software.amazon.awscdk.services.iam

Class PolicyStatement

java.lang.Object

software.amazon.jsii.JsiiObject

software.amazon.awscdk.services.iam.PolicyStatement

@Generated(value="jsii-pacmak/1.58.0 (build f8ba112)",
           date="2022-05-20T22:19:54.894Z")
public class PolicyStatement
extends software.amazon.jsii.JsiiObject

Represents a statement in an IAM policy document.

Example:

 // Add gateway endpoints when creating the VPC
 Vpc vpc = Vpc.Builder.create(this, "MyVpc")
         .gatewayEndpoints(Map.of(
                 "S3", GatewayVpcEndpointOptions.builder()
                         .service(GatewayVpcEndpointAwsService.S3)
                         .build()))
         .build();
 // Alternatively gateway endpoints can be added on the VPC
 GatewayVpcEndpoint dynamoDbEndpoint = vpc.addGatewayEndpoint("DynamoDbEndpoint", GatewayVpcEndpointOptions.builder()
         .service(GatewayVpcEndpointAwsService.DYNAMODB)
         .build());
 // This allows to customize the endpoint policy
 dynamoDbEndpoint.addToPolicy(
 PolicyStatement.Builder.create() // Restrict to listing and describing tables
         .principals(List.of(new AnyPrincipal()))
         .actions(List.of("dynamodb:DescribeTable", "dynamodb:ListTables"))
         .resources(List.of("*")).build());
 // Add an interface endpoint
 vpc.addInterfaceEndpoint("EcrDockerEndpoint", InterfaceVpcEndpointOptions.builder()
         .service(InterfaceVpcEndpointAwsService.ECR_DOCKER)
         .build());
 

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	PolicyStatement.Builder A fluent builder for PolicyStatement.

Constructor Summary

Constructors

Modifier	Constructor and Description
	PolicyStatement()
protected	PolicyStatement(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	PolicyStatement(software.amazon.jsii.JsiiObjectRef objRef)

Method Summary

Modifier and Type	Method and Description
void	addAccountCondition(java.lang.String accountId) Add a condition that limits to a given account.
void	addAccountRootPrincipal() Adds an AWS account root user principal to this policy statement.
void	addActions(java.lang.String... actions) Specify allowed actions into the "Action" section of the policy statement.
void	addAllResources() Adds a ``"*"`` resource to this statement.
void	addAnyPrincipal() Adds all identities in all accounts ("*") to this policy statement.
void	addArnPrincipal(java.lang.String arn) Specify a principal using the ARN identifier of the principal.
void	addAwsAccountPrincipal(java.lang.String accountId) Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.
void	addCanonicalUserPrincipal(java.lang.String canonicalUserId) Adds a canonical user ID principal to this policy document.
void	addCondition(java.lang.String key, java.lang.Object value) Add a condition to the Policy.
void	addConditions(java.util.Map<java.lang.String,java.lang.Object> conditions) Add multiple conditions to the Policy.
void	addFederatedPrincipal(java.lang.Object federated, java.util.Map<java.lang.String,java.lang.Object> conditions) Adds a federated identity provider such as Amazon Cognito to this policy statement.
void	addNotActions(java.lang.String... notActions) Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document.
void	addNotPrincipals(IPrincipal... notPrincipals) Specify principals that is not allowed or denied access to the "NotPrincipal" section of a policy statement.
void	addNotResources(java.lang.String... arns) Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.
void	addPrincipals(IPrincipal... principals) Adds principals to the "Principal" section of a policy statement.
void	addResources(java.lang.String... arns) Specify resources that this policy statement applies into the "Resource" section of this policy statement.
void	addServicePrincipal(java.lang.String service) Adds a service principal to this policy statement.
void	addServicePrincipal(java.lang.String service, ServicePrincipalOpts opts) Adds a service principal to this policy statement.
PolicyStatement	copy() Create a new `PolicyStatement` with the same exact properties as this one, except for the overrides.
PolicyStatement	copy(PolicyStatementProps overrides) Create a new `PolicyStatement` with the same exact properties as this one, except for the overrides.
static PolicyStatement	fromJson(java.lang.Object obj) Creates a new PolicyStatement based on the object provided.
Effect	getEffect() Whether to allow or deny the actions in this statement.
java.lang.Boolean	getHasPrincipal() Indicates if this permission has a "Principal" section.
java.lang.Boolean	getHasResource() Indicates if this permission has at least one resource associated with it.
java.util.List<IPrincipal>	getPrincipals() Expose principals to allow their ARNs to be replaced by account ID strings in policy statements for resources policies that don't allow full account ARNs, such as AWS::Logs::ResourcePolicy.
java.lang.String	getSid() Statement ID for this statement.
void	setEffect(Effect value) Whether to allow or deny the actions in this statement.
void	setSid(java.lang.String value) Statement ID for this statement.
java.lang.Object	toJSON() JSON-ify the statement.
java.lang.Object	toStatementJson() JSON-ify the policy statement.
java.lang.String	toString() String representation of this policy statement.
java.util.List<java.lang.String>	validateForAnyPolicy() Validate that the policy statement satisfies base requirements for a policy.
java.util.List<java.lang.String>	validateForIdentityPolicy() Validate that the policy statement satisfies all requirements for an identity-based policy.
java.util.List<java.lang.String>	validateForResourcePolicy() Validate that the policy statement satisfies all requirements for a resource-based policy.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

