software.amazon.awscdk.services.iam

Class PolicyStatement

java.lang.Object

software.amazon.jsii.JsiiObject

software.amazon.awscdk.services.iam.PolicyStatement

All Implemented Interfaces:

software.amazon.jsii.JsiiSerializable

@Generated(value="jsii-pacmak/1.74.0 (build 6d08790)",
           date="2023-05-19T23:08:46.006Z")
 @Stability(value=Stable)
public class PolicyStatement
extends software.amazon.jsii.JsiiObject

Represents a statement in an IAM policy document.

Example:

 // Add gateway endpoints when creating the VPC
 Vpc vpc = Vpc.Builder.create(this, "MyVpc")
         .gatewayEndpoints(Map.of(
                 "S3", GatewayVpcEndpointOptions.builder()
                         .service(GatewayVpcEndpointAwsService.S3)
                         .build()))
         .build();
 // Alternatively gateway endpoints can be added on the VPC
 GatewayVpcEndpoint dynamoDbEndpoint = vpc.addGatewayEndpoint("DynamoDbEndpoint", GatewayVpcEndpointOptions.builder()
         .service(GatewayVpcEndpointAwsService.DYNAMODB)
         .build());
 // This allows to customize the endpoint policy
 dynamoDbEndpoint.addToPolicy(
 PolicyStatement.Builder.create() // Restrict to listing and describing tables
         .principals(List.of(new AnyPrincipal()))
         .actions(List.of("dynamodb:DescribeTable", "dynamodb:ListTables"))
         .resources(List.of("*")).build());
 // Add an interface endpoint
 vpc.addInterfaceEndpoint("EcrDockerEndpoint", InterfaceVpcEndpointOptions.builder()
         .service(InterfaceVpcEndpointAwsService.ECR_DOCKER)
         .build());
 

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	PolicyStatement.Builder A fluent builder for PolicyStatement.

Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject

software.amazon.jsii.JsiiObject.InitializationMode

Constructor Summary

Constructors

Modifier	Constructor and Description
	PolicyStatement()
protected	PolicyStatement(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	PolicyStatement(software.amazon.jsii.JsiiObjectRef objRef)
	PolicyStatement(PolicyStatementProps props)

Method Summary

Modifier and Type	Method and Description
void	addAccountCondition(String accountId) Add a condition that limits to a given account.
void	addAccountRootPrincipal() Adds an AWS account root user principal to this policy statement.
void	addActions(String... actions) Specify allowed actions into the "Action" section of the policy statement.
void	addAllResources() Adds a ``"*"`` resource to this statement.
void	addAnyPrincipal() Adds all identities in all accounts ("*") to this policy statement.
void	addArnPrincipal(String arn) Specify a principal using the ARN identifier of the principal.
void	addAwsAccountPrincipal(String accountId) Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.
void	addCanonicalUserPrincipal(String canonicalUserId) Adds a canonical user ID principal to this policy document.
void	addCondition(String key, Object value) Add a condition to the Policy.
void	addConditions(Map<String,Object> conditions) Add multiple conditions to the Policy.
void	addFederatedPrincipal(Object federated, Map<String,Object> conditions) Adds a federated identity provider such as Amazon Cognito to this policy statement.
void	addNotActions(String... notActions) Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document.
void	addNotPrincipals(IPrincipal... notPrincipals) Specify principals that is not allowed or denied access to the "NotPrincipal" section of a policy statement.
void	addNotResources(String... arns) Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.
void	addPrincipals(IPrincipal... principals) Adds principals to the "Principal" section of a policy statement.
void	addResources(String... arns) Specify resources that this policy statement applies into the "Resource" section of this policy statement.
void	addServicePrincipal(String service) Adds a service principal to this policy statement.
void	addServicePrincipal(String service, ServicePrincipalOpts opts) Adds a service principal to this policy statement.
PolicyStatement	copy() Create a new `PolicyStatement` with the same exact properties as this one, except for the overrides.
PolicyStatement	copy(PolicyStatementProps overrides) Create a new `PolicyStatement` with the same exact properties as this one, except for the overrides.
static PolicyStatement	fromJson(Object obj) Creates a new PolicyStatement based on the object provided.
List<String>	getActions() The Actions added to this statement.
Object	getConditions() The conditions added to this statement.
Effect	getEffect() Whether to allow or deny the actions in this statement.
Boolean	getHasPrincipal() Indicates if this permission has a "Principal" section.
Boolean	getHasResource() Indicates if this permission has at least one resource associated with it.
List<String>	getNotActions() The NotActions added to this statement.
List<IPrincipal>	getNotPrincipals() The NotPrincipals added to this statement.
List<String>	getNotResources() The NotResources added to this statement.
List<IPrincipal>	getPrincipals() The Principals added to this statement.
List<String>	getResources() The Resources added to this statement.
String	getSid() Statement ID for this statement.
void	setEffect(Effect value) Whether to allow or deny the actions in this statement.
void	setSid(String value) Statement ID for this statement.
Object	toJSON() JSON-ify the statement.
Object	toStatementJson() JSON-ify the policy statement.
String	toString() String representation of this policy statement.
List<String>	validateForAnyPolicy() Validate that the policy statement satisfies base requirements for a policy.
List<String>	validateForIdentityPolicy() Validate that the policy statement satisfies all requirements for an identity-based policy.
List<String>	validateForResourcePolicy() Validate that the policy statement satisfies all requirements for a resource-based policy.

