Creating template-linked policies
You can create template-linked policies to link to a policy template. Template-linked policies stay linked to their policy templates. If you change the policy statement in the policy template, any policies linked to that template automatically use the new statement for all authorization decisions made from that moment forward.
- AWS Management Console
-
To create a template-linked policy by instantiating a policy template
Open the Verified Permissions console at https://console.aws.amazon.com/verifiedpermissions/
. Choose your policy store. -
In the navigation pane on the left, choose Policies.
-
Choose Create policy and then choose Create template-linked policy.
-
Choose the radio button next to the policy template to use and then choose Next.
-
Type the Principal and Resource to be used for this specific instance of the template-linked policy. The specified values are displayed in the Policy statement preview field.
Note
The Principal and Resource values must have the same formatting as static policies. For example, to specify the
AdminUsers
group for the principal, typeGroup::"AdminUsers"
. If you typeAdminUsers
, a validation error is displayed. -
Choose Create template-linked policy.
The new template-linked policy is displayed under Policies.
- AWS CLI
-
To create a template-linked policy by instantiating a policy template
You can create a template-linked policy that references an existing policy template and that specifies values for any placeholders used by the template.
The following example creates a template-linked policy that uses a template with the following statement:
permit( principal in ?principal, action == PhotoFlash::Action::"view", resource == PhotoFlash::Photo::"VacationPhoto94.jpg" );
It also uses the following
definition.txt
file to supply the value for thedefinition
parameter:{ "templateLinked": { "policyTemplateId": "PTEXAMPLEabcdefg111111", "principal": { "entityType": "PhotoFlash::User", "entityId": "alice" } } }
The output shows both the resource, which it gets from the template, and the principal, which it gets from the definition parameter
$
aws verifiedpermissions create-policy \ --definition file://definition.txt --policy-store-id PSEXAMPLEabcdefg111111
{ "createdDate": "2023-05-22T18:57:53.298278+00:00", "lastUpdatedDate": "2023-05-22T18:57:53.298278+00:00", "policyId": "TPEXAMPLEabcdefg111111", "policyStoreId": "PSEXAMPLEabcdefg111111", "policyType": "TEMPLATELINKED", "principal": { "entityId": "alice", "entityType": "PhotoFlash::User" }, "resource": { "entityId": "VacationPhoto94.jpg", "entityType": "PhotoFlash::Photo" } }