Policy

class aws_cdk.aws_iam.Policy(scope, id, *, document=None, force=None, groups=None, policy_name=None, roles=None, statements=None, users=None)

Bases: aws_cdk.core.Resource

The AWS::IAM::Policy resource associates an IAM policy with IAM users, roles, or groups.

For more information about IAM policies, see Overview of IAM Policies in the IAM User Guide.

Parameters
  • scope (Construct) –

  • id (str) –

  • document (Optional[PolicyDocument]) – Initial PolicyDocument to use for this Policy. If omitted, any PolicyStatement provided in the statements property will be applied against the empty default PolicyDocument. Default: - An empty policy.

  • force (Optional[bool]) – Force creation of an AWS::IAM::Policy. Unless set to true, this Policy construct will not materialize to an AWS::IAM::Policy CloudFormation resource in case it would have no effect (for example, if it remains unattached to an IAM identity or if it has no statements). This is generally desired behavior, since it prevents creating invalid (and hence undeployable) CloudFormation templates. In cases where you know the policy must be created and it is actually an error if no statements have been added to it, you can set this to true. Default: false

  • groups (Optional[List[IGroup]]) – Groups to attach this policy to. You can also use attach_to_group(group) to attach this policy to a group. Default: - No groups.

  • policy_name (Optional[str]) – The name of the policy. If you specify multiple policies for an entity, specify unique names. For example, if you specify a list of policies for an IAM role, each policy must have a unique name. Default: - Uses the logical ID of the policy resource, which is ensured to be unique within the stack.

  • roles (Optional[List[IRole]]) – Roles to attach this policy to. You can also use attach_to_role(role) to attach this policy to a role. Default: - No roles.

  • statements (Optional[List[PolicyStatement]]) – Initial set of permissions to add to this policy document. You can also use add_statements(*statement) to add permissions later. Default: - No statements.

  • users (Optional[List[IUser]]) – Users to attach this policy to. You can also use attach_to_user(user) to attach this policy to a user. Default: - No users.
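
An added example, not part of the CDK documentation: a check over a synthesized CloudFormation template that catches the case the force parameter describes (an expected policy absent from the template because it was unattached or empty) and flags Allow statements with a bare "*" action or resource. The template fragment, policy names and the function audit_iam_policies are constructed for illustration, and the check assumes policy_name was set explicitly.

```python
import json

# Constructed sample: fragment of a synthesized template. Logical IDs, policy
# names, bucket ARN and the referenced role/user are made up for this example.
TEMPLATE = json.loads("""
{"Resources": {
  "ReadReportsPolicy1A2B": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "ReadReports",
    "Roles": [{"Ref": "AppRole"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::example-reports/*"}]}}},
  "AdminPolicy3C4D": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "Admin",
    "Users": [{"Ref": "OpsUser"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
  "AppRole": {"Type": "AWS::IAM::Role", "Properties": {}}
}}
""")


def _as_list(value):
    """IAM allows a single item or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_iam_policies(template, expected_names=()):
    """Return sorted (policy_name, finding) pairs for AWS::IAM::Policy resources."""
    policies = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Policy":
            props = res.get("Properties", {})
            name = props.get("PolicyName")
            # Fall back to the logical ID when PolicyName is not a literal string.
            policies[name if isinstance(name, str) else logical_id] = props
    # A policy that is unattached or empty is dropped at synth unless force=True.
    findings = [(n, "not-in-template") for n in expected_names if n not in policies]
    for name, props in policies.items():
        if not any(props.get(k) for k in ("Roles", "Users", "Groups")):
            findings.append((name, "unattached"))
        for stmt in _as_list(props.get("PolicyDocument", {}).get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            if "*" in _as_list(stmt.get("Action")):
                findings.append((name, "allow-action-wildcard"))
            if "*" in _as_list(stmt.get("Resource")):
                findings.append((name, "allow-resource-wildcard"))
    return sorted(findings)
```

Run it against the JSON that synthesis produces, passing the policy names the stack is meant to contain as expected_names.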

Methods

add_statements(*statement)

Adds a statement to the policy document.

Parameters

statement (PolicyStatement) –

Return type

None

attach_to_group(group)

Attaches this policy to a group.

Parameters

group (IGroup) –

Return type

None

attach_to_role(role)

Attaches this policy to a role.

Parameters

role (IRole) –

Return type

None

attach_to_user(user)

Attaches this policy to a user.

Parameters

user (IUser) –

Return type

None

to_string()

Returns a string representation of this construct.

Return type

str

Attributes

document

The policy document.

Return type

PolicyDocument

env

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like from_role_arn, from_bucket_name, etc.), that might be different than the stack they were imported into.

Return type

ResourceEnvironment

node

The construct tree node associated with this construct.

Return type

ConstructNode

policy_name

The name of this policy.

Attribute

true

Return type

str

stack

The stack in which this resource is defined.

Return type

Stack

Static Methods

classmethod from_policy_name(scope, id, policy_name)

Import a policy in this app based on its name.

Parameters
  • scope (Construct) –

  • id (str) –

  • policy_name (str) –

Return type

IPolicy

classmethod is_construct(x)

Return whether the given object is a Construct.

Parameters

x (Any) –

Return type

bool