getPolicyDocument
Generates an IAM policy document in JSON format for use with resources that expect policy documents such as aws.iam.Policy.
Using this data source to generate policy documents is optional. It is also valid to use literal JSON strings in your configuration or to use the file interpolation function to read a raw JSON policy document from a file.
Example Usage
Basic Example
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var examplePolicyDocument = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "1",
Actions =
{
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
},
Resources =
{
"arn:aws:s3:::*",
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Actions =
{
"s3:ListBucket",
},
Resources =
{
$"arn:aws:s3:::{@var.S3_bucket_name}",
},
Conditions =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionArgs
{
Test = "StringLike",
Variable = "s3:prefix",
Values =
{
"",
"home/",
"home/&{aws:username}/",
},
},
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Actions =
{
"s3:*",
},
Resources =
{
$"arn:aws:s3:::{@var.S3_bucket_name}/home/&{{aws:username}}",
$"arn:aws:s3:::{@var.S3_bucket_name}/home/&{{aws:username}}/*",
},
},
},
}));
var examplePolicy = new Aws.Iam.Policy("examplePolicy", new Aws.Iam.PolicyArgs
{
Path = "/",
Policy = examplePolicyDocument.Apply(examplePolicyDocument => examplePolicyDocument.Json),
});
}
}
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
examplePolicyDocument, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
iam.GetPolicyDocumentStatement{
Sid: "1",
Actions: []string{
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
},
Resources: []string{
"arn:aws:s3:::*",
},
},
iam.GetPolicyDocumentStatement{
Actions: []string{
"s3:ListBucket",
},
Resources: []string{
fmt.Sprintf("%v%v", "arn:aws:s3:::", _var.S3_bucket_name),
},
Conditions: []iam.GetPolicyDocumentStatementCondition{
iam.GetPolicyDocumentStatementCondition{
Test: "StringLike",
Variable: "s3:prefix",
Values: []string{
"",
"home/",
"home/&{aws:username}/",
},
},
},
},
iam.GetPolicyDocumentStatement{
Actions: []string{
"s3:*",
},
Resources: []string{
fmt.Sprintf("%v%v%v", "arn:aws:s3:::", _var.S3_bucket_name, "/home/&{aws:username}"),
fmt.Sprintf("%v%v%v", "arn:aws:s3:::", _var.S3_bucket_name, "/home/&{aws:username}/*"),
},
},
},
}, nil)
if err != nil {
return err
}
_, err = iam.NewPolicy(ctx, "examplePolicy", &iam.PolicyArgs{
Path: pulumi.String("/"),
Policy: pulumi.String(examplePolicyDocument.Json),
})
if err != nil {
return err
}
return nil
})
}
import pulumi
import pulumi_aws as aws
example_policy_document = aws.iam.get_policy_document(statements=[
aws.iam.GetPolicyDocumentStatementArgs(
sid="1",
actions=[
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
],
resources=["arn:aws:s3:::*"],
),
aws.iam.GetPolicyDocumentStatementArgs(
actions=["s3:ListBucket"],
resources=[f"arn:aws:s3:::{var['s3_bucket_name']}"],
conditions=[aws.iam.GetPolicyDocumentStatementConditionArgs(
test="StringLike",
variable="s3:prefix",
values=[
"",
"home/",
"home/&{aws:username}/",
],
)],
),
aws.iam.GetPolicyDocumentStatementArgs(
actions=["s3:*"],
resources=[
f"arn:aws:s3:::{var['s3_bucket_name']}/home/&{{aws:username}}",
f"arn:aws:s3:::{var['s3_bucket_name']}/home/&{{aws:username}}/*",
],
),
])
example_policy = aws.iam.Policy("examplePolicy",
path="/",
policy=example_policy_document.json)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const examplePolicyDocument = aws.iam.getPolicyDocument({
statements: [
{
sid: "1",
actions: [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
],
resources: ["arn:aws:s3:::*"],
},
{
actions: ["s3:ListBucket"],
resources: [`arn:aws:s3:::${_var.s3_bucket_name}`],
conditions: [{
test: "StringLike",
variable: "s3:prefix",
values: [
"",
"home/",
"home/&{aws:username}/",
],
}],
},
{
actions: ["s3:*"],
resources: [
`arn:aws:s3:::${_var.s3_bucket_name}/home/&{aws:username}`,
`arn:aws:s3:::${_var.s3_bucket_name}/home/&{aws:username}/*`,
],
},
],
});
const examplePolicy = new aws.iam.Policy("examplePolicy", {
path: "/",
policy: examplePolicyDocument.then(examplePolicyDocument => examplePolicyDocument.json),
});
Example Assume-Role Policy with Multiple Principals
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var eventStreamBucketRoleAssumeRolePolicy = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Actions =
{
"sts:AssumeRole",
},
Principals =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
{
Type = "Service",
Identifiers =
{
"firehose.amazonaws.com",
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
{
Type = "AWS",
Identifiers =
{
@var.Trusted_role_arn,
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
{
Type = "Federated",
Identifiers =
{
$"arn:aws:iam::{@var.Account_id}:saml-provider/{@var.Provider_name}",
"cognito-identity.amazonaws.com",
},
},
},
},
},
}));
}
}
Coming soon!