PolicyStatement

protected PolicyStatement(software.amazon.jsii.JsiiObjectRef objRef)

PolicyStatement

protected PolicyStatement(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

PolicyStatement

public PolicyStatement()

Method Detail

fromJson

public static PolicyStatement fromJson(java.lang.Object obj)

Creates a new PolicyStatement based on the object provided.

This will accept an object created from the .toJSON() call

Parameters:

obj - the PolicyStatement in object form. This parameter is required.

addAccountCondition

public void addAccountCondition(java.lang.String accountId)

Add a condition that limits to a given account.

This method can only be called once: subsequent calls will overwrite earlier calls.

Parameters:

accountId - This parameter is required.

addAccountRootPrincipal

public void addAccountRootPrincipal()

Adds an AWS account root user principal to this policy statement.

addActions

public void addActions(java.lang.String... actions)

Specify allowed actions into the "Action" section of the policy statement.

Parameters:

actions - actions that will be allowed. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html

addAllResources

public void addAllResources()

Adds a ``"*"`` resource to this statement.

addAnyPrincipal

public void addAnyPrincipal()

Adds all identities in all accounts ("*") to this policy statement.

addArnPrincipal

public void addArnPrincipal(java.lang.String arn)

Specify a principal using the ARN identifier of the principal.

You cannot specify IAM groups and instance profiles as principals.

Parameters:

arn - ARN identifier of AWS account, IAM user, or IAM role (i.e. arn:aws:iam::123456789012:user/user-name). This parameter is required.

addAwsAccountPrincipal

public void addAwsAccountPrincipal(java.lang.String accountId)

Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.

Parameters:

accountId - This parameter is required.

addCanonicalUserPrincipal

public void addCanonicalUserPrincipal(java.lang.String canonicalUserId)

Adds a canonical user ID principal to this policy document.

Parameters:

canonicalUserId - unique identifier assigned by AWS for every account. This parameter is required.

addCondition

public void addCondition(java.lang.String key,
                         java.lang.Object value)

Add a condition to the Policy.

If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:

 PolicyStatement stmt;
 stmt.addCondition("StringEquals", Map.of("aws:SomeField", "1"));
 stmt.addCondition("StringEquals", Map.of("aws:SomeField", "2"));
 

Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.

If you meant to add a condition to say that the field can be either 1 or 2, write this:

 PolicyStatement stmt;
 stmt.addCondition("StringEquals", Map.of("aws:SomeField", List.of("1", "2")));
 

Parameters:

key - This parameter is required.

value - This parameter is required.

addConditions

public void addConditions(java.util.Map<java.lang.String,java.lang.Object> conditions)

Add multiple conditions to the Policy.

