Class LazyRoleProps
Properties for defining a LazyRole.
Inheritance
Namespace: Amazon.CDK.AWS.IAM
Assembly: Amazon.CDK.AWS.IAM.dll
Syntax (csharp)
public class LazyRoleProps : Object, ILazyRoleProps, IRoleProps
Syntax (vb)
Public Class LazyRoleProps
Inherits Object
Implements ILazyRoleProps, IRoleProps
Examples
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
using System.Collections.Generic;
using Amazon.CDK.AWS.IAM;
using Amazon.CDK;

ManagedPolicy managedPolicy;
PolicyDocument policyDocument;
IPrincipal principal;

var lazyRoleProps = new LazyRoleProps {
    AssumedBy = principal,

    // the properties below are optional
    Description = "description",
    ExternalId = "externalId",
    ExternalIds = new [] { "externalIds" },
    InlinePolicies = new Dictionary<string, PolicyDocument> {
        { "inlinePoliciesKey", policyDocument }
    },
    ManagedPolicies = new [] { managedPolicy },
    // must be between 1 and 12 hours (see MaxSessionDuration below)
    MaxSessionDuration = Duration.Hours(1),
    Path = "path",
    PermissionsBoundary = managedPolicy,
    RoleName = "roleName"
};
Synopsis
Constructors
LazyRoleProps() |
Properties
AssumedBy | The IAM principal (i.e. new ServicePrincipal('sns.amazonaws.com')) which can assume this role. |
Description | A description of the role. |
ExternalId | (deprecated) ID that the role assumer needs to provide when assuming this role. |
ExternalIds | List of IDs that the role assumer needs to provide one of when assuming this role. |
InlinePolicies | A list of named policies to inline into this role. |
ManagedPolicies | A list of managed policies associated with this role. |
MaxSessionDuration | The maximum session duration that you want to set for the specified role. |
Path | The path associated with this role. |
PermissionsBoundary | AWS supports permissions boundaries for IAM entities (users or roles). |
RoleName | A name for the IAM role. |
Constructors
LazyRoleProps()
public LazyRoleProps()
Properties
AssumedBy
The IAM principal (i.e. new ServicePrincipal('sns.amazonaws.com')) which can assume this role.
public IPrincipal AssumedBy { get; set; }
Property Value
IPrincipal
Remarks
You can later modify the assume role policy document by accessing it via the assumeRolePolicy property.
Description
A description of the role.
public string Description { get; set; }
Property Value
System.String
Remarks
It can be up to 1000 characters long.
Default: - No description.
ExternalId
(deprecated) ID that the role assumer needs to provide when assuming this role.
public string ExternalId { get; set; }
Property Value
System.String
Remarks
If the configured and provided external IDs do not match, the AssumeRole operation will fail.
Default: No external ID required
Stability: Deprecated
ExternalIds
List of IDs that the role assumer needs to provide one of when assuming this role.
public string[] ExternalIds { get; set; }
Property Value
System.String[]
Remarks
If the configured and provided external IDs do not match, the AssumeRole operation will fail.
Default: No external ID required
InlinePolicies
A list of named policies to inline into this role.
public IDictionary<string, PolicyDocument> InlinePolicies { get; set; }
Property Value
System.Collections.Generic.IDictionary<System.String, PolicyDocument>
Remarks
These policies will be created with the role, whereas those added by addToPolicy are added using a separate CloudFormation resource (allowing a way around circular dependencies that could otherwise be introduced).
Default: - No policy is inlined in the Role resource.
ManagedPolicies
A list of managed policies associated with this role.
public IManagedPolicy[] ManagedPolicies { get; set; }
Property Value
IManagedPolicy[]
Remarks
You can add managed policies later using addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName)).
Default: - No managed policies.
MaxSessionDuration
The maximum session duration that you want to set for the specified role.
public Duration MaxSessionDuration { get; set; }
Property Value
Duration
Remarks
This setting can have a value from 1 hour (3600 seconds) to 12 hours (43200 seconds).
Anyone who assumes the role from the AWS CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter.
If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL.
Default: Duration.hours(1)
Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
Path
The path associated with this role.
public string Path { get; set; }
Property Value
System.String
Remarks
For information about IAM paths, see Friendly Names and Paths in the IAM User Guide.
Default: /
PermissionsBoundary
AWS supports permissions boundaries for IAM entities (users or roles).
public IManagedPolicy PermissionsBoundary { get; set; }
Property Value
IManagedPolicy
Remarks
A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
Default: - No permissions boundary.
Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
RoleName
A name for the IAM role.
public string RoleName { get; set; }
Property Value
System.String
Remarks
For valid values, see the RoleName parameter for the CreateRole action in the IAM API Reference.
IMPORTANT: If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.
Default: - AWS CloudFormation generates a unique physical ID and uses that ID for the role name.
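The properties above that constrain who can assume the role and what it can do (ExternalIds, InlinePolicies, PermissionsBoundary, MaxSessionDuration, and an unset RoleName) combined in one stack. This is an added example, not part of the CDK documentation; the stack name, account ID, external ID, bucket ARN and boundary policy name are constructed placeholders, and the boundary policy is assumed to exist already.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.IAM;
using System.Collections.Generic;

public class PartnerAccessStack : Stack
{
    public PartnerAccessStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        // Assumption: this boundary policy already exists in the target account.
        var boundary = ManagedPolicy.FromManagedPolicyName(
            this, "Boundary", "example-partner-boundary");

        // Inline policy limited to the one action and resource the partner needs.
        var readReports = new PolicyDocument(new PolicyDocumentProps
        {
            Statements = new[]
            {
                new PolicyStatement(new PolicyStatementProps
                {
                    Actions = new[] { "s3:GetObject" },
                    Resources = new[] { "arn:aws:s3:::example-reports-bucket/*" }
                })
            }
        });

        new LazyRole(this, "PartnerReadRole", new LazyRoleProps
        {
            // Cross-account trust: the caller must also present the external ID,
            // otherwise AssumeRole fails.
            AssumedBy = new AccountPrincipal("111122223333"),
            ExternalIds = new[] { "example-external-id" },
            Description = "Read-only access to report objects for a partner account",
            InlinePolicies = new Dictionary<string, PolicyDocument>
            {
                { "ReadReports", readReports }
            },
            // Effective permissions are the intersection of the inline policy
            // and the boundary.
            PermissionsBoundary = boundary,
            // Lowest value the remarks allow; callers cannot request more
            // through DurationSeconds.
            MaxSessionDuration = Duration.Hours(1)
            // RoleName is left unset so CloudFormation generates the name and
            // the resource can still be replaced on update.
        });
    }
}
```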