import pulumi
import pulumi_aws as aws
event_stream_bucket_role_assume_role_policy = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
actions=["sts:AssumeRole"],
principals=[
aws.iam.GetPolicyDocumentStatementPrincipalArgs(
type="Service",
identifiers=["firehose.amazonaws.com"],
),
aws.iam.GetPolicyDocumentStatementPrincipalArgs(
type="AWS",
identifiers=[var["trusted_role_arn"]],
),
aws.iam.GetPolicyDocumentStatementPrincipalArgs(
type="Federated",
identifiers=[
f"arn:aws:iam::{var['account_id']}:saml-provider/{var['provider_name']}",
"cognito-identity.amazonaws.com",
],
),
],
)])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const eventStreamBucketRoleAssumeRolePolicy = aws.iam.getPolicyDocument({
statements: [{
actions: ["sts:AssumeRole"],
principals: [
{
type: "Service",
identifiers: ["firehose.amazonaws.com"],
},
{
type: "AWS",
identifiers: [_var.trusted_role_arn],
},
{
type: "Federated",
identifiers: [
`arn:aws:iam::${_var.account_id}:saml-provider/${_var.provider_name}`,
"cognito-identity.amazonaws.com",
],
},
],
}],
});
Example Using A Source Document
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var source = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Actions =
{
"ec2:*",
},
Resources =
{
"*",
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "SidToOverride",
Actions =
{
"s3:*",
},
Resources =
{
"*",
},
},
},
}));
var sourceJsonExample = source.Apply(source => Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
SourceJson = source.Json,
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "SidToOverride",
Actions =
{
"s3:*",
},
Resources =
{
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*",
},
},
},
})));
}
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
iam.GetPolicyDocumentStatement{
Actions: []string{
"ec2:*",
},
Resources: []string{
"*",
},
},
iam.GetPolicyDocumentStatement{
Sid: "SidToOverride",
Actions: []string{
"s3:*",
},
Resources: []string{
"*",
},
},
},
}, nil)
if err != nil {
return err
}
opt0 := source.Json
_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
SourceJson: &opt0,
Statements: []iam.GetPolicyDocumentStatement{
iam.GetPolicyDocumentStatement{
Sid: "SidToOverride",
Actions: []string{
"s3:*",
},
Resources: []string{
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*",
},
},
},
}, nil)
if err != nil {
return err
}
return nil
})
}
import pulumi
import pulumi_aws as aws
source = aws.iam.get_policy_document(statements=[
aws.iam.GetPolicyDocumentStatementArgs(
actions=["ec2:*"],
resources=["*"],
),
aws.iam.GetPolicyDocumentStatementArgs(
sid="SidToOverride",
actions=["s3:*"],
resources=["*"],
),
])
source_json_example = aws.iam.get_policy_document(source_json=source.json,
statements=[aws.iam.GetPolicyDocumentStatementArgs(
sid="SidToOverride",
actions=["s3:*"],
resources=[
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*",
],
)])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const source = aws.iam.getPolicyDocument({
statements: [
{
actions: ["ec2:*"],
resources: ["*"],
},
{
sid: "SidToOverride",
actions: ["s3:*"],
resources: ["*"],
},
],
});
const sourceJsonExample = source.then(source => aws.iam.getPolicyDocument({
sourceJson: source.json,
statements: [{
sid: "SidToOverride",
actions: ["s3:*"],
resources: [
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*",
],
}],
}));
Example Using An Override Document
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var @override = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "SidToOverride",
Actions =
{
"s3:*",
},
Resources =
{
"*",
},
},
},
}));
var overrideJsonExample = @override.Apply(@override => Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
OverrideJson = @override.Json,
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Actions =
{
"ec2:*",
},
Resources =
{
"*",
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "SidToOverride",
Actions =
{
"s3:*",
},
Resources =
{
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*",
},
},
},
})));
}
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
iam.GetPolicyDocumentStatement{
Sid: "SidToOverride",
Actions: []string{
"s3:*",
},
Resources: []string{
"*",
},
},
},
}, nil)
if err != nil {
return err
}
opt0 := override.Json
_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
OverrideJson: &opt0,
Statements: []iam.GetPolicyDocumentStatement{
iam.GetPolicyDocumentStatement{
Actions: []string{
"ec2:*",
},
Resources: []string{
"*",
},
},
