Skip to main content

group_policies

Creates, updates, deletes or gets a group_policy resource or lists group_policies in a region

Overview

Namegroup_policies
TypeResource
DescriptionAdds or updates an inline policy document that is embedded in the specified IAM group.
A group can also have managed policies attached to it. To attach a managed policy to a group, use [AWS::IAM::Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html). To create a new managed policy, use [AWS::IAM::ManagedPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html). For information about policies, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide*.
For information about the maximum number of inline policies that you can embed in a group, see [IAM and quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide*.
Idaws.iam.group_policies

Fields

NameDatatypeDescription
policy_documentobjectThe policy document.
You must provide policies in JSON format in IAM. However, for CFN templates formatted in YAML, you can provide the policy in JSON or YAML format. CFN always converts a YAML policy to JSON format before submitting it to IAM.
The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:
+ Any printable ASCII character ranging from the space character (\u0020) through the end of the ASCII character range
+ The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF)
+ The special characters tab (\u0009), line feed (\u000A), and carriage return (\u000D)
policy_namestringThe name of the policy document.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
group_namestringThe name of the group to associate the policy with.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.
regionstringAWS region.

Methods

NameAccessible byRequired Params
delete_resourceDELETEdata__Identifier, region
create_resourceINSERTPolicyName, GroupName, region
getSELECTundefined
update_resourceUPDATEdata__Identifier, data__PatchDocument, region
get_resourceSELECTdata__Identifier, region

SELECT examples

Gets all properties from an individual group_policy.

SELECT
region,
policy_document,
policy_name,
group_name
FROM aws.iam.group_policies
WHERE data__Identifier = '<PolicyName>|<GroupName>';

INSERT example

Use the following StackQL query and manifest file to create a new group_policy resource, using stack-deploy.

/*+ create */
INSERT INTO aws.iam.group_policies (
 PolicyName,
 GroupName,
 region
)
SELECT 
'{{ PolicyName }}',
 '{{ GroupName }}',
'{{ region }}';

DELETE example

/*+ delete */
DELETE FROM aws.iam.group_policies
WHERE data__Identifier = '<PolicyName|GroupName>'
AND region = 'us-east-1';

Permissions

To operate on the group_policies resource, the following permissions are required:

Create

iam:PutGroupPolicy,
iam:GetGroupPolicy

Read

iam:GetGroupPolicy

Update

iam:PutGroupPolicy,
iam:GetGroupPolicy

Delete

iam:DeleteGroupPolicy,
iam:GetGroupPolicy