software.amazon.awscdk.services.iam

Class Role

java.lang.Object

software.constructs.Construct

software.amazon.awscdk.core.Construct

software.amazon.awscdk.core.Resource

software.amazon.awscdk.services.iam.Role

All Implemented Interfaces:

IConstruct, IDependable, IResource, IGrantable, IIdentity, IPrincipal, IRole

@Generated(value="jsii-pacmak/1.74.0 (build 6d08790)",
           date="2023-03-22T19:35:36.669Z")
public class Role
extends Resource
implements IRole

IAM Role.

Defines an IAM role. The role is created with an assume policy document associated with the specified AWS service principal defined in serviceAssumeRole.

Example:

 Role lambdaRole = Role.Builder.create(this, "Role")
         .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
         .description("Example role...")
         .build();
 Stream stream = Stream.Builder.create(this, "MyEncryptedStream")
         .encryption(StreamEncryption.KMS)
         .build();
 // give lambda permissions to read stream
 stream.grantRead(lambdaRole);
 

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	Role.Builder A fluent builder for Role.

Nested classes/interfaces inherited from interface software.amazon.awscdk.services.iam.IRole

IRole.Jsii$Default, IRole.Jsii$Proxy

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	Role(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	Role(software.amazon.jsii.JsiiObjectRef objRef)
	Role(software.constructs.Construct scope, java.lang.String id, RoleProps props)

Method Summary

Modifier and Type	Method and Description
void	addManagedPolicy(IManagedPolicy policy) Attaches a managed policy to this role.
java.lang.Boolean	addToPolicy(PolicyStatement statement) Add to the policy of this principal.
AddToPrincipalPolicyResult	addToPrincipalPolicy(PolicyStatement statement) Adds a permission to the role's default policy document.
void	attachInlinePolicy(Policy policy) Attaches a policy to this role.
static IRole	fromRoleArn(software.constructs.Construct scope, java.lang.String id, java.lang.String roleArn) Import an external role by ARN.
static IRole	fromRoleArn(software.constructs.Construct scope, java.lang.String id, java.lang.String roleArn, FromRoleArnOptions options) Import an external role by ARN.
static IRole	fromRoleName(software.constructs.Construct scope, java.lang.String id, java.lang.String roleName) Import an external role by name.
java.lang.String	getAssumeRoleAction() When this Principal is used in an AssumeRole policy, the action to use.
PolicyDocument	getAssumeRolePolicy() The assume role policy document associated with this role.
IPrincipal	getGrantPrincipal() The principal to grant permissions to.
IManagedPolicy	getPermissionsBoundary() Returns the permissions boundary attached to this role.
PrincipalPolicyFragment	getPolicyFragment() Returns the role.
java.lang.String	getPrincipalAccount() The AWS account ID of this principal.
java.lang.String	getRoleArn() Returns the ARN of this role.
java.lang.String	getRoleId() Returns the stable and unique string identifying the role.
java.lang.String	getRoleName() Returns the name of the role.
Grant	grant(IPrincipal grantee, java.lang.String... actions) Grant the actions defined in actions to the identity Principal on this resource.
Grant	grantAssumeRole(IPrincipal identity) Grant permissions to the given principal to assume this role.
Grant	grantPassRole(IPrincipal identity) Grant permissions to the given principal to pass this role.
protected java.util.List<java.lang.String>	validate() Validate the current construct.
IRole	withoutPolicyUpdates() Return a copy of this Role object whose Policies will not be updated.
IRole	withoutPolicyUpdates(WithoutPolicyUpdatesOptions options) Return a copy of this Role object whose Policies will not be updated.

