Docs Home
aws.iam.getPrincipalPolicySimulation
Explore with Pulumi AI
Runs a simulation of the IAM policies of a particular principal against a given hypothetical request.
You can use this data source in conjunction with Preconditions and Postconditions so that your configuration can test either whether it should have sufficient access to do its own work, or whether policies your configuration declares itself are sufficient for their intended use elsewhere.
Note: Correctly using this data source requires familiarity with various details of AWS Identity and Access Management, and how various AWS services integrate with it. For general information on the AWS IAM policy simulator, see Testing IAM policies with the IAM policy simulator. This data source wraps the
iam:SimulatePrincipalPolicyAPI action described on that page.
Example Usage
Self Access-checking Example
The following example raises an error if the credentials passed to the AWS provider do not have access to perform the three actions s3:GetObject, s3:PutObject, and s3:DeleteObject on the S3 bucket with the given ARN.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getCallerIdentity({});
const s3ObjectAccess = current.then(current => aws.iam.getPrincipalPolicySimulation({
actionNames: [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
],
policySourceArn: current.arn,
resourceArns: ["arn:aws:s3:::my-test-bucket"],
}));
import pulumi
import pulumi_aws as aws
current = aws.get_caller_identity()
s3_object_access = aws.iam.get_principal_policy_simulation(action_names=[
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
],
policy_source_arn=current.arn,
resource_arns=["arn:aws:s3:::my-test-bucket"])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
if err != nil {
return err
}
_, err = iam.LookupPrincipalPolicySimulation(ctx, &iam.LookupPrincipalPolicySimulationArgs{
ActionNames: []string{
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
},
PolicySourceArn: current.Arn,
ResourceArns: []string{
"arn:aws:s3:::my-test-bucket",
},
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var current = Aws.GetCallerIdentity.Invoke();
var s3ObjectAccess = Aws.Iam.GetPrincipalPolicySimulation.Invoke(new()
{
ActionNames = new[]
{
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
},
PolicySourceArn = current.Apply(getCallerIdentityResult => getCallerIdentityResult.Arn),
ResourceArns = new[]
{
"arn:aws:s3:::my-test-bucket",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPrincipalPolicySimulationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity();
final var s3ObjectAccess = IamFunctions.getPrincipalPolicySimulation(GetPrincipalPolicySimulationArgs.builder()
.actionNames(
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject")
.policySourceArn(current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.arn()))
.resourceArns("arn:aws:s3:::my-test-bucket")
.build());
}
}
variables:
current:
fn::invoke:
function: aws:getCallerIdentity
arguments: {}
s3ObjectAccess:
fn::invoke:
function: aws:iam:getPrincipalPolicySimulation
arguments:
actionNames:
- s3:GetObject
- s3:PutObject
- s3:DeleteObject
policySourceArn: ${current.arn}
resourceArns:
- arn:aws:s3:::my-test-bucket
If you intend to use this data source to quickly raise an error when the given credentials are insufficient then you must use depends_on inside any resource which would require those credentials, to ensure that the policy check will run first:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.s3.BucketObject("example", {bucket: "my-test-bucket"}, {
dependsOn: [s3ObjectAccess],
});
import pulumi
import pulumi_aws as aws
example = aws.s3.BucketObject("example", bucket="my-test-bucket",
opts = pulumi.ResourceOptions(depends_on=[s3_object_access]))
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := s3.NewBucketObject(ctx, "example", &s3.BucketObjectArgs{
Bucket: pulumi.Any("my-test-bucket"),
}, pulumi.DependsOn([]pulumi.Resource{
s3ObjectAccess,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.S3.BucketObject("example", new()
{
Bucket = "my-test-bucket",
}, new CustomResourceOptions
{
DependsOn =
{
s3ObjectAccess,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketObject;
import com.pulumi.aws.s3.BucketObjectArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new BucketObject("example", BucketObjectArgs.builder()
.bucket("my-test-bucket")
.build(), CustomResourceOptions.builder()
.dependsOn(s3ObjectAccess)
.build());
}
}
resources:
example:
type: aws:s3:BucketObject
properties:
bucket: my-test-bucket
options:
dependsOn:
- ${s3ObjectAccess}
Testing the Effect of a Declared Policy
The following example declares an S3 bucket and a user that should have access to the bucket, and then uses aws.iam.getPrincipalPolicySimulation to verify that the user does indeed have access to perform needed operations against the bucket.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getCallerIdentity({});
const example = new aws.iam.User("example", {name: "example"});
const exampleBucketV2 = new aws.s3.BucketV2("example", {bucket: "my-test-bucket"});
const s3Access = new aws.iam.UserPolicy("s3_access", {
name: "example_s3_access",
user: example.name,
policy: pulumi.jsonStringify({
Version: "2012-10-17",
Statement: [{
Action: "s3:GetObject",
Effect: "Allow",
Resource: exampleBucketV2.arn,
}],
}),
});
const accountAccess = new aws.s3.BucketPolicy("account_access", {
bucket: exampleBucketV2.bucket,
policy: pulumi.jsonStringify({