iam.GetPolicyDocumentStatement{
Sid: "SidToOverride",
Actions: []string{
"s3:*",
},
Resources: []string{
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*",
},
},
},
}, nil)
if err != nil {
return err
}
return nil
})
}
import pulumi
import pulumi_aws as aws
override = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
sid="SidToOverride",
actions=["s3:*"],
resources=["*"],
)])
override_json_example = aws.iam.get_policy_document(override_json=override.json,
statements=[
aws.iam.GetPolicyDocumentStatementArgs(
actions=["ec2:*"],
resources=["*"],
),
aws.iam.GetPolicyDocumentStatementArgs(
sid="SidToOverride",
actions=["s3:*"],
resources=[
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*",
],
),
])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const override = aws.iam.getPolicyDocument({
statements: [{
sid: "SidToOverride",
actions: ["s3:*"],
resources: ["*"],
}],
});
const overrideJsonExample = override.then(override => aws.iam.getPolicyDocument({
overrideJson: override.json,
statements: [
{
actions: ["ec2:*"],
resources: ["*"],
},
{
sid: "SidToOverride",
actions: ["s3:*"],
resources: [
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*",
],
},
],
}));
Example with Both Source and Override Documents
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var source = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "OverridePlaceholder",
Actions =
{
"ec2:DescribeAccountAttributes",
},
Resources =
{
"*",
},
},
},
}));
var @override = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "OverridePlaceholder",
Actions =
{
"s3:GetObject",
},
Resources =
{
"*",
},
},
},
}));
var politik = Output.Tuple(source, @override).Apply(values =>
{
var source = values.Item1;
var @override = values.Item2;
return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
SourceJson = source.Json,
OverrideJson = @override.Json,
}));
});
}
}
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
iam.GetPolicyDocumentStatement{
Sid: "OverridePlaceholder",
Actions: []string{
"ec2:DescribeAccountAttributes",
},
Resources: []string{
"*",
},
},
},
}, nil)
if err != nil {
return err
}
override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
iam.GetPolicyDocumentStatement{
Sid: "OverridePlaceholder",
Actions: []string{
"s3:GetObject",
},
Resources: []string{
"*",
},
},
},
}, nil)
if err != nil {
return err
}
opt0 := source.Json
opt1 := override.Json
_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
SourceJson: &opt0,
OverrideJson: &opt1,
}, nil)
if err != nil {
return err
}
return nil
})
}
import pulumi
import pulumi_aws as aws
source = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
sid="OverridePlaceholder",
actions=["ec2:DescribeAccountAttributes"],
resources=["*"],
)])
override = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
sid="OverridePlaceholder",
actions=["s3:GetObject"],
resources=["*"],
)])
politik = aws.iam.get_policy_document(source_json=source.json,
override_json=override.json)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const source = aws.iam.getPolicyDocument({
statements: [{
sid: "OverridePlaceholder",
actions: ["ec2:DescribeAccountAttributes"],
resources: ["*"],
}],
});
const override = aws.iam.getPolicyDocument({
statements: [{
sid: "OverridePlaceholder",
actions: ["s3:GetObject"],
resources: ["*"],
}],
});
const politik = Promise.all([source, override]).then(([source, override]) => aws.iam.getPolicyDocument({
sourceJson: source.json,
overrideJson: override.json,
}));
Example of Merging Source Documents
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var sourceOne = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Actions =
{
"ec2:*",
},
Resources =
{
"*",
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "UniqueSidOne",
Actions =
{
"s3:*",
},
Resources =
{
"*",
},
},
},
}));
var sourceTwo = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "UniqueSidTwo",
Actions =
{
"iam:*",
},
Resources =
{
"*",
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Actions =
{
"lambda:*",
},
Resources =
{
"*",
},
},
},
}));
var combined = Output.Tuple(sourceOne, sourceTwo).Apply(values =>
{
var sourceOne = values.Item1;
var sourceTwo = values.Item2;
return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
SourcePolicyDocuments =
{
sourceOne.Json,
sourceTwo.Json,
},
}));
});
}
}
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
return nil
})
}
import pulumi
import pulumi_aws as aws
source_one = aws.iam.get_policy_document(statements=[
