AWS v6.60.0 published on Tuesday, Nov 19, 2024 by Pulumi

aws.iam.getPolicyDocument



    Generates an IAM policy document in JSON format for use with resources that expect policy documents such as aws.iam.Policy.

    Using this data source to generate policy documents is optional. It is also valid to use literal JSON strings in your configuration or to use the file interpolation function to read a raw JSON policy document from a file.

    Example Usage

    Basic Example

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // NOTE(review): `s3BucketName` is not declared in this snippet; the
    // surrounding program has to supply it.

    // Statement "1": bucket discovery across every bucket (`arn:aws:s3:::*`).
    const listAllBuckets = {
        sid: "1",
        actions: [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
        ],
        resources: ["arn:aws:s3:::*"],
    };

    // Listing inside the bucket is allowed only when the requested `s3:prefix`
    // matches the bucket root, `home/`, or the caller's own home prefix.
    const listHomePrefixes = {
        actions: ["s3:ListBucket"],
        resources: [`arn:aws:s3:::${s3BucketName}`],
        conditions: [{
            test: "StringLike",
            variable: "s3:prefix",
            values: [
                "",
                "home/",
                // `&{...}` is presumably emitted as the IAM policy variable
                // `${aws:username}` in the JSON output; confirm in the provider docs.
                "home/&{aws:username}/",
            ],
        }],
    };

    // `s3:*` grants every S3 action, so the resource ARNs are the only boundary
    // here: they confine it to the caller's own `home/<username>` keys. When
    // adapting this example, list only the actions that are needed.
    const homeDirectoryAccess = {
        actions: ["s3:*"],
        resources: [
            `arn:aws:s3:::${s3BucketName}/home/&{aws:username}`,
            `arn:aws:s3:::${s3BucketName}/home/&{aws:username}/*`,
        ],
    };

    const example = aws.iam.getPolicyDocument({
        statements: [
            listAllBuckets,
            listHomePrefixes,
            homeDirectoryAccess,
        ],
    });

    // Attach the rendered JSON to a managed policy.
    const examplePolicy = new aws.iam.Policy("example", {
        name: "example_policy",
        path: "/",
        policy: example.then(doc => doc.json),
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # NOTE(review): `s3_bucket_name` is not defined in this snippet; the
    # surrounding program has to supply it.

    # Statement "1": bucket discovery across every bucket (`arn:aws:s3:::*`).
    list_all_buckets = {
        "sid": "1",
        "actions": [
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
        ],
        "resources": ["arn:aws:s3:::*"],
    }

    # Listing inside the bucket is allowed only when the requested `s3:prefix`
    # matches the bucket root, `home/`, or the caller's own home prefix.
    list_home_prefixes = {
        "actions": ["s3:ListBucket"],
        "resources": [f"arn:aws:s3:::{s3_bucket_name}"],
        "conditions": [{
            "test": "StringLike",
            "variable": "s3:prefix",
            "values": [
                "",
                "home/",
                # Plain string, so the braces need no escaping here.
                "home/&{aws:username}/",
            ],
        }],
    }

    # `s3:*` grants every S3 action, so the resource ARNs are the only boundary
    # here. The doubled braces are f-string escapes and yield `&{aws:username}`.
    # When adapting this example, list only the actions that are needed.
    home_directory_access = {
        "actions": ["s3:*"],
        "resources": [
            f"arn:aws:s3:::{s3_bucket_name}/home/&{{aws:username}}",
            f"arn:aws:s3:::{s3_bucket_name}/home/&{{aws:username}}/*",
        ],
    }

    example = aws.iam.get_policy_document(statements=[
        list_all_buckets,
        list_home_prefixes,
        home_directory_access,
    ])

    # Attach the rendered JSON to a managed policy.
    example_policy = aws.iam.Policy(
        "example",
        name="example_policy",
        path="/",
        policy=example.json,
    )
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main renders a three-statement S3 policy document and attaches the
    // resulting JSON to a managed IAM policy named "example_policy".
    //
    // NOTE(review): s3BucketName is not declared in this snippet; the
    // surrounding program has to supply it.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		statements := []iam.GetPolicyDocumentStatement{
    			// Statement "1": bucket discovery across every bucket.
    			{
    				Sid:       pulumi.StringRef("1"),
    				Actions:   []string{"s3:ListAllMyBuckets", "s3:GetBucketLocation"},
    				Resources: []string{"arn:aws:s3:::*"},
    			},
    			// Listing is allowed only when the requested s3:prefix matches
    			// the bucket root, "home/", or the caller's own home prefix.
    			{
    				Actions:   []string{"s3:ListBucket"},
    				Resources: []string{fmt.Sprintf("arn:aws:s3:::%v", s3BucketName)},
    				Conditions: []iam.GetPolicyDocumentStatementCondition{
    					{
    						Test:     "StringLike",
    						Variable: "s3:prefix",
    						Values:   []string{"", "home/", "home/&{aws:username}/"},
    					},
    				},
    			},
    			// s3:* grants every S3 action, so the resource ARNs are the only
    			// boundary here. When adapting this example, list only the
    			// actions that are needed.
    			{
    				Actions: []string{"s3:*"},
    				Resources: []string{
    					fmt.Sprintf("arn:aws:s3:::%v/home/&{aws:username}", s3BucketName),
    					fmt.Sprintf("arn:aws:s3:::%v/home/&{aws:username}/*", s3BucketName),
    				},
    			},
    		}

    		example, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: statements,
    		}, nil)
    		if err != nil {
    			return err
    		}

    		// Attach the rendered JSON to a managed policy; any error is
    		// returned to pulumi.Run as-is.
    		_, err = iam.NewPolicy(ctx, "example", &iam.PolicyArgs{
    			Name:   pulumi.String("example_policy"),
    			Path:   pulumi.String("/"),
    			Policy: pulumi.String(example.Json),
    		})
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    // Renders a three-statement S3 policy document and attaches the resulting
    // JSON to a managed IAM policy.
    // NOTE(review): `s3BucketName` is not declared in this snippet; the
    // surrounding program has to supply it.
    return await Deployment.RunAsync(() => 
    {
        var example = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                // Statement "1": bucket discovery across every bucket.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "1",
                    Actions = new[]
                    {
                        "s3:ListAllMyBuckets",
                        "s3:GetBucketLocation",
                    },
                    Resources = new[]
                    {
                        "arn:aws:s3:::*",
                    },
                },
                // Listing is allowed only when the requested s3:prefix matches
                // the bucket root, "home/", or the caller's own home prefix.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "s3:ListBucket",
                    },
                    Resources = new[]
                    {
                        $"arn:aws:s3:::{s3BucketName}",
                    },
                    Conditions = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "StringLike",
                            Variable = "s3:prefix",
                            Values = new[]
                            {
                                "",
                                "home/",
                                "home/&{aws:username}/",
                            },
                        },
                    },
                },
                // s3:* grants every S3 action, so the resource ARNs are the only
                // boundary here. When adapting this example, list only the
                // actions that are needed.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "s3:*",
                    },
                    Resources = new[]
                    {
                        // Doubled braces are interpolated-string escapes and
                        // yield the literal `&{aws:username}`.
                        $"arn:aws:s3:::{s3BucketName}/home/&{{aws:username}}",
                        $"arn:aws:s3:::{s3BucketName}/home/&{{aws:username}}/*",
                    },
                },
            },
        });
    
        // Attach the rendered JSON to a managed policy.
        var examplePolicy = new Aws.Iam.Policy("example", new()
        {
            Name = "example_policy",
            Path = "/",
            PolicyDocument = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.Policy;
    import com.pulumi.aws.iam.PolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
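    /**
     * Renders a three-statement S3 policy document and attaches the resulting
     * JSON to a managed IAM policy.
     *
     * NOTE(review): {@code s3BucketName} is not declared in this snippet; the
     * surrounding program has to supply it.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the policy document and the policy that consumes it.
         *
         * @param ctx the Pulumi context passed in by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            final var example = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(
                    // Statement "1": bucket discovery across every bucket.
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("1")
                        .actions(
                            "s3:ListAllMyBuckets",
                            "s3:GetBucketLocation")
                        .resources("arn:aws:s3:::*")
                        .build(),
                    // Listing is allowed only when the requested s3:prefix matches
                    // the bucket root, "home/", or the caller's own home prefix.
                    GetPolicyDocumentStatementArgs.builder()
                        .actions("s3:ListBucket")
                        .resources(String.format("arn:aws:s3:::%s", s3BucketName))
                        .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                            .test("StringLike")
                            .variable("s3:prefix")
                            .values(
                                "",
                                "home/",
                                "home/&{aws:username}/")
                            .build())
                        .build(),
                    // s3:* grants every S3 action, so the resource ARNs are the only
                    // boundary here. When adapting this example, list only the
                    // actions that are needed.
                    GetPolicyDocumentStatementArgs.builder()
                        .actions("s3:*")
                        .resources(
                            // String.format has no brace escaping, so single braces
                            // are required; "&{{aws:username}}" would be emitted
                            // literally and the ARN would not match the caller's
                            // home prefix.
                            String.format("arn:aws:s3:::%s/home/&{aws:username}", s3BucketName),
                            String.format("arn:aws:s3:::%s/home/&{aws:username}/*", s3BucketName))
                        .build())
                .build());

            // Attach the rendered JSON to a managed policy.
            var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()
                .name("example_policy")
                .path("/")
                .policy(example.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());

        }
    }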
    
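    # Managed policy that consumes the JSON rendered by the `example` variable.
    resources:
      examplePolicy:
        type: aws:iam:Policy
        name: example
        properties:
          name: example_policy
          path: /
          policy: ${example.json}
    variables:
      example:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              # Statement "1": bucket discovery across every bucket.
              - sid: '1'
                actions:
                  - s3:ListAllMyBuckets
                  - s3:GetBucketLocation
                resources:
                  - arn:aws:s3:::*
              # Listing is allowed only when the requested s3:prefix matches the
              # bucket root, "home/", or the caller's own home prefix.
              - actions:
                  - s3:ListBucket
                resources:
                  - arn:aws:s3:::${s3BucketName}
                conditions:
                  - test: StringLike
                    variable: s3:prefix
                    values:
                      # Explicit empty string: a bare "-" parses as null, not "".
                      - ""
                      - home/
                      - home/&{aws:username}/
              # s3:* grants every S3 action, so the resource ARNs are the only
              # boundary here. When adapting this example, list only the actions
              # that are needed.
              - actions:
                  - s3:*
                resources:
                  - arn:aws:s3:::${s3BucketName}/home/&{aws:username}
                  - arn:aws:s3:::${s3BucketName}/home/&{aws:username}/*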
    

    Example Multiple Condition Keys and Values

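    You can specify a condition with multiple keys and values by supplying multiple condition blocks that share the same test value but have different variable and values settings. The blocks are merged under a single operator in the generated JSON, as the output below shows.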

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Three condition blocks that share one operator. IAM requires every key
    // listed under an operator to match, so all three encryption-context checks
    // must pass before the statement applies.
    // NOTE(review): the kms:EncryptionContext:* keys appear to be single-valued,
    // in which case plain "StringEquals" would express the same test - confirm
    // against the AWS condition-key reference.
    const encryptionContextConditions = [
        {
            test: "ForAnyValue:StringEquals",
            variable: "kms:EncryptionContext:service",
            values: ["pi"],
        },
        {
            test: "ForAnyValue:StringEquals",
            variable: "kms:EncryptionContext:aws:pi:service",
            values: ["rds"],
        },
        {
            test: "ForAnyValue:StringEquals",
            variable: "kms:EncryptionContext:aws:rds:db-id",
            values: [
                "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
            ],
        },
    ];

    // `resources` is "*", so the conditions above are the only thing that
    // narrows which KMS requests this statement allows.
    const exampleMultipleConditionKeysAndValues = aws.iam.getPolicyDocument({
        statements: [{
            actions: [
                "kms:Decrypt",
                "kms:GenerateDataKey",
            ],
            resources: ["*"],
            conditions: encryptionContextConditions,
        }],
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # Three condition blocks that share one operator. IAM requires every key
    # listed under an operator to match, so all three encryption-context checks
    # must pass before the statement applies.
    encryption_context_conditions = [
        {
            "test": "ForAnyValue:StringEquals",
            "variable": "kms:EncryptionContext:service",
            "values": ["pi"],
        },
        {
            "test": "ForAnyValue:StringEquals",
            "variable": "kms:EncryptionContext:aws:pi:service",
            "values": ["rds"],
        },
        {
            "test": "ForAnyValue:StringEquals",
            "variable": "kms:EncryptionContext:aws:rds:db-id",
            "values": [
                "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
            ],
        },
    ]

    # `resources` is "*", so the conditions above are the only thing that
    # narrows which KMS requests this statement allows.
    kms_statement = {
        "actions": [
            "kms:Decrypt",
            "kms:GenerateDataKey",
        ],
        "resources": ["*"],
        "conditions": encryption_context_conditions,
    }

    example_multiple_condition_keys_and_values = aws.iam.get_policy_document(
        statements=[kms_statement],
    )
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main renders a single KMS statement whose three condition blocks share the
    // "ForAnyValue:StringEquals" operator.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// IAM requires every key listed under an operator to match, so all
    		// three encryption-context checks must pass before the statement
    		// applies.
    		conditions := []iam.GetPolicyDocumentStatementCondition{
    			{
    				Test:     "ForAnyValue:StringEquals",
    				Variable: "kms:EncryptionContext:service",
    				Values:   []string{"pi"},
    			},
    			{
    				Test:     "ForAnyValue:StringEquals",
    				Variable: "kms:EncryptionContext:aws:pi:service",
    				Values:   []string{"rds"},
    			},
    			{
    				Test:     "ForAnyValue:StringEquals",
    				Variable: "kms:EncryptionContext:aws:rds:db-id",
    				Values: []string{
    					"db-AAAAABBBBBCCCCCDDDDDEEEEE",
    					"db-EEEEEDDDDDCCCCCBBBBBAAAAA",
    				},
    			},
    		}

    		// Resources is "*", so the conditions above are the only thing that
    		// narrows which KMS requests this statement allows.
    		_, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions:    []string{"kms:Decrypt", "kms:GenerateDataKey"},
    					Resources:  []string{"*"},
    					Conditions: conditions,
    				},
    			},
    		}, nil)
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    // Renders a single KMS statement whose three condition blocks share the
    // "ForAnyValue:StringEquals" operator.
    return await Deployment.RunAsync(() => 
    {
        var exampleMultipleConditionKeysAndValues = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "kms:Decrypt",
                        "kms:GenerateDataKey",
                    },
                    // Resources is "*", so the conditions below are the only
                    // thing that narrows which KMS requests are allowed.
                    Resources = new[]
                    {
                        "*",
                    },
                    // IAM requires every key listed under an operator to match,
                    // so all three encryption-context checks must pass.
                    Conditions = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "ForAnyValue:StringEquals",
                            Variable = "kms:EncryptionContext:service",
                            Values = new[]
                            {
                                "pi",
                            },
                        },
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "ForAnyValue:StringEquals",
                            Variable = "kms:EncryptionContext:aws:pi:service",
                            Values = new[]
                            {
                                "rds",
                            },
                        },
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                        {
                            Test = "ForAnyValue:StringEquals",
                            Variable = "kms:EncryptionContext:aws:rds:db-id",
                            Values = new[]
                            {
                                "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                                "db-EEEEEDDDDDCCCCCBBBBBAAAAA",
                            },
                        },
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Renders a single KMS statement whose three condition blocks share the
     * "ForAnyValue:StringEquals" operator.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the policy document.
         *
         * @param ctx the Pulumi context passed in by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            final var exampleMultipleConditionKeysAndValues = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .actions(                
                        "kms:Decrypt",
                        "kms:GenerateDataKey")
                    // resources is "*", so the conditions below are the only
                    // thing that narrows which KMS requests are allowed.
                    .resources("*")
                    // IAM requires every key listed under an operator to match,
                    // so all three encryption-context checks must pass.
                    .conditions(                
                        GetPolicyDocumentStatementConditionArgs.builder()
                            .test("ForAnyValue:StringEquals")
                            .variable("kms:EncryptionContext:service")
                            .values("pi")
                            .build(),
                        GetPolicyDocumentStatementConditionArgs.builder()
                            .test("ForAnyValue:StringEquals")
                            .variable("kms:EncryptionContext:aws:pi:service")
                            .values("rds")
                            .build(),
                        GetPolicyDocumentStatementConditionArgs.builder()
                            .test("ForAnyValue:StringEquals")
                            .variable("kms:EncryptionContext:aws:rds:db-id")
                            .values(                        
                                "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                                "db-EEEEEDDDDDCCCCCBBBBBAAAAA")
                            .build())
                    .build())
                .build());
    
        }
    }
    
    # Single KMS statement whose three condition blocks share the
    # ForAnyValue:StringEquals operator.
    variables:
      exampleMultipleConditionKeysAndValues:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - actions:
                  - kms:Decrypt
                  - kms:GenerateDataKey
                # resources is '*', so the conditions below are the only thing
                # that narrows which KMS requests are allowed.
                resources:
                  - '*'
                # IAM requires every key listed under an operator to match, so
                # all three encryption-context checks must pass.
                conditions:
                  - test: ForAnyValue:StringEquals
                    variable: kms:EncryptionContext:service
                    values:
                      - pi
                  - test: ForAnyValue:StringEquals
                    variable: kms:EncryptionContext:aws:pi:service
                    values:
                      - rds
                  - test: ForAnyValue:StringEquals
                    variable: kms:EncryptionContext:aws:rds:db-id
                    values:
                      - db-AAAAABBBBBCCCCCDDDDDEEEEE
                      - db-EEEEEDDDDDCCCCCBBBBBAAAAA
    

    The json output of exampleMultipleConditionKeysAndValues (written in Terraform notation as data.aws_iam_policy_document.example_multiple_condition_keys_and_values.json) will evaluate to:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": "*",
          "Condition": {
            "ForAnyValue:StringEquals": {
              "kms:EncryptionContext:aws:pi:service": "rds",
              "kms:EncryptionContext:aws:rds:db-id": [
                "db-AAAAABBBBBCCCCCDDDDDEEEEE",
                "db-EEEEEDDDDDCCCCCBBBBBAAAAA"
              ],
              "kms:EncryptionContext:service": "pi"
            }
          }
        }
      ]
    }
    

    Example Assume-Role Policy with Multiple Principals

    You can specify multiple principal blocks with different types. You can also use this data source to generate an assume-role policy.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Every principal listed here may assume the role this trust policy is
    // attached to; the statement carries no conditions.
    // NOTE(review): `trustedRoleArn`, `accountId` and `providerName` are not
    // declared in this snippet. Federated principals are normally paired with
    // sts:AssumeRoleWithSAML / sts:AssumeRoleWithWebIdentity and an audience
    // condition rather than plain sts:AssumeRole - verify before reusing.
    const trustedPrincipals = [
        {
            type: "Service",
            identifiers: ["firehose.amazonaws.com"],
        },
        {
            type: "AWS",
            identifiers: [trustedRoleArn],
        },
        {
            type: "Federated",
            identifiers: [
                `arn:aws:iam::${accountId}:saml-provider/${providerName}`,
                "cognito-identity.amazonaws.com",
            ],
        },
    ];

    const eventStreamBucketRoleAssumeRolePolicy = aws.iam.getPolicyDocument({
        statements: [{
            actions: ["sts:AssumeRole"],
            principals: trustedPrincipals,
        }],
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # Every principal listed here may assume the role this trust policy is
    # attached to; the statement carries no conditions.
    # NOTE(review): `trusted_role_arn`, `account_id` and `provider_name` are not
    # defined in this snippet. Federated principals are normally paired with
    # sts:AssumeRoleWithSAML / sts:AssumeRoleWithWebIdentity and an audience
    # condition rather than plain sts:AssumeRole - verify before reusing.
    trusted_principals = [
        {
            "type": "Service",
            "identifiers": ["firehose.amazonaws.com"],
        },
        {
            "type": "AWS",
            "identifiers": [trusted_role_arn],
        },
        {
            "type": "Federated",
            "identifiers": [
                f"arn:aws:iam::{account_id}:saml-provider/{provider_name}",
                "cognito-identity.amazonaws.com",
            ],
        },
    ]

    event_stream_bucket_role_assume_role_policy = aws.iam.get_policy_document(
        statements=[{
            "actions": ["sts:AssumeRole"],
            "principals": trusted_principals,
        }],
    )
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
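    // main renders an assume-role (trust) policy document with one statement that
    // names three principal types: a service, an AWS role ARN, and two federated
    // identity providers.
    //
    // NOTE(review): trustedRoleArn, accountId and providerName are not declared
    // in this snippet. The statement carries no conditions, and federated
    // principals are normally paired with sts:AssumeRoleWithSAML /
    // sts:AssumeRoleWithWebIdentity and an audience condition - verify before
    // reusing.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions: []string{
    						"sts:AssumeRole",
    					},
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "Service",
    							Identifiers: []string{
    								"firehose.amazonaws.com",
    							},
    						},
    						{
    							Type: "AWS",
    							// Identifiers is a []string; the generated
    							// `interface{}{...}` literal does not compile.
    							Identifiers: []string{
    								trustedRoleArn,
    							},
    						},
    						{
    							Type: "Federated",
    							Identifiers: []string{
    								fmt.Sprintf("arn:aws:iam::%v:saml-provider/%v", accountId, providerName),
    								"cognito-identity.amazonaws.com",
    							},
    						},
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }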
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    // Renders an assume-role (trust) policy with one statement that names three
    // principal types. The statement carries no conditions.
    // NOTE(review): `trustedRoleArn`, `accountId` and `providerName` are not
    // declared in this snippet. Federated principals are normally paired with
    // sts:AssumeRoleWithSAML / sts:AssumeRoleWithWebIdentity and an audience
    // condition rather than plain sts:AssumeRole - verify before reusing.
    return await Deployment.RunAsync(() => 
    {
        var eventStreamBucketRoleAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "sts:AssumeRole",
                    },
                    // Every principal listed here may assume the role.
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "Service",
                            Identifiers = new[]
                            {
                                "firehose.amazonaws.com",
                            },
                        },
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                trustedRoleArn,
                            },
                        },
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "Federated",
                            Identifiers = new[]
                            {
                                $"arn:aws:iam::{accountId}:saml-provider/{providerName}",
                                "cognito-identity.amazonaws.com",
                            },
                        },
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Renders an assume-role (trust) policy with one statement that names three
     * principal types. The statement carries no conditions.
     *
     * NOTE(review): {@code trustedRoleArn}, {@code accountId} and
     * {@code providerName} are not declared in this snippet. Federated principals
     * are normally paired with sts:AssumeRoleWithSAML /
     * sts:AssumeRoleWithWebIdentity and an audience condition rather than plain
     * sts:AssumeRole - verify before reusing.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the trust policy document.
         *
         * @param ctx the Pulumi context passed in by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            final var eventStreamBucketRoleAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .actions("sts:AssumeRole")
                    // Every principal listed here may assume the role.
                    .principals(                
                        GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("Service")
                            .identifiers("firehose.amazonaws.com")
                            .build(),
                        GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers(trustedRoleArn)
                            .build(),
                        GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("Federated")
                            .identifiers(                        
                                String.format("arn:aws:iam::%s:saml-provider/%s", accountId,providerName),
                                "cognito-identity.amazonaws.com")
                            .build())
                    .build())
                .build());
    
        }
    }
    
    # Assume-role (trust) policy with one statement that names three principal
    # types. The statement carries no conditions.
    # NOTE(review): Federated principals are normally paired with
    # sts:AssumeRoleWithSAML / sts:AssumeRoleWithWebIdentity and an audience
    # condition rather than plain sts:AssumeRole - verify before reusing.
    variables:
      eventStreamBucketRoleAssumeRolePolicy:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - actions:
                  - sts:AssumeRole
                # Every principal listed here may assume the role.
                principals:
                  - type: Service
                    identifiers:
                      - firehose.amazonaws.com
                  - type: AWS
                    identifiers:
                      - ${trustedRoleArn}
                  - type: Federated
                    identifiers:
                      - arn:aws:iam::${accountId}:saml-provider/${providerName}
                      - cognito-identity.amazonaws.com
    

    Example Using A Source Document

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Base document. Both statements are deliberately broad: every EC2 action
    // and every S3 action on every resource.
    const source = aws.iam.getPolicyDocument({
        statements: [
            {
                actions: ["ec2:*"],
                resources: ["*"],
            },
            {
                sid: "SidToOverride",
                actions: ["s3:*"],
                resources: ["*"],
            },
        ],
    });

    // Reuses the sid "SidToOverride", presumably replacing the source's S3
    // statement so that s3:* is limited to one bucket and its objects.
    // NOTE(review): the unnamed ec2:* statement on "*" is not redefined here and
    // presumably carries over unchanged - check the rendered JSON.
    const narrowedS3Statement = {
        sid: "SidToOverride",
        actions: ["s3:*"],
        resources: [
            "arn:aws:s3:::somebucket",
            "arn:aws:s3:::somebucket/*",
        ],
    };

    const sourceDocumentExample = source.then(base => aws.iam.getPolicyDocument({
        sourcePolicyDocuments: [base.json],
        statements: [narrowedS3Statement],
    }));
    
    import pulumi
    import pulumi_aws as aws
    
    # Base document. Both statements are deliberately broad: every EC2 action
    # and every S3 action on every resource.
    broad_ec2_statement = {
        "actions": ["ec2:*"],
        "resources": ["*"],
    }
    broad_s3_statement = {
        "sid": "SidToOverride",
        "actions": ["s3:*"],
        "resources": ["*"],
    }
    source = aws.iam.get_policy_document(statements=[
        broad_ec2_statement,
        broad_s3_statement,
    ])

    # Reuses the sid "SidToOverride", presumably replacing the source's S3
    # statement so that s3:* is limited to one bucket and its objects.
    # NOTE(review): the unnamed ec2:* statement on "*" is not redefined here and
    # presumably carries over unchanged - check the rendered JSON.
    narrowed_s3_statement = {
        "sid": "SidToOverride",
        "actions": ["s3:*"],
        "resources": [
            "arn:aws:s3:::somebucket",
            "arn:aws:s3:::somebucket/*",
        ],
    }
    source_document_example = aws.iam.get_policy_document(
        source_policy_documents=[source.json],
        statements=[narrowed_s3_statement],
    )
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
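    // main renders a broad base policy document and then a second document that
    // takes the first one as a source and redefines the "SidToOverride"
    // statement with bucket-scoped resources.
    //
    // NOTE(review): the unnamed ec2:* statement on "*" is not redefined by the
    // second document and presumably carries over unchanged - check the
    // rendered JSON.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Base document: every EC2 action and every S3 action on every
    		// resource.
    		source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions: []string{
    						"ec2:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    				{
    					Sid: pulumi.StringRef("SidToOverride"),
    					Actions: []string{
    						"s3:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			// SourcePolicyDocuments is a []string; the generated
    			// `interface{}{...}` literal does not compile.
    			SourcePolicyDocuments: []string{
    				source.Json,
    			},
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					// Same sid as the source's S3 statement, now limited
    					// to one bucket and its objects.
    					Sid: pulumi.StringRef("SidToOverride"),
    					Actions: []string{
    						"s3:*",
    					},
    					Resources: []string{
    						"arn:aws:s3:::somebucket",
    						"arn:aws:s3:::somebucket/*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }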
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    // Renders a broad base policy document and then a second document that takes
    // the first one as a source and redefines the "SidToOverride" statement.
    // NOTE(review): the unnamed ec2:* statement on "*" is not redefined by the
    // second document and presumably carries over unchanged - check the
    // rendered JSON.
    return await Deployment.RunAsync(() => 
    {
        // Base document: every EC2 action and every S3 action on every resource.
        var source = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "ec2:*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "SidToOverride",
                    Actions = new[]
                    {
                        "s3:*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
            },
        });
    
        var sourceDocumentExample = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            SourcePolicyDocuments = new[]
            {
                source.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
            },
            Statements = new[]
            {
                // Same sid as the source's S3 statement, now limited to one
                // bucket and its objects.
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "SidToOverride",
                    Actions = new[]
                    {
                        "s3:*",
                    },
                    Resources = new[]
                    {
                        "arn:aws:s3:::somebucket",
                        "arn:aws:s3:::somebucket/*",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Builds a base ("source") policy document, then a second document that imports it
     * through sourcePolicyDocuments and redeclares the statement with Sid "SidToOverride".
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // NOTE(review): GetPolicyDocumentStatementArgs is not in the import list shown
            // above this class; it presumably lives in com.pulumi.aws.iam.inputs - confirm.
            // Source document: an unnamed ec2:* statement and "SidToOverride" with s3:*,
            // both on Resource "*". Illustrative only; scope real policies to named
            // actions and ARNs.
            final var source = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(            
                    GetPolicyDocumentStatementArgs.builder()
                        .actions("ec2:*")
                        .resources("*")
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("SidToOverride")
                        .actions("s3:*")
                        .resources("*")
                        .build())
                .build());
    
            // The inline statement reuses Sid "SidToOverride", so in the rendered JSON it
            // replaces the source document's statement and limits s3:* to the somebucket ARNs.
            final var sourceDocumentExample = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .sourcePolicyDocuments(source.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .sid("SidToOverride")
                    .actions("s3:*")
                    .resources(                
                        "arn:aws:s3:::somebucket",
                        "arn:aws:s3:::somebucket/*")
                    .build())
                .build());
    
        }
    }
    
    # Builds a base ("source") policy document and a second document that imports it via
    # sourcePolicyDocuments while redeclaring the statement with Sid "SidToOverride".
    variables:
      # Source document: wildcard actions on resource '*' are illustrative only; real
      # policies should list the actions and ARNs they need.
      source:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - actions:
                  - ec2:*
                resources:
                  - '*'
              - sid: SidToOverride
                actions:
                  - s3:*
                resources:
                  - '*'
      # The inline SidToOverride statement replaces the one from the source document in
      # the rendered JSON, limiting s3:* to the somebucket ARNs.
      sourceDocumentExample:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            sourcePolicyDocuments:
              - ${source.json}
            statements:
              - sid: SidToOverride
                actions:
                  - s3:*
                resources:
                  - arn:aws:s3:::somebucket
                  - arn:aws:s3:::somebucket/*
    

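    The json output of sourceDocumentExample (data.aws_iam_policy_document.source_document_example.json in Terraform notation) will evaluate to the following. The statement declared inline replaces the source document's statement that shares the Sid SidToOverride: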

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*"
        },
        {
          "Sid": "SidToOverride",
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::somebucket/*",
            "arn:aws:s3:::somebucket"
          ]
        }
      ]
    }
    

    Example Using An Override Document

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Override document: a single statement, Sid "SidToOverride", allowing s3:* on every resource.
    const override = aws.iam.getPolicyDocument({
        statements: [{
            sid: "SidToOverride",
            actions: ["s3:*"],
            resources: ["*"],
        }],
    });
    // Lists the override document in overridePolicyDocuments and also declares "SidToOverride"
    // inline with bucket-scoped resources. In the rendered JSON the override document's statement
    // wins, so the result allows s3:* on "*" instead of on somebucket only. An override document
    // can therefore widen a statement as well as narrow it; review what each one grants.
    const overridePolicyDocumentExample = override.then(override => aws.iam.getPolicyDocument({
        overridePolicyDocuments: [override.json],
        statements: [
            {
                actions: ["ec2:*"],
                resources: ["*"],
            },
            {
                sid: "SidToOverride",
                actions: ["s3:*"],
                resources: [
                    "arn:aws:s3:::somebucket",
                    "arn:aws:s3:::somebucket/*",
                ],
            },
        ],
    }));
    
    import pulumi
    import pulumi_aws as aws
    
    # Override document: a single statement, Sid "SidToOverride", allowing s3:* on every resource.
    override = aws.iam.get_policy_document(statements=[{
        "sid": "SidToOverride",
        "actions": ["s3:*"],
        "resources": ["*"],
    }])
    # Lists the override document in override_policy_documents and also declares "SidToOverride"
    # inline with bucket-scoped resources. In the rendered JSON the override document's statement
    # wins, so the result allows s3:* on "*" instead of on somebucket only. An override document
    # can therefore widen a statement as well as narrow it; review what each one grants.
    override_policy_document_example = aws.iam.get_policy_document(override_policy_documents=[override.json],
        statements=[
            {
                "actions": ["ec2:*"],
                "resources": ["*"],
            },
            {
                "sid": "SidToOverride",
                "actions": ["s3:*"],
                "resources": [
                    "arn:aws:s3:::somebucket",
                    "arn:aws:s3:::somebucket/*",
                ],
            },
        ])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
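    // main builds an override policy document and a second document that lists it in
    // OverridePolicyDocuments while declaring the same Sid inline.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Override document: one statement, Sid "SidToOverride", allowing s3:* on
    		// every resource.
    		override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid: pulumi.StringRef("SidToOverride"),
    					Actions: []string{
    						"s3:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// In the rendered JSON the override document's "SidToOverride" statement wins
    		// over the bucket-scoped one declared here, so the result allows s3:* on "*".
    		// An override document can widen a statement as well as narrow it.
    		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			// A slice of JSON strings; the generated example used an interface{}
    			// composite literal here, which does not compile.
    			OverridePolicyDocuments: []string{
    				override.Json,
    			},
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions: []string{
    						"ec2:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    				{
    					Sid: pulumi.StringRef("SidToOverride"),
    					Actions: []string{
    						"s3:*",
    					},
    					Resources: []string{
    						"arn:aws:s3:::somebucket",
    						"arn:aws:s3:::somebucket/*",
    					},
    				},
    			},
    		}, nil)
    		return err
    	})
    }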
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    // Builds an override policy document and a second document that lists it in
    // OverridePolicyDocuments while declaring the same Sid inline.
    return await Deployment.RunAsync(() => 
    {
        // Override document: one statement, Sid "SidToOverride", allowing s3:* on every resource.
        var @override = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "SidToOverride",
                    Actions = new[]
                    {
                        "s3:*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
            },
        });
    
        // In the rendered JSON the override document's "SidToOverride" statement wins over the
        // bucket-scoped one declared here, so the result allows s3:* on "*". An override
        // document can widen a statement as well as narrow it; review what each one grants.
        var overridePolicyDocumentExample = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            OverridePolicyDocuments = new[]
            {
                @override.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
            },
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "ec2:*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "SidToOverride",
                    Actions = new[]
                    {
                        "s3:*",
                    },
                    Resources = new[]
                    {
                        "arn:aws:s3:::somebucket",
                        "arn:aws:s3:::somebucket/*",
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Builds an override policy document and a second document that lists it in
     * overridePolicyDocuments while declaring the same Sid inline.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // NOTE(review): GetPolicyDocumentStatementArgs is not in the import list shown
            // above this class; it presumably lives in com.pulumi.aws.iam.inputs - confirm.
            // Override document: one statement, Sid "SidToOverride", allowing s3:* on "*".
            final var override = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .sid("SidToOverride")
                    .actions("s3:*")
                    .resources("*")
                    .build())
                .build());
    
            // In the rendered JSON the override document's "SidToOverride" statement wins over
            // the bucket-scoped one declared here, so the result allows s3:* on "*". An
            // override document can widen a statement as well as narrow it.
            final var overridePolicyDocumentExample = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .overridePolicyDocuments(override.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .statements(            
                    GetPolicyDocumentStatementArgs.builder()
                        .actions("ec2:*")
                        .resources("*")
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("SidToOverride")
                        .actions("s3:*")
                        .resources(                    
                            "arn:aws:s3:::somebucket",
                            "arn:aws:s3:::somebucket/*")
                        .build())
                .build());
    
        }
    }
    
    # Builds an override policy document and a second document that lists it in
    # overridePolicyDocuments while declaring the same Sid inline.
    variables:
      # Override document: one statement, Sid SidToOverride, allowing s3:* on every resource.
      override:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: SidToOverride
                actions:
                  - s3:*
                resources:
                  - '*'
      # In the rendered JSON the override document's SidToOverride statement wins over the
      # bucket-scoped one declared here, so the result allows s3:* on '*'. An override
      # document can widen a statement as well as narrow it.
      overridePolicyDocumentExample:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            overridePolicyDocuments:
              - ${override.json}
            statements:
              - actions:
                  - ec2:*
                resources:
                  - '*'
              - sid: SidToOverride
                actions:
                  - s3:*
                resources:
                  - arn:aws:s3:::somebucket
                  - arn:aws:s3:::somebucket/*
    

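    The json output of overridePolicyDocumentExample (data.aws_iam_policy_document.override_policy_document_example.json in Terraform notation) will evaluate to the following. The override document's SidToOverride statement replaces the bucket-scoped statement declared inline, so the result allows s3:* on every resource: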

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*"
        },
        {
          "Sid": "SidToOverride",
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "*"
        }
      ]
    }
    

    Example with Both Source and Override Documents

    You can also combine source_policy_documents and override_policy_documents in the same document.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Source document: Sid "OverridePlaceholder" allowing ec2:DescribeAccountAttributes.
    const source = aws.iam.getPolicyDocument({
        statements: [{
            sid: "OverridePlaceholder",
            actions: ["ec2:DescribeAccountAttributes"],
            resources: ["*"],
        }],
    });
    // Override document: the same Sid, allowing s3:GetObject on every resource.
    const override = aws.iam.getPolicyDocument({
        statements: [{
            sid: "OverridePlaceholder",
            actions: ["s3:GetObject"],
            resources: ["*"],
        }],
    });
    // Combines both with no inline statements. The rendered JSON holds only the override
    // document's statement: it replaces the source statement that shares the Sid.
    const politik = Promise.all([source, override]).then(([source, override]) => aws.iam.getPolicyDocument({
        sourcePolicyDocuments: [source.json],
        overridePolicyDocuments: [override.json],
    }));
    
    import pulumi
    import pulumi_aws as aws
    
    # Source document: Sid "OverridePlaceholder" allowing ec2:DescribeAccountAttributes.
    source = aws.iam.get_policy_document(statements=[{
        "sid": "OverridePlaceholder",
        "actions": ["ec2:DescribeAccountAttributes"],
        "resources": ["*"],
    }])
    # Override document: the same Sid, allowing s3:GetObject on every resource.
    override = aws.iam.get_policy_document(statements=[{
        "sid": "OverridePlaceholder",
        "actions": ["s3:GetObject"],
        "resources": ["*"],
    }])
    # Combines both with no inline statements. The rendered JSON holds only the override
    # document's statement: it replaces the source statement that shares the Sid.
    politik = aws.iam.get_policy_document(source_policy_documents=[source.json],
        override_policy_documents=[override.json])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
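    // main builds a source document and an override document that share one Sid, then
    // combines them in a third document that has no inline statements.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Source document: Sid "OverridePlaceholder" allowing
    		// ec2:DescribeAccountAttributes.
    		source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid: pulumi.StringRef("OverridePlaceholder"),
    					Actions: []string{
    						"ec2:DescribeAccountAttributes",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// Override document: the same Sid, allowing s3:GetObject on every resource.
    		override, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid: pulumi.StringRef("OverridePlaceholder"),
    					Actions: []string{
    						"s3:GetObject",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// The rendered JSON holds only the override document's statement: it replaces
    		// the source statement that shares the Sid. Both fields are slices of JSON
    		// strings; the generated example used interface{} composite literals here,
    		// which do not compile.
    		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			SourcePolicyDocuments: []string{
    				source.Json,
    			},
    			OverridePolicyDocuments: []string{
    				override.Json,
    			},
    		}, nil)
    		return err
    	})
    }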
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    // Builds a source document and an override document that share one Sid, then combines
    // them in a third document that has no inline statements.
    return await Deployment.RunAsync(() => 
    {
        // Source document: Sid "OverridePlaceholder" allowing ec2:DescribeAccountAttributes.
        var source = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "OverridePlaceholder",
                    Actions = new[]
                    {
                        "ec2:DescribeAccountAttributes",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
            },
        });
    
        // Override document: the same Sid, allowing s3:GetObject on every resource.
        var @override = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "OverridePlaceholder",
                    Actions = new[]
                    {
                        "s3:GetObject",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
            },
        });
    
        // The rendered JSON holds only the override document's statement: it replaces the
        // source statement that shares the Sid.
        var politik = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            SourcePolicyDocuments = new[]
            {
                source.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
            },
            OverridePolicyDocuments = new[]
            {
                @override.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Builds a source document and an override document that share one Sid, then combines
     * them in a third document that has no inline statements.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // NOTE(review): GetPolicyDocumentStatementArgs is not in the import list shown
            // above this class; it presumably lives in com.pulumi.aws.iam.inputs - confirm.
            // Source document: Sid "OverridePlaceholder" allowing ec2:DescribeAccountAttributes.
            final var source = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .sid("OverridePlaceholder")
                    .actions("ec2:DescribeAccountAttributes")
                    .resources("*")
                    .build())
                .build());
    
            // Override document: the same Sid, allowing s3:GetObject on every resource.
            final var override = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .sid("OverridePlaceholder")
                    .actions("s3:GetObject")
                    .resources("*")
                    .build())
                .build());
    
            // The rendered JSON holds only the override document's statement: it replaces
            // the source statement that shares the Sid.
            final var politik = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .sourcePolicyDocuments(source.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .overridePolicyDocuments(override.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
        }
    }
    
    # Builds a source document and an override document that share one Sid, then combines
    # them in a third document that has no inline statements.
    variables:
      # Source document: Sid OverridePlaceholder allowing ec2:DescribeAccountAttributes.
      source:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: OverridePlaceholder
                actions:
                  - ec2:DescribeAccountAttributes
                resources:
                  - '*'
      # Override document: the same Sid, allowing s3:GetObject on every resource.
      override:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: OverridePlaceholder
                actions:
                  - s3:GetObject
                resources:
                  - '*'
      # The rendered JSON holds only the override document's statement: it replaces the
      # source statement that shares the Sid.
      politik:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            sourcePolicyDocuments:
              - ${source.json}
            overridePolicyDocuments:
              - ${override.json}
    

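    The json output of politik (data.aws_iam_policy_document.politik.json in Terraform notation) will evaluate to the following. Only the override document's statement remains, because it replaces the source statement that shares the Sid OverridePlaceholder: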

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "OverridePlaceholder",
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": "*"
        }
      ]
    }
    

    Example of Merging Source Documents

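    Multiple documents can be combined using the source_policy_documents or override_policy_documents attributes. source_policy_documents requires that all documents have unique Sids, while override_policy_documents will iteratively override matching Sids. Statements without a Sid are not matched against anything and are carried into the result as they are, so the merged document grants the union of what its inputs grant; review each input document before combining them.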

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // First source document: an unnamed ec2:* statement and "UniqueSidOne" with s3:*.
    // The wildcard actions on "*" are illustrative; scope real policies to named actions and ARNs.
    const sourceOne = aws.iam.getPolicyDocument({
        statements: [
            {
                actions: ["ec2:*"],
                resources: ["*"],
            },
            {
                sid: "UniqueSidOne",
                actions: ["s3:*"],
                resources: ["*"],
            },
        ],
    });
    // Second source document: "UniqueSidTwo" with iam:* and an unnamed lambda:* statement.
    // iam:* on "*" covers every IAM action on every resource.
    const sourceTwo = aws.iam.getPolicyDocument({
        statements: [
            {
                sid: "UniqueSidTwo",
                actions: ["iam:*"],
                resources: ["*"],
            },
            {
                actions: ["lambda:*"],
                resources: ["*"],
            },
        ],
    });
    // Merges both sources. The Sids differ, so the rendered JSON contains all four
    // statements, in source order.
    const combined = Promise.all([sourceOne, sourceTwo]).then(([sourceOne, sourceTwo]) => aws.iam.getPolicyDocument({
        sourcePolicyDocuments: [
            sourceOne.json,
            sourceTwo.json,
        ],
    }));
    
    import pulumi
    import pulumi_aws as aws
    
    # First source document: an unnamed ec2:* statement and "UniqueSidOne" with s3:*.
    # The wildcard actions on "*" are illustrative; scope real policies to named actions and ARNs.
    source_one = aws.iam.get_policy_document(statements=[
        {
            "actions": ["ec2:*"],
            "resources": ["*"],
        },
        {
            "sid": "UniqueSidOne",
            "actions": ["s3:*"],
            "resources": ["*"],
        },
    ])
    # Second source document: "UniqueSidTwo" with iam:* and an unnamed lambda:* statement.
    # iam:* on "*" covers every IAM action on every resource.
    source_two = aws.iam.get_policy_document(statements=[
        {
            "sid": "UniqueSidTwo",
            "actions": ["iam:*"],
            "resources": ["*"],
        },
        {
            "actions": ["lambda:*"],
            "resources": ["*"],
        },
    ])
    # Merges both sources. The Sids differ, so the rendered JSON contains all four
    # statements, in source order.
    combined = aws.iam.get_policy_document(source_policy_documents=[
        source_one.json,
        source_two.json,
    ])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
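    // main builds two source policy documents with distinct Sids and merges them through
    // SourcePolicyDocuments.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// First source document: an unnamed ec2:* statement and "UniqueSidOne" with
    		// s3:*. The wildcard actions on "*" are illustrative; scope real policies to
    		// named actions and ARNs.
    		sourceOne, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Actions: []string{
    						"ec2:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    				{
    					Sid: pulumi.StringRef("UniqueSidOne"),
    					Actions: []string{
    						"s3:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// Second source document: "UniqueSidTwo" with iam:* and an unnamed lambda:*
    		// statement. iam:* on "*" covers every IAM action on every resource.
    		sourceTwo, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid: pulumi.StringRef("UniqueSidTwo"),
    					Actions: []string{
    						"iam:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    				{
    					Actions: []string{
    						"lambda:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// The Sids differ, so the rendered JSON contains all four statements, in source
    		// order. The field is a slice of JSON strings; the generated example used an
    		// interface{} composite literal here, which does not compile.
    		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			SourcePolicyDocuments: []string{
    				sourceOne.Json,
    				sourceTwo.Json,
    			},
    		}, nil)
    		return err
    	})
    }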
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    // Builds two source policy documents with distinct Sids and merges them through
    // SourcePolicyDocuments.
    return await Deployment.RunAsync(() => 
    {
        // First source document: an unnamed ec2:* statement and "UniqueSidOne" with s3:*.
        // The wildcard actions on "*" are illustrative; scope real policies to named
        // actions and ARNs.
        var sourceOne = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "ec2:*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "UniqueSidOne",
                    Actions = new[]
                    {
                        "s3:*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
            },
        });
    
        // Second source document: "UniqueSidTwo" with iam:* and an unnamed lambda:* statement.
        // iam:* on "*" covers every IAM action on every resource.
        var sourceTwo = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "UniqueSidTwo",
                    Actions = new[]
                    {
                        "iam:*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Actions = new[]
                    {
                        "lambda:*",
                    },
                    Resources = new[]
                    {
                        "*",
                    },
                },
            },
        });
    
        // Merges both sources. The Sids differ, so the rendered JSON contains all four
        // statements, in source order.
        var combined = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            SourcePolicyDocuments = new[]
            {
                sourceOne.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
                sourceTwo.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Builds two source policy documents with distinct Sids and merges them through
     * sourcePolicyDocuments.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // NOTE(review): GetPolicyDocumentStatementArgs is not in the import list shown
            // above this class; it presumably lives in com.pulumi.aws.iam.inputs - confirm.
            // First source document: an unnamed ec2:* statement and "UniqueSidOne" with s3:*.
            // The wildcard actions on "*" are illustrative; scope real policies to named
            // actions and ARNs.
            final var sourceOne = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(            
                    GetPolicyDocumentStatementArgs.builder()
                        .actions("ec2:*")
                        .resources("*")
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("UniqueSidOne")
                        .actions("s3:*")
                        .resources("*")
                        .build())
                .build());
    
            // Second source document: "UniqueSidTwo" with iam:* and an unnamed lambda:*
            // statement. iam:* on "*" covers every IAM action on every resource.
            final var sourceTwo = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(            
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("UniqueSidTwo")
                        .actions("iam:*")
                        .resources("*")
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .actions("lambda:*")
                        .resources("*")
                        .build())
                .build());
    
            // Merges both sources. The Sids differ, so the rendered JSON contains all four
            // statements, in source order.
            final var combined = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .sourcePolicyDocuments(            
                    sourceOne.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()),
                    sourceTwo.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
        }
    }
    
    # Builds two source policy documents with distinct Sids and merges them through
    # sourcePolicyDocuments.
    variables:
      # First source document: an unnamed ec2:* statement and UniqueSidOne with s3:*.
      # The wildcard actions on '*' are illustrative; scope real policies to named
      # actions and ARNs.
      sourceOne:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - actions:
                  - ec2:*
                resources:
                  - '*'
              - sid: UniqueSidOne
                actions:
                  - s3:*
                resources:
                  - '*'
      # Second source document: UniqueSidTwo with iam:* and an unnamed lambda:* statement.
      # iam:* on '*' covers every IAM action on every resource.
      sourceTwo:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: UniqueSidTwo
                actions:
                  - iam:*
                resources:
                  - '*'
              - actions:
                  - lambda:*
                resources:
                  - '*'
      # Merges both sources. The Sids differ, so the rendered JSON contains all four
      # statements, in source order.
      combined:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            sourcePolicyDocuments:
              - ${sourceOne.json}
              - ${sourceTwo.json}
    

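    The json output of combined (data.aws_iam_policy_document.combined.json in Terraform notation) will evaluate to the following. All four statements from the two source documents are kept: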

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*"
        },
        {
          "Sid": "UniqueSidOne",
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": "*"
        },
        {
          "Sid": "UniqueSidTwo",
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        },
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": "lambda:*",
          "Resource": "*"
        }
      ]
    }
    

    Example of Merging Override Documents

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // policyOne: Sid "OverridePlaceHolderOne", Allow s3:* on every resource.
    const policyOne = aws.iam.getPolicyDocument({
        statements: [{
            sid: "OverridePlaceHolderOne",
            effect: "Allow",
            actions: ["s3:*"],
            resources: ["*"],
        }],
    });
    // policyTwo: an unnamed Allow ec2:* statement and "OverridePlaceHolderTwo" with Allow iam:*.
    const policyTwo = aws.iam.getPolicyDocument({
        statements: [
            {
                effect: "Allow",
                actions: ["ec2:*"],
                resources: ["*"],
            },
            {
                sid: "OverridePlaceHolderTwo",
                effect: "Allow",
                actions: ["iam:*"],
                resources: ["*"],
            },
        ],
    });
    // policyThree: reuses Sid "OverridePlaceHolderOne" from policyOne, this time Deny logs:*.
    const policyThree = aws.iam.getPolicyDocument({
        statements: [{
            sid: "OverridePlaceHolderOne",
            effect: "Deny",
            actions: ["logs:*"],
            resources: ["*"],
        }],
    });
    // Applies the three documents as overrides, in list order, to an inline Deny-all statement
    // that shares Sid "OverridePlaceHolderTwo" with policyTwo.
    // NOTE(review): going by the single-override example on this page, the override statement
    // (Allow iam:*) presumably replaces the inline Deny; confirm against the rendered JSON
    // before relying on the Deny.
    const combined = Promise.all([policyOne, policyTwo, policyThree]).then(([policyOne, policyTwo, policyThree]) => aws.iam.getPolicyDocument({
        overridePolicyDocuments: [
            policyOne.json,
            policyTwo.json,
            policyThree.json,
        ],
        statements: [{
            sid: "OverridePlaceHolderTwo",
            effect: "Deny",
            actions: ["*"],
            resources: ["*"],
        }],
    }));
    
    import pulumi
    import pulumi_aws as aws
    
    # policy_one: Sid "OverridePlaceHolderOne", Allow s3:* on every resource.
    policy_one = aws.iam.get_policy_document(statements=[{
        "sid": "OverridePlaceHolderOne",
        "effect": "Allow",
        "actions": ["s3:*"],
        "resources": ["*"],
    }])
    # policy_two: an unnamed Allow ec2:* statement and "OverridePlaceHolderTwo" with Allow iam:*.
    policy_two = aws.iam.get_policy_document(statements=[
        {
            "effect": "Allow",
            "actions": ["ec2:*"],
            "resources": ["*"],
        },
        {
            "sid": "OverridePlaceHolderTwo",
            "effect": "Allow",
            "actions": ["iam:*"],
            "resources": ["*"],
        },
    ])
    # policy_three: reuses Sid "OverridePlaceHolderOne" from policy_one, this time Deny logs:*.
    policy_three = aws.iam.get_policy_document(statements=[{
        "sid": "OverridePlaceHolderOne",
        "effect": "Deny",
        "actions": ["logs:*"],
        "resources": ["*"],
    }])
    # Applies the three documents as overrides, in list order, to an inline Deny-all statement
    # that shares Sid "OverridePlaceHolderTwo" with policy_two.
    # NOTE(review): going by the single-override example on this page, the override statement
    # (Allow iam:*) presumably replaces the inline Deny; confirm against the rendered JSON
    # before relying on the Deny.
    combined = aws.iam.get_policy_document(override_policy_documents=[
            policy_one.json,
            policy_two.json,
            policy_three.json,
        ],
        statements=[{
            "sid": "OverridePlaceHolderTwo",
            "effect": "Deny",
            "actions": ["*"],
            "resources": ["*"],
        }])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
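    // main builds three policy documents and applies them as overrides, in list order, to
    // a document that declares one inline statement.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// policyOne: Sid "OverridePlaceHolderOne", Allow s3:* on every resource.
    		policyOne, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid:    pulumi.StringRef("OverridePlaceHolderOne"),
    					Effect: pulumi.StringRef("Allow"),
    					Actions: []string{
    						"s3:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// policyTwo: an unnamed Allow ec2:* statement and "OverridePlaceHolderTwo" with
    		// Allow iam:*.
    		policyTwo, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Effect: pulumi.StringRef("Allow"),
    					Actions: []string{
    						"ec2:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    				{
    					Sid:    pulumi.StringRef("OverridePlaceHolderTwo"),
    					Effect: pulumi.StringRef("Allow"),
    					Actions: []string{
    						"iam:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// policyThree: reuses Sid "OverridePlaceHolderOne" from policyOne, this time
    		// Deny logs:*.
    		policyThree, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid:    pulumi.StringRef("OverridePlaceHolderOne"),
    					Effect: pulumi.StringRef("Deny"),
    					Actions: []string{
    						"logs:*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		// The inline Deny-all statement shares Sid "OverridePlaceHolderTwo" with
    		// policyTwo.
    		// NOTE(review): going by the single-override example on this page, the override
    		// statement (Allow iam:*) presumably replaces the inline Deny; confirm against
    		// the rendered JSON before relying on the Deny.
    		_, err = iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			// A slice of JSON strings; the generated example used an interface{}
    			// composite literal here, which does not compile.
    			OverridePolicyDocuments: []string{
    				policyOne.Json,
    				policyTwo.Json,
    				policyThree.Json,
    			},
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Sid:    pulumi.StringRef("OverridePlaceHolderTwo"),
    					Effect: pulumi.StringRef("Deny"),
    					Actions: []string{
    						"*",
    					},
    					Resources: []string{
    						"*",
    					},
    				},
    			},
    		}, nil)
    		return err
    	})
    }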
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    // Builds three standalone policy documents and then merges them through
    // OverridePolicyDocuments, so the effect of sid-based overriding can be seen.
    // Every statement pairs a service-wide action wildcard with Resources = "*" to keep
    // the merge easy to follow; policies meant for deployment should list the specific
    // actions and resource ARNs they need.
    return await Deployment.RunAsync(() =>
    {
        // policyOne: a single Allow s3:* statement under sid OverridePlaceHolderOne.
        var allowS3 = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Sid = "OverridePlaceHolderOne",
            Effect = "Allow",
            Actions = new[] { "s3:*" },
            Resources = new[] { "*" },
        };
        var policyOne = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[] { allowS3 },
        });

        // policyTwo: one statement without a sid (never overridden, never overriding)
        // and one Allow iam:* statement under sid OverridePlaceHolderTwo.
        var allowEc2NoSid = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Effect = "Allow",
            Actions = new[] { "ec2:*" },
            Resources = new[] { "*" },
        };
        var allowIam = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Sid = "OverridePlaceHolderTwo",
            Effect = "Allow",
            Actions = new[] { "iam:*" },
            Resources = new[] { "*" },
        };
        var policyTwo = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[] { allowEc2NoSid, allowIam },
        });

        // policyThree: reuses sid OverridePlaceHolderOne with a Deny on logs:*.
        // It comes after policyOne in the override list, so it replaces policyOne's statement.
        var denyLogs = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Sid = "OverridePlaceHolderOne",
            Effect = "Deny",
            Actions = new[] { "logs:*" },
            Resources = new[] { "*" },
        };
        var policyThree = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[] { denyLogs },
        });

        // The Deny-all statement declared here shares sid OverridePlaceHolderTwo with
        // policyTwo. In the rendered result shown on this page that sid carries
        // policyTwo's Allow iam:*, i.e. the override document replaces the locally
        // declared Deny. Inspect the rendered Json before relying on such a statement.
        var denyEverything = new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
        {
            Sid = "OverridePlaceHolderTwo",
            Effect = "Deny",
            Actions = new[] { "*" },
            Resources = new[] { "*" },
        };
        var combined = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            OverridePolicyDocuments = new[]
            {
                policyOne.Apply(doc => doc.Json),
                policyTwo.Apply(doc => doc.Json),
                policyThree.Apply(doc => doc.Json),
            },
            Statements = new[] { denyEverything },
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
    import com.pulumi.core.Output;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    
    /**
     * Example program that builds three standalone IAM policy documents and merges
     * them through {@code overridePolicyDocuments} to show sid-based overriding.
     *
     * <p>Every statement pairs a service-wide action wildcard with resource {@code "*"}
     * to keep the merge easy to follow; policies meant for deployment should list the
     * specific actions and resource ARNs they need.
     */
    public class App {
        /** Entry point: hands the stack definition to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the three source documents and the combined document.
         *
         * @param ctx Pulumi program context (not used by this example).
         */
        public static void stack(Context ctx) {
            // policyOne: a single Allow s3:* statement under sid OverridePlaceHolderOne.
            final var allowS3 = GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderOne")
                .effect("Allow")
                .actions("s3:*")
                .resources("*")
                .build();
            final var policyOne = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(allowS3)
                .build());

            // policyTwo: one statement without a sid and one Allow iam:* statement
            // under sid OverridePlaceHolderTwo.
            final var allowEc2NoSid = GetPolicyDocumentStatementArgs.builder()
                .effect("Allow")
                .actions("ec2:*")
                .resources("*")
                .build();
            final var allowIam = GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderTwo")
                .effect("Allow")
                .actions("iam:*")
                .resources("*")
                .build();
            final var policyTwo = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(allowEc2NoSid, allowIam)
                .build());

            // policyThree: reuses sid OverridePlaceHolderOne with a Deny on logs:*.
            // It comes after policyOne in the override list, so it replaces policyOne's statement.
            final var denyLogs = GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderOne")
                .effect("Deny")
                .actions("logs:*")
                .resources("*")
                .build();
            final var policyThree = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(denyLogs)
                .build());

            // The Deny-all statement declared here shares sid OverridePlaceHolderTwo with
            // policyTwo. In the rendered result shown on this page that sid carries
            // policyTwo's Allow iam:*, i.e. the override document replaces the locally
            // declared Deny. Inspect the rendered json before relying on such a statement.
            final var denyEverything = GetPolicyDocumentStatementArgs.builder()
                .sid("OverridePlaceHolderTwo")
                .effect("Deny")
                .actions("*")
                .resources("*")
                .build();
            final var combined = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .overridePolicyDocuments(
                    policyOne.applyValue(doc -> doc.json()),
                    policyTwo.applyValue(doc -> doc.json()),
                    policyThree.applyValue(doc -> doc.json()))
                .statements(denyEverything)
                .build());

        }
    }
    
    # Three standalone policy documents plus one document that merges them through
    # overridePolicyDocuments. The service-wide wildcards on resource '*' keep the merge
    # easy to follow; policies meant for deployment should list specific actions and ARNs.
    variables:
      # Allow s3:* under sid OverridePlaceHolderOne.
      policyOne:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: OverridePlaceHolderOne
                effect: Allow
                actions: ["s3:*"]
                resources: ["*"]
      # One statement without a sid, and Allow iam:* under sid OverridePlaceHolderTwo.
      policyTwo:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - effect: Allow
                actions: ["ec2:*"]
                resources: ["*"]
              - sid: OverridePlaceHolderTwo
                effect: Allow
                actions: ["iam:*"]
                resources: ["*"]
      # Reuses sid OverridePlaceHolderOne; listed after policyOne, so it replaces
      # policyOne's statement in the merge.
      policyThree:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: OverridePlaceHolderOne
                effect: Deny
                actions: ["logs:*"]
                resources: ["*"]
      # The Deny-all statement below shares sid OverridePlaceHolderTwo with policyTwo.
      # In the rendered result shown on this page that sid carries policyTwo's
      # Allow iam:*, i.e. the override document replaces the locally declared Deny.
      combined:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            overridePolicyDocuments:
              - ${policyOne.json}
              - ${policyTwo.json}
              - ${policyThree.json}
            statements:
              - sid: OverridePlaceHolderTwo
                effect: Deny
                actions: ["*"]
                resources: ["*"]
    

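    The json output of combined (data.aws_iam_policy_document.combined.json in the upstream Terraform example) will evaluate to the document below. The Deny statement declared directly on combined does not appear in it: its sid is also defined in policyTwo, and the statement from the override document takes its place.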

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "OverridePlaceHolderTwo",
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        },
        {
          "Sid": "OverridePlaceHolderOne",
          "Effect": "Deny",
          "Action": "logs:*",
          "Resource": "*"
        },
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*"
        }
      ]
    }
    

    Using getPolicyDocument

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getPolicyDocument(args: GetPolicyDocumentArgs, opts?: InvokeOptions): Promise<GetPolicyDocumentResult>
    function getPolicyDocumentOutput(args: GetPolicyDocumentOutputArgs, opts?: InvokeOptions): Output<GetPolicyDocumentResult>
    def get_policy_document(override_json: Optional[str] = None,
                            override_policy_documents: Optional[Sequence[str]] = None,
                            policy_id: Optional[str] = None,
                            source_json: Optional[str] = None,
                            source_policy_documents: Optional[Sequence[str]] = None,
                            statements: Optional[Sequence[GetPolicyDocumentStatement]] = None,
                            version: Optional[str] = None,
                            opts: Optional[InvokeOptions] = None) -> GetPolicyDocumentResult
    def get_policy_document_output(override_json: Optional[pulumi.Input[str]] = None,
                            override_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                            policy_id: Optional[pulumi.Input[str]] = None,
                            source_json: Optional[pulumi.Input[str]] = None,
                            source_policy_documents: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                            statements: Optional[pulumi.Input[Sequence[pulumi.Input[GetPolicyDocumentStatementArgs]]]] = None,
                            version: Optional[pulumi.Input[str]] = None,
                            opts: Optional[InvokeOptions] = None) -> Output[GetPolicyDocumentResult]
    func GetPolicyDocument(ctx *Context, args *GetPolicyDocumentArgs, opts ...InvokeOption) (*GetPolicyDocumentResult, error)
    func GetPolicyDocumentOutput(ctx *Context, args *GetPolicyDocumentOutputArgs, opts ...InvokeOption) GetPolicyDocumentResultOutput

    > Note: This function is named GetPolicyDocument in the Go SDK.

    public static class GetPolicyDocument 
    {
        public static Task<GetPolicyDocumentResult> InvokeAsync(GetPolicyDocumentArgs args, InvokeOptions? opts = null)
        public static Output<GetPolicyDocumentResult> Invoke(GetPolicyDocumentInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetPolicyDocumentResult> getPolicyDocument(GetPolicyDocumentArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: aws:iam/getPolicyDocument:getPolicyDocument
      arguments:
        # arguments dictionary

    The following arguments are supported:

    OverrideJson string

    Deprecated: Not used

    OverridePolicyDocuments List<string>
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
    PolicyId string
    ID for the policy document.
    SourceJson string

    Deprecated: Not used

    SourcePolicyDocuments List<string>
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    Statements List<GetPolicyDocumentStatement>
    Configuration block for a policy statement. Detailed below.
    Version string
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
    OverrideJson string

    Deprecated: Not used

    OverridePolicyDocuments []string
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
    PolicyId string
    ID for the policy document.
    SourceJson string

    Deprecated: Not used

    SourcePolicyDocuments []string
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    Statements []GetPolicyDocumentStatement
    Configuration block for a policy statement. Detailed below.
    Version string
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
    overrideJson String

    Deprecated: Not used

    overridePolicyDocuments List<String>
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
    policyId String
    ID for the policy document.
    sourceJson String

    Deprecated: Not used

    sourcePolicyDocuments List<String>
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    statements List<GetPolicyDocumentStatement>
    Configuration block for a policy statement. Detailed below.
    version String
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
    overrideJson string

    Deprecated: Not used

    overridePolicyDocuments string[]
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
    policyId string
    ID for the policy document.
    sourceJson string

    Deprecated: Not used

    sourcePolicyDocuments string[]
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    statements GetPolicyDocumentStatement[]
    Configuration block for a policy statement. Detailed below.
    version string
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
    override_json str

    Deprecated: Not used

    override_policy_documents Sequence[str]
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
    policy_id str
    ID for the policy document.
    source_json str

    Deprecated: Not used

    source_policy_documents Sequence[str]
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    statements Sequence[GetPolicyDocumentStatement]
    Configuration block for a policy statement. Detailed below.
    version str
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.
    overrideJson String

    Deprecated: Not used

    overridePolicyDocuments List<String>
    List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from source_policy_documents. Non-overriding statements will be added to the exported document.
    policyId String
    ID for the policy document.
    sourceJson String

    Deprecated: Not used

    sourcePolicyDocuments List<String>
    List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents must have unique sids. Statements with the same sid from override_policy_documents will override source statements.
    statements List<Property Map>
    Configuration block for a policy statement. Detailed below.
    version String
    IAM policy document version. Valid values are 2008-10-17 and 2012-10-17. Defaults to 2012-10-17. For more information, see the AWS IAM User Guide.

    getPolicyDocument Result

    The following output properties are available:

    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    Standard JSON policy document rendered based on the arguments above.
    MinifiedJson string
    Minified JSON policy document rendered based on the arguments above.
    OverrideJson string

    Deprecated: Not used

    OverridePolicyDocuments List<string>
    PolicyId string
    SourceJson string

    Deprecated: Not used

    SourcePolicyDocuments List<string>
    Statements List<GetPolicyDocumentStatement>
    Version string
    Id string
    The provider-assigned unique ID for this managed resource.
    Json string
    Standard JSON policy document rendered based on the arguments above.
    MinifiedJson string
    Minified JSON policy document rendered based on the arguments above.
    OverrideJson string

    Deprecated: Not used

    OverridePolicyDocuments []string
    PolicyId string
    SourceJson string

    Deprecated: Not used

    SourcePolicyDocuments []string
    Statements []GetPolicyDocumentStatement
    Version string
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    Standard JSON policy document rendered based on the arguments above.
    minifiedJson String
    Minified JSON policy document rendered based on the arguments above.
    overrideJson String

    Deprecated: Not used

    overridePolicyDocuments List<String>
    policyId String
    sourceJson String

    Deprecated: Not used

    sourcePolicyDocuments List<String>
    statements List<GetPolicyDocumentStatement>
    version String
    id string
    The provider-assigned unique ID for this managed resource.
    json string
    Standard JSON policy document rendered based on the arguments above.
    minifiedJson string
    Minified JSON policy document rendered based on the arguments above.
    overrideJson string

    Deprecated: Not used

    overridePolicyDocuments string[]
    policyId string
    sourceJson string

    Deprecated: Not used

    sourcePolicyDocuments string[]
    statements GetPolicyDocumentStatement[]
    version string
    id str
    The provider-assigned unique ID for this managed resource.
    json str
    Standard JSON policy document rendered based on the arguments above.
    minified_json str
    Minified JSON policy document rendered based on the arguments above.
    override_json str

    Deprecated: Not used

    override_policy_documents Sequence[str]
    policy_id str
    source_json str

    Deprecated: Not used

    source_policy_documents Sequence[str]
    statements Sequence[GetPolicyDocumentStatement]
    version str
    id String
    The provider-assigned unique ID for this managed resource.
    json String
    Standard JSON policy document rendered based on the arguments above.
    minifiedJson String
    Minified JSON policy document rendered based on the arguments above.
    overrideJson String

    Deprecated: Not used

    overridePolicyDocuments List<String>
    policyId String
    sourceJson String

    Deprecated: Not used

    sourcePolicyDocuments List<String>
    statements List<Property Map>
    version String

    Supporting Types

    GetPolicyDocumentStatement

    Actions List<string>
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    Conditions List<GetPolicyDocumentStatementCondition>
    Configuration block for a condition. Detailed below.
    Effect string
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    NotActions List<string>
    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
    NotPrincipals List<GetPolicyDocumentStatementNotPrincipal>
    Like principals except these are principals that the statement does not apply to.
    NotResources List<string>
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    Principals List<GetPolicyDocumentStatementPrincipal>
    Configuration block for principals. Detailed below.
    Resources List<string>
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    Sid string
    Sid (statement ID) is an identifier for a policy statement.
    Actions []string
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    Conditions []GetPolicyDocumentStatementCondition
    Configuration block for a condition. Detailed below.
    Effect string
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    NotActions []string
    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
    NotPrincipals []GetPolicyDocumentStatementNotPrincipal
    Like principals except these are principals that the statement does not apply to.
    NotResources []string
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    Principals []GetPolicyDocumentStatementPrincipal
    Configuration block for principals. Detailed below.
    Resources []string
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    Sid string
    Sid (statement ID) is an identifier for a policy statement.
    actions List<String>
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    conditions List<GetPolicyDocumentStatementCondition>
    Configuration block for a condition. Detailed below.
    effect String
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    notActions List<String>
    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
    notPrincipals List<GetPolicyDocumentStatementNotPrincipal>
    Like principals except these are principals that the statement does not apply to.
    notResources List<String>
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    principals List<GetPolicyDocumentStatementPrincipal>
    Configuration block for principals. Detailed below.
    resources List<String>
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    sid String
    Sid (statement ID) is an identifier for a policy statement.
    actions string[]
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    conditions GetPolicyDocumentStatementCondition[]
    Configuration block for a condition. Detailed below.
    effect string
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    notActions string[]
    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
    notPrincipals GetPolicyDocumentStatementNotPrincipal[]
    Like principals except these are principals that the statement does not apply to.
    notResources string[]
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    principals GetPolicyDocumentStatementPrincipal[]
    Configuration block for principals. Detailed below.
    resources string[]
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    sid string
    Sid (statement ID) is an identifier for a policy statement.
    actions Sequence[str]
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    conditions Sequence[GetPolicyDocumentStatementCondition]
    Configuration block for a condition. Detailed below.
    effect str
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    not_actions Sequence[str]
    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
    not_principals Sequence[GetPolicyDocumentStatementNotPrincipal]
    Like principals except these are principals that the statement does not apply to.
    not_resources Sequence[str]
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    principals Sequence[GetPolicyDocumentStatementPrincipal]
    Configuration block for principals. Detailed below.
    resources Sequence[str]
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    sid str
    Sid (statement ID) is an identifier for a policy statement.
    actions List<String>
    List of actions that this statement either allows or denies. For example, ["ec2:RunInstances", "s3:*"].
    conditions List<Property Map>
    Configuration block for a condition. Detailed below.
    effect String
    Whether this statement allows or denies the given actions. Valid values are Allow and Deny. Defaults to Allow.
    notActions List<String>
    List of actions that this statement does not apply to. Use to apply a policy statement to all actions except those listed.
    notPrincipals List<Property Map>
    Like principals except these are principals that the statement does not apply to.
    notResources List<String>
    List of resource ARNs that this statement does not apply to. Use to apply a policy statement to all resources except those listed. Conflicts with resources.
    principals List<Property Map>
    Configuration block for principals. Detailed below.
    resources List<String>
    List of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy. Conflicts with not_resources.
    sid String
    Sid (statement ID) is an identifier for a policy statement.

    GetPolicyDocumentStatementCondition

    Test string
    Name of the IAM condition operator to evaluate.
    Values List<string>
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    Variable string
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
    Test string
    Name of the IAM condition operator to evaluate.
    Values []string
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    Variable string
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
    test String
    Name of the IAM condition operator to evaluate.
    values List<String>
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    variable String
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
    test string
    Name of the IAM condition operator to evaluate.
    values string[]
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    variable string
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
    test str
    Name of the IAM condition operator to evaluate.
    values Sequence[str]
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    variable str
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.
    test String
    Name of the IAM condition operator to evaluate.
    values List<String>
    Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
    variable String
    Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables starting with aws: or service-specific variables prefixed with the service name.

    GetPolicyDocumentStatementNotPrincipal

    Identifiers List<string>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS service principals, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    Type string
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    Identifiers []string
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS service principals, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    Type string
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers List<String>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type String
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers string[]
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type string
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers Sequence[str]
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type str
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers List<String>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type String
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.

    GetPolicyDocumentStatementPrincipal

    Identifiers List<string>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS service principals, e.g., lambda.amazonaws.com. When type is Federated, these are web identity providers or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    Type string
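    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *. A * principal in an Allow statement matches every caller, including anonymous ones, so such a statement should be narrowed with conditions unless public access is intended.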
    Identifiers []string
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    Type string
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers List<String>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type String
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers string[]
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type string
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers Sequence[str]
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type str
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.
    identifiers List<String>
    List of identifiers for principals. When type is AWS, these are IAM principal ARNs, e.g., arn:aws:iam::12345678901:role/yak-role. When type is Service, these are AWS Service roles, e.g., lambda.amazonaws.com. When type is Federated, these are web identity users or SAML provider ARNs, e.g., accounts.google.com or arn:aws:iam::12345678901:saml-provider/yak-saml-provider. When type is CanonicalUser, these are canonical user IDs, e.g., 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
    type String
    Type of principal. Valid values include AWS, Service, Federated, CanonicalUser and *.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    AWS v6.60.0 published on Tuesday, Nov 19, 2024 by Pulumi