Version: "2012-10-17",
Statement: [{
Action: "s3:*",
Effect: "Allow",
Principal: {
AWS: current.then(current => current.accountId),
},
Resource: [
exampleBucketV2.arn,
pulumi.interpolate`${exampleBucketV2.arn}/*`,
],
}],
}),
});
const s3ObjectAccess = aws.iam.getPrincipalPolicySimulationOutput({
actionNames: ["s3:GetObject"],
policySourceArn: example.arn,
resourceArns: [exampleBucketV2.arn],
resourcePolicyJson: accountAccess.policy,
});
import pulumi
import json
import pulumi_aws as aws
current = aws.get_caller_identity()
example = aws.iam.User("example", name="example")
example_bucket_v2 = aws.s3.BucketV2("example", bucket="my-test-bucket")
s3_access = aws.iam.UserPolicy("s3_access",
name="example_s3_access",
user=example.name,
policy=pulumi.Output.json_dumps({
"Version": "2012-10-17",
"Statement": [{
"Action": "s3:GetObject",
"Effect": "Allow",
"Resource": example_bucket_v2.arn,
}],
}))
account_access = aws.s3.BucketPolicy("account_access",
bucket=example_bucket_v2.bucket,
policy=pulumi.Output.json_dumps({
"Version": "2012-10-17",
"Statement": [{
"Action": "s3:*",
"Effect": "Allow",
"Principal": {
"AWS": current.account_id,
},
"Resource": [
example_bucket_v2.arn,
example_bucket_v2.arn.apply(lambda arn: f"{arn}/*"),
],
}],
}))
s3_object_access = aws.iam.get_principal_policy_simulation_output(action_names=["s3:GetObject"],
policy_source_arn=example.arn,
resource_arns=[example_bucket_v2.arn],
resource_policy_json=account_access.policy)
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
if err != nil {
return err
}
example, err := iam.NewUser(ctx, "example", &iam.UserArgs{
Name: pulumi.String("example"),
})
if err != nil {
return err
}
exampleBucketV2, err := s3.NewBucketV2(ctx, "example", &s3.BucketV2Args{
Bucket: pulumi.String("my-test-bucket"),
})
if err != nil {
return err
}
_, err = iam.NewUserPolicy(ctx, "s3_access", &iam.UserPolicyArgs{
Name: pulumi.String("example_s3_access"),
User: example.Name,
Policy: exampleBucketV2.Arn.ApplyT(func(arn string) (pulumi.String, error) {
var _zero pulumi.String
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Version": "2012-10-17",
"Statement": []map[string]interface{}{
map[string]interface{}{
"Action": "s3:GetObject",
"Effect": "Allow",
"Resource": arn,
},
},
})
if err != nil {
return _zero, err
}
json0 := string(tmpJSON0)
return pulumi.String(json0), nil
}).(pulumi.StringOutput),
})
if err != nil {
return err
}
accountAccess, err := s3.NewBucketPolicy(ctx, "account_access", &s3.BucketPolicyArgs{
Bucket: exampleBucketV2.Bucket,
Policy: pulumi.All(exampleBucketV2.Arn, exampleBucketV2.Arn).ApplyT(func(_args []interface{}) (string, error) {
exampleBucketV2Arn := _args[0].(string)
exampleBucketV2Arn1 := _args[1].(string)
var _zero string
tmpJSON1, err := json.Marshal(map[string]interface{}{
"Version": "2012-10-17",
"Statement": []map[string]interface{}{
map[string]interface{}{
"Action": "s3:*",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": current.AccountId,
},
"Resource": []string{
exampleBucketV2Arn,
fmt.Sprintf("%v/*", exampleBucketV2Arn1),
},
},
},
})
if err != nil {
return _zero, err
}
json1 := string(tmpJSON1)
return json1, nil
}).(pulumi.StringOutput),
})
if err != nil {
return err
}
_ = iam.LookupPrincipalPolicySimulationOutput(ctx, iam.GetPrincipalPolicySimulationOutputArgs{
ActionNames: pulumi.StringArray{
pulumi.String("s3:GetObject"),
},
PolicySourceArn: example.Arn,
ResourceArns: pulumi.StringArray{
exampleBucketV2.Arn,
},
ResourcePolicyJson: accountAccess.Policy,
}, nil)
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var current = Aws.GetCallerIdentity.Invoke();
var example = new Aws.Iam.User("example", new()
{
Name = "example",
});
var exampleBucketV2 = new Aws.S3.BucketV2("example", new()
{
Bucket = "my-test-bucket",
});
var s3Access = new Aws.Iam.UserPolicy("s3_access", new()
{
Name = "example_s3_access",
User = example.Name,
Policy = Output.JsonSerialize(Output.Create(new Dictionary<string, object?>
{
["Version"] = "2012-10-17",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Action"] = "s3:GetObject",
["Effect"] = "Allow",
["Resource"] = exampleBucketV2.Arn,
},
},
})),
});
var accountAccess = new Aws.S3.BucketPolicy("account_access", new()
{
Bucket = exampleBucketV2.Bucket,
Policy = Output.JsonSerialize(Output.Create(new Dictionary<string, object?>
{
["Version"] = "2012-10-17",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Action"] = "s3:*",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId),
},
["Resource"] = new[]
{
exampleBucketV2.Arn,
exampleBucketV2.Arn.Apply(arn => $"{arn}/*"),
},
},
},
})),
});
var s3ObjectAccess = Aws.Iam.GetPrincipalPolicySimulation.Invoke(new()
{
ActionNames = new[]
{
"s3:GetObject",
},
PolicySourceArn = example.Arn,
ResourceArns = new[]
{
exampleBucketV2.Arn,
},
ResourcePolicyJson = accountAccess.Policy,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.iam.User;
import com.pulumi.aws.iam.UserArgs;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.iam.UserPolicy;
import com.pulumi.aws.iam.UserPolicyArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPrincipalPolicySimulationArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity();
var example = new User("example", UserArgs.builder()
.name("example")
.build());
var exampleBucketV2 = new BucketV2("exampleBucketV2", BucketV2Args.builder()
.bucket("my-test-bucket")
.build());
var s3Access = new UserPolicy("s3Access", UserPolicyArgs.builder()
.name("example_s3_access")
.user(example.name())
