AWS::IAM::Policy
The AWS::IAM::Policy resource creates an inline IAM policy and attaches it to IAM users, roles, or groups. For more information about IAM policies, see Overview of IAM Policies in the IAM User Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
    "Groups" : [ String, ... ],
    "PolicyDocument" : JSON object,
    "PolicyName" : String,
    "Roles" : [ String, ... ],
    "Users" : [ String, ... ]
  }
}
YAML
Type: AWS::IAM::Policy
Properties:
  Groups:
    - String
  PolicyDocument: JSON object
  PolicyName: String
  Roles:
    - String
  Users:
    - String
Properties
Groups-
The names of groups to which you want to add the policy.
Required: Conditional. You must specify at least one of the following properties: Groups, Roles, or Users.
Type: List of String values
Update requires: No interruption
PolicyDocument-
A policy document that contains the permissions to add to the specified users, roles, or groups.
Required: Yes
Type: JSON object
Note
AWS Identity and Access Management (IAM) requires that policies be in JSON format. However, for templates formatted in YAML, you can create an IAM policy in either JSON or YAML format. AWS CloudFormation always converts a policy to JSON format before submitting it to IAM.
Update requires: No interruption
PolicyName-
The name of the policy. If you specify multiple policies for an entity, specify unique names. For example, if you specify a list of policies for an IAM role, each policy must have a unique name.
Required: Yes
Type: String
Update requires: No interruption
Roles-
The names of AWS::IAM::Role resources to which this policy will be attached.
Note
If a policy has a Ref to a role and a resource (such as AWS::ECS::Service) also has a Ref to the same role, add a DependsOn attribute to the resource so that the resource depends on the policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that the AWS::ECS::Service resource can complete its deletion before its role's policy is deleted.
Required: Conditional. You must specify at least one of the following properties: Groups, Roles, or Users.
Type: List of String values
Update requires: No interruption
Users-
The names of users for whom you want to add the policy.
Required: Conditional. You must specify at least one of the following properties: Groups, Roles, or Users.
Type: List of String values
Update requires: No interruption
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic
function, Ref returns the resource name.
For more information about using the Ref function, see Ref.
Examples
IAM Policy attached to a group
The following example attaches a read-only CloudFormation policy to the group referenced by CFNUserGroup.
JSON
{
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
    "PolicyName" : "CFNUsers",
    "PolicyDocument" : {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "cloudformation:Describe*",
            "cloudformation:List*",
            "cloudformation:Get*"
          ],
          "Resource" : "*"
        }
      ]
    },
    "Groups" : [ { "Ref" : "CFNUserGroup" } ]
  }
}
YAML
Type: AWS::IAM::Policy
Properties:
  PolicyName: "CFNUsers"
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: "Allow"
        Action:
          - "cloudformation:Describe*"
          - "cloudformation:List*"
          - "cloudformation:Get*"
        Resource: "*"
  Groups:
    - Ref: "CFNUserGroup"
IAM Policy attached to a role
The following example attaches an inline policy to the role referenced by RootRole. Note that this policy document allows every action ("Action": "*") on every resource ("Resource": "*"), which is full administrative access; it is shown here only to illustrate the Roles property. In a real template, restrict Action and Resource to what the role actually needs.
JSON
{
  "Type" : "AWS::IAM::Policy",
  "Properties" : {
    "PolicyName" : "root",
    "PolicyDocument" : {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : "*",
          "Resource" : "*"
        }
      ]
    },
    "Roles" : [ { "Ref" : "RootRole" } ]
  }
}
YAML
Type: AWS::IAM::Policy
Properties:
  PolicyName: "root"
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: "Allow"
        Action: "*"
        Resource: "*"
  Roles:
    - Ref: "RootRole"
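The following is an added example, not part of the AWS documentation or of any AWS tool. It is a small standard-library Python linter that reads a CloudFormation template (already in JSON form, which is what CloudFormation submits to IAM) and checks each AWS::IAM::Policy resource against the rules stated on this page: at least one of Groups, Roles, or Users must be set; PolicyName must be unique among the policies attached to one entity; and a resource that Refs a role the policy is attached to should DependsOn the policy. It also flags an Allow statement with Action "*" on Resource "*", as in the role example above. The sample template, its logical IDs (AppRole, AdminPolicy, ReadPolicy, OrphanPolicy, Service) and the placeholder task definition are constructed for illustration.

```python
"""Static checks for AWS::IAM::Policy resources in a CloudFormation template.
Added illustration, not AWS code. Standard library only; expects the
template in JSON form (CloudFormation converts YAML to JSON before
submitting policies to IAM). SAMPLE_TEMPLATE is constructed."""
import json

# Constructed sample: a role, two inline policies attached to it (one of them
# granting "*" on "*", both named "root"), a policy attached to nothing, and an
# ECS service that Refs the role without DependsOn on the policies.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "ecs-tasks.amazonaws.com"}}]}}},
    "AdminPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "Roles": [{"Ref": "AppRole"}]}},
    "ReadPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "root",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["cloudformation:Describe*"],
             "Resource": "*"}]},
        "Roles": [{"Ref": "AppRole"}]}},
    "OrphanPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "orphan",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}},
    "Service": {"Type": "AWS::ECS::Service", "Properties": {
        "Role": {"Ref": "AppRole"}, "TaskDefinition": "placeholder-task"}},
}})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _refs(node):
    """Yield every logical ID referenced through {"Ref": ...} under node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        else:
            for child in node.values():
                yield from _refs(child)
    elif isinstance(node, list):
        for child in node:
            yield from _refs(child)

def _attachments(props):
    """(kind, target) for each Groups/Roles/Users entry; the target is the
    Ref'd logical ID or the literal IAM name."""
    return [(kind, t["Ref"] if isinstance(t, dict) and "Ref" in t else str(t))
            for kind in ("Groups", "Roles", "Users") for t in props.get(kind, [])]

def check_template(template_json):
    """Return a list of human-readable findings for every AWS::IAM::Policy."""
    resources = json.loads(template_json).get("Resources", {})
    findings, names_seen = [], {}      # names_seen: (kind, target) -> {name: id}
    for pid, res in resources.items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        props = res.get("Properties", {})
        attached = _attachments(props)
        # 1. Groups, Roles or Users: at least one is required.
        if not attached:
            findings.append(f"{pid}: none of Groups, Roles or Users is set")
        # 2. PolicyName must be unique among the policies on one entity.
        name = props.get("PolicyName")
        for key in attached:
            owner = names_seen.setdefault(key, {})
            if name in owner:
                findings.append(f"{pid}: PolicyName {name!r} already used by "
                                f"{owner[name]} on {key[0][:-1]} {key[1]}")
            owner.setdefault(name, pid)
        # 3. Allow + Action "*" + Resource "*" is full administrative access.
        for stmt in props.get("PolicyDocument", {}).get("Statement", []):
            if (stmt.get("Effect") == "Allow"
                    and "*" in _as_list(stmt.get("Action", []))
                    and "*" in _as_list(stmt.get("Resource", []))):
                findings.append(f"{pid}: statement allows Action '*' on Resource '*'")
        # 4. A non-policy resource that Refs a role this policy is attached to
        #    should DependsOn the policy (see the note under Roles).
        roles = {t for kind, t in attached if kind == "Roles"}
        for rid, other in resources.items():
            if other.get("Type") == "AWS::IAM::Policy":
                continue
            if roles & set(_refs(other.get("Properties", {}))):
                if pid not in _as_list(other.get("DependsOn", [])):
                    findings.append(f"{rid}: Refs a role that {pid} is attached to "
                                    f"but does not DependsOn {pid}")
    return findings

if __name__ == "__main__":
    for line in check_template(SAMPLE_TEMPLATE):
        print(line)
```

Run against the constructed sample, the checker reports the missing attachment on OrphanPolicy, the duplicate "root" name on AppRole, the wildcard statement in AdminPolicy, and the two missing DependsOn entries on Service. The wildcard check is deliberately simple: it does not evaluate NotAction, Condition blocks, or Deny statements elsewhere in the document, so treat it as a prompt to review the statement rather than a verdict.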
