AWS::XRay::ResourcePolicy
Use AWS::XRay::ResourcePolicy to specify an X-Ray resource-based policy, which grants one or more AWS services and accounts permissions to access X-Ray. Each resource-based policy is associated with a specific AWS account.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::XRay::ResourcePolicy",
  "Properties" : {
    "BypassPolicyLockoutCheck" : Boolean,
    "PolicyDocument" : String,
    "PolicyName" : String
  }
}
YAML
Type: AWS::XRay::ResourcePolicy
Properties:
  BypassPolicyLockoutCheck: Boolean
  PolicyDocument: String
  PolicyName: String
Properties
BypassPolicyLockoutCheck
A flag to indicate whether to bypass the resource-based policy lockout safety check.
Required: No
Type: Boolean
Update requires: No interruption
PolicyDocument
The resource-based policy document, which can be up to 5kb in size.
Required: Yes
Type: String
Minimum: 1
Maximum: 5120
Update requires: No interruption
PolicyName
The name of the resource-based policy. Must be unique within a specific AWS account.
Required: Yes
Type: String
Pattern: [\w+=,.@-]+
Minimum: 1
Maximum: 128
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the policy name.
For more information about using the Ref function, see Ref.
Examples
Create resource-based policy
This example creates a resource-based policy called MySnsActiveTracingPolicy, which configures Amazon SNS active tracing.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyResourcePolicy": {
      "Type": "AWS::XRay::ResourcePolicy",
      "Properties": {
        "BypassPolicyLockoutCheck": "false",
        "PolicyDocument": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"SNSAccess\", \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"sns.amazonaws.com\" }, \"Action\": [ \"xray:PutTraceSegments\", \"xray:GetSamplingRules\", \"xray:GetSamplingTargets\" ], \"Resource\": \"*\", \"Condition\": { \"StringEquals\": { \"aws:SourceAccount\": \"my-account-id\" }, \"StringLike\": { \"aws:SourceArn\": \"arn:$my-partition:sns:$my-region:$my-account-id:my-topic-name\" } } } ] }",
        "PolicyName": "MySnsActiveTracingPolicy"
      }
    }
  }
}
YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyResourcePolicy:
    Type: AWS::XRay::ResourcePolicy
    Properties:
      BypassPolicyLockoutCheck: false
      PolicyDocument: "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"SNSAccess\", \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"sns.amazonaws.com\" }, \"Action\": [ \"xray:PutTraceSegments\", \"xray:GetSamplingRules\", \"xray:GetSamplingTargets\" ], \"Resource\": \"*\", \"Condition\": { \"StringEquals\": { \"aws:SourceAccount\": \"my-account-id\" }, \"StringLike\": { \"aws:SourceArn\": \"arn:$my-partition:sns:$my-region:$my-account-id:my-topic-name\" } } } ] }"
      PolicyName: "MySnsActiveTracingPolicy"
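A pre-deployment check for the properties documented above, as an added example that is not part of the AWS documentation: it enforces the PolicyName pattern and the length limits from this page, reports when BypassPolicyLockoutCheck is enabled, and flags Allow statements for a service principal that lack the aws:SourceAccount or aws:SourceArn conditions used in the SNS example. The function and sample names are hypothetical, the account id is a placeholder, and the 5120 limit is assumed to count characters.

```python
import json
import re

NAME_RE = re.compile(r"[\w+=,.@-]+")  # PolicyName pattern from the page
MAX_DOC_LEN = 5120  # PolicyDocument maximum; assumed to count characters
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # condition keys in the page's example

def lint_xray_resource_policy(props):
    """Return findings for an AWS::XRay::ResourcePolicy Properties dict."""
    findings = []
    name = props.get("PolicyName", "")
    if not (1 <= len(name) <= 128 and NAME_RE.fullmatch(name)):
        findings.append("PolicyName violates pattern or length 1-128")
    # The flag may arrive as a boolean or as a string, as in the page's JSON example.
    if str(props.get("BypassPolicyLockoutCheck", "false")).lower() == "true":
        findings.append("BypassPolicyLockoutCheck is enabled")
    doc = props.get("PolicyDocument", "")
    if not 1 <= len(doc) <= MAX_DOC_LEN:
        return findings + ["PolicyDocument length outside 1-5120"]
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return findings + [f"PolicyDocument is not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return findings + ["PolicyDocument is not a JSON object"]
    stmts = policy.get("Statement", [])
    for stmt in stmts if isinstance(stmts, list) else [stmts]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws:  # "in" covers a single string and a list
            findings.append(f"{sid}: wildcard principal")
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if isinstance(principal, dict) and "Service" in principal and not keys & SCOPING_KEYS:
            findings.append(f"{sid}: service principal lacks SourceAccount/SourceArn condition")
    return findings

def sample_props(scoped, bypass=False):
    """Constructed input modelled on the page's SNS example; the account id is a placeholder."""
    stmt = {"Sid": "SNSAccess", "Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
            "Action": ["xray:PutTraceSegments"], "Resource": "*"}
    if scoped:
        stmt["Condition"] = {"StringEquals": {"aws:SourceAccount": "111122223333"}}
    return {"PolicyName": "MySnsActiveTracingPolicy", "BypassPolicyLockoutCheck": bypass,
            "PolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [stmt]})}

if __name__ == "__main__":
    print(lint_xray_resource_policy(sample_props(scoped=False)))
```

Pass the Properties mapping of each AWS::XRay::ResourcePolicy resource from a parsed template to lint_xray_resource_policy and fail the pipeline when the returned list is not empty.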
See also
- PutResourcePolicy action in the X-Ray API Reference