.policy(exampleBucketV2.arn().applyValue(arn -> serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Statement", jsonArray(jsonObject(
jsonProperty("Action", "s3:GetObject"),
jsonProperty("Effect", "Allow"),
jsonProperty("Resource", arn)
)))
))))
.build());
var accountAccess = new BucketPolicy("accountAccess", BucketPolicyArgs.builder()
.bucket(exampleBucketV2.bucket())
.policy(Output.tuple(exampleBucketV2.arn(), exampleBucketV2.arn()).applyValue(values -> {
var exampleBucketV2Arn = values.t1;
var exampleBucketV2Arn1 = values.t2;
return serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Statement", jsonArray(jsonObject(
jsonProperty("Action", "s3:*"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId()))
)),
jsonProperty("Resource", jsonArray(
exampleBucketV2Arn,
String.format("%s/*", exampleBucketV2Arn1)
))
)))
));
}))
.build());
final var s3ObjectAccess = IamFunctions.getPrincipalPolicySimulation(GetPrincipalPolicySimulationArgs.builder()
.actionNames("s3:GetObject")
.policySourceArn(example.arn())
.resourceArns(exampleBucketV2.arn())
.resourcePolicyJson(accountAccess.policy())
.build());
}
}
resources:
example:
type: aws:iam:User
properties:
name: example
exampleBucketV2:
type: aws:s3:BucketV2
name: example
properties:
bucket: my-test-bucket
s3Access:
type: aws:iam:UserPolicy
name: s3_access
properties:
name: example_s3_access
user: ${example.name}
policy:
fn::toJSON:
Version: 2012-10-17
Statement:
- Action: s3:GetObject
Effect: Allow
Resource: ${exampleBucketV2.arn}
accountAccess:
type: aws:s3:BucketPolicy
name: account_access
properties:
bucket: ${exampleBucketV2.bucket}
policy:
fn::toJSON:
Version: 2012-10-17
Statement:
- Action: s3:*
Effect: Allow
Principal:
AWS: ${current.accountId}
Resource:
- ${exampleBucketV2.arn}
- ${exampleBucketV2.arn}/*
variables:
current:
fn::invoke:
function: aws:getCallerIdentity
arguments: {}
s3ObjectAccess:
fn::invoke:
function: aws:iam:getPrincipalPolicySimulation
arguments:
actionNames:
- s3:GetObject
policySourceArn: ${example.arn}
resourceArns:
- ${exampleBucketV2.arn}
resourcePolicyJson: ${accountAccess.policy}
When using aws.iam.getPrincipalPolicySimulation to test the effect of a policy declared elsewhere in the same configuration, it’s important to use depends_on to make sure that the needed policy has been fully created or updated before running the simulation.
Using getPrincipalPolicySimulation
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getPrincipalPolicySimulation(args: GetPrincipalPolicySimulationArgs, opts?: InvokeOptions): Promise<GetPrincipalPolicySimulationResult>
function getPrincipalPolicySimulationOutput(args: GetPrincipalPolicySimulationOutputArgs, opts?: InvokeOptions): Output<GetPrincipalPolicySimulationResult>def get_principal_policy_simulation(action_names: Optional[Sequence[str]] = None,
additional_policies_jsons: Optional[Sequence[str]] = None,
caller_arn: Optional[str] = None,
contexts: Optional[Sequence[GetPrincipalPolicySimulationContext]] = None,
permissions_boundary_policies_jsons: Optional[Sequence[str]] = None,
policy_source_arn: Optional[str] = None,
resource_arns: Optional[Sequence[str]] = None,
resource_handling_option: Optional[str] = None,
resource_owner_account_id: Optional[str] = None,
resource_policy_json: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetPrincipalPolicySimulationResult
def get_principal_policy_simulation_output(action_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
additional_policies_jsons: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
caller_arn: Optional[pulumi.Input[str]] = None,
contexts: Optional[pulumi.Input[Sequence[pulumi.Input[GetPrincipalPolicySimulationContextArgs]]]] = None,
permissions_boundary_policies_jsons: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
policy_source_arn: Optional[pulumi.Input[str]] = None,
resource_arns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
resource_handling_option: Optional[pulumi.Input[str]] = None,
resource_owner_account_id: Optional[pulumi.Input[str]] = None,
resource_policy_json: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetPrincipalPolicySimulationResult]func LookupPrincipalPolicySimulation(ctx *Context, args *LookupPrincipalPolicySimulationArgs, opts ...InvokeOption) (*LookupPrincipalPolicySimulationResult, error)
func LookupPrincipalPolicySimulationOutput(ctx *Context, args *LookupPrincipalPolicySimulationOutputArgs, opts ...InvokeOption) LookupPrincipalPolicySimulationResultOutput> Note: This function is named LookupPrincipalPolicySimulation in the Go SDK.
public static class GetPrincipalPolicySimulation
{
public static Task<GetPrincipalPolicySimulationResult> InvokeAsync(GetPrincipalPolicySimulationArgs args, InvokeOptions? opts = null)
public static Output<GetPrincipalPolicySimulationResult> Invoke(GetPrincipalPolicySimulationInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetPrincipalPolicySimulationResult> getPrincipalPolicySimulation(GetPrincipalPolicySimulationArgs args, InvokeOptions options)
public static Output<GetPrincipalPolicySimulationResult> getPrincipalPolicySimulation(GetPrincipalPolicySimulationArgs args, InvokeOptions options)
fn::invoke:
function: aws:iam/getPrincipalPolicySimulation:getPrincipalPolicySimulation
arguments:
# arguments dictionaryThe following arguments are supported:
- Action
Names List<string> A set of IAM action names to run simulations for. Each entry in this set adds an additional hypothetical request to the simulation.
