You are viewing documentation for version 2 of the AWS SDK for Ruby. Version 3 documentation can be found here.

Class: Aws::IAM::Policy

Inherits:
Resources::Resource show all
Defined in:
(unknown)

Instance Attribute Summary collapse

Attributes inherited from Resources::Resource

#client, #identifiers

Instance Method Summary collapse

Methods inherited from Resources::Resource

add_data_attribute, add_identifier, #data, data_attributes, #data_loaded?, identifiers, #load, #wait_until

Methods included from Resources::OperationMethods

#add_batch_operation, #add_operation, #batch_operation, #batch_operation_names, #batch_operations, #operation, #operation_names, #operations

Constructor Details

#initialize(arn, options = {}) ⇒ Object #initialize(options = {}) ⇒ Object

Overloads:

  • #initialize(arn, options = {}) ⇒ Object

    Parameters:

    • arn (String)

    Options Hash (options):

    • :client (Client)

      When `:client is not given, the options hash is used to construct a new Client object.

  • #initialize(options = {}) ⇒ Object

    Options Hash (options):

    • :arn (required, String)
    • :client (Client)

      When `:client is not given, the options hash is used to construct a new Client object.

Instance Attribute Details

#arnString (readonly)

Returns:

  • (String)

#attachment_countInteger (readonly)

The number of entities (users, groups, and roles) that the policy is attached to.

Returns:

  • (Integer)

    The number of entities (users, groups, and roles) that the policy is attached to.

#create_dateTime (readonly)

The date and time, in ISO 8601 date-time format, when the policy was created.

Returns:

  • (Time)

    The date and time, in [ISO 8601 date-time format][1], when the policy was created.

#default_version_idString (readonly)

The identifier for the version of the policy that is set as the default version.

Returns:

  • (String)

    The identifier for the version of the policy that is set as the default version.

#descriptionString (readonly)

A friendly description of the policy.

This element is included in the response to the GetPolicy operation. It is not included in the response to the ListPolicies operation.

Returns:

  • (String)

    A friendly description of the policy.

#is_attachableBoolean (readonly)

Specifies whether the policy can be attached to an IAM user, group, or role.

Returns:

  • (Boolean)

    Specifies whether the policy can be attached to an IAM user, group, or role.

#pathString (readonly)

The path to the policy.

For more information about paths, see IAM Identifiers in the IAM User Guide.

Returns:

  • (String)

    The path to the policy.

#permissions_boundary_usage_countInteger (readonly)

The number of entities (users and roles) for which the policy is used to set the permissions boundary.

For more information about permissions boundaries, see Permissions Boundaries for IAM Identities in the IAM User Guide.

Returns:

  • (Integer)

    The number of entities (users and roles) for which the policy is used to set the permissions boundary.

#policy_idString (readonly)

The stable and unique string identifying the policy.

For more information about IDs, see IAM Identifiers in the IAM User Guide.

Returns:

  • (String)

    The stable and unique string identifying the policy.

#policy_nameString (readonly)

The friendly name (not ARN) identifying the policy.

Returns:

  • (String)

    The friendly name (not ARN) identifying the policy.

#update_dateTime (readonly)

The date and time, in ISO 8601 date-time format, when the policy was last updated.

When a policy has only one version, this field contains the date and time when the policy was created. When a policy has more than one version, this field contains the date and time when the most recent policy version was created.

Returns:

  • (Time)

    The date and time, in [ISO 8601 date-time format][1], when the policy was last updated.

Instance Method Details

#attach_group(options = {}) ⇒ Struct

Attaches the specified managed policy to the specified IAM group.

You use this API to attach a managed policy to a group. To embed an inline policy in a group, use PutGroupPolicy.

For more information about policies, see Managed Policies and Inline Policies in the IAM User Guide.

Examples:

Request syntax example with placeholder values


policy.attach_group({
  group_name: "groupNameType", # required
})

Options Hash (options):

  • :group_name (required, String)

    The name (friendly name, not ARN) of the group to attach the policy to.

    This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Returns:

  • (Struct)

    Returns an empty response.

See Also:

#attach_role(options = {}) ⇒ Struct

Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.

You cannot use a managed policy as the role's trust policy. The role's trust policy is created at the same time as the role, using CreateRole. You can update a role's trust policy using UpdateAssumeRolePolicy.

Use this API to attach a managed policy to a role. To embed an inline policy in a role, use PutRolePolicy. For more information about policies, see Managed Policies and Inline Policies in the IAM User Guide.

Examples:

Request syntax example with placeholder values


policy.attach_role({
  role_name: "roleNameType", # required
})

Options Hash (options):

  • :role_name (required, String)

    The name (friendly name, not ARN) of the role to attach the policy to.

