Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save tinovyatkin/c43928ac4606a0d39b2008063436d9f5 to your computer and use it in GitHub Desktop.
Save tinovyatkin/c43928ac4606a0d39b2008063436d9f5 to your computer and use it in GitHub Desktop.
AWS IAM Policy JSON Schema
{
"type": "object",
"required": ["Statement"],
"additionalProperties": false,
"properties": {
"Version": {
"type": "string",
"enum": ["2008-10-17", "2012-10-17"]
},
"Id": {
"type": "string"
},
"Statement": {
"oneOf": [
{
"$ref": "#/definitions/Statement"
},
{
"type": "array",
"items": {
"$ref": "#/definitions/Statement"
}
}
]
}
},
"definitions": {
"aws-arn": {
"type": "string",
"pattern": "^arn:aws:[^:]+:[^:]*:(?:\\d{12}|\\*)?:.+$"
},
"aws-principal-arn": {
"type": "string",
"pattern": "^arn:aws:iam::\\d{12}:(?:root|user|group|role)"
},
"string-array": {
"type": "array",
"items": {
"type": "string"
}
},
"string-or-string-array": {
"anyOf": [
{
"type": "string"
},
{
"$ref": "#/definitions/string-array"
}
]
},
"wildcard": {
"const": "*"
},
"condition-set-value": {
"type": "object",
"additionalProperties": {
"$ref": "#/definitions/string-array"
}
},
"condition-value": {
"type": "object",
"additionalProperties": {
"anyOf": [
{ "$ref": "#/definitions/string-or-string-array" },
{ "type": "boolean" },
{ "type": "number" }
]
}
},
"Statement": {
"allOf": [
{
"oneOf": [{ "required": ["Action"] }, { "required": ["NotAction"] }]
},
{
"oneOf": [
{ "required": ["Resource"] },
{ "required": ["NotResource"] }
]
},
{
"type": "object",
"required": ["Effect"],
"additionalProperties": false,
"properties": {
"Sid": {
"type": "string"
},
"Effect": {
"type": "string",
"enum": ["Allow", "Deny"]
},
"Action": {
"$ref": "#/definitions/Action"
},
"NotAction": {
"$ref": "#/definitions/Action"
},
"Principal": {
"$ref": "#/definitions/Principal"
},
"NotPrincipal": {
"$ref": "#/definitions/Principal"
},
"Resource": {
"$ref": "#/definitions/Resource"
},
"NotResource": {
"$ref": "#/definitions/Resource"
},
"Condition": {
"$ref": "#/definitions/Condition"
}
}
}
]
},
"Action": {
"anyOf": [
{
"$ref": "#/definitions/wildcard"
},
{
"$ref": "#/definitions/string-or-string-array"
}
]
},
"Principal": {
"anyOf": [
{
"$ref": "#/definitions/wildcard"
},
{
"type": "object",
"properties": {
"AWS": {
"anyOf": [
{
"$ref": "#/definitions/wildcard"
},
{
"$ref": "#/definitions/aws-principal-arn"
},
{
"type": "array",
"items": {
"$ref": "#/definitions/aws-principal-arn"
}
}
]
},
"Federated": {
"$ref": "#/definitions/string-or-string-array"
},
"CanonicalUser": {
"$ref": "#/definitions/string-or-string-array"
}
}
}
]
},
"Resource": {
"anyOf": [
{
"$ref": "#/definitions/wildcard"
},
{
"$ref": "#/definitions/aws-arn"
},
{
"type": "array",
"items": {
"$ref": "#/definitions/aws-arn"
}
}
]
},
"Condition": {
"type": "object",
"properties": {
"Null": {
"type": "object",
"additionalProperties": {
"enum": ["true", "false", true, false]
}
},
"StringEquals": {
"$ref": "#/definitions/condition-value"
},
"StringNotEquals": {
"$ref": "#/definitions/condition-value"
},
"StringEqualsIgnoreCase": {
"$ref": "#/definitions/condition-value"
},
"StringNotEqualsIgnoreCase": {
"$ref": "#/definitions/condition-value"
},
"StringLike": {
"$ref": "#/definitions/condition-value"
},
"StringNotLike": {
"$ref": "#/definitions/condition-value"
},
"NumericEquals": {
"$ref": "#/definitions/condition-value"
},
"NumericNotEquals": {
"$ref": "#/definitions/condition-value"
},
"NumericLessThan": {
"$ref": "#/definitions/condition-value"
},
"NumericLessThanEquals": {
"$ref": "#/definitions/condition-value"
},
"NumericGreaterThan": {
"$ref": "#/definitions/condition-value"
},
"NumericGreaterThanEquals": {
"$ref": "#/definitions/condition-value"
},
"DateEquals": {
"$ref": "#/definitions/condition-value"
},
"DateNotEquals": {
"$ref": "#/definitions/condition-value"
},
"DateLessThan": {
"$ref": "#/definitions/condition-value"
},
"DateLessThanEquals": {
"$ref": "#/definitions/condition-value"
},
"DateGreaterThan": {
"$ref": "#/definitions/condition-value"
},
"DateGreaterThanEquals": {
"$ref": "#/definitions/condition-value"
},
"Bool": {
"$ref": "#/definitions/condition-value"
},
"BinaryEquals": {
"$ref": "#/definitions/condition-value"
},
"IpAddress": {
"$ref": "#/definitions/condition-value"
},
"NotIpAddress": {
"$ref": "#/definitions/condition-value"
},
"ArnEquals": {
"$ref": "#/definitions/condition-value"
},
"ArnNotEquals": {
"$ref": "#/definitions/condition-value"
},
"ArnLike": {
"$ref": "#/definitions/condition-value"
},
"ArnNotLike": {
"$ref": "#/definitions/condition-value"
},
"StringEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"StringNotEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"StringEqualsIgnoreCaseIfExists": {
"$ref": "#/definitions/condition-value"
},
"StringNotEqualsIgnoreCaseIfExists": {
"$ref": "#/definitions/condition-value"
},
"StringLikeIfExists": {
"$ref": "#/definitions/condition-value"
},
"StringNotLikeIfExists": {
