aws-iam.ReadOnlyPolicy
This resource helps you create an IAM read-only policy for the services you specify. The default AWS read-only policies may not include services you need or may contain services you do not need access to. This resource helps ensure your read-only policy has permissions to exactly what you specify.
Example Usage
using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;
/// <summary>
/// Stack that provisions a single IAM read-only policy scoped to the listed
/// services and exposes the resource as a stack output.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var args = new ReadOnlyPolicyArgs
        {
            Name = "example",
            Path = "/",
            Description = "My example read only policy",
            // Only these IAM service prefixes receive Get/List/Describe/View access.
            AllowedServices = {"rds", "dynamodb"},
        };
        var policy = new ReadOnlyPolicy("read-only-policy", args);

        // NOTE(review): exporting the whole resource presumably surfaces its
        // outputs (generated policy document included) as stack outputs — confirm
        // that is intended rather than exporting only Arn.
        this.ReadOnlyPolicy = Output.Create<ReadOnlyPolicy>(policy);
    }

    /// <summary>The created read-only policy resource.</summary>
    [Output]
    public Output<ReadOnlyPolicy> ReadOnlyPolicy { get; set; }
}
package main
import (
iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs the Pulumi program: it provisions one IAM read-only policy scoped
// to the listed services and exports the resource as a stack output.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Only these IAM service prefixes receive Get/List/Describe/View access.
		allowed := []string{"rds", "dynamodb"}
		args := &iam.ReadOnlyPolicyArgs{
			Name:            pulumi.String("example"),
			Path:            pulumi.String("/"),
			Description:     pulumi.String("My example policy"),
			AllowedServices: pulumi.ToStringArray(allowed),
		}

		policy, err := iam.NewReadOnlyPolicy(ctx, "read-only-policy", args)
		if err != nil {
			return err
		}

		// NOTE(review): exporting the whole resource presumably surfaces its
		// outputs (generated policy document included) as stack outputs — confirm
		// that is intended rather than exporting only the ARN.
		ctx.Export("readOnlyPolicy", policy)
		return nil
	})
}
Coming soon!
import pulumi
import pulumi_aws_iam as iam
# Inputs for the read-only policy. Only the listed IAM service prefixes
# receive Get/List/Describe/View access.
policy_args = dict(
    name="example",
    path="/",
    description="My example read only policy",
    allowed_services=["rds", "dynamodb"],
)

read_only_policy = iam.ReadOnlyPolicy("read_only_policy", **policy_args)

# NOTE(review): exporting the whole resource presumably surfaces its outputs
# (generated policy document included) as stack outputs — confirm that is
# intended rather than exporting only the ARN.
pulumi.export("read_only_policy", read_only_policy)
import * as iam from "@pulumi/aws-iam";
// Only these IAM service prefixes receive Get/List/Describe/View access.
const allowedServices: string[] = ["rds", "dynamodb"];

/**
 * IAM read-only policy scoped to `allowedServices`.
 * NOTE(review): exporting the whole resource presumably surfaces its outputs
 * (generated policy document included) as stack outputs — confirm that is
 * intended rather than exporting only the ARN.
 */
export const readOnlyPolicy = new iam.ReadOnlyPolicy(
    "aws-iam-example-read-only-policy",
    {
        name: "aws-iam-example-read-only",
        path: "/",
        description: "My example read only policy",
        allowedServices,
    },
);
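# Pulumi YAML program: provisions one IAM read-only policy scoped to the
# listed services. Nesting restored — the flattened form is not valid YAML
# for the resources/properties structure.
name: awsiam-yaml
runtime: yaml
resources:
  readOnlyPolicy:
    type: "aws-iam:index:ReadOnlyPolicy"
    properties:
      name: "example"
      path: "/"
      description: "My example read only policy"
      # Only these IAM service prefixes receive Get/List/Describe/View access.
      allowedServices:
        - "rds"
        - "dynamodb"
outputs:
  # NOTE(review): exporting the whole resource presumably surfaces its outputs
  # (generated policy document included) as stack outputs — confirm that is
  # intended rather than exporting only the ARN.
  readOnlyPolicy: ${readOnlyPolicy}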
Create ReadOnlyPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ReadOnlyPolicy(name: string, args: ReadOnlyPolicyArgs, opts?: ComponentResourceOptions);
@overload
def ReadOnlyPolicy(resource_name: str,
args: ReadOnlyPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ReadOnlyPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
name: Optional[str] = None,
additional_policy_json: Optional[str] = None,
allow_cloudwatch_logs_query: Optional[bool] = None,
allow_predefined_sts_actions: Optional[bool] = None,
allow_web_console_services: Optional[bool] = None,
allowed_services: Optional[Sequence[str]] = None,
description: Optional[str] = None,
path: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
web_console_services: Optional[Sequence[str]] = None)
func NewReadOnlyPolicy(ctx *Context, name string, args ReadOnlyPolicyArgs, opts ...ResourceOption) (*ReadOnlyPolicy, error)
public ReadOnlyPolicy(string name, ReadOnlyPolicyArgs args, ComponentResourceOptions? opts = null)
public ReadOnlyPolicy(String name, ReadOnlyPolicyArgs args)
public ReadOnlyPolicy(String name, ReadOnlyPolicyArgs args, ComponentResourceOptions options)
type: aws-iam:ReadOnlyPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ReadOnlyPolicyArgs
- The arguments to resource properties.
- opts ComponentResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ReadOnlyPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ReadOnlyPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ReadOnlyPolicyArgs
- The arguments to resource properties.
- opts ComponentResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ReadOnlyPolicyArgs
- The arguments to resource properties.
- options ComponentResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Constructor reference: every input is set to a placeholder value.
var readOnlyPolicyResource = new AwsIam.ReadOnlyPolicy("readOnlyPolicyResource", new()
{
    Name = "string",
    // JSON policy document adding custom actions to the generated policy.
    // NOTE(review): presumably not restricted to read-only actions — review its contents.
    AdditionalPolicyJson = "string",
    // Each flag below opts into the additional actions described on this page.
    AllowCloudwatchLogsQuery = false,
    AllowPredefinedStsActions = false,
    AllowWebConsoleServices = false,
    // IAM service prefixes granted Get/List/Describe/View.
    AllowedServices = new[]
    {
        "string",
    },
    Description = "string",
    Path = "string",
    Tags =
    {
        { "string", "string" },
    },
    // Web console services to allow.
    WebConsoleServices = new[]
    {
        "string",
    },
});
// Constructor reference: every input is set to a placeholder value.
example, err := awsiam.NewReadOnlyPolicy(ctx, "readOnlyPolicyResource", &awsiam.ReadOnlyPolicyArgs{
	Name: pulumi.String("string"),
	// JSON policy document adding custom actions to the generated policy.
	// NOTE(review): presumably not restricted to read-only actions — review its contents.
	AdditionalPolicyJson: pulumi.String("string"),
	// Each flag below opts into the additional actions described on this page.
	AllowCloudwatchLogsQuery:  pulumi.Bool(false),
	AllowPredefinedStsActions: pulumi.Bool(false),
	AllowWebConsoleServices:   pulumi.Bool(false),
	// IAM service prefixes granted Get/List/Describe/View.
	AllowedServices: pulumi.StringArray{
		pulumi.String("string"),
	},
	Description: pulumi.String("string"),
	Path:        pulumi.String("string"),
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	// Web console services to allow.
	WebConsoleServices: pulumi.StringArray{
		pulumi.String("string"),
	},
})
// Constructor reference: every input is set to a placeholder value.
var readOnlyPolicyResource = new ReadOnlyPolicy("readOnlyPolicyResource", ReadOnlyPolicyArgs.builder()
    .name("string")
    // JSON policy document adding custom actions to the generated policy.
    // NOTE(review): presumably not restricted to read-only actions — review its contents.
    .additionalPolicyJson("string")
    // Each flag below opts into the additional actions described on this page.
    .allowCloudwatchLogsQuery(false)
    .allowPredefinedStsActions(false)
    .allowWebConsoleServices(false)
    // IAM service prefixes granted Get/List/Describe/View.
    .allowedServices("string")
    .description("string")
    .path("string")
    .tags(Map.of("string", "string"))
    // Web console services to allow.
    .webConsoleServices("string")
    .build());
# Constructor reference: every input is set to a placeholder value.
read_only_policy_resource = aws_iam.ReadOnlyPolicy("readOnlyPolicyResource",
name="string",
# JSON policy document adding custom actions to the generated policy.
# NOTE(review): presumably not restricted to read-only actions — review its contents.
additional_policy_json="string",
# Each flag below opts into the additional actions described on this page.
allow_cloudwatch_logs_query=False,
allow_predefined_sts_actions=False,
allow_web_console_services=False,
# IAM service prefixes granted Get/List/Describe/View.
allowed_services=["string"],
description="string",
path="string",
tags={
"string": "string",
},
# Web console services to allow.
web_console_services=["string"])
// Constructor reference: every input is set to a placeholder value.
const readOnlyPolicyResource = new aws_iam.ReadOnlyPolicy("readOnlyPolicyResource", {
    name: "string",
    // JSON policy document adding custom actions to the generated policy.
    // NOTE(review): presumably not restricted to read-only actions — review its contents.
    additionalPolicyJson: "string",
    // Each flag below opts into the additional actions described on this page.
    allowCloudwatchLogsQuery: false,
    allowPredefinedStsActions: false,
    allowWebConsoleServices: false,
    // IAM service prefixes granted Get/List/Describe/View.
    allowedServices: ["string"],
    description: "string",
    path: "string",
    tags: {
        string: "string",
    },
    // Web console services to allow.
    webConsoleServices: ["string"],
});
# Constructor reference: every input is set to a placeholder value.
type: aws-iam:ReadOnlyPolicy
properties:
  # JSON policy document adding custom actions to the generated policy.
  # NOTE(review): presumably not restricted to read-only actions — review its contents.
  additionalPolicyJson: string
  # Each flag below opts into the additional actions described on this page.
  allowCloudwatchLogsQuery: false
  allowPredefinedStsActions: false
  allowWebConsoleServices: false
  # IAM service prefixes granted Get/List/Describe/View.
  allowedServices:
    - string
  description: string
  name: string
  path: string
  tags:
    string: string
  # Web console services to allow.
  webConsoleServices:
    - string
ReadOnlyPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ReadOnlyPolicy resource accepts the following input properties:
- Name string
- The name of the policy.
- AdditionalPolicyJson string
- JSON policy document if you want to add custom actions.
- AllowCloudwatchLogsQuery bool
- Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
- AllowPredefinedStsActions bool
- Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
- AllowWebConsoleServices bool
- Allows List/Get/Describe/View actions for services used when browsing the AWS console (e.g. resource-groups, tag, health services).
- AllowedServices List<string>
- List of services to allow Get/List/Describe/View actions for. The service name should be the same as the corresponding service's IAM prefix; see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for each service's prefix.
- Description string
- The description of the policy.
- Path string
- The path of the policy in IAM.
- Tags Dictionary<string, string>
- A map of tags to add.
- WebConsoleServices List<string>
- List of web console services to allow.
- Name string
- The name of the policy.
- AdditionalPolicyJson string
- JSON policy document if you want to add custom actions.
- AllowCloudwatchLogsQuery bool
- Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
- AllowPredefinedStsActions bool
- Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
- AllowWebConsoleServices bool
- Allows List/Get/Describe/View actions for services used when browsing the AWS console (e.g. resource-groups, tag, health services).
- AllowedServices []string
- List of services to allow Get/List/Describe/View actions for. The service name should be the same as the corresponding service's IAM prefix; see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for each service's prefix.
- Description string
- The description of the policy.
- Path string
- The path of the policy in IAM.
- Tags map[string]string
- A map of tags to add.
- WebConsoleServices []string
- List of web console services to allow.
- name String
- The name of the policy.
- additionalPolicyJson String
- JSON policy document if you want to add custom actions.
- allowCloudwatchLogsQuery Boolean
- Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
- allowPredefinedStsActions Boolean
- Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
- allowWebConsoleServices Boolean
- Allows List/Get/Describe/View actions for services used when browsing the AWS console (e.g. resource-groups, tag, health services).
- allowedServices List<String>
- List of services to allow Get/List/Describe/View actions for. The service name should be the same as the corresponding service's IAM prefix; see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for each service's prefix.
- description String
- The description of the policy.
- path String
- The path of the policy in IAM.
- tags Map<String,String>
- A map of tags to add.
- webConsoleServices List<String>
- List of web console services to allow.
- name string
- The name of the policy.
- additionalPolicyJson string
- JSON policy document if you want to add custom actions.
- allowCloudwatchLogsQuery boolean
- Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
- allowPredefinedStsActions boolean
- Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
- allowWebConsoleServices boolean
- Allows List/Get/Describe/View actions for services used when browsing the AWS console (e.g. resource-groups, tag, health services).
- allowedServices string[]
- List of services to allow Get/List/Describe/View actions for. The service name should be the same as the corresponding service's IAM prefix; see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for each service's prefix.
- description string
- The description of the policy.
- path string
- The path of the policy in IAM.
- tags {[key: string]: string}
- A map of tags to add.
- webConsoleServices string[]
- List of web console services to allow.
- name str
- The name of the policy.
- additional_policy_json str
- JSON policy document if you want to add custom actions.
- allow_cloudwatch_logs_query bool
- Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
- allow_predefined_sts_actions bool
- Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
- allow_web_console_services bool
- Allows List/Get/Describe/View actions for services used when browsing the AWS console (e.g. resource-groups, tag, health services).
- allowed_services Sequence[str]
- List of services to allow Get/List/Describe/View actions for. The service name should be the same as the corresponding service's IAM prefix; see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for each service's prefix.
- description str
- The description of the policy.
- path str
- The path of the policy in IAM.
- tags Mapping[str, str]
- A map of tags to add.
- web_console_services Sequence[str]
- List of web console services to allow.
- name String
- The name of the policy.
- additionalPolicyJson String
- JSON policy document if you want to add custom actions.
- allowCloudwatchLogsQuery Boolean
- Allows StartQuery/StopQuery/FilterLogEvents CloudWatch actions.
- allowPredefinedStsActions Boolean
- Allows GetCallerIdentity/GetSessionToken/GetAccessKeyInfo sts actions.
- allowWebConsoleServices Boolean
- Allows List/Get/Describe/View actions for services used when browsing the AWS console (e.g. resource-groups, tag, health services).
- allowedServices List<String>
- List of services to allow Get/List/Describe/View actions for. The service name should be the same as the corresponding service's IAM prefix; see https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html for each service's prefix.
- description String
- The description of the policy.
- path String
- The path of the policy in IAM.
- tags Map<String>
- A map of tags to add.
- webConsoleServices List<String>
- List of web console services to allow.
Outputs
All input properties are implicitly available as output properties. Additionally, the ReadOnlyPolicy resource produces the following output properties:
- Arn string
- The ARN assigned by AWS to this policy.
- Id string
- The policy's ID.
- Policy string
- The policy document.
- PolicyJson string
- The policy document as JSON. Useful if you need the document but do not want to create the IAM policy itself, for example for SSO Permission Set inline policies.
- Arn string
- The ARN assigned by AWS to this policy.
- Id string
- The policy's ID.
- Policy string
- The policy document.
- PolicyJson string
- The policy document as JSON. Useful if you need the document but do not want to create the IAM policy itself, for example for SSO Permission Set inline policies.
- arn String
- The ARN assigned by AWS to this policy.
- id String
- The policy's ID.
- policy String
- The policy document.
- policyJson String
- The policy document as JSON. Useful if you need the document but do not want to create the IAM policy itself, for example for SSO Permission Set inline policies.
- arn string
- The ARN assigned by AWS to this policy.
- id string
- The policy's ID.
- policy string
- The policy document.
- policyJson string
- The policy document as JSON. Useful if you need the document but do not want to create the IAM policy itself, for example for SSO Permission Set inline policies.
- arn str
- The ARN assigned by AWS to this policy.
- id str
- The policy's ID.
- policy str
- The policy document.
- policy_json str
- The policy document as JSON. Useful if you need the document but do not want to create the IAM policy itself, for example for SSO Permission Set inline policies.
- arn String
- The ARN assigned by AWS to this policy.
- id String
- The policy's ID.
- policy String
- The policy document.
- policyJson String
- The policy document as JSON. Useful if you need the document but do not want to create the IAM policy itself, for example for SSO Permission Set inline policies.
Package Details
- Repository
- aws-iam
- License