policy_grants
Creates, updates, deletes or gets a policy_grant resource or lists policy_grants in a region
Overview
| Name | policy_grants |
| Type | Resource |
| Description | A Policy Grant in AWS DataZone is an explicit authorization assignment that allows a specific principal (user, group, or project) to perform particular actions (such as creating glossary terms, managing projects, or accessing resources) on governed resources within a certain scope (such as a Domain Unit or Project). Policy Grants are the mechanism by which DataZone enforces fine-grained, role-based access control beyond what is possible through AWS IAM alone. |
| Id | awscc.datazone.policy_grants |
Fields
get (all properties)
| Name | Datatype | Description |
|---|---|---|
| entity_type | string | |
| policy_type | string | |
| created_by | string | Specifies the user who created the policy grant member. |
| created_at | string | Specifies the timestamp at which the policy grant member was created. |
| grant_id | string | The unique identifier of the policy grant, returned by the AddPolicyGrant API. |
| entity_identifier | string | |
| detail | object | |
| principal | object | |
| domain_identifier | string | |
| region | string | AWS region. |
list (identifiers only)
| Name | Datatype | Description |
|---|---|---|
| entity_type | string | |
| policy_type | string | |
| grant_id | string | The unique identifier of the policy grant, returned by the AddPolicyGrant API. |
| entity_identifier | string | |
| domain_identifier | string | |
| region | string | AWS region. |
For more information, see AWS::DataZone::PolicyGrant.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | policy_grants | INSERT | DomainIdentifier, EntityIdentifier, EntityType, PolicyType, region |
delete_resource | policy_grants | DELETE | Identifier, region |
list_resources | policy_grants_list_only | SELECT | region |
get_resource | policy_grants | SELECT | Identifier, region |
SELECT examples
Gets all properties from an individual policy_grant.
SELECT
region,
entity_type,
policy_type,
created_by,
created_at,
grant_id,
entity_identifier,
detail,
principal,
domain_identifier
FROM awscc.datazone.policy_grants
WHERE
region = 'us-east-1' AND
Identifier = '{{ domain_identifier }}|{{ grant_id }}|{{ entity_identifier }}|{{ entity_type }}|{{ policy_type }}';
Lists all policy_grants in a region.
SELECT
region,
domain_identifier,
grant_id,
entity_identifier,
entity_type,
policy_type
FROM awscc.datazone.policy_grants_list_only
WHERE
region = 'us-east-1';
INSERT example
Use the following StackQL query and manifest file to create a new policy_grant resource, using stack-deploy.
Required Properties
/*+ create */
INSERT INTO awscc.datazone.policy_grants (
  EntityType,
  PolicyType,
  EntityIdentifier,
  DomainIdentifier,
  region
)
SELECT
  '{{ entity_type }}',
  '{{ policy_type }}',
  '{{ entity_identifier }}',
  '{{ domain_identifier }}',
  '{{ region }}';
All Properties
/*+ create */
INSERT INTO awscc.datazone.policy_grants (
  EntityType,
  PolicyType,
  EntityIdentifier,
  Detail,
  Principal,
  DomainIdentifier,
  region
)
SELECT
  '{{ entity_type }}',
  '{{ policy_type }}',
  '{{ entity_identifier }}',
  '{{ detail }}',
  '{{ principal }}',
  '{{ domain_identifier }}',
  '{{ region }}';
Manifest
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: policy_grant
    props:
      - name: entity_type
        value: '{{ entity_type }}'
      - name: policy_type
        value: '{{ policy_type }}'
      - name: entity_identifier
        value: '{{ entity_identifier }}'
      - name: detail
        value: null
      - name: principal
        value: null
      - name: domain_identifier
        value: '{{ domain_identifier }}'
DELETE example
/*+ delete */
DELETE FROM awscc.datazone.policy_grants
WHERE
Identifier = '{{ domain_identifier }}|{{ grant_id }}|{{ entity_identifier }}|{{ entity_type }}|{{ policy_type }}' AND
region = 'us-east-1';
Permissions
To operate on the policy_grants resource, the following permissions are required:
- Read: datazone:ListPolicyGrants
- Create: datazone:AddPolicyGrant, datazone:ListPolicyGrants
- List: datazone:ListPolicyGrants
- Delete: datazone:RemovePolicyGrant, datazone:ListPolicyGrants