AWS::DataZone::PolicyGrant

DataZone PolicyGrant

Policy Grant in AWS DataZone is an explicit authorization assignment that allows a specific principal (user, group, or project) to perform particular actions (such as creating glossary terms, managing projects, or accessing resources) on governed resources within a certain scope (like a Domain Unit or Project). Policy Grants are essentially the mechanism by which DataZone enforces fine-grained, role-based access control beyond what is possible through AWS IAM alone.

Properties

6 configurable properties. 4 required. Click a row to see details.

Filter:

Property	Type	Flags
`DomainIdentifier`	`string`	RequiredCreate-only
`EntityIdentifier`	`string`	RequiredCreate-only
`EntityType`	`string`	RequiredCreate-only
`PolicyType`	`string`	RequiredCreate-only
`Detail`	`PolicyGrantDetail`	Create-only
`Principal`	`PolicyGrantPrincipal`	Create-only

Return Values

Values returned after the resource is created. Access these with Fn::GetAtt.

Attribute	Type	Description
`CreatedAt`	`string`	Specifies the timestamp at which policy grant member was created.
`CreatedBy`	`string`	Specifies the user who created the policy grant member.
`GrantId`	`string`	The unique identifier of the policy grant returned by the AddPolicyGrant API

Sample CloudFormation Template

A minimal template with required properties and common optional ones.

template.yaml

AWSTemplateFormatVersion: "2010-09-09"
Description: Sample template for AWS::DataZone::PolicyGrant

Resources:
  MyResource:
    Type: AWS::DataZone::PolicyGrant
    Properties:
      DomainIdentifier: "my-domainidentifier"
      EntityIdentifier: "my-entityidentifier"
      EntityType: "value"
      PolicyType: "value"

Required IAM Permissions

Permissions CloudFormation needs in your IAM role to manage this resource.

create

datazone:AddPolicyGrantdatazone:ListPolicyGrants

read

datazone:ListPolicyGrants

delete

datazone:RemovePolicyGrantdatazone:ListPolicyGrants

list

datazone:ListPolicyGrants

Learn AWS the Practical Way

Our bi-weekly newsletter teaches hands-on AWS fundamentals. No certification fluff - just practical knowledge.

Subscribe to Newsletter

Quick Facts

ServiceDataZone

Properties9

Required4

TaggingNot supported

Primary IDDomainIdentifier

Supported Operations

CreateReadDeleteList

Immutable After Creation

These properties cannot be changed after the resource is created. Updating them triggers a replacement.

DetailDomainIdentifierEntityIdentifierEntityTypePolicyTypePrincipal

Related Resources

External Links

AWS Documentation