getPolicyDocument
Generates an IAM policy document in JSON format for use with resources that expect policy documents, such as aws.iam.Policy. Using this data source to generate policy documents is optional: it is equally valid to pass a literal JSON string in your program, or to read a raw JSON policy document from a file (for example with java.nio.file.Files). Whichever route you take, treat every value you interpolate into the document — bucket names, account IDs, principal ARNs — as security-relevant input: a stray wildcard in one of them widens the resulting grant.
Example Usage
Basic Example
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementConditionArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
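public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds a three-statement S3 "home directory" policy document and publishes
     * it as a managed IAM policy.
     *
     * <p>Statements, in order:
     * <ol>
     *   <li>list all buckets / get bucket location on {@code arn:aws:s3:::*}
     *       (these account-level actions are granted on a wildcard resource);</li>
     *   <li>list the configured bucket, but only for the bucket root, the shared
     *       {@code home/} prefix and the caller's own {@code home/<username>/}
     *       prefix;</li>
     *   <li>every S3 action ({@code s3:*}) on objects under the caller's own
     *       home prefix.</li>
     * </ol>
     *
     * @param ctx Pulumi context; the bucket name is read from the
     *            {@code s3_bucket_name} stack configuration key (the generated
     *            page referenced an undefined {@code var_} helper here).
     */
    public static void stack(Context ctx) {
        // The bucket name is spliced into resource ARNs below, so it must come
        // from a trusted configuration source: a value such as "*" would widen
        // every grant in this document.
        final var bucketName = ctx.config().require("s3_bucket_name");
        final var bucketArn = String.format("arn:aws:s3:::%s", bucketName);

        // "&{...}" is the escape the condition value on the original page uses
        // for the IAM policy-variable syntax "${...}"; the same single-brace
        // spelling is used in the resource ARNs so every reference resolves to
        // the same variable. The generated page had "&{{aws:username}}" in the
        // ARNs — braces are not special to String.format, so the doubled braces
        // would have been emitted literally and never matched a real user.
        // Confirm the emitted JSON contains "${aws:username}" before relying on it.
        final var userHome = "home/&{aws:username}";

        final var listAllBuckets = GetPolicyDocumentStatementArgs.builder()
                .sid("1")
                .effect("Allow")
                .actions("s3:ListAllMyBuckets", "s3:GetBucketLocation")
                .resources("arn:aws:s3:::*")
                .build();

        final var listHomePrefixes = GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions("s3:ListBucket")
                .resources(bucketArn)
                // Listing is limited to the bucket root (the empty prefix, which
                // some clients request first), the shared "home/" folder and the
                // caller's own home folder. Other users' folders stay unlistable.
                .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                        .test("StringLike")
                        .variable("s3:prefix")
                        .values("", "home/", userHome + "/")
                        .build())
                .build();

        final var ownHomeFullAccess = GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions("s3:*")
                .resources(bucketArn + "/" + userHome, bucketArn + "/" + userHome + "/*")
                .build();

        final var examplePolicyDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(listAllBuckets, listHomePrefixes, ownHomeFullAccess)
                .build());

        var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()
                .path("/")
                .policy(examplePolicyDocument.applyValue(result -> result.json()))
                .build());
    }
}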
Example Multiple Condition Keys and Values
You can specify a condition with multiple keys and values by supplying multiple condition blocks that share the same test value but differ in their variable and values.
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * One {@code ForAnyValue:StringEquals} condition on a single
     * encryption-context key.
     *
     * @param contextKey the {@code kms:EncryptionContext:...} condition key
     * @param allowed    the values that key may take
     */
    private static GetPolicyDocumentStatementConditionArgs contextEquals(String contextKey, String... allowed) {
        return GetPolicyDocumentStatementConditionArgs.builder()
                .test("ForAnyValue:StringEquals")
                .variable(contextKey)
                .values(allowed)
                .build();
    }

    /**
     * Builds a KMS decrypt/generate-data-key statement whose three conditions
     * use the same test but different encryption-context keys.
     *
     * <p>IAM evaluates the distinct keys of one statement together, so all
     * three must match. The resource is {@code "*"}, which means these
     * conditions are the only thing narrowing the grant — keep them if you
     * copy this example.
     *
     * @param ctx Pulumi context (unused beyond running the program)
     */
    public static void stack(Context ctx) {
        final var decryptForPerformanceInsights = GetPolicyDocumentStatementArgs.builder()
                .actions("kms:Decrypt", "kms:GenerateDataKey")
                .resources("*")
                .conditions(
                        contextEquals("kms:EncryptionContext:service", "pi"),
                        contextEquals("kms:EncryptionContext:aws:pi:service", "rds"),
                        contextEquals("kms:EncryptionContext:aws:rds:db-id",
                                "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                                "db-EEEEEDDDDDCCCCCBBBBBAAAAA"))
                .build();

        // The document is built but, as on the original page, not attached to
        // any resource.
        final var multipleConditionKeysDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(decryptForPerformanceInsights)
                .build());
    }
}
Example Assume-Role Policy with Multiple Principals
You can specify multiple principal blocks with different types. You can also use this data source to generate an assume-role (trust) policy for an IAM role.
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
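public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds an assume-role (trust) policy document with three kinds of
     * principal in one statement: an AWS service, an IAM principal ARN, and two
     * federated identity providers (a SAML provider and Cognito).
     *
     * <p>Requires {@code com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs}
     * and {@code com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs}
     * to be imported; the generated page omits both.
     *
     * @param ctx Pulumi context; reads the {@code trusted_role_arn},
     *            {@code account_id} and {@code provider_name} configuration keys
     *            (the generated page referenced an undefined {@code var_} helper).
     */
    public static void stack(Context ctx) {
        final var config = ctx.config();
        // These values become principal identifiers of a trust policy, so they
        // must come from trusted stack configuration: an AWS principal of "*"
        // would let principals from any account assume the role.
        final var trustedRoleArn = config.require("trusted_role_arn");
        final var samlProviderArn = String.format(
                "arn:aws:iam::%s:saml-provider/%s",
                config.require("account_id"),
                config.require("provider_name"));

        // NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set on
        // the service principal, so the service could use this role on behalf of
        // any account (confused deputy); add one when adapting this example.
        final var firehose = GetPolicyDocumentStatementPrincipalArgs.builder()
                .type("Service")
                .identifiers("firehose.amazonaws.com")
                .build();

        final var trustedRole = GetPolicyDocumentStatementPrincipalArgs.builder()
                .type("AWS")
                .identifiers(trustedRoleArn)
                .build();

        // NOTE(review): the statement below only allows sts:AssumeRole. SAML and
        // Cognito federation call sts:AssumeRoleWithSAML and
        // sts:AssumeRoleWithWebIdentity respectively, and the Cognito principal
        // is normally paired with a cognito-identity.amazonaws.com:aud condition
        // naming the identity pool — confirm both before reusing this statement.
        final var federated = GetPolicyDocumentStatementPrincipalArgs.builder()
                .type("Federated")
                .identifiers(samlProviderArn, "cognito-identity.amazonaws.com")
                .build();

        final var eventStreamBucketRoleAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                        .actions("sts:AssumeRole")
                        .principals(firehose, trustedRole, federated)
                        .build())
                .build());
    }
}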
Example Using A Source Document
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * The bucket-scoped S3 statement that is meant to replace the wildcard
     * {@code SidToOverride} statement of the source document.
     */
    private static GetPolicyDocumentStatementArgs bucketScopedS3() {
        return GetPolicyDocumentStatementArgs.builder()
                .sid("SidToOverride")
                .actions("s3:*")
                .resources("arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*")
                .build();
    }

    /**
     * Shows a source document being narrowed by a later document.
     *
     * <p>The base document grants {@code ec2:*} and {@code s3:*} on
     * {@code "*"}. The second call feeds it in through
     * {@code sourcePolicyDocuments} and supplies its own {@code SidToOverride}
     * statement scoped to one bucket. The {@code ec2:*} statement has no sid
     * and, per the parameter notes further down this page, cannot be
     * overridden — it is carried into the result unchanged, still on
     * {@code "*"}.
     *
     * @param ctx Pulumi context (unused beyond running the program)
     */
    public static void stack(Context ctx) {
        final var ec2Everything = GetPolicyDocumentStatementArgs.builder()
                .actions("ec2:*")
                .resources("*")
                .build();
        final var s3Everything = GetPolicyDocumentStatementArgs.builder()
                .sid("SidToOverride")
                .actions("s3:*")
                .resources("*")
                .build();

        final var baseDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(ec2Everything, s3Everything)
                .build());
        final var baseJson = baseDocument.applyValue(result -> result.json());

        final var narrowedDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .sourcePolicyDocuments(baseJson)
                .statements(bucketScopedS3())
                .build());
    }
}
Example Using An Override Document
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** A wildcard-resource statement for one action, optionally tagged with a sid. */
    private static GetPolicyDocumentStatementArgs onEverything(String sid, String action) {
        final var builder = GetPolicyDocumentStatementArgs.builder();
        if (sid != null) {
            builder.sid(sid);
        }
        return builder
                .actions(action)
                .resources("*")
                .build();
    }

    /**
     * Shows an override document applied on top of inline statements.
     *
     * <p>The override document carries a {@code SidToOverride} statement with
     * {@code s3:*} on {@code "*"}; the inline statements carry the same sid
     * scoped to one bucket. Note the direction: the override document is the
     * one documented as winning over source documents, so the wider statement
     * is the likely survivor here. This page does not spell out precedence
     * between {@code overridePolicyDocuments} and inline statements — inspect
     * the emitted JSON before relying on the bucket-scoped ARNs.
     *
     * @param ctx Pulumi context (unused beyond running the program)
     */
    public static void stack(Context ctx) {
        final var overrideDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(onEverything("SidToOverride", "s3:*"))
                .build());
        final var overrideJson = overrideDocument.applyValue(result -> result.json());

        final var bucketScopedS3 = GetPolicyDocumentStatementArgs.builder()
                .sid("SidToOverride")
                .actions("s3:*")
                .resources("arn:aws:s3:::somebucket", "arn:aws:s3:::somebucket/*")
                .build();

        final var overridePolicyDocumentExample = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .overridePolicyDocuments(overrideJson)
                .statements(onEverything(null, "ec2:*"), bucketScopedS3)
                .build());
    }
}
Example with Both Source and Override Documents
You can also combine source_policy_documents and override_policy_documents in the same document.
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * A statement on {@code "*"} carrying the fixed sid
     * {@code OverridePlaceholder}, so a later document can replace it.
     *
     * @param action the single IAM action to allow
     */
    private static GetPolicyDocumentStatementArgs placeholder(String action) {
        return GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceholder")
                .actions(action)
                .resources("*")
                .build();
    }

    /**
     * Combines a source document and an override document that share one sid.
     *
     * <p>Per the parameter notes further down this page, a statement in an
     * override document replaces the same-sid statement from a source
     * document, so the merged result should carry {@code s3:GetObject} rather
     * than {@code ec2:DescribeAccountAttributes} for {@code OverridePlaceholder}.
     *
     * @param ctx Pulumi context (unused beyond running the program)
     */
    public static void stack(Context ctx) {
        final var sourceDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(placeholder("ec2:DescribeAccountAttributes"))
                .build());
        final var overrideDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(placeholder("s3:GetObject"))
                .build());

        final var sourceJson = sourceDocument.applyValue(result -> result.json());
        final var overrideJson = overrideDocument.applyValue(result -> result.json());

        final var mergedDocument = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .sourcePolicyDocuments(sourceJson)
                .overridePolicyDocuments(overrideJson)
                .build());
    }
}
Example of Merging Source Documents
Multiple documents can be combined using the source_policy_documents or override_policy_documents attributes. source_policy_documents requires that all documents have unique Sids, while override_policy_documents iteratively overrides statements with matching Sids (later documents in the list win). Statements without a Sid are never replaced and are copied into the result as-is, so review them for over-broad grants before merging.
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** A statement granting one action on every resource, without a sid. */
    private static GetPolicyDocumentStatementArgs onAllResources(String action) {
        return GetPolicyDocumentStatementArgs.builder()
                .actions(action)
                .resources("*")
                .build();
    }

    /** A statement granting one action on every resource, tagged with a sid. */
    private static GetPolicyDocumentStatementArgs onAllResources(String sid, String action) {
        return GetPolicyDocumentStatementArgs.builder()
                .sid(sid)
                .actions(action)
                .resources("*")
                .build();
    }

    /**
     * Merges two source documents whose sids do not collide.
     *
     * <p>{@code sourcePolicyDocuments} requires every sid to be unique across
     * the inputs; statements without a sid ({@code ec2:*}, {@code lambda:*})
     * are simply appended. Every statement here is a wildcard grant, so the
     * combined document is extremely broad — this is a merging illustration,
     * not a policy to deploy.
     *
     * @param ctx Pulumi context (unused beyond running the program)
     */
    public static void stack(Context ctx) {
        final var firstSource = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(
                        onAllResources("ec2:*"),
                        onAllResources("UniqueSidOne", "s3:*"))
                .build());
        final var secondSource = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(
                        onAllResources("UniqueSidTwo", "iam:*"),
                        onAllResources("lambda:*"))
                .build());

        final var firstJson = firstSource.applyValue(result -> result.json());
        final var secondJson = secondSource.applyValue(result -> result.json());

        final var combined = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .sourcePolicyDocuments(firstJson, secondJson)
                .build());
    }
}
Example of Merging Override Documents
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** A statement on {@code "*"} with an explicit effect and one action, no sid. */
    private static GetPolicyDocumentStatementArgs wildcard(String effect, String action) {
        return GetPolicyDocumentStatementArgs.builder()
                .effect(effect)
                .actions(action)
                .resources("*")
                .build();
    }

    /** A statement on {@code "*"} with an explicit effect and one action, tagged with a sid. */
    private static GetPolicyDocumentStatementArgs wildcard(String sid, String effect, String action) {
        return GetPolicyDocumentStatementArgs.builder()
                .sid(sid)
                .effect(effect)
                .actions(action)
                .resources("*")
                .build();
    }

    /**
     * Merges three override documents plus an inline statement that all reuse
     * two sids.
     *
     * <p>Per the parameter notes further down this page, later override
     * documents win over earlier ones, so policyThree's {@code Deny logs:*}
     * replaces policyOne's {@code Allow s3:*} for {@code OverridePlaceHolderOne}.
     * The page does not state whether the inline {@code Deny *} or policyTwo's
     * {@code Allow iam:*} wins for {@code OverridePlaceHolderTwo} — inspect the
     * emitted JSON rather than assuming the Deny survives. The sid-less
     * {@code ec2:*} statement is carried through untouched.
     *
     * @param ctx Pulumi context (unused beyond running the program)
     */
    public static void stack(Context ctx) {
        final var policyOne = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(wildcard("OverridePlaceHolderOne", "Allow", "s3:*"))
                .build());
        final var policyTwo = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(
                        wildcard("Allow", "ec2:*"),
                        wildcard("OverridePlaceHolderTwo", "Allow", "iam:*"))
                .build());
        final var policyThree = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(wildcard("OverridePlaceHolderOne", "Deny", "logs:*"))
                .build());

        final var overrides = GetPolicyDocumentArgs.builder()
                .overridePolicyDocuments(
                        policyOne.applyValue(result -> result.json()),
                        policyTwo.applyValue(result -> result.json()),
                        policyThree.applyValue(result -> result.json()))
                .statements(wildcard("OverridePlaceHolderTwo", "Deny", "*"))
                .build();

        final var combined = IamFunctions.getPolicyDocument(overrides);
    }
}
Return
A collection of values returned by getPolicyDocument.
Parameters
A collection of arguments for invoking getPolicyDocument.
Return
A collection of values returned by getPolicyDocument.
Parameters
IAM policy document whose statements with non-blank sids will override statements with the same sid from documents assigned to the source_json, source_policy_documents, and override_policy_documents arguments. Non-overriding statements will be added to the exported document.
NOTE: Statements without a sid cannot be overridden. In other words, a statement without a sid from documents assigned to the source_json or source_policy_documents arguments cannot be overridden by statements from documents assigned to the override_json or override_policy_documents arguments — it is carried into the exported document unchanged, so an over-broad sid-less statement has to be fixed at its source.
List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from documents provided in the source_json and source_policy_documents arguments. Non-overriding statements will be added to the exported document.
ID for the policy document.
IAM policy document used as a base for the exported policy document. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements.
List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents or source_json must have unique sids. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements.
Configuration block for a policy statement. Detailed below.
IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17, which is the version required for policy variables such as ${aws:username} to be interpreted. For more information, see the AWS IAM User Guide.
See also
Return
A collection of values returned by getPolicyDocument.
Parameters
Builder for com.pulumi.aws.iam.kotlin.inputs.GetPolicyDocumentPlainArgs.