class PolicyStatement
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.IAM.PolicyStatement |
Java | software.amazon.awscdk.services.iam.PolicyStatement |
Python | aws_cdk.aws_iam.PolicyStatement |
TypeScript (source) | @aws-cdk/aws-iam » PolicyStatement |
Represents a statement in an IAM policy document.
Example
import * as ec2 from '@aws-cdk/aws-ec2';
import * as iam from '@aws-cdk/aws-iam';

// Add gateway endpoints when creating the VPC
const vpc = new ec2.Vpc(this, 'MyVpc', {
  gatewayEndpoints: {
    S3: {
      service: ec2.GatewayVpcEndpointAwsService.S3,
    },
  },
});

// Alternatively, gateway endpoints can be added on the VPC
const dynamoDbEndpoint = vpc.addGatewayEndpoint('DynamoDbEndpoint', {
  service: ec2.GatewayVpcEndpointAwsService.DYNAMODB,
});

// This allows the endpoint policy to be customized
dynamoDbEndpoint.addToPolicy(
  new iam.PolicyStatement({ // Restrict to listing and describing tables
    principals: [new iam.AnyPrincipal()],
    actions: ['dynamodb:DescribeTable', 'dynamodb:ListTables'],
    resources: ['*'],
  }));

// Add an interface endpoint
vpc.addInterfaceEndpoint('EcrDockerEndpoint', {
  service: ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,

  // Uncomment the following to allow more fine-grained control over
  // who can access the endpoint via the '.connections' object.
  // open: false
});
Initializer
new PolicyStatement(props?: PolicyStatementProps)
Parameters
- props: PolicyStatementProps
Properties
Name | Type | Description |
---|---|---|
actions | string[] | The Actions added to this statement. |
conditions | any | The conditions added to this statement. |
effect | Effect | Whether to allow or deny the actions in this statement. |
hasPrincipal | boolean | Indicates if this permission has a "Principal" section. |
hasResource | boolean | Indicates if this permission has at least one resource associated with it. |
notActions | string[] | The NotActions added to this statement. |
notPrincipals | IPrincipal[] | The NotPrincipals added to this statement. |
notResources | string[] | The NotResources added to this statement. |
principals | IPrincipal[] | The Principals added to this statement. |
resources | string[] | The Resources added to this statement. |
sid? | string | Statement ID for this statement. |
actions
Type:
string[]
The Actions added to this statement.
conditions
Type:
any
The conditions added to this statement.
effect
Type:
Effect
Whether to allow or deny the actions in this statement.
hasPrincipal
Type:
boolean
Indicates if this permission has a "Principal" section.
hasResource
Type:
boolean
Indicates if this permission has at least one resource associated with it.
notActions
Type:
string[]
The NotActions added to this statement.
notPrincipals
Type:
IPrincipal[]
The NotPrincipals added to this statement.
notResources
Type:
string[]
The NotResources added to this statement.
principals
Type:
IPrincipal[]
The Principals added to this statement.
resources
Type:
string[]
The Resources added to this statement.
sid?
Type:
string
(optional)
Statement ID for this statement.
Methods
Name | Description |
---|---|
addAccountCondition(accountId) | Add a condition that limits to a given account. |
addAccountRootPrincipal() | Adds an AWS account root user principal to this policy statement. |
addActions(...actions) | Specify allowed actions in the "Action" section of the policy statement. |
addAllResources() | Adds a "*" resource to this statement. |
addAnyPrincipal() | Adds all identities in all accounts ("*") to this policy statement. |
addArnPrincipal(arn) | Specify a principal using the ARN identifier of the principal. |
addAwsAccountPrincipal(accountId) | Specify an AWS account ID as the principal entity in the "Principal" section of a policy statement. |
addCanonicalUserPrincipal(canonicalUserId) | Adds a canonical user ID principal to this policy document. |
addCondition(key, value) | Add a condition to the Policy. |
addConditions(conditions) | Add multiple conditions to the Policy. |
addFederatedPrincipal(federated, conditions) | Adds a federated identity provider such as Amazon Cognito to this policy statement. |
addNotActions(...notActions) | Explicitly allow all actions except the specified list of actions in the "NotAction" section of the policy document. |
addNotPrincipals(...notPrincipals) | Specify principals that are not allowed or denied access in the "NotPrincipal" section of a policy statement. |
addNotResources(...arns) | Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement. |
addPrincipals(...principals) | Adds principals to the "Principal" section of a policy statement. |
addResources(...arns) | Specify resources that this policy statement applies to in the "Resource" section of this policy statement. |
addServicePrincipal(service, opts?) | Adds a service principal to this policy statement. |
copy(overrides?) | Create a new PolicyStatement with the same exact properties as this one, except for the overrides. |
toJSON() | JSON-ify the statement. |
toStatementJson() | JSON-ify the policy statement. |
toString() | String representation of this policy statement. |
validateForAnyPolicy() | Validate that the policy statement satisfies base requirements for a policy. |
validateForIdentityPolicy() | Validate that the policy statement satisfies all requirements for an identity-based policy. |
validateForResourcePolicy() | Validate that the policy statement satisfies all requirements for a resource-based policy. |
static fromJson(obj) | Creates a new PolicyStatement based on the object provided. |
addAccountCondition(accountId)
public addAccountCondition(accountId: string): void
Parameters
- accountId: string
Add a condition that limits to a given account.
This method can only be called once: subsequent calls will overwrite earlier calls.
addAccountRootPrincipal()
public addAccountRootPrincipal(): void
Adds an AWS account root user principal to this policy statement.
addActions(...actions)
public addActions(...actions: string[]): void
Parameters
- actions: string — actions that will be allowed.
Specify allowed actions in the "Action" section of the policy statement.
See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html
addAllResources()
public addAllResources(): void
Adds a "*" resource to this statement.
addAnyPrincipal()
public addAnyPrincipal(): void
Adds all identities in all accounts ("*") to this policy statement.
addArnPrincipal(arn)
public addArnPrincipal(arn: string): void
Parameters
- arn: string — ARN identifier of an AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name).
Specify a principal using the ARN identifier of the principal.
You cannot specify IAM groups and instance profiles as principals.
addAwsAccountPrincipal(accountId)
public addAwsAccountPrincipal(accountId: string): void
Parameters
- accountId: string
Specify an AWS account ID as the principal entity in the "Principal" section of a policy statement.
addCanonicalUserPrincipal(canonicalUserId)
public addCanonicalUserPrincipal(canonicalUserId: string): void
Parameters
- canonicalUserId: string — unique identifier assigned by AWS for every account.
Adds a canonical user ID principal to this policy document.
addCondition(key, value)
public addCondition(key: string, value: any): void
Parameters
- key: string
- value: any
Add a condition to the Policy.
If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:
declare const stmt: iam.PolicyStatement;
stmt.addCondition('StringEquals', { 'aws:SomeField': '1' });
stmt.addCondition('StringEquals', { 'aws:SomeField': '2' });
will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.
If you meant to add a condition to say that the field can be either 1 or 2, write this:
declare const stmt: iam.PolicyStatement;
stmt.addCondition('StringEquals', { 'aws:SomeField': ['1', '2'] });
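The overwrite-versus-array distinction described above, modelled as an added stand-alone example. This is not the CDK library's own code: the `Conditions` type, the merge rule inside `addCondition`, the convenience helper `addConditionValues` and the evaluator `stringEqualsMatches` are all assumptions made here, and the request context is constructed.

```typescript
// Added example modelling the documented addCondition() caveat. This is not
// @aws-cdk/aws-iam code: the merge rule below is an assumption that matches
// the description ("same operator and field: only the last one wins").
type ConditionValue = string | string[];
type ConditionFields = { [field: string]: ConditionValue };
type Conditions = { [operator: string]: ConditionFields };

// Merge at the operator level, then overwrite field by field.
function addCondition(conditions: Conditions, operator: string, value: ConditionFields): Conditions {
  const existing: ConditionFields = conditions[operator] || {};
  const merged: ConditionFields = {};
  Object.keys(existing).forEach(f => { merged[f] = existing[f]; });
  Object.keys(value).forEach(f => { merged[f] = value[f]; });
  conditions[operator] = merged;
  return conditions;
}

// Hypothetical helper (not in the CDK API) that accumulates values for one
// field into the array form the documentation recommends for "either 1 or 2".
function addConditionValues(conditions: Conditions, operator: string, field: string, ...values: string[]): Conditions {
  const current = conditions[operator] ? conditions[operator][field] : undefined;
  const list: string[] = current === undefined ? [] : ([] as string[]).concat(current);
  values.forEach(v => { if (list.indexOf(v) === -1) list.push(v); });
  const fields: ConditionFields = {};
  fields[field] = list;
  return addCondition(conditions, operator, fields);
}

// Evaluates only the StringEquals operator: every listed field must be present
// in the request context and equal to one of the allowed values.
function stringEqualsMatches(conditions: Conditions, context: { [field: string]: string }): boolean {
  const block: ConditionFields = conditions['StringEquals'] || {};
  return Object.keys(block).every(field => {
    const actual = context[field];
    if (actual === undefined) return false;
    return ([] as string[]).concat(block[field]).indexOf(actual) !== -1;
  });
}

// Two calls with the same operator and field: the second replaces the first.
function overwriteDemo(): Conditions {
  const c: Conditions = {};
  addCondition(c, 'StringEquals', { 'aws:SomeField': '1' });
  addCondition(c, 'StringEquals', { 'aws:SomeField': '2' });
  return c; // { StringEquals: { 'aws:SomeField': '2' } }
}

// Accumulating into an array keeps both values.
function arrayDemo(): Conditions {
  const c: Conditions = {};
  addConditionValues(c, 'StringEquals', 'aws:SomeField', '1');
  addConditionValues(c, 'StringEquals', 'aws:SomeField', '2');
  return c; // { StringEquals: { 'aws:SomeField': ['1', '2'] } }
}

// Constructed request context, as a policy evaluator would see it.
const sampleContext = { 'aws:SomeField': '1' };
console.log(stringEqualsMatches(overwriteDemo(), sampleContext)); // false
console.log(stringEqualsMatches(arrayDemo(), sampleContext));     // true
```

The second run of `overwriteDemo` is the failure mode to watch for in review: a condition that was meant to widen access to two values silently narrows it to the last one, and a request carrying the first value is no longer matched.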
addConditions(conditions)
public addConditions(conditions: { [string]: any }): void
Parameters
- conditions: { [string]: any }
Add multiple conditions to the Policy.
See the addCondition function for a caveat on calling this method multiple times.
addFederatedPrincipal(federated, conditions)
public addFederatedPrincipal(federated: any, conditions: { [string]: any }): void
Parameters
- federated: any — federated identity provider (e.g. 'cognito-identity.amazonaws.com').
- conditions: { [string]: any } — the conditions under which the policy is in effect.
Adds a federated identity provider such as Amazon Cognito to this policy statement.
addNotActions(...notActions)
public addNotActions(...notActions: string[]): void
Parameters
- notActions: string — actions that will be denied.
Explicitly allow all actions except the specified list of actions in the "NotAction" section of the policy document.
See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
addNotPrincipals(...notPrincipals)
public addNotPrincipals(...notPrincipals: IPrincipal[]): void
Parameters
- notPrincipals: IPrincipal — IAM principals that will be denied access.
Specify principals that are not allowed or denied access in the "NotPrincipal" section of a policy statement.
See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
addNotResources(...arns)
public addNotResources(...arns: string[]): void
Parameters
- arns: string — Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.
Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.
All resources except the specified list will be matched.
See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
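The reach of the NotAction and NotResource elements described in the two sections above is easier to judge with a matcher in hand. The following is an added example and not part of @aws-cdk/aws-iam: `StatementElements`, `globMatch`, `anyMatch`, `statementApplies` and `coveredRequests` are names chosen here, the wildcard and case-sensitivity rules are stated assumptions, and the statements, bucket name, account ID and requests are constructed.

```typescript
// Added example (not part of @aws-cdk/aws-iam): a small matcher for the
// Action/NotAction and Resource/NotResource elements of one statement, to
// show how far a NotAction or NotResource statement actually reaches.
interface StatementElements {
  actions?: string[];
  notActions?: string[];
  resources?: string[];
  notResources?: string[];
}

// IAM-style wildcard: '*' matches any run of characters and '?' exactly one.
// Assumption used here: action names compare case-insensitively, ARNs exactly.
function globMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$', ignoreCase ? 'i' : '').test(value);
}

function anyMatch(patterns: string[] | undefined, value: string, ignoreCase: boolean): boolean {
  return (patterns || []).some(p => globMatch(p, value, ignoreCase));
}

// True when the statement's action and resource elements cover the request.
// A NotAction element covers every action *except* the listed ones, and
// NotResource covers every ARN except the listed ones.
function statementApplies(stmt: StatementElements, action: string, resourceArn: string): boolean {
  let actionCovered = false;
  if (stmt.actions !== undefined) {
    actionCovered = anyMatch(stmt.actions, action, true);
  } else if (stmt.notActions !== undefined) {
    actionCovered = !anyMatch(stmt.notActions, action, true);
  }
  let resourceCovered = false;
  if (stmt.resources !== undefined) {
    resourceCovered = anyMatch(stmt.resources, resourceArn, false);
  } else if (stmt.notResources !== undefined) {
    resourceCovered = !anyMatch(stmt.notResources, resourceArn, false);
  }
  return actionCovered && resourceCovered;
}

// Lists which of a set of sample requests a statement covers; handy when
// reviewing a NotAction statement before it is deployed.
function coveredRequests(stmt: StatementElements, requests: Array<[string, string]>): string[] {
  return requests.filter(r => statementApplies(stmt, r[0], r[1])).map(r => r[0]);
}

// Constructed sample statements (bucket name and account ID are placeholders).
const readOnlyBucket: StatementElements = {
  actions: ['s3:Get*', 's3:ListBucket'],
  resources: ['arn:aws:s3:::example-bucket', 'arn:aws:s3:::example-bucket/*'],
};
const allButIam: StatementElements = {
  notActions: ['iam:*', 'organizations:*'],
  resources: ['*'],
};
const sampleRequests: Array<[string, string]> = [
  ['s3:GetObject', 'arn:aws:s3:::example-bucket/report.csv'],
  ['s3:PutObject', 'arn:aws:s3:::example-bucket/report.csv'],
  ['ec2:TerminateInstances', 'arn:aws:ec2:us-east-1:123456789012:instance/i-0abc'],
  ['iam:CreateUser', 'arn:aws:iam::123456789012:user/new-user'],
];
console.log(coveredRequests(readOnlyBucket, sampleRequests)); // ['s3:GetObject']
console.log(coveredRequests(allButIam, sampleRequests));      // ['s3:GetObject', 's3:PutObject', 'ec2:TerminateInstances']
```

The second result is the point: an Allow statement built with `addNotActions` covers every action the list does not name, including ones that did not exist when the policy was written, so it is the opposite of least privilege unless that breadth is intended.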
addPrincipals(...principals)
public addPrincipals(...principals: IPrincipal[]): void
Parameters
- principals: IPrincipal — IAM principals that will be added.
Adds principals to the "Principal" section of a policy statement.
See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
addResources(...arns)
public addResources(...arns: string[]): void
Parameters
- arns: string — Amazon Resource Names (ARNs) of the resources that this policy statement applies to.
Specify resources that this policy statement applies to in the "Resource" section of this policy statement.
See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html
addServicePrincipal(service, opts?)
public addServicePrincipal(service: string, opts?: ServicePrincipalOpts): void
Parameters
- service: string — the service name for which a service principal is requested (e.g. s3.amazonaws.com).
- opts: ServicePrincipalOpts — options for adding the service principal (such as specifying a principal in a different region).
Adds a service principal to this policy statement.
copy(overrides?)
public copy(overrides?: PolicyStatementProps): PolicyStatement
Parameters
- overrides: PolicyStatementProps
Returns
PolicyStatement
Create a new PolicyStatement with the same exact properties as this one, except for the overrides.
toJSON()
public toJSON(): any
Returns
any
JSON-ify the statement.
Used when JSON.stringify() is called.
toStatementJson()
public toStatementJson(): any
Returns
any
JSON-ify the policy statement.
Used when JSON.stringify() is called.
toString()
public toString(): string
Returns
string
String representation of this policy statement.
validateForAnyPolicy()
public validateForAnyPolicy(): string[]
Returns
string[]
Validate that the policy statement satisfies base requirements for a policy.
validateForIdentityPolicy()
public validateForIdentityPolicy(): string[]
Returns
string[]
Validate that the policy statement satisfies all requirements for an identity-based policy.
validateForResourcePolicy()
public validateForResourcePolicy(): string[]
Returns
string[]
Validate that the policy statement satisfies all requirements for a resource-based policy.
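The three validate methods above are easiest to understand side by side. The following is an added example and not the CDK library's own code: it runs over the plain-object form of a statement, the `StatementJson` type and the function names are chosen here, the validation rules are assumptions stated in the comments rather than a quotation of the library's checks, and the sample statements, bucket name and account ID are constructed.

```typescript
// Added example, not @aws-cdk/aws-iam code: a stand-alone model of the three
// validate* methods run over the plain-object form of a statement. The rules
// are assumptions stated in the comments, not a quotation of the library.
type ElementValue = string | string[] | { [key: string]: unknown } | undefined;

interface StatementJson {
  Effect: 'Allow' | 'Deny';
  Sid?: string;
  Action?: ElementValue;
  NotAction?: ElementValue;
  Resource?: ElementValue;
  NotResource?: ElementValue;
  Principal?: ElementValue;
  NotPrincipal?: ElementValue;
  Condition?: ElementValue;
}

// A missing element, an empty string, an empty array or an empty object all
// count as "not specified".
function isEmpty(v: ElementValue): boolean {
  if (v === undefined) return true;
  if (typeof v === 'string') return v.length === 0;
  if (Array.isArray(v)) return v.length === 0;
  return Object.keys(v).length === 0;
}

// Base requirement assumed for any policy: at least one Action or NotAction.
function validateForAnyPolicy(s: StatementJson): string[] {
  const errors: string[] = [];
  if (isEmpty(s.Action) && isEmpty(s.NotAction)) {
    errors.push('statement needs at least one Action or NotAction');
  }
  return errors;
}

// Identity-based policies are attached to a principal, so the statement must
// not name one, and it must scope itself with Resource or NotResource.
function validateForIdentityPolicy(s: StatementJson): string[] {
  const errors = validateForAnyPolicy(s);
  if (!isEmpty(s.Principal) || !isEmpty(s.NotPrincipal)) {
    errors.push('identity-based statement must not specify Principal or NotPrincipal');
  }
  if (isEmpty(s.Resource) && isEmpty(s.NotResource)) {
    errors.push('identity-based statement needs at least one Resource or NotResource');
  }
  return errors;
}

// Resource-based policies are attached to the resource, so the statement must
// say who it applies to.
function validateForResourcePolicy(s: StatementJson): string[] {
  const errors = validateForAnyPolicy(s);
  if (isEmpty(s.Principal) && isEmpty(s.NotPrincipal)) {
    errors.push('resource-based statement needs at least one Principal or NotPrincipal');
  }
  return errors;
}

// Constructed samples (the bucket name and account ID are placeholders).
const identityStatement: StatementJson = {
  Effect: 'Allow',
  Action: ['s3:GetObject'],
  Resource: 'arn:aws:s3:::example-bucket/*',
};
const bucketPolicyStatement: StatementJson = {
  Effect: 'Allow',
  Principal: { AWS: 'arn:aws:iam::123456789012:role/reader' },
  Action: ['s3:GetObject'],
  Resource: 'arn:aws:s3:::example-bucket/*',
};
const incomplete: StatementJson = { Effect: 'Deny', Principal: '*' };

console.log(validateForIdentityPolicy(identityStatement));     // []
console.log(validateForResourcePolicy(identityStatement));     // one error: no principal
console.log(validateForIdentityPolicy(bucketPolicyStatement)); // one error: principal present
console.log(validateForIdentityPolicy(incomplete));            // three errors
```

Running the identity-policy check on a statement meant for a bucket policy (and vice versa) is a cheap way to catch a statement that was built for the wrong attachment point before it is synthesized.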
static fromJson(obj)
public static fromJson(obj: any): PolicyStatement
Parameters
- obj: any — the PolicyStatement in object form.
Returns
PolicyStatement
Creates a new PolicyStatement based on the object provided.
This will accept an object created from the .toJSON() call.