
Class GetPolicyDocument

Inheritance
System.Object
GetPolicyDocument
Inherited Members
System.Object.Equals(System.Object)
System.Object.Equals(System.Object, System.Object)
System.Object.GetHashCode()
System.Object.GetType()
System.Object.MemberwiseClone()
System.Object.ReferenceEquals(System.Object, System.Object)
System.Object.ToString()
Namespace: Pulumi.Aws.Iam
Assembly: Pulumi.Aws.dll
Syntax
public static class GetPolicyDocument

Methods


InvokeAsync(GetPolicyDocumentArgs, InvokeOptions)

Generates an IAM policy document in JSON format.

This is a data source which can be used to construct a JSON representation of an IAM policy document, for use with resources which expect policy documents, such as the aws.iam.Policy resource.

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    /// <summary>
    /// Builds a three-statement IAM policy document with the
    /// <c>GetPolicyDocument</c> data source and attaches the rendered JSON to an
    /// <c>aws.iam.Policy</c> resource.
    /// </summary>
    public MyStack()
    {
        // NOTE(review): @var is not declared anywhere in this snippet; it presumably
        // stands in for stack configuration values — confirm before copying.

        // Statement "1": account-wide bucket listing and location lookup.
        var listAllBuckets = new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
        {
            Sid = "1",
            Actions = { "s3:ListAllMyBuckets", "s3:GetBucketLocation" },
            Resources = { "arn:aws:s3:::*" },
        };

        // ListBucket on the named bucket, restricted by a StringLike condition on
        // s3:prefix to the bucket root, "home/", and the caller's own home prefix.
        // "&{aws:username}" is left for AWS to expand (see "Context Variable
        // Interpolation" above), so the restriction is evaluated per caller.
        var listOwnHome = new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
        {
            Actions = { "s3:ListBucket" },
            Resources = { $"arn:aws:s3:::{@var.S3_bucket_name}" },
            Condition =
            {
                {
                    { "test", "StringLike" },
                    { "values", { "", "home/", "home/&{aws:username}/" } },
                    { "variable", "s3:prefix" },
                },
            },
        };

        // Full object access, but only beneath the caller's own home prefix.
        var manageOwnHome = new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
        {
            Actions = { "s3:*" },
            Resources =
            {
                $"arn:aws:s3:::{@var.S3_bucket_name}/home/&{{aws:username}}",
                $"arn:aws:s3:::{@var.S3_bucket_name}/home/&{{aws:username}}/*",
            },
        };

        var documentArgs = new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements = { listAllBuckets, listOwnHome, manageOwnHome },
        };
        var examplePolicyDocument = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(documentArgs));

        // The rendered JSON becomes the body of the managed policy.
        var examplePolicy = new Aws.Iam.Policy("examplePolicy", new Aws.Iam.PolicyArgs
        {
            Path = "/",
            Policy = examplePolicyDocument.Apply(doc => doc.Json),
        });
    }
}

Using this data source to generate policy documents is optional. It is also valid to use literal JSON strings within your configuration, or to use the file interpolation function to read a raw JSON policy document from a file.

Context Variable Interpolation

The IAM policy document format allows context variables to be interpolated into various strings within a statement. The native IAM policy document format uses ${...}-style syntax, which conflicts with this provider's own interpolation syntax, so this data source instead uses &{...} syntax for interpolations that should be processed by AWS rather than by this provider.

Wildcard Principal

To define a wildcard principal (a.k.a. anonymous user), use type = "*" and identifiers = ["*"]. In that case the rendered JSON will contain "Principal": "*". Note that even though the IAM documentation states that "Principal": "*" and "Principal": {"AWS": "*"} are equivalent, those principals behave differently in an IAM role trust policy. Therefore this provider normalizes the principal field only in the case mentioned above; principals such as type = "AWS" and identifiers = ["*"] are rendered as "Principal": {"AWS": "*"}.

Example with Multiple Principals

This example shows how to use the data source as an assume-role policy and how to specify multiple principal blocks with different types.

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    /// <summary>
    /// Builds an assume-role (trust) policy document whose single statement
    /// names three principal blocks of different types.
    /// </summary>
    public MyStack()
    {
        // NOTE(review): @var is not declared in this snippet; it presumably stands
        // in for stack configuration values — confirm before copying.

        var firehoseService = new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
        {
            Type = "Service",
            Identifiers = { "firehose.amazonaws.com" },
        };
        var trustedRole = new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
        {
            Type = "AWS",
            Identifiers = { @var.Trusted_role_arn },
        };
        // Two federated identity providers share one principal block.
        var federatedProviders = new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
        {
            Type = "Federated",
            Identifiers =
            {
                $"arn:aws:iam::{@var.Account_id}:saml-provider/{@var.Provider_name}",
                "cognito-identity.amazonaws.com",
            },
        };

        // One statement, three principals: every principal listed here is
        // permitted to call sts:AssumeRole on the role that uses this document.
        var assumeRole = new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
        {
            Actions = { "sts:AssumeRole" },
            Principals = { firehoseService, trustedRole, federatedProviders },
        };

        var eventStreamBucketRoleAssumeRolePolicy = Output.Create(
            Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                Statements = { assumeRole },
            }));
    }
}

Example with Source and Override

This example shows how to use source_json and override_json.

