Creating template-linked policies

You can create template-linked policies to link to a policy template. Template-linked policies stay linked to their policy templates. If you change the policy statement in the policy template, any policies linked to that template automatically use the new statement for all authorization decisions made from that moment forward.

AWS Management Console

To create a template-linked policy by instantiating a policy template

Open the Verified Permissions console at https://console.aws.amazon.com/verifiedpermissions/. Choose your policy store.
In the navigation pane on the left, choose Policies.
Choose Create policy and then choose Create template-linked policy.
Choose the radio button next to the policy template to use and then choose Next.
Type the Principal and Resource to be used for this specific instance of the template-linked policy. The specified values are displayed in the Policy statement preview field.

Note
The Principal and Resource values must have the same formatting as static policies. For example, to specify the AdminUsers group for the principal, type Group::"AdminUsers". If you type AdminUsers, a validation error is displayed.
Choose Create template-linked policy.

The new template-linked policy is displayed under Policies.

AWS CLI

To create a template-linked policy by instantiating a policy template

You can create a template-linked policy that references an existing policy template and that specifies values for any placeholders used by the template.

The following example creates a template-linked policy that uses a template with the following statement:


permit(
    principal in ?principal,
    action == PhotoFlash::Action::"view",
    resource == PhotoFlash::Photo::"VacationPhoto94.jpg"
);

It also uses the following definition.txt file to supply the value for the definition parameter:


{
    "templateLinked": {
        "policyTemplateId": "PTEXAMPLEabcdefg111111",
        "principal": {
            "entityType": "PhotoFlash::User",
            "entityId": "alice"
        }
    }
}

The output shows both the resource, which it gets from the template, and the principal, which it gets from the definition parameter


$ aws verifiedpermissions create-policy \
    --definition file://definition.txt
    --policy-store-id PSEXAMPLEabcdefg111111
{
    "createdDate": "2023-05-22T18:57:53.298278+00:00",
    "lastUpdatedDate": "2023-05-22T18:57:53.298278+00:00",
    "policyId": "TPEXAMPLEabcdefg111111",
    "policyStoreId": "PSEXAMPLEabcdefg111111",
    "policyType": "TEMPLATELINKED",
    "principal": {
        "entityId": "alice",
        "entityType": "PhotoFlash::User"
    },
    "resource": {
        "entityId": "VacationPhoto94.jpg",
        "entityType": "PhotoFlash::Photo"
    }
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Creating policy templates

Editing policy templates

Creating template-linked policies

To create a template-linked policy by instantiating a policy template

Note

To create a template-linked policy by instantiating a policy template