SimulatePrincipalPolicy
Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and Astran resources to determine the policies' effective permissions. The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to. You can simulate resources that don't exist in your account.
The simulation does not perform the API operations; it only checks the authorization to determine if the simulated policies allow or deny the operations.
Context keys are variables maintained by Astran and its services that provide details about the context of an API query request. You can use the Condition element of an IAM policy to evaluate context keys.
Permissions
| Action | Description | Resource |
|---|---|---|
| SimulatePrincipalPolicy | Grants permission to simulate whether an identity-based policy that is attached to a specified IAM entity (user or role) provides permissions for specific API operations and resources | user, group or role |
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
ActionNames.member.N
A list of names of API operations to evaluate in the simulation. Each operation is evaluated for each resource. Each operation must include the service identifier, such as iam:CreateUser.
Type: Array of strings
Length Constraints: Minimum length of 3. Maximum length of 128.
Required: Yes
PolicySourceArn
The Amazon Resource Name (ARN) of a user, group, or role whose policies you want to include in the simulation. If you specify a user, group, or role, the simulation includes all policies that are associated with that entity. If you specify a user, the simulation also includes all policies that are attached to any groups the user belongs to.
Type: String
Length Constraints: Minimum length of 20. Maximum length of 2048.
Required: Yes
ResourceArns.member.N
A list of ARNs of AWS resources to include in the simulation. If this parameter is not provided, then the value defaults to * (all resources). Each API in the ActionNames parameter is evaluated for each resource in this list. The simulation determines the access result (allowed or denied) of each combination and reports it in the response. You can simulate resources that don't exist in your account.
Type: Array of strings
Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: No
Response Elements
The following elements are returned by the service.
EvaluationResults.member.N
The results of the simulation.
Type: Array of EvaluationResult objects
Errors
InvalidInput
The request was rejected because an invalid or out-of-range value was supplied for an input parameter.
HTTP Status Code: 400
NoSuchEntity
The request was rejected because it referenced a resource entity that does not exist. The error message describes the resource.
HTTP Status Code: 404
PolicyEvaluation
The request failed because a provided policy could not be successfully evaluated. An additional detailed message indicates the source of the failure.
HTTP Status Code: 500
Examples
Example: Simulating a Policy
This example simulates calling the Amazon S3 API operations GetObject, PutObject, and DeleteObject for a specific S3 bucket. The simulation includes all policies that are attached to the user Jill. In this example, the user Jill has only the managed policy "AmazonS3ReadOnlyAccess" attached. Note that all parameters are shown in unencoded form here for clarity but must be URL encoded to be included as part of a real HTTP request. In the results, the simulation shows that Jill can read from the bucket because of the managed policy attached to the user. However, she can neither delete nor add files to the bucket, because no policy grants those actions and the default decision is implicitDeny.
https://<partition>.iam.astran.io/?Action=SimulatePrincipalPolicy
&ActionNames.member.1=s3:PutObject
&ActionNames.member.2=s3:GetObject
&ActionNames.member.3=s3:DeleteObject
&ResourceArns.member.1=arn:aws:s3:::my-test-bucket
&PolicySourceArn=arn:aws:iam:::user/Jill
&Version=2010-05-08
&AUTHPARAMS
<SimulatePrincipalPolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<SimulatePrincipalPolicyResult>
<IsTruncated>false</IsTruncated>
<EvaluationResults>
<member>
<EvalResourceName>arn:aws:s3:::my-test-bucket</EvalResourceName>
<EvalDecision>implicitDeny</EvalDecision>
<EvalActionName>s3:PutObject</EvalActionName>
</member>
<member>
<EvalResourceName>arn:aws:s3:::my-test-bucket</EvalResourceName>
<EvalDecision>allowed</EvalDecision>
<EvalActionName>s3:GetObject</EvalActionName>
</member>
<member>
<EvalResourceName>arn:aws:s3:::my-test-bucket</EvalResourceName>
<EvalDecision>implicitDeny</EvalDecision>
<EvalActionName>s3:DeleteObject</EvalActionName>
</member>
</EvaluationResults>
</SimulatePrincipalPolicyResult>
<ResponseMetadata>
<RequestId>004d7059-4c14-11e5-b121-bd8c7EXAMPLE</RequestId>
</ResponseMetadata>
</SimulatePrincipalPolicyResponse>
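The following is an added example, not code from the reference page or from the Astran/AWS SDKs. It builds the URL-encoded query string the Request Parameters section describes (numbering ActionNames.member.N and ResourceArns.member.N from 1, leaving the signature out), parses a SimulatePrincipalPolicyResponse document into a decision table, and checks that table against the set of (action, resource) pairs a principal is expected to have, so that any "allowed" result outside that set surfaces as a least-privilege finding. The endpoint string is taken from the page's example URL with its placeholder partition, and the response document is the page's own sample embedded as constructed input so the code runs offline.

```python
"""Build a SimulatePrincipalPolicy request and parse its XML response.

Added example, not part of the reference page. The sample response below
is the page's own example, embedded here as constructed input.
"""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Namespace used by the response document on the page.
IAM_NS = "{https://iam.amazonaws.com/doc/2010-05-08/}"
# Assumed endpoint: the page's example URL, partition left as a placeholder.
ENDPOINT = "https://<partition>.iam.astran.io/"

# Constructed input: the page's sample response, verbatim.
SAMPLE_RESPONSE = """<SimulatePrincipalPolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<SimulatePrincipalPolicyResult>
<IsTruncated>false</IsTruncated>
<EvaluationResults>
<member>
<EvalResourceName>arn:aws:s3:::my-test-bucket</EvalResourceName>
<EvalDecision>implicitDeny</EvalDecision>
<EvalActionName>s3:PutObject</EvalActionName>
</member>
<member>
<EvalResourceName>arn:aws:s3:::my-test-bucket</EvalResourceName>
<EvalDecision>allowed</EvalDecision>
<EvalActionName>s3:GetObject</EvalActionName>
</member>
<member>
<EvalResourceName>arn:aws:s3:::my-test-bucket</EvalResourceName>
<EvalDecision>implicitDeny</EvalDecision>
<EvalActionName>s3:DeleteObject</EvalActionName>
</member>
</EvaluationResults>
</SimulatePrincipalPolicyResult>
<ResponseMetadata>
<RequestId>004d7059-4c14-11e5-b121-bd8c7EXAMPLE</RequestId>
</ResponseMetadata>
</SimulatePrincipalPolicyResponse>"""


def build_request(policy_source_arn, action_names, resource_arns=None):
    """Return the URL-encoded query string for a SimulatePrincipalPolicy call.

    List members are numbered from 1 (ActionNames.member.1, ...), as the
    reference shows. The AUTHPARAMS signature is omitted; an SDK or signing
    library adds it.
    """
    params = {
        "Action": "SimulatePrincipalPolicy",
        "Version": "2010-05-08",
        "PolicySourceArn": policy_source_arn,
    }
    for i, action in enumerate(action_names, start=1):
        params[f"ActionNames.member.{i}"] = action
    for i, arn in enumerate(resource_arns or [], start=1):
        params[f"ResourceArns.member.{i}"] = arn
    # urlencode percent-encodes ':' and '/' so ARNs survive as one value each.
    return ENDPOINT + "?" + urlencode(params)


def parse_evaluation_results(xml_text):
    """Map (action, resource) -> EvalDecision from a response document.

    Only <member> elements that carry all three Eval* children are kept, so
    nested members (e.g. matched statements in a fuller response) are ignored.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for member in root.iter(IAM_NS + "member"):
        action = member.findtext(IAM_NS + "EvalActionName")
        resource = member.findtext(IAM_NS + "EvalResourceName")
        decision = member.findtext(IAM_NS + "EvalDecision")
        if action and resource and decision:
            results[(action, resource)] = decision
    return results


def unexpected_allows(results, expected_allowed):
    """Return (action, resource) pairs allowed beyond the expected set.

    Least-privilege check: every 'allowed' result that is not in
    expected_allowed is a finding to review. Denies are never findings here.
    """
    return sorted(
        key for key, decision in results.items()
        if decision == "allowed" and key not in expected_allowed
    )


if __name__ == "__main__":
    print(build_request("arn:aws:iam:::user/Jill",
                        ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                        ["arn:aws:s3:::my-test-bucket"]))
    table = parse_evaluation_results(SAMPLE_RESPONSE)
    for (action, resource), decision in sorted(table.items()):
        print(f"{action:18} {resource:30} {decision}")
    expected = {("s3:GetObject", "arn:aws:s3:::my-test-bucket")}
    print("unexpected allows:", unexpected_allows(table, expected))
```

For Jill, whose only policy is read-only, the expected set contains just s3:GetObject on the bucket, so the check reports nothing; running the same check with an empty expected set reports the GetObject grant, which is how the function would flag a principal that had been given more than intended.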
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: