Class PolicyStatement
Represents a statement in an IAM policy document.
Inheritance
Namespace: Amazon.CDK.AWS.IAM
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class PolicyStatement : DeputyBase
Syntax (vb)
Public Class PolicyStatement
Inherits DeputyBase
Remarks
ExampleMetadata: infused
Examples
Bucket destinationBucket;
var deployment = new BucketDeployment(this, "DeployFiles", new BucketDeploymentProps {
Sources = new [] { Source.Asset(Join(__dirname, "source-files")) },
DestinationBucket = destinationBucket
});
deployment.HandlerRole.AddToPolicy(
new PolicyStatement(new PolicyStatementProps {
Actions = new [] { "kms:Decrypt", "kms:DescribeKey" },
Effect = Effect.ALLOW,
Resources = new [] { "<encryption key ARN>" }
}));
Synopsis
Constructors
PolicyStatement(IPolicyStatementProps) | |
PolicyStatement(ByRefValue) | Used by jsii to construct an instance of this class from a Javascript-owned object reference |
PolicyStatement(DeputyBase.DeputyProps) | Used by jsii to construct an instance of this class from DeputyProps |
Properties
Actions | The Actions added to this statement. |
Conditions | The conditions added to this statement. |
Effect | Whether to allow or deny the actions in this statement Set effect for this statement. |
Frozen | Whether the PolicyStatement has been frozen. |
HasPrincipal | Indicates if this permission has a "Principal" section. |
HasResource | Indicates if this permission has at least one resource associated with it. |
NotActions | The NotActions added to this statement. |
NotPrincipals | The NotPrincipals added to this statement. |
NotResources | The NotResources added to this statement. |
Principals | The Principals added to this statement. |
Resources | The Resources added to this statement. |
Sid | Statement ID for this statement Set Statement ID for this statement. |
Methods
AddAccountCondition(String) | Add a |
AddAccountRootPrincipal() | Adds an AWS account root user principal to this policy statement. |
AddActions(String[]) | Specify allowed actions into the "Action" section of the policy statement. |
AddAllResources() | Adds a |
AddAnyPrincipal() | Adds all identities in all accounts ("*") to this policy statement. |
AddArnPrincipal(String) | Specify a principal using the ARN identifier of the principal. |
AddAwsAccountPrincipal(String) | Specify AWS account ID as the principal entity to the "Principal" section of a policy statement. |
AddCanonicalUserPrincipal(String) | Adds a canonical user ID principal to this policy document. |
AddCondition(String, Object) | Add a condition to the Policy. |
AddConditions(IDictionary<String, Object>) | Add multiple conditions to the Policy. |
AddFederatedPrincipal(Object, IDictionary<String, Object>) | Adds a federated identity provider such as Amazon Cognito to this policy statement. |
AddNotActions(String[]) | Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document. |
AddNotPrincipals(IPrincipal[]) | Specify principals that is not allowed or denied access to the "NotPrincipal" section of a policy statement. |
AddNotResources(String[]) | Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement. |
AddPrincipals(IPrincipal[]) | Adds principals to the "Principal" section of a policy statement. |
AddResources(String[]) | Specify resources that this policy statement applies into the "Resource" section of this policy statement. |
AddServicePrincipal(String, IServicePrincipalOpts) | Adds a service principal to this policy statement. |
AddSourceAccountCondition(String) | Add an |
AddSourceArnCondition(String) | Add an |
Copy(IPolicyStatementProps) | Create a new |
Freeze() | Make the PolicyStatement immutable. |
FromJson(Object) | Creates a new PolicyStatement based on the object provided. |
ToJSON() | JSON-ify the statement. |
ToStatementJson() | JSON-ify the policy statement. |
ToString() | String representation of this policy statement. |
ValidateForAnyPolicy() | Validate that the policy statement satisfies base requirements for a policy. |
ValidateForIdentityPolicy() | Validate that the policy statement satisfies all requirements for an identity-based policy. |
ValidateForResourcePolicy() | Validate that the policy statement satisfies all requirements for a resource-based policy. |
Constructors
PolicyStatement(IPolicyStatementProps)
PolicyStatement(ByRefValue)
Used by jsii to construct an instance of this class from a Javascript-owned object reference
protected PolicyStatement(ByRefValue reference)
Parameters
- reference Amazon.JSII.Runtime.Deputy.ByRefValue
The Javascript-owned object reference
PolicyStatement(DeputyBase.DeputyProps)
Used by jsii to construct an instance of this class from DeputyProps
protected PolicyStatement(DeputyBase.DeputyProps props)
Parameters
- props Amazon.JSII.Runtime.Deputy.DeputyBase.DeputyProps
The deputy props
Properties
Actions
The Actions added to this statement.
