PutPermissionPolicy
Attaches an IAM policy to the specified resource. Use this to share a rule group across accounts.
You must be the owner of the rule group to perform this operation.
This action is subject to the following restrictions:
-
You can attach only one policy with each
PutPermissionPolicy
request. -
The ARN in the request must be a valid WAF RuleGroup ARN and the rule group must exist in the same region.
-
The user making the request must be the owner of the rule group.
Request Syntax
{
"Policy": "string
",
"ResourceArn": "string
"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- Policy
-
The policy to attach to the specified rule group.
The policy specifications must conform to the following:
-
The policy must be composed using IAM Policy version 2012-10-17 or version 2015-01-01.
-
The policy must include specifications for
Effect
,Action
, andPrincipal
. -
Effect
must specifyAllow
. -
Action
must specifywafv2:CreateWebACL
,wafv2:UpdateWebACL
, andwafv2:PutFirewallManagerRuleGroups
. AWS WAF rejects any extra actions or wildcard actions in the policy. -
The policy must not include a
Resource
parameter.
For more information, see IAM Policies.
Type: String
Length Constraints: Minimum length of 1.
Required: Yes
-
- ResourceArn
-
The Amazon Resource Name (ARN) of the RuleGroup to which you want to attach the policy.
Type: String
Length Constraints: Minimum length of 20. Maximum length of 2048.
Pattern:
.*\S.*
Required: Yes
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Errors
For information about the errors that are common to all actions, see Common Errors.
- WAFInternalErrorException
-
Your request is valid, but AWS WAF couldn’t perform the operation because of a system problem. Retry your request.
HTTP Status Code: 500
- WAFInvalidParameterException
-
The operation failed because AWS WAF didn't recognize a parameter in the request. For example:
-
You specified an invalid parameter name or value.
-
Your nested statement isn't valid. You might have tried to nest a statement that can’t be nested.
-
You tried to update a
WebACL
with aDefaultAction
that isn't among the types available at DefaultAction. -
Your request references an ARN that is malformed, or corresponds to a resource with which a Web ACL cannot be associated.
HTTP Status Code: 400
-
- WAFInvalidPermissionPolicyException
-
The operation failed because the specified policy isn't in the proper format.
The policy specifications must conform to the following:
-
The policy must be composed using IAM Policy version 2012-10-17 or version 2015-01-01.
-
The policy must include specifications for
Effect
,Action
, andPrincipal
. -
Effect
must specifyAllow
. -
Action
must specifywafv2:CreateWebACL
,wafv2:UpdateWebACL
, andwafv2:PutFirewallManagerRuleGroups
. AWS WAF rejects any extra actions or wildcard actions in the policy. -
The policy must not include a
Resource
parameter.
For more information, see IAM Policies.
HTTP Status Code: 400
-
- WAFNonexistentItemException
-
AWS WAF couldn’t perform the operation because your resource doesn’t exist.
HTTP Status Code: 400
Examples
Example policy parameter - No escape characters
This example illustrates one usage of PutPermissionPolicy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111111111111:user/MyUserName" }, "Action": [ "wafv2:UpdateWebACL", "wafv2:GetRuleGroup" ] } ] }
Example put permission policy call for the AWS Command Line Interface (CLI)
This example illustrates one usage of PutPermissionPolicy.
aws wafv2 put-permission-policy --resource-arn arn:aws:wafv2:us-east-1:989717579876:regional/rulegroup/rule_group_with_rules/exampleRuleGroupArn --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111111111111:user/MyExampleUserName"},"Action":["wafv2:UpdateWebACL","wafv2:CreateWebACL","wafv2:PutFirewallManagerRuleGroups"]}]}'
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: