Versions in this module Expand all Collapse all v3 v3.8.0 May 1, 2026 Changes in this version + const AbortMultipartUploadAction + const AddUserToGroupAdminAction + const AllActions + const AllAdminActions + const AllKMSActions + const AllS3TablesActions + const AllS3VectorsActions + const AllSTSActions + const AssumeRoleAction + const AssumeRoleLDAPIdentityAction + const AssumeRoleWithClientCertificateAction + const AssumeRoleWithClientGrantsAction + const AssumeRoleWithCustomTokenAction + const AssumeRoleWithWebIdentityAction + const AttachPolicyAdminAction + const BandwidthMonitorAction + const BypassGovernanceRetentionAction + const CancelBatchJobAction + const ChangeMyPasswordAdminAction + const ClusterInfoAction + const ConfigUpdateAdminAction + const ConsoleLogAdminAction + const CreateBucketAction + const CreatePolicyAdminAction + const CreateServiceAccountAdminAction + const CreateSessionAction + const CreateUserAdminAction + const DataUsageInfoAdminAction + const DecommissionAdminAction + const DefaultVersion + const DeleteBucketAction + const DeleteBucketCorsAction + const DeleteBucketPolicyAction + const DeleteObjectAction + const DeleteObjectTaggingAction + const DeleteObjectVersionAction + const DeleteObjectVersionTaggingAction + const DeletePolicyAdminAction + const DeleteUserAdminAction + const DeltaSharingAdminAction + const DeltaSharingCreateShareAction + const DeltaSharingCreateTokenAction + const DeltaSharingDeleteShareAction + const DeltaSharingDeleteTokenAction + const DeltaSharingGetShareAction + const DeltaSharingListSharesAction + const DeltaSharingListTokensAction + const DeltaSharingUpdateShareAction + const DescribeBatchJobAction + const DisableGroupAdminAction + const DisableUserAdminAction + const DriveInfoAction + const DriveListAction + const EnableGroupAdminAction + const EnableUserAdminAction + const ExportBucketMetadataAction + const ExportIAMAction + const ForceDeleteBucketAction + const ForceUnlockAdminAction + const 
GenerateBatchJobAction + const GetBucketCorsAction + const GetBucketEncryptionAction + const GetBucketLifecycleAction + const GetBucketLocationAction + const GetBucketNotificationAction + const GetBucketObjectLockConfigurationAction + const GetBucketPolicyAction + const GetBucketPolicyStatusAction + const GetBucketQOSAction + const GetBucketQuotaAdminAction + const GetBucketTaggingAction + const GetBucketTargetAction + const GetBucketVersioningAction + const GetGroupAdminAction + const GetInventoryConfigurationAction + const GetObjectAction + const GetObjectAttributesAction + const GetObjectLegalHoldAction + const GetObjectRetentionAction + const GetObjectTaggingAction + const GetObjectVersionAction + const GetObjectVersionAttributesAction + const GetObjectVersionForReplicationAction + const GetObjectVersionTaggingAction + const GetPolicyAdminAction + const GetReplicationConfigurationAction + const GetUserAdminAction + const HeadBucketAction + const HealAdminAction + const HealthInfoAdminAction + const ImportBucketMetadataAction + const ImportIAMAction + const InspectDataAction + const InventoryControlAction + const KMSAPIAction + const KMSAssignPolicyAction + const KMSAuditLogAction + const KMSBackupAdminAction + const KMSCreateKeyAction + const KMSCreateKeyAdminAction + const KMSDeleteIdentityAction + const KMSDeleteKeyAction + const KMSDeletePolicyAction + const KMSDescribeIdentityAction + const KMSDescribePolicyAction + const KMSDescribeSelfIdentityAction + const KMSEnableAdminAction + const KMSErrorLogAction + const KMSGetPolicyAction + const KMSImportKeyAction + const KMSKeyRotateAdminAction + const KMSKeyStatusAction + const KMSKeyStatusAdminAction + const KMSListIdentitiesAction + const KMSListKeysAction + const KMSListPoliciesAction + const KMSMetricsAction + const KMSRestoreAdminAction + const KMSSetPolicyAction + const KMSStatusAction + const KMSVersionAction + const LicenseInfoAdminAction + const ListAllMyBucketsAction + const ListBatchJobsAction + 
const ListBucketAction + const ListBucketMultipartUploadsAction + const ListBucketVersionsAction + const ListGroupsAdminAction + const ListMultipartUploadPartsAction + const ListServiceAccountsAdminAction + const ListTemporaryAccountsAdminAction + const ListTierAction + const ListUserPoliciesAdminAction + const ListUsersAdminAction + const ListenBucketNotificationAction + const ListenNotificationAction + const NodeInfoAction + const NodeListAction + const PolicyName + const PoolInfoAction + const PoolListAction + const ProfilingAdminAction + const PrometheusAdminAction + const PutBucketCorsAction + const PutBucketEncryptionAction + const PutBucketLifecycleAction + const PutBucketNotificationAction + const PutBucketObjectLockConfigurationAction + const PutBucketPolicyAction + const PutBucketQOSAction + const PutBucketTaggingAction + const PutBucketVersioningAction + const PutInventoryConfigurationAction + const PutObjectAction + const PutObjectFanOutAction + const PutObjectLegalHoldAction + const PutObjectRetentionAction + const PutObjectTaggingAction + const PutObjectVersionTaggingAction + const PutReplicationConfigurationAction + const ReadAPILogsAction + const ReadAlertsAction + const ReadAuditLogsAction + const ReadErrorLogsAction + const RebalanceAdminAction + const RemoveServiceAccountAdminAction + const RemoveUserFromGroupAdminAction + const ReplicateDeleteAction + const ReplicateObjectAction + const ReplicateTagsAction + const ReplicationDiff + const ResetBucketReplicationStateAction + const ResourceARNKMSPrefix + const ResourceARNPrefix + const ResourceARNS3TablesPrefix + const RestoreObjectAction + const S3TablesCreateNamespaceAction + const S3TablesCreateTableAction + const S3TablesCreateTableBucketAction + const S3TablesCreateViewAction + const S3TablesCreateWarehouseAction + const S3TablesDeleteNamespaceAction + const S3TablesDeleteTableAction + const S3TablesDeleteTableBucketAction + const S3TablesDeleteTableBucketEncryptionAction + const 
S3TablesDeleteTableBucketPolicyAction + const S3TablesDeleteTablePolicyAction + const S3TablesDeleteViewAction + const S3TablesDeleteWarehouseAction + const S3TablesDeleteWarehouseEncryptionAction + const S3TablesDeleteWarehousePolicyAction + const S3TablesGetConfigAction + const S3TablesGetNamespaceAction + const S3TablesGetTableAction + const S3TablesGetTableBucketAction + const S3TablesGetTableBucketEncryptionAction + const S3TablesGetTableBucketMaintenanceConfigurationAction + const S3TablesGetTableBucketPolicyAction + const S3TablesGetTableDataAction + const S3TablesGetTableEncryptionAction + const S3TablesGetTableMaintenanceConfigurationAction + const S3TablesGetTableMaintenanceJobStatusAction + const S3TablesGetTableMetadataLocationAction + const S3TablesGetTablePolicyAction + const S3TablesGetViewAction + const S3TablesGetWarehouseAction + const S3TablesGetWarehouseEncryptionAction + const S3TablesGetWarehouseMaintenanceConfigurationAction + const S3TablesGetWarehousePolicyAction + const S3TablesListNamespacesAction + const S3TablesListTableBucketsAction + const S3TablesListTablesAction + const S3TablesListTagsForResourceAction + const S3TablesListViewsAction + const S3TablesListWarehousesAction + const S3TablesPutTableBucketEncryptionAction + const S3TablesPutTableBucketMaintenanceConfigurationAction + const S3TablesPutTableBucketPolicyAction + const S3TablesPutTableDataAction + const S3TablesPutTableEncryptionAction + const S3TablesPutTableMaintenanceConfigurationAction + const S3TablesPutTablePolicyAction + const S3TablesPutWarehouseEncryptionAction + const S3TablesPutWarehouseMaintenanceConfigurationAction + const S3TablesPutWarehousePolicyAction + const S3TablesRegisterTableAction + const S3TablesRegisterViewAction + const S3TablesRenameTableAction + const S3TablesRenameViewAction + const S3TablesTableMetricsAction + const S3TablesTagResourceAction + const S3TablesUntagResourceAction + const S3TablesUpdateNamespacePropertiesAction + const 
S3TablesUpdateTableAction + const S3TablesUpdateTableMetadataLocationAction + const S3TablesUpdateViewAction + const S3VectorsCreateIndexAction + const S3VectorsCreateVectorBucketAction + const S3VectorsDeleteIndexAction + const S3VectorsDeleteVectorBucketAction + const S3VectorsDeleteVectorsAction + const S3VectorsGetIndexAction + const S3VectorsGetVectorBucketAction + const S3VectorsGetVectorsAction + const S3VectorsListIndexesAction + const S3VectorsListVectorBucketsAction + const S3VectorsListVectorsAction + const S3VectorsPutVectorsAction + const S3VectorsQueryVectorsAction + const ServerInfoAdminAction + const ServerUpdateAdminAction + const ServiceCordonAdminAction + const ServiceFreezeAdminAction + const ServiceRestartAdminAction + const ServiceStopAdminAction + const SessionPolicyName + const SetBucketQuotaAdminAction + const SetBucketTargetAction + const SetInfoAction + const SetTierAction + const SiteReplicationAddAction + const SiteReplicationDisableAction + const SiteReplicationInfoAction + const SiteReplicationOperationAction + const SiteReplicationRemoveAction + const SiteReplicationResyncAction + const StartBatchJobAction + const StorageInfoAdminAction + const TablesReplicationAddAction + const TablesReplicationInfoAction + const TablesReplicationRemoveAction + const TablesReplicationStartFailoverAction + const TopLocksAdminAction + const TraceAdminAction + const UpdateObjectEncryptionAction + const UpdatePolicyAssociationAction + const UpdateServiceAccountAdminAction + var ARNPrefixToType map[string]ResourceARNType + var ARNTypeToPrefix = map[ResourceARNType]string + var AdminActionsWithResource = map[AdminAction]struct + var DefaultPolicies = []struct{ ... 
} + var IAMActionConditionKeyMap = createActionConditionKeyMap() + var SupportedActions = map[Action]struct + var SupportedAdminActions = map[AdminAction]struct + var SupportedObjectActions = map[Action]struct + var SupportedTableActions = map[TableAction]struct + var SupportedVectorsActions = map[VectorsAction]struct + var VectorsActionConditionKeyMap = createVectorsActionConditionKeyMap() + func Errorf(format string, a ...interface{}) error + func GetPoliciesFromClaims(claims map[string]any, policyClaimName string) (set.StringSet, bool) + func GetValuesFromClaims(claims map[string]any, claimName string) (set.StringSet, bool) + func IsAllowedPar(policies []Policy, args Args) bool + func IsAllowedSerial(policies []Policy, args Args) bool + type Action string + func (action Action) IsObjectAction() bool + func (action Action) IsValid() bool + func (action Action) Match(a Action) bool + type ActionConditionKeyMap map[Action]condition.KeySet + func (a ActionConditionKeyMap) Lookup(action Action) condition.KeySet + type ActionSet map[Action]struct + func NewActionSet(actions ...Action) ActionSet + func NewActionStrings(actions ...string) ActionSet + func (actionSet *ActionSet) UnmarshalJSON(data []byte) error + func (actionSet ActionSet) Add(action Action) + func (actionSet ActionSet) Clone() ActionSet + func (actionSet ActionSet) Contains(action Action) bool + func (actionSet ActionSet) Equals(sactionSet ActionSet) bool + func (actionSet ActionSet) Intersection(sset ActionSet) ActionSet + func (actionSet ActionSet) IsEmpty() bool + func (actionSet ActionSet) MarshalJSON() ([]byte, error) + func (actionSet ActionSet) Match(action Action) bool + func (actionSet ActionSet) String() string + func (actionSet ActionSet) ToAdminSlice() []AdminAction + func (actionSet ActionSet) ToKMSSlice() (actions []KMSAction) + func (actionSet ActionSet) ToSTSSlice() []STSAction + func (actionSet ActionSet) ToSlice() []Action + func (actionSet ActionSet) ToTableSlice() []TableAction + 
func (actionSet ActionSet) ToVectorsSlice() []VectorsAction + func (actionSet ActionSet) Validate() error + func (actionSet ActionSet) ValidateAdmin() error + func (actionSet ActionSet) ValidateKMS() error + func (actionSet ActionSet) ValidateSTS() error + func (actionSet ActionSet) ValidateTable() error + func (actionSet ActionSet) ValidateVectors() error + type AdminAction string + func (action AdminAction) HasResource() bool + func (action AdminAction) IsValid() bool + func (action AdminAction) Match(a AdminAction) bool + type Args struct + AccountName string + Action Action + BucketName string + Claims map[string]any + ConditionValues map[string][]string + DenyOnly bool + Groups []string + IsOwner bool + ObjectName string + OriginalAction Action + func (a Args) GetPolicies(policyClaimName string) (set.StringSet, bool) + func (a Args) GetRoleArn() string + type BPStatement struct + Actions ActionSet + Conditions condition.Functions + Effect Effect + NotActions ActionSet + NotResources ResourceSet + Principal Principal + Resources ResourceSet + SID ID + func NewBPStatement(sid ID, effect Effect, principal Principal, actionSet ActionSet, ...) BPStatement + func NewBPStatementWithNotAction(sid ID, effect Effect, principal Principal, notActions ActionSet, ...) BPStatement + func NewBPStatementWithNotResource(sid ID, effect Effect, principal Principal, actions ActionSet, ...) 
BPStatement + func (statement BPStatement) Clone() BPStatement + func (statement BPStatement) Equals(st BPStatement) bool + func (statement BPStatement) IsAllowed(args BucketPolicyArgs) bool + func (statement BPStatement) Validate(bucketName string) error + type BucketPolicy struct + ID ID + Statements []BPStatement + Version string + func ParseBucketPolicyConfig(reader io.Reader, bucketName string) (*BucketPolicy, error) + func (policy *BucketPolicy) Equals(p BucketPolicy) bool + func (policy *BucketPolicy) UnmarshalJSON(data []byte) error + func (policy BucketPolicy) IsAllowed(args BucketPolicyArgs) bool + func (policy BucketPolicy) IsEmpty() bool + func (policy BucketPolicy) MarshalJSON() ([]byte, error) + func (policy BucketPolicy) Validate(bucketName string) error + type BucketPolicyArgs struct + AccountName string + Action Action + BucketName string + ConditionValues map[string][]string + Groups []string + IsOwner bool + ObjectName string + type Decision uint8 + const AllowDecision + const DenyDecision + const NoDecision + type Effect string + const Allow + const Deny + func (effect Effect) IsAllowed(b bool) bool + func (effect Effect) IsValid() bool + type Error struct + func (e Error) Error() string + func (e Error) Unwrap() error + type ID string + func (id ID) IsValid() bool + type KMSAction string + func (action KMSAction) IsValid() bool + type Policy struct + ID ID + Statements []Statement + Version string + func MergePolicies(inputs ...Policy) (merged Policy) + func ParseConfig(reader io.Reader) (*Policy, error) + func ParseConfigStrict(reader io.Reader) (*Policy, error) + func (iamp *Policy) Decide(args *Args) Decision + func (iamp *Policy) Equals(p Policy) bool + func (iamp *Policy) HasDenyStatement() bool + func (iamp *Policy) UnmarshalJSON(data []byte) error + func (iamp Policy) IsAllowed(args Args) bool + func (iamp Policy) IsAllowedActions(bucketName, objectName string, conditionValues map[string][]string) ActionSet + func (iamp Policy) IsEmpty() 
bool + func (iamp Policy) MatchResource(resource string) bool + func (iamp Policy) Validate() error + func (iamp Policy) ValidateStrict() error + type Principal struct + AWS set.StringSet + func NewPrincipal(principals ...string) Principal + func (p *Principal) UnmarshalJSON(data []byte) error + func (p Principal) Clone() Principal + func (p Principal) Equals(pp Principal) bool + func (p Principal) Intersection(principal Principal) set.StringSet + func (p Principal) IsValid() bool + func (p Principal) MarshalJSON() ([]byte, error) + func (p Principal) Match(principal string) bool + type Resource struct + Pattern string + Type ResourceARNType + func NewKMSResource(pattern string) Resource + func NewResource(pattern string) Resource + func NewS3TablesResource(pattern string) Resource + func ParseResource(s string) (Resource, error) + func (r *Resource) UnmarshalJSON(data []byte) error + func (r Resource) IsValid() bool + func (r Resource) MarshalJSON() ([]byte, error) + func (r Resource) Match(resource string, conditionValues map[string][]string) bool + func (r Resource) MatchResource(resource string) bool + func (r Resource) String() string + func (r Resource) Validate() error + func (r Resource) ValidateBucket(bucketName string) error + type ResourceARNType uint32 + const ResourceARNAll + const ResourceARNKMS + const ResourceARNS3 + const ResourceARNS3Tables + func (a ResourceARNType) String() string + type ResourceSet map[Resource]struct + func NewResourceSet(resources ...Resource) ResourceSet + func NewResourceStrings(resources ...string) ResourceSet + func (resourceSet *ResourceSet) UnmarshalJSON(data []byte) error + func (resourceSet ResourceSet) Add(resource Resource) + func (resourceSet ResourceSet) BucketResourceExists() bool + func (resourceSet ResourceSet) Clone() ResourceSet + func (resourceSet ResourceSet) Equals(sresourceSet ResourceSet) bool + func (resourceSet ResourceSet) Intersection(sset ResourceSet) ResourceSet + func (resourceSet ResourceSet) 
MarshalJSON() ([]byte, error) + func (resourceSet ResourceSet) Match(resource string, conditionValues map[string][]string) bool + func (resourceSet ResourceSet) MatchResource(resource string) bool + func (resourceSet ResourceSet) ObjectResourceExists() bool + func (resourceSet ResourceSet) String() string + func (resourceSet ResourceSet) ToSlice() []Resource + func (resourceSet ResourceSet) ValidateBucket(bucketName string) error + func (resourceSet ResourceSet) ValidateKMS() error + func (resourceSet ResourceSet) ValidateS3() error + func (resourceSet ResourceSet) ValidateTable() error + func (resourceSet ResourceSet) ValidateVectors() error + type STSAction string + func (action STSAction) IsValid() bool + type Statement struct + Actions ActionSet + Conditions condition.Functions + Effect Effect + NotActions ActionSet + NotResources ResourceSet + Resources ResourceSet + SID ID + func NewStatement(sid ID, effect Effect, actionSet ActionSet, resourceSet ResourceSet, ...) Statement + func NewStatementWithNotAction(sid ID, effect Effect, notActions ActionSet, resources ResourceSet, ...) Statement + func NewStatementWithNotResource(sid ID, effect Effect, actions ActionSet, notResources ResourceSet, ...) Statement + func (statement Statement) Clone() Statement + func (statement Statement) Equals(st Statement) bool + func (statement Statement) IsAllowed(args Args) bool + func (statement Statement) IsAllowedPtr(args *Args) bool + func (statement Statement) Validate() error + func (statement Statement) ValidateStrict() error + type TableAction string + func (action TableAction) IsValid() bool + type VectorsAction string + func (action VectorsAction) IsValid() bool
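Review bot: The listing exports two parsers and two validators with identical signatures (`ParseConfig` / `ParseConfigStrict`, and `Validate` / `ValidateStrict` on both `Policy` and `Statement`), and nothing visible here tells a caller what the strict variants additionally reject. These sit where a policy document is accepted before it drives authorization, so each doc comment should state the difference and which variant is meant for user-supplied documents, e.g. `// ParseConfigStrict parses like ParseConfig and additionally rejects <what strict mode rejects; not shown on this page>.` The decision API has the same gap: `IsAllowed` returns a bare `bool` while `Decide` returns `AllowDecision`, `DenyDecision` or `NoDecision`, so the comments on `IsAllowed`, `IsAllowedPar`, `IsAllowedSerial` and `Args.DenyOnly` should say how an explicit deny and a non-matching policy each map onto `false`; presumably both do, but that needs confirming against the source. Only declarations are visible on this page, so these are documentation requests rather than confirmed defects.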