AWS::IAM::Policy
Adds or updates an inline policy document that is embedded in the specified IAM group, user or role.
An IAM user can also have a managed policy attached to it. For information about policies, see Managed Policies and Inline Policies in the IAM User Guide.
The Groups, Roles, and Users properties are optional. However, you must specify at least one of these properties.
For information about policy documents see Creating IAM policies in the IAM User Guide.
For information about limits on the number of inline policies that you can embed in an identity, see Limitations on IAM Entities in the IAM User Guide.
Important
This resource does not support drift detection . The following inline policy resource types support drift detection:
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::IAM::Policy", "Properties" : { "Groups" :
[ String, ... ]
, "PolicyDocument" :Json
, "PolicyName" :String
, "Roles" :[ String, ... ]
, "Users" :[ String, ... ]
} }
YAML
Type: AWS::IAM::Policy Properties: Groups:
- String
PolicyDocument:Json
PolicyName:String
Roles:- String
Users:- String
Properties
Groups
-
The name of the group to associate the policy with.
This parameter allows (through its regex pattern
) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. Required: No
Type: Array of String
Pattern:
[\w+=,.@-]+
Minimum:
1
Maximum:
128
Update requires: No interruption
PolicyDocument
-
The policy document.
You must provide policies in JSON format in IAM. However, for Amazon CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. Amazon CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern
used to validate this parameter is a string of characters consisting of the following: -
Any printable ASCII character ranging from the space character (
\u0020
) through the end of the ASCII character range -
The printable characters in the Basic Latin and Latin-1 Supplement character set (through
\u00FF
) -
The special characters tab (
\u0009
), line feed (\u000A
), and carriage return (\u000D
)
Required: Yes
Type: Json
Minimum:
1
Maximum:
131072
Update requires: No interruption
-
PolicyName
-
The name of the policy document.
This parameter allows (through its regex pattern
) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- Required: Yes
Type: String
Minimum:
1
Maximum:
128
Update requires: No interruption
Roles
-
The name of the role to associate the policy with.
This parameter allows (per its regex pattern
) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- Note
If an external policy (such as
AWS::IAM::Policy
orAWS::IAM::ManagedPolicy
) has aRef
to a role and if a resource (such asAWS::ECS::Service
) also has aRef
to the same role, add aDependsOn
attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with anAWS::ECS::Service
resource, theDependsOn
attribute ensures that Amazon CloudFormation deletes theAWS::ECS::Service
resource before deleting its role's policy.Required: No
Type: Array of String
Update requires: No interruption
Users
-
The name of the user to associate the policy with.
This parameter allows (through its regex pattern
) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- Required: No
Type: Array of String
Pattern:
[\w+=,.@-]+
Minimum:
1
Maximum:
128
Update requires: No interruption
Return values
Ref
When the logical ID of this resource is provided to the Ref
intrinsic function, Ref
returns the resource name.
For more information about using the Ref
function, see Ref
.
Examples
IAM Policy with policy group
JSON
{ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "CFNUsers", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:Describe*", "cloudformation:List*", "cloudformation:Get*" ], "Resource": "*" } ] }, "Groups": [ { "Ref": "CFNUserGroup" } ] } }
YAML
Type: 'AWS::IAM::Policy' Properties: PolicyName: CFNUsers PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - 'cloudformation:Describe*' - 'cloudformation:List*' - 'cloudformation:Get*' Resource: '*' Groups: - !Ref CFNUserGroup
IAM Policy with specified role
JSON
{ "Type": "AWS::IAM::Policy", "Properties": { "PolicyName": "root", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }, "Roles": [ { "Ref": "RootRole" } ] } }
YAML
Type: 'AWS::IAM::Policy' Properties: PolicyName: root PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: '*' Resource: '*' Roles: - !Ref RootRole
See also
-
PutGroupPolicy in the Amazon Identity and Access Management API Reference
-
PutRolePolicy in the Amazon Identity and Access Management API Reference
-
PutUserPolicy in the Amazon Identity and Access Management API Reference