Action names consist of a service prefix and an action verb separated by a colon, such as
s3:GetObject. Refer to Actions, resources, and condition keys for AWS services to see the full set of possible IAM action names across all AWS services.- Policy
Source stringArn The ARN of the IAM user, group, or role whose policies will be included in the simulation.
You must closely match the form of the real service request you are simulating in order to achieve a realistic result. You can use the following additional arguments to specify other characteristics of the simulated requests:
- Additional
Policies List<string>Jsons - A set of additional principal policy documents to include in the simulation. The simulator will behave as if each of these policies were associated with the object specified in
policy_source_arn, allowing you to test the effect of hypothetical policies not yet created. - Caller
Arn string - The ARN of an user that will appear as the "caller" of the simulated requests. If you do not specify
caller_arnthen the simulation will use thepolicy_source_arninstead, if it contains a user ARN. - Contexts
List<Get
Principal Policy Simulation Context> Each
contextblock defines an entry in the table of additional context keys in the simulated request.IAM uses context keys for both custom conditions and for interpolating dynamic request-specific values into policy values. If you use policies that include those features then you will need to provide suitable example values for those keys to achieve a realistic simulation.
- Permissions
Boundary List<string>Policies Jsons - A set of permissions boundary policy documents to include in the simulation.
- Resource
Arns List<string> A set of ARNs of resources to include in the simulation.
This argument is important for actions that have either required or optional resource types listed in Actions, resources, and condition keys for AWS services, and you must provide ARNs that identify AWS objects of the appropriate types for the chosen actions.
The policy simulator only automatically loads policies associated with the
policy_source_arn, so if your given resources have their own resource-level policy then you'll also need to provide that explicitly using theresource_policy_jsonargument to achieve a realistic simulation.- Resource
Handling stringOption Specifies a special simulation type to run. Some EC2 actions require special simulation behaviors and a particular set of resource ARNs to achieve a realistic result.
For more details, see the
ResourceHandlingOptionrequest parameter for the underlyingiam:SimulatePrincipalPolicyaction.- Resource
Owner stringAccount Id - An AWS account ID to use for any resource ARN in
resource_arnsthat doesn't include its own AWS account ID. If unspecified, the simulator will use the account ID from thecaller_arnargument as a placeholder. - Resource
Policy stringJson An IAM policy document representing the resource-level policy of all of the resources specified in
resource_arns.The policy simulator cannot automatically load policies that are associated with individual resources, as described in the documentation for
resource_arnsabove.
- Action
Names []string A set of IAM action names to run simulations for. Each entry in this set adds an additional hypothetical request to the simulation.
Action names consist of a service prefix and an action verb separated by a colon, such as
s3:GetObject. Refer to Actions, resources, and condition keys for AWS services to see the full set of possible IAM action names across all AWS services.- Policy
Source stringArn The ARN of the IAM user, group, or role whose policies will be included in the simulation.
You must closely match the form of the real service request you are simulating in order to achieve a realistic result. You can use the following additional arguments to specify other characteristics of the simulated requests:
- Additional
Policies []stringJsons - A set of additional principal policy documents to include in the simulation. The simulator will behave as if each of these policies were associated with the object specified in
policy_source_arn, allowing you to test the effect of hypothetical policies not yet created. - Caller
Arn string - The ARN of an user that will appear as the "caller" of the simulated requests. If you do not specify
caller_arnthen the simulation will use thepolicy_source_arninstead, if it contains a user ARN. - Contexts
[]Get
Principal Policy Simulation Context Each
contextblock defines an entry in the table of additional context keys in the simulated request.IAM uses context keys for both custom conditions and for interpolating dynamic request-specific values into policy values. If you use policies that include those features then you will need to provide suitable example values for those keys to achieve a realistic simulation.
- Permissions
Boundary []stringPolicies Jsons - A set of permissions boundary policy documents to include in the simulation.
- Resource
Arns []string A set of ARNs of resources to include in the simulation.
This argument is important for actions that have either required or optional resource types listed in Actions, resources, and condition keys for AWS services, and you must provide ARNs that identify AWS objects of the appropriate types for the chosen actions.
The policy simulator only automatically loads policies associated with the
policy_source_arn, so if your given resources have their own resource-level policy then you'll also need to provide that explicitly using theresource_policy_jsonargument to achieve a realistic simulation.- Resource
Handling stringOption Specifies a special simulation type to run. Some EC2 actions require special simulation behaviors and a particular set of resource ARNs to achieve a realistic result.
For more details, see the
ResourceHandlingOptionrequest parameter for the underlyingiam:SimulatePrincipalPolicyaction.- Resource
Owner stringAccount Id - An AWS account ID to use for any resource ARN in
resource_arnsthat doesn't include its own AWS account ID. If unspecified, the simulator will use the account ID from thecaller_arnargument as a placeholder. - Resource
Policy stringJson An IAM policy document representing the resource-level policy of all of the resources specified in
resource_arns.The policy simulator cannot automatically load policies that are associated with individual resources, as described in the documentation for
resource_arnsabove.
- action
Names List<String> A set of IAM action names to run simulations for. Each entry in this set adds an additional hypothetical request to the simulation.
Action names consist of a service prefix and an action verb separated by a colon, such as
s3:GetObject. Refer to Actions, resources, and condition keys for AWS services to see the full set of possible IAM action names across all AWS services.- policy
Source StringArn The ARN of the IAM user, group, or role whose policies will be included in the simulation.