    This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Returns:

  • (Struct)

    Returns an empty response.

See Also:

#attach_user(options = {}) ⇒ Struct

Attaches the specified managed policy to the specified user.

You use this API to attach a managed policy to a user. To embed an inline policy in a user, use PutUserPolicy.

For more information about policies, see Managed Policies and Inline Policies in the IAM User Guide.

Examples:

Request syntax example with placeholder values


policy.attach_user({
  user_name: "userNameType", # required
})

Options Hash (options):

  • :user_name (required, String)

    The name (friendly name, not ARN) of the IAM user to attach the policy to.

    This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Returns:

  • (Struct)

    Returns an empty response.

See Also:

#attached_groups(options = {}) ⇒ Collection<Group>

Returns a Collection of Group resources. No API requests are made until you call an enumerable method on the collection. Client#list_entities_for_policy will be called multiple times until every Group has been yielded.

Examples:

Request syntax example with placeholder values


policy.attached_groups({
  path_prefix: "pathType",
  policy_usage_filter: "PermissionsPolicy", # accepts PermissionsPolicy, PermissionsBoundary
  marker: "markerType",
  max_items: 1,
})

Enumerating Group resources.

policy.attached_groups.each do |group|
  # yields each group
end

Enumerating Group resources with a limit.

policy.attached_groups.limit(10).each do |group|
  # yields at most 10 attached_groups
end

Options Hash (options):

  • :path_prefix (String)

    The path prefix for filtering the results. This parameter is optional. If it is not included, it defaults to a slash (/), listing all entities.

    This parameter allows (through its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercased letters.

  • :policy_usage_filter (String)

    The policy usage method to use for filtering the results.

    To list only permissions policies, set PolicyUsageFilter to PermissionsPolicy. To list only the policies used to set permissions boundaries, set the value to PermissionsBoundary.

    This parameter is optional. If it is not included, all policies are returned.

  • :marker (String)

    Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

  • :max_items (Integer)

    Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.

    If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.

Returns:

See Also:

#attached_roles(options = {}) ⇒ Collection<Role>

Returns a Collection of Role resources. No API requests are made until you call an enumerable method on the collection. Client#list_entities_for_policy will be called multiple times until every Role has been yielded.

Examples:

Request syntax example with placeholder values


policy.attached_roles({
  path_prefix: "pathType",
  policy_usage_filter: "PermissionsPolicy", # accepts PermissionsPolicy, PermissionsBoundary
  marker: "markerType",
  max_items: 1,
})

Enumerating Role resources.

policy.attached_roles.each do |role|
  # yields each role
end

Enumerating Role resources with a limit.

policy.attached_roles.limit(10).each do |role|
  # yields at most 10 attached_roles
end

Options Hash (options):

  • :path_prefix (String)

    The path prefix for filtering the results. This parameter is optional. If it is not included, it defaults to a slash (/), listing all entities.

    This parameter allows (through its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercased letters.

  • :policy_usage_filter (String)

    The policy usage method to use for filtering the results.

    To list only permissions policies, set PolicyUsageFilter to PermissionsPolicy. To list only the policies used to set permissions boundaries, set the value to PermissionsBoundary.

    This parameter is optional. If it is not included, all policies are returned.

  • :marker (String)

    Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

  • :max_items (Integer)

    Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.

    If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.

Returns:

  • (Collection<Role>)

See Also:

#attached_users(options = {}) ⇒ Collection<User>

Returns a Collection of User resources. No API requests are made until you call an enumerable method on the collection. Client#list_entities_for_policy will be called multiple times until every User has been yielded.

Examples:

Request syntax example with placeholder values


policy.attached_users({
  path_prefix: "pathType",
  policy_usage_filter: "PermissionsPolicy", # accepts PermissionsPolicy, PermissionsBoundary
  marker: "markerType",
  max_items: 1,
})

Enumerating User resources.

policy.attached_users.each do |user|
  # yields each user
end

Enumerating User resources with a limit.

policy.attached_users.limit(10).each do |user|
  # yields at most 10 attached_users
end

Options Hash (options):

  • :path_prefix (String)

    The path prefix for filtering the results. This parameter is optional. If it is not included, it defaults to a slash (/), listing all entities.

    This parameter allows (through its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercased letters.

  • :policy_usage_filter (String)

    The policy usage method to use for filtering the results.

    To list only permissions policies, set PolicyUsageFilter to PermissionsPolicy. To list only the policies used to set permissions boundaries, set the value to PermissionsBoundary.

    This parameter is optional. If it is not included, all policies are returned.

  • :marker (String)

    Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

  • :max_items (Integer)

    Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.

    If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.

