GetPrincipalPolicySimulationPlainArgs

data class GetPrincipalPolicySimulationPlainArgs(val actionNames: List<String>, val additionalPoliciesJsons: List<String>? = null, val callerArn: String? = null, val contexts: List<GetPrincipalPolicySimulationContext>? = null, val permissionsBoundaryPoliciesJsons: List<String>? = null, val policySourceArn: String, val resourceArns: List<String>? = null, val resourceHandlingOption: String? = null, val resourceOwnerAccountId: String? = null, val resourcePolicyJson: String? = null) : ConvertibleToJava<GetPrincipalPolicySimulationPlainArgs>

A collection of arguments for invoking getPrincipalPolicySimulation.

Constructors

constructor(actionNames: List<String>, additionalPoliciesJsons: List<String>? = null, callerArn: String? = null, contexts: List<GetPrincipalPolicySimulationContext>? = null, permissionsBoundaryPoliciesJsons: List<String>? = null, policySourceArn: String, resourceArns: List<String>? = null, resourceHandlingOption: String? = null, resourceOwnerAccountId: String? = null, resourcePolicyJson: String? = null)

Properties

A set of IAM action names to run simulations for. Each entry in this set adds an additional hypothetical request to the simulation. Action names consist of a service prefix and an action verb separated by a colon, such as s3:GetObject. Refer to Actions, resources, and condition keys for AWS services to see the full set of possible IAM action names across all AWS services.

A set of additional principal policy documents to include in the simulation. The simulator will behave as if each of these policies were associated with the object specified in policy_source_arn, allowing you to test the effect of hypothetical policies not yet created.

val callerArn: String? = null

The ARN of a user that will appear as the "caller" of the simulated requests. If you do not specify caller_arn, the simulation will use the policy_source_arn instead, if it contains a user ARN.

Each context block defines an entry in the table of additional context keys in the simulated request. IAM uses context keys for both custom conditions and for interpolating dynamic request-specific values into policy values. If you use policies that include those features then you will need to provide suitable example values for those keys to achieve a realistic simulation.

A set of permissions boundary policy documents to include in the simulation.

The ARN of the IAM user, group, or role whose policies will be included in the simulation. You must closely match the form of the real service request you are simulating in order to achieve a realistic result. You can use the following additional arguments to specify other characteristics of the simulated requests:

val resourceArns: List<String>? = null

A set of ARNs of resources to include in the simulation. This argument is important for actions that have either required or optional resource types listed in Actions, resources, and condition keys for AWS services, and you must provide ARNs that identify AWS objects of the appropriate types for the chosen actions. The policy simulator only automatically loads policies associated with the policy_source_arn, so if your given resources have their own resource-level policy then you'll also need to provide that explicitly using the resource_policy_json argument to achieve a realistic simulation.

Specifies a special simulation type to run. Some EC2 actions require special simulation behaviors and a particular set of resource ARNs to achieve a realistic result. For more details, see the ResourceHandlingOption request parameter for the underlying iam:SimulatePrincipalPolicy action.

An AWS account ID to use for any resource ARN in resource_arns that doesn't include its own AWS account ID. If unspecified, the simulator will use the account ID from the caller_arn argument as a placeholder.

An IAM policy document representing the resource-level policy of all of the resources specified in resource_arns. The policy simulator cannot automatically load policies that are associated with individual resources, as described in the documentation for resource_arns above.
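The resourceArns, resourcePolicyJson and contexts descriptions above combine as follows when checking whether a user can read one S3 object guarded by a bucket policy. This is an added example, not code from the SDK or its documentation. The import paths, the `IamFunctions` object, the `key`/`type`/`values` fields of `GetPrincipalPolicySimulationContext` and the `allAllowed` result field are assumptions about the generated SDK that this page does not show, and every ARN and account ID is a constructed placeholder.

```kotlin
// Assumed package layout of the generated Pulumi Kotlin AWS SDK.
import com.pulumi.aws.iam.kotlin.IamFunctions
import com.pulumi.aws.iam.kotlin.inputs.GetPrincipalPolicySimulationContext
import com.pulumi.aws.iam.kotlin.inputs.GetPrincipalPolicySimulationPlainArgs

// Constructed placeholders, not real resources.
const val READER_ARN = "arn:aws:iam::111122223333:user/example-reader"
const val OBJECT_ARN = "arn:aws:s3:::example-bucket/reports/q1.csv"

// The simulator loads only the policies attached to policySourceArn, so the
// bucket policy has to be supplied by hand. This one denies reads that do not
// originate from 203.0.113.0/24.
val bucketPolicy = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
  }]
}
""".trimIndent()

fun readerSimulationArgs(sourceIp: String) = GetPrincipalPolicySimulationPlainArgs(
    actionNames = listOf("s3:GetObject"),
    // A user ARN, so callerArn can be left unset and defaults to this value.
    policySourceArn = READER_ARN,
    resourceArns = listOf(OBJECT_ARN),
    // S3 ARNs carry no account ID, so name the owning account explicitly.
    resourceOwnerAccountId = "111122223333",
    resourcePolicyJson = bucketPolicy,
    // Without a value for aws:SourceIp the Deny condition has nothing to match.
    contexts = listOf(
        GetPrincipalPolicySimulationContext(
            key = "aws:SourceIp", // assumed field names: key, type, values
            type = "ip",
            values = listOf(sourceIp),
        ),
    ),
)

// Assumed result field: allAllowed is true only if every simulated action is allowed.
suspend fun readerCanFetchReport(sourceIp: String): Boolean =
    IamFunctions.getPrincipalPolicySimulation(readerSimulationArgs(sourceIp)).allAllowed
```

Dropping `resourcePolicyJson` from the call makes the simulation evaluate the user's identity policies alone, so the bucket policy's Deny never enters the decision.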

Functions

open override fun toJava(): GetPrincipalPolicySimulationPlainArgs