Use aws.iam.PolicyDocument for type-safe JSON in AWS
TypeScript

Certainly, you can create a type-safe IAM policy document using aws.iam.PolicyDocument. A PolicyDocument is a statement that defines an AWS IAM policy. It is defined in JSON format and the benefit of using the aws.iam.PolicyDocument object in Pulumi is that it can provide type-safety within your IAM policies. Here is a simple demonstration on how you might set up an aws.iam.PolicyDocument:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// aws.iam.PolicyDocument is the TypeScript interface for the JSON shape; the typed
// argument object of aws.iam.getPolicyDocumentOutput gives the same compile-time
// checking and returns the rendered document as a pulumi.Output<string>.
const readS3BucketPolicyDocument = aws.iam.getPolicyDocumentOutput({
    // The policy document version
    version: "2012-10-17",
    // The policy statements
    statements: [{
        // Manage the actions this statement applies to (s3:GetObject allows read access)
        actions: ["s3:GetObject"],
        // Indicate the resource to which this policy applies (RESOURCE ARN, can be a pulumi.Output such as bucket.arn)
        resources: ["CODE_FOR_RESOURCE_ARN"],
        // Applying effect to allow action on the resource
        effect: "Allow",
    }],
});

const policy = new aws.iam.Policy("policy", {
    description: "A test policy",
    path: "/",
    policy: readS3BucketPolicyDocument.json, // policy is a pulumi.Output<string>
});
In this example, the aws.iam.PolicyDocument describes a policy that allows read access (via the s3:GetObject action) to a specified S3 bucket (you have to replace CODE_FOR_RESOURCE_ARN with your specific value). This policy document can then be used to create an aws.iam.Policy, which can be attached to users, groups and roles. Check out the documentation on aws.iam.PolicyDocument here and aws.iam.Policy here for more information.
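The following is an added example, not part of the answer above and not Pulumi's own code. It shows what "type-safe JSON" buys a reviewer: the policy is built as a typed object and passed through a small least-privilege lint (wildcard actions, unconditioned Resource "*", and s3:GetObject granted on a bucket ARN instead of an object path) before it is serialised for aws.iam.Policy. The PolicyDocument and PolicyStatement interfaces are declared locally as an assumption that mirrors the shape of @pulumi/aws's aws.iam.PolicyDocument type, so the file runs without @pulumi/aws installed; the bucket ARN is a constructed placeholder.

```typescript
// Added example: typed IAM policy document plus a least-privilege lint.
// The interfaces below are assumed to mirror @pulumi/aws's aws.iam.PolicyDocument
// (Version / Statement / Effect / Action / Resource); they are declared here so the
// example is self-contained and does not need @pulumi/aws at runtime.

type Effect = "Allow" | "Deny";

interface PolicyStatement {
  Sid?: string;
  Effect: Effect;
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

/** Returns the findings a reviewer would want to see before the policy is applied. */
function lintPolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((s, i) => {
    const where = s.Sid ?? `statement[${i}]`;
    if (s.Effect !== "Allow") return; // Deny statements only narrow access
    const actions = asList(s.Action);
    const resources = asList(s.Resource);
    if (actions.some(a => a === "*" || a.endsWith(":*"))) {
      findings.push(`${where}: wildcard action ${JSON.stringify(actions)}`);
    }
    if (resources.includes("*") && !s.Condition) {
      findings.push(`${where}: Resource "*" without a Condition`);
    }
    // s3:GetObject matches object ARNs (bucket/key); a bare bucket ARN grants nothing useful
    if (actions.includes("s3:GetObject") &&
        resources.some(r => r.startsWith("arn:aws:s3:::") && !r.includes("/"))) {
      findings.push(`${where}: s3:GetObject on a bucket ARN does not match objects; use <bucket-arn>/* or a key path`);
    }
  });
  return findings;
}

/** Builds the read-only document the answer describes, scoped to objects in one bucket. */
function readS3BucketPolicy(bucketArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "ReadObjects",
      Effect: "Allow",
      Action: ["s3:GetObject"],
      Resource: [`${bucketArn}/*`],
    }],
  };
}

/** Serialises the document for aws.iam.Policy; throws if the lint finds anything. */
function policyJson(doc: PolicyDocument): string {
  const findings = lintPolicy(doc);
  if (findings.length > 0) {
    throw new Error("policy rejected:\n" + findings.join("\n"));
  }
  return JSON.stringify(doc);
}

// Constructed sample ARN (placeholder, not a real bucket).
const sampleBucketArn = "arn:aws:s3:::example-bucket";
console.log(policyJson(readS3BucketPolicy(sampleBucketArn)));

// An over-broad document, shown only to exercise the lint.
const overBroad: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "s3:*", Resource: "*" }],
};
console.log(lintPolicy(overBroad));
```

In a real Pulumi program the string returned by policyJson would be passed as the policy argument of aws.iam.Policy; if the bucket ARN is a pulumi.Output, build the document inside bucketArn.apply(...) so the lint still runs on the resolved value.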