
    policyId String
    sourcePolicyDocuments List<String>
    statements List<Property Map>
    version String

    Supporting Types

    GetPolicyDocumentStatement

    Actions List<string>
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    Conditions List<GetPolicyDocumentStatementCondition>
    Configuration block for a condition. Detailed below.
    Effect string
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    NotActions List<string>
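    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed. Combined with effect Allow, this grants every action that is not listed, so keep the statement's resources narrowly scoped.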
    NotPrincipals List<GetPolicyDocumentStatementNotPrincipal>
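    Like principals, except that these are the principals the statement does not apply to. Combined with effect Allow, the statement applies to every principal except those listed, so this combination is best avoided.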
    NotResources List<string>
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    Principals List<GetPolicyDocumentStatementPrincipal>
    Configuration block for principals. Detailed below.
    Resources List<string>
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    Sid string
    Sid (statement ID) is an identifier for a policy statement.
    Actions []string
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    Conditions []GetPolicyDocumentStatementCondition
    Configuration block for a condition. Detailed below.
    Effect string
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    NotActions []string
    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
    NotPrincipals []GetPolicyDocumentStatementNotPrincipal
    Like principals except these are principals that the statement does not apply to.
    NotResources []string
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    Principals []GetPolicyDocumentStatementPrincipal
    Configuration block for principals. Detailed below.
    Resources []string
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    Sid string
    Sid (statement ID) is an identifier for a policy statement.
    actions List<String>
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    conditions List<GetPolicyDocumentStatementCondition>
    Configuration block for a condition. Detailed below.
    effect String
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    notActions List<String>
    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
    notPrincipals List<GetPolicyDocumentStatementNotPrincipal>
    Like principals except these are principals that the statement does not apply to.
    notResources List<String>
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    principals List<GetPolicyDocumentStatementPrincipal>
    Configuration block for principals. Detailed below.
    resources List<String>
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    sid String
    Sid (statement ID) is an identifier for a policy statement.
    actions string[]
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    conditions GetPolicyDocumentStatementCondition[]
    Configuration block for a condition. Detailed below.
    effect string
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    notActions string[]
    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
    notPrincipals GetPolicyDocumentStatementNotPrincipal[]
    Like principals except these are principals that the statement does not apply to.
    notResources string[]
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    principals GetPolicyDocumentStatementPrincipal[]
    Configuration block for principals. Detailed below.
    resources string[]
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    sid string
    Sid (statement ID) is an identifier for a policy statement.
    actions Sequence[str]
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    conditions Sequence[GetPolicyDocumentStatementCondition]
    Configuration block for a condition. Detailed below.
    effect str
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    not_actions Sequence[str]
    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
    not_principals Sequence[GetPolicyDocumentStatementNotPrincipal]
    Like principals except these are principals that the statement does not apply to.
    not_resources Sequence[str]
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    principals Sequence[GetPolicyDocumentStatementPrincipal]
    Configuration block for principals. Detailed below.
    resources Sequence[str]
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    sid str
    Sid (statement ID) is an identifier for a policy statement.
    actions List<String>
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    conditions List<Property Map>
    Configuration block for a condition. Detailed below.
    effect String
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    notActions List<String>
    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
    notPrincipals List<Property Map>
    Like principals except these are principals that the statement does not apply to.
    notResources List<String>
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    principals List<Property Map>
    Configuration block for principals. Detailed below.
    resources List<String>
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    sid String
    Sid (statement ID) is an identifier for a policy statement.

    GetPolicyDocumentStatementCondition

    Test string
    Name of the IAM condition operator to evaluate.
    Values List<string>
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    Variable string
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
    Test string
    Name of the IAM condition operator to evaluate.
    Values []string
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    Variable string
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
    test String
    Name of the IAM condition operator to evaluate.
    values List<String>
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    variable String
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
    test string
    Name of the IAM condition operator to evaluate.
    values string[]
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    variable string
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
    test str
    Name of the IAM condition operator to evaluate.
    values Sequence[str]
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    variable str
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
    test String
    Name of the IAM condition operator to evaluate.
    values List<String>
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    variable String
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.

    GetPolicyDocumentStatementNotPrincipal

    Identifiers List<string>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    Type string
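    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *. Because this block lists the principals a statement does not apply to, a statement with effect Allow covers every principal that is not listed, including unauthenticated callers; it is safer to pair it with effect Deny.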
    Identifiers []string
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    Type string
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers List<String>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type String
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers string[]
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type string
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers Sequence[str]
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type str
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers List<String>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type String
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.

    GetPolicyDocumentStatementPrincipal

    Identifiers List<string>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS service principals, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    Type string
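    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *. A type of * with an identifier of * matches every principal, including anonymous callers, so a statement with effect Allow that uses it should be narrowed with conditions.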
    Identifiers []string
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    Type string
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers List<String>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type String
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers string[]
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type string
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers Sequence[str]
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type str
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers List<String>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type String
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.

    AWS Classic v6.23.0 published on Thursday, Feb 22, 2024 by Pulumi