aws.iam.GetPolicyDocumentStatementArgs(
actions=["ec2:*"],
resources=["*"],
),
aws.iam.GetPolicyDocumentStatementArgs(
sid="UniqueSidOne",
actions=["s3:*"],
resources=["*"],
),
])
source_two = aws.iam.get_policy_document(statements=[
aws.iam.GetPolicyDocumentStatementArgs(
sid="UniqueSidTwo",
actions=["iam:*"],
resources=["*"],
),
aws.iam.GetPolicyDocumentStatementArgs(
actions=["lambda:*"],
resources=["*"],
),
])
combined = aws.iam.get_policy_document(source_policy_documents=[
source_one.json,
source_two.json,
])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const sourceOne = aws.iam.getPolicyDocument({
statements: [
{
actions: ["ec2:*"],
resources: ["*"],
},
{
sid: "UniqueSidOne",
actions: ["s3:*"],
resources: ["*"],
},
],
});
const sourceTwo = aws.iam.getPolicyDocument({
statements: [
{
sid: "UniqueSidTwo",
actions: ["iam:*"],
resources: ["*"],
},
{
actions: ["lambda:*"],
resources: ["*"],
},
],
});
const combined = Promise.all([sourceOne, sourceTwo]).then(([sourceOne, sourceTwo]) => aws.iam.getPolicyDocument({
sourcePolicyDocuments: [
sourceOne.json,
sourceTwo.json,
],
}));
Example of Merging Override Documents
using Pulumi;
using Aws = Pulumi.Aws;
class MyStack : Stack
{
public MyStack()
{
var policyOne = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "OverridePlaceHolderOne",
Effect = "Allow",
Actions =
{
"s3:*",
},
Resources =
{
"*",
},
},
},
}));
var policyTwo = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Effect = "Allow",
Actions =
{
"ec2:*",
},
Resources =
{
"*",
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "OverridePlaceHolderTwo",
Effect = "Allow",
Actions =
{
"iam:*",
},
Resources =
{
"*",
},
},
},
}));
var policyThree = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "OverridePlaceHolderOne",
Effect = "Deny",
Actions =
{
"logs:*",
},
Resources =
{
"*",
},
},
},
}));
var combined = Output.Tuple(policyOne, policyTwo, policyThree).Apply(values =>
{
var policyOne = values.Item1;
var policyTwo = values.Item2;
var policyThree = values.Item3;
return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
{
OverridePolicyDocuments =
{
policyOne.Json,
policyTwo.Json,
policyThree.Json,
},
Statements =
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
{
Sid = "OverridePlaceHolderTwo",
Effect = "Deny",
Actions =
{
"*",
},
Resources =
{
"*",
},
},
},
}));
});
}
}
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
return nil
})
}
import pulumi
import pulumi_aws as aws
policy_one = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
sid="OverridePlaceHolderOne",
effect="Allow",
actions=["s3:*"],
resources=["*"],
)])
policy_two = aws.iam.get_policy_document(statements=[
aws.iam.GetPolicyDocumentStatementArgs(
effect="Allow",
actions=["ec2:*"],
resources=["*"],
),
aws.iam.GetPolicyDocumentStatementArgs(
sid="OverridePlaceHolderTwo",
effect="Allow",
actions=["iam:*"],
resources=["*"],
),
])
policy_three = aws.iam.get_policy_document(statements=[aws.iam.GetPolicyDocumentStatementArgs(
sid="OverridePlaceHolderOne",
effect="Deny",
actions=["logs:*"],
resources=["*"],
)])
combined = aws.iam.get_policy_document(override_policy_documents=[
policy_one.json,
policy_two.json,
policy_three.json,
],
statements=[aws.iam.GetPolicyDocumentStatementArgs(
sid="OverridePlaceHolderTwo",
effect="Deny",
actions=["*"],
resources=["*"],
)])
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const policyOne = aws.iam.getPolicyDocument({
statements: [{
sid: "OverridePlaceHolderOne",
effect: "Allow",
actions: ["s3:*"],
resources: ["*"],
}],
});
const policyTwo = aws.iam.getPolicyDocument({
statements: [
{
effect: "Allow",
actions: ["ec2:*"],
resources: ["*"],
},
{
sid: "OverridePlaceHolderTwo",
effect: "Allow",
actions: ["iam:*"],
resources: ["*"],
},
],
});
const policyThree = aws.iam.getPolicyDocument({
statements: [{
sid: "OverridePlaceHolderOne",
effect: "Deny",
actions: ["logs:*"],
resources: ["*"],
}],
});
const combined = Promise.all([policyOne, policyTwo, policyThree]).then(([policyOne, policyTwo, policyThree]) => aws.iam.getPolicyDocument({
overridePolicyDocuments: [
policyOne.json,
policyTwo.json,
policyThree.json,
],
statements: [{
sid: "OverridePlaceHolderTwo",
effect: "Deny",
actions: ["*"],
resources: ["*"],
}],
}));
Using getPolicyDocument
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
function getPolicyDocumentOutput(args: GetPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetPolicyDocumentResult>def get_policy_document(override_json: Optional[str] = None,
override_policy_documents: Optional[Sequence[str]] = None,
policy_id: Optional[str] = None,
source_json: Optional[str] = None,
source_policy_documents: Optional[Sequence[str]] = None,
statements: Optional[Sequence[GetPolicyDocumentStatement]] = None,
version: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
def get_policy_document_output(override_json: Optional[pulumi.Input[str]] = None,
override_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
policy_id: Optional[pulumi.Input[str]] = None,
source_json: Optional[pulumi.Input[str]] = None,
source_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
statements: Optional[pulumi.Input[Sequence[pulumi.Input[GetPolicyDocumentStatementArgs]]]] = None,
version: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetPolicyDocumentResult]func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)
func GetPolicyDocumentOutput(ctx *Context, args *GetPolicyDocumentOutputArgs, opts ...InvokeOption) GetPolicyDocumentResultOutput> Note: This function is named GetPolicyDocument in the Go SDK.
public static class GetPolicyDocument
{
public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
public static Output<GetPolicyDocumentResult> Invoke(GetPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
}The following arguments are supported:
-
Override
Json string - IAM policy document whose statements with non-blank
sids will override statements with the samesidfrom documents assigned to thesource_json,source_policy_documents, andoverride_policy_documentsarguments. Non-overriding statements will be added to the exported document. -
Override
Policy List<string>Documents - List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank
sids will override statements with the samesidfrom earlier documents in the list. Statements with non-blanksids will also override statements with the samesidfrom documents provided in thesource_jsonandsource_policy_documentsarguments. Non-overriding statements will be added to the exported document. -
Policy
Id string - ID for the policy document.
-
Source
Json string - IAM policy document used as a base for the exported policy document. Statements with the same
sidfrom documents assigned to theoverride_jsonandoverride_policy_documentsarguments will override source statements. -
Source
Policy List<string>Documents - List of IAM policy documents that are merged together into the exported document. Statements defined in
source_policy_documentsorsource_jsonmust have uniquesids. Statements with the samesidfrom documents assigned to theoverride_jsonandoverride_policy_documentsarguments will override source statements. -
Statements
List<Pulumi.
Aws. Iam. Inputs. Get Policy Document Statement> - Configuration block for a policy statement. Detailed below.
- Version string
- IAM policy document version. Valid values are
2008-10-17and2012-10-17. Defaults to2012-10-17. For more information, see the AWS IAM User Guide.
-
Override
Json string - IAM policy document whose statements with non-blank
sids will override statements with the samesidfrom documents assigned to thesource_json,source_policy_documents, andoverride_policy_documentsarguments. Non-overriding statements will be added to the exported document. -
Override
Policy []stringDocuments - List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank
sids will override statements with the samesidfrom earlier documents in the list. Statements with non-blanksids will also override statements with the samesidfrom documents provided in thesource_jsonandsource_policy_documentsarguments. Non-overriding statements will be added to the exported document. -
Policy
Id string - ID for the policy document.
-
Source
Json string - IAM policy document used as a base for the exported policy document. Statements with the same
sidfrom documents assigned to theoverride_jsonandoverride_policy_documentsarguments will override source statements. -
Source
Policy []stringDocuments - List of IAM policy documents that are merged together into the exported document. Statements defined in
source_policy_documentsorsource_jsonmust have uniquesids. Statements with the samesidfrom documents assigned to theoverride_jsonandoverride_policy_documentsarguments will override source statements. -
Statements
[]Get
Policy Document Statement - Configuration block for a policy statement. Detailed below.
