PolicyStatement

class aws_cdk.aws_iam.PolicyStatement(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)

Bases: object

Represents a statement in an IAM policy document.

- Parameters
  - actions (Optional[Sequence[str]]) – List of actions to add to the statement. Default: no actions
  - conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: no conditions
  - effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW
  - not_actions (Optional[Sequence[str]]) – List of not-actions to add to the statement. Default: no not-actions
  - not_principals (Optional[Sequence[IPrincipal]]) – List of not-principals to add to the statement. Default: no not-principals
  - not_resources (Optional[Sequence[str]]) – NotResource ARNs to add to the statement. Default: no not-resources
  - principals (Optional[Sequence[IPrincipal]]) – List of principals to add to the statement. Default: no principals
  - resources (Optional[Sequence[str]]) – Resource ARNs to add to the statement. Default: no resources
  - sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: no sid
Methods

- add_account_condition(account_id)
  Add a condition that limits the statement to a given account.
  - Parameters
    - account_id (str)
  - Return type
    None

- add_account_root_principal()
  Adds an AWS account root user principal to this policy statement.
  - Return type
    None

- add_actions(*actions)
  Specify allowed actions in the “Action” section of the policy statement.
  - Parameters
    - actions (str) – actions that will be allowed.
  - See
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html
  - Return type
    None

- add_all_resources()
  Adds a "*" resource to this statement.
  - Return type
    None

- add_any_principal()
  Adds all identities in all accounts (“*”) to this policy statement.
  - Return type
    None

- add_arn_principal(arn)
  Specify a principal using the ARN identifier of the principal.
  You cannot specify IAM groups and instance profiles as principals.
  - Parameters
    - arn (str) – ARN identifier of an AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name).
  - Return type
    None

- add_aws_account_principal(account_id)
  Specify an AWS account ID as the principal entity in the “Principal” section of a policy statement.
  - Parameters
    - account_id (str)
  - Return type
    None

- add_canonical_user_principal(canonical_user_id)
  Adds a canonical user ID principal to this policy document.
  - Parameters
    - canonical_user_id (str) – unique identifier assigned by AWS for every account.
  - Return type
    None

- add_condition(key, value)
  Add a condition to the Policy.
  - Parameters
    - key (str)
    - value (Any)
  - Return type
    None

- add_conditions(conditions)
  Add multiple conditions to the Policy.
  - Parameters
    - conditions (Mapping[str, Any])
  - Return type
    None
- add_federated_principal(federated, conditions)
  Adds a federated identity provider such as Amazon Cognito to this policy statement.
  - Parameters
    - federated (Any) – federated identity provider (e.g. ‘cognito-identity.amazonaws.com’).
    - conditions (Mapping[str, Any]) – The conditions under which the policy is in effect. See the IAM documentation.
  - Return type
    None

- add_not_actions(*not_actions)
  Explicitly allow all actions except the specified list of actions, via the “NotAction” section of the policy document.
  - Parameters
    - not_actions (str) – actions that will be denied. All other actions will be permitted.
  - See
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
  - Return type
    None

- add_not_principals(*not_principals)
  Specify principals that are not allowed or denied access, in the “NotPrincipal” section of a policy statement.
  - Parameters
    - not_principals (IPrincipal) – IAM principals that will be denied access.
  - See
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
  - Return type
    None

- add_not_resources(*arns)
  Specify resources that this policy statement will not apply to, in the “NotResource” section of this policy statement.
  All resources except the specified list will be matched.
  - Parameters
    - arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.
  - See
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
  - Return type
    None

- add_principals(*principals)
  Adds principals to the “Principal” section of a policy statement.
  - Parameters
    - principals (IPrincipal) – IAM principals that will be added.
  - See
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
  - Return type
    None

- add_resources(*arns)
  Specify resources that this policy statement applies to, in the “Resource” section of this policy statement.
  - Parameters
    - arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement applies to.
  - See
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html
  - Return type
    None

- add_service_principal(service, *, conditions=None, region=None)
  Adds a service principal to this policy statement.
  - Parameters
    - service (str) – the service name for which a service principal is requested (e.g. s3.amazonaws.com).
    - conditions (Optional[Mapping[str, Any]]) – Additional conditions to add to the Service Principal. Default: no conditions
    - region (Optional[str]) – The region in which the service is operating. Default: the current Stack’s region.
  - Return type
    None
- to_json()
  JSON-ify the statement.
  Used when JSON.stringify() is called.
  - Return type
    Any

- to_statement_json()
  JSON-ify the policy statement.
  Used when JSON.stringify() is called.
  - Return type
    Any

- to_string()
  String representation of this policy statement.
  - Return type
    str

- validate_for_any_policy()
  Validate that the policy statement satisfies base requirements for a policy.
  - Return type
    List[str]

- validate_for_identity_policy()
  Validate that the policy statement satisfies all requirements for an identity-based policy.
  - Return type
    List[str]

- validate_for_resource_policy()
  Validate that the policy statement satisfies all requirements for a resource-based policy.
  - Return type
    List[str]
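The validate_for_* methods above check that a statement is well-formed for its policy kind; they say nothing about whether it is over-broad. The following is an added example, not part of the CDK documentation or the CDK project: a small reviewer-side lint that runs over the plain dict shape to_json() emits (and from_json() accepts) and flags the usual least-privilege problems in Allow statements: wildcard actions on wildcard resources, NotAction/NotResource/NotPrincipal in an Allow, an unconditioned "*" principal, and a missing Sid. The policy document below is a constructed input with placeholder ARNs, and no aws_cdk import is needed.

```python
# Added example, not aws_cdk code: least-privilege lint over the dict shape that
# PolicyStatement.to_json() produces. Sample document is constructed; ARNs are placeholders.
from typing import Any, Dict, List, Union


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """to_json() collapses a one-element list to a bare string; undo that here."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principal_values(principal: Union[str, Dict[str, Any], None]) -> List[str]:
    """Flatten "Principal": "*" or {"AWS": [...], "Service": [...], "Federated": [...]}."""
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    values: List[str] = []
    for entry in principal.values():
        values.extend(_as_list(entry))
    return values


def lint_statement(stmt: Dict[str, Any]) -> List[str]:
    """Findings for one statement. Deny statements only narrow access, so they get none."""
    sid = stmt.get("Sid", "<no Sid>")
    findings: List[str] = []
    if stmt.get("Effect", "Allow") != "Allow":
        return findings
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    principals = _principal_values(stmt.get("Principal"))
    if "*" in actions and "*" in resources:
        findings.append(f"{sid}: Action '*' on Resource '*' grants full access")
    elif any(a == "*" or a.endswith(":*") for a in actions):
        findings.append(f"{sid}: wildcard action(s) {sorted(a for a in actions if '*' in a)}")
    if "NotAction" in stmt:
        findings.append(f"{sid}: Allow with NotAction grants every action not listed, including ones added later")
    if "NotResource" in stmt:
        findings.append(f"{sid}: Allow with NotResource applies to every resource not listed")
    if "*" in principals and not stmt.get("Condition"):
        findings.append(f"{sid}: Principal '*' with no Condition makes this statement public")
    if "NotPrincipal" in stmt:
        findings.append(f"{sid}: Allow with NotPrincipal grants access to every identity not listed")
    if "Sid" not in stmt:
        findings.append(f"{sid}: missing Sid makes the statement hard to reference in review")
    return findings


def lint_document(doc: Dict[str, Any]) -> List[str]:
    """Lint every statement of a policy document; "Statement" may be one dict or a list."""
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings: List[str] = []
    for stmt in statements:
        findings.extend(lint_statement(stmt))
    return findings


# Constructed sample document: one tight statement, three over-broad ones, one Deny.
SAMPLE_DOCUMENT: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/reports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in lint_document(SAMPLE_DOCUMENT):
        print(finding)
```

Because the lint consumes the same dict shape that to_json() emits, it can be run on a synthesized template as easily as on a hand-written document; the _as_list() helper is what keeps it correct when a one-element list has been collapsed to a string.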
Attributes

- has_principal
  Indicates if this permission has a “Principal” section.
  - Return type
    bool

- has_resource
  Indicates if this permission has at least one resource associated with it.
  - Return type
    bool

- sid
  Statement ID for this statement.
  - Return type
    Optional[str]
Static Methods

- classmethod from_json(obj)
  Creates a new PolicyStatement based on the object provided.
  This will accept an object created from the .toJSON() call.
  - Parameters
    - obj (Any) – the PolicyStatement in object form.
  - Return type