PutPermissionPolicy
Attaches a IAM policy to the specified resource. The only supported use for this action is to share a RuleGroup across accounts.
The PutPermissionPolicy is subject to the following restrictions:
-
You can attach only one policy with each
PutPermissionPolicyrequest. -
The policy must include an
Effect,ActionandPrincipal. -
Effectmust specifyAllow. -
The
Actionin the policy must bewaf:UpdateWebACL,waf-regional:UpdateWebACL,waf:GetRuleGroupandwaf-regional:GetRuleGroup. Any extra or wildcard actions in the policy will be rejected. -
The policy cannot include a
Resourceparameter. -
The ARN in the request must be a valid WAF RuleGroup ARN and the RuleGroup must exist in the same region.
-
The user making the request must be the owner of the RuleGroup.
-
Your policy must be composed using IAM Policy version 2012-10-17.
For more information, see IAM Policies.
An example of a valid policy parameter is shown in the Examples section below.
Request Syntax
{ "Policy": "string", "ResourceArn": "string" }
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- Policy
-
The policy to attach to the specified RuleGroup.
Type: String
Length Constraints: Minimum length of 1.
Required: Yes
- ResourceArn
-
The Amazon Resource Name (ARN) of the RuleGroup to which you want to attach the policy.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 1224.
Required: Yes
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Errors
For information about the errors that are common to all actions, see Common Errors.
- WAFInternalErrorException
-
The operation failed because of a system problem, even though the request was valid. Retry your request.
HTTP Status Code: 500
- WAFInvalidPermissionPolicyException
-
The operation failed because the specified policy is not in the proper format.
The policy is subject to the following restrictions:
-
You can attach only one policy with each
PutPermissionPolicyrequest. -
The policy must include an
Effect,ActionandPrincipal. -
Effectmust specifyAllow. -
The
Actionin the policy must bewaf:UpdateWebACL,waf-regional:UpdateWebACL,waf:GetRuleGroupandwaf-regional:GetRuleGroup. Any extra or wildcard actions in the policy will be rejected. -
The policy cannot include a
Resourceparameter. -
The ARN in the request must be a valid WAF RuleGroup ARN and the RuleGroup must exist in the same region.
-
The user making the request must be the owner of the RuleGroup.
-
Your policy must be composed using IAM Policy version 2012-10-17.
HTTP Status Code: 400
-
- WAFNonexistentItemException
-
The operation failed because the referenced object doesn't exist.
HTTP Status Code: 400
- WAFStaleDataException
-
The operation failed because you tried to create, update, or delete an object by using a change token that has already been used.
HTTP Status Code: 400
Examples
Example policy parameter - No escape characters
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111111111111:user/MyUserName" }, "Action": [ "waf:UpdateWebACL", "waf-regional:UpdateWebACL", "waf:GetRuleGroup", "waf-regional:GetRuleGroup" ] } ] }
Example policy parameter - AWS Command Line Interface (CLI)
{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111111111111:user\/MyUserName\"},\"Action\":[\"waf:UpdateWebACL\",\"waf-regional:UpdateWebACL\",\"waf:GetRuleGroup\",\"waf-regional:GetRuleGroup\"]}]}
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