You must closely match the form of the real service request you are simulating in order to achieve a realistic result. You can use the following additional arguments to specify other characteristics of the simulated requests:
- additional
Policies List<String>Jsons - A set of additional principal policy documents to include in the simulation. The simulator will behave as if each of these policies were associated with the object specified in
policy_source_arn, allowing you to test the effect of hypothetical policies not yet created. - caller
Arn String - The ARN of an user that will appear as the "caller" of the simulated requests. If you do not specify
caller_arnthen the simulation will use thepolicy_source_arninstead, if it contains a user ARN. - contexts
List<Get
Principal Policy Simulation Context> Each
contextblock defines an entry in the table of additional context keys in the simulated request.IAM uses context keys for both custom conditions and for interpolating dynamic request-specific values into policy values. If you use policies that include those features then you will need to provide suitable example values for those keys to achieve a realistic simulation.
- permissions
Boundary List<String>Policies Jsons - A set of permissions boundary policy documents to include in the simulation.
- resource
Arns List<String> A set of ARNs of resources to include in the simulation.
This argument is important for actions that have either required or optional resource types listed in Actions, resources, and condition keys for AWS services, and you must provide ARNs that identify AWS objects of the appropriate types for the chosen actions.
The policy simulator only automatically loads policies associated with the
policy_source_arn, so if your given resources have their own resource-level policy then you'll also need to provide that explicitly using theresource_policy_jsonargument to achieve a realistic simulation.- resource
Handling StringOption Specifies a special simulation type to run. Some EC2 actions require special simulation behaviors and a particular set of resource ARNs to achieve a realistic result.
For more details, see the
ResourceHandlingOptionrequest parameter for the underlyingiam:SimulatePrincipalPolicyaction.- resource
Owner StringAccount Id - An AWS account ID to use for any resource ARN in
resource_arnsthat doesn't include its own AWS account ID. If unspecified, the simulator will use the account ID from thecaller_arnargument as a placeholder. - resource
Policy StringJson An IAM policy document representing the resource-level policy of all of the resources specified in
resource_arns.The policy simulator cannot automatically load policies that are associated with individual resources, as described in the documentation for
resource_arnsabove.
- action
Names string[] A set of IAM action names to run simulations for. Each entry in this set adds an additional hypothetical request to the simulation.
Action names consist of a service prefix and an action verb separated by a colon, such as
s3:GetObject. Refer to Actions, resources, and condition keys for AWS services to see the full set of possible IAM action names across all AWS services.- policy
Source stringArn The ARN of the IAM user, group, or role whose policies will be included in the simulation.
You must closely match the form of the real service request you are simulating in order to achieve a realistic result. You can use the following additional arguments to specify other characteristics of the simulated requests:
- additional
Policies string[]Jsons - A set of additional principal policy documents to include in the simulation. The simulator will behave as if each of these policies were associated with the object specified in
policy_source_arn, allowing you to test the effect of hypothetical policies not yet created. - caller
Arn string - The ARN of an user that will appear as the "caller" of the simulated requests. If you do not specify
caller_arnthen the simulation will use thepolicy_source_arninstead, if it contains a user ARN. - contexts
Get
Principal Policy Simulation Context[] Each
contextblock defines an entry in the table of additional context keys in the simulated request.IAM uses context keys for both custom conditions and for interpolating dynamic request-specific values into policy values. If you use policies that include those features then you will need to provide suitable example values for those keys to achieve a realistic simulation.
- permissions
Boundary string[]Policies Jsons - A set of permissions boundary policy documents to include in the simulation.
- resource
Arns string[] A set of ARNs of resources to include in the simulation.
This argument is important for actions that have either required or optional resource types listed in Actions, resources, and condition keys for AWS services, and you must provide ARNs that identify AWS objects of the appropriate types for the chosen actions.
The policy simulator only automatically loads policies associated with the
policy_source_arn, so if your given resources have their own resource-level policy then you'll also need to provide that explicitly using theresource_policy_jsonargument to achieve a realistic simulation.- resource
Handling stringOption Specifies a special simulation type to run. Some EC2 actions require special simulation behaviors and a particular set of resource ARNs to achieve a realistic result.
For more details, see the
ResourceHandlingOptionrequest parameter for the underlyingiam:SimulatePrincipalPolicyaction.- resource
Owner stringAccount Id - An AWS account ID to use for any resource ARN in
resource_arnsthat doesn't include its own AWS account ID. If unspecified, the simulator will use the account ID from thecaller_arnargument as a placeholder. - resource
Policy stringJson An IAM policy document representing the resource-level policy of all of the resources specified in
resource_arns.The policy simulator cannot automatically load policies that are associated with individual resources, as described in the documentation for
resource_arnsabove.
- action_
names Sequence[str] A set of IAM action names to run simulations for. Each entry in this set adds an additional hypothetical request to the simulation.
Action names consist of a service prefix and an action verb separated by a colon, such as
s3:GetObject. Refer to Actions, resources, and condition keys for AWS services to see the full set of possible IAM action names across all AWS services.- policy_
source_ strarn The ARN of the IAM user, group, or role whose policies will be included in the simulation.
You must closely match the form of the real service request you are simulating in order to achieve a realistic result. You can use the following additional arguments to specify other characteristics of the simulated requests:
- additional_
policies_ Sequence[str]jsons - A set of additional principal policy documents to include in the simulation. The simulator will behave as if each of these policies were associated with the object specified in
policy_source_arn, allowing you to test the effect of hypothetical policies not yet created. - caller_
arn str - The ARN of an user that will appear as the "caller" of the simulated requests. If you do not specify
caller_arnthen the simulation will use thepolicy_source_arninstead, if it contains a user ARN. - contexts
Sequence[Get
Principal Policy Simulation Context] Each
contextblock defines an entry in the table of additional context keys in the simulated request.IAM uses context keys for both custom conditions and for interpolating dynamic request-specific values into policy values. If you use policies that include those features then you will need to provide suitable example values for those keys to achieve a realistic simulation.