Returns:

  • (Collection<User>)

See Also:

#create_version(options = {}) ⇒ PolicyVersion

Examples:

Request syntax example with placeholder values


policy.create_version({
  policy_document: "policyDocumentType", # required
  set_as_default: false,
})

Basic usage

policyversion = policy.create_version(options)
policyversion.version_id
#=> "policyversion-version-id"

Options Hash (options):

  • :policy_document (required, String)

    The JSON policy document that you want to use as the content for this new version of the policy.

    You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.

    The regex pattern used to validate this parameter is a string of characters consisting of the following:

    • Any printable ASCII character ranging from the space character (\u0020) through the end of the ASCII character range

    • The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF)

    • The special characters tab (\u0009), line feed (\u000A), and carriage return (\u000D)

  • :set_as_default (Boolean)

    Specifies whether to set this version as the policy\'s default version.

    When this parameter is true, the new policy version becomes the operative version. That is, it becomes the version that is in effect for the IAM users, groups, and roles that the policy is attached to.

    For more information about managed policy versions, see Versioning for Managed Policies in the IAM User Guide.

Returns:

See Also:

#default_versionPolicyVersion?

Returns:

See Also:

#deleteStruct

Deletes the specified managed policy.

Before you can delete a managed policy, you must first detach the policy from all users, groups, and roles that it is attached to. In addition, you must delete all the policy's versions. The following steps describe the process for deleting a managed policy:

  • Detach the policy from all users, groups, and roles that the policy is attached to, using the DetachUserPolicy, DetachGroupPolicy, or DetachRolePolicy API operations. To list all the users, groups, and roles that a policy is attached to, use ListEntitiesForPolicy.

  • Delete all versions of the policy using DeletePolicyVersion. To list the policy's versions, use ListPolicyVersions. You cannot use DeletePolicyVersion to delete the version that is marked as the default version. You delete the policy's default version in the next step of the process.

  • Delete the policy (this automatically deletes the policy's default version) using this API.

For information about managed policies, see Managed Policies and Inline Policies in the IAM User Guide.

Examples:

Request syntax example with placeholder values


policy.delete()

Returns:

  • (Struct)

    Returns an empty response.

See Also:

#detach_group(options = {}) ⇒ Struct

Removes the specified managed policy from the specified IAM group.

A group can also have inline policies embedded with it. To delete an inline policy, use the DeleteGroupPolicy API. For information about policies, see Managed Policies and Inline Policies in the IAM User Guide.

Examples:

Request syntax example with placeholder values


policy.detach_group({
  group_name: "groupNameType", # required
})

Options Hash (options):

  • :group_name (required, String)

    The name (friendly name, not ARN) of the IAM group to detach the policy from.

    This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Returns:

  • (Struct)

    Returns an empty response.

See Also:

#detach_role(options = {}) ⇒ Struct

Removes the specified managed policy from the specified role.

A role can also have inline policies embedded with it. To delete an inline policy, use the DeleteRolePolicy API. For information about policies, see Managed Policies and Inline Policies in the IAM User Guide.

Examples:

Request syntax example with placeholder values


policy.detach_role({
  role_name: "roleNameType", # required
})

Options Hash (options):

  • :role_name (required, String)

    The name (friendly name, not ARN) of the IAM role to detach the policy from.

    This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Returns:

  • (Struct)

    Returns an empty response.

See Also:

#detach_user(options = {}) ⇒ Struct

Removes the specified managed policy from the specified user.

A user can also have inline policies embedded with it. To delete an inline policy, use the DeleteUserPolicy API. For information about policies, see Managed Policies and Inline Policies in the IAM User Guide.

Examples:

Request syntax example with placeholder values


policy.detach_user({
  user_name: "userNameType", # required
})

Options Hash (options):

  • :user_name (required, String)

    The name (friendly name, not ARN) of the IAM user to detach the policy from.

    This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

Returns:

  • (Struct)

    Returns an empty response.

See Also:

#versions(options = {}) ⇒ Collection<PolicyVersion>

Returns a Collection of Aws::IAM::PolicyVersion resources. No API requests are made until you call an enumerable method on the collection. Client#list_policy_versions will be called multiple times until every Aws::IAM::PolicyVersion has been yielded.

Examples:

Request syntax example with placeholder values


policy.versions({
  marker: "markerType",
  max_items: 1,
})

Enumerating Aws::IAM::PolicyVersion resources.

policy.versions.each do |policyversion|
  # yields each policyversion
end

Enumerating Aws::IAM::PolicyVersion resources with a limit.

policy.versions.limit(10).each do |policyversion|
  # yields at most 10 versions
end

Options Hash (options):

  • :marker (String)

    Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response that you received to indicate where the next call should start.

  • :max_items (Integer)

    Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.

    If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.

Returns:

See Also: