AWS::IAM::Policy - AWS CloudFormation (original) (raw)
Adds or updates an inline policy document that is embedded in the specified IAM group, user or role.
An IAM user can also have a managed policy attached to it. For information about policies, see Managed Policies and Inline Policies in the IAM User Guide.
The Groups, Roles, and Users properties are optional. However, you must specify at least one of these properties.
For information about policy documents see Creating IAM policies in the IAM User Guide.
For information about limits on the number of inline policies that you can embed in an identity, see Limitations on IAM Entities in the IAM User Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
"Type" : "AWS::IAM::Policy",
"Properties" : {
"Groups" : [ String, ... ],
"PolicyDocument" : Json,
"PolicyName" : String,
"Roles" : [ String, ... ],
"Users" : [ String, ... ]
}
}
YAML
Type: AWS::IAM::Policy
Properties:
Groups:
- String
PolicyDocument: Json
PolicyName: String
Roles:
- String
Users:
- String
Properties
Groups
The name of the group to associate the policy with.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.
Required: No
Type: Array of String
Pattern: [\w+=,.@-]+
Minimum: 1
Maximum: 128
Update requires: No interruption
PolicyDocument
The policy document.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
- Any printable ASCII character ranging from the space character (
\u0020) through the end of the ASCII character range - The printable characters in the Basic Latin and Latin-1 Supplement character set (through
\u00FF) - The special characters tab (
\u0009), line feed (\u000A), and carriage return (\u000D)
Required: Yes
Type: Json
Minimum: 1
Maximum: 131072
Update requires: No interruption
PolicyName
The name of the policy document.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Update requires: No interruption
Roles
The name of the role to associate the policy with.
This parameter allows (per its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
Note
If an external policy (such as AWS::IAM::Policy orAWS::IAM::ManagedPolicy) has a Ref to a role and if a resource (such as AWS::ECS::Service) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.
Required: No
Type: Array of String
Update requires: No interruption
Users
The name of the user to associate the policy with.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
Required: No
Type: Array of String
Pattern: [\w+=,.@-]+
Minimum: 1
Maximum: 128
Update requires: No interruption
Return values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource name.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Id
The stable and unique string identifying the policy.
For more information about IDs, see IAM identifiers in the_IAM User Guide_.
Examples
Policy with policy group
JSON
{
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "CFNUsers",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:Describe*",
"cloudformation:List*",
"cloudformation:Get*"
],
"Resource": "*"
}
]
},
"Groups": [
{
"Ref": "CFNUserGroup"
}
]
}
}YAML
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: CFNUsers
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- 'cloudformation:Describe*'
- 'cloudformation:List*'
- 'cloudformation:Get*'
Resource: '*'
Groups:
- !Ref CFNUserGroupPolicy with specified role
JSON
{
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "RootRole"
}
]
}
}YAML
Type: 'AWS::IAM::Policy'
Properties:
PolicyName: root
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: '*'
Resource: '*'
Roles:
- !Ref RootRoleSee also
- AWS::IAM::GroupPolicy
- AWS::IAM::RolePolicy
- AWS::IAM::UserPolicy
- PutGroupPolicy in the AWS Identity and Access Management API Reference
- PutRolePolicy in the AWS Identity and Access Management API Reference
- PutUserPolicy in the AWS Identity and Access Management API Reference