- permissions_
boundary_ Sequence[str]policies_ jsons - A set of permissions boundary policy documents to include in the simulation.
- resource_
arns Sequence[str] A set of ARNs of resources to include in the simulation.
This argument is important for actions that have either required or optional resource types listed in Actions, resources, and condition keys for AWS services, and you must provide ARNs that identify AWS objects of the appropriate types for the chosen actions.
The policy simulator only automatically loads policies associated with the
policy_source_arn, so if your given resources have their own resource-level policy then you'll also need to provide that explicitly using theresource_policy_jsonargument to achieve a realistic simulation.- resource_
handling_ stroption Specifies a special simulation type to run. Some EC2 actions require special simulation behaviors and a particular set of resource ARNs to achieve a realistic result.
For more details, see the
ResourceHandlingOptionrequest parameter for the underlyingiam:SimulatePrincipalPolicyaction.- resource_
owner_ straccount_ id - An AWS account ID to use for any resource ARN in
resource_arnsthat doesn't include its own AWS account ID. If unspecified, the simulator will use the account ID from thecaller_arnargument as a placeholder. - resource_
policy_ strjson An IAM policy document representing the resource-level policy of all of the resources specified in
resource_arns.The policy simulator cannot automatically load policies that are associated with individual resources, as described in the documentation for
resource_arnsabove.
- action
Names List<String> A set of IAM action names to run simulations for. Each entry in this set adds an additional hypothetical request to the simulation.
Action names consist of a service prefix and an action verb separated by a colon, such as
s3:GetObject. Refer to Actions, resources, and condition keys for AWS services to see the full set of possible IAM action names across all AWS services.- policy
Source StringArn The ARN of the IAM user, group, or role whose policies will be included in the simulation.
You must closely match the form of the real service request you are simulating in order to achieve a realistic result. You can use the following additional arguments to specify other characteristics of the simulated requests:
- additional
Policies List<String>Jsons - A set of additional principal policy documents to include in the simulation. The simulator will behave as if each of these policies were associated with the object specified in
policy_source_arn, allowing you to test the effect of hypothetical policies not yet created. - caller
Arn String - The ARN of an user that will appear as the "caller" of the simulated requests. If you do not specify
caller_arnthen the simulation will use thepolicy_source_arninstead, if it contains a user ARN. - contexts List<Property Map>
Each
contextblock defines an entry in the table of additional context keys in the simulated request.IAM uses context keys for both custom conditions and for interpolating dynamic request-specific values into policy values. If you use policies that include those features then you will need to provide suitable example values for those keys to achieve a realistic simulation.
- permissions
Boundary List<String>Policies Jsons - A set of permissions boundary policy documents to include in the simulation.
- resource
Arns List<String> A set of ARNs of resources to include in the simulation.
This argument is important for actions that have either required or optional resource types listed in Actions, resources, and condition keys for AWS services, and you must provide ARNs that identify AWS objects of the appropriate types for the chosen actions.
The policy simulator only automatically loads policies associated with the
policy_source_arn, so if your given resources have their own resource-level policy then you'll also need to provide that explicitly using theresource_policy_jsonargument to achieve a realistic simulation.- resource
Handling StringOption Specifies a special simulation type to run. Some EC2 actions require special simulation behaviors and a particular set of resource ARNs to achieve a realistic result.
For more details, see the
ResourceHandlingOptionrequest parameter for the underlyingiam:SimulatePrincipalPolicyaction.- resource
Owner StringAccount Id - An AWS account ID to use for any resource ARN in
resource_arnsthat doesn't include its own AWS account ID. If unspecified, the simulator will use the account ID from thecaller_arnargument as a placeholder. - resource
Policy StringJson An IAM policy document representing the resource-level policy of all of the resources specified in
resource_arns.The policy simulator cannot automatically load policies that are associated with individual resources, as described in the documentation for
resource_arnsabove.
getPrincipalPolicySimulation Result
The following output properties are available:
- Action
Names List<string> - All
Allowed bool trueif all of the simulation results have decision "allowed", orfalseotherwise.- Id string
- Policy
Source stringArn - Results
List<Get
Principal Policy Simulation Result> - A set of result objects, one for each of the simulated requests, with the following nested attributes:
- Additional
Policies List<string>Jsons - Caller
Arn string - Contexts
List<Get
Principal Policy Simulation Context> - Permissions
Boundary List<string>Policies Jsons - Resource
Arns List<string> - Resource
Handling stringOption - Resource
Owner stringAccount Id - Resource
Policy stringJson
- Action
Names []string - All
Allowed bool trueif all of the simulation results have decision "allowed", orfalseotherwise.- Id string
- Policy
Source stringArn - Results
[]Get
Principal Policy Simulation Result - A set of result objects, one for each of the simulated requests, with the following nested attributes:
- Additional
Policies []stringJsons - Caller
Arn string - Contexts
[]Get
Principal Policy Simulation Context - Permissions
Boundary []stringPolicies Jsons - Resource
Arns []string - Resource
Handling stringOption - Resource
Owner stringAccount Id - Resource
Policy stringJson
- action
Names List<String> - all
Allowed Boolean trueif all of the simulation results have decision "allowed", orfalseotherwise.- id String
- policy
Source StringArn - results
List<Get
Principal Policy Simulation Result> - A set of result objects, one for each of the simulated requests, with the following nested attributes:
- additional
Policies List<String>Jsons - caller
Arn String - contexts
List<Get
Principal Policy Simulation Context> - permissions
Boundary List<String>Policies Jsons - resource
Arns List<String> - resource
Handling StringOption - resource
Owner StringAccount Id - resource
Policy StringJson
- action
Names string[] - all
Allowed boolean trueif all of the simulation results have decision "allowed", orfalseotherwise.- id string
- policy
Source stringArn - results
Get
Principal Policy Simulation Result[] - A set of result objects, one for each of the simulated requests, with the following nested attributes:
- additional
Policies string[]Jsons - caller
Arn string - contexts
Get
Principal Policy Simulation Context[] - permissions
Boundary string[]Policies Jsons - resource
Arns string[] - resource
Handling stringOption - resource
Owner stringAccount Id - resource
Policy stringJson
- action_
names Sequence[str] - all_
allowed bool trueif all of the simulation results have decision "allowed", orfalseotherwise.- id str
- policy_
source_ strarn - results
Sequence[Get
Principal Policy Simulation Result] - A set of result objects, one for each of the simulated requests, with the following nested attributes:
- additional_
policies_ Sequence[str]jsons - caller_
arn str - contexts
Sequence[Get
Principal Policy Simulation Context] - permissions_
boundary_ Sequence[str]policies_ jsons - resource_
arns Sequence[str] - resource_
handling_ stroption - resource_
owner_ straccount_ id - resource_
policy_ strjson
- action
Names List<String> - all
Allowed Boolean trueif all of the simulation results have decision "allowed", orfalseotherwise.- id String
- policy
Source StringArn - results List<Property Map>
- A set of result objects, one for each of the simulated requests, with the following nested attributes:
- additional
Policies List<String>Jsons - caller
Arn String - contexts List<Property Map>
- permissions
Boundary List<String>Policies Jsons - resource
Arns List<String> - resource
Handling StringOption - resource
Owner StringAccount Id - resource
Policy StringJson
Supporting Types
GetPrincipalPolicySimulationContext
- Key string
The context condition key to set.