- Version string
- IAM policy document version. Valid values are
2008-10-17and2012-10-17. Defaults to2012-10-17. For more information, see the AWS IAM User Guide.
-
override
Json string - IAM policy document whose statements with non-blank
sids will override statements with the samesidfrom documents assigned to thesource_json,source_policy_documents, andoverride_policy_documentsarguments. Non-overriding statements will be added to the exported document. -
override
Policy string[]Documents - List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank
sids will override statements with the samesidfrom earlier documents in the list. Statements with non-blanksids will also override statements with the samesidfrom documents provided in thesource_jsonandsource_policy_documentsarguments. Non-overriding statements will be added to the exported document. -
policy
Id string - ID for the policy document.
-
source
Json string - IAM policy document used as a base for the exported policy document. Statements with the same
sidfrom documents assigned to theoverride_jsonandoverride_policy_documentsarguments will override source statements. -
source
Policy string[]Documents - List of IAM policy documents that are merged together into the exported document. Statements defined in
source_policy_documentsorsource_jsonmust have uniquesids. Statements with the samesidfrom documents assigned to theoverride_jsonandoverride_policy_documentsarguments will override source statements. -
statements
Get
Policy Document Statement[] - Configuration block for a policy statement. Detailed below.
- version string
- IAM policy document version. Valid values are
2008-10-17and2012-10-17. Defaults to2012-10-17. For more information, see the AWS IAM User Guide.
-
override_
json str - IAM policy document whose statements with non-blank
sids will override statements with the samesidfrom documents assigned to thesource_json,source_policy_documents, andoverride_policy_documentsarguments. Non-overriding statements will be added to the exported document. -
override_
policy_ Sequence[str]documents - List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank
sids will override statements with the samesidfrom earlier documents in the list. Statements with non-blanksids will also override statements with the samesidfrom documents provided in thesource_jsonandsource_policy_documentsarguments. Non-overriding statements will be added to the exported document. -
policy_
id str - ID for the policy document.
-
source_
json str - IAM policy document used as a base for the exported policy document. Statements with the same
sidfrom documents assigned to theoverride_jsonandoverride_policy_documentsarguments will override source statements. -
source_
policy_ Sequence[str]documents - List of IAM policy documents that are merged together into the exported document. Statements defined in
source_policy_documentsorsource_jsonmust have uniquesids. Statements with the samesidfrom documents assigned to theoverride_jsonandoverride_policy_documentsarguments will override source statements. -
statements
Sequence[Get
Policy Document Statement] - Configuration block for a policy statement. Detailed below.
- version str
- IAM policy document version. Valid values are
2008-10-17and2012-10-17. Defaults to2012-10-17. For more information, see the AWS IAM User Guide.
getPolicyDocument Result
The following output properties are available:
- Id string
- The provider-assigned unique ID for this managed resource.
- Json string
- Standard JSON policy document rendered based on the arguments above.
-
Override
Json string -
Override
Policy List<string>Documents -
Policy
Id string -
Source
Json string -
Source
Policy List<string>Documents -
Statements
List<Pulumi.
Aws. Iam. Outputs. Get Policy Document Statement> - Version string
- Id string
- The provider-assigned unique ID for this managed resource.
- Json string
- Standard JSON policy document rendered based on the arguments above.
-
Override
Json string -
Override
Policy []stringDocuments -
Policy
Id string -
Source
Json string -
Source
Policy []stringDocuments -
Statements
[]Get
Policy Document Statement - Version string
- id string
- The provider-assigned unique ID for this managed resource.
- json string
- Standard JSON policy document rendered based on the arguments above.
-
override
Json string -
override
Policy string[]Documents -
policy
Id string -
source
Json string -
source
Policy string[]Documents -
statements
Get
Policy Document Statement[] - version string
- id str
- The provider-assigned unique ID for this managed resource.
- json str
- Standard JSON policy document rendered based on the arguments above.
-
override_
json str -
override_
policy_ Sequence[str]documents -
policy_
id str -
source_
json str -
source_
policy_ Sequence[str]documents -
statements
Sequence[Get
Policy Document Statement] - version str
Supporting Types
GetPolicyDocumentStatement
- Actions List<string>
- List of actions that this statement either allows or denies. For example,
["ec2:RunInstances", "s3:*"]. -
Conditions
List<Pulumi.
Aws. Iam. Inputs. Get Policy Document Statement Condition> - Configuration block for a condition. Detailed below.
- Effect string
- Whether this statement allows or denies the given actions. Valid values are
AllowandDeny. Defaults toAllow. -
Not
Actions List<string> - List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
-
Not
Principals List<Pulumi.Aws. Iam. Inputs. Get Policy Document Statement Not Principal> - Like
principalsexcept these are principals that the statement does not apply to. -
Not
Resources List<string> - List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with
resources. -
Principals
List<Pulumi.
Aws. Iam. Inputs. Get Policy Document Statement Principal> - Configuration block for principals. Detailed below.
- Resources List<string>
- List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with
not_resources. - Sid string
- Sid (statement ID) is an identifier for a policy statement.
- Actions []string
- List of actions that this statement either allows or denies. For example,
["ec2:RunInstances", "s3:*"]. -
Conditions
[]Get
Policy Document Statement Condition - Configuration block for a condition. Detailed below.
- Effect string
- Whether this statement allows or denies the given actions. Valid values are
AllowandDeny. Defaults toAllow. -
Not
Actions []string - List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
-
Not
Principals []GetPolicy Document Statement Not Principal - Like
principalsexcept these are principals that the statement does not apply to. -
Not
Resources []string - List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with
resources. -
Principals
[]Get
Policy Document Statement Principal - Configuration block for principals. Detailed below.
- Resources []string
- List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with
not_resources. - Sid string
- Sid (statement ID) is an identifier for a policy statement.
- actions string[]
- List of actions that this statement either allows or denies. For example,
["ec2:RunInstances", "s3:*"]. -
conditions
Get
Policy Document Statement Condition[] - Configuration block for a condition. Detailed below.
- effect string
- Whether this statement allows or denies the given actions. Valid values are
AllowandDeny. Defaults toAllow. -
not
Actions string[] - List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
-
not
Principals GetPolicy Document Statement Not Principal[] - Like
principalsexcept these are principals that the statement does not apply to. -
not
Resources string[] - List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with
resources. -
principals
Get
Policy Document Statement Principal[] - Configuration block for principals. Detailed below.
- resources string[]
- List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with
not_resources. - sid string
- Sid (statement ID) is an identifier for a policy statement.
- actions Sequence[str]
- List of actions that this statement either allows or denies. For example,
["ec2:RunInstances", "s3:*"]. -
conditions
Sequence[Get
Policy Document Statement Condition] - Configuration block for a condition. Detailed below.
- effect str
- Whether this statement allows or denies the given actions. Valid values are
AllowandDeny. Defaults toAllow. -
not_
actions Sequence[str] - List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
-
not_
principals Sequence[GetPolicy Document Statement Not Principal] - Like
principalsexcept these are principals that the statement does not apply to. -
not_
resources Sequence[str] - List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with
resources. -
principals
Sequence[Get
Policy Document Statement Principal] - Configuration block for principals. Detailed below.
- resources Sequence[str]
- List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with
not_resources. - sid str
- Sid (statement ID) is an identifier for a policy statement.
GetPolicyDocumentStatementCondition
- Test string
- Name of the IAM condition operator to evaluate.
- Values List<string>
- Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an “OR” boolean operation.
- Variable string
- Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with
aws:or service-specific variables prefixed with the service name.
- Test string
- Name of the IAM condition operator to evaluate.
- Values []string
- Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an “OR” boolean operation.
- Variable string
- Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with
aws:or service-specific variables prefixed with the service name.
- test string
- Name of the IAM condition operator to evaluate.
- values string[]
- Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an “OR” boolean operation.
- variable string
- Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with
aws:or service-specific variables prefixed with the service name.
- test str
- Name of the IAM condition operator to evaluate.
- values Sequence[str]
- Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an “OR” boolean operation.
- variable str
- Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with
aws:or service-specific variables prefixed with the service name.
GetPolicyDocumentStatementNotPrincipal
- Identifiers List<string>
- List of identifiers for principals. When
typeisAWS, these are IAM principal ARNs, e.g.,arn:aws:iam::12345678901:role/yak-role. WhentypeisService, these are AWS Service roles, e.g.,lambda.amazonaws.com. WhentypeisFederated, these are web identity users or SAML provider ARNs, e.g.,accounts.google.comorarn:aws:iam::12345678901:saml-provider/yak-saml-provider. WhentypeisCanonicalUser, these are canonical user IDs, e.g.,79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be. - Type string
- Type of principal. Valid values include
AWS,Service,Federated,CanonicalUserand*.
