Policy

The Policy resource lets you create and manage AWS IAM Policies that define permissions for AWS services and resources.

Minimal Example

Create a basic policy that allows reading and writing objects in an S3 bucket:

```ts
import { Policy } from "alchemy/aws";

// `bucket` is assumed to be a previously created bucket resource whose
// ARN is available as `bucket.arn`; the policy is scoped to that bucket only.
const s3Policy = await Policy("bucket-access", {
  policyName: "s3-bucket-access",
  document: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: [
        "s3:GetObject",
        "s3:PutObject"
      ],
      // Object-level actions need the "/*" suffix on the bucket ARN.
      Resource: `${bucket.arn}/*`
    }]
  }
});
```

Multiple Statements

Create a policy with multiple statements and conditions:

```ts
import { Policy } from "alchemy/aws";

// `api` and `vpc` are assumed to be previously created API Gateway and VPC
// resources exposing `executionArn`, `logGroupArn` and `id`.
const apiPolicy = await Policy("api-access", {
  policyName: "api-gateway-access",
  document: {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "InvokeAPI",
        Effect: "Allow",
        Action: "execute-api:Invoke",
        Resource: `${api.executionArn}/*`,
        // Only allow invocations that originate from the given VPC.
        Condition: {
          StringEquals: {
            "aws:SourceVpc": vpc.id
          }
        }
      },
      {
        Sid: "ReadLogs",
        Effect: "Allow",
        Action: [
          "logs:GetLogEvents",
          "logs:FilterLogEvents"
        ],
        // ":*" covers every log stream inside the API's log group.
        Resource: `${api.logGroupArn}:*`
      }
    ]
  },
  description: "Allows invoking API Gateway endpoints and reading logs",
  tags: {
    Service: "API Gateway",
    Environment: "production"
  }
});
```

Deny Policy

Create a policy that denies every action on resources tagged `Environment=production`:

```ts
import { Policy } from "alchemy/aws";

const denyPolicy = await Policy("deny-production", {
  policyName: "deny-production-access",
  document: {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Deny",
      Action: "*",
      Resource: "*",
      // The Deny only applies to requests that carry the resource tag; for
      // actions whose resource has no tags the key is absent and the
      // StringEquals condition does not match, so those requests are not denied.
      Condition: {
        StringEquals: {
          "aws:ResourceTag/Environment": "production"
        }
      }
    }]
  }
});
```
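Because the `document` passed to `Policy` is plain JSON, it can be checked before deployment. The following linter is an added example, not part of Alchemy or AWS; it assumes the `Statement` shape shown on this page and flags Allow statements that grant wildcard actions or resources, or use `NotAction`, and goes beyond the page's examples by handling both the string and array forms of `Action` and `Resource`.

```ts
// Added example (not part of Alchemy): lint an IAM policy document of the
// shape passed to Policy() and flag Allow statements that grant broad access.
type Statement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action?: string | string[];
  NotAction?: string | string[];
  Resource?: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};
type PolicyDocument = { Version: string; Statement: Statement[] };

// Normalise the string-or-array fields so every statement is checked the same way.
const asList = (v?: string | string[]): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Returns one finding per problem; an empty array means nothing was flagged.
function lintPolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  if (doc.Version !== "2012-10-17") {
    findings.push(`Version "${doc.Version}" is not "2012-10-17"`);
  }
  doc.Statement.forEach((s, i) => {
    const id = s.Sid ?? `Statement[${i}]`;
    // Deny statements only take permissions away, so they are never flagged.
    if (s.Effect !== "Allow") return;
    const actions = asList(s.Action);
    const hasCondition = Object.keys(s.Condition ?? {}).length > 0;
    const wildcardAction = actions.some((a) => a === "*" || a.endsWith(":*"));
    const wildcardResource = asList(s.Resource).includes("*");
    if (s.NotAction !== undefined) {
      findings.push(`${id}: Allow with NotAction grants every action not listed`);
    }
    if (wildcardAction && wildcardResource) {
      findings.push(`${id}: wildcard Action on Resource "*" is full access`);
    } else if (wildcardResource && !hasCondition) {
      findings.push(`${id}: Resource "*" with no Condition to scope it`);
    } else if (wildcardAction) {
      findings.push(`${id}: wildcard Action (${actions.join(", ")})`);
    }
  });
  return findings;
}

// Constructed sample: the page's deny statement is clean, the broad Allow is flagged.
const broadDocument: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "TooBroad", Effect: "Allow", Action: "s3:*", Resource: "*" },
    { Effect: "Deny", Action: "*", Resource: "*", Condition: { StringEquals: { "aws:ResourceTag/Environment": "production" } } },
  ],
};
console.log(lintPolicy(broadDocument));
```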