"$ref": "#/definitions/condition-value"
},
"NumericEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"NumericNotEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"NumericLessThanIfExists": {
"$ref": "#/definitions/condition-value"
},
"NumericLessThanEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"NumericGreaterThanIfExists": {
"$ref": "#/definitions/condition-value"
},
"NumericGreaterThanEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"DateEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"DateNotEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"DateLessThanIfExists": {
"$ref": "#/definitions/condition-value"
},
"DateLessThanEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"DateGreaterThanIfExists": {
"$ref": "#/definitions/condition-value"
},
"DateGreaterThanEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"BoolIfExists": {
"$ref": "#/definitions/condition-value"
},
"BinaryEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"IpAddressIfExists": {
"$ref": "#/definitions/condition-value"
},
"NotIpAddressIfExists": {
"$ref": "#/definitions/condition-value"
},
"ArnEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"ArnNotEqualsIfExists": {
"$ref": "#/definitions/condition-value"
},
"ArnLikeIfExists": {
"$ref": "#/definitions/condition-value"
},
"ArnNotLikeIfExists": {
"$ref": "#/definitions/condition-value"
},
"ForAllValues:StringEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:StringNotEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:StringEqualsIgnoreCase": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:StringNotEqualsIgnoreCase": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:StringLike": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:StringNotLike": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:NumericEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:NumericNotEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:NumericLessThan": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:NumericLessThanEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:NumericGreaterThan": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:NumericGreaterThanEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:DateEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:DateNotEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:DateLessThan": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:DateLessThanEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:DateGreaterThan": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:DateGreaterThanEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:Bool": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:BinaryEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:IpAddress": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:NotIpAddress": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:ArnEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:ArnNotEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:ArnLike": {
"$ref": "#/definitions/condition-set-value"
},
"ForAllValues:ArnNotLike": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:StringEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:StringNotEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:StringEqualsIgnoreCase": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:StringNotEqualsIgnoreCase": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:StringLike": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:StringNotLike": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:NumericEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:NumericNotEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:NumericLessThan": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:NumericLessThanEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:NumericGreaterThan": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:NumericGreaterThanEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:DateEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:DateNotEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:DateLessThan": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:DateLessThanEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:DateGreaterThan": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:DateGreaterThanEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:Bool": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:BinaryEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:IpAddress": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:NotIpAddress": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:ArnEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:ArnNotEquals": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:ArnLike": {
"$ref": "#/definitions/condition-set-value"
},
"ForAnyValues:ArnNotLike": {
"$ref": "#/definitions/condition-set-value"
}
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment