Organizations / Client / create_policy
create_policy#
- Organizations.Client.create_policy(**kwargs)#
Creates a policy of a specified type that you can attach to a root, an organizational unit (OU), or an individual Amazon Web Services account.
For more information about policies and their use, see Managing Organizations policies.
If the request includes tags, then the requester must have the
organizations:TagResource
permission.This operation can be called only from the organization’s management account or by a member account that is a delegated administrator for an Amazon Web Services service.
See also: AWS API Documentation
Request Syntax
response = client.create_policy( Content='string', Description='string', Name='string', Type='SERVICE_CONTROL_POLICY'|'TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY', Tags=[ { 'Key': 'string', 'Value': 'string' }, ] )
- Parameters:
Content (string) –
[REQUIRED]
The policy text content to add to the new policy. The text that you supply must adhere to the rules of the policy type you specify in the
Type
parameter.The maximum size of a policy document depends on the policy’s type. For more information, see Maximum and minimum values in the Organizations User Guide.
Description (string) –
[REQUIRED]
An optional description to assign to the policy.
Name (string) –
[REQUIRED]
The friendly name to assign to the policy.
The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.
Type (string) –
[REQUIRED]
The type of policy to create. You can specify one of the following values:
Tags (list) –
A list of tags that you want to attach to the newly created policy. For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can’t set it to
null
. For more information about tagging, see Tagging Organizations resources in the Organizations User Guide.Note
If any one of the tags is not valid or if you exceed the allowed number of tags for a policy, then the entire request fails and the policy is not created.
(dict) –
A custom key-value pair associated with a resource within your organization.
You can attach tags to any of the following organization resources.
Amazon Web Services account
Organizational unit (OU)
Organization root
Policy
Key (string) – [REQUIRED]
The key identifier, or name, of the tag.
Value (string) – [REQUIRED]
The string value that’s associated with the key of the tag. You can set the value of a tag to an empty string, but you can’t set the value of a tag to null.
- Return type:
dict
- Returns:
Response Syntax
{ 'Policy': { 'PolicySummary': { 'Id': 'string', 'Arn': 'string', 'Name': 'string', 'Description': 'string', 'Type': 'SERVICE_CONTROL_POLICY'|'TAG_POLICY'|'BACKUP_POLICY'|'AISERVICES_OPT_OUT_POLICY', 'AwsManaged': True|False }, 'Content': 'string' } }
Response Structure
(dict) –
Policy (dict) –
A structure that contains details about the newly created policy.
PolicySummary (dict) –
A structure that contains additional details about the policy.
Id (string) –
The unique identifier (ID) of the policy.
The regex pattern for a policy ID string requires “p-” followed by from 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).
Arn (string) –
The Amazon Resource Name (ARN) of the policy.
For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the Amazon Web Services Service Authorization Reference.
Name (string) –
The friendly name of the policy.
The regex pattern that is used to validate this parameter is a string of any of the characters in the ASCII character range.
Description (string) –
The description of the policy.
Type (string) –
The type of policy.
AwsManaged (boolean) –
A boolean value that indicates whether the specified policy is an Amazon Web Services managed policy. If true, then you can attach the policy to roots, OUs, or accounts, but you cannot edit it.
Content (string) –
The text content of the policy.
Exceptions
Organizations.Client.exceptions.AccessDeniedException
Organizations.Client.exceptions.AWSOrganizationsNotInUseException
Organizations.Client.exceptions.ConcurrentModificationException
Organizations.Client.exceptions.ConstraintViolationException
Organizations.Client.exceptions.DuplicatePolicyException
Organizations.Client.exceptions.InvalidInputException
Organizations.Client.exceptions.MalformedPolicyDocumentException
Organizations.Client.exceptions.PolicyTypeNotAvailableForOrganizationException
Organizations.Client.exceptions.ServiceException
Organizations.Client.exceptions.TooManyRequestsException
Organizations.Client.exceptions.UnsupportedAPIEndpointException
Examples
The following example shows how to create a service control policy (SCP) that is named AllowAllS3Actions. The JSON string in the content parameter specifies the content in the policy. The parameter string is escaped with backslashes to ensure that the embedded double quotes in the JSON policy are treated as literals in the parameter, which itself is surrounded by double quotes:
response = client.create_policy( Content='{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\"}}', Description='Enables admins of attached accounts to delegate all S3 permissions', Name='AllowAllS3Actions', Type='SERVICE_CONTROL_POLICY', ) print(response)
Expected Output:
{ 'Policy': { 'Content': '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"s3:*"}}', 'PolicySummary': { 'Arn': 'arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111', 'Description': 'Allows delegation of all S3 actions', 'Name': 'AllowAllS3Actions', 'Type': 'SERVICE_CONTROL_POLICY', }, }, 'ResponseMetadata': { '...': '...', }, }