policy_grants
Creates, updates, deletes or gets a policy_grant resource or lists policy_grants in a region
Overview
| Name | policy_grants |
| Type | Resource |
| Description | Policy Grant in AWS DataZone is an explicit authorization assignment that allows a specific principal (user, group, or project) to perform particular actions (such as creating glossary terms, managing projects, or accessing resources) on governed resources within a certain scope (like a Domain Unit or Project). Policy Grants are essentially the mechanism by which DataZone enforces fine-grained, role-based access control beyond what is possible through AWS IAM alone. |
| Id | awscc.datazone.policy_grants |
Fields
| Name | Datatype | Description |
|---|---|---|
entity_type | string | |
policy_type | string | |
created_by | string | Specifies the user who created the policy grant member. |
created_at | string | Specifies the timestamp at which policy grant member was created. |
grant_id | string | The unique identifier of the policy grant returned by the AddPolicyGrant API |
entity_identifier | string | |
detail | object | |
principal | object | |
domain_identifier | string | |
region | string | AWS region. |
For more information, see AWS::DataZone::PolicyGrant.
Methods
| Name | Accessible by | Required Params |
|---|---|---|
create_resource | INSERT | DomainIdentifier, EntityIdentifier, EntityType, PolicyType, region |
delete_resource | DELETE | data__Identifier, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all properties from an individual policy_grant.
SELECT
region,
entity_type,
policy_type,
created_by,
created_at,
grant_id,
entity_identifier,
detail,
principal,
domain_identifier
FROM awscc.datazone.policy_grants
WHERE region = 'us-east-1' AND data__Identifier = '<DomainIdentifier>|<GrantId>|<EntityIdentifier>|<EntityType>|<PolicyType>';
INSERT example
Use the following StackQL query and manifest file to create a new policy_grant resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO awscc.datazone.policy_grants (
EntityType,
PolicyType,
EntityIdentifier,
DomainIdentifier,
region
)
SELECT
'{{ EntityType }}',
'{{ PolicyType }}',
'{{ EntityIdentifier }}',
'{{ DomainIdentifier }}',
'{{ region }}';
/*+ create */
INSERT INTO awscc.datazone.policy_grants (
EntityType,
PolicyType,
EntityIdentifier,
Detail,
Principal,
DomainIdentifier,
region
)
SELECT
'{{ EntityType }}',
'{{ PolicyType }}',
'{{ EntityIdentifier }}',
'{{ Detail }}',
'{{ Principal }}',
'{{ DomainIdentifier }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: policy_grant
props:
- name: EntityType
value: '{{ EntityType }}'
- name: PolicyType
value: '{{ PolicyType }}'
- name: EntityIdentifier
value: '{{ EntityIdentifier }}'
- name: Detail
value: null
- name: Principal
value: null
- name: DomainIdentifier
value: '{{ DomainIdentifier }}'
DELETE example
/*+ delete */
DELETE FROM awscc.datazone.policy_grants
WHERE data__Identifier = '<DomainIdentifier|GrantId|EntityIdentifier|EntityType|PolicyType>'
AND region = 'us-east-1';
Permissions
To operate on the policy_grants resource, the following permissions are required:
Read
datazone:ListPolicyGrants
Create
datazone:AddPolicyGrant,
datazone:ListPolicyGrants
List
datazone:ListPolicyGrants
Delete
datazone:RemovePolicyGrant,
datazone:ListPolicyGrants