Here is a documentation:
Sid – (Optional) The Sid is a statement identifier, an arbitrary string you can use to identify the statement.
Does it means that Sid parameter is just description?
-
4Yes that's exactly what it means, it is just a description.– Mark BNov 27, 2017 at 16:01
Add a comment
|
3 Answers
In another part of the documentation AWS provides some additional information about the purpose of the Sid:
The
Sid(statement ID) is an optional identifier that you provide for the policy statement. You can assign aSidvalue to each statement in a statement array. In services that let you specify anIDelement, such as SQS and SNS, theSidvalue is just a sub-ID of the policy document's ID. In IAM, theSidvalue must be unique within a JSON policy.
So yes, it's just a description.
-
2The part you quoted says that it's an "optional identifier". If it's just a description, why would it have to be unique?– Khoa VoJun 1, 2021 at 8:54
-
2It doesnt appear to be JUST a description - seems to not allow spaces or wildcards? So it's more of an identifier, from what I gather, and supports
[a-z, A-Z, 0-9]Jun 15, 2021 at 18:27 -
2and it has to be unique per policy, so you can use multiple
sididentifiers for statements in your policy, but can't use the samesidmore than once in that policy. You can repeat the same sids in different policies though. Jun 16, 2021 at 16:38 -
3That part in the documentation is really not much of help. It does not mention how we could use it and does not give any useful examples either. It definitely does not look like a description.– maulik13Aug 10, 2021 at 11:42
You can use Sid to refer to a specific statement in a long policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAll",
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "DenyList",
"Effect": "Deny",
"Action": "s3:List*",
"Resource": "arn:aws:s3:::*"
}
]
}
For example when explain the policy, you can say that the AllowAll statement allows all S3 actions, but that DenyList denies all list actions. Imagine if those Sids weren't there, how would you refer to either of them?
This might be semantic nitpicking, but I disagree that it's "just a description", because descriptions don't have to be unique. Also Sid doesn't support spaces so it's really just an ID.
Update: Quoting AWS docs
Some AWS services (for example, Amazon SQS or Amazon SNS) might require this element and have uniqueness requirements for it.
-
by referring do you mean reference in yaml or for description purposes? Sep 14, 2021 at 12:31
-
1@user2770362 It can be used for both description and automation purposes. I'm not sure what you mean by "reference in yaml", but if you mean in a programmatic context then yes. I think it'd be useful to loop through all statements in a policy, and pick out the one with a specific name, for example.– Khoa VoSep 14, 2021 at 13:17
-
I don't think 'just a description' is enough to describe the meaning of Sid.
I think a better question would be: 'how can I use Sid to my advantage?'
Here is one example:
- you could use Sid to process your policies in case you ever need to find the needle in the hay stack.
Example: you have 1k policies and would like to find the policy that does "S3DenyPublicReadACL". maybe you store that policy in an s3 bucket, so you can reuse it.
Solution: Write a script/lambda, find it and reuse it in an automatic way.
-
1That is the right question to ask, and the documentation fails to provide any info about its use case.– maulik13Aug 10, 2021 at 11:43