- Identifiers []string
- List of identifiers for principals. When
typeisAWS, these are IAM principal ARNs, e.g.,arn:aws:iam::12345678901:role/yak-role. WhentypeisService, these are AWS Service roles, e.g.,lambda.amazonaws.com. WhentypeisFederated, these are web identity users or SAML provider ARNs, e.g.,accounts.google.comorarn:aws:iam::12345678901:saml-provider/yak-saml-provider. WhentypeisCanonicalUser, these are canonical user IDs, e.g.,79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be. - Type string
- Type of principal. Valid values include
AWS,Service,Federated,CanonicalUserand*.
- identifiers string[]
- List of identifiers for principals. When
typeisAWS, these are IAM principal ARNs, e.g.,arn:aws:iam::12345678901:role/yak-role. WhentypeisService, these are AWS Service roles, e.g.,lambda.amazonaws.com. WhentypeisFederated, these are web identity users or SAML provider ARNs, e.g.,accounts.google.comorarn:aws:iam::12345678901:saml-provider/yak-saml-provider. WhentypeisCanonicalUser, these are canonical user IDs, e.g.,79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be. - type string
- Type of principal. Valid values include
AWS,Service,Federated,CanonicalUserand*.
- identifiers Sequence[str]
- List of identifiers for principals. When
typeisAWS, these are IAM principal ARNs, e.g.,arn:aws:iam::12345678901:role/yak-role. WhentypeisService, these are AWS Service roles, e.g.,lambda.amazonaws.com. WhentypeisFederated, these are web identity users or SAML provider ARNs, e.g.,accounts.google.comorarn:aws:iam::12345678901:saml-provider/yak-saml-provider. WhentypeisCanonicalUser, these are canonical user IDs, e.g.,79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be. - type str
- Type of principal. Valid values include
AWS,Service,Federated,CanonicalUserand*.
GetPolicyDocumentStatementPrincipal
- Identifiers List<string>
- List of identifiers for principals. When
typeisAWS, these are IAM principal ARNs, e.g.,arn:aws:iam::12345678901:role/yak-role. WhentypeisService, these are AWS Service roles, e.g.,lambda.amazonaws.com. WhentypeisFederated, these are web identity users or SAML provider ARNs, e.g.,accounts.google.comorarn:aws:iam::12345678901:saml-provider/yak-saml-provider. WhentypeisCanonicalUser, these are canonical user IDs, e.g.,79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be. - Type string
- Type of principal. Valid values include
AWS,Service,Federated,CanonicalUserand*.
- Identifiers []string
- List of identifiers for principals. When
typeisAWS, these are IAM principal ARNs, e.g.,arn:aws:iam::12345678901:role/yak-role. WhentypeisService, these are AWS Service roles, e.g.,lambda.amazonaws.com. WhentypeisFederated, these are web identity users or SAML provider ARNs, e.g.,accounts.google.comorarn:aws:iam::12345678901:saml-provider/yak-saml-provider. WhentypeisCanonicalUser, these are canonical user IDs, e.g.,79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be. - Type string
- Type of principal. Valid values include
AWS,Service,Federated,CanonicalUserand*.
- identifiers string[]
- List of identifiers for principals. When
typeisAWS, these are IAM principal ARNs, e.g.,arn:aws:iam::12345678901:role/yak-role. WhentypeisService, these are AWS Service roles, e.g.,lambda.amazonaws.com. WhentypeisFederated, these are web identity users or SAML provider ARNs, e.g.,accounts.google.comorarn:aws:iam::12345678901:saml-provider/yak-saml-provider. WhentypeisCanonicalUser, these are canonical user IDs, e.g.,79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be. - type string
- Type of principal. Valid values include
AWS,Service,Federated,CanonicalUserand*.
- identifiers Sequence[str]
- List of identifiers for principals. When
typeisAWS, these are IAM principal ARNs, e.g.,arn:aws:iam::12345678901:role/yak-role. WhentypeisService, these are AWS Service roles, e.g.,lambda.amazonaws.com. WhentypeisFederated, these are web identity users or SAML provider ARNs, e.g.,accounts.google.comorarn:aws:iam::12345678901:saml-provider/yak-saml-provider. WhentypeisCanonicalUser, these are canonical user IDs, e.g.,79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be. - type str
- Type of principal. Valid values include
AWS,Service,Federated,CanonicalUserand*.
Package Details
- Repository
- https://github.com/pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.