AWS v6.73.0 published on Wednesday, Mar 19, 2025 by Pulumi

aws.iam.getPolicyDocument


Generates an IAM policy document in JSON format for use with resources that expect policy documents such as aws.iam.Policy.

Using this data source to generate policy documents is optional. It is also valid to use a literal JSON string in your configuration, or to read a raw JSON policy document from a file. Note that the statement merging and `Sid`-based override behavior shown in the source/override examples below applies only to documents built through this function; a literal JSON string is passed to the resource exactly as written.

Example Usage

Basic Example

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Identity policy for per-user "home directory" access in one S3 bucket.
// `s3BucketName` is a placeholder the caller must define. `&{aws:username}`
// is this data source's spelling of the IAM policy variable `${aws:username}`
// (a literal `${…}` inside these template literals would be interpolated by
// the SDK instead of reaching the policy).
const example = aws.iam.getPolicyDocument({
    statements: [
        {
            // Bucket discovery: list all buckets and resolve their regions.
            // These two actions only apply to the bucket wildcard.
            sid: "1",
            actions: [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
            ],
            resources: ["arn:aws:s3:::*"],
        },
        {
            // Listing is restricted to the bucket root, `home/`, and the
            // caller's own home prefix; the empty value covers a list request
            // with an empty prefix.
            actions: ["s3:ListBucket"],
            resources: [`arn:aws:s3:::${s3BucketName}`],
            conditions: [{
                test: "StringLike",
                variable: "s3:prefix",
                values: [
                    "",
                    "home/",
                    "home/&{aws:username}/",
                ],
            }],
        },
        {
            // `s3:*` is every S3 action (read, write, delete, ACL changes),
            // confined to the caller's own prefix. Narrow the action list if
            // users should not be able to delete or re-ACL their own objects.
            actions: ["s3:*"],
            resources: [
                `arn:aws:s3:::${s3BucketName}/home/&{aws:username}`,
                `arn:aws:s3:::${s3BucketName}/home/&{aws:username}/*`,
            ],
        },
    ],
});
// Materialize the generated JSON as a customer-managed IAM policy.
const examplePolicy = new aws.iam.Policy("example", {
    name: "example_policy",
    path: "/",
    policy: example.then(example => example.json),
});
import pulumi
import pulumi_aws as aws

# Identity policy for per-user "home directory" access in one S3 bucket.
# `s3_bucket_name` is a placeholder the caller must define. `&{aws:username}`
# is this data source's spelling of the IAM policy variable `${aws:username}`;
# inside the f-strings below it is written `&{{aws:username}}` because `{{`
# is the f-string escape for a literal brace.
example = aws.iam.get_policy_document(statements=[
    {
        # Bucket discovery; these two actions only apply to the bucket wildcard.
        "sid": "1",
        "actions": [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
        ],
        "resources": ["arn:aws:s3:::*"],
    },
    {
        # Listing limited to the bucket root, `home/`, and the caller's own
        # prefix; the empty value covers a list request with an empty prefix.
        "actions": ["s3:ListBucket"],
        "resources": [f"arn:aws:s3:::{s3_bucket_name}"],
        "conditions": [{
            "test": "StringLike",
            "variable": "s3:prefix",
            "values": [
                "",
                "home/",
                "home/&{aws:username}/",
            ],
        }],
    },
    {
        # `s3:*` is every S3 action (including delete and ACL changes),
        # confined to the caller's own prefix. Narrow the action list if that
        # is more than users should have.
        "actions": ["s3:*"],
        "resources": [
            f"arn:aws:s3:::{s3_bucket_name}/home/&{{aws:username}}",
            f"arn:aws:s3:::{s3_bucket_name}/home/&{{aws:username}}/*",
        ],
    },
])
# Materialize the generated JSON as a customer-managed IAM policy.
example_policy = aws.iam.Policy("example",
    name="example_policy",
    path="/",
    policy=example.json)
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Per-user S3 "home directory" policy. s3BucketName is a placeholder
		// the caller must define; &{aws:username} is this data source's
		// spelling of the IAM policy variable ${aws:username}.
		example, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					// Bucket discovery; these two actions only apply to the
					// bucket wildcard.
					Sid: pulumi.StringRef("1"),
					Actions: []string{
						"s3:ListAllMyBuckets",
						"s3:GetBucketLocation",
					},
					Resources: []string{
						"arn:aws:s3:::*",
					},
				},
				{
					// Listing limited to the bucket root, home/, and the
					// caller's own prefix ("" covers an empty-prefix listing).
					Actions: []string{
						"s3:ListBucket",
					},
					Resources: []string{
						fmt.Sprintf("arn:aws:s3:::%v", s3BucketName),
					},
					Conditions: []iam.GetPolicyDocumentStatementCondition{
						{
							Test:     "StringLike",
							Variable: "s3:prefix",
							Values: []string{
								"",
								"home/",
								"home/&{aws:username}/",
							},
						},
					},
				},
				{
					// s3:* is every S3 action (including delete and ACL
					// changes), confined to the caller's own prefix; narrow
					// the list if that is more than users should have.
					Actions: []string{
						"s3:*",
					},
					Resources: []string{
						fmt.Sprintf("arn:aws:s3:::%v/home/&{aws:username}", s3BucketName),
						fmt.Sprintf("arn:aws:s3:::%v/home/&{aws:username}/*", s3BucketName),
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// Materialize the generated JSON as a customer-managed IAM policy.
		_, err = iam.NewPolicy(ctx, "example", &iam.PolicyArgs{
			Name:   pulumi.String("example_policy"),
			Path:   pulumi.String("/"),
			Policy: pulumi.String(example.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    // Per-user S3 "home directory" policy. s3BucketName is a placeholder the
    // caller must define. &{aws:username} is this data source's spelling of
    // the IAM policy variable ${aws:username}; in the interpolated strings
    // below it is written &{{aws:username}} because {{ is the C# escape for
    // a literal brace.
    var example = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            // Bucket discovery; these two actions only apply to the bucket wildcard.
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Sid = "1",
                Actions = new[]
                {
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation",
                },
                Resources = new[]
                {
                    "arn:aws:s3:::*",
                },
            },
            // Listing limited to the bucket root, home/, and the caller's own
            // prefix ("" covers an empty-prefix listing).
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "s3:ListBucket",
                },
                Resources = new[]
                {
                    $"arn:aws:s3:::{s3BucketName}",
                },
                Conditions = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                    {
                        Test = "StringLike",
                        Variable = "s3:prefix",
                        Values = new[]
                        {
                            "",
                            "home/",
                            "home/&{aws:username}/",
                        },
                    },
                },
            },
            // s3:* is every S3 action (including delete and ACL changes),
            // confined to the caller's own prefix; narrow the list if that is
            // more than users should have.
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "s3:*",
                },
                Resources = new[]
                {
                    $"arn:aws:s3:::{s3BucketName}/home/&{{aws:username}}",
                    $"arn:aws:s3:::{s3BucketName}/home/&{{aws:username}}/*",
                },
            },
        },
    });

    // Materialize the generated JSON as a customer-managed IAM policy.
    var examplePolicy = new Aws.Iam.Policy("example", new()
    {
        Name = "example_policy",
        Path = "/",
        PolicyDocument = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementConditionArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

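public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds a per-user S3 "home directory" policy and publishes it as a
     * customer-managed IAM policy.
     *
     * {@code s3BucketName} is a placeholder the caller must define.
     * {@code &{aws:username}} is this data source's spelling of the IAM policy
     * variable {@code ${aws:username}}.
     *
     * Unlike the Python f-string and C# interpolated-string examples,
     * {@link String#format} does not treat {@code {{} as an escape, so the
     * resource ARNs below use a single brace pair; the doubled form would have
     * been emitted literally as {@code &{{aws:username}}} and never matched
     * the policy variable.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        final var example = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                // Bucket discovery; these two actions only apply to the bucket wildcard.
                GetPolicyDocumentStatementArgs.builder()
                    .sid("1")
                    .actions(
                        "s3:ListAllMyBuckets",
                        "s3:GetBucketLocation")
                    .resources("arn:aws:s3:::*")
                    .build(),
                // Listing limited to the bucket root, home/, and the caller's own
                // prefix ("" covers an empty-prefix listing).
                GetPolicyDocumentStatementArgs.builder()
                    .actions("s3:ListBucket")
                    .resources(String.format("arn:aws:s3:::%s", s3BucketName))
                    .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                        .test("StringLike")
                        .variable("s3:prefix")
                        .values(
                            "",
                            "home/",
                            "home/&{aws:username}/")
                        .build())
                    .build(),
                // s3:* is every S3 action (including delete and ACL changes),
                // confined to the caller's own prefix; narrow the list if that
                // is more than users should have.
                GetPolicyDocumentStatementArgs.builder()
                    .actions("s3:*")
                    .resources(
                        String.format("arn:aws:s3:::%s/home/&{aws:username}", s3BucketName),
                        String.format("arn:aws:s3:::%s/home/&{aws:username}/*", s3BucketName))
                    .build())
            .build());

        // Materialize the generated JSON as a customer-managed IAM policy.
        var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()
            .name("example_policy")
            .path("/")
            .policy(example.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

    }
}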
resources:
  # Materialize the generated JSON as a customer-managed IAM policy.
  examplePolicy:
    type: aws:iam:Policy
    name: example
    properties:
      name: example_policy
      path: /
      policy: ${example.json}
variables:
  # Per-user S3 "home directory" policy. ${s3BucketName} is a placeholder the
  # caller must define; &{aws:username} is this data source's spelling of the
  # IAM policy variable ${aws:username} (which would otherwise be read as a
  # Pulumi YAML expression, like ${s3BucketName} is).
  example:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          # Bucket discovery; these two actions only apply to the bucket wildcard.
          - sid: '1'
            actions:
              - s3:ListAllMyBuckets
              - s3:GetBucketLocation
            resources:
              - arn:aws:s3:::*
          # Listing limited to the bucket root, home/, and the caller's own
          # prefix ("" covers an empty-prefix listing).
          - actions:
              - s3:ListBucket
            resources:
              - arn:aws:s3:::${s3BucketName}
            conditions:
              - test: StringLike
                variable: s3:prefix
                values:
                  - ""
                  - home/
                  - home/&{aws:username}/
          # s3:* is every S3 action (including delete and ACL changes), confined
          # to the caller's own prefix; narrow the list if that is more than
          # users should have.
          - actions:
              - s3:*
            resources:
              - arn:aws:s3:::${s3BucketName}/home/&{aws:username}
              - arn:aws:s3:::${s3BucketName}/home/&{aws:username}/*

Example Multiple Condition Keys and Values

You can specify a condition with multiple keys and values by supplying multiple condition blocks with the same `test` value but differing `variable` and `values` values. Every condition block must match for the statement to apply (the blocks are combined with AND), whereas the entries in one block's `values` are alternatives (OR); the generated JSON below shows the blocks merged under a single operator. Prefer `ForAnyValue:` or the plain string operators over `ForAllValues:` for checks like this — `ForAllValues:` also matches when the key is absent from the request altogether.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Allow KMS decrypt / data-key generation only when the request's encryption
// context carries all three expected entries (the `pi`/`rds` values look like
// an RDS Performance Insights context). The three condition blocks are all
// required (AND); the two db-id values are alternatives (OR). `resources:
// ["*"]` is acceptable here only because the encryption-context conditions
// confine it; the key policy of each KMS key must also permit this principal.
const exampleMultipleConditionKeysAndValues = aws.iam.getPolicyDocument({
    statements: [{
        actions: [
            "kms:Decrypt",
            "kms:GenerateDataKey",
        ],
        resources: ["*"],
        conditions: [
            {
                test: "ForAnyValue:StringEquals",
                variable: "kms:EncryptionContext:service",
                values: ["pi"],
            },
            {
                test: "ForAnyValue:StringEquals",
                variable: "kms:EncryptionContext:aws:pi:service",
                values: ["rds"],
            },
            {
                // Either DB instance id satisfies this block.
                test: "ForAnyValue:StringEquals",
                variable: "kms:EncryptionContext:aws:rds:db-id",
                values: [
                    "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                    "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
                ],
            },
        ],
    }],
});
import pulumi
import pulumi_aws as aws

# Allow KMS decrypt / data-key generation only when the request's encryption
# context carries all three expected entries (the `pi`/`rds` values look like
# an RDS Performance Insights context). The three condition blocks are all
# required (AND); the two db-id values are alternatives (OR). `"resources":
# ["*"]` is acceptable here only because the encryption-context conditions
# confine it; the key policy of each KMS key must also permit this principal.
example_multiple_condition_keys_and_values = aws.iam.get_policy_document(statements=[{
    "actions": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
    ],
    "resources": ["*"],
    "conditions": [
        {
            "test": "ForAnyValue:StringEquals",
            "variable": "kms:EncryptionContext:service",
            "values": ["pi"],
        },
        {
            "test": "ForAnyValue:StringEquals",
            "variable": "kms:EncryptionContext:aws:pi:service",
            "values": ["rds"],
        },
        {
            # Either DB instance id satisfies this block.
            "test": "ForAnyValue:StringEquals",
            "variable": "kms:EncryptionContext:aws:rds:db-id",
            "values": [
                "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
            ],
        },
    ],
}])
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Allow KMS decrypt / data-key generation only when the request's
		// encryption context carries all three expected entries (the pi/rds
		// values look like an RDS Performance Insights context). The three
		// condition blocks are all required (AND); the two db-id values are
		// alternatives (OR). Resources "*" is acceptable here only because the
		// encryption-context conditions confine it; the key policy of each KMS
		// key must also permit this principal.
		_, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions: []string{
						"kms:Decrypt",
						"kms:GenerateDataKey",
					},
					Resources: []string{
						"*",
					},
					Conditions: []iam.GetPolicyDocumentStatementCondition{
						{
							Test:     "ForAnyValue:StringEquals",
							Variable: "kms:EncryptionContext:service",
							Values: []string{
								"pi",
							},
						},
						{
							Test:     "ForAnyValue:StringEquals",
							Variable: "kms:EncryptionContext:aws:pi:service",
							Values: []string{
								"rds",
							},
						},
						{
							// Either DB instance id satisfies this block.
							Test:     "ForAnyValue:StringEquals",
							Variable: "kms:EncryptionContext:aws:rds:db-id",
							Values: []string{
								"db-AAAAABBBBBCCCCCDDDDDEEEEE",
								"db-EEEEEDDDDDCCCCCBBBBBAAAAA",
							},
						},
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    // Allow KMS decrypt / data-key generation only when the request's
    // encryption context carries all three expected entries (the pi/rds
    // values look like an RDS Performance Insights context). The three
    // condition blocks are all required (AND); the two db-id values are
    // alternatives (OR). Resources "*" is acceptable here only because the
    // encryption-context conditions confine it; the key policy of each KMS
    // key must also permit this principal.
    var exampleMultipleConditionKeysAndValues = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "kms:Decrypt",
                    "kms:GenerateDataKey",
                },
                Resources = new[]
                {
                    "*",
                },
                Conditions = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                    {
                        Test = "ForAnyValue:StringEquals",
                        Variable = "kms:EncryptionContext:service",
                        Values = new[]
                        {
                            "pi",
                        },
                    },
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                    {
                        Test = "ForAnyValue:StringEquals",
                        Variable = "kms:EncryptionContext:aws:pi:service",
                        Values = new[]
                        {
                            "rds",
                        },
                    },
                    // Either DB instance id satisfies this block.
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                    {
                        Test = "ForAnyValue:StringEquals",
                        Variable = "kms:EncryptionContext:aws:rds:db-id",
                        Values = new[]
                        {
                            "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                            "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
                        },
                    },
                },
            },
        },
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Allows KMS decrypt / data-key generation only when the request's
     * encryption context carries all three expected entries (the pi/rds
     * values look like an RDS Performance Insights context). The three
     * condition blocks are all required (AND); the two db-id values are
     * alternatives (OR). Resources "*" is acceptable here only because the
     * encryption-context conditions confine it; the key policy of each KMS
     * key must also permit this principal.
     *
     * NOTE(review): GetPolicyDocumentStatementArgs and
     * GetPolicyDocumentStatementConditionArgs are used below but are not
     * imported above (they live in com.pulumi.aws.iam.inputs).
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        final var exampleMultipleConditionKeysAndValues = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .actions(                
                    "kms:Decrypt",
                    "kms:GenerateDataKey")
                .resources("*")
                .conditions(                
                    GetPolicyDocumentStatementConditionArgs.builder()
                        .test("ForAnyValue:StringEquals")
                        .variable("kms:EncryptionContext:service")
                        .values("pi")
                        .build(),
                    GetPolicyDocumentStatementConditionArgs.builder()
                        .test("ForAnyValue:StringEquals")
                        .variable("kms:EncryptionContext:aws:pi:service")
                        .values("rds")
                        .build(),
                    // Either DB instance id satisfies this block.
                    GetPolicyDocumentStatementConditionArgs.builder()
                        .test("ForAnyValue:StringEquals")
                        .variable("kms:EncryptionContext:aws:rds:db-id")
                        .values(                        
                            "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                            "db-EEEEEDDDDDCCCCCBBBBBAAAAA")
                        .build())
                .build())
            .build());

    }
}
variables:
  # Allow KMS decrypt / data-key generation only when the request's encryption
  # context carries all three expected entries (the pi/rds values look like an
  # RDS Performance Insights context). The three condition blocks are all
  # required (AND); the two db-id values are alternatives (OR). Resources '*'
  # is acceptable here only because the encryption-context conditions confine
  # it; the key policy of each KMS key must also permit this principal.
  exampleMultipleConditionKeysAndValues:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - actions:
              - kms:Decrypt
              - kms:GenerateDataKey
            resources:
              - '*'
            conditions:
              - test: ForAnyValue:StringEquals
                variable: kms:EncryptionContext:service
                values:
                  - pi
              - test: ForAnyValue:StringEquals
                variable: kms:EncryptionContext:aws:pi:service
                values:
                  - rds
              # Either DB instance id satisfies this block.
              - test: ForAnyValue:StringEquals
                variable: kms:EncryptionContext:aws:rds:db-id
                values:
                  - db-AAAAABBBBBCCCCCDDDDDEEEEE
                  - db-EEEEEDDDDDCCCCCBBBBBAAAAA

`exampleMultipleConditionKeysAndValues.json` will evaluate to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:EncryptionContext:aws:pi:service": "rds",
          "kms:EncryptionContext:aws:rds:db-id": [
            "db-AAAAABBBBBCCCCCDDDDDEEEEE",
            "db-EEEEEDDDDDCCCCCBBBBBAAAAA"
          ],
          "kms:EncryptionContext:service": "pi"
        }
      }
    }
  ]
}

Example Assume-Role Policy with Multiple Principals

You can specify multiple principal blocks with different types. You can also use this data source to generate an assume-role (trust) policy. Two caveats for real deployments: a `Federated` principal signs in through `sts:AssumeRoleWithSAML` (SAML providers) or `sts:AssumeRoleWithWebIdentity` (Cognito and other web identity providers), so a trust policy that allows only `sts:AssumeRole` will not let those principals assume the role; and `Federated` principals should be scoped with conditions (`SAML:aud` for a SAML provider, `cognito-identity.amazonaws.com:aud` and `:amr` for Cognito) — without them, any identity pool or any user of the provider could assume the role.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

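// Trust (assume-role) policy with one statement per principal type. Each
// principal type signs in through a different STS API, and the trust policy
// must allow the matching action, not just `sts:AssumeRole`:
//   Service / AWS principals -> sts:AssumeRole
//   SAML provider            -> sts:AssumeRoleWithSAML
//   Cognito identity         -> sts:AssumeRoleWithWebIdentity
// `trustedRoleArn`, `accountId` and `providerName` are placeholders the caller
// must define.
// NOTE(review): the Federated statements carry no conditions. In real use add
// `SAML:aud` for the SAML provider and `cognito-identity.amazonaws.com:aud`
// (and `:amr`) for Cognito; otherwise any identity from that provider can
// assume the role.
const eventStreamBucketRoleAssumeRolePolicy = aws.iam.getPolicyDocument({
    statements: [
        {
            actions: ["sts:AssumeRole"],
            principals: [
                {
                    type: "Service",
                    identifiers: ["firehose.amazonaws.com"],
                },
                {
                    type: "AWS",
                    identifiers: [trustedRoleArn],
                },
            ],
        },
        {
            actions: ["sts:AssumeRoleWithSAML"],
            principals: [{
                type: "Federated",
                identifiers: [`arn:aws:iam::${accountId}:saml-provider/${providerName}`],
            }],
        },
        {
            actions: ["sts:AssumeRoleWithWebIdentity"],
            principals: [{
                type: "Federated",
                identifiers: ["cognito-identity.amazonaws.com"],
            }],
        },
    ],
});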
import pulumi
import pulumi_aws as aws

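# Trust (assume-role) policy with one statement per principal type. Each
# principal type signs in through a different STS API, and the trust policy
# must allow the matching action, not just `sts:AssumeRole`:
#   Service / AWS principals -> sts:AssumeRole
#   SAML provider            -> sts:AssumeRoleWithSAML
#   Cognito identity         -> sts:AssumeRoleWithWebIdentity
# `trusted_role_arn`, `account_id` and `provider_name` are placeholders the
# caller must define.
# NOTE(review): the Federated statements carry no conditions. In real use add
# `SAML:aud` for the SAML provider and `cognito-identity.amazonaws.com:aud`
# (and `:amr`) for Cognito; otherwise any identity from that provider can
# assume the role.
event_stream_bucket_role_assume_role_policy = aws.iam.get_policy_document(statements=[
    {
        "actions": ["sts:AssumeRole"],
        "principals": [
            {
                "type": "Service",
                "identifiers": ["firehose.amazonaws.com"],
            },
            {
                "type": "AWS",
                "identifiers": [trusted_role_arn],
            },
        ],
    },
    {
        "actions": ["sts:AssumeRoleWithSAML"],
        "principals": [{
            "type": "Federated",
            "identifiers": [f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"],
        }],
    },
    {
        "actions": ["sts:AssumeRoleWithWebIdentity"],
        "principals": [{
            "type": "Federated",
            "identifiers": ["cognito-identity.amazonaws.com"],
        }],
    },
])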
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
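func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Trust (assume-role) policy with one statement per principal type.
		// Each principal type signs in through a different STS API, and the
		// trust policy must allow the matching action, not just sts:AssumeRole:
		//   Service / AWS principals -> sts:AssumeRole
		//   SAML provider            -> sts:AssumeRoleWithSAML
		//   Cognito identity         -> sts:AssumeRoleWithWebIdentity
		// trustedRoleArn, accountId and providerName are placeholders the
		// caller must define.
		// NOTE(review): the Federated statements carry no conditions. In real
		// use add SAML:aud for the SAML provider and
		// cognito-identity.amazonaws.com:aud (and :amr) for Cognito; otherwise
		// any identity from that provider can assume the role.
		//
		// Identifiers is a []string. The previous interface{}{...} literal was
		// not valid Go: composite literals need a struct, array, slice or map
		// type.
		_, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions: []string{"sts:AssumeRole"},
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type:        "Service",
							Identifiers: []string{"firehose.amazonaws.com"},
						},
						{
							Type:        "AWS",
							Identifiers: []string{trustedRoleArn},
						},
					},
				},
				{
					Actions: []string{"sts:AssumeRoleWithSAML"},
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type: "Federated",
							Identifiers: []string{
								fmt.Sprintf("arn:aws:iam::%v:saml-provider/%v", accountId, providerName),
							},
						},
					},
				},
				{
					Actions: []string{"sts:AssumeRoleWithWebIdentity"},
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type:        "Federated",
							Identifiers: []string{"cognito-identity.amazonaws.com"},
						},
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}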
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

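return await Deployment.RunAsync(() => 
{
    // Trust (assume-role) policy with one statement per principal type. Each
    // principal type signs in through a different STS API, and the trust
    // policy must allow the matching action, not just sts:AssumeRole:
    //   Service / AWS principals -> sts:AssumeRole
    //   SAML provider            -> sts:AssumeRoleWithSAML
    //   Cognito identity         -> sts:AssumeRoleWithWebIdentity
    // trustedRoleArn, accountId and providerName are placeholders the caller
    // must define.
    // NOTE(review): the Federated statements carry no conditions. In real use
    // add SAML:aud for the SAML provider and cognito-identity.amazonaws.com:aud
    // (and :amr) for Cognito; otherwise any identity from that provider can
    // assume the role.
    var eventStreamBucketRoleAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[] { "sts:AssumeRole" },
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Service",
                        Identifiers = new[] { "firehose.amazonaws.com" },
                    },
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "AWS",
                        Identifiers = new[] { trustedRoleArn },
                    },
                },
            },
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[] { "sts:AssumeRoleWithSAML" },
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Federated",
                        Identifiers = new[] { $"arn:aws:iam::{accountId}:saml-provider/{providerName}" },
                    },
                },
            },
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[] { "sts:AssumeRoleWithWebIdentity" },
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "Federated",
                        Identifiers = new[] { "cognito-identity.amazonaws.com" },
                    },
                },
            },
        },
    });

});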
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

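public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds a trust (assume-role) policy with one statement per principal
     * type. Each principal type signs in through a different STS API, and the
     * trust policy must allow the matching action, not just sts:AssumeRole:
     * Service / AWS principals use sts:AssumeRole, a SAML provider uses
     * sts:AssumeRoleWithSAML, and Cognito uses sts:AssumeRoleWithWebIdentity.
     *
     * {@code trustedRoleArn}, {@code accountId} and {@code providerName} are
     * placeholders the caller must define.
     *
     * NOTE(review): the Federated statements carry no conditions. In real use
     * add SAML:aud for the SAML provider and cognito-identity.amazonaws.com:aud
     * (and :amr) for Cognito; otherwise any identity from that provider can
     * assume the role.
     *
     * NOTE(review): GetPolicyDocumentStatementArgs and
     * GetPolicyDocumentStatementPrincipalArgs are used below but are not
     * imported above (they live in com.pulumi.aws.iam.inputs).
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        final var eventStreamBucketRoleAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                GetPolicyDocumentStatementArgs.builder()
                    .actions("sts:AssumeRole")
                    .principals(
                        GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("Service")
                            .identifiers("firehose.amazonaws.com")
                            .build(),
                        GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers(trustedRoleArn)
                            .build())
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .actions("sts:AssumeRoleWithSAML")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Federated")
                        .identifiers(String.format("arn:aws:iam::%s:saml-provider/%s", accountId, providerName))
                        .build())
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .actions("sts:AssumeRoleWithWebIdentity")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Federated")
                        .identifiers("cognito-identity.amazonaws.com")
                        .build())
                    .build())
            .build());

    }
}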
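variables:
  # Trust (assume-role) policy with one statement per principal type. Each
  # principal type signs in through a different STS API, and the trust policy
  # must allow the matching action, not just sts:AssumeRole:
  #   Service / AWS principals -> sts:AssumeRole
  #   SAML provider            -> sts:AssumeRoleWithSAML
  #   Cognito identity         -> sts:AssumeRoleWithWebIdentity
  # ${trustedRoleArn}, ${accountId} and ${providerName} are placeholders the
  # caller must define.
  # NOTE(review): the Federated statements carry no conditions. In real use add
  # SAML:aud for the SAML provider and cognito-identity.amazonaws.com:aud (and
  # :amr) for Cognito; otherwise any identity from that provider can assume
  # the role.
  eventStreamBucketRoleAssumeRolePolicy:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - actions:
              - sts:AssumeRole
            principals:
              - type: Service
                identifiers:
                  - firehose.amazonaws.com
              - type: AWS
                identifiers:
                  - ${trustedRoleArn}
          - actions:
              - sts:AssumeRoleWithSAML
            principals:
              - type: Federated
                identifiers:
                  - arn:aws:iam::${accountId}:saml-provider/${providerName}
          - actions:
              - sts:AssumeRoleWithWebIdentity
            principals:
              - type: Federated
                identifiers:
                  - cognito-identity.amazonaws.com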

Example Using A Source Document

Statements from `sourcePolicyDocuments` are merged into the result. A statement in `statements` whose `sid` matches one in a source document replaces it; statements without a matching `sid` (including the broad `ec2:*` placeholder here) are carried over unchanged, as the output below shows.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Base document with deliberately broad placeholder grants. The statement
// tagged "SidToOverride" is the one the second document narrows; the unnamed
// `ec2:*` statement is carried over to the merged result as-is.
const source = aws.iam.getPolicyDocument({
    statements: [
        {
            actions: ["ec2:*"],
            resources: ["*"],
        },
        {
            sid: "SidToOverride",
            actions: ["s3:*"],
            resources: ["*"],
        },
    ],
});
// Merge: the inline statement replaces the source statement with the same
// `sid`, restricting `s3:*` from every bucket to one bucket and its objects.
const sourceDocumentExample = source.then(source => aws.iam.getPolicyDocument({
    sourcePolicyDocuments: [source.json],
    statements: [{
        sid: "SidToOverride",
        actions: ["s3:*"],
        resources: [
            "arn:aws:s3:::somebucket",
            "arn:aws:s3:::somebucket/*",
        ],
    }],
}));
import pulumi
import pulumi_aws as aws

# Base document with deliberately broad placeholder grants. The statement
# tagged "SidToOverride" is the one the second document narrows; the unnamed
# `ec2:*` statement is carried over to the merged result as-is.
source = aws.iam.get_policy_document(statements=[
    {
        "actions": ["ec2:*"],
        "resources": ["*"],
    },
    {
        "sid": "SidToOverride",
        "actions": ["s3:*"],
        "resources": ["*"],
    },
])
# Merge: the inline statement replaces the source statement with the same
# `sid`, restricting `s3:*` from every bucket to one bucket and its objects.
source_document_example = aws.iam.get_policy_document(source_policy_documents=[source.json],
    statements=[{
        "sid": "SidToOverride",
        "actions": ["s3:*"],
        "resources": [
            "arn:aws:s3:::somebucket",
            "arn:aws:s3:::somebucket/*",
        ],
    }])
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
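func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Base document with deliberately broad placeholder grants. The
		// statement tagged SidToOverride is the one the second document
		// narrows; the unnamed ec2:* statement is carried over as-is.
		source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions:   []string{"ec2:*"},
					Resources: []string{"*"},
				},
				{
					Sid:       pulumi.StringRef("SidToOverride"),
					Actions:   []string{"s3:*"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// Merge: the inline statement replaces the source statement with the
		// same Sid, restricting s3:* from every bucket to one bucket and its
		// objects.
		//
		// SourcePolicyDocuments is a []string. The previous interface{}{...}
		// literal was not valid Go: composite literals need a struct, array,
		// slice or map type.
		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			SourcePolicyDocuments: []string{source.Json},
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:     pulumi.StringRef("SidToOverride"),
					Actions: []string{"s3:*"},
					Resources: []string{
						"arn:aws:s3:::somebucket",
						"arn:aws:s3:::somebucket/*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}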
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    // Base document with deliberately broad placeholder grants. The statement
    // tagged "SidToOverride" is the one the second document narrows; the
    // unnamed ec2:* statement is carried over to the merged result as-is.
    var source = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Actions = new[]
                {
                    "ec2:*",
                },
                Resources = new[]
                {
                    "*",
                },
            },
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Sid = "SidToOverride",
                Actions = new[]
                {
                    "s3:*",
                },
                Resources = new[]
                {
                    "*",
                },
            },
        },
    });

    // Merge: the inline statement replaces the source statement with the same
    // Sid, restricting s3:* from every bucket to one bucket and its objects.
    var sourceDocumentExample = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        SourcePolicyDocuments = new[]
        {
            source.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        },
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Sid = "SidToOverride",
                Actions = new[]
                {
                    "s3:*",
                },
                Resources = new[]
                {
                    "arn:aws:s3:::somebucket",
                    "arn:aws:s3:::somebucket/*",
                },
            },
        },
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Demonstrates merging with a source document: the inline statement
     * replaces the source statement carrying the same Sid ("SidToOverride"),
     * restricting s3:* from every bucket to one bucket and its objects, while
     * the unnamed ec2:* placeholder statement is carried over as-is.
     *
     * NOTE(review): GetPolicyDocumentStatementArgs is used below but is not
     * imported above (it lives in com.pulumi.aws.iam.inputs).
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Base document with deliberately broad placeholder grants.
        final var source = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(            
                GetPolicyDocumentStatementArgs.builder()
                    .actions("ec2:*")
                    .resources("*")
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .sid("SidToOverride")
                    .actions("s3:*")
                    .resources("*")
                    .build())
            .build());

        // Merge: same Sid as above, narrower resources.
        final var sourceDocumentExample = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .sourcePolicyDocuments(source.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("SidToOverride")
                .actions("s3:*")
                .resources(                
                    "arn:aws:s3:::somebucket",
                    "arn:aws:s3:::somebucket/*")
                .build())
            .build());

    }
}
variables:
  # Base document with deliberately broad placeholder grants. The statement
  # tagged SidToOverride is the one the second document narrows; the unnamed
  # ec2:* statement is carried over to the merged result as-is.
  source:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - actions:
              - ec2:*
            resources:
              - '*'
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - '*'
  # Merge: the inline statement replaces the source statement with the same
  # sid, restricting s3:* from every bucket to one bucket and its objects.
  sourceDocumentExample:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        sourcePolicyDocuments:
          - ${source.json}
        statements:
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - arn:aws:s3:::somebucket
              - arn:aws:s3:::somebucket/*

`sourceDocumentExample.json` will evaluate to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Sid": "SidToOverride",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::somebucket/*",
        "arn:aws:s3:::somebucket"
      ]
    }
  ]
}

Example Using An Override Document

`overridePolicyDocuments` works in the opposite direction from `sourcePolicyDocuments`: a statement in an override document takes precedence over any statement in `statements` (or in a source document) that carries the same `sid`. Here the override widens `SidToOverride` back to `*`, so the narrower inline resources below are what get replaced.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Override document: a single statement tagged "SidToOverride" granting
// `s3:*` on every resource.
const override = aws.iam.getPolicyDocument({
    statements: [{
        sid: "SidToOverride",
        actions: ["s3:*"],
        resources: ["*"],
    }],
});
// The override takes precedence over the inline statement with the same
// `sid`, so the narrower "somebucket" resources below are what get replaced —
// note the merged result is broader than the inline statements suggest.
const overridePolicyDocumentExample = override.then(override => aws.iam.getPolicyDocument({
    overridePolicyDocuments: [override.json],
    statements: [
        {
            actions: ["ec2:*"],
            resources: ["*"],
        },
        {
            sid: "SidToOverride",
            actions: ["s3:*"],
            resources: [
                "arn:aws:s3:::somebucket",
                "arn:aws:s3:::somebucket/*",
            ],
        },
    ],
}));
import pulumi
import pulumi_aws as aws

# Override document: a single statement tagged "SidToOverride" granting
# `s3:*` on every resource.
override = aws.iam.get_policy_document(statements=[{
    "sid": "SidToOverride",
    "actions": ["s3:*"],
    "resources": ["*"],
}])
# The override takes precedence over the inline statement with the same
# `sid`, so the narrower "somebucket" resources below are what get replaced —
# note the merged result is broader than the inline statements suggest.
override_policy_document_example = aws.iam.get_policy_document(override_policy_documents=[override.json],
    statements=[
        {
            "actions": ["ec2:*"],
            "resources": ["*"],
        },
        {
            "sid": "SidToOverride",
            "actions": ["s3:*"],
            "resources": [
                "arn:aws:s3:::somebucket",
                "arn:aws:s3:::somebucket/*",
            ],
        },
    ])
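package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main builds an override document and a merged document that demonstrates
// OverridePolicyDocuments: a statement in the override replaces any inline
// statement carrying the same sid.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Statement that wins over any statement with the same sid.
		// NOTE: it grants s3:* on every resource, far broader than the
		// bucket-scoped statement it overrides below.
		override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       pulumi.StringRef("SidToOverride"),
					Actions:   []string{"s3:*"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// OverridePolicyDocuments is a []string; an `interface{}{...}`
		// composite literal (as in the generated example) does not compile.
		// The inline "SidToOverride" statement (scoped to somebucket) is
		// replaced wholesale by the override document, so the merged policy
		// allows s3:* on "*". Review the merged JSON before attaching it.
		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			OverridePolicyDocuments: []string{override.Json},
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions:   []string{"ec2:*"},
					Resources: []string{"*"},
				},
				{
					Sid:     pulumi.StringRef("SidToOverride"),
					Actions: []string{"s3:*"},
					Resources: []string{
						"arn:aws:s3:::somebucket",
						"arn:aws:s3:::somebucket/*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}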
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Statement that wins over any statement with the same sid.
    // NOTE: s3:* on "*" is far broader than the bucket-scoped statement below.
    var overrideStatement = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "SidToOverride",
        Actions = new[] { "s3:*" },
        Resources = new[] { "*" },
    };
    var @override = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { overrideStatement },
    });

    var ec2Statement = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Actions = new[] { "ec2:*" },
        Resources = new[] { "*" },
    };
    // Scoped to one bucket, but replaced wholesale by the override document
    // above, so the merged policy ends up allowing s3:* on "*". Inspect the
    // exported Json before attaching it to a principal.
    var scopedS3Statement = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "SidToOverride",
        Actions = new[] { "s3:*" },
        Resources = new[]
        {
            "arn:aws:s3:::somebucket",
            "arn:aws:s3:::somebucket/*",
        },
    };
    var overridePolicyDocumentExample = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        OverridePolicyDocuments = new[]
        {
            @override.Apply(result => result.Json),
        },
        Statements = new[] { ec2Statement, scopedS3Statement },
    });

});
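package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Demonstrates {@code overridePolicyDocuments}: a statement in an override
 * document replaces any inline statement carrying the same sid.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the override document and the merged document.
     * <p>
     * The override's "SidToOverride" statement grants s3:* on "*"; it replaces
     * the inline, bucket-scoped "SidToOverride" statement wholesale, so the
     * merged policy allows s3:* on every S3 resource. Review the exported JSON
     * before attaching it to a principal.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // GetPolicyDocumentStatementArgs lives in com.pulumi.aws.iam.inputs;
        // the generated example used it without importing it.
        final var override = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("SidToOverride")
                .actions("s3:*")
                .resources("*")
                .build())
            .build());

        // NOTE(review): overridePolicyDocuments is handed a single Output<String>;
        // confirm the builder offers an overload for that rather than only
        // Output<List<String>> / String... forms.
        final var overridePolicyDocumentExample = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .overridePolicyDocuments(override.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .statements(
                GetPolicyDocumentStatementArgs.builder()
                    .actions("ec2:*")
                    .resources("*")
                    .build(),
                // Bucket-scoped, but superseded by the override above.
                GetPolicyDocumentStatementArgs.builder()
                    .sid("SidToOverride")
                    .actions("s3:*")
                    .resources(
                        "arn:aws:s3:::somebucket",
                        "arn:aws:s3:::somebucket/*")
                    .build())
            .build());

    }
}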
variables:
  # Statement that wins over any statement with the same sid.
  # NOTE: s3:* on '*' is far broader than the bucket-scoped statement below.
  override:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - '*'
  overridePolicyDocumentExample:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        overridePolicyDocuments:
          - ${override.json}
        statements:
          - actions:
              - ec2:*
            resources:
              - '*'
          # Scoped to one bucket, but replaced wholesale by the override
          # document, so the merged policy allows s3:* on '*'. Review the
          # exported json before attaching it to a principal.
          - sid: SidToOverride
            actions:
              - s3:*
            resources:
              - arn:aws:s3:::somebucket
              - arn:aws:s3:::somebucket/*

The `json` output of `overridePolicyDocumentExample` will evaluate to (note that the bucket-scoped `s3:*` statement has been replaced by the override's `"Resource": "*"` — the override widens the grant rather than narrowing it):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Sid": "SidToOverride",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

Example with Both Source and Override Documents

You can also combine source_policy_documents and override_policy_documents in the same document.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Base document: a read-only EC2 action under sid "OverridePlaceholder".
const source = aws.iam.getPolicyDocument({
    statements: [{
        sid: "OverridePlaceholder",
        actions: ["ec2:DescribeAccountAttributes"],
        resources: ["*"],
    }],
});
// Override document with the same sid; it replaces the source statement
// entirely, so the merged document contains only s3:GetObject on "*" and
// the EC2 permission disappears.
const override = aws.iam.getPolicyDocument({
    statements: [{
        sid: "OverridePlaceholder",
        actions: ["s3:GetObject"],
        resources: ["*"],
    }],
});
// Merge both; overrides win over sources on a matching sid.
const politik = (async () => {
    const [sourceDoc, overrideDoc] = await Promise.all([source, override]);
    return aws.iam.getPolicyDocument({
        sourcePolicyDocuments: [sourceDoc.json],
        overridePolicyDocuments: [overrideDoc.json],
    });
})();
import pulumi
import pulumi_aws as aws

# Both documents carry the same sid. The source grants a read-only EC2
# action; the override grants s3:GetObject on "*".
placeholder_sid = "OverridePlaceholder"

source_statement = {
    "sid": placeholder_sid,
    "actions": ["ec2:DescribeAccountAttributes"],
    "resources": ["*"],
}
source = aws.iam.get_policy_document(statements=[source_statement])

override_statement = {
    "sid": placeholder_sid,
    "actions": ["s3:GetObject"],
    "resources": ["*"],
}
override = aws.iam.get_policy_document(statements=[override_statement])

# Overrides win over sources on a matching sid: the merged document keeps
# only the s3:GetObject statement, and the EC2 permission disappears.
politik = aws.iam.get_policy_document(
    source_policy_documents=[source.json],
    override_policy_documents=[override.json],
)
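package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main combines a source document and an override document that share a
// sid; the override statement replaces the source statement entirely.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Source document: a read-only EC2 action under sid "OverridePlaceholder".
		source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       pulumi.StringRef("OverridePlaceholder"),
					Actions:   []string{"ec2:DescribeAccountAttributes"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// Override document with the same sid; it replaces the source
		// statement wholesale.
		override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       pulumi.StringRef("OverridePlaceholder"),
					Actions:   []string{"s3:GetObject"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// Both list fields are []string; an `interface{}{...}` composite
		// literal (as in the generated example) does not compile.
		// Overrides win over sources on a matching sid, so the merged
		// document holds only s3:GetObject on "*".
		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			SourcePolicyDocuments:   []string{source.Json},
			OverridePolicyDocuments: []string{override.Json},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}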
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Both documents carry the same sid. The source grants a read-only EC2
    // action; the override grants s3:GetObject on "*".
    const string placeholderSid = "OverridePlaceholder";

    var sourceStatement = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = placeholderSid,
        Actions = new[] { "ec2:DescribeAccountAttributes" },
        Resources = new[] { "*" },
    };
    var source = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { sourceStatement },
    });

    var overrideStatement = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = placeholderSid,
        Actions = new[] { "s3:GetObject" },
        Resources = new[] { "*" },
    };
    var @override = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { overrideStatement },
    });

    // Overrides win over sources on a matching sid: the merged document keeps
    // only the s3:GetObject statement, and the EC2 permission disappears.
    var politik = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        SourcePolicyDocuments = new[]
        {
            source.Apply(result => result.Json),
        },
        OverridePolicyDocuments = new[]
        {
            @override.Apply(result => result.Json),
        },
    });

});
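package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Combines a source document and an override document that share a sid;
 * the override statement replaces the source statement entirely.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the source document (read-only EC2 action), the override document
     * (s3:GetObject on "*") and the merged document. Overrides win over sources
     * on a matching sid, so the merged result holds only the s3:GetObject
     * statement and the EC2 permission disappears.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // GetPolicyDocumentStatementArgs lives in com.pulumi.aws.iam.inputs;
        // the generated example used it without importing it.
        final var source = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceholder")
                .actions("ec2:DescribeAccountAttributes")
                .resources("*")
                .build())
            .build());

        final var override = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceholder")
                .actions("s3:GetObject")
                .resources("*")
                .build())
            .build());

        // NOTE(review): the *PolicyDocuments setters are handed a single
        // Output<String>; confirm the builder offers an overload for that
        // rather than only Output<List<String>> / String... forms.
        final var politik = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .sourcePolicyDocuments(source.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .overridePolicyDocuments(override.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

    }
}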
variables:
  # Source document: a read-only EC2 action under sid OverridePlaceholder.
  source:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - sid: OverridePlaceholder
            actions:
              - ec2:DescribeAccountAttributes
            resources:
              - '*'
  # Override document with the same sid; it replaces the source statement
  # entirely, so the merged document contains only s3:GetObject on '*'.
  override:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - sid: OverridePlaceholder
            actions:
              - s3:GetObject
            resources:
              - '*'
  # Overrides win over sources on a matching sid.
  politik:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        sourcePolicyDocuments:
          - ${source.json}
        overridePolicyDocuments:
          - ${override.json}

The `json` output of `politik` will evaluate to (the source's `ec2:DescribeAccountAttributes` statement has been replaced entirely by the override's `s3:GetObject` statement, because both share the sid `OverridePlaceholder`):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OverridePlaceholder",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "*"
    }
  ]
}

Example of Merging Source Documents

Multiple documents can be combined using the `source_policy_documents` or `override_policy_documents` attributes. `source_policy_documents` requires that every statement with a non-blank sid has a sid that is unique across all the documents (statements with a blank sid are simply appended, as the `ec2:*` and `lambda:*` statements in the output below show), while `override_policy_documents` will iteratively override matching sids, with later documents in the list winning.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// NOTE(review): every statement in this example is a service-wide wildcard
// on "*" (ec2:*, s3:*, iam:*, lambda:*); iam:* on "*" is effectively
// account-admin. These are placeholder values, not a least-privilege policy.
const sourceOne = aws.iam.getPolicyDocument({
    statements: [
        {
            actions: ["ec2:*"],
            resources: ["*"],
        },
        {
            sid: "UniqueSidOne",
            actions: ["s3:*"],
            resources: ["*"],
        },
    ],
});
const sourceTwo = aws.iam.getPolicyDocument({
    statements: [
        {
            sid: "UniqueSidTwo",
            actions: ["iam:*"],
            resources: ["*"],
        },
        {
            actions: ["lambda:*"],
            resources: ["*"],
        },
    ],
});
// Source documents are concatenated. Non-blank sids must be unique across
// them; the two blank-sid statements are simply appended.
const combined = (async () => {
    const docs = await Promise.all([sourceOne, sourceTwo]);
    return aws.iam.getPolicyDocument({
        sourcePolicyDocuments: docs.map(doc => doc.json),
    });
})();
import pulumi
import pulumi_aws as aws

# NOTE(review): every statement here is a service-wide wildcard on "*"
# (ec2:*, s3:*, iam:*, lambda:*); iam:* on "*" is effectively account-admin.
# Placeholder values only, not a least-privilege policy.
source_one = aws.iam.get_policy_document(statements=[
    {"actions": ["ec2:*"], "resources": ["*"]},
    {"sid": "UniqueSidOne", "actions": ["s3:*"], "resources": ["*"]},
])
source_two = aws.iam.get_policy_document(statements=[
    {"sid": "UniqueSidTwo", "actions": ["iam:*"], "resources": ["*"]},
    {"actions": ["lambda:*"], "resources": ["*"]},
])

# Source documents are concatenated: non-blank sids must be unique across
# them, while the two blank-sid statements are simply appended.
source_documents = [doc.json for doc in (source_one, source_two)]
combined = aws.iam.get_policy_document(source_policy_documents=source_documents)
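package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main concatenates two source documents. Non-blank sids must be unique
// across them; blank-sid statements are simply appended.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): every statement in this example is a service-wide
		// wildcard on "*" (ec2:*, s3:*, iam:*, lambda:*); iam:* on "*" is
		// effectively account-admin. Placeholder values only.
		sourceOne, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Actions:   []string{"ec2:*"},
					Resources: []string{"*"},
				},
				{
					Sid:       pulumi.StringRef("UniqueSidOne"),
					Actions:   []string{"s3:*"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		sourceTwo, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       pulumi.StringRef("UniqueSidTwo"),
					Actions:   []string{"iam:*"},
					Resources: []string{"*"},
				},
				{
					Actions:   []string{"lambda:*"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// SourcePolicyDocuments is a []string; an `interface{}{...}`
		// composite literal (as in the generated example) does not compile.
		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			SourcePolicyDocuments: []string{
				sourceOne.Json,
				sourceTwo.Json,
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}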
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // NOTE(review): every statement below is a service-wide wildcard on "*"
    // (ec2:*, s3:*, iam:*, lambda:*); iam:* on "*" is effectively
    // account-admin. Placeholder values only, not a least-privilege policy.
    var ec2All = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Actions = new[] { "ec2:*" },
        Resources = new[] { "*" },
    };
    var s3All = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "UniqueSidOne",
        Actions = new[] { "s3:*" },
        Resources = new[] { "*" },
    };
    var sourceOne = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { ec2All, s3All },
    });

    var iamAll = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "UniqueSidTwo",
        Actions = new[] { "iam:*" },
        Resources = new[] { "*" },
    };
    var lambdaAll = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Actions = new[] { "lambda:*" },
        Resources = new[] { "*" },
    };
    var sourceTwo = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { iamAll, lambdaAll },
    });

    // Source documents are concatenated: non-blank sids must be unique
    // across them, while the two blank-sid statements are simply appended.
    var combined = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        SourcePolicyDocuments = new[]
        {
            sourceOne.Apply(result => result.Json),
            sourceTwo.Apply(result => result.Json),
        },
    });

});
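package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Concatenates two source documents with {@code sourcePolicyDocuments}.
 * Non-blank sids must be unique across the documents; blank-sid statements
 * are simply appended.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds two source documents and merges them.
     * <p>
     * NOTE(review): every statement here is a service-wide wildcard on "*"
     * (ec2:*, s3:*, iam:*, lambda:*); iam:* on "*" is effectively
     * account-admin. Placeholder values only, not a least-privilege policy.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // GetPolicyDocumentStatementArgs lives in com.pulumi.aws.iam.inputs;
        // the generated example used it without importing it.
        final var sourceOne = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                GetPolicyDocumentStatementArgs.builder()
                    .actions("ec2:*")
                    .resources("*")
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .sid("UniqueSidOne")
                    .actions("s3:*")
                    .resources("*")
                    .build())
            .build());

        final var sourceTwo = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                GetPolicyDocumentStatementArgs.builder()
                    .sid("UniqueSidTwo")
                    .actions("iam:*")
                    .resources("*")
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .actions("lambda:*")
                    .resources("*")
                    .build())
            .build());

        // NOTE(review): sourcePolicyDocuments is handed Output<String> values;
        // confirm the builder offers an overload for that rather than only
        // Output<List<String>> / String... forms.
        final var combined = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .sourcePolicyDocuments(
                sourceOne.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()),
                sourceTwo.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());

    }
}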
variables:
  # NOTE(review): every statement in this example is a service-wide wildcard
  # on '*' (ec2:*, s3:*, iam:*, lambda:*); iam:* on '*' is effectively
  # account-admin. Placeholder values only, not a least-privilege policy.
  sourceOne:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - actions:
              - ec2:*
            resources:
              - '*'
          - sid: UniqueSidOne
            actions:
              - s3:*
            resources:
              - '*'
  sourceTwo:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - sid: UniqueSidTwo
            actions:
              - iam:*
            resources:
              - '*'
          - actions:
              - lambda:*
            resources:
              - '*'
  # Source documents are concatenated: non-blank sids must be unique across
  # them, while the two blank-sid statements are simply appended.
  combined:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        sourcePolicyDocuments:
          - ${sourceOne.json}
          - ${sourceTwo.json}

The `json` output of `combined` will evaluate to (both blank-sid statements are kept alongside the two uniquely named ones; nothing is overridden when only source documents are merged):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Sid": "UniqueSidOne",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    },
    {
      "Sid": "UniqueSidTwo",
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "*"
    }
  ]
}

Example of Merging Override Documents

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Override documents are applied in list order: a later document wins on a
// matching sid, and every override also wins over the inline `statements`.
const policyOne = aws.iam.getPolicyDocument({
    statements: [{
        sid: "OverridePlaceHolderOne",
        effect: "Allow",
        actions: ["s3:*"],
        resources: ["*"],
    }],
});
const policyTwo = aws.iam.getPolicyDocument({
    statements: [
        {
            effect: "Allow",
            actions: ["ec2:*"],
            resources: ["*"],
        },
        {
            sid: "OverridePlaceHolderTwo",
            effect: "Allow",
            actions: ["iam:*"],
            resources: ["*"],
        },
    ],
});
// Replaces policyOne's Allow s3:* (same sid) with a Deny on logs:*.
const policyThree = aws.iam.getPolicyDocument({
    statements: [{
        sid: "OverridePlaceHolderOne",
        effect: "Deny",
        actions: ["logs:*"],
        resources: ["*"],
    }],
});
// The inline Deny-all under "OverridePlaceHolderTwo" is itself replaced by
// policyTwo's Allow iam:* -- an override can turn a Deny into an Allow, so a
// Deny guardrail placed in `statements` is not protected from override
// documents that share its sid. Check the merged JSON before attaching it.
const combined = (async () => {
    const overrides = await Promise.all([policyOne, policyTwo, policyThree]);
    return aws.iam.getPolicyDocument({
        overridePolicyDocuments: overrides.map(doc => doc.json),
        statements: [{
            sid: "OverridePlaceHolderTwo",
            effect: "Deny",
            actions: ["*"],
            resources: ["*"],
        }],
    });
})();
import pulumi
import pulumi_aws as aws

# Override documents are applied in list order: a later document wins on a
# matching sid, and every override also wins over the inline `statements`.
policy_one = aws.iam.get_policy_document(statements=[
    {
        "sid": "OverridePlaceHolderOne",
        "effect": "Allow",
        "actions": ["s3:*"],
        "resources": ["*"],
    },
])
policy_two = aws.iam.get_policy_document(statements=[
    {"effect": "Allow", "actions": ["ec2:*"], "resources": ["*"]},
    {
        "sid": "OverridePlaceHolderTwo",
        "effect": "Allow",
        "actions": ["iam:*"],
        "resources": ["*"],
    },
])
# Replaces policy_one's Allow s3:* (same sid) with a Deny on logs:*.
policy_three = aws.iam.get_policy_document(statements=[
    {
        "sid": "OverridePlaceHolderOne",
        "effect": "Deny",
        "actions": ["logs:*"],
        "resources": ["*"],
    },
])

# The inline Deny-all under "OverridePlaceHolderTwo" is itself replaced by
# policy_two's Allow iam:* -- an override can turn a Deny into an Allow, so a
# Deny guardrail placed in `statements` is not protected from override
# documents that share its sid. Check the merged json before attaching it.
deny_all_statement = {
    "sid": "OverridePlaceHolderTwo",
    "effect": "Deny",
    "actions": ["*"],
    "resources": ["*"],
}
combined = aws.iam.get_policy_document(
    override_policy_documents=[doc.json for doc in (policy_one, policy_two, policy_three)],
    statements=[deny_all_statement],
)
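package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main merges three override documents on top of an inline statement.
// Override documents are applied in list order: a later document wins on a
// matching sid, and every override also wins over the inline Statements.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		policyOne, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       pulumi.StringRef("OverridePlaceHolderOne"),
					Effect:    pulumi.StringRef("Allow"),
					Actions:   []string{"s3:*"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		policyTwo, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Effect:    pulumi.StringRef("Allow"),
					Actions:   []string{"ec2:*"},
					Resources: []string{"*"},
				},
				{
					Sid:       pulumi.StringRef("OverridePlaceHolderTwo"),
					Effect:    pulumi.StringRef("Allow"),
					Actions:   []string{"iam:*"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// Replaces policyOne's Allow s3:* (same sid) with a Deny on logs:*.
		policyThree, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       pulumi.StringRef("OverridePlaceHolderOne"),
					Effect:    pulumi.StringRef("Deny"),
					Actions:   []string{"logs:*"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		// OverridePolicyDocuments is a []string; an `interface{}{...}`
		// composite literal (as in the generated example) does not compile.
		// The inline Deny-all under "OverridePlaceHolderTwo" is itself
		// replaced by policyTwo's Allow iam:* -- an override can turn a Deny
		// into an Allow, so a Deny guardrail placed in Statements is not
		// protected from override documents that share its sid.
		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			OverridePolicyDocuments: []string{
				policyOne.Json,
				policyTwo.Json,
				policyThree.Json,
			},
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:       pulumi.StringRef("OverridePlaceHolderTwo"),
					Effect:    pulumi.StringRef("Deny"),
					Actions:   []string{"*"},
					Resources: []string{"*"},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}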
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Override documents are applied in list order: a later document wins on
    // a matching sid, and every override also wins over the inline Statements.
    var allowS3All = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "OverridePlaceHolderOne",
        Effect = "Allow",
        Actions = new[] { "s3:*" },
        Resources = new[] { "*" },
    };
    var policyOne = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { allowS3All },
    });

    var allowEc2All = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Effect = "Allow",
        Actions = new[] { "ec2:*" },
        Resources = new[] { "*" },
    };
    var allowIamAll = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "OverridePlaceHolderTwo",
        Effect = "Allow",
        Actions = new[] { "iam:*" },
        Resources = new[] { "*" },
    };
    var policyTwo = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { allowEc2All, allowIamAll },
    });

    // Replaces policyOne's Allow s3:* (same sid) with a Deny on logs:*.
    var denyLogsAll = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "OverridePlaceHolderOne",
        Effect = "Deny",
        Actions = new[] { "logs:*" },
        Resources = new[] { "*" },
    };
    var policyThree = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[] { denyLogsAll },
    });

    // The inline Deny-all under "OverridePlaceHolderTwo" is itself replaced by
    // policyTwo's Allow iam:* -- an override can turn a Deny into an Allow, so
    // a Deny guardrail placed in Statements is not protected from override
    // documents that share its sid. Check the merged Json before attaching it.
    var denyEverything = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
    {
        Sid = "OverridePlaceHolderTwo",
        Effect = "Deny",
        Actions = new[] { "*" },
        Resources = new[] { "*" },
    };
    var combined = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        OverridePolicyDocuments = new[]
        {
            policyOne.Apply(result => result.Json),
            policyTwo.Apply(result => result.Json),
            policyThree.Apply(result => result.Json),
        },
        Statements = new[] { denyEverything },
    });

});
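package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Merges three override documents on top of an inline statement.
 * Override documents are applied in list order: a later document wins on a
 * matching sid, and every override also wins over the inline statements.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the three override documents and the merged document.
     * <p>
     * policyThree replaces policyOne's Allow s3:* (same sid) with a Deny on
     * logs:*. The inline Deny-all under "OverridePlaceHolderTwo" is itself
     * replaced by policyTwo's Allow iam:* -- an override can turn a Deny into
     * an Allow, so a Deny guardrail placed in the inline statements is not
     * protected from override documents that share its sid. Check the merged
     * JSON before attaching it to a principal.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // GetPolicyDocumentStatementArgs lives in com.pulumi.aws.iam.inputs;
        // the generated example used it without importing it.
        final var policyOne = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderOne")
                .effect("Allow")
                .actions("s3:*")
                .resources("*")
                .build())
            .build());

        final var policyTwo = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(
                GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .actions("ec2:*")
                    .resources("*")
                    .build(),
                GetPolicyDocumentStatementArgs.builder()
                    .sid("OverridePlaceHolderTwo")
                    .effect("Allow")
                    .actions("iam:*")
                    .resources("*")
                    .build())
            .build());

        final var policyThree = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderOne")
                .effect("Deny")
                .actions("logs:*")
                .resources("*")
                .build())
            .build());

        // NOTE(review): overridePolicyDocuments is handed Output<String> values;
        // confirm the builder offers an overload for that rather than only
        // Output<List<String>> / String... forms.
        final var combined = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .overridePolicyDocuments(
                policyOne.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()),
                policyTwo.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()),
                policyThree.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderTwo")
                .effect("Deny")
                .actions("*")
                .resources("*")
                .build())
            .build());

    }
}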
variables:
  # Override documents are applied in list order: a later document wins on a
  # matching sid, and every override also wins over the inline statements.
  policyOne:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - sid: OverridePlaceHolderOne
            effect: Allow
            actions:
              - s3:*
            resources:
              - '*'
  policyTwo:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            actions:
              - ec2:*
            resources:
              - '*'
          - sid: OverridePlaceHolderTwo
            effect: Allow
            actions:
              - iam:*
            resources:
              - '*'
  # Replaces policyOne's Allow s3:* (same sid) with a Deny on logs:*.
  policyThree:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - sid: OverridePlaceHolderOne
            effect: Deny
            actions:
              - logs:*
            resources:
              - '*'
  combined:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        overridePolicyDocuments:
          - ${policyOne.json}
          - ${policyTwo.json}
          - ${policyThree.json}
        statements:
          # This inline Deny-all is replaced by policyTwo's Allow iam:* (same
          # sid): an override can turn a Deny into an Allow, so a Deny
          # guardrail here is not protected from override documents that
          # share its sid. Check the merged json before attaching it.
          - sid: OverridePlaceHolderTwo
            effect: Deny
            actions:
              - '*'
            resources:
              - '*'

The `json` output of `combined` will evaluate to (note that the inline `Deny` statement under `OverridePlaceHolderTwo` has been replaced by `policyTwo`'s `Allow iam:*`, and `policyThree`'s `Deny logs:*` replaced `policyOne`'s `Allow s3:*` — overrides replace whole statements, including their `Effect`):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OverridePlaceHolderTwo",
      "Effect": "Allow",
      "Action": "iam:*",
      "Resource": "*"
    },
    {
      "Sid": "OverridePlaceHolderOne",
      "Effect": "Deny",
      "Action": "logs:*",
      "Resource": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}

Using getPolicyDocument

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
function getPolicyDocumentOutput(args: GetPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetPolicyDocumentResult>
def get_policy_document(override_json: Optional[str] = None,
                        override_policy_documents: Optional[Sequence[str]] = None,
                        policy_id: Optional[str] = None,
                        source_json: Optional[str] = None,
                        source_policy_documents: Optional[Sequence[str]] = None,
                        statements: Optional[Sequence[GetPolicyDocumentStatement]] = None,
                        version: Optional[str] = None,
                        opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
def get_policy_document_output(override_json: Optional[pulumi.Input[str]] = None,
                        override_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                        policy_id: Optional[pulumi.Input[str]] = None,
                        source_json: Optional[pulumi.Input[str]] = None,
                        source_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                        statements: Optional[pulumi.Input[Sequence[pulumi.Input[GetPolicyDocumentStatementArgs]]]] = None,
                        version: Optional[pulumi.Input[str]] = None,
                        opts: Optional[InvokeOptions] = None) -> Output[GetPolicyDocumentResult]
func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)
func GetPolicyDocumentOutput(ctx *Context, args *GetPolicyDocumentOutputArgs, opts ...InvokeOption) GetPolicyDocumentResultOutput

> Note: This function is named GetPolicyDocument in the Go SDK.

public static class GetPolicyDocument 
{
    public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
    public static Output<GetPolicyDocumentResult> Invoke(GetPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
public static Output<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
fn::invoke:
  function: aws:iam/getPolicyDocument:getPolicyDocument
  arguments:
    # arguments dictionary

The following arguments are supported:

OverrideJson string

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

OverridePolicyDocuments List<string>
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids override statements with the same sid from earlier documents in the list. Statements with non-blank sids also override statements with the same sid from source_policy_documents. Non-overriding statements are added to the exported document. Because a matching sid replaces the earlier statement entirely, review the rendered json output to confirm that an override did not silently widen or drop a permission.
PolicyId string
ID for the policy document.
SourceJson string

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

SourcePolicyDocuments List<string>
List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
Statements List<GetPolicyDocumentStatement>
Configuration block for a policy statement. Detailed below.
Version string
IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
OverrideJson string

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

OverridePolicyDocuments []string
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
PolicyId string
ID for the policy document.
SourceJson string

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

SourcePolicyDocuments []string
List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
Statements []GetPolicyDocumentStatement
Configuration block for a policy statement. Detailed below.
Version string
IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
overrideJson String

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

overridePolicyDocuments List<String>
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
policyId String
ID for the policy document.
sourceJson String

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

sourcePolicyDocuments List<String>
List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
statements List<GetPolicyDocumentStatement>
Configuration block for a policy statement. Detailed below.
version String
IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
overrideJson string

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

overridePolicyDocuments string[]
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
policyId string
ID for the policy document.
sourceJson string

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

sourcePolicyDocuments string[]
List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
statements GetPolicyDocumentStatement[]
Configuration block for a policy statement. Detailed below.
version string
IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
override_json str

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

override_policy_documents Sequence[str]
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
policy_id str
ID for the policy document.
source_json str

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

source_policy_documents Sequence[str]
List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
statements Sequence[GetPolicyDocumentStatement]
Configuration block for a policy statement. Detailed below.
version str
IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
overrideJson String

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

overridePolicyDocuments List<String>
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
policyId String
ID for the policy document.
sourceJson String

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

sourcePolicyDocuments List<String>
List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
statements List<Property Map>
Configuration block for a policy statement. Detailed below.
version String
IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.

getPolicyDocument Result

The following output properties are available:

Id string
The provider-assigned unique ID for this managed resource.
Json string
Standard JSON policy document rendered based on the arguments above.
MinifiedJson string
Minified JSON policy document rendered based on the arguments above.
OverrideJson string

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

OverridePolicyDocuments List<string>
PolicyId string
SourceJson string

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

SourcePolicyDocuments List<string>
Statements List<GetPolicyDocumentStatement>
Version string
Id string
The provider-assigned unique ID for this managed resource.
Json string
Standard JSON policy document rendered based on the arguments above.
MinifiedJson string
Minified JSON policy document rendered based on the arguments above.
OverrideJson string

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

OverridePolicyDocuments []string
PolicyId string
SourceJson string

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

SourcePolicyDocuments []string
Statements []GetPolicyDocumentStatement
Version string
id String
The provider-assigned unique ID for this managed resource.
json String
Standard JSON policy document rendered based on the arguments above.
minifiedJson String
Minified JSON policy document rendered based on the arguments above.
overrideJson String

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

overridePolicyDocuments List<String>
policyId String
sourceJson String

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

sourcePolicyDocuments List<String>
statements List<GetPolicyDocumentStatement>
version String
id string
The provider-assigned unique ID for this managed resource.
json string
Standard JSON policy document rendered based on the arguments above.
minifiedJson string
Minified JSON policy document rendered based on the arguments above.
overrideJson string

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

overridePolicyDocuments string[]
policyId string
sourceJson string

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

sourcePolicyDocuments string[]
statements GetPolicyDocumentStatement[]
version string
id str
The provider-assigned unique ID for this managed resource.
json str
Standard JSON policy document rendered based on the arguments above.
minified_json str
Minified JSON policy document rendered based on the arguments above.
override_json str

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

override_policy_documents Sequence[str]
policy_id str
source_json str

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

source_policy_documents Sequence[str]
statements Sequence[GetPolicyDocumentStatement]
version str
id String
The provider-assigned unique ID for this managed resource.
json String
Standard JSON policy document rendered based on the arguments above.
minifiedJson String
Minified JSON policy document rendered based on the arguments above.
overrideJson String

Deprecated: override_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

overridePolicyDocuments List<String>
policyId String
sourceJson String

Deprecated: source_json is deprecated. This argument is retained only for backward compatibility with previous versions of this data source.

sourcePolicyDocuments List<String>
statements List<Property Map>
version String

Supporting Types

GetPolicyDocumentStatement

Actions List<string>
List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
Conditions List<GetPolicyDocumentStatementCondition>
Configuration block for a condition. Detailed below.
Effect string
Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
NotActions List<string>
List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
NotPrincipals List<GetPolicyDocumentStatementNotPrincipal>
Like principals except these are principals that the statement does not apply to. This is normally paired with an effect of Deny; excluding principals from an Allow statement grants the permission to every other principal.
NotResources List<string>
List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
Principals List<GetPolicyDocumentStatementPrincipal>
Configuration block for principals. Detailed below.
Resources List<string>
List of resource ARNs that this statement applies to. AWS requires this when the document is used for an IAM policy. Conflicts with not_resources.
Sid string
Sid (statement ID) is an identifier for a policy statement.
Actions []string
List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
Conditions []GetPolicyDocumentStatementCondition
Configuration block for a condition. Detailed below.
Effect string
Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
NotActions []string
List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
NotPrincipals []GetPolicyDocumentStatementNotPrincipal
Like principals except these are principals that the statement does not apply to.
NotResources []string
List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
Principals []GetPolicyDocumentStatementPrincipal
Configuration block for principals. Detailed below.
Resources []string
List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
Sid string
Sid (statement ID) is an identifier for a policy statement.
actions List<String>
List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
conditions List<GetPolicyDocumentStatementCondition>
Configuration block for a condition. Detailed below.
effect String
Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
notActions List<String>
List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
notPrincipals List<GetPolicyDocumentStatementNotPrincipal>
Like principals except these are principals that the statement does not apply to.
notResources List<String>
List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
principals List<GetPolicyDocumentStatementPrincipal>
Configuration block for principals. Detailed below.
resources List<String>
List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
sid String
Sid (statement ID) is an identifier for a policy statement.
actions string[]
List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
conditions GetPolicyDocumentStatementCondition[]
Configuration block for a condition. Detailed below.
effect string
Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
notActions string[]
List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
notPrincipals GetPolicyDocumentStatementNotPrincipal[]
Like principals except these are principals that the statement does not apply to.
notResources string[]
List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
principals GetPolicyDocumentStatementPrincipal[]
Configuration block for principals. Detailed below.
resources string[]
List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
sid string
Sid (statement ID) is an identifier for a policy statement.
actions Sequence[str]
List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
conditions Sequence[GetPolicyDocumentStatementCondition]
Configuration block for a condition. Detailed below.
effect str
Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
not_actions Sequence[str]
List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
not_principals Sequence[GetPolicyDocumentStatementNotPrincipal]
Like principals except these are principals that the statement does not apply to.
not_resources Sequence[str]
List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
principals Sequence[GetPolicyDocumentStatementPrincipal]
Configuration block for principals. Detailed below.
resources Sequence[str]
List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
sid str
Sid (statement ID) is an identifier for a policy statement.
actions List<String>
List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
conditions List<Property Map>
Configuration block for a condition. Detailed below.
effect String
Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
notActions List<String>
List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
notPrincipals List<Property Map>
Like principals except these are principals that the statement does not apply to.
notResources List<String>
List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
principals List<Property Map>
Configuration block for principals. Detailed below.
resources List<String>
List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
sid String
Sid (statement ID) is an identifier for a policy statement.

GetPolicyDocumentStatementCondition

Test This property is required. string
Name of the IAM condition operator to evaluate.
Values This property is required. List<string>
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies; that is, AWS evaluates multiple values as though using an "OR" boolean operation.
Variable This property is required. string
Name of a context variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
Test This property is required. string
Name of the IAM condition operator to evaluate.
Values This property is required. []string
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
Variable This property is required. string
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
test This property is required. String
Name of the IAM condition operator to evaluate.
values This property is required. List<String>
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
variable This property is required. String
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
test This property is required. string
Name of the IAM condition operator to evaluate.
values This property is required. string[]
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
variable This property is required. string
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
test This property is required. str
Name of the IAM condition operator to evaluate.
values This property is required. Sequence[str]
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
variable This property is required. str
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
test This property is required. String
Name of the IAM condition operator to evaluate.
values This property is required. List<String>
Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
variable This property is required. String
Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.

GetPolicyDocumentStatementNotPrincipal

Identifiers This property is required. List<string>
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
Type This property is required. string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *. Note that * matches every principal, including anonymous requests, so statements using it should be scoped with conditions.
Identifiers This property is required. []string
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
Type This property is required. string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers This property is required. List<String>
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type This property is required. String
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers This property is required. string[]
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type This property is required. string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers This property is required. Sequence[str]
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type This property is required. str
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers This property is required. List<String>
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type This property is required. String
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.

GetPolicyDocumentStatementPrincipal

Identifiers This property is required. List<string>
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
Type This property is required. string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *. Note that * matches every principal, including anonymous requests, so an Allow statement using it should be scoped with conditions.
Identifiers This property is required. []string
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
Type This property is required. string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers This property is required. List<String>
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type This property is required. String
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers This property is required. string[]
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type This property is required. string
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers This property is required. Sequence[str]
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type This property is required. str
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
identifiers This property is required. List<String>
List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
type This property is required. String
Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.

Package Details

Repository
AWS Classic pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.