PolicyStatement

class aws_cdk.aws_iam.PolicyStatement(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)

Bases: object

Represents a statement in an IAM policy document.

__init__(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)
Parameters
  • actions (Optional[List[str]]) – List of actions to add to the statement. Default: - no actions

  • conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: - no condition

  • effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW

  • not_actions (Optional[List[str]]) – List of not actions to add to the statement. Default: - no not-actions

  • not_principals (Optional[List[IPrincipal]]) – List of not principals to add to the statement. Default: - no not principals

  • not_resources (Optional[List[str]]) – NotResource ARNs to add to the statement. Default: - no not-resources

  • principals (Optional[List[IPrincipal]]) – List of principals to add to the statement. Default: - no principals

  • resources (Optional[List[str]]) – Resource ARNs to add to the statement. Default: - no resources

  • sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: - no sid

Return type

None

Methods

add_account_condition(account_id)

Add a condition that limits to a given account.

Parameters

account_id (str) –

Return type

None

add_account_root_principal()

Adds an AWS account root user principal to this policy statement.

Return type

None

add_actions(*actions)

Specify allowed actions into the “Action” section of the policy statement.

Parameters

actions (str) – actions that will be allowed.

See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html

Return type

None

add_all_resources()

Adds a "*" resource to this statement.

Return type

None

add_any_principal()

Adds all identities in all accounts (“*”) to this policy statement.

Return type

None

add_arn_principal(arn)

Specify a principal using the ARN identifier of the principal.

You cannot specify IAM groups and instance profiles as principals.

Parameters

arn (str) – ARN identifier of an AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name).

Return type

None

add_aws_account_principal(account_id)

Specify AWS account ID as the principal entity to the “Principal” section of a policy statement.

Parameters

account_id (str) –

Return type

None

add_canonical_user_principal(canonical_user_id)

Adds a canonical user ID principal to this policy document.

Parameters

canonical_user_id (str) – unique identifier assigned by AWS for every account.

Return type

None

add_condition(key, value)

Add a condition to the Policy.

Parameters
  • key (str) –

  • value (Any) –

Return type

None

add_conditions(conditions)

Add multiple conditions to the Policy.

Parameters

conditions (Mapping[str, Any]) –

Return type

None

add_federated_principal(federated, conditions)

Adds a federated identity provider such as Amazon Cognito to this policy statement.

Parameters
  • federated (Any) – federated identity provider (e.g. ‘cognito-identity.amazonaws.com’).

  • conditions (Mapping[str, Any]) – The conditions under which the policy is in effect. See the IAM documentation.

Return type

None

add_not_actions(*not_actions)

Explicitly allow all actions except the specified list of actions by adding them to the “NotAction” section of the policy statement.

Parameters

not_actions (str) – actions that will be denied. All other actions will be permitted.

See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html

Return type

None

add_not_principals(*not_principals)

Specify principals that are not allowed or denied access by adding them to the “NotPrincipal” section of a policy statement.

Parameters

not_principals (IPrincipal) – IAM principals that will be denied access.

See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

Return type

None

add_not_resources(*arns)

Specify resources that this policy statement does not apply to by adding them to the “NotResource” section of this policy statement.

All resources except the specified list will be matched.

Parameters

arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.

See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html

Return type

None

add_principals(*principals)

Adds principals to the “Principal” section of a policy statement.

Parameters

principals (IPrincipal) – IAM principals that will be added.

See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

Return type

None

add_resources(*arns)

Specify resources that this policy statement applies to by adding them to the “Resource” section of this policy statement.

Parameters

arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement applies to.

See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

Return type

None

add_service_principal(service, *, conditions=None, region=None)

Adds a service principal to this policy statement.

Parameters
  • service (str) – the service name for which a service principal is requested (e.g: s3.amazonaws.com).

  • conditions (Optional[Mapping[str, Any]]) – Additional conditions to add to the Service Principal. Default: - No conditions

  • region (Optional[str]) – The region in which the service is operating. Default: the current Stack’s region.

Return type

None

to_json()

JSON-ify the statement.

Used when JSON.stringify() is called.

Return type

Any

to_statement_json()

JSON-ify the policy statement.

Used when JSON.stringify() is called.

Return type

Any
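An added example, not part of the aws_cdk API or its documentation: a small review pass over the dict shape that to_statement_json() emits, flagging the broad grants several methods on this page can produce (add_any_principal, add_all_resources, and the NotAction/NotPrincipal/NotResource inversions combined with Effect.ALLOW). It needs no aws_cdk install; the sample document and its ARNs are constructed placeholders.

```python
from typing import Any, Dict, List

def _as_list(v: Any) -> List[Any]:
    """IAM accepts a bare string or a list for Action/Resource/Principal values."""
    return [] if v is None else (v if isinstance(v, list) else [v])

def _principal_is_wildcard(p: Any) -> bool:
    """add_any_principal() renders as "*"; ARN principals render as {"AWS": "<arn>"}."""
    if p == "*":
        return True
    return isinstance(p, dict) and "*" in _as_list(p.get("AWS"))

def lint_statement(stmt: Dict[str, Any]) -> List[str]:
    """Return findings for one statement; an empty list means nothing was flagged."""
    sid = stmt.get("Sid", "<no Sid>")
    if stmt.get("Effect", "Allow") != "Allow":
        return []  # Deny statements only narrow access; not reviewed here
    findings = []
    # The Not* elements invert the match: combined with Allow they grant
    # everything except what is listed, which is rarely what the author intended.
    for key in ("NotAction", "NotPrincipal", "NotResource"):
        if key in stmt:
            findings.append(f"{sid}: Allow + {key} matches everything except {_as_list(stmt[key])}")
    if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
        findings.append(f"{sid}: wildcard Action")
    if "*" in _as_list(stmt.get("Resource")):
        findings.append(f"{sid}: Resource '*' (add_all_resources)")
    if _principal_is_wildcard(stmt.get("Principal")) and "Condition" not in stmt:
        findings.append(f"{sid}: Principal '*' (add_any_principal) with no Condition")
    return findings

def lint_document(doc: Dict[str, Any]) -> List[str]:
    """Lint every statement in a policy document dict."""
    return [f for s in _as_list(doc.get("Statement")) for f in lint_statement(s)]

# Constructed sample document in the shape the CDK emits; the ARNs are placeholders.
SAMPLE_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOne", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-bucket/*"],
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"}},
        {"Sid": "AllButIam", "Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"},
        {"Sid": "Public", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*", "Principal": "*"},
    ],
}

if __name__ == "__main__":
    for line in lint_document(SAMPLE_DOC):
        print(line)
```

The same check can be run over the output of `json.loads` on a synthesized CloudFormation template's policy documents, since the statement dicts there have the identical shape.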

to_string()

String representation of this policy statement.

Return type

str

Attributes

effect

Whether to allow or deny the actions in this statement.

Return type

Effect

has_principal

Indicates if this permission has a “Principal” section.

Return type

bool

has_resource

Indicates if this permission has at least one resource associated with it.

Return type

bool

sid

Statement ID for this statement.

Return type

Optional[str]

Static Methods

classmethod from_json(obj)

Creates a new PolicyStatement based on the object provided.

This will accept an object created from the .toJSON() call.

Parameters

obj (Any) – the PolicyStatement in object form.

Return type

PolicyStatement