Methods inherited from class software.amazon.jsii.JsiiObject

jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface software.amazon.jsii.JsiiSerializable

$jsii$toJson

Constructor Detail

PolicyStatement

protected PolicyStatement(software.amazon.jsii.JsiiObjectRef objRef)

PolicyStatement

protected PolicyStatement(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

PolicyStatement

@Stability(value=Stable)
public PolicyStatement(@Nullable
                                                PolicyStatementProps props)

Parameters:

props -

PolicyStatement

@Stability(value=Stable)
public PolicyStatement()

Method Detail

fromJson

@Stability(value=Stable)
 @NotNull
public static PolicyStatement fromJson(@NotNull
                                                                          Object obj)

Creates a new PolicyStatement based on the object provided.

This will accept an object created from the .toJSON() call

Parameters:

obj - the PolicyStatement in object form. This parameter is required.

addAccountCondition

@Stability(value=Stable)
public void addAccountCondition(@NotNull
                                                         String accountId)

Add a condition that limits to a given account.

This method can only be called once: subsequent calls will overwrite earlier calls.

Parameters:

accountId - This parameter is required.

addAccountRootPrincipal

@Stability(value=Stable)
public void addAccountRootPrincipal()

Adds an AWS account root user principal to this policy statement.

addActions

@Stability(value=Stable)
public void addActions(@NotNull
                                                String... actions)

Specify allowed actions into the "Action" section of the policy statement.

Parameters:

actions - actions that will be allowed. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html

addAllResources

@Stability(value=Stable)
public void addAllResources()

Adds a ``"*"`` resource to this statement.

addAnyPrincipal

@Stability(value=Stable)
public void addAnyPrincipal()

Adds all identities in all accounts ("*") to this policy statement.

addArnPrincipal

@Stability(value=Stable)
public void addArnPrincipal(@NotNull
                                                     String arn)

Specify a principal using the ARN identifier of the principal.

You cannot specify IAM groups and instance profiles as principals.

Parameters:

arn - ARN identifier of AWS account, IAM user, or IAM role (i.e. arn:aws:iam::123456789012:user/user-name). This parameter is required.

addAwsAccountPrincipal

@Stability(value=Stable)
public void addAwsAccountPrincipal(@NotNull
                                                            String accountId)

Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.

Parameters:

accountId - This parameter is required.

addCanonicalUserPrincipal

@Stability(value=Stable)
public void addCanonicalUserPrincipal(@NotNull
                                                               String canonicalUserId)

Adds a canonical user ID principal to this policy document.

Parameters:

canonicalUserId - unique identifier assigned by AWS for every account. This parameter is required.

addCondition

@Stability(value=Stable)
public void addCondition(@NotNull
                                                  String key,
                                                  @NotNull
                                                  Object value)

Add a condition to the Policy.

If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:

 PolicyStatement stmt;
 stmt.addCondition("StringEquals", Map.of("aws:SomeField", "1"));
 stmt.addCondition("StringEquals", Map.of("aws:SomeField", "2"));
 

Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.

If you meant to add a condition to say that the field can be either 1 or 2, write this:

 PolicyStatement stmt;
 stmt.addCondition("StringEquals", Map.of("aws:SomeField", List.of("1", "2")));
 

Parameters:

key - This parameter is required.

value - This parameter is required.

addConditions

@Stability(value=Stable)
public void addConditions(@NotNull
                                                   Map<String,Object> conditions)

Add multiple conditions to the Policy.

See the addCondition function for a caveat on calling this method multiple times.

Parameters:

conditions - This parameter is required.

addFederatedPrincipal

@Stability(value=Stable)
public void addFederatedPrincipal(@NotNull
                                                           Object federated,
                                                           @NotNull
                                                           Map<String,Object> conditions)

Adds a federated identity provider such as Amazon Cognito to this policy statement.

Parameters:

federated - federated identity provider (i.e. 'cognito-identity.amazonaws.com'). This parameter is required.

conditions - The conditions under which the policy is in effect. This parameter is required.

addNotActions

@Stability(value=Stable)
public void addNotActions(@NotNull
                                                   String... notActions)

Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document.

Parameters:

notActions - actions that will be denied. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html

addNotPrincipals

@Stability(value=Stable)
public void addNotPrincipals(@NotNull
                                                      IPrincipal... notPrincipals)

Specify principals that is not allowed or denied access to the "NotPrincipal" section of a policy statement.

