access_policies

Creates, updates, deletes or gets an access_policy resource or lists access_policies in a region

Overview

Name	`access_policies`
Type	Resource
Description	Resource schema for AWS::IoTSiteWise::AccessPolicy
Id	`awscc.iotsitewise.access_policies`

Fields

get (all properties)
list (identifiers only)

Name	Datatype	Description
`access_policy_id`	`string`	The ID of the access policy.
`access_policy_arn`	`string`	The ARN of the access policy.
▶`access_policy_identity`	`object`	The identity for this access policy. Choose either a user or a group but not both.
`access_policy_permission`	`string`	The permission level for this access policy. Valid values are ADMINISTRATOR or VIEWER.
▶`access_policy_resource`	`object`	The AWS IoT SiteWise Monitor resource for this access policy. Choose either portal or project but not both.
`region`	`string`	AWS region.

Name	Datatype	Description
`access_policy_id`	`string`	The ID of the access policy.
`region`	`string`	AWS region.

For more information, see AWS::IoTSiteWise::AccessPolicy.

Methods

Name	Resource	Accessible by	Required Params
`create_resource`	`access_policies`	`INSERT`	`AccessPolicyIdentity, AccessPolicyPermission, AccessPolicyResource, region`
`delete_resource`	`access_policies`	`DELETE`	`Identifier, region`
`update_resource`	`access_policies`	`UPDATE`	`Identifier, PatchDocument, region`
`list_resources`	`access_policies_list_only`	`SELECT`	`region`
`get_resource`	`access_policies`	`SELECT`	`Identifier, region`

`SELECT` examples

get (all properties)
list (identifiers only)

Gets all properties from an individual access_policy.

SELECT
  region,
  access_policy_id,
  access_policy_arn,
  access_policy_identity,
  access_policy_permission,
  access_policy_resource
FROM awscc.iotsitewise.access_policies
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ access_policy_id }}';

Lists all access_policies in a region.

SELECT
  region,
  access_policy_id
FROM awscc.iotsitewise.access_policies_list_only
WHERE
  region = '{{ region }}';

`INSERT` example

Use the following StackQL query and manifest file to create a new access_policy resource, using stack-deploy.

Required Properties
All Properties
Manifest

/*+ create */
INSERT INTO awscc.iotsitewise.access_policies (
  AccessPolicyIdentity,
  AccessPolicyPermission,
  AccessPolicyResource,
  region
)
SELECT
  '{{ access_policy_identity }}',
  '{{ access_policy_permission }}',
  '{{ access_policy_resource }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

/*+ create */
INSERT INTO awscc.iotsitewise.access_policies (
  AccessPolicyIdentity,
  AccessPolicyPermission,
  AccessPolicyResource,
  region
)
SELECT
  '{{ access_policy_identity }}',
  '{{ access_policy_permission }}',
  '{{ access_policy_resource }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
  value: '{{ vars.AWS_REGION }}'
resources:
- name: access_policy
  props:
    - name: access_policy_identity
      value:
        user:
          id: '{{ id }}'
        iam_user:
          arn: '{{ arn }}'
        iam_role:
          arn: '{{ arn }}'
    - name: access_policy_permission
      value: '{{ access_policy_permission }}'
    - name: access_policy_resource
      value:
        portal:
          portal_auth_mode: '{{ portal_auth_mode }}'
          portal_contact_email: '{{ portal_contact_email }}'
          portal_description: '{{ portal_description }}'
          portal_name: '{{ portal_name }}'
          portal_type: '{{ portal_type }}'
          portal_type_configuration: {}
          role_arn: '{{ role_arn }}'
          notification_sender_email: '{{ notification_sender_email }}'
          alarms:
            alarm_role_arn: '{{ alarm_role_arn }}'
            notification_lambda_arn: '{{ notification_lambda_arn }}'
          tags:
            - key: '{{ key }}'
              value: '{{ value }}'
        project:
          portal_id: '{{ portal_id }}'
          project_name: '{{ project_name }}'
          project_description: '{{ project_description }}'
          asset_ids:
            - '{{ asset_ids[0] }}'
          tags:
            - null

`UPDATE` example

Use the following StackQL query and manifest file to update a access_policy resource, using stack-deploy.

/*+ update */
UPDATE awscc.iotsitewise.access_policies
SET PatchDocument = string('{{ {
    "AccessPolicyIdentity": access_policy_identity,
    "AccessPolicyPermission": access_policy_permission,
    "AccessPolicyResource": access_policy_resource
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ access_policy_id }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

`DELETE` example

/*+ delete */
DELETE FROM awscc.iotsitewise.access_policies
WHERE
  Identifier = '{{ access_policy_id }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

Parameter	Description
`ClientToken`	A unique identifier to ensure the idempotency of the resource request. This allows the provider to accurately distinguish between retries and new requests. A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request.
`RoleArn`	The ARN of the IAM role used to perform this resource operation. The role specified must have the permissions required for this operation. If you do not specify a role, a temporary session is created using your AWS user credentials.
`TypeVersionId`	For private resource types, the type version to use in this resource operation. If you do not specify a resource version, the default version is used.

Permissions

To operate on the access_policies resource, the following permissions are required:

Create
Read
Update
Delete
List

iotsitewise:CreateAccessPolicy

iotsitewise:DescribeAccessPolicy

iotsitewise:DescribeAccessPolicy,
iotsitewise:UpdateAccessPolicy

iotsitewise:DescribeAccessPolicy,
iotsitewise:DeleteAccessPolicy

iotsitewise:ListAccessPolicies,
iotsitewise:ListProjects,
iotsitewise:ListPortals

Overview​

Fields​

Methods​

SELECT examples​

INSERT example​

UPDATE example​

DELETE example​

Additional Parameters​

Permissions​