public virtual string[] Actions { get; }
Property Value
System.String[]
Conditions
The conditions added to this statement.
public virtual object Conditions { get; }
Property Value
System.Object
Effect
Whether to allow or deny the actions in this statement Set effect for this statement.
public virtual Effect Effect { get; set; }
Property Value
Frozen
Whether the PolicyStatement has been frozen.
public virtual bool Frozen { get; }
Property Value
System.Boolean
Remarks
The statement object is frozen when freeze()
is called.
HasPrincipal
Indicates if this permission has a "Principal" section.
public virtual bool HasPrincipal { get; }
Property Value
System.Boolean
HasResource
Indicates if this permission has at least one resource associated with it.
public virtual bool HasResource { get; }
Property Value
System.Boolean
NotActions
The NotActions added to this statement.
public virtual string[] NotActions { get; }
Property Value
System.String[]
NotPrincipals
The NotPrincipals added to this statement.
public virtual IPrincipal[] NotPrincipals { get; }
Property Value
NotResources
The NotResources added to this statement.
public virtual string[] NotResources { get; }
Property Value
System.String[]
Principals
The Principals added to this statement.
public virtual IPrincipal[] Principals { get; }
Property Value
Resources
The Resources added to this statement.
public virtual string[] Resources { get; }
Property Value
System.String[]
Sid
Statement ID for this statement Set Statement ID for this statement.
public virtual string Sid { get; set; }
Property Value
System.String
Methods
AddAccountCondition(String)
Add a StringEquals
condition that limits to a given account from sts:ExternalId
.
public virtual void AddAccountCondition(string accountId)
Parameters
- accountId System.String
Remarks
This method can only be called once: subsequent calls will overwrite earlier calls.
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
AddAccountRootPrincipal()
Adds an AWS account root user principal to this policy statement.
public virtual void AddAccountRootPrincipal()
AddActions(String[])
Specify allowed actions into the "Action" section of the policy statement.
public virtual void AddActions(params string[] actions)
Parameters
- actions System.String[]
actions that will be allowed.
Remarks
AddAllResources()
Adds a "*"
resource to this statement.
public virtual void AddAllResources()
AddAnyPrincipal()
Adds all identities in all accounts ("*") to this policy statement.
public virtual void AddAnyPrincipal()
AddArnPrincipal(String)
Specify a principal using the ARN identifier of the principal.
public virtual void AddArnPrincipal(string arn)
Parameters
- arn System.String
ARN identifier of AWS account, IAM user, or IAM role (i.e. arn:aws:iam::123456789012:user/user-name).
Remarks
You cannot specify IAM groups and instance profiles as principals.
AddAwsAccountPrincipal(String)
Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.
public virtual void AddAwsAccountPrincipal(string accountId)
Parameters
- accountId System.String
AddCanonicalUserPrincipal(String)
Adds a canonical user ID principal to this policy document.
public virtual void AddCanonicalUserPrincipal(string canonicalUserId)
Parameters
- canonicalUserId System.String
unique identifier assigned by AWS for every account.
AddCondition(String, Object)
Add a condition to the Policy.
public virtual void AddCondition(string key, object value)
Parameters
- key System.String
- value System.Object
Remarks
If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:
PolicyStatement stmt;
stmt.AddCondition("StringEquals", new Dictionary<string, string> { { "aws:SomeField", "1" } });
stmt.AddCondition("StringEquals", new Dictionary<string, string> { { "aws:SomeField", "2" } });
Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }
.
If you meant to add a condition to say that the field can be either 1
or 2
, write
this:
PolicyStatement stmt;
stmt.AddCondition("StringEquals", new Dictionary<string, string[]> { { "aws:SomeField", new [] { "1", "2" } } });
AddConditions(IDictionary<String, Object>)
Add multiple conditions to the Policy.
public virtual void AddConditions(IDictionary<string, object> conditions)
Parameters
- conditions System.Collections.Generic.IDictionary<System.String, System.Object>
Remarks
See the addCondition
function for a caveat on calling this method multiple times.
AddFederatedPrincipal(Object, IDictionary<String, Object>)
Adds a federated identity provider such as Amazon Cognito to this policy statement.
public virtual void AddFederatedPrincipal(object federated, IDictionary<string, object> conditions)
Parameters
- federated System.Object
federated identity provider (i.e. 'cognito-identity.amazonaws.com').
- conditions System.Collections.Generic.IDictionary<System.String, System.Object>
The conditions under which the policy is in effect.
AddNotActions(String[])
Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document.
public virtual void AddNotActions(params string[] notActions)
Parameters
- notActions System.String[]
actions that will be denied.
Remarks
AddNotPrincipals(IPrincipal[])
Specify principals that is not allowed or denied access to the "NotPrincipal" section of a policy statement.
public virtual void AddNotPrincipals(params IPrincipal[] notPrincipals)
Parameters
- notPrincipals IPrincipal[]
IAM principals that will be denied access.
Remarks
AddNotResources(String[])
Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.
public virtual void AddNotResources(params string[] arns)
Parameters
- arns System.String[]
Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.
Remarks
All resources except the specified list will be matched.
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
AddPrincipals(IPrincipal[])
Adds principals to the "Principal" section of a policy statement.
public virtual void AddPrincipals(params IPrincipal[] principals)
Parameters
- principals IPrincipal[]
IAM principals that will be added.
Remarks
AddResources(String[])
Specify resources that this policy statement applies into the "Resource" section of this policy statement.
public virtual void AddResources(params string[] arns)
Parameters
- arns System.String[]
Amazon Resource Names (ARNs) of the resources that this policy statement applies to.
Remarks
AddServicePrincipal(String, IServicePrincipalOpts)
Adds a service principal to this policy statement.
public virtual void AddServicePrincipal(string service, IServicePrincipalOpts opts = null)
Parameters
- service System.String
the service name for which a service principal is requested (e.g:
s3.amazonaws.com
).- opts IServicePrincipalOpts
options for adding the service principal (such as specifying a principal in a different region).
AddSourceAccountCondition(String)
Add an StringEquals
condition that limits to a given account from aws:SourceAccount
.
public virtual void AddSourceAccountCondition(string accountId)
Parameters
- accountId System.String
Remarks
This method can only be called once: subsequent calls will overwrite earlier calls.
AddSourceArnCondition(String)
Add an ArnEquals
condition that limits to a given resource arn from aws:SourceArn
.
public virtual void AddSourceArnCondition(string arn)
Parameters
- arn System.String
Remarks
This method can only be called once: subsequent calls will overwrite earlier calls.
Copy(IPolicyStatementProps)
Create a new PolicyStatement
with the same exact properties as this one, except for the overrides.
public virtual PolicyStatement Copy(IPolicyStatementProps overrides = null)
Parameters
- overrides IPolicyStatementProps
Returns
Freeze()
Make the PolicyStatement immutable.
public virtual PolicyStatement Freeze()
Returns
Remarks
After calling this, any of the addXxx()
methods will throw an exception.
Libraries that lazily generate statement bodies can override this method to fill the actual PolicyStatement fields. Be aware that this method may be called multiple times.
FromJson(Object)
Creates a new PolicyStatement based on the object provided.
public static PolicyStatement FromJson(object obj)
Parameters
- obj System.Object
the PolicyStatement in object form.
Returns
Remarks
This will accept an object created from the .toJSON()
call
ToJSON()
JSON-ify the statement.
public virtual object ToJSON()
Returns
System.Object
Remarks
Used when JSON.stringify() is called
ToStatementJson()
JSON-ify the policy statement.
public virtual object ToStatementJson()
Returns
System.Object
Remarks
Used when JSON.stringify() is called
ToString()
String representation of this policy statement.
public override string ToString()
Returns
System.String
ValidateForAnyPolicy()
Validate that the policy statement satisfies base requirements for a policy.
public virtual string[] ValidateForAnyPolicy()
Returns
System.String[]
An array of validation error messages, or an empty array if the statement is valid.
ValidateForIdentityPolicy()
Validate that the policy statement satisfies all requirements for an identity-based policy.
public virtual string[] ValidateForIdentityPolicy()
Returns
System.String[]
An array of validation error messages, or an empty array if the statement is valid.
ValidateForResourcePolicy()
Validate that the policy statement satisfies all requirements for a resource-based policy.
public virtual string[] ValidateForResourcePolicy()
Returns
System.String[]
An array of validation error messages, or an empty array if the statement is valid.