If you have policies containing
Conditionelements or using dynamic interpolations then you will need to provide suitable values for each condition key your policies use. See Actions, resources, and condition keys for AWS services to find the various condition keys that are normally provided for real requests to each action of each AWS service.- Type string
An IAM value type that determines how the policy simulator will interpret the strings given in
values.For more information, see the
ContextKeyTypefield ofiam.ContextEntryin the underlying API.- Values List<string>
- A set of one or more values for this context entry.
- Key string
The context condition key to set.
If you have policies containing
Conditionelements or using dynamic interpolations then you will need to provide suitable values for each condition key your policies use. See Actions, resources, and condition keys for AWS services to find the various condition keys that are normally provided for real requests to each action of each AWS service.- Type string
An IAM value type that determines how the policy simulator will interpret the strings given in
values.For more information, see the
ContextKeyTypefield ofiam.ContextEntryin the underlying API.- Values []string
- A set of one or more values for this context entry.
- key String
The context condition key to set.
If you have policies containing
Conditionelements or using dynamic interpolations then you will need to provide suitable values for each condition key your policies use. See Actions, resources, and condition keys for AWS services to find the various condition keys that are normally provided for real requests to each action of each AWS service.- type String
An IAM value type that determines how the policy simulator will interpret the strings given in
values.For more information, see the
ContextKeyTypefield ofiam.ContextEntryin the underlying API.- values List<String>
- A set of one or more values for this context entry.
- key string
The context condition key to set.
If you have policies containing
Conditionelements or using dynamic interpolations then you will need to provide suitable values for each condition key your policies use. See Actions, resources, and condition keys for AWS services to find the various condition keys that are normally provided for real requests to each action of each AWS service.- type string
An IAM value type that determines how the policy simulator will interpret the strings given in
values.For more information, see the
ContextKeyTypefield ofiam.ContextEntryin the underlying API.- values string[]
- A set of one or more values for this context entry.
- key str
The context condition key to set.
If you have policies containing
Conditionelements or using dynamic interpolations then you will need to provide suitable values for each condition key your policies use. See Actions, resources, and condition keys for AWS services to find the various condition keys that are normally provided for real requests to each action of each AWS service.- type str
An IAM value type that determines how the policy simulator will interpret the strings given in
values.For more information, see the
ContextKeyTypefield ofiam.ContextEntryin the underlying API.- values Sequence[str]
- A set of one or more values for this context entry.
- key String
The context condition key to set.
If you have policies containing
Conditionelements or using dynamic interpolations then you will need to provide suitable values for each condition key your policies use. See Actions, resources, and condition keys for AWS services to find the various condition keys that are normally provided for real requests to each action of each AWS service.- type String
An IAM value type that determines how the policy simulator will interpret the strings given in
values.For more information, see the
ContextKeyTypefield ofiam.ContextEntryin the underlying API.- values List<String>
- A set of one or more values for this context entry.
GetPrincipalPolicySimulationResult
- Action
Name string - The name of the single IAM action used for this particular request.
- Allowed bool
trueifdecisionis "allowed", andfalseotherwise.- Decision string
- The raw decision determined from all of the policies in scope; either "allowed", "explicitDeny", or "implicitDeny".
- Decision
Details Dictionary<string, string> - A map of arbitrary metadata entries returned by the policy simulator for this request.
- Matched
Statements List<GetPrincipal Policy Simulation Result Matched Statement> - A nested set of objects describing which policies contained statements that were relevant to this simulation request. Each object has attributes
source_policy_idandsource_policy_typeto identify one of the policies. - Missing
Context List<string>Keys - A set of context keys (or condition keys) that were needed by some of the policies contributing to this result but not specified using a
contextblock in the configuration. Missing or incorrect context keys will typically cause a simulated request to be disallowed. - Resource
Arn string - ARN of the resource that was used for this particular request. When you specify multiple actions and multiple resource ARNs, that causes a separate policy request for each combination of unique action and resource.
- Action
Name string - The name of the single IAM action used for this particular request.
