IAM / Client / put_role_permissions_boundary



Adds or updates the policy that is specified as the IAM role’s permissions boundary. You can use an Amazon Web Services managed policy or a customer managed policy to set the boundary for a role. Use the boundary to control the maximum permissions that the role can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the role.

You cannot set the boundary for a service-linked role.


Policies used as permissions boundaries do not provide permissions. You must also attach a permissions policy to the role. To learn how the effective permissions for a role are evaluated, see IAM JSON policy evaluation logic in the IAM User Guide.

See also: AWS API Documentation

Request Syntax

response = client.put_role_permissions_boundary(
  • RoleName (string) –


    The name (friendly name, not ARN) of the IAM role for which you want to set the permissions boundary.

  • PermissionsBoundary (string) –


    The ARN of the managed policy that is used to set the permissions boundary for the role.

    A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. To learn more, see Permissions boundaries for IAM entities in the IAM User Guide.

    For more information about policy types, see Policy types in the IAM User Guide.




  • IAM.Client.exceptions.NoSuchEntityException

  • IAM.Client.exceptions.InvalidInputException

  • IAM.Client.exceptions.UnmodifiableEntityException

  • IAM.Client.exceptions.PolicyNotAttachableException

  • IAM.Client.exceptions.ServiceFailureException