Provides the structures and enumerations that define the IAM Rust model.
Mapping from AWS Names
A JSON policy document includes these elements:
- Optional policy-wide information at the top of the document
- One or more individual statements
Each statement includes information about a single permission. If a policy includes multiple statements, AWS applies a logical OR across the statements when evaluating them. If multiple policies apply to a request, AWS applies a logical OR across all of those policies when evaluating them. The information in a statement is contained within a series of elements.
- Version – Specify the version of the policy language that you want to use. As a best practice, use the latest 2012-10-17 version.
- Statement – Use this main policy element as a container for the following elements. You can include more than one statement in a policy.
- Sid (Optional) – Include an optional statement ID to differentiate between your statements.
- Effect – Use Allow or Deny to indicate whether the policy allows or denies access.
- Principal (Required in only some circumstances) – If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
- Action – Include a list of actions that the policy allows or denies.
- Resource (Required in only some circumstances) – If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, this element is optional. If you do not include this element, then the resource to which the action applies is the resource to which the policy is attached.
- Condition (Optional) – Specify the circumstances under which the policy grants permission.
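As an added example (not the crate's own code), the std-only model below mirrors the elements listed above and applies the evaluation rule the text states: statements are combined with a logical OR, and an explicit Deny overrides any Allow. The sample bucket ARNs and statement IDs are constructed.

```rust
// Added example, not the crate's own code; sample values below are constructed.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Effect { Allow, Deny }
#[derive(Debug, Clone)]
pub struct Statement {
    pub sid: Option<String>,
    pub effect: Effect,
    pub actions: Vec<String>,   // e.g. "s3:GetObject", "s3:Get*", "*"
    pub resources: Vec<String>, // ARNs; a trailing '*' is the only wildcard handled here
}

#[derive(Debug, Clone)]
pub struct Policy { pub version: String, pub statements: Vec<Statement> }

/// Exact match, or prefix match when the pattern ends in '*'.
fn glob_match(pattern: &str, value: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => value.starts_with(prefix),
        None => pattern == value,
    }
}

impl Statement {
    /// Action names are case-insensitive in IAM; resource ARNs are compared as written.
    fn matches(&self, action: &str, resource: &str) -> bool {
        let act = action.to_ascii_lowercase();
        self.actions.iter().any(|a| glob_match(&a.to_ascii_lowercase(), &act))
            && self.resources.iter().any(|r| glob_match(r, resource))
    }
}

/// Statements are ORed: None = nothing matched (implicit deny); Some(Deny) if any
/// matching statement denies; Some(Allow) only if one allows and none denies.
pub fn evaluate(policy: &Policy, action: &str, resource: &str) -> Option<Effect> {
    let mut outcome = None;
    for s in policy.statements.iter().filter(|s| s.matches(action, resource)) {
        if s.effect == Effect::Deny { return Some(Effect::Deny); }
        outcome = Some(Effect::Allow);
    }
    outcome
}

/// Constructed sample: all S3 actions on one bucket's objects, deletes explicitly denied.
pub fn sample_policy() -> Policy {
    let owned = |xs: &[&str]| -> Vec<String> { xs.iter().map(|s| s.to_string()).collect() };
    let stmt = |sid: &str, effect, actions: &[&str], resources: &[&str]| Statement {
        sid: Some(sid.to_string()), effect, actions: owned(actions), resources: owned(resources),
    };
    Policy { version: "2012-10-17".to_string(), statements: vec![
        stmt("ObjectAccess", Effect::Allow, &["s3:*"], &["arn:aws:s3:::example-bucket/*"]),
        stmt("NoDelete", Effect::Deny, &["s3:Delete*"], &["arn:aws:s3:::example-bucket/*"]),
    ] }
}
```

A request that matches no statement returns `None`, the implicit deny; the model deliberately stops at Effect, Action and Resource and does not evaluate Principal or Condition.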
Structs
- ConditionOperator - Pulls apart the string form of an operator used by IAM. It identifies the quantifiers which are used as string prefixes and recognizes the if exist suffix as well.
- Policy - An IAM policy resource.
- Statement - The Statement element is the main element for a policy. This element is required. It can include multiple elements (see the subsequent sections in this page). The Statement element contains an array of individual statements. Each individual statement is a JSON block enclosed in braces { }.
Enums
- Action - The Action element describes the specific action or actions that will be allowed or denied. Statements must include either an Action or NotAction element. Each AWS service has its own set of actions that describe tasks that you can perform with that service.
- ConditionOperatorQuantifier - You can use the Condition element of a policy to test multiple keys or multiple values for a single key in a request. You can use condition keys to test the values of the matching keys in the request. For example, you can use a condition key to control access to specific attributes of a DynamoDB table or to an Amazon EC2 instance based on tags.
- ConditionValue - The value to test an operator against.
- Effect - The Effect element is required and specifies whether the statement results in an allow or an explicit deny. Valid values for Effect are Allow and Deny.
- GlobalConditionOperator - Use condition operators in the Condition element to match the condition key and value in the policy against values in the request context.
- Principal - Use the Principal element to specify the IAM user, federated user, IAM role, AWS account, AWS service, or other principal entity that is allowed or denied access to a resource. You cannot use the Principal element in an IAM identity-based policy. You can use it in the trust policies for IAM roles and in resource-based policies. Resource-based policies are policies that you embed directly in an IAM resource.
- PrincipalType - This describes the way in which the condition ARNs should be understood.
- Resource - The Resource element specifies the object or objects that the statement covers. Statements must include either a Resource or a NotResource element. You specify a resource using an ARN.
- Version - The Version policy element is used within a policy and defines the version of the policy language.