:doc:`Organizations <../../organizations>` / Client / attach_policy

*************
attach_policy
*************



.. py:method:: Organizations.Client.attach_policy(**kwargs)

  

  Attaches a policy to a root, an organizational unit (OU), or an individual account. How the policy affects accounts depends on the type of policy. Refer to the *Organizations User Guide* for information about each policy type:

   

  
  * `SERVICE_CONTROL_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html>`__
   
  * `RESOURCE_CONTROL_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html>`__
   
  * `DECLARATIVE_POLICY_EC2 <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html>`__
   
  * `BACKUP_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html>`__
   
  * `TAG_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html>`__
   
  * `CHATBOT_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_chatbot.html>`__
   
  * `AISERVICES_OPT_OUT_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html>`__
   
  * `SECURITYHUB_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_security_hub.html>`__
   
  * `UPGRADE_ROLLOUT_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_upgrade_rollout.html>`__
   
  * `INSPECTOR_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inspector.html>`__
   
  * `BEDROCK_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_bedrock.html>`__
   
  * `S3_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_s3.html>`__
   
  * `NETWORK_SECURITY_DIRECTOR_POLICY <https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_network_security_director.html>`__
  

   

  You can only call this operation from the management account or a member account that is a delegated administrator.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/AttachPolicy>`_  


  **Request Syntax**
  ::

    response = client.attach_policy(
        PolicyId='string',
        TargetId='string'
    )
    
  :type PolicyId: string
  :param PolicyId: **[REQUIRED]** 

    ID for the policy that you want to attach to the target. You can get the ID for the policy by calling the  ListPolicies operation.

     

    The `regex pattern <http://wikipedia.org/wiki/regex>`__ for a policy ID string requires "p-" followed by from 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).

    

  
  :type TargetId: string
  :param TargetId: **[REQUIRED]** 

    ID for the root, OU, or account that you want to attach the policy to. You can get the ID by calling the  ListRoots,  ListOrganizationalUnitsForParent, or  ListAccounts operations.

     

    The `regex pattern <http://wikipedia.org/wiki/regex>`__ for a target ID string requires one of the following:

     

    
    * **Root** - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits.
     
    * **Account** - A string that consists of exactly 12 digits.
     
    * **Organizational unit (OU)** - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.
    

    

  
  
  :returns: None
  **Exceptions**
  
  *   :py:class:`Organizations.Client.exceptions.AccessDeniedException`

  
  *   :py:class:`Organizations.Client.exceptions.AWSOrganizationsNotInUseException`

  
  *   :py:class:`Organizations.Client.exceptions.ConcurrentModificationException`

  
  *   :py:class:`Organizations.Client.exceptions.ConstraintViolationException`

  
  *   :py:class:`Organizations.Client.exceptions.DuplicatePolicyAttachmentException`

  
  *   :py:class:`Organizations.Client.exceptions.InvalidInputException`

  
  *   :py:class:`Organizations.Client.exceptions.PolicyNotFoundException`

  
  *   :py:class:`Organizations.Client.exceptions.PolicyTypeNotEnabledException`

  
  *   :py:class:`Organizations.Client.exceptions.ServiceException`

  
  *   :py:class:`Organizations.Client.exceptions.TargetNotFoundException`

  
  *   :py:class:`Organizations.Client.exceptions.TooManyRequestsException`

  
  *   :py:class:`Organizations.Client.exceptions.UnsupportedAPIEndpointException`

  
  *   :py:class:`Organizations.Client.exceptions.PolicyChangesInProgressException`

  

  **Examples**

  The following example shows how to attach a service control policy (SCP) to an OU:

  ::

    response = client.attach_policy(
        PolicyId='p-examplepolicyid111',
        TargetId='ou-examplerootid111-exampleouid111',
    )
    
    print(response)

  
  Expected Output:
  ::

    {
        'ResponseMetadata': {
            '...': '...',
        },
    }

  

  The following example shows how to attach a service control policy (SCP) to an account:

  ::

    response = client.attach_policy(
        PolicyId='p-examplepolicyid111',
        TargetId='333333333333',
    )
    
    print(response)

  
  Expected Output:
  ::

    {
        'ResponseMetadata': {
            '...': '...',
        },
    }

  