See the addCondition function for a caveat on calling this method multiple times.

Parameters:

conditions - This parameter is required.

addFederatedPrincipal

public void addFederatedPrincipal(java.lang.Object federated,
                                  java.util.Map<java.lang.String,java.lang.Object> conditions)

Adds a federated identity provider such as Amazon Cognito to this policy statement.

Parameters:

federated - federated identity provider (i.e. 'cognito-identity.amazonaws.com'). This parameter is required.

conditions - The conditions under which the policy is in effect. This parameter is required.

addNotActions

public void addNotActions(java.lang.String... notActions)

Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document.

Parameters:

notActions - actions that will be denied. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html

addNotPrincipals

public void addNotPrincipals(IPrincipal... notPrincipals)

Specify principals that is not allowed or denied access to the "NotPrincipal" section of a policy statement.

Parameters:

notPrincipals - IAM principals that will be denied access. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

addNotResources

public void addNotResources(java.lang.String... arns)

Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.

All resources except the specified list will be matched.

Parameters:

arns - Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html

addPrincipals

public void addPrincipals(IPrincipal... principals)

Adds principals to the "Principal" section of a policy statement.

Parameters:

principals - IAM principals that will be added. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

addResources

public void addResources(java.lang.String... arns)

Specify resources that this policy statement applies into the "Resource" section of this policy statement.

Parameters:

arns - Amazon Resource Names (ARNs) of the resources that this policy statement applies to. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

addServicePrincipal

public void addServicePrincipal(java.lang.String service,
                                ServicePrincipalOpts opts)

Adds a service principal to this policy statement.

Parameters:

service - the service name for which a service principal is requested (e.g: `s3.amazonaws.com`). This parameter is required.

opts - options for adding the service principal (such as specifying a principal in a different region).

addServicePrincipal

public void addServicePrincipal(java.lang.String service)

Adds a service principal to this policy statement.

Parameters:

service - the service name for which a service principal is requested (e.g: `s3.amazonaws.com`). This parameter is required.

copy

public PolicyStatement copy(PolicyStatementProps overrides)

Create a new `PolicyStatement` with the same exact properties as this one, except for the overrides.

Parameters:

overrides -

copy

public PolicyStatement copy()

Create a new `PolicyStatement` with the same exact properties as this one, except for the overrides.

toJSON

public java.lang.Object toJSON()

JSON-ify the statement.

Used when JSON.stringify() is called

toStatementJson

public java.lang.Object toStatementJson()

JSON-ify the policy statement.

Used when JSON.stringify() is called

toString

public java.lang.String toString()

String representation of this policy statement.

validateForAnyPolicy

public java.util.List<java.lang.String> validateForAnyPolicy()

Validate that the policy statement satisfies base requirements for a policy.

Returns:

An array of validation error messages, or an empty array if the statement is valid.

validateForIdentityPolicy

public java.util.List<java.lang.String> validateForIdentityPolicy()

Validate that the policy statement satisfies all requirements for an identity-based policy.

Returns:

An array of validation error messages, or an empty array if the statement is valid.

validateForResourcePolicy

public java.util.List<java.lang.String> validateForResourcePolicy()

Validate that the policy statement satisfies all requirements for a resource-based policy.

Returns:

An array of validation error messages, or an empty array if the statement is valid.

getHasPrincipal

public java.lang.Boolean getHasPrincipal()

Indicates if this permission has a "Principal" section.

getHasResource

public java.lang.Boolean getHasResource()

Indicates if this permission has at least one resource associated with it.

getPrincipals

public java.util.List<IPrincipal> getPrincipals()

Expose principals to allow their ARNs to be replaced by account ID strings in policy statements for resources policies that don't allow full account ARNs, such as AWS::Logs::ResourcePolicy.

getEffect

public Effect getEffect()

Whether to allow or deny the actions in this statement.

setEffect

public void setEffect(Effect value)

Whether to allow or deny the actions in this statement.

getSid

public java.lang.String getSid()

Statement ID for this statement.

setSid

public void setSid(java.lang.String value)

Statement ID for this statement.