- Allowed bool
trueifdecisionis "allowed", andfalseotherwise.- Decision string
- The raw decision determined from all of the policies in scope; either "allowed", "explicitDeny", or "implicitDeny".
- Decision
Details map[string]string - A map of arbitrary metadata entries returned by the policy simulator for this request.
- Matched
Statements []GetPrincipal Policy Simulation Result Matched Statement - A nested set of objects describing which policies contained statements that were relevant to this simulation request. Each object has attributes
source_policy_idandsource_policy_typeto identify one of the policies. - Missing
Context []stringKeys - A set of context keys (or condition keys) that were needed by some of the policies contributing to this result but not specified using a
contextblock in the configuration. Missing or incorrect context keys will typically cause a simulated request to be disallowed. - Resource
Arn string - ARN of the resource that was used for this particular request. When you specify multiple actions and multiple resource ARNs, that causes a separate policy request for each combination of unique action and resource.
- action
Name String - The name of the single IAM action used for this particular request.
- allowed Boolean
trueifdecisionis "allowed", andfalseotherwise.- decision String
- The raw decision determined from all of the policies in scope; either "allowed", "explicitDeny", or "implicitDeny".
- decision
Details Map<String,String> - A map of arbitrary metadata entries returned by the policy simulator for this request.
- matched
Statements List<GetPrincipal Policy Simulation Result Matched Statement> - A nested set of objects describing which policies contained statements that were relevant to this simulation request. Each object has attributes
source_policy_idandsource_policy_typeto identify one of the policies. - missing
Context List<String>Keys - A set of context keys (or condition keys) that were needed by some of the policies contributing to this result but not specified using a
contextblock in the configuration. Missing or incorrect context keys will typically cause a simulated request to be disallowed. - resource
Arn String - ARN of the resource that was used for this particular request. When you specify multiple actions and multiple resource ARNs, that causes a separate policy request for each combination of unique action and resource.
- action
Name string - The name of the single IAM action used for this particular request.
- allowed boolean
trueifdecisionis "allowed", andfalseotherwise.- decision string
- The raw decision determined from all of the policies in scope; either "allowed", "explicitDeny", or "implicitDeny".
- decision
Details {[key: string]: string} - A map of arbitrary metadata entries returned by the policy simulator for this request.
- matched
Statements GetPrincipal Policy Simulation Result Matched Statement[] - A nested set of objects describing which policies contained statements that were relevant to this simulation request. Each object has attributes
source_policy_idandsource_policy_typeto identify one of the policies. - missing
Context string[]Keys - A set of context keys (or condition keys) that were needed by some of the policies contributing to this result but not specified using a
contextblock in the configuration. Missing or incorrect context keys will typically cause a simulated request to be disallowed. - resource
Arn string - ARN of the resource that was used for this particular request. When you specify multiple actions and multiple resource ARNs, that causes a separate policy request for each combination of unique action and resource.
- action_
name str - The name of the single IAM action used for this particular request.
- allowed bool
trueifdecisionis "allowed", andfalseotherwise.- decision str
- The raw decision determined from all of the policies in scope; either "allowed", "explicitDeny", or "implicitDeny".
- decision_
details Mapping[str, str] - A map of arbitrary metadata entries returned by the policy simulator for this request.
- matched_
statements Sequence[GetPrincipal Policy Simulation Result Matched Statement] - A nested set of objects describing which policies contained statements that were relevant to this simulation request. Each object has attributes
source_policy_idandsource_policy_typeto identify one of the policies. - missing_
context_ Sequence[str]keys - A set of context keys (or condition keys) that were needed by some of the policies contributing to this result but not specified using a
contextblock in the configuration. Missing or incorrect context keys will typically cause a simulated request to be disallowed. - resource_
arn str - ARN of the resource that was used for this particular request. When you specify multiple actions and multiple resource ARNs, that causes a separate policy request for each combination of unique action and resource.
- action
Name String - The name of the single IAM action used for this particular request.
- allowed Boolean
trueifdecisionis "allowed", andfalseotherwise.- decision String
- The raw decision determined from all of the policies in scope; either "allowed", "explicitDeny", or "implicitDeny".
- decision
Details Map<String> - A map of arbitrary metadata entries returned by the policy simulator for this request.
- matched
Statements List<Property Map> - A nested set of objects describing which policies contained statements that were relevant to this simulation request. Each object has attributes
source_policy_idandsource_policy_typeto identify one of the policies. - missing
Context List<String>Keys - A set of context keys (or condition keys) that were needed by some of the policies contributing to this result but not specified using a
contextblock in the configuration. Missing or incorrect context keys will typically cause a simulated request to be disallowed. - resource
Arn String - ARN of the resource that was used for this particular request. When you specify multiple actions and multiple resource ARNs, that causes a separate policy request for each combination of unique action and resource.
GetPrincipalPolicySimulationResultMatchedStatement
- Source
Policy stringId - Identifier of one of the policies used as input to the simulation.
- Source
Policy stringType - The type of the policy identified in source_policy_id.
- Source
Policy stringId - Identifier of one of the policies used as input to the simulation.
- Source
Policy stringType - The type of the policy identified in source_policy_id.
- source
Policy StringId - Identifier of one of the policies used as input to the simulation.
- source
Policy StringType - The type of the policy identified in source_policy_id.
- source
Policy stringId - Identifier of one of the policies used as input to the simulation.
- source
Policy stringType - The type of the policy identified in source_policy_id.
- source_
policy_ strid - Identifier of one of the policies used as input to the simulation.
- source_
policy_ strtype - The type of the policy identified in source_policy_id.
- source
Policy StringId - Identifier of one of the policies used as input to the simulation.
- source
Policy StringType - The type of the policy identified in source_policy_id.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.