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    /// <summary>
    /// Demonstrates <c>SourceJson</c> and <c>OverrideJson</c>: a base document is
    /// merged with explicitly declared statements. Statements on both sides carry
    /// the Sid "SidToOverwrite" so that one replaces the other (merge precedence
    /// is not shown on this page).
    /// </summary>
    public MyStack()
    {
        // Returns a fresh s3:* statement scoped to a single bucket; it is used in
        // both merge directions below, so each caller gets its own instance.
        Aws.Iam.Inputs.GetPolicyDocumentStatementArgs BucketScopedS3() =>
            new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
            {
                Sid = "SidToOverwrite",
                Actions = { "s3:*" },
                Resources = { "arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*" },
            };

        // Base document. Both statements use wildcard actions on "*"; they are
        // illustrative only and exist to be merged with narrower statements.
        var source = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "ec2:*" },
                    Resources = { "*" },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "SidToOverwrite",
                    Actions = { "s3:*" },
                    Resources = { "*" },
                },
            },
        }));

        // source_json: the base document's JSON plus one explicit statement that
        // shares the Sid of the base s3:* statement.
        var sourceJsonExample = source.Apply(src => Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            SourceJson = src.Json,
            Statements = { BucketScopedS3() },
        })));

        // Override document: a single wildcard s3:* statement with the shared Sid.
        var overridePolicy = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "SidToOverwrite",
                    Actions = { "s3:*" },
                    Resources = { "*" },
                },
            },
        }));

        // override_json: explicit statements plus the override document's JSON.
        var overrideJsonExample = overridePolicy.Apply(ovr => Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            OverrideJson = ovr.Json,
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions = { "ec2:*" },
                    Resources = { "*" },
                },
                BucketScopedS3(),
            },
        })));
    }
}

data.aws_iam_policy_document.source_json_example.json will evaluate to:

using Pulumi;

class MyStack : Stack
{
    /// <summary>
    /// Placeholder stack. The generated example does not show the resulting JSON
    /// document that the preceding sentence refers to, so nothing is built here.
    /// </summary>
    public MyStack()
    {
    }
}

data.aws_iam_policy_document.override_json_example.json will evaluate to:

using Pulumi;

class MyStack : Stack
{
    /// <summary>
    /// Placeholder stack. The generated example does not show the resulting JSON
    /// document that the preceding sentence refers to, so nothing is built here.
    /// </summary>
    public MyStack()
    {
    }
}

You can also combine source_json and override_json in the same document.

Example without Statement

Use without a statement:

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    /// <summary>
    /// Combines a source document and an override document in a third document
    /// that declares no statements of its own. Both inputs carry a statement with
    /// Sid "OverridePlaceholder".
    /// </summary>
    public MyStack()
    {
        var source = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceholder",
                    Actions = { "ec2:DescribeAccountAttributes" },
                    Resources = { "*" },
                },
            },
        }));

        var overridePolicy = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Sid = "OverridePlaceholder",
                    Actions = { "s3:GetObject" },
                    Resources = { "*" },
                },
            },
        }));

        // Wait for both documents, then pass their JSON to an invocation that has
        // no Statements of its own; override is Item1, source is Item2.
        var politik = Output.Tuple(overridePolicy, source).Apply(pair =>
        {
            var (overrideDoc, sourceDoc) = pair;
            return Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
            {
                OverrideJson = overrideDoc.Json,
                SourceJson = sourceDoc.Json,
            }));
        });
    }
}

data.aws_iam_policy_document.politik.json will evaluate to:

using Pulumi;

class MyStack : Stack
{
    /// <summary>
    /// Placeholder stack. The generated example does not show the resulting JSON
    /// document that the preceding sentence refers to, so nothing is built here.
    /// </summary>
    public MyStack()
    {
    }
}
Declaration
public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args = null, InvokeOptions options = null)
Parameters
Type Name Description
GetPolicyDocumentArgs args
InvokeOptions options
Returns
Type Description
System.Threading.Tasks.Task<GetPolicyDocumentResult>