Principal classes.

class EffectivePrincipal(inclusion, exclusions=None)

An EffectivePrincipal represents the difference between a Principal and its exclusions.

The allowed Principal is the difference (subtraction) of the excluded Principals from the included Principal.

exclusions: FrozenSet[policyglass.effective_arp.T]

Exclusions must always be a subset of the inclusion and must not be subsets of each other.

inclusion: policyglass.effective_arp.T

Inclusion must be a superset of any exclusions
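Added example, not PolicyGlass code: a stand-alone model of the inclusion/exclusion rule and its two invariants, useful for reasoning about who a policy with exclusions still admits. `ModelPrincipal`, `ModelEffectivePrincipal`, `allows`, the subset rules and the `ValueError` on a broken invariant are assumptions of this sketch; the account ids are constructed.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class ModelPrincipal:
    type: str   # e.g. "AWS" or "Federated"
    value: str  # ARN, 12-digit account id, or "*"

    @property
    def account_id(self) -> Optional[str]:
        if re.fullmatch(r"\d{12}", self.value):
            return self.value
        parts = self.value.split(":")  # arn:partition:service:region:account:resource
        return (parts[4] or None) if len(parts) > 5 and parts[0] == "arn" else None

    @property
    def is_account(self) -> bool:
        return bool(re.fullmatch(r"\d{12}|arn:aws:iam::\d{12}:root", self.value))

    def issubset(self, other: "ModelPrincipal") -> bool:
        # Assumed rules: same type, and other is "*", an equal value,
        # or the account principal that owns self.
        if not isinstance(other, ModelPrincipal):
            raise ValueError("other must be a ModelPrincipal")
        if self.type != other.type:
            return False
        if other.value == "*" or self.value == other.value:
            return True
        return other.is_account and self.account_id == other.account_id

@dataclass(frozen=True)
class ModelEffectivePrincipal:
    inclusion: ModelPrincipal
    exclusions: FrozenSet[ModelPrincipal] = frozenset()

    def __post_init__(self):
        for e in self.exclusions:
            if not e.issubset(self.inclusion):
                raise ValueError(f"exclusion {e.value} is outside the inclusion")
            if any(e != o and e.issubset(o) for o in self.exclusions):
                raise ValueError(f"exclusion {e.value} is covered by another exclusion")

    def allows(self, principal: ModelPrincipal) -> bool:
        # Allowed set = inclusion minus every exclusion.
        return principal.issubset(self.inclusion) and not any(
            principal.issubset(e) for e in self.exclusions)

# Constructed sample: everyone except one (made-up) account.
EVERYONE_BUT_ONE = ModelEffectivePrincipal(
    ModelPrincipal("AWS", "*"),
    frozenset({ModelPrincipal("AWS", "arn:aws:iam::111122223333:root")}),
)
```

In this model, `EVERYONE_BUT_ONE.allows(...)` is false for any principal inside account 111122223333 and true for principals in other accounts, and adding a role from that account as a second exclusion is rejected as redundant.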

class Principal(type, value)

A class which represents a single Principal including its type.

Objects of this type are typically generated by the Statement class.

Return type


__init__(type, value)

Create a new model by parsing and validating input data from keyword arguments.

Raises ValidationError if the input data cannot be parsed to form a valid model.

Return type


property account_id: Optional[str]

Return the account id of this Principal if there is one.

property arn_elements: List[str]

Return a list of arn elements, replacing blanks with "".

property is_account: bool

Return true if the principal is an account.


Whether this object contains all the elements of another object (i.e. is a subset of the other object).


other (object) – The object to determine if our object contains.


ValueError – If the other object is not of the same type as this object.

Return type


type: policyglass.principal.PrincipalType

Principal Type

value: policyglass.principal.PrincipalValue

Principal value

class PrincipalCollection

A collection of Principals of different types, unique to PolicyGlass.

property principals: List[policyglass.principal.Principal]

class PrincipalType

A principal type, e.g. Federated or AWS.

See AWS JSON policy elements: Principal for more.

class PrincipalValue

An ARN, wildcard, or other appropriate value of a policy Principal.

See AWS JSON policy elements: Principal for more.