Parameters:

notPrincipals - IAM principals that will be denied access. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

addNotResources

@Stability(value=Stable)
public void addNotResources(@NotNull
                                                     String... arns)

Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.

All resources except the specified list will be matched.

Parameters:

arns - Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html

addPrincipals

@Stability(value=Stable)
public void addPrincipals(@NotNull
                                                   IPrincipal... principals)

Adds principals to the "Principal" section of a policy statement.

Parameters:

principals - IAM principals that will be added. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

addResources

@Stability(value=Stable)
public void addResources(@NotNull
                                                  String... arns)

Specify resources that this policy statement applies into the "Resource" section of this policy statement.

Parameters:

arns - Amazon Resource Names (ARNs) of the resources that this policy statement applies to. This parameter is required.

See Also:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

addServicePrincipal

@Stability(value=Stable)
public void addServicePrincipal(@NotNull
                                                         String service,
                                                         @Nullable
                                                         ServicePrincipalOpts opts)

Adds a service principal to this policy statement.

Parameters:

service - the service name for which a service principal is requested (e.g: `s3.amazonaws.com`). This parameter is required.

opts - options for adding the service principal (such as specifying a principal in a different region).

addServicePrincipal

@Stability(value=Stable)
public void addServicePrincipal(@NotNull
                                                         String service)

Adds a service principal to this policy statement.

Parameters:

service - the service name for which a service principal is requested (e.g: `s3.amazonaws.com`). This parameter is required.

copy

@Stability(value=Stable)
 @NotNull
public PolicyStatement copy(@Nullable
                                                               PolicyStatementProps overrides)

Create a new `PolicyStatement` with the same exact properties as this one, except for the overrides.

Parameters:

overrides -

copy

@Stability(value=Stable)
 @NotNull
public PolicyStatement copy()

Create a new `PolicyStatement` with the same exact properties as this one, except for the overrides.

toJSON

@Stability(value=Stable)
 @NotNull
public Object toJSON()

JSON-ify the statement.

Used when JSON.stringify() is called

toStatementJson

@Stability(value=Stable)
 @NotNull
public Object toStatementJson()

JSON-ify the policy statement.

Used when JSON.stringify() is called

toString

@Stability(value=Stable)
 @NotNull
public String toString()

String representation of this policy statement.

Overrides:

toString in class Object

validateForAnyPolicy

@Stability(value=Stable)
 @NotNull
public List<String> validateForAnyPolicy()

Validate that the policy statement satisfies base requirements for a policy.

Returns:

An array of validation error messages, or an empty array if the statement is valid.

validateForIdentityPolicy

@Stability(value=Stable)
 @NotNull
public List<String> validateForIdentityPolicy()

Validate that the policy statement satisfies all requirements for an identity-based policy.

Returns:

An array of validation error messages, or an empty array if the statement is valid.

validateForResourcePolicy

@Stability(value=Stable)
 @NotNull
public List<String> validateForResourcePolicy()

Validate that the policy statement satisfies all requirements for a resource-based policy.

Returns:

An array of validation error messages, or an empty array if the statement is valid.

getActions

@Stability(value=Stable)
 @NotNull
public List<String> getActions()

The Actions added to this statement.

getConditions

@Stability(value=Stable)
 @NotNull
public Object getConditions()

The conditions added to this statement.

getHasPrincipal

@Stability(value=Stable)
 @NotNull
public Boolean getHasPrincipal()

Indicates if this permission has a "Principal" section.

getHasResource

@Stability(value=Stable)
 @NotNull
public Boolean getHasResource()

Indicates if this permission has at least one resource associated with it.

getNotActions

@Stability(value=Stable)
 @NotNull
public List<String> getNotActions()

The NotActions added to this statement.

getNotPrincipals

@Stability(value=Stable)
 @NotNull
public List<IPrincipal> getNotPrincipals()

The NotPrincipals added to this statement.

getNotResources

@Stability(value=Stable)
 @NotNull
public List<String> getNotResources()

The NotResources added to this statement.

getPrincipals

@Stability(value=Stable)
 @NotNull
public List<IPrincipal> getPrincipals()

The Principals added to this statement.

getResources

@Stability(value=Stable)
 @NotNull
public List<String> getResources()

The Resources added to this statement.

getEffect

@Stability(value=Stable)
 @NotNull
public Effect getEffect()

Whether to allow or deny the actions in this statement.

setEffect

@Stability(value=Stable)
public void setEffect(@NotNull
                                               Effect value)

Whether to allow or deny the actions in this statement.

getSid

@Stability(value=Stable)
 @Nullable
public String getSid()

Statement ID for this statement.

setSid

@Stability(value=Stable)
public void setSid(@Nullable
                                            String value)

Statement ID for this statement.