PolicyStatement¶

class aws_cdk.aws_iam.PolicyStatement(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)¶

Bases: object

Represents a statement in an IAM policy document.

Parameters

actions (Optional[List[str]]) – List of actions to add to the statement. Default: - no actions
conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: - no condition
effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW
not_actions (Optional[List[str]]) – List of not actions to add to the statement. Default: - no not-actions
not_principals (Optional[List[IPrincipal]]) – List of not principals to add to the statement. Default: - no not principals
not_resources (Optional[List[str]]) – NotResource ARNs to add to the statement. Default: - no not-resources
principals (Optional[List[IPrincipal]]) – List of principals to add to the statement. Default: - no principals
resources (Optional[List[str]]) – Resource ARNs to add to the statement. Default: - no resources
sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: - no sid

Methods

add_account_condition(account_id)¶

Add a condition that limits to a given account.

Parameters

account_id (str) –

Return type

None

add_account_root_principal()¶

Adds an AWS account root user principal to this policy statement.

Return type: None

add_actions(*actions)¶

Specify allowed actions into the “Action” section of the policy statement.

Parameters: actions (str) – actions that will be allowed.
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html
Return type: None

add_all_resources()¶

Adds a "*" resource to this statement.

Return type: None

add_any_principal()¶

Adds all identities in all accounts (“*”) to this policy statement.

Return type: None

add_arn_principal(arn)¶

Specify a principal using the ARN identifier of the principal.

You cannot specify IAM groups and instance profiles as principals.

Parameters: arn (str) – ARN identifier of AWS account, IAM user, or IAM role (i.e. arn:aws:iam::123456789012:user/user-name).
Return type: None

add_aws_account_principal(account_id)¶

Specify AWS account ID as the principal entity to the “Principal” section of a policy statement.

Parameters

account_id (str) –

Return type

None

add_canonical_user_principal(canonical_user_id)¶

Adds a canonical user ID principal to this policy document.

Parameters: canonical_user_id (str) – unique identifier assigned by AWS for every account.
Return type: None

add_condition(key, value)¶

Add a condition to the Policy.

Parameters

key (str) –
value (Any) –

Return type

None

add_conditions(conditions)¶

Add multiple conditions to the Policy.

Parameters

conditions (Mapping[str, Any]) –

Return type

None

add_federated_principal(federated, conditions)¶

Adds a federated identity provider such as Amazon Cognito to this policy statement.

Parameters

federated (Any) – federated identity provider (i.e. ‘cognito-identity.amazonaws.com’).
conditions (Mapping[str, Any]) – The conditions under which the policy is in effect. See the IAM documentation.

Return type

None

add_not_actions(*not_actions)¶

Explicitly allow all actions except the specified list of actions into the “NotAction” section of the policy document.

Parameters: not_actions (str) – actions that will be denied. All other actions will be permitted.
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
Return type: None

add_not_principals(*not_principals)¶

Specify principals that is not allowed or denied access to the “NotPrincipal” section of a policy statement.

Parameters: not_principals (IPrincipal) – IAM principals that will be denied access.
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
Return type: None

add_not_resources(*arns)¶

Specify resources that this policy statement will not apply to in the “NotResource” section of this policy statement.

All resources except the specified list will be matched.

Parameters: arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
Return type: None

add_principals(*principals)¶

Adds principals to the “Principal” section of a policy statement.

Parameters: principals (IPrincipal) – IAM principals that will be added.
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
Return type: None

add_resources(*arns)¶

Specify resources that this policy statement applies into the “Resource” section of this policy statement.

Parameters: arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement applies to.
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html
Return type: None

add_service_principal(service, *, conditions=None, region=None)¶

Adds a service principal to this policy statement.

Parameters

service (str) – the service name for which a service principal is requested (e.g: s3.amazonaws.com).
conditions (Optional[Mapping[str, Any]]) – Additional conditions to add to the Service Principal. Default: - No conditions
region (Optional[str]) – The region in which the service is operating. Default: the current Stack’s region.

Return type

None

to_json()¶

JSON-ify the statement.

Used when JSON.stringify() is called

Return type: Any

to_statement_json()¶

JSON-ify the policy statement.

Used when JSON.stringify() is called

Return type: Any

to_string()¶

String representation of this policy statement.

Return type: str

validate_for_any_policy()¶

Validate that the policy statement satisfies base requirements for a policy.

Return type: List[str]

validate_for_identity_policy()¶

Validate that the policy statement satisfies all requirements for an identity-based policy.

Return type: List[str]

validate_for_resource_policy()¶

Validate that the policy statement satisfies all requirements for a resource-based policy.

Return type: List[str]

Attributes

effect¶

Whether to allow or deny the actions in this statement.

Return type: Effect

has_principal¶

Indicates if this permission has a “Principal” section.

Return type: bool

has_resource¶

Indicates if this permission as at least one resource associated with it.

Return type: bool

sid¶

Statement ID for this statement.

Return type: Optional[str]

Static Methods

classmethod from_json(obj)¶

Creates a new PolicyStatement based on the object provided.

This will accept an object created from the .toJSON() call

Parameters: obj (Any) – the PolicyStatement in object form.
Return type: PolicyStatement