PutResourcePermissionStatement
Creates a permission statement in the account's AWS Sign-In resource-based policy that specifies under what conditions principals can access AWS resources. Conditions can scope access by source VPC, source VPC endpoint, source IP, or excluded principal.
Request Syntax
{
"clientToken": "string",
"consoleSourceVpce": "string",
"excludedPrincipal": "string",
"requestedRegion": "string",
"signinSourceVpce": "string",
"sourceIp": "string",
"sourceVpc": "string",
"vpcSourceIp": "string"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- clientToken
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. If not provided, the AWS SDK will automatically generate one for you.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 64.
Pattern:
[!-~]+
Required: No
- consoleSourceVpce
The AWS Management Console VPC endpoint identifier from which access is allowed. See aws:SourceVpce for more details.
Type: String
Pattern:
vpce-[a-z0-9]{8,20}
Required: No
- excludedPrincipal
The principal ARN that is excluded from policy evaluation. When a principal matching this ARN attempts to access an AWS resource, the resource-based policy is not evaluated.
Type: String
Length Constraints: Minimum length of 20. Maximum length of 2048.
Pattern:
arn:aws:((iam::[0-9]{12}:role/[a-zA-Z0-9_+=,.@-]{1,64})|(iam::[0-9]{12}:user/[a-zA-Z0-9_+=,.@-]{1,64})|(sts::[0-9]{12}:federated-user/[a-zA-Z0-9_+=,.@-]{2,193})|(iam::[0-9]{12}:root))
Required: No
- requestedRegion
The AWS Region where the VPC resides. Required when sourceVpc is provided.
Type: String
Pattern:
[a-z]{2}(-[a-z]+)+-\d+
Required: No
- signinSourceVpce
The AWS Sign-In VPC endpoint identifier from which access is allowed. See aws:SourceVpce for more details.
Type: String
Pattern:
vpce-[a-z0-9]{8,20}
Required: No
- sourceIp
The IP address outside a VPC from which access is allowed. See aws:SourceIp for more details.
Type: String
Required: No
- sourceVpc
The VPC identifier from which access is allowed. See aws:SourceVpc for more details.
Type: String
Pattern:
vpc-([0-9a-f]{8}|[0-9a-f]{17})
Required: No
- vpcSourceIp
The IP address in a VPC from which access is allowed. See aws:VpcSourceIp for more details.
Type: String
Required: No
Response Syntax
{
"statementId": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- statementId
The unique identifier of the created permission statement.
Type: String
Pattern:
[A-Za-z0-9+/]{64}=?
Errors
For information about the errors that are common to all actions, see Common Error Types.
- AccessDeniedException
You do not have sufficient access to perform this action.
HTTP Status Code: 400
- ConflictException
The request conflicts with the current state of the resource. For example, this exception is thrown when a client provides the same ClientToken for requests with differing parameter values, or the same parameter values with a different ClientToken, within the expiration window.
HTTP Status Code: 400
- InternalServerException
The request processing has failed because of an unknown error, exception or failure with an internal server.
HTTP Status Code: 500
- ServiceQuotaExceededException
The request would cause a service quota to be exceeded.
HTTP Status Code: 400
- TooManyRequestsError
The request was denied due to rate limiting.
HTTP Status Code: 400
- ValidationException
The request failed because it contains a syntax error.
HTTP Status Code: 400
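The following is an added example and is not part of the AWS reference page or of any AWS SDK. It applies the request-parameter constraints listed above (the documented patterns, the length limits, and the rule that requestedRegion is required whenever sourceVpc is given) on the client side, so that a malformed body is rejected locally rather than coming back as a ValidationException, and it generates a clientToken within the documented [!-~] and 64-character constraints for the idempotency behaviour described under ConflictException. Treating sourceIp and vpcSourceIp as an IP address or CIDR block is this example's assumption (the page gives no pattern for them), and every identifier in the sample calls is a constructed value, not a real resource.

```python
import ipaddress
import re
import secrets

# Patterns and length constraints copied from the PutResourcePermissionStatement
# request-parameter reference. sourceIp and vpcSourceIp carry no pattern on the
# page; parsing them as an IP address or CIDR block is this example's assumption.
PATTERNS = {
    "clientToken": r"[!-~]+",
    "consoleSourceVpce": r"vpce-[a-z0-9]{8,20}",
    "excludedPrincipal": (
        r"arn:aws:((iam::[0-9]{12}:role/[a-zA-Z0-9_+=,.@-]{1,64})"
        r"|(iam::[0-9]{12}:user/[a-zA-Z0-9_+=,.@-]{1,64})"
        r"|(sts::[0-9]{12}:federated-user/[a-zA-Z0-9_+=,.@-]{2,193})"
        r"|(iam::[0-9]{12}:root))"
    ),
    "requestedRegion": r"[a-z]{2}(-[a-z]+)+-\d+",
    "signinSourceVpce": r"vpce-[a-z0-9]{8,20}",
    "sourceVpc": r"vpc-([0-9a-f]{8}|[0-9a-f]{17})",
}
LENGTHS = {"clientToken": (1, 64), "excludedPrincipal": (20, 2048)}
IP_FIELDS = {"sourceIp", "vpcSourceIp"}
KNOWN_FIELDS = set(PATTERNS) | IP_FIELDS


def new_client_token():
    """Generate an idempotency token that satisfies the documented constraints.

    token_urlsafe emits only [A-Za-z0-9_-], a subset of [!-~]; 32 random bytes
    encode to 43 characters, below the 64-character maximum.
    """
    return secrets.token_urlsafe(32)


def _check_ip(value):
    # Assumption: the field holds an IPv4/IPv6 address or CIDR block.
    try:
        ipaddress.ip_network(value, strict=False)
    except ValueError:
        return f"{value!r} is not an IP address or CIDR block"
    return None


def validate_request(request):
    """Return the list of constraint violations in a request body.

    An empty list means every constraint stated on the reference page holds.
    """
    errors = []
    for name, value in request.items():
        if name not in KNOWN_FIELDS:
            errors.append(f"unknown parameter: {name}")
            continue
        if not isinstance(value, str):
            errors.append(f"{name} must be a string")
            continue
        if name in LENGTHS:
            low, high = LENGTHS[name]
            if not low <= len(value) <= high:
                errors.append(f"{name} length {len(value)} outside {low}..{high}")
                continue
        if name in IP_FIELDS:
            problem = _check_ip(value)
            if problem:
                errors.append(f"{name}: {problem}")
        elif not re.fullmatch(PATTERNS[name], value):
            errors.append(f"{name} does not match pattern {PATTERNS[name]}")
    # Cross-field rule from the page: requestedRegion is required with sourceVpc.
    if "sourceVpc" in request and "requestedRegion" not in request:
        errors.append("requestedRegion is required when sourceVpc is provided")
    return errors


def build_request(**conditions):
    """Assemble a request body with a fresh clientToken.

    Raises ValueError on any violation instead of letting the service answer
    with a ValidationException.
    """
    body = {"clientToken": new_client_token(), **conditions}
    problems = validate_request(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body


if __name__ == "__main__":
    # Constructed sample values, not real resource identifiers.
    print(build_request(sourceVpc="vpc-0123456789abcdef0",
                        requestedRegion="us-east-1",
                        excludedPrincipal="arn:aws:iam::123456789012:role/BreakGlass"))
    print(validate_request({"sourceVpc": "vpc-0123456789abcdef0"}))
```

Because the token is created once per logical request and reused on retries, a retried call carries the same ClientToken and the same parameter values, which is the combination the ConflictException text describes as accepted; generating a new token for a retry with identical values, or reusing a token with changed values, is what produces the conflict.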
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: