PolicyDocument

class aws_cdk.aws_iam.PolicyDocument(*, assign_sids=None, minimize=None, statements=None)

Bases: object

A PolicyDocument is a collection of statements.

Example:

import aws_cdk.aws_ec2 as ec2
import aws_cdk.aws_efs as efs
import aws_cdk.aws_iam as iam


# Resource-based policy for the file system: the account root principal may
# mount and write, but only when the request arrives through a mount target.
my_file_system_policy = iam.PolicyDocument(
    statements=[iam.PolicyStatement(
        actions=["elasticfilesystem:ClientWrite", "elasticfilesystem:ClientMount"],
        principals=[iam.AccountRootPrincipal()],
        resources=["*"],
        conditions={
            "Bool": {
                "elasticfilesystem:AccessedViaMountTarget": "true"
            }
        }
    )]
)

# `self` is the Stack (or other Construct) in which this snippet runs.
file_system = efs.FileSystem(self, "MyEfsFileSystem",
    vpc=ec2.Vpc(self, "VPC"),
    file_system_policy=my_file_system_policy
)

Parameters:
  • assign_sids (Optional[bool]) – Automatically assign Statement Ids to all statements. Default: false

  • minimize (Optional[bool]) – Try to minimize the policy by merging statements. To avoid overrunning the maximum policy size, combine statements if they produce the same result. Merging happens according to the following rules:
      - The Effect of both statements is the same.
      - Neither of the statements has a ‘Sid’.
      - Combine Principals if the rest of the statement is exactly the same.
      - Combine Resources if the rest of the statement is exactly the same.
      - Combine Actions if the rest of the statement is exactly the same.
      - NotPrincipals, NotResources and NotActions are never combined, because doing so would change the meaning of the policy document.
    Default: false, unless the feature flag @aws-cdk/aws-iam:minimizePolicies is set

  • statements (Optional[Sequence[PolicyStatement]]) – Initial statements to add to the policy document. Default: No statements
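
The merge rules behind `minimize`, as an added stand-alone illustration in plain Python (not the CDK's own implementation, which works on PolicyStatement objects): `minimize()` applies the rules to a JSON-style document. It assumes the conservative reading that a statement using any Not* form is never merged at all; the sample document and its ARNs are constructed placeholders.

```python
from copy import deepcopy

MERGEABLE_FIELDS = ("Principal", "Resource", "Action")
NEVER_MERGED = ("NotPrincipal", "NotResource", "NotAction")
def as_list(value):
    return list(value) if isinstance(value, list) else [value]

def union_values(x, y):
    # Scalars/lists become one deduplicated list (a single element stays scalar);
    # Principal-style dicts such as {"AWS": [...]} are unioned key by key.
    if isinstance(x, dict) and isinstance(y, dict):
        return {k: union_values(x.get(k, []), y.get(k, [])) for k in sorted({*x, *y})}
    out = as_list(x)
    out += [v for v in as_list(y) if v not in out]
    return out[0] if len(out) == 1 else out

def can_merge(a, b, field):
    # Same Effect, no Sid on either side, identical apart from `field`. Assumption:
    # any statement using a Not* form is left untouched, as merging could widen it.
    if "Sid" in a or "Sid" in b or a.get("Effect") != b.get("Effect"):
        return False
    if any(k in a or k in b for k in NEVER_MERGED) or field not in a or field not in b:
        return False
    return {k: v for k, v in a.items() if k != field} == {k: v for k, v in b.items() if k != field}

def minimize(document):
    """Return a copy of `document` with statements merged until no rule applies."""
    stmts = deepcopy(as_list(document.get("Statement", [])))
    i = 0
    while i < len(stmts):
        for j in range(i + 1, len(stmts)):
            field = next((f for f in MERGEABLE_FIELDS if can_merge(stmts[i], stmts[j], f)), None)
            if field:
                stmts[i] = {**stmts[i], field: union_values(stmts[i][field], stmts[j][field])}
                del stmts[j]
                break  # re-scan statement i: the merged result may absorb more
        else:
            i += 1
    return {**document, "Statement": stmts}
# Constructed sample with placeholder ARNs (not from the page).
BUCKET = "arn:aws:s3:::example-bucket/*"
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET},           # merges with next
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET},
    {"Sid": "Keep", "Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET},  # Sid: kept
    {"Effect": "Deny", "NotAction": "s3:GetObject", "Resource": BUCKET},          # Not*: kept
    {"Effect": "Deny", "NotAction": "s3:GetObject", "Resource": "arn:aws:s3:::other-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "s3:GetObject", "Resource": BUCKET},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": "s3:GetObject", "Resource": BUCKET},
]}
```

Running `minimize(SAMPLE)` reduces seven statements to five: the two Allow statements collapse into one with both actions, the two principals collapse into one statement, and the Sid'd and NotAction statements are left exactly as written.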

Methods

add_statements(*statement)

Adds one or more statements to the policy document.

Parameters:

statement (PolicyStatement) – the statement(s) to add.

Return type:

None

resolve(context)

Produce the Token’s value at resolution time.

Parameters:

context (IResolveContext) –

Return type:

Any

to_json()

JSON-ify the document.

Used when JSON.stringify() is called on the document.

Return type:

Any

to_string()

Encode the policy document as a string.

Return type:

str

validate_for_any_policy()

Validate that all policy statements in the policy document satisfy the requirements for any policy.

Return type:

List[str]

Returns:

An array of validation error messages, or an empty array if the document is valid.

See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

validate_for_identity_policy()

Validate that all policy statements in the policy document satisfy the requirements for an identity-based policy.

Return type:

List[str]

Returns:

An array of validation error messages, or an empty array if the document is valid.

See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

validate_for_resource_policy()

Validate that all policy statements in the policy document satisfy the requirements for a resource-based policy.

Return type:

List[str]

Returns:

An array of validation error messages, or an empty array if the document is valid.

See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

Attributes

creation_stack

The creation stack of this resolvable which will be appended to errors thrown during resolution.

This may return an array with a single informational element indicating how to get this property populated, if it was skipped for performance reasons.

is_empty

Whether the policy document contains any statements.

statement_count

The number of statements already added to this policy.

Can be used, for example, to generate unique “sid”s within the policy.

Static Methods

classmethod from_json(obj)

Creates a new PolicyDocument based on the object provided.

This will accept an object created from the .toJSON() call (to_json() in this Python binding).

Parameters:

obj (Any) – the PolicyDocument in object form.

Return type:

PolicyDocument