
iam:ResourcePolicy

A policy attached to an action defining who can execute it.

Extends: iam:Policy

Resource policies are attached to actions via iam:hasResourcePolicy. They specify which principals (roles) are permitted or denied access to the action.

Properties

iam:action (optional)

The IAM action(s) this policy applies to.

Policy action must reference an IAM Action if specified

One or more specific iam:Action(s), such as act:InvokeAction, secrets:ResolveSecret, os:ReadStatement, or os:WriteStatement. When omitted, the policy applies to any action.

Values:

  • iam:Assume: IAM action for assuming an assumable resource (agent or role).

Inherited from parent class.

iam:condition (optional)

Conditions that must be satisfied for this policy to apply.

condition must reference a Condition

Multiple conditions on a policy are ANDed together.

Inherited from parent class.

iam:effect (required, max 1)

Whether this policy allows or denies access.

Policy must have exactly one effect (Allow or Deny)

Values:

  • iam:Allow: The policy permits the action.
  • iam:Deny: The policy prohibits the action.

Inherited from parent class.

iam:role (optional)

The role(s) this resource policy applies to.

ResourcePolicy role must be a valid role if specified

One or more specific iam:Role(s). When omitted, the policy applies to any role.

Values:

  • iam:FullAccessRole: Grants complete access to all workspace actions.
  • iam:SystemAdminRole: Grants full read, write, and invocation access to all system-defined resources.
  • iam:SystemReadRole: Grants read access and action invocation on system-defined resources.
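
The sketch below is an added example, not code from the engine: it models the rules stated on this page (an omitted iam:action or iam:role matches anything, conditions are ANDed, and there is exactly one effect) to show which policies apply to a request. The dict layout, the function names, the condition callables, and exact-match comparison of role and action identifiers are assumptions.

```python
# Added example: the applicability rules above, modelled in plain Python.
# The dict layout, function names and condition callables are assumptions
# for illustration; they are not the engine's API.
EFFECTS = {"iam:Allow", "iam:Deny"}

def validate(policy):
    """Return constraint violations, using the message quoted on this page."""
    effect = policy.get("iam:effect", [])
    if len(effect) != 1 or effect[0] not in EFFECTS:
        return ["Policy must have exactly one effect (Allow or Deny)"]
    return []

def applies(policy, role, action, context):
    """True when the policy applies to this role and action in this context."""
    actions = policy.get("iam:action", [])
    roles = policy.get("iam:role", [])
    if actions and action not in actions:   # iam:action omitted -> any action
        return False
    if roles and role not in roles:         # iam:role omitted -> any role
        return False
    # Multiple conditions are ANDed: every one must hold.
    return all(cond(context) for cond in policy.get("iam:condition", []))

def applicable_effects(policies, role, action, context):
    """Effects of each valid policy that applies to the request.
    Combining Allow and Deny into a final decision is not specified on
    this page, so that step is left out."""
    return [p["iam:effect"][0] for p in policies
            if not validate(p) and applies(p, role, action, context)]

# Constructed conditions and policies (not taken from a real workspace).
def business_hours(ctx):
    return 9 <= ctx["hour"] < 17

def internal_network(ctx):
    return ctx["network"] == "internal"

POLICIES = [
    {"iam:effect": ["iam:Allow"], "iam:role": ["iam:SystemReadRole"],
     "iam:action": ["os:ReadStatement"]},
    {"iam:effect": ["iam:Allow"], "iam:role": ["iam:SystemAdminRole"],
     "iam:action": ["os:WriteStatement"],
     "iam:condition": [business_hours, internal_network]},
    {"iam:effect": ["iam:Deny"], "iam:action": ["secrets:ResolveSecret"]},
    {"iam:effect": ["iam:Allow", "iam:Deny"]},  # invalid: two effects
]
```

The last policy omits both iam:role and iam:action, so it would match every request if it were valid. Rejecting it at validation time is what keeps it out of the results.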
