published on Tuesday, Mar 10, 2026 by Pulumi
Generates an IAM policy document in JSON format for use with resources that expect policy documents such as aws.iam.Policy.
Using this data source to generate policy documents is optional: it is equally valid to use a literal JSON string in your configuration, or to read a raw JSON policy document from a file with the file interpolation function.
Example Usage
Basic Example
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // NOTE: @var.S3_bucket_name is a placeholder for a stack configuration
    // value; it is not defined in this listing.
    var bucketArn = $"arn:aws:s3:::{@var.S3_bucket_name}";

    // Statement 1: account-wide bucket discovery.
    var listBuckets = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "1",
        Actions = new[] { "s3:ListAllMyBuckets", "s3:GetBucketLocation" },
        Resources = new[] { "arn:aws:s3:::*" },
    };

    // Statement 2: listing the bucket, narrowed by s3:prefix to the caller's
    // own home prefix. "&{aws:username}" is this data source's escaped spelling
    // of the IAM policy variable ${aws:username}; it reaches the JSON
    // unresolved by Pulumi so IAM evaluates it per request (confirm against the
    // argument reference).
    var listHomePrefix = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Actions = new[] { "s3:ListBucket" },
        Resources = new[] { bucketArn },
        Conditions = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
            {
                Test = "StringLike",
                Variable = "s3:prefix",
                Values = new[] { "", "home/", "home/&{aws:username}/" },
            },
        },
    };

    // Statement 3: full object access, but only beneath the caller's home
    // prefix. "{{" is C# interpolation escaping for one literal brace.
    var homeObjects = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Actions = new[] { "s3:*" },
        Resources = new[]
        {
            $"{bucketArn}/home/&{{aws:username}}",
            $"{bucketArn}/home/&{{aws:username}}/*",
        },
    };

    var examplePolicyDocument = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { listBuckets, listHomePrefix, homeObjects },
    });

    // The rendered JSON is what the managed policy actually carries.
    var examplePolicy = new Aws.Iam.Policy("examplePolicy", new()
    {
        Path = "/",
        PolicyDocument = examplePolicyDocument.Apply(result => result.Json),
    });
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
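func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE: _var.S3_bucket_name is a placeholder for a stack configuration
		// value; it is not defined in this listing.
		bucketArn := fmt.Sprintf("arn:aws:s3:::%v", _var.S3_bucket_name)

		// Statements is a typed slice, as in the other Go examples on this page;
		// a pulumi.Array does not match the GetPolicyDocumentArgs field.
		examplePolicyDocument, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					// Account-wide bucket discovery.
					Sid: pulumi.StringRef("1"),
					Actions: []string{
						"s3:ListAllMyBuckets",
						"s3:GetBucketLocation",
					},
					Resources: []string{
						"arn:aws:s3:::*",
					},
				},
				{
					// Listing the bucket, narrowed by s3:prefix to the caller's
					// own home prefix. "&{aws:username}" is this data source's
					// escaped spelling of the IAM policy variable ${aws:username}
					// (confirm against the argument reference).
					Actions: []string{
						"s3:ListBucket",
					},
					Resources: []string{
						bucketArn,
					},
					Conditions: []iam.GetPolicyDocumentStatementCondition{
						{
							Test:     "StringLike",
							Variable: "s3:prefix",
							Values: []string{
								"",
								"home/",
								"home/&{aws:username}/",
							},
						},
					},
				},
				{
					// Full object access, only beneath the caller's home prefix.
					Actions: []string{
						"s3:*",
					},
					Resources: []string{
						bucketArn + "/home/&{aws:username}",
						bucketArn + "/home/&{aws:username}/*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// pulumi.String returns a value, not a pointer, so it must not be
		// dereferenced; the managed policy carries the rendered JSON.
		_, err = iam.NewPolicy(ctx, "examplePolicy", &iam.PolicyArgs{
			Path:   pulumi.String("/"),
			Policy: pulumi.String(examplePolicyDocument.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}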
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
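public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Builds the three-statement bucket policy and attaches it to a managed IAM policy. */
    public static void stack(Context ctx) {
        // NOTE: var_.s3_bucket_name() is a placeholder for a stack configuration
        // value; it is not defined in this listing.
        final var bucketArn = String.format("arn:aws:s3:::%s", var_.s3_bucket_name());

        // The statement/condition builders are referenced by fully-qualified
        // name because this listing's import block does not import them.
        final var examplePolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                // Account-wide bucket discovery.
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .sid("1")
                    .actions(
                        "s3:ListAllMyBuckets",
                        "s3:GetBucketLocation")
                    .resources("arn:aws:s3:::*")
                    .build(),
                // Listing the bucket, narrowed by s3:prefix to the caller's own
                // home prefix. "&{aws:username}" is this data source's escaped
                // spelling of the IAM policy variable ${aws:username} (confirm
                // against the argument reference).
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .actions("s3:ListBucket")
                    .resources(bucketArn)
                    .conditions(com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementConditionArgs.builder()
                        .test("StringLike")
                        .variable("s3:prefix")
                        .values(
                            "",
                            "home/",
                            "home/&{aws:username}/")
                        .build())
                    .build(),
                // Full object access, only beneath the caller's home prefix.
                // String.format has no brace escaping, so a single "{" is used
                // here; "{{" would be emitted literally into the ARN.
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .actions("s3:*")
                    .resources(
                        bucketArn + "/home/&{aws:username}",
                        bucketArn + "/home/&{aws:username}/*")
                    .build())
            .build());

        var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()
            .path("/")
            .policy(examplePolicyDocument.applyValue(result -> result.json()))
            .build());
    }
}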
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// NOTE: _var.s3_bucket_name is a placeholder for a stack configuration value;
// it is not defined in this listing.
const bucketArn = `arn:aws:s3:::${_var.s3_bucket_name}`;

// Account-wide bucket discovery.
const listBuckets = {
    sid: "1",
    actions: ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
    resources: ["arn:aws:s3:::*"],
};

// Listing the bucket, narrowed by s3:prefix to the caller's own home prefix.
// "&{aws:username}" is this data source's escaped spelling of the IAM policy
// variable ${aws:username}; it is not interpolated by Pulumi (confirm against
// the argument reference).
const listHomePrefix = {
    actions: ["s3:ListBucket"],
    resources: [bucketArn],
    conditions: [{
        test: "StringLike",
        variable: "s3:prefix",
        values: ["", "home/", "home/&{aws:username}/"],
    }],
};

// Full object access, only beneath the caller's home prefix.
const homeObjects = {
    actions: ["s3:*"],
    resources: [
        `${bucketArn}/home/&{aws:username}`,
        `${bucketArn}/home/&{aws:username}/*`,
    ],
};

const examplePolicyDocument = aws.iam.getPolicyDocument({
    statements: [listBuckets, listHomePrefix, homeObjects],
});

// The managed policy carries the rendered JSON.
const examplePolicy = new aws.iam.Policy("examplePolicy", {
    path: "/",
    policy: examplePolicyDocument.then(doc => doc.json),
});
import pulumi
import pulumi_aws as aws
# NOTE: var['s3_bucket_name'] is a placeholder for a stack configuration value;
# ``var`` is not defined in this listing.
_bucket_arn = "arn:aws:s3:::{}".format(var["s3_bucket_name"])

# Listing the bucket is narrowed by s3:prefix to the caller's own home prefix.
# "&{aws:username}" is this data source's escaped spelling of the IAM policy
# variable ${aws:username}; it is not interpolated by Pulumi (confirm against
# the argument reference).
_home_prefix_condition = aws.iam.GetPolicyDocumentStatementConditionArgs(
    test="StringLike",
    variable="s3:prefix",
    values=["", "home/", "home/&{aws:username}/"],
)

_statements = [
    # Account-wide bucket discovery.
    aws.iam.GetPolicyDocumentStatementArgs(
        sid="1",
        actions=["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
        resources=["arn:aws:s3:::*"],
    ),
    aws.iam.GetPolicyDocumentStatementArgs(
        actions=["s3:ListBucket"],
        resources=[_bucket_arn],
        conditions=[_home_prefix_condition],
    ),
    # Full object access, only beneath the caller's home prefix.
    aws.iam.GetPolicyDocumentStatementArgs(
        actions=["s3:*"],
        resources=[
            _bucket_arn + "/home/&{aws:username}",
            _bucket_arn + "/home/&{aws:username}/*",
        ],
    ),
]

example_policy_document = aws.iam.get_policy_document(statements=_statements)

# The managed policy carries the rendered JSON.
example_policy = aws.iam.Policy(
    "examplePolicy",
    path="/",
    policy=example_policy_document.json,
)
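resources:
  examplePolicy:
    type: aws:iam:Policy
    properties:
      path: /
      # The managed policy carries the JSON rendered by the invoke below.
      policy: ${examplePolicyDocument.json}
variables:
  examplePolicyDocument:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          # Account-wide bucket discovery.
          - sid: '1'
            actions:
              - s3:ListAllMyBuckets
              - s3:GetBucketLocation
            resources:
              - arn:aws:s3:::*
          # Listing the bucket, narrowed by s3:prefix to the caller's own home
          # prefix. "&{aws:username}" is this data source's escaped spelling of
          # the IAM policy variable; ${var.s3_bucket_name} is Pulumi interpolation.
          - actions:
              - s3:ListBucket
            resources:
              - arn:aws:s3:::${var.s3_bucket_name}
            conditions:
              - test: StringLike
                variable: s3:prefix
                values:
                  # Quoted empty string: a bare "-" is YAML null, not the ""
                  # value the other language examples use.
                  - ''
                  - home/
                  - home/&{aws:username}/
          # Full object access, only beneath the caller's home prefix.
          - actions:
              - s3:*
            resources:
              - arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}
              - arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}/*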
Example Multiple Condition Keys and Values
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // One ForAnyValue:StringEquals condition on a single encryption-context key.
    Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs ContextEquals(string key, params string[] values) =>
        new() { Test = "ForAnyValue:StringEquals", Variable = key, Values = values };

    var exampleMultipleConditionKeysAndValues = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[] { "kms:Decrypt", "kms:GenerateDataKey" },
                // All three conditions must hold for a request to match; together
                // they narrow the wildcard resource to keys used under this
                // encryption context.
                Conditions = new[]
                {
                    ContextEquals("kms:EncryptionContext:service", "pi"),
                    ContextEquals("kms:EncryptionContext:aws:pi:service", "rds"),
                    ContextEquals("kms:EncryptionContext:aws:rds:db-id",
                        "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                        "db-EEEEEDDDDDCCCCCBBBBBAAAAA"),
                },
                Resources = new[] { "*" },
            },
        },
    });
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// All three conditions must hold for a request to match; together they
		// narrow the wildcard resource to keys used under this encryption context.
		encryptionContext := []iam.GetPolicyDocumentStatementCondition{
			{
				Test:     "ForAnyValue:StringEquals",
				Values:   []string{"pi"},
				Variable: "kms:EncryptionContext:service",
			},
			{
				Test:     "ForAnyValue:StringEquals",
				Values:   []string{"rds"},
				Variable: "kms:EncryptionContext:aws:pi:service",
			},
			{
				Test: "ForAnyValue:StringEquals",
				Values: []string{
					"db-AAAAABBBBBCCCCCDDDDDEEEEE",
					"db-EEEEEDDDDDCCCCCBBBBBAAAAA",
				},
				Variable: "kms:EncryptionContext:aws:rds:db-id",
			},
		}

		statement := iam.GetPolicyDocumentStatement{
			Actions:    []string{"kms:Decrypt", "kms:GenerateDataKey"},
			Conditions: encryptionContext,
			Resources:  []string{"*"},
		}

		// The rendered document is not used further in this example.
		if _, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{statement},
		}, nil); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
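public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Renders a KMS statement whose wildcard resource is narrowed by three encryption-context keys. */
    public static void stack(Context ctx) {
        // The statement builder is referenced by fully-qualified name because
        // this listing's import block does not import it.
        final var exampleMultipleConditionKeysAndValues = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                .actions(
                    "kms:Decrypt",
                    "kms:GenerateDataKey")
                // All three conditions must hold for a request to match.
                .conditions(
                    contextEquals("kms:EncryptionContext:service", "pi"),
                    contextEquals("kms:EncryptionContext:aws:pi:service", "rds"),
                    contextEquals("kms:EncryptionContext:aws:rds:db-id",
                        "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                        "db-EEEEEDDDDDCCCCCBBBBBAAAAA"))
                .resources("*")
                .build())
            .build());
    }

    /** One ForAnyValue:StringEquals condition on a single encryption-context key. */
    private static com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementConditionArgs contextEquals(String key, String... values) {
        return com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementConditionArgs.builder()
            .test("ForAnyValue:StringEquals")
            .values(values)
            .variable(key)
            .build();
    }
}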
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// One ForAnyValue:StringEquals condition on a single encryption-context key.
const contextEquals = (variable: string, ...values: string[]) => ({
    test: "ForAnyValue:StringEquals",
    values,
    variable,
});

// All three conditions must hold for a request to match; together they narrow
// the wildcard resource to keys used under this encryption context.
const encryptionContext = [
    contextEquals("kms:EncryptionContext:service", "pi"),
    contextEquals("kms:EncryptionContext:aws:pi:service", "rds"),
    contextEquals("kms:EncryptionContext:aws:rds:db-id",
        "db-AAAAABBBBBCCCCCDDDDDEEEEE",
        "db-EEEEEDDDDDCCCCCBBBBBAAAAA"),
];

const exampleMultipleConditionKeysAndValues = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["kms:Decrypt", "kms:GenerateDataKey"],
        conditions: encryptionContext,
        resources: ["*"],
    }],
});
import pulumi
import pulumi_aws as aws
def _context_equals(variable, *values):
    """One ForAnyValue:StringEquals condition on a single encryption-context key."""
    return aws.iam.GetPolicyDocumentStatementConditionArgs(
        test="ForAnyValue:StringEquals",
        values=list(values),
        variable=variable,
    )


# All three conditions must hold for a request to match; together they narrow
# the wildcard resource to keys used under this encryption context.
_encryption_context = [
    _context_equals("kms:EncryptionContext:service", "pi"),
    _context_equals("kms:EncryptionContext:aws:pi:service", "rds"),
    _context_equals(
        "kms:EncryptionContext:aws:rds:db-id",
        "db-AAAAABBBBBCCCCCDDDDDEEEEE",
        "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
    ),
]

example_multiple_condition_keys_and_values = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["kms:Decrypt", "kms:GenerateDataKey"],
            conditions=_encryption_context,
            resources=["*"],
        )
    ]
)
variables:
  exampleMultipleConditionKeysAndValues:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - actions:
              - kms:Decrypt
              - kms:GenerateDataKey
            # All three conditions must hold for a request to match; together
            # they narrow the wildcard resource below to keys used under this
            # encryption context.
            conditions:
              - test: ForAnyValue:StringEquals
                values:
                  - pi
                variable: kms:EncryptionContext:service
              - test: ForAnyValue:StringEquals
                values:
                  - rds
                variable: kms:EncryptionContext:aws:pi:service
              - test: ForAnyValue:StringEquals
                values:
                  - db-AAAAABBBBBCCCCCDDDDDEEEEE
                  - db-EEEEEDDDDDCCCCCBBBBBAAAAA
                variable: kms:EncryptionContext:aws:rds:db-id
            resources:
              - '*'
will evaluate to
using System.Collections.Generic;
using System.Linq;
using Pulumi;
return await Deployment.RunAsync(() =>
{
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
}
}
import * as pulumi from "@pulumi/pulumi";
import pulumi
{}
Example Assume-Role Policy with Multiple Principals
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // NOTE: @var.Trusted_role_arn, @var.Account_id and @var.Provider_name are
    // placeholders for stack configuration values; none is defined in this listing.
    var samlProviderArn = $"arn:aws:iam::{@var.Account_id}:saml-provider/{@var.Provider_name}";

    // Review: the trust statement below carries no Conditions, so each principal
    // is trusted unconditionally. For cognito-identity.amazonaws.com a
    // cognito-identity.amazonaws.com:aud condition, and for the Firehose service
    // principal aws:SourceAccount / aws:SourceArn, would pin the trust to a
    // specific identity pool / delivery stream — confirm against the intended
    // trust boundary.
    var trustedPrincipals = new[]
    {
        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
        {
            Type = "Service",
            Identifiers = new[] { "firehose.amazonaws.com" },
        },
        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
        {
            Type = "AWS",
            Identifiers = new[] { @var.Trusted_role_arn },
        },
        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
        {
            Type = "Federated",
            Identifiers = new[] { samlProviderArn, "cognito-identity.amazonaws.com" },
        },
    };

    var eventStreamBucketRoleAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[] { "sts:AssumeRole" },
                Principals = trustedPrincipals,
            },
        },
    });
});
package main
import (
"fmt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
)
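func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE: _var.Trusted_role_arn, _var.Account_id and _var.Provider_name are
		// placeholders for stack configuration values; none is defined here.
		samlProviderArn := fmt.Sprintf("arn:aws:iam::%v:saml-provider/%v", _var.Account_id, _var.Provider_name)

		// Review: this trust statement carries no Conditions, so each principal is
		// trusted unconditionally. For cognito-identity.amazonaws.com a
		// cognito-identity.amazonaws.com:aud condition, and for the Firehose
		// service principal aws:SourceAccount / aws:SourceArn, would pin the trust
		// to a specific identity pool / delivery stream — confirm against the
		// intended trust boundary.
		_, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions: []string{
						"sts:AssumeRole",
					},
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type: "Service",
							Identifiers: []string{
								"firehose.amazonaws.com",
							},
						},
						{
							// Identifiers is a []string; "interface{}{...}" is not
							// a valid composite literal and does not compile.
							Type: "AWS",
							Identifiers: []string{
								_var.Trusted_role_arn,
							},
						},
						{
							Type: "Federated",
							Identifiers: []string{
								samlProviderArn,
								"cognito-identity.amazonaws.com",
							},
						},
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}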
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
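public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Renders an assume-role trust document with service, account and federated principals. */
    public static void stack(Context ctx) {
        // NOTE: var_.trusted_role_arn(), var_.account_id() and var_.provider_name()
        // are placeholders for stack configuration values; none is defined here.
        final var samlProviderArn = String.format("arn:aws:iam::%s:saml-provider/%s", var_.account_id(), var_.provider_name());

        // Review: this trust statement carries no conditions, so each principal
        // is trusted unconditionally. For cognito-identity.amazonaws.com a
        // cognito-identity.amazonaws.com:aud condition, and for the Firehose
        // service principal aws:SourceAccount / aws:SourceArn, would pin the
        // trust to a specific identity pool / delivery stream — confirm against
        // the intended trust boundary.
        //
        // The statement/principal builders are referenced by fully-qualified
        // name because this listing's import block does not import them.
        final var eventStreamBucketRoleAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                .actions("sts:AssumeRole")
                .principals(
                    principal("Service", "firehose.amazonaws.com"),
                    principal("AWS", var_.trusted_role_arn()),
                    principal("Federated", samlProviderArn, "cognito-identity.amazonaws.com"))
                .build())
            .build());
    }

    /** One principal entry of the given type with the given identifiers. */
    private static com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs principal(String type, String... identifiers) {
        return com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs.builder()
            .type(type)
            .identifiers(identifiers)
            .build();
    }
}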
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// NOTE: _var.trusted_role_arn, _var.account_id and _var.provider_name are
// placeholders for stack configuration values; none is defined in this listing.
const samlProviderArn = `arn:aws:iam::${_var.account_id}:saml-provider/${_var.provider_name}`;

// Review: the trust statement below carries no conditions, so each principal is
// trusted unconditionally. For cognito-identity.amazonaws.com a
// cognito-identity.amazonaws.com:aud condition, and for the Firehose service
// principal aws:SourceAccount / aws:SourceArn, would pin the trust to a specific
// identity pool / delivery stream — confirm against the intended trust boundary.
const trustedPrincipals = [
    { type: "Service", identifiers: ["firehose.amazonaws.com"] },
    { type: "AWS", identifiers: [_var.trusted_role_arn] },
    { type: "Federated", identifiers: [samlProviderArn, "cognito-identity.amazonaws.com"] },
];

const eventStreamBucketRoleAssumeRolePolicy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["sts:AssumeRole"],
        principals: trustedPrincipals,
    }],
});
import pulumi
import pulumi_aws as aws
# NOTE: var['trusted_role_arn'], var['account_id'] and var['provider_name'] are
# placeholders for stack configuration values; ``var`` is not defined here.
_saml_provider_arn = "arn:aws:iam::{}:saml-provider/{}".format(var["account_id"], var["provider_name"])


def _principal(kind, identifiers):
    """One principal entry of the given type."""
    return aws.iam.GetPolicyDocumentStatementPrincipalArgs(type=kind, identifiers=identifiers)


# Review: the trust statement below carries no conditions, so each principal is
# trusted unconditionally. For cognito-identity.amazonaws.com a
# cognito-identity.amazonaws.com:aud condition, and for the Firehose service
# principal aws:SourceAccount / aws:SourceArn, would pin the trust to a specific
# identity pool / delivery stream -- confirm against the intended trust boundary.
_trusted_principals = [
    _principal("Service", ["firehose.amazonaws.com"]),
    _principal("AWS", [var["trusted_role_arn"]]),
    _principal("Federated", [_saml_provider_arn, "cognito-identity.amazonaws.com"]),
]

event_stream_bucket_role_assume_role_policy = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["sts:AssumeRole"],
            principals=_trusted_principals,
        )
    ]
)
variables:
  eventStreamBucketRoleAssumeRolePolicy:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          # Review: this trust statement carries no conditions, so each
          # principal is trusted unconditionally. For
          # cognito-identity.amazonaws.com a cognito-identity.amazonaws.com:aud
          # condition, and for the Firehose service principal
          # aws:SourceAccount / aws:SourceArn, would pin the trust to a specific
          # identity pool / delivery stream -- confirm against the intended
          # trust boundary.
          - actions:
              - sts:AssumeRole
            principals:
              - type: Service
                identifiers:
                  - firehose.amazonaws.com
              - type: AWS
                identifiers:
                  # ${var.*} are Pulumi interpolations of stack configuration.
                  - ${var.trusted_role_arn}
              - type: Federated
                identifiers:
                  - arn:aws:iam::${var.account_id}:saml-provider/${var.provider_name}
                  - cognito-identity.amazonaws.com
Example Using A Source Document
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // A small helper so each statement reads as one line.
    Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs Allow(string? sid, string action, params string[] resources) =>
        new() { Sid = sid, Actions = new[] { action }, Resources = resources };

    // The source document: an unnamed ec2 statement plus one with a Sid that the
    // second document re-declares.
    var source = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            Allow(null, "ec2:*", "*"),
            Allow("SidToOverride", "s3:*", "*"),
        },
    });

    // The statement with Sid "SidToOverride" here is intended to take the place
    // of the same-Sid statement carried in from the source document; the page's
    // rendered result did not survive, so confirm the merge rule against the
    // argument reference.
    var sourceDocumentExample = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        SourcePolicyDocuments = new[]
        {
            source.Apply(result => result.Json),
        },
        Statements = new[]
        {
            Allow("SidToOverride", "s3:*", "arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"),
        },
    });
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
)
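func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The source document: an unnamed ec2 statement plus one with a Sid that
		// the second document re-declares.
		source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions: []string{
						"ec2:*",
					},
					Resources: []string{
						"*",
					},
				},
				{
					Sid: pulumi.StringRef("SidToOverride"),
					Actions: []string{
						"s3:*",
					},
					Resources: []string{
						"*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// SourcePolicyDocuments is a []string; "interface{}{...}" is not a valid
		// composite literal and does not compile. The statement with Sid
		// "SidToOverride" here is intended to take the place of the same-Sid
		// statement carried in from the source document (confirm the merge rule
		// against the argument reference).
		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			SourcePolicyDocuments: []string{
				source.Json,
			},
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid: pulumi.StringRef("SidToOverride"),
					Actions: []string{
						"s3:*",
					},
					Resources: []string{
						"arn:aws:s3:::somebucket",
						"arn:aws:s3:::somebucket/*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}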
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
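public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Renders a source document, then a second document that merges it and re-declares one Sid. */
    public static void stack(Context ctx) {
        // The statement builder is referenced by fully-qualified name because
        // this listing's import block does not import it.
        final var source = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .actions("ec2:*")
                    .resources("*")
                    .build(),
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .sid("SidToOverride")
                    .actions("s3:*")
                    .resources("*")
                    .build())
            .build());

        // The statement with sid "SidToOverride" here is intended to take the
        // place of the same-sid statement carried in from the source document;
        // confirm the merge rule against the argument reference.
        final var sourceDocumentExample = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .sourcePolicyDocuments(source.applyValue(result -> result.json()))
            .statements(com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                .sid("SidToOverride")
                .actions("s3:*")
                .resources(
                    "arn:aws:s3:::somebucket",
                    "arn:aws:s3:::somebucket/*")
                .build())
            .build());
    }
}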
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// The source document: an unnamed ec2 statement plus one with a sid that the
// second document re-declares.
const sourceStatements = [
    { actions: ["ec2:*"], resources: ["*"] },
    { sid: "SidToOverride", actions: ["s3:*"], resources: ["*"] },
];
const source = aws.iam.getPolicyDocument({ statements: sourceStatements });

// The statement with sid "SidToOverride" here is intended to take the place of
// the same-sid statement carried in from the source document; confirm the merge
// rule against the argument reference.
const narrowedS3 = {
    sid: "SidToOverride",
    actions: ["s3:*"],
    resources: ["arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"],
};
const sourceDocumentExample = source.then(rendered => aws.iam.getPolicyDocument({
    sourcePolicyDocuments: [rendered.json],
    statements: [narrowedS3],
}));
import pulumi
import pulumi_aws as aws
# The source document: an unnamed ec2 statement plus one with a sid that the
# second document re-declares.
_source_statements = [
    aws.iam.GetPolicyDocumentStatementArgs(actions=["ec2:*"], resources=["*"]),
    aws.iam.GetPolicyDocumentStatementArgs(sid="SidToOverride", actions=["s3:*"], resources=["*"]),
]
source = aws.iam.get_policy_document(statements=_source_statements)

# The statement with sid "SidToOverride" here is intended to take the place of
# the same-sid statement carried in from the source document; confirm the merge
# rule against the argument reference.
_narrowed_s3 = aws.iam.GetPolicyDocumentStatementArgs(
    sid="SidToOverride",
    actions=["s3:*"],
    resources=["arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"],
)
source_document_example = aws.iam.get_policy_document(
    source_policy_documents=[source.json],
    statements=[_narrowed_s3],
)
variables:
  # The source document: an unnamed ec2 statement plus one with a sid that the
  # second document re-declares.
  source:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - actions:
              - ec2:*
            resources:
              - '*'
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - '*'
  # The statement with sid SidToOverride here is intended to take the place of
  # the same-sid statement carried in from the source document; confirm the
  # merge rule against the argument reference.
  sourceDocumentExample:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        sourcePolicyDocuments:
          - ${source.json}
        statements:
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - arn:aws:s3:::somebucket
              - arn:aws:s3:::somebucket/*
will evaluate to
using System.Collections.Generic;
using System.Linq;
using Pulumi;
return await Deployment.RunAsync(() =>
{
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
}
}
import * as pulumi from "@pulumi/pulumi";
import pulumi
{}
Example Using An Override Document
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var @override = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Sid = "SidToOverride",
Actions = new[]
{
"s3:*",
},
Resources = new[]
{
"*",
},
},
},
});
var overridePolicyDocumentExample = Aws.Iam.GetPolicyDocument.Invoke(new()
{
OverridePolicyDocuments = new[]
{
@override.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
},
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Actions = new[]
{
"ec2:*",
},
Resources = new[]
{
"*",
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Sid = "SidToOverride",
Actions = new[]
{
"s3:*",
},
Resources = new[]
{
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*",
},
},
},
});
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
)
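func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The override document carries only the Sid it intends to replace.
		override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid: pulumi.StringRef("SidToOverride"),
					Actions: []string{
						"s3:*",
					},
					Resources: []string{
						"*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// OverridePolicyDocuments is a []string; "interface{}{...}" is not a
		// valid composite literal and does not compile. The same-Sid statement
		// from the override document is intended to win over the inline one
		// (confirm the merge rule against the argument reference).
		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			OverridePolicyDocuments: []string{
				override.Json,
			},
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions: []string{
						"ec2:*",
					},
					Resources: []string{
						"*",
					},
				},
				{
					Sid: pulumi.StringRef("SidToOverride"),
					Actions: []string{
						"s3:*",
					},
					Resources: []string{
						"arn:aws:s3:::somebucket",
						"arn:aws:s3:::somebucket/*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}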
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
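public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Renders an override document, then a second document whose same-sid statement it replaces. */
    public static void stack(Context ctx) {
        // The statement builder is referenced by fully-qualified name because
        // this listing's import block does not import it.
        // The override document carries only the sid it intends to replace.
        final var override = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                .sid("SidToOverride")
                .actions("s3:*")
                .resources("*")
                .build())
            .build());

        // The same-sid statement from the override document is intended to win
        // over the inline one; confirm the merge rule against the argument
        // reference.
        final var overridePolicyDocumentExample = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .overridePolicyDocuments(override.applyValue(result -> result.json()))
            .statements(
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .actions("ec2:*")
                    .resources("*")
                    .build(),
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .sid("SidToOverride")
                    .actions("s3:*")
                    .resources(
                        "arn:aws:s3:::somebucket",
                        "arn:aws:s3:::somebucket/*")
                    .build())
            .build());
    }
}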
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// The override document carries only the sid it intends to replace.
const overrideDoc = aws.iam.getPolicyDocument({
    statements: [{ sid: "SidToOverride", actions: ["s3:*"], resources: ["*"] }],
});

// The same-sid statement from the override document is intended to win over
// the inline one; confirm the merge rule against the argument reference.
const inlineStatements = [
    { actions: ["ec2:*"], resources: ["*"] },
    {
        sid: "SidToOverride",
        actions: ["s3:*"],
        resources: ["arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"],
    },
];
const overridePolicyDocumentExample = overrideDoc.then(rendered => aws.iam.getPolicyDocument({
    overridePolicyDocuments: [rendered.json],
    statements: inlineStatements,
}));
import pulumi
import pulumi_aws as aws
# The override document carries only the sid it intends to replace.
override = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(sid="SidToOverride", actions=["s3:*"], resources=["*"]),
    ]
)

# The same-sid statement from the override document is intended to win over
# the inline one; confirm the merge rule against the argument reference.
_inline_statements = [
    aws.iam.GetPolicyDocumentStatementArgs(actions=["ec2:*"], resources=["*"]),
    aws.iam.GetPolicyDocumentStatementArgs(
        sid="SidToOverride",
        actions=["s3:*"],
        resources=["arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*"],
    ),
]
override_policy_document_example = aws.iam.get_policy_document(
    override_policy_documents=[override.json],
    statements=_inline_statements,
)
variables:
  # The override document carries only the sid it intends to replace.
  override:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - '*'
  # The same-sid statement from the override document is intended to win over
  # the inline one; confirm the merge rule against the argument reference.
  overridePolicyDocumentExample:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        overridePolicyDocuments:
          - ${override.json}
        statements:
          - actions:
              - ec2:*
            resources:
              - '*'
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - arn:aws:s3:::somebucket
              - arn:aws:s3:::somebucket/*
will evaluate to
using System.Collections.Generic;
using System.Linq;
using Pulumi;
return await Deployment.RunAsync(() =>
{
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
}
}
import * as pulumi from "@pulumi/pulumi";
import pulumi
{}
Example with Both Source and Override Documents
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Both documents declare the same Sid so that one can replace the other.
    Aws.Iam.GetPolicyDocument.Invoke(new()
    {
    });
    Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs Placeholder(string action) =>
        new() { Sid = "OverridePlaceholder", Actions = new[] { action }, Resources = new[] { "*" } };

    var source = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { Placeholder("ec2:DescribeAccountAttributes") },
    });

    var overrideDoc = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { Placeholder("s3:GetObject") },
    });

    // No inline statements: the result is the source merged with the override,
    // where the override's same-Sid statement is intended to win (the page's
    // rendered result did not survive, so confirm the merge rule against the
    // argument reference).
    var politik = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        SourcePolicyDocuments = new[] { source.Apply(result => result.Json) },
        OverridePolicyDocuments = new[] { overrideDoc.Apply(result => result.Json) },
    });
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
)
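func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Both documents declare the same Sid so that one can replace the other.
		source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid: pulumi.StringRef("OverridePlaceholder"),
					Actions: []string{
						"ec2:DescribeAccountAttributes",
					},
					Resources: []string{
						"*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid: pulumi.StringRef("OverridePlaceholder"),
					Actions: []string{
						"s3:GetObject",
					},
					Resources: []string{
						"*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// Both document lists are []string; "interface{}{...}" is not a valid
		// composite literal and does not compile. With no inline statements the
		// result is the source merged with the override, where the override's
		// same-Sid statement is intended to win (confirm the merge rule against
		// the argument reference).
		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			SourcePolicyDocuments: []string{
				source.Json,
			},
			OverridePolicyDocuments: []string{
				override.Json,
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}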
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
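public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Renders a source and an override document sharing one sid, then merges them. */
    public static void stack(Context ctx) {
        // Both documents declare the same sid so that one can replace the other.
        final var source = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(placeholder("ec2:DescribeAccountAttributes"))
            .build());
        final var override = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(placeholder("s3:GetObject"))
            .build());

        // No inline statements: the result is the source merged with the
        // override, where the override's same-sid statement is intended to win
        // (confirm the merge rule against the argument reference).
        final var politik = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .sourcePolicyDocuments(source.applyValue(result -> result.json()))
            .overridePolicyDocuments(override.applyValue(result -> result.json()))
            .build());
    }

    /**
     * One "OverridePlaceholder" statement allowing a single action on "*".
     * The builder is referenced by fully-qualified name because this listing's
     * import block does not import it.
     */
    private static com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs placeholder(String action) {
        return com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
            .sid("OverridePlaceholder")
            .actions(action)
            .resources("*")
            .build();
    }
}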
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Both documents declare the same sid so that one can replace the other.
const placeholder = (action: string) => ({
    sid: "OverridePlaceholder",
    actions: [action],
    resources: ["*"],
});

const source = aws.iam.getPolicyDocument({
    statements: [placeholder("ec2:DescribeAccountAttributes")],
});
const overrideDoc = aws.iam.getPolicyDocument({
    statements: [placeholder("s3:GetObject")],
});

// No inline statements: the result is the source merged with the override,
// where the override's same-sid statement is intended to win (confirm the merge
// rule against the argument reference).
const politik = Promise.all([source, overrideDoc]).then(([renderedSource, renderedOverride]) => aws.iam.getPolicyDocument({
    sourcePolicyDocuments: [renderedSource.json],
    overridePolicyDocuments: [renderedOverride.json],
}));
import pulumi
import pulumi_aws as aws
def _placeholder(action):
    """One "OverridePlaceholder" statement allowing a single action on "*"."""
    return aws.iam.GetPolicyDocumentStatementArgs(
        sid="OverridePlaceholder",
        actions=[action],
        resources=["*"],
    )


# Both documents declare the same sid so that one can replace the other.
source = aws.iam.get_policy_document(statements=[_placeholder("ec2:DescribeAccountAttributes")])
override = aws.iam.get_policy_document(statements=[_placeholder("s3:GetObject")])

# No inline statements: the result is the source merged with the override,
# where the override's same-sid statement is intended to win (confirm the merge
# rule against the argument reference).
politik = aws.iam.get_policy_document(
    source_policy_documents=[source.json],
    override_policy_documents=[override.json],
)
variables:
  # Both documents declare the same sid so that one can replace the other.
  source:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: OverridePlaceholder
            actions:
              - ec2:DescribeAccountAttributes
            resources:
              - '*'
  override:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: OverridePlaceholder
            actions:
              - s3:GetObject
            resources:
              - '*'
  # No inline statements: the result is the source merged with the override,
  # where the override's same-sid statement is intended to win (confirm the
  # merge rule against the argument reference).
  politik:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        sourcePolicyDocuments:
          - ${source.json}
        overridePolicyDocuments:
          - ${override.json}
will evaluate to
using System.Collections.Generic;
using System.Linq;
using Pulumi;
// Placeholder: the merged policy document this example "will evaluate to" is
// not rendered on this page, so the program body is empty.
return await Deployment.RunAsync(() =>
{
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main is a placeholder: the merged policy JSON this example is meant to show
// is not rendered on this page, so the program does nothing.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
// Placeholder program: the evaluated policy document is not rendered on this
// page, so stack() is intentionally empty.
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
    }
}
import * as pulumi from "@pulumi/pulumi";
import pulumi
{}
Example of Merging Source Documents
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Two independent source documents, merged into `combined`. One statement in
// each document carries a unique sid; the other has no sid at all. Source
// documents must not repeat a sid between them.
return await Deployment.RunAsync(() =>
{
    // Name each statement first, then assemble the documents from those names.
    var ec2All = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Actions = new[] { "ec2:*" },
        Resources = new[] { "*" },
    };
    var s3All = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "UniqueSidOne",
        Actions = new[] { "s3:*" },
        Resources = new[] { "*" },
    };
    var iamAll = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "UniqueSidTwo",
        Actions = new[] { "iam:*" },
        Resources = new[] { "*" },
    };
    var lambdaAll = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Actions = new[] { "lambda:*" },
        Resources = new[] { "*" },
    };

    var sourceOne = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { ec2All, s3All },
    });
    var sourceTwo = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { iamAll, lambdaAll },
    });

    // Merge both JSON documents; sourceTwo comes later in the list.
    var combined = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        SourcePolicyDocuments = new[]
        {
            sourceOne.Apply(r => r.Json),
            sourceTwo.Apply(r => r.Json),
        },
    });
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
)
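// main builds two independent policy documents and merges them into a third.
// One statement per document has a unique sid, the other has none. The merged
// result is discarded (assigned to _); a real program would pass its Json to a
// policy resource.
//
// Two fixes relative to the generated listing: sourceTwo's Statements is a
// []iam.GetPolicyDocumentStatement (as for sourceOne) rather than a
// pulumi.Array, and SourcePolicyDocuments is a []string — `interface{}{...}`
// is not a valid Go composite literal. No invoke options are needed, so the
// variadic opts argument is left empty.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		sourceOne, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions:   []string{"ec2:*"},
					Resources: []string{"*"},
				},
				{
					Sid:       pulumi.StringRef("UniqueSidOne"),
					Actions:   []string{"s3:*"},
					Resources: []string{"*"},
				},
			},
		})
		if err != nil {
			return err
		}
		sourceTwo, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       pulumi.StringRef("UniqueSidTwo"),
					Actions:   []string{"iam:*"},
					Resources: []string{"*"},
				},
				{
					Actions:   []string{"lambda:*"},
					Resources: []string{"*"},
				},
			},
		})
		if err != nil {
			return err
		}
		// Merge both JSON documents; sourceTwo comes later in the list.
		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			SourcePolicyDocuments: []string{
				sourceOne.Json,
				sourceTwo.Json,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}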
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
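/**
 * Builds two independent source policy documents and merges them into a third.
 *
 * The generated listing referenced {@code GetPolicyDocumentStatementArgs} without
 * importing it; the fully qualified name is used here so the class compiles with
 * the import list as shown on the page.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares sourceOne and sourceTwo (one uniquely-sid'd statement each, plus one
     * without a sid) and a combined document built from both JSON results.
     *
     * @param ctx the Pulumi program context (unused directly; invokes are made via IamFunctions)
     */
    public static void stack(Context ctx) {
        final var sourceOne = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .actions("ec2:*")
                    .resources("*")
                    .build(),
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .sid("UniqueSidOne")
                    .actions("s3:*")
                    .resources("*")
                    .build())
            .build());

        final var sourceTwo = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .sid("UniqueSidTwo")
                    .actions("iam:*")
                    .resources("*")
                    .build(),
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .actions("lambda:*")
                    .resources("*")
                    .build())
            .build());

        // NOTE(review): this passes Output<String> values to sourcePolicyDocuments,
        // which relies on a matching builder overload — confirm against the installed SDK.
        final var combined = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .sourcePolicyDocuments(
                sourceOne.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()),
                sourceTwo.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
    }
}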
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// A statement allowing `actions` on every resource. `sid` is optional: two of
// the four statements below have none. Source documents must not share a sid.
const anyResource = (actions: string[], sid?: string) => ({
    ...(sid === undefined ? {} : { sid }),
    actions,
    resources: ["*"],
});

const sourceOne = aws.iam.getPolicyDocument({
    statements: [
        anyResource(["ec2:*"]),
        anyResource(["s3:*"], "UniqueSidOne"),
    ],
});
const sourceTwo = aws.iam.getPolicyDocument({
    statements: [
        anyResource(["iam:*"], "UniqueSidTwo"),
        anyResource(["lambda:*"]),
    ],
});

// Merge both JSON documents once both invokes have resolved.
const combined = Promise.all([sourceOne, sourceTwo]).then(([one, two]) =>
    aws.iam.getPolicyDocument({
        sourcePolicyDocuments: [one.json, two.json],
    }));
import pulumi
import pulumi_aws as aws
def _any_resource(actions: list[str], sid: str | None = None) -> aws.iam.GetPolicyDocumentStatementArgs:
    """One statement allowing `actions` on every resource, optionally tagged with a sid."""
    return aws.iam.GetPolicyDocumentStatementArgs(
        sid=sid,
        actions=actions,
        resources=["*"],
    )


# Two independent source documents; one statement in each has a unique sid,
# the other has none. Source documents must not share a sid between them.
source_one = aws.iam.get_policy_document(statements=[
    _any_resource(["ec2:*"]),
    _any_resource(["s3:*"], sid="UniqueSidOne"),
])
source_two = aws.iam.get_policy_document(statements=[
    _any_resource(["iam:*"], sid="UniqueSidTwo"),
    _any_resource(["lambda:*"]),
])
# Merge both JSON documents; source_two comes later in the list.
combined = aws.iam.get_policy_document(
    source_policy_documents=[source_one.json, source_two.json])
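# Indentation restored: as extracted, every key sat at column 0, which is not
# the nested structure a Pulumi YAML program needs.
# Wildcard actions/resources keep the example short; they are not a
# least-privilege pattern.
variables:
  # First source document: one statement without a sid, one with "UniqueSidOne".
  sourceOne:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - actions:
              - ec2:*
            resources:
              - '*'
          - sid: UniqueSidOne
            actions:
              - s3:*
            resources:
              - '*'
  # Second source document. Sids must be unique across all source documents.
  sourceTwo:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: UniqueSidTwo
            actions:
              - iam:*
            resources:
              - '*'
          - actions:
              - lambda:*
            resources:
              - '*'
  # Merged document: both JSON results, sourceTwo later in the list.
  combined:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        sourcePolicyDocuments:
          - ${sourceOne.json}
          - ${sourceTwo.json}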
will evaluate to
using System.Collections.Generic;
using System.Linq;
using Pulumi;
// Placeholder: the merged policy document this example "will evaluate to" is
// not rendered on this page, so the program body is empty.
return await Deployment.RunAsync(() =>
{
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main is a placeholder: the merged policy JSON this example is meant to show
// is not rendered on this page, so the program does nothing.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
// Placeholder program: the evaluated policy document is not rendered on this
// page, so stack() is intentionally empty.
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
    }
}
import * as pulumi from "@pulumi/pulumi";
import pulumi
{}
Example of Merging Override Documents
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Three override documents plus one inline statement, merged into `combined`.
// policyOne and policyThree reuse the sid "OverridePlaceHolderOne"; since
// policyThree comes later in OverridePolicyDocuments, its Deny statement
// replaces policyOne's Allow statement with that sid.
return await Deployment.RunAsync(() =>
{
    // Name each statement first, then assemble the documents from those names.
    var allowS3One = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "OverridePlaceHolderOne",
        Effect = "Allow",
        Actions = new[] { "s3:*" },
        Resources = new[] { "*" },
    };
    var allowEc2 = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Actions = new[] { "ec2:*" },
        Resources = new[] { "*" },
    };
    var allowIamTwo = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "OverridePlaceHolderTwo",
        Effect = "Allow",
        Actions = new[] { "iam:*" },
        Resources = new[] { "*" },
    };
    var denyLogsOne = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "OverridePlaceHolderOne",
        Effect = "Deny",
        Actions = new[] { "logs:*" },
        Resources = new[] { "*" },
    };
    var denyAllTwo = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "OverridePlaceHolderTwo",
        Effect = "Deny",
        Actions = new[] { "*" },
        Resources = new[] { "*" },
    };

    var policyOne = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { allowS3One },
    });
    var policyTwo = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { allowEc2, allowIamTwo },
    });
    var policyThree = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { denyLogsOne },
    });

    var combined = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        OverridePolicyDocuments = new[]
        {
            policyOne.Apply(r => r.Json),
            policyTwo.Apply(r => r.Json),
            policyThree.Apply(r => r.Json),
        },
        Statements = new[] { denyAllTwo },
    });
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
)
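// main builds three override documents and merges them, together with one
// inline statement, into a fourth document whose result is discarded (_).
// policyOne and policyThree both use the sid "OverridePlaceHolderOne"; the
// later document in OverridePolicyDocuments wins for that sid.
//
// Fix relative to the generated listing: OverridePolicyDocuments is a
// []string — `interface{}{...}` is not a valid Go composite literal. No invoke
// options are needed, so the variadic opts argument is left empty.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		policyOne, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       pulumi.StringRef("OverridePlaceHolderOne"),
					Effect:    pulumi.StringRef("Allow"),
					Actions:   []string{"s3:*"},
					Resources: []string{"*"},
				},
			},
		})
		if err != nil {
			return err
		}
		policyTwo, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Effect:    pulumi.StringRef("Allow"),
					Actions:   []string{"ec2:*"},
					Resources: []string{"*"},
				},
				{
					Sid:       pulumi.StringRef("OverridePlaceHolderTwo"),
					Effect:    pulumi.StringRef("Allow"),
					Actions:   []string{"iam:*"},
					Resources: []string{"*"},
				},
			},
		})
		if err != nil {
			return err
		}
		policyThree, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       pulumi.StringRef("OverridePlaceHolderOne"),
					Effect:    pulumi.StringRef("Deny"),
					Actions:   []string{"logs:*"},
					Resources: []string{"*"},
				},
			},
		})
		if err != nil {
			return err
		}
		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			OverridePolicyDocuments: []string{
				policyOne.Json,
				policyTwo.Json,
				policyThree.Json,
			},
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       pulumi.StringRef("OverridePlaceHolderTwo"),
					Effect:    pulumi.StringRef("Deny"),
					Actions:   []string{"*"},
					Resources: []string{"*"},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}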
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
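/**
 * Builds three override policy documents and merges them, together with one
 * inline statement, into {@code combined}.
 *
 * The generated listing referenced {@code GetPolicyDocumentStatementArgs} without
 * importing it; the fully qualified name is used here so the class compiles with
 * the import list as shown on the page.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * policyOne and policyThree both use the sid "OverridePlaceHolderOne"; the
     * later document in overridePolicyDocuments wins for that sid.
     *
     * @param ctx the Pulumi program context (unused directly; invokes are made via IamFunctions)
     */
    public static void stack(Context ctx) {
        final var policyOne = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderOne")
                .effect("Allow")
                .actions("s3:*")
                .resources("*")
                .build())
            .build());

        final var policyTwo = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .actions("ec2:*")
                    .resources("*")
                    .build(),
                com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                    .sid("OverridePlaceHolderTwo")
                    .effect("Allow")
                    .actions("iam:*")
                    .resources("*")
                    .build())
            .build());

        final var policyThree = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderOne")
                .effect("Deny")
                .actions("logs:*")
                .resources("*")
                .build())
            .build());

        // NOTE(review): this passes Output<String> values to overridePolicyDocuments,
        // which relies on a matching builder overload — confirm against the installed SDK.
        final var combined = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .overridePolicyDocuments(
                policyOne.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()),
                policyTwo.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()),
                policyThree.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .statements(com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderTwo")
                .effect("Deny")
                .actions("*")
                .resources("*")
                .build())
            .build());
    }
}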
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Every statement in this example spans all resources; only the effect, the
// actions and (optionally) the sid vary.
const statement = (effect: string, actions: string[], sid?: string) => ({
    ...(sid === undefined ? {} : { sid }),
    effect,
    actions,
    resources: ["*"],
});

const policyOne = aws.iam.getPolicyDocument({
    statements: [statement("Allow", ["s3:*"], "OverridePlaceHolderOne")],
});
const policyTwo = aws.iam.getPolicyDocument({
    statements: [
        statement("Allow", ["ec2:*"]),
        statement("Allow", ["iam:*"], "OverridePlaceHolderTwo"),
    ],
});
// Reuses policyOne's sid; being later in overridePolicyDocuments, this Deny
// replaces policyOne's Allow for "OverridePlaceHolderOne".
const policyThree = aws.iam.getPolicyDocument({
    statements: [statement("Deny", ["logs:*"], "OverridePlaceHolderOne")],
});

const combined = Promise.all([policyOne, policyTwo, policyThree]).then(([one, two, three]) =>
    aws.iam.getPolicyDocument({
        overridePolicyDocuments: [one.json, two.json, three.json],
        statements: [statement("Deny", ["*"], "OverridePlaceHolderTwo")],
    }));
import pulumi
import pulumi_aws as aws
def _statement(effect: str, actions: list[str], sid: str | None = None) -> aws.iam.GetPolicyDocumentStatementArgs:
    """One statement with the given effect over every resource, optionally tagged with a sid."""
    return aws.iam.GetPolicyDocumentStatementArgs(
        sid=sid,
        effect=effect,
        actions=actions,
        resources=["*"],
    )


policy_one = aws.iam.get_policy_document(
    statements=[_statement("Allow", ["s3:*"], sid="OverridePlaceHolderOne")])
policy_two = aws.iam.get_policy_document(statements=[
    _statement("Allow", ["ec2:*"]),
    _statement("Allow", ["iam:*"], sid="OverridePlaceHolderTwo"),
])
# Reuses policy_one's sid; being later in override_policy_documents, this Deny
# replaces policy_one's Allow for "OverridePlaceHolderOne".
policy_three = aws.iam.get_policy_document(
    statements=[_statement("Deny", ["logs:*"], sid="OverridePlaceHolderOne")])
combined = aws.iam.get_policy_document(
    override_policy_documents=[policy_one.json, policy_two.json, policy_three.json],
    statements=[_statement("Deny", ["*"], sid="OverridePlaceHolderTwo")],
)
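# Indentation restored: as extracted, every key sat at column 0, which is not
# the nested structure a Pulumi YAML program needs.
# Wildcard actions/resources keep the example short; they are not a
# least-privilege pattern.
variables:
  policyOne:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: OverridePlaceHolderOne
            effect: Allow
            actions:
              - s3:*
            resources:
              - '*'
  policyTwo:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            actions:
              - ec2:*
            resources:
              - '*'
          - sid: OverridePlaceHolderTwo
            effect: Allow
            actions:
              - iam:*
            resources:
              - '*'
  # Reuses policyOne's sid; being later in overridePolicyDocuments, this Deny
  # replaces policyOne's Allow for OverridePlaceHolderOne.
  policyThree:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - sid: OverridePlaceHolderOne
            effect: Deny
            actions:
              - logs:*
            resources:
              - '*'
  # NOTE(review): the inline statement below shares sid OverridePlaceHolderTwo
  # with policyTwo; the argument docs on this page do not spell out which one
  # wins, and the evaluated output is not rendered here.
  combined:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        overridePolicyDocuments:
          - ${policyOne.json}
          - ${policyTwo.json}
          - ${policyThree.json}
        statements:
          - sid: OverridePlaceHolderTwo
            effect: Deny
            actions:
              - '*'
            resources:
              - '*'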
will evaluate to
using System.Collections.Generic;
using System.Linq;
using Pulumi;
// Placeholder: the merged policy document this example "will evaluate to" is
// not rendered on this page, so the program body is empty.
return await Deployment.RunAsync(() =>
{
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main is a placeholder: the merged policy JSON this example is meant to show
// is not rendered on this page, so the program does nothing.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
// Placeholder program: the evaluated policy document is not rendered on this
// page, so stack() is intentionally empty.
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
    }
}
import * as pulumi from "@pulumi/pulumi";
import pulumi
{}
Using getPolicyDocument
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
function getPolicyDocumentOutput(args: GetPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetPolicyDocumentResult>
def get_policy_document(override_json: Optional[str] = None,
override_policy_documents: Optional[Sequence[str]] = None,
policy_id: Optional[str] = None,
source_json: Optional[str] = None,
source_policy_documents: Optional[Sequence[str]] = None,
statements: Optional[Sequence[GetPolicyDocumentStatement]] = None,
version: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
def get_policy_document_output(override_json: Optional[pulumi.Input[str]] = None,
override_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
policy_id: Optional[pulumi.Input[str]] = None,
source_json: Optional[pulumi.Input[str]] = None,
source_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
statements: Optional[pulumi.Input[Sequence[pulumi.Input[GetPolicyDocumentStatementArgs]]]] = None,
version: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetPolicyDocumentResult]
func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)
func GetPolicyDocumentOutput(ctx *Context, args *GetPolicyDocumentOutputArgs, opts ...InvokeOption) GetPolicyDocumentResultOutput
> Note: This function is named GetPolicyDocument in the Go SDK.
public static class GetPolicyDocument
{
public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
public static Output<GetPolicyDocumentResult> Invoke(GetPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
public static Output<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
fn::invoke:
function: aws:iam/getPolicyDocument:getPolicyDocument
arguments:
# arguments dictionary

The following arguments are supported:
- `OverrideJson` (string) — IAM policy document whose statements with non-blank `sid`s override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents` and `override_policy_documents` arguments. Non-overriding statements are added to the exported document.
  NOTE: Statements without a `sid` cannot be overridden. A statement without a `sid` from documents assigned to `source_json` or `source_policy_documents` is carried into the exported document unchanged, even when `override_json` or `override_policy_documents` contain a statement intended to replace it. Give every statement you may later need to tighten or replace a `sid`, and review the rendered `json` output rather than assuming an override took effect.
- `OverridePolicyDocuments` (List<string>) — List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s override statements with the same `sid` from earlier documents in the list, and also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements are added to the exported document.
- `PolicyId` (string) — ID for the policy document.
- `SourceJson` (string) — IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `SourcePolicyDocuments` (List<string>) — List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `Statements` (List<GetPolicyDocumentStatement>) — Configuration block for a policy statement. Detailed below.
- `Version` (string) — IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. Policy variables such as `${aws:username}` are only interpolated under `2012-10-17`; under `2008-10-17` they are treated as literal text, so keep the default unless you specifically need the older version. For more information, see the AWS IAM User Guide.
- `OverrideJson` (string) — IAM policy document whose statements with non-blank `sid`s override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents` and `override_policy_documents` arguments. Non-overriding statements are added to the exported document.
  NOTE: Statements without a `sid` cannot be overridden. A statement without a `sid` from documents assigned to `source_json` or `source_policy_documents` is carried into the exported document unchanged, even when `override_json` or `override_policy_documents` contain a statement intended to replace it. Give every statement you may later need to tighten or replace a `sid`, and review the rendered `json` output rather than assuming an override took effect.
- `OverridePolicyDocuments` ([]string) — List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s override statements with the same `sid` from earlier documents in the list, and also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements are added to the exported document.
- `PolicyId` (string) — ID for the policy document.
- `SourceJson` (string) — IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `SourcePolicyDocuments` ([]string) — List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `Statements` ([]GetPolicyDocumentStatement) — Configuration block for a policy statement. Detailed below.
- `Version` (string) — IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. Policy variables such as `${aws:username}` are only interpolated under `2012-10-17`; under `2008-10-17` they are treated as literal text, so keep the default unless you specifically need the older version. For more information, see the AWS IAM User Guide.
- `overrideJson` (String) — IAM policy document whose statements with non-blank `sid`s override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents` and `override_policy_documents` arguments. Non-overriding statements are added to the exported document.
  NOTE: Statements without a `sid` cannot be overridden. A statement without a `sid` from documents assigned to `source_json` or `source_policy_documents` is carried into the exported document unchanged, even when `override_json` or `override_policy_documents` contain a statement intended to replace it. Give every statement you may later need to tighten or replace a `sid`, and review the rendered `json` output rather than assuming an override took effect.
- `overridePolicyDocuments` (List<String>) — List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s override statements with the same `sid` from earlier documents in the list, and also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements are added to the exported document.
- `policyId` (String) — ID for the policy document.
- `sourceJson` (String) — IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `sourcePolicyDocuments` (List<String>) — List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `statements` (List<GetPolicyDocumentStatement>) — Configuration block for a policy statement. Detailed below.
- `version` (String) — IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. Policy variables such as `${aws:username}` are only interpolated under `2012-10-17`; under `2008-10-17` they are treated as literal text, so keep the default unless you specifically need the older version. For more information, see the AWS IAM User Guide.
- `overrideJson` (string) — IAM policy document whose statements with non-blank `sid`s override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents` and `override_policy_documents` arguments. Non-overriding statements are added to the exported document.
  NOTE: Statements without a `sid` cannot be overridden. A statement without a `sid` from documents assigned to `source_json` or `source_policy_documents` is carried into the exported document unchanged, even when `override_json` or `override_policy_documents` contain a statement intended to replace it. Give every statement you may later need to tighten or replace a `sid`, and review the rendered `json` output rather than assuming an override took effect.
- `overridePolicyDocuments` (string[]) — List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s override statements with the same `sid` from earlier documents in the list, and also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements are added to the exported document.
- `policyId` (string) — ID for the policy document.
- `sourceJson` (string) — IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `sourcePolicyDocuments` (string[]) — List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `statements` (GetPolicyDocumentStatement[]) — Configuration block for a policy statement. Detailed below.
- `version` (string) — IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. Policy variables such as `${aws:username}` are only interpolated under `2012-10-17`; under `2008-10-17` they are treated as literal text, so keep the default unless you specifically need the older version. For more information, see the AWS IAM User Guide.
- `override_json` (str) — IAM policy document whose statements with non-blank `sid`s override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents` and `override_policy_documents` arguments. Non-overriding statements are added to the exported document.
  NOTE: Statements without a `sid` cannot be overridden. A statement without a `sid` from documents assigned to `source_json` or `source_policy_documents` is carried into the exported document unchanged, even when `override_json` or `override_policy_documents` contain a statement intended to replace it. Give every statement you may later need to tighten or replace a `sid`, and review the rendered `json` output rather than assuming an override took effect.
- `override_policy_documents` (Sequence[str]) — List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s override statements with the same `sid` from earlier documents in the list, and also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements are added to the exported document.
- `policy_id` (str) — ID for the policy document.
- `source_json` (str) — IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `source_policy_documents` (Sequence[str]) — List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `statements` (Sequence[GetPolicyDocumentStatement]) — Configuration block for a policy statement. Detailed below.
- `version` (str) — IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. Policy variables such as `${aws:username}` are only interpolated under `2012-10-17`; under `2008-10-17` they are treated as literal text, so keep the default unless you specifically need the older version. For more information, see the AWS IAM User Guide.
- `overrideJson` (String) — IAM policy document whose statements with non-blank `sid`s override statements with the same `sid` from documents assigned to the `source_json`, `source_policy_documents` and `override_policy_documents` arguments. Non-overriding statements are added to the exported document.
  NOTE: Statements without a `sid` cannot be overridden. A statement without a `sid` from documents assigned to `source_json` or `source_policy_documents` is carried into the exported document unchanged, even when `override_json` or `override_policy_documents` contain a statement intended to replace it. Give every statement you may later need to tighten or replace a `sid`, and review the rendered `json` output rather than assuming an override took effect.
- `overridePolicyDocuments` (List<String>) — List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s override statements with the same `sid` from earlier documents in the list, and also override statements with the same `sid` from documents provided in the `source_json` and `source_policy_documents` arguments. Non-overriding statements are added to the exported document.
- `policyId` (String) — ID for the policy document.
- `sourceJson` (String) — IAM policy document used as a base for the exported policy document. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `sourcePolicyDocuments` (List<String>) — List of IAM policy documents that are merged together into the exported document. Statements defined in `source_policy_documents` or `source_json` must have unique `sid`s. Statements with the same `sid` from documents assigned to the `override_json` and `override_policy_documents` arguments override source statements.
- `statements` (List<Property Map>) — Configuration block for a policy statement. Detailed below.
- `version` (String) — IAM policy document version. Valid values are `2008-10-17` and `2012-10-17`. Defaults to `2012-10-17`. Policy variables such as `${aws:username}` are only interpolated under `2012-10-17`; under `2008-10-17` they are treated as literal text, so keep the default unless you specifically need the older version. For more information, see the AWS IAM User Guide.
getPolicyDocument Result
The following output properties are available:
- Id string
- The provider-assigned unique ID for this managed resource.
- Json string
- Standard JSON policy document rendered based on the arguments above.
- Override
Json string - Override
Policy List<string>Documents - Policy
Id string - Source
Json string - Source
Policy List<string>Documents - Statements
List<Get
Policy Document Statement> - Version string
- Id string
- The provider-assigned unique ID for this managed resource.
- Json string
- Standard JSON policy document rendered based on the arguments above.
- Override
Json string - Override
Policy []stringDocuments - Policy
Id string - Source
Json string - Source
Policy []stringDocuments - Statements
[]Get
Policy Document Statement - Version string
- id String
- The provider-assigned unique ID for this managed resource.
- json String
- Standard JSON policy document rendered based on the arguments above.
- override
Json String - override
Policy List<String>Documents - policy
Id String - source
Json String - source
Policy List<String>Documents - statements
List<Get
Policy Document Statement> - version String
- id string
- The provider-assigned unique ID for this managed resource.
- json string
- Standard JSON policy document rendered based on the arguments above.
- override
Json string - override
Policy string[]Documents - policy
Id string - source
Json string - source
Policy string[]Documents - statements
Get
Policy Document Statement[] - version string
- id str
- The provider-assigned unique ID for this managed resource.
- json str
- Standard JSON policy document rendered based on the arguments above.
- override_
json str - override_
policy_ Sequence[str]documents - policy_
id str - source_
json str - source_
policy_ Sequence[str]documents - statements
Sequence[Get
Policy Document Statement] - version str
- id String
- The provider-assigned unique ID for this managed resource.
- json String
- Standard JSON policy document rendered based on the arguments above.
- override
Json String - override
Policy List<String>Documents - policy
Id String - source
Json String - source
Policy List<String>Documents - statements List<Property Map>
- version String
Supporting Types
GetPolicyDocumentStatement
- `Actions` (List<string>) — List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- `Conditions` (List<GetPolicyDocumentStatementCondition>) — Configuration block for a condition. Detailed below.
- `Effect` (string) — Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`, so a statement that omits `effect` grants access. In IAM evaluation an explicit `Deny` takes precedence over any `Allow`.
- `NotActions` (List<string>) — List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed. Combined with an `Allow` effect this grants every other action, including actions the service adds later; it is safest with `Deny` or with a narrowing condition.
- `NotPrincipals` (List<GetPolicyDocumentStatementNotPrincipal>) — Like `principals` except these are principals that the statement does not apply to. With an `Allow` effect the statement then applies to every principal other than those listed, so it is normally used only with `Deny`.
- `NotResources` (List<string>) — List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`. The same breadth caveat as `not_actions` applies when the effect is `Allow`.
- `Principals` (List<GetPolicyDocumentStatementPrincipal>) — Configuration block for principals. Detailed below.
- `Resources` (List<string>) — List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- `Sid` (string) — Sid (statement ID) is an identifier for a policy statement. Only statements that carry a `sid` can be replaced by `override_json` or `override_policy_documents`; see the merge rules above.
- `Actions` ([]string) — List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- `Conditions` ([]GetPolicyDocumentStatementCondition) — Configuration block for a condition. Detailed below.
- `Effect` (string) — Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`, so a statement that omits `effect` grants access. In IAM evaluation an explicit `Deny` takes precedence over any `Allow`.
- `NotActions` ([]string) — List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed. Combined with an `Allow` effect this grants every other action, including actions the service adds later; it is safest with `Deny` or with a narrowing condition.
- `NotPrincipals` ([]GetPolicyDocumentStatementNotPrincipal) — Like `principals` except these are principals that the statement does not apply to. With an `Allow` effect the statement then applies to every principal other than those listed, so it is normally used only with `Deny`.
- `NotResources` ([]string) — List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`. The same breadth caveat as `not_actions` applies when the effect is `Allow`.
- `Principals` ([]GetPolicyDocumentStatementPrincipal) — Configuration block for principals. Detailed below.
- `Resources` ([]string) — List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- `Sid` (string) — Sid (statement ID) is an identifier for a policy statement. Only statements that carry a `sid` can be replaced by `override_json` or `override_policy_documents`; see the merge rules above.
- `actions` (List<String>) — List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- `conditions` (List<GetPolicyDocumentStatementCondition>) — Configuration block for a condition. Detailed below.
- `effect` (String) — Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`, so a statement that omits `effect` grants access. In IAM evaluation an explicit `Deny` takes precedence over any `Allow`.
- `notActions` (List<String>) — List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed. Combined with an `Allow` effect this grants every other action, including actions the service adds later; it is safest with `Deny` or with a narrowing condition.
- `notPrincipals` (List<GetPolicyDocumentStatementNotPrincipal>) — Like `principals` except these are principals that the statement does not apply to. With an `Allow` effect the statement then applies to every principal other than those listed, so it is normally used only with `Deny`.
- `notResources` (List<String>) — List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`. The same breadth caveat as `not_actions` applies when the effect is `Allow`.
- `principals` (List<GetPolicyDocumentStatementPrincipal>) — Configuration block for principals. Detailed below.
- `resources` (List<String>) — List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- `sid` (String) — Sid (statement ID) is an identifier for a policy statement. Only statements that carry a `sid` can be replaced by `override_json` or `override_policy_documents`; see the merge rules above.
- `actions` (string[]) — List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- `conditions` (GetPolicyDocumentStatementCondition[]) — Configuration block for a condition. Detailed below.
- `effect` (string) — Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`, so a statement that omits `effect` grants access. In IAM evaluation an explicit `Deny` takes precedence over any `Allow`.
- `notActions` (string[]) — List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed. Combined with an `Allow` effect this grants every other action, including actions the service adds later; it is safest with `Deny` or with a narrowing condition.
- `notPrincipals` (GetPolicyDocumentStatementNotPrincipal[]) — Like `principals` except these are principals that the statement does not apply to. With an `Allow` effect the statement then applies to every principal other than those listed, so it is normally used only with `Deny`.
- `notResources` (string[]) — List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`. The same breadth caveat as `not_actions` applies when the effect is `Allow`.
- `principals` (GetPolicyDocumentStatementPrincipal[]) — Configuration block for principals. Detailed below.
- `resources` (string[]) — List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- `sid` (string) — Sid (statement ID) is an identifier for a policy statement. Only statements that carry a `sid` can be replaced by `override_json` or `override_policy_documents`; see the merge rules above.
- `actions` (Sequence[str]) — List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- `conditions` (Sequence[GetPolicyDocumentStatementCondition]) — Configuration block for a condition. Detailed below.
- `effect` (str) — Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`, so a statement that omits `effect` grants access. In IAM evaluation an explicit `Deny` takes precedence over any `Allow`.
- `not_actions` (Sequence[str]) — List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed. Combined with an `Allow` effect this grants every other action, including actions the service adds later; it is safest with `Deny` or with a narrowing condition.
- `not_principals` (Sequence[GetPolicyDocumentStatementNotPrincipal]) — Like `principals` except these are principals that the statement does not apply to. With an `Allow` effect the statement then applies to every principal other than those listed, so it is normally used only with `Deny`.
- `not_resources` (Sequence[str]) — List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`. The same breadth caveat as `not_actions` applies when the effect is `Allow`.
- `principals` (Sequence[GetPolicyDocumentStatementPrincipal]) — Configuration block for principals. Detailed below.
- `resources` (Sequence[str]) — List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- `sid` (str) — Sid (statement ID) is an identifier for a policy statement. Only statements that carry a `sid` can be replaced by `override_json` or `override_policy_documents`; see the merge rules above.
- `actions` (List<String>) — List of actions that this statement either allows or denies. For example, `["ec2:RunInstances", "s3:*"]`.
- `conditions` (List<Property Map>) — Configuration block for a condition. Detailed below.
- `effect` (String) — Whether this statement allows or denies the given actions. Valid values are `Allow` and `Deny`. Defaults to `Allow`, so a statement that omits `effect` grants access. In IAM evaluation an explicit `Deny` takes precedence over any `Allow`.
- `notActions` (List<String>) — List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed. Combined with an `Allow` effect this grants every other action, including actions the service adds later; it is safest with `Deny` or with a narrowing condition.
- `notPrincipals` (List<Property Map>) — Like `principals` except these are principals that the statement does not apply to. With an `Allow` effect the statement then applies to every principal other than those listed, so it is normally used only with `Deny`.
- `notResources` (List<String>) — List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with `resources`. The same breadth caveat as `not_actions` applies when the effect is `Allow`.
- `principals` (List<Property Map>) — Configuration block for principals. Detailed below.
- `resources` (List<String>) — List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with `not_resources`.
- `sid` (String) — Sid (statement ID) is an identifier for a policy statement. Only statements that carry a `sid` can be replaced by `override_json` or `override_policy_documents`; see the merge rules above.
GetPolicyDocumentStatementCondition
- `Test` (string) — Name of the IAM condition operator to evaluate, e.g., `StringEquals` or `StringLike`.
- `Values` (List<string>) — Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies; that is, AWS evaluates multiple values as though using an "OR" boolean operation. Separate condition blocks on the same statement must all match (logical "AND").
- `Variable` (string) — Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
- `Test` (string) — Name of the IAM condition operator to evaluate, e.g., `StringEquals` or `StringLike`.
- `Values` ([]string) — Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies; that is, AWS evaluates multiple values as though using an "OR" boolean operation. Separate condition blocks on the same statement must all match (logical "AND").
- `Variable` (string) — Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
- `test` (String) — Name of the IAM condition operator to evaluate, e.g., `StringEquals` or `StringLike`.
- `values` (List<String>) — Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies; that is, AWS evaluates multiple values as though using an "OR" boolean operation. Separate condition blocks on the same statement must all match (logical "AND").
- `variable` (String) — Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
- `test` (string) — Name of the IAM condition operator to evaluate, e.g., `StringEquals` or `StringLike`.
- `values` (string[]) — Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies; that is, AWS evaluates multiple values as though using an "OR" boolean operation. Separate condition blocks on the same statement must all match (logical "AND").
- `variable` (string) — Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
- `test` (str) — Name of the IAM condition operator to evaluate, e.g., `StringEquals` or `StringLike`.
- `values` (Sequence[str]) — Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies; that is, AWS evaluates multiple values as though using an "OR" boolean operation. Separate condition blocks on the same statement must all match (logical "AND").
- `variable` (str) — Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
- `test` (String) — Name of the IAM condition operator to evaluate, e.g., `StringEquals` or `StringLike`.
- `values` (List<String>) — Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies; that is, AWS evaluates multiple values as though using an "OR" boolean operation. Separate condition blocks on the same statement must all match (logical "AND").
- `variable` (String) — Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
GetPolicyDocumentStatementNotPrincipal
- `Identifiers` (List<string>) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `Type` (string) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. Because `not_principals` excludes only the listed principals, AWS recommends against using it with an `Allow` effect: the statement would then apply to every other caller, including anonymous requests in resource-based policies.
- `Identifiers` ([]string) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `Type` (string) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. Because `not_principals` excludes only the listed principals, AWS recommends against using it with an `Allow` effect: the statement would then apply to every other caller, including anonymous requests in resource-based policies.
- `identifiers` (List<String>) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `type` (String) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. Because `not_principals` excludes only the listed principals, AWS recommends against using it with an `Allow` effect: the statement would then apply to every other caller, including anonymous requests in resource-based policies.
- `identifiers` (string[]) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `type` (string) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. Because `not_principals` excludes only the listed principals, AWS recommends against using it with an `Allow` effect: the statement would then apply to every other caller, including anonymous requests in resource-based policies.
- `identifiers` (Sequence[str]) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `type` (str) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. Because `not_principals` excludes only the listed principals, AWS recommends against using it with an `Allow` effect: the statement would then apply to every other caller, including anonymous requests in resource-based policies.
- `identifiers` (List<String>) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `type` (String) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. Because `not_principals` excludes only the listed principals, AWS recommends against using it with an `Allow` effect: the statement would then apply to every other caller, including anonymous requests in resource-based policies.
GetPolicyDocumentStatementPrincipal
- `Identifiers` (List<string>) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `Type` (string) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. A `*` principal matches every caller — in a resource-based policy that includes other AWS accounts and anonymous requests — so pair such a statement with conditions that restrict the source, or use it only with `Deny`.
- `Identifiers` ([]string) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `Type` (string) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. A `*` principal matches every caller — in a resource-based policy that includes other AWS accounts and anonymous requests — so pair such a statement with conditions that restrict the source, or use it only with `Deny`.
- `identifiers` (List<String>) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `type` (String) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. A `*` principal matches every caller — in a resource-based policy that includes other AWS accounts and anonymous requests — so pair such a statement with conditions that restrict the source, or use it only with `Deny`.
- `identifiers` (string[]) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `type` (string) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. A `*` principal matches every caller — in a resource-based policy that includes other AWS accounts and anonymous requests — so pair such a statement with conditions that restrict the source, or use it only with `Deny`.
- `identifiers` (Sequence[str]) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `type` (str) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. A `*` principal matches every caller — in a resource-based policy that includes other AWS accounts and anonymous requests — so pair such a statement with conditions that restrict the source, or use it only with `Deny`.
- `identifiers` (List<String>) — List of identifiers for principals. When `type` is `AWS`, these are IAM principal ARNs, e.g., `arn:aws:iam::123456789012:role/yak-role`. When `type` is `Service`, these are AWS service principals, e.g., `lambda.amazonaws.com`. When `type` is `Federated`, these are web identity providers or SAML provider ARNs, e.g., `accounts.google.com` or `arn:aws:iam::123456789012:saml-provider/yak-saml-provider`. When `type` is `CanonicalUser`, these are canonical user IDs, e.g., `79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be`.
- `type` (String) — Type of principal. Valid values include `AWS`, `Service`, `Federated`, `CanonicalUser` and `*`. A `*` principal matches every caller — in a resource-based policy that includes other AWS accounts and anonymous requests — so pair such a statement with conditions that restrict the source, or use it only with `Deny`.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.
published on Tuesday, Mar 10, 2026 by Pulumi
