Complete IAM policy lifecycle management: customer managed policies and their versions, inline policies embedded in users, groups and roles, policy attachments, permissions boundaries, and policy tags.
Creates a new managed policy for your AWS account.
/**
 * Creates a new customer managed policy in the calling AWS account.
 *
 * NOTE(security): a managed policy is inert until attached with
 * AttachUserPolicy / AttachGroupPolicy / AttachRolePolicy (IAM semantics,
 * not visible on this page), but once it exists anyone holding
 * iam:Attach*Policy can hand it out — review the document for wildcard
 * actions or resources before creating it, not after.
 */
interface CreatePolicyCommandInput {
  /** Friendly name of the policy. */
  PolicyName: string;
  /**
   * The JSON policy document, as a string. Callers must serialize an object
   * (e.g. JSON.stringify) — the field type is string, not an object.
   */
  PolicyDocument: string;
  /** Path for the policy (default: "/"). */
  Path?: string;
  /** Friendly description of the policy. */
  Description?: string;
  /** Tags to attach to the new customer managed policy. */
  Tags?: Tag[];
}
interface CreatePolicyCommandOutput {
  /**
   * The created policy. Keep Policy.Arn: every other policy command on this
   * page (Delete, CreatePolicyVersion, Attach*, Tag*) identifies the policy
   * by ARN, not by name.
   */
  Policy?: Policy;
}

Usage Example:
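import { IAMClient, CreatePolicyCommand } from "@aws-sdk/client-iam";

// No credentials are passed here, so the SDK's default credential resolution
// is used (presumably — TODO confirm for your SDK version). Never hardcode
// access keys in a sample like this.
const client = new IAMClient({ region: "us-east-1" });

// Least privilege: explicit actions and a single bucket prefix, no "*".
const policyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: ["s3:GetObject", "s3:PutObject"],
      Resource: "arn:aws:s3:::my-bucket/*"
    }
  ]
};

const command = new CreatePolicyCommand({
  PolicyName: "S3AccessPolicy",
  // PolicyDocument is a string field: serialize the object explicitly.
  PolicyDocument: JSON.stringify(policyDocument),
  Description: "Allows read/write access to specific S3 bucket",
  Tags: [
    { Key: "Department", Value: "Engineering" }
  ]
});

const result = await client.send(command);
// Log the ARN as well as the name: DeletePolicy, CreatePolicyVersion and the
// Attach*Policy commands all take PolicyArn, so the name alone is not enough
// to drive the next step.
console.log("Created policy:", result.Policy?.PolicyName, result.Policy?.Arn);

Deletes the specified managed policy.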
/**
 * Deletes the specified customer managed policy.
 *
 * NOTE(review): the service is expected to refuse deletion while the policy
 * is still attached to any user/group/role or still has non-default
 * versions — confirm against the IAM docs. Enumerate attachments with
 * ListEntitiesForPolicy and versions with ListPolicyVersions first; that
 * doubles as the audit record of who lost which permissions when this ran.
 */
interface DeletePolicyCommandInput {
  /** ARN of the IAM policy to delete. */
  PolicyArn: string;
}
/** No fields are returned; success is presumably signalled by the absence of an error. */
interface DeletePolicyCommandOutput {}

Retrieves information about the specified managed policy.
/**
 * Retrieves metadata about the specified managed policy.
 *
 * The returned Policy record carries name, ARN, DefaultVersionId and usage
 * counts but not the policy document itself; fetch the document with
 * GetPolicyVersion using Policy.DefaultVersionId.
 */
interface GetPolicyCommandInput {
  /** ARN of the managed policy to describe. */
  PolicyArn: string;
}
interface GetPolicyCommandOutput {
  /** Policy metadata (see the Policy type). */
  Policy?: Policy;
}

Lists all the managed policies that are available in your AWS account.
/**
 * Lists the managed policies available in the account.
 *
 * Results are paginated: a caller that does not loop while IsTruncated is
 * true (passing the returned Marker back in) silently gets a partial
 * inventory — a classic audit-tool bug. Setting MaxItems does not remove
 * the need to honor IsTruncated.
 */
interface ListPoliciesCommandInput {
  /**
   * Scope filter: All | AWS | Local. Local presumably means customer managed
   * policies only and AWS means AWS managed policies only — confirm.
   */
  Scope?: PolicyScopeType;
  /** When true, only policies that are currently attached are returned. */
  OnlyAttached?: boolean;
  /** Path prefix filter (default: "/"). */
  PathPrefix?: string;
  /** Filter by usage: as a permissions policy or as a permissions boundary. */
  PolicyUsageFilter?: PolicyUsageType;
  /** Pagination: the Marker from the previous truncated response. */
  Marker?: string;
  /** Pagination: upper bound on items returned per call. */
  MaxItems?: number;
}
interface ListPoliciesCommandOutput {
  /** The page of policies (metadata only; no documents). */
  Policies?: Policy[];
  /** True when more results exist; re-issue the call with Marker to fetch them. */
  IsTruncated?: boolean;
  /** Continuation token, present when IsTruncated is true. */
  Marker?: string;
}

Creates a new version of the specified managed policy.
/**
 * Creates a new version of the specified managed policy.
 *
 * NOTE(security): with SetAsDefault: true the new document becomes the
 * version in force for every entity the policy is attached to, in a single
 * call and without touching any attachment. That makes
 * iam:CreatePolicyVersion a privilege-escalation primitive for anyone who
 * can call it against a policy attached to themselves — restrict it and
 * alert on it.
 *
 * NOTE(review): the service caps the number of stored versions per policy
 * (five at the time of writing — confirm); remove old ones with
 * DeletePolicyVersion when the cap is reached.
 */
interface CreatePolicyVersionCommandInput {
  /** ARN of the policy to add a version to. */
  PolicyArn: string;
  /** The JSON policy document for the new version, serialized to a string. */
  PolicyDocument: string;
  /** Make this version the default (effective) version immediately. */
  SetAsDefault?: boolean;
}
interface CreatePolicyVersionCommandOutput {
  /** The created version; its VersionId is what Get/Delete/SetDefault take. */
  PolicyVersion?: PolicyVersion;
}

Deletes the specified version from the specified managed policy.
/**
 * Deletes one version from a managed policy.
 *
 * Deletion is irreversible: if you may need to roll back, fetch the document
 * with GetPolicyVersion first. NOTE(review): the default version is expected
 * to be undeletable — change the default with SetDefaultPolicyVersion before
 * removing it (confirm against the IAM docs).
 */
interface DeletePolicyVersionCommandInput {
  /** ARN of the policy that owns the version. */
  PolicyArn: string;
  /** Id of the version to delete (see PolicyVersion.VersionId). */
  VersionId: string;
}
/** No fields are returned. */
interface DeletePolicyVersionCommandOutput {}

Retrieves information about the specified version of the specified managed policy.
/**
 * Retrieves one version of a managed policy, including its document.
 *
 * NOTE(review): in the IAM API the returned Document is URL-encoded; decode
 * it (e.g. decodeURIComponent) before JSON.parse — confirm whether this SDK
 * version already does that for you. When auditing, compare the decoded
 * document against the intended one rather than trusting the VersionId.
 */
interface GetPolicyVersionCommandInput {
  /** ARN of the managed policy. */
  PolicyArn: string;
  /** Id of the version to retrieve (see PolicyVersion.VersionId). */
  VersionId: string;
}
interface GetPolicyVersionCommandOutput {
  /** The version record, including Document and IsDefaultVersion. */
  PolicyVersion?: PolicyVersion;
}

Lists information about the versions of the specified managed policy.
/**
 * Lists the versions of a managed policy.
 *
 * Paginated: loop while IsTruncated, passing Marker back. Exactly one entry
 * has IsDefaultVersion true (the version in force); the others, with their
 * CreateDate, are the policy's change history and are worth keeping in an
 * incident timeline before any cleanup with DeletePolicyVersion.
 */
interface ListPolicyVersionsCommandInput {
  /** ARN of the policy whose versions to list. */
  PolicyArn: string;
  /** Pagination: the Marker from the previous truncated response. */
  Marker?: string;
  /** Pagination: upper bound on items returned per call. */
  MaxItems?: number;
}
interface ListPolicyVersionsCommandOutput {
  /** The page of versions. */
  Versions?: PolicyVersion[];
  /** True when more results exist; re-issue the call with Marker. */
  IsTruncated?: boolean;
  /** Continuation token, present when IsTruncated is true. */
  Marker?: string;
}

Sets the specified version of the specified policy as the policy's default version.
/**
 * Makes the given version the policy's default, i.e. the version in force.
 *
 * NOTE(security): this changes the effective permissions of every attached
 * user, group and role without creating or removing any attachment, so
 * attachment-focused monitoring will not see it. Treat
 * iam:SetDefaultPolicyVersion like CreatePolicyVersion with SetAsDefault: a
 * caller who can point a policy attached to themselves at an older, broader
 * version gains those permissions. Restrict it and alert on it.
 */
interface SetDefaultPolicyVersionCommandInput {
  /** ARN of the policy whose default version is being changed. */
  PolicyArn: string;
  /** Id of the version to make default (see PolicyVersion.VersionId). */
  VersionId: string;
}
/** No fields are returned. */
interface SetDefaultPolicyVersionCommandOutput {}

Attaches the specified managed policy to the specified user.
/**
 * Attaches a managed policy to an IAM user.
 *
 * NOTE(security): this is the point at which the policy's permissions take
 * effect for the user. The ARN may name an AWS managed policy as well as a
 * customer managed one, so a caller with iam:AttachUserPolicy on their own
 * user can grant themselves anything attachable — a direct privilege-
 * escalation primitive. Alert on attachments to human users in particular.
 */
interface AttachUserPolicyCommandInput {
  /** Friendly name of the user (not the ARN). */
  UserName: string;
  /** ARN of the policy to attach. */
  PolicyArn: string;
}
/** No fields are returned. */
interface AttachUserPolicyCommandOutput {}

Removes the specified managed policy from the specified user.
/**
 * Detaches a managed policy from an IAM user.
 *
 * Only the attachment is removed; the policy itself and its other
 * attachments are untouched (compare Policy.AttachmentCount before/after).
 * Detaching is the usual first step of revoking access in an incident —
 * pair it with a review of the user's inline policies (ListUserPolicies),
 * which this command does not affect.
 */
interface DetachUserPolicyCommandInput {
  /** Friendly name of the user (not the ARN). */
  UserName: string;
  /** ARN of the policy to detach. */
  PolicyArn: string;
}
/** No fields are returned. */
interface DetachUserPolicyCommandOutput {}

Attaches the specified managed policy to the specified IAM group.
/**
 * Attaches a managed policy to an IAM group.
 *
 * NOTE(security): a group attachment applies to every current and future
 * member of the group, so its blast radius is the membership list, not one
 * principal. Review group membership before attaching anything broad.
 */
interface AttachGroupPolicyCommandInput {
  /** Friendly name of the group (not the ARN). */
  GroupName: string;
  /** ARN of the policy to attach. */
  PolicyArn: string;
}
/** No fields are returned. */
interface AttachGroupPolicyCommandOutput {}

Removes the specified managed policy from the specified IAM group.
/**
 * Detaches a managed policy from an IAM group.
 *
 * Removes the permissions from every member of the group at once; the
 * policy itself is untouched. Members may still hold the same permissions
 * through direct attachments or inline policies — check those separately.
 */
interface DetachGroupPolicyCommandInput {
  /** Friendly name of the group (not the ARN). */
  GroupName: string;
  /** ARN of the policy to detach. */
  PolicyArn: string;
}
/** No fields are returned. */
interface DetachGroupPolicyCommandOutput {}

Attaches the specified managed policy to the specified IAM role.
/**
 * Attaches a managed policy to an IAM role.
 *
 * NOTE(security): the permissions flow to every principal able to assume
 * the role — which, depending on the role's trust policy (not visible
 * here), may include other accounts, federated identities or services.
 * Check who can assume the role before attaching anything broad.
 */
interface AttachRolePolicyCommandInput {
  /** Friendly name of the role (not the ARN). */
  RoleName: string;
  /** ARN of the policy to attach. */
  PolicyArn: string;
}
/** No fields are returned. */
interface AttachRolePolicyCommandOutput {}

Removes the specified managed policy from the specified role.
/**
 * Detaches a managed policy from an IAM role.
 *
 * Only the attachment is removed; the policy and the role's inline policies
 * (ListRolePolicies) are unaffected. Sessions already obtained by assuming
 * the role are not shown here — presumably they keep running until they
 * expire, so treat detachment as necessary but not sufficient revocation.
 */
interface DetachRolePolicyCommandInput {
  /** Friendly name of the role (not the ARN). */
  RoleName: string;
  /** ARN of the policy to detach. */
  PolicyArn: string;
}
/** No fields are returned. */
interface DetachRolePolicyCommandOutput {}

Lists all managed policies that are attached to the specified IAM user.
/**
 * Lists the managed policies attached to an IAM user.
 *
 * Managed attachments only: inline policies embedded in the user are
 * listed by ListUserPolicies, and group-inherited policies by
 * ListAttachedGroupPolicies. An access review needs all three. Paginated —
 * loop while IsTruncated, passing Marker back.
 */
interface ListAttachedUserPoliciesCommandInput {
  /** Friendly name of the user (not the ARN). */
  UserName: string;
  /** Path prefix filter for the policies. */
  PathPrefix?: string;
  /** Pagination: the Marker from the previous truncated response. */
  Marker?: string;
  /** Pagination: upper bound on items returned per call. */
  MaxItems?: number;
}
interface ListAttachedUserPoliciesCommandOutput {
  /** Name and ARN of each attached policy. */
  AttachedPolicies?: AttachedPolicy[];
  /** True when more results exist; re-issue the call with Marker. */
  IsTruncated?: boolean;
  /** Continuation token, present when IsTruncated is true. */
  Marker?: string;
}

Lists all managed policies that are attached to the specified IAM group.
/**
 * Lists the managed policies attached to an IAM group.
 *
 * Managed attachments only; inline group policies come from
 * ListGroupPolicies. Paginated — loop while IsTruncated, passing Marker.
 */
interface ListAttachedGroupPoliciesCommandInput {
  /** Friendly name of the group (not the ARN). */
  GroupName: string;
  /** Path prefix filter for the policies. */
  PathPrefix?: string;
  /** Pagination: the Marker from the previous truncated response. */
  Marker?: string;
  /** Pagination: upper bound on items returned per call. */
  MaxItems?: number;
}
interface ListAttachedGroupPoliciesCommandOutput {
  /** Name and ARN of each attached policy. */
  AttachedPolicies?: AttachedPolicy[];
  /** True when more results exist; re-issue the call with Marker. */
  IsTruncated?: boolean;
  /** Continuation token, present when IsTruncated is true. */
  Marker?: string;
}

Lists all managed policies that are attached to the specified IAM role.
/**
 * Lists the managed policies attached to an IAM role.
 *
 * Managed attachments only; inline role policies come from
 * ListRolePolicies. Paginated — loop while IsTruncated, passing Marker.
 */
interface ListAttachedRolePoliciesCommandInput {
  /** Friendly name of the role (not the ARN). */
  RoleName: string;
  /** Path prefix filter for the policies. */
  PathPrefix?: string;
  /** Pagination: the Marker from the previous truncated response. */
  Marker?: string;
  /** Pagination: upper bound on items returned per call. */
  MaxItems?: number;
}
interface ListAttachedRolePoliciesCommandOutput {
  /** Name and ARN of each attached policy. */
  AttachedPolicies?: AttachedPolicy[];
  /** True when more results exist; re-issue the call with Marker. */
  IsTruncated?: boolean;
  /** Continuation token, present when IsTruncated is true. */
  Marker?: string;
}

Lists all IAM users, groups, and roles that the specified managed policy is attached to.
/**
 * Lists the users, groups and roles a managed policy is attached to.
 *
 * This is the blast-radius query: run it before changing a policy's
 * default version or deleting it, and when triaging a policy found to be
 * over-permissive. PolicyUsageFilter separates entities that use the policy
 * as a permissions policy from those that use it as a permissions
 * boundary — the two have opposite security meaning (grant vs. cap).
 * Paginated — loop while IsTruncated, passing Marker back.
 */
interface ListEntitiesForPolicyCommandInput {
  /** ARN of the policy to query. */
  PolicyArn: string;
  /** Restrict to one entity type: User | Role | Group | LocalManagedPolicy | AWSManagedPolicy. */
  EntityFilter?: EntityType;
  /** Path prefix filter for the entities. */
  PathPrefix?: string;
  /** Filter by usage: PermissionsPolicy or PermissionsBoundary. */
  PolicyUsageFilter?: PolicyUsageType;
  /** Pagination: the Marker from the previous truncated response. */
  Marker?: string;
  /** Pagination: upper bound on items returned per call. */
  MaxItems?: number;
}
interface ListEntitiesForPolicyCommandOutput {
  /** Groups the policy is attached to. */
  PolicyGroups?: PolicyGroup[];
  /** Users the policy is attached to. */
  PolicyUsers?: PolicyUser[];
  /** Roles the policy is attached to. */
  PolicyRoles?: PolicyRole[];
  /** True when more results exist; re-issue the call with Marker. */
  IsTruncated?: boolean;
  /** Continuation token, present when IsTruncated is true. */
  Marker?: string;
}

Adds or updates an inline policy document that is embedded in the specified IAM user.
/**
 * Adds or replaces an inline policy embedded in an IAM user.
 *
 * "Adds or updates": an existing inline policy with the same PolicyName is
 * overwritten wholesale, and this page offers no version history for inline
 * policies — fetch the previous document with GetUserPolicy first if you
 * may need to roll back. NOTE(security): iam:PutUserPolicy on one's own
 * user is a direct privilege-escalation primitive; prefer managed policies,
 * which are versioned and visible in ListPolicies, for anything reusable.
 */
interface PutUserPolicyCommandInput {
  /** Name of the user the policy is embedded in. */
  UserName: string;
  /** Name of the inline policy; reusing a name replaces that policy. */
  PolicyName: string;
  /** The JSON policy document, serialized to a string. */
  PolicyDocument: string;
}
/** No fields are returned. */
interface PutUserPolicyCommandOutput {}

Retrieves the specified inline policy document that is embedded in the specified IAM user.
/**
 * Retrieves an inline policy embedded in an IAM user.
 *
 * NOTE(review): in the IAM API the returned PolicyDocument is URL-encoded;
 * decode it before JSON.parse — confirm whether this SDK version already
 * does so.
 */
interface GetUserPolicyCommandInput {
  /** Name of the user the policy is embedded in. */
  UserName: string;
  /** Name of the inline policy to fetch (see ListUserPolicies). */
  PolicyName: string;
}
interface GetUserPolicyCommandOutput {
  /** Echo of the user name. */
  UserName: string;
  /** Echo of the policy name. */
  PolicyName: string;
  /** The policy document (JSON, possibly URL-encoded — see above). */
  PolicyDocument: string;
}

Deletes the specified inline policy that is embedded in the specified IAM user.
/**
 * Deletes an inline policy embedded in an IAM user.
 *
 * Irreversible and unversioned: capture the document with GetUserPolicy
 * before deleting if it may be needed for rollback or for an investigation.
 */
interface DeleteUserPolicyCommandInput {
  /** Friendly name of the user (not the ARN). */
  UserName: string;
  /** Name of the inline policy to delete. */
  PolicyName: string;
}
/** No fields are returned. */
interface DeleteUserPolicyCommandOutput {}

Lists the names of the inline policies embedded in the specified IAM user.
/**
 * Lists the names of the inline policies embedded in an IAM user.
 *
 * Names only — fetch each document with GetUserPolicy. Inline policies do
 * not appear in ListPolicies or ListAttachedUserPolicies, so an inventory
 * that skips this call misses them. Paginated — loop while IsTruncated.
 */
interface ListUserPoliciesCommandInput {
  /** Name of the user to list inline policies for. */
  UserName: string;
  /** Pagination: the Marker from the previous truncated response. */
  Marker?: string;
  /** Pagination: upper bound on items returned per call. */
  MaxItems?: number;
}
interface ListUserPoliciesCommandOutput {
  /** Inline policy names (may be empty). */
  PolicyNames: string[];
  /** True when more results exist; re-issue the call with Marker. */
  IsTruncated?: boolean;
  /** Continuation token, present when IsTruncated is true. */
  Marker?: string;
}

Adds or updates an inline policy document that is embedded in the specified IAM group.
/**
 * Adds or replaces an inline policy embedded in an IAM group.
 *
 * An existing inline policy with the same PolicyName is overwritten, with
 * no version history to fall back on — GetGroupPolicy first if rollback
 * matters. The document applies to every member of the group.
 */
interface PutGroupPolicyCommandInput {
  /** Name of the group the policy is embedded in. */
  GroupName: string;
  /** Name of the inline policy; reusing a name replaces that policy. */
  PolicyName: string;
  /** The JSON policy document, serialized to a string. */
  PolicyDocument: string;
}
/** No fields are returned. */
interface PutGroupPolicyCommandOutput {}

Retrieves the specified inline policy document that is embedded in the specified IAM group.
/**
 * Retrieves an inline policy embedded in an IAM group.
 *
 * NOTE(review): in the IAM API the returned PolicyDocument is URL-encoded;
 * decode it before JSON.parse — confirm for this SDK version.
 */
interface GetGroupPolicyCommandInput {
  /** Name of the group the policy is embedded in. */
  GroupName: string;
  /** Name of the inline policy to fetch (see ListGroupPolicies). */
  PolicyName: string;
}
interface GetGroupPolicyCommandOutput {
  /** Echo of the group name. */
  GroupName: string;
  /** Echo of the policy name. */
  PolicyName: string;
  /** The policy document (JSON, possibly URL-encoded — see above). */
  PolicyDocument: string;
}

Deletes the specified inline policy that is embedded in the specified IAM group.
/**
 * Deletes an inline policy embedded in an IAM group.
 *
 * Irreversible and unversioned; capture the document with GetGroupPolicy
 * first if it may be needed later. Affects every member of the group.
 */
interface DeleteGroupPolicyCommandInput {
  /** Friendly name of the group (not the ARN). */
  GroupName: string;
  /** Name of the inline policy to delete. */
  PolicyName: string;
}
/** No fields are returned. */
interface DeleteGroupPolicyCommandOutput {}

Lists the names of the inline policies that are embedded in the specified IAM group.
/**
 * Lists the names of the inline policies embedded in an IAM group.
 *
 * Names only — fetch each document with GetGroupPolicy. Paginated — loop
 * while IsTruncated, passing Marker back.
 */
interface ListGroupPoliciesCommandInput {
  /** Name of the group to list inline policies for. */
  GroupName: string;
  /** Pagination: the Marker from the previous truncated response. */
  Marker?: string;
  /** Pagination: upper bound on items returned per call. */
  MaxItems?: number;
}
interface ListGroupPoliciesCommandOutput {
  /** Inline policy names (may be empty). */
  PolicyNames: string[];
  /** True when more results exist; re-issue the call with Marker. */
  IsTruncated?: boolean;
  /** Continuation token, present when IsTruncated is true. */
  Marker?: string;
}

Adds or updates an inline policy document that is embedded in the specified IAM role.
/**
 * Adds or replaces an inline policy embedded in an IAM role.
 *
 * An existing inline policy with the same PolicyName is overwritten, with
 * no version history — GetRolePolicy first if rollback matters.
 * NOTE(security): iam:PutRolePolicy on a role the caller can assume is a
 * privilege-escalation primitive; it is also a common persistence step
 * after compromise (attaching permissions to a rarely reviewed role).
 * Alert on inline policy writes to privileged roles.
 */
interface PutRolePolicyCommandInput {
  /** Name of the role the policy is embedded in. */
  RoleName: string;
  /** Name of the inline policy; reusing a name replaces that policy. */
  PolicyName: string;
  /** The JSON policy document, serialized to a string. */
  PolicyDocument: string;
}
/** No fields are returned. */
interface PutRolePolicyCommandOutput {}

Retrieves the specified inline policy document that is embedded with the specified IAM role.
/**
 * Retrieves an inline policy embedded in an IAM role.
 *
 * NOTE(review): in the IAM API the returned PolicyDocument is URL-encoded;
 * decode it before JSON.parse — confirm for this SDK version.
 */
interface GetRolePolicyCommandInput {
  /** Name of the role the policy is embedded in. */
  RoleName: string;
  /** Name of the inline policy to fetch (see ListRolePolicies). */
  PolicyName: string;
}
interface GetRolePolicyCommandOutput {
  /** Echo of the role name. */
  RoleName: string;
  /** Echo of the policy name. */
  PolicyName: string;
  /** The policy document (JSON, possibly URL-encoded — see above). */
  PolicyDocument: string;
}

Deletes the specified inline policy that is embedded in the specified IAM role.
/**
 * Deletes an inline policy embedded in an IAM role.
 *
 * Irreversible and unversioned; capture the document with GetRolePolicy
 * first if it may be needed for rollback or an investigation.
 */
interface DeleteRolePolicyCommandInput {
  /** Friendly name of the role (not the ARN). */
  RoleName: string;
  /** Name of the inline policy to delete. */
  PolicyName: string;
}
/** No fields are returned. */
interface DeleteRolePolicyCommandOutput {}

Lists the names of the inline policies that are embedded in the specified IAM role.
/**
 * Lists the names of the inline policies embedded in an IAM role.
 *
 * Names only — fetch each document with GetRolePolicy. Together with
 * ListAttachedRolePolicies this is the complete permission set of the role.
 * Paginated — loop while IsTruncated, passing Marker back.
 */
interface ListRolePoliciesCommandInput {
  /** Name of the role to list inline policies for. */
  RoleName: string;
  /** Pagination: the Marker from the previous truncated response. */
  Marker?: string;
  /** Pagination: upper bound on items returned per call. */
  MaxItems?: number;
}
interface ListRolePoliciesCommandOutput {
  /** Inline policy names (may be empty). */
  PolicyNames: string[];
  /** True when more results exist; re-issue the call with Marker. */
  IsTruncated?: boolean;
  /** Continuation token, present when IsTruncated is true. */
  Marker?: string;
}

Adds a permissions boundary to an IAM user.
/**
 * Sets (or replaces) the permissions boundary of an IAM user.
 *
 * A boundary is a managed policy used as a cap: it limits what the user's
 * permissions policies can grant and grants nothing by itself (IAM
 * semantics, not visible on this page). Replacing a boundary with a weaker
 * one therefore widens the user's effective permissions just as surely as
 * attaching a policy does — review boundary changes with the same rigor.
 */
interface PutUserPermissionsBoundaryCommandInput {
  /** Friendly name of the user (not the ARN). */
  UserName: string;
  /** ARN of the managed policy to use as the boundary. */
  PermissionsBoundary: string;
}
/** No fields are returned. */
interface PutUserPermissionsBoundaryCommandOutput {}

Deletes the permissions boundary for the specified IAM user.
/**
 * Removes the permissions boundary from an IAM user.
 *
 * NOTE(security): this lifts the cap entirely; the user's effective
 * permissions become whatever their attached and inline policies grant.
 * Delegated-administration setups rely on boundaries staying in place, so
 * iam:DeleteUserPermissionsBoundary should be tightly restricted and every
 * call alerted on.
 */
interface DeleteUserPermissionsBoundaryCommandInput {
  /** Friendly name of the user (not the ARN). */
  UserName: string;
}
/** No fields are returned. */
interface DeleteUserPermissionsBoundaryCommandOutput {}

Adds a permissions boundary to an IAM role.
/**
 * Sets (or replaces) the permissions boundary of an IAM role.
 *
 * The boundary caps what the role's permissions policies can grant and
 * grants nothing itself (IAM semantics, not visible on this page).
 * Swapping in a weaker boundary widens the role's effective permissions for
 * everyone who can assume it — treat it as a permission change, not a
 * configuration tweak.
 */
interface PutRolePermissionsBoundaryCommandInput {
  /** Friendly name of the role (not the ARN). */
  RoleName: string;
  /** ARN of the managed policy to use as the boundary. */
  PermissionsBoundary: string;
}
/** No fields are returned. */
interface PutRolePermissionsBoundaryCommandOutput {}

Deletes the permissions boundary for the specified IAM role.
/**
 * Removes the permissions boundary from an IAM role.
 *
 * NOTE(security): lifts the cap entirely, so the role's effective
 * permissions revert to the full set its attached and inline policies
 * grant. Restrict iam:DeleteRolePermissionsBoundary and alert on it; it is
 * a quiet way to defeat a boundary-based guardrail.
 */
interface DeleteRolePermissionsBoundaryCommandInput {
  /** Friendly name of the role (not the ARN). */
  RoleName: string;
}
/** No fields are returned. */
interface DeleteRolePermissionsBoundaryCommandOutput {}

Adds one or more tags to an IAM customer managed policy.
/**
 * Adds one or more tags to a customer managed policy.
 *
 * NOTE(review): if your IAM policies condition on resource tags (ABAC),
 * tagging a policy can change authorization outcomes rather than just
 * metadata — treat iam:TagPolicy accordingly. Whether an existing key is
 * overwritten or rejected is not shown here; confirm against the IAM docs.
 */
interface TagPolicyCommandInput {
  /** ARN of the customer managed policy to tag. */
  PolicyArn: string;
  /** Tags to attach (key/value pairs). */
  Tags: Tag[];
}
/** No fields are returned. */
interface TagPolicyCommandOutput {}

Removes the specified tags from the specified IAM customer managed policy.
/**
 * Removes tags from a customer managed policy.
 *
 * Keys only are given; the current values are not checked. As with
 * TagPolicy, removing a tag that an ABAC condition depends on can change
 * who may use or modify the policy.
 */
interface UntagPolicyCommandInput {
  /** ARN of the customer managed policy to untag. */
  PolicyArn: string;
  /** Keys of the tags to remove. */
  TagKeys: string[];
}
/** No fields are returned. */
interface UntagPolicyCommandOutput {}

Lists the tags that are attached to the specified IAM customer managed policy.
/**
 * Lists the tags attached to a customer managed policy.
 *
 * Paginated like the other list commands — loop while IsTruncated, passing
 * Marker back, or a policy with many tags is only partially reported.
 */
interface ListPolicyTagsCommandInput {
  /** ARN of the customer managed policy. */
  PolicyArn: string;
  /** Pagination: the Marker from the previous truncated response. */
  Marker?: string;
  /** Pagination: upper bound on items returned per call. */
  MaxItems?: number;
}
interface ListPolicyTagsCommandOutput {
  /** The page of tags (may be empty). */
  Tags: Tag[];
  /** True when more results exist; re-issue the call with Marker. */
  IsTruncated?: boolean;
  /** Continuation token, present when IsTruncated is true. */
  Marker?: string;
}

/**
 * Metadata record for a managed policy, as returned by CreatePolicy,
 * GetPolicy and ListPolicies. Carries no policy document; the document of
 * the version in force is fetched with GetPolicyVersion(DefaultVersionId).
 */
interface Policy {
  /** Friendly name. */
  PolicyName?: string;
  /** Stable unique id; presumably unchanged across renames, unlike PolicyName — confirm. */
  PolicyId?: string;
  /** ARN — the identifier every other command on this page takes. */
  Arn?: string;
  /** Path the policy was created under. */
  Path?: string;
  /** Id of the default (effective) version; see PolicyVersion. */
  DefaultVersionId?: string;
  /** Number of users/groups/roles the policy is attached to as a permissions policy. */
  AttachmentCount?: number;
  /** Number of entities using the policy as a permissions boundary. */
  PermissionsBoundaryUsageCount?: number;
  /** Whether the policy can be attached to entities. */
  IsAttachable?: boolean;
  /** Friendly description. */
  Description?: string;
  /** Creation timestamp. */
  CreateDate?: Date;
  /** Last-update timestamp; useful for spotting recent, unreviewed changes. */
  UpdateDate?: Date;
  /** Tags on the policy. */
  Tags?: Tag[];
}
/**
 * One version of a managed policy. Exactly one version per policy has
 * IsDefaultVersion true; that is the document in force for every entity the
 * policy is attached to.
 */
interface PolicyVersion {
  /** The JSON policy document (NOTE(review): URL-encoded in the IAM API — decode before parsing; confirm for this SDK). */
  Document?: string;
  /** Version identifier used by Get/Delete/SetDefaultPolicyVersion. */
  VersionId?: string;
  /** True for the version currently in effect. */
  IsDefaultVersion?: boolean;
  /** When this version was created — the change timestamp for forensics. */
  CreateDate?: Date;
}
/** A managed-policy attachment as reported by the ListAttached*Policies commands. */
interface AttachedPolicy {
  /** Friendly name of the attached policy. */
  PolicyName?: string;
  /** ARN of the attached policy; use this, not the name, for follow-up calls. */
  PolicyArn?: string;
}
/** A group a policy is attached to (ListEntitiesForPolicy). */
interface PolicyGroup {
  /** Friendly name of the group. */
  GroupName?: string;
  /** Stable unique id; prefer it over the name when correlating audit records, since names may be reused after deletion (presumably — confirm). */
  GroupId?: string;
}
/** A user a policy is attached to (ListEntitiesForPolicy). */
interface PolicyUser {
  /** Friendly name of the user. */
  UserName?: string;
  /** Stable unique id; prefer it over the name when correlating audit records (presumably names can be reused after deletion — confirm). */
  UserId?: string;
}
/** A role a policy is attached to (ListEntitiesForPolicy). */
interface PolicyRole {
  /** Friendly name of the role. */
  RoleName?: string;
  /** Stable unique id; prefer it over the name when correlating audit records (presumably names can be reused after deletion — confirm). */
  RoleId?: string;
}
/**
 * A key/value tag on a policy. Both fields are required; if your policies
 * use tag-based conditions (ABAC), tag values are part of the authorization
 * decision and should be validated like any other security input.
 */
interface Tag {
  /** Tag key. */
  Key: string;
  /** Tag value. */
  Value: string;
}
/**
 * Scope filter for ListPolicies. "Local" presumably selects customer
 * managed policies and "AWS" the AWS managed ones — confirm against the
 * IAM docs; for an inventory of what your account itself created, use Local.
 */
enum PolicyScopeType {
  All = "All",
  AWS = "AWS",
  Local = "Local"
}
/**
 * How a managed policy is used by an entity: as a permissions policy (grants
 * access) or as a permissions boundary (caps access). Used by the
 * PolicyUsageFilter of ListPolicies and ListEntitiesForPolicy.
 */
enum PolicyUsageType {
  PermissionsPolicy = "PermissionsPolicy",
  PermissionsBoundary = "PermissionsBoundary"
}
/**
 * Entity-type filter for ListEntitiesForPolicy. User/Role/Group select the
 * principal type; LocalManagedPolicy and AWSManagedPolicy are also accepted
 * by the filter, though what they select in that context is not shown
 * here — confirm against the IAM docs.
 */
enum EntityType {
  User = "User",
  Role = "Role",
  Group = "Group",
  LocalManagedPolicy = "LocalManagedPolicy",
  AWSManagedPolicy = "AWSManagedPolicy"
}