Methods inherited from class software.amazon.awscdk.core.Resource

applyRemovalPolicy, generatePhysicalName, getEnv, getPhysicalName, getResourceArnAttribute, getResourceNameAttribute, getStack, isResource

Methods inherited from class software.amazon.awscdk.core.Construct

getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface software.amazon.awscdk.core.IResource

applyRemovalPolicy, getEnv, getStack

Methods inherited from interface software.amazon.awscdk.core.IConstruct

getNode

Constructor Detail

Role

protected Role(software.amazon.jsii.JsiiObjectRef objRef)

Role

protected Role(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

Role

public Role(software.constructs.Construct scope,
            java.lang.String id,
            RoleProps props)

Parameters:

scope - This parameter is required.

id - This parameter is required.

props - This parameter is required.

Method Detail

fromRoleArn

public static IRole fromRoleArn(software.constructs.Construct scope,
                                java.lang.String id,
                                java.lang.String roleArn,
                                FromRoleArnOptions options)

Import an external role by ARN.

If the imported Role ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) and the referenced role has a path (like arn:...:role/AdminRoles/Alice), the roleName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the path in order to resolve the correct role resource.

Parameters:

scope - construct scope. This parameter is required.

id - construct id. This parameter is required.

roleArn - the ARN of the role to import. This parameter is required.

options - allow customizing the behavior of the returned role.

fromRoleArn

public static IRole fromRoleArn(software.constructs.Construct scope,
                                java.lang.String id,
                                java.lang.String roleArn)

Import an external role by ARN.

If the imported Role ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) and the referenced role has a path (like arn:...:role/AdminRoles/Alice), the roleName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the path in order to resolve the correct role resource.

Parameters:

scope - construct scope. This parameter is required.

id - construct id. This parameter is required.

roleArn - the ARN of the role to import. This parameter is required.

fromRoleName

public static IRole fromRoleName(software.constructs.Construct scope,
                                 java.lang.String id,
                                 java.lang.String roleName)

Import an external role by name.

The imported role is assumed to exist in the same account as the account the scope's containing Stack is being deployed to.

Parameters:

scope - This parameter is required.

id - This parameter is required.

roleName - This parameter is required.

addManagedPolicy

public void addManagedPolicy(IManagedPolicy policy)

Attaches a managed policy to this role.

Specified by:

addManagedPolicy in interface IIdentity

Parameters:

policy - The the managed policy to attach. This parameter is required.

addToPolicy

public java.lang.Boolean addToPolicy(PolicyStatement statement)

Add to the policy of this principal.

Specified by:

addToPolicy in interface IPrincipal

Parameters:

statement - This parameter is required.

Returns:

true if the statement was added, false if the principal in question does not have a policy document to add the statement to.

addToPrincipalPolicy

public AddToPrincipalPolicyResult addToPrincipalPolicy(PolicyStatement statement)

Adds a permission to the role's default policy document.

If there is no default policy attached to this role, it will be created.

Specified by:

addToPrincipalPolicy in interface IPrincipal

Parameters:

statement - The permission statement to add to the policy document. This parameter is required.

attachInlinePolicy

public void attachInlinePolicy(Policy policy)

Attaches a policy to this role.

Specified by:

attachInlinePolicy in interface IIdentity

Parameters:

policy - The policy to attach. This parameter is required.

grant

public Grant grant(IPrincipal grantee,
                   java.lang.String... actions)

Grant the actions defined in actions to the identity Principal on this resource.

Specified by:

grant in interface IRole

Parameters:

grantee - This parameter is required.

actions - This parameter is required.

grantAssumeRole

public Grant grantAssumeRole(IPrincipal identity)

Grant permissions to the given principal to assume this role.

Specified by:

grantAssumeRole in interface IRole

Parameters:

identity - This parameter is required.

grantPassRole

public Grant grantPassRole(IPrincipal identity)

Grant permissions to the given principal to pass this role.

Specified by:

grantPassRole in interface IRole

Parameters:

identity - This parameter is required.

validate

protected java.util.List<java.lang.String> validate()

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Overrides:

validate in class Construct

Returns:

An array of validation error messages, or an empty array if the construct is valid.

withoutPolicyUpdates

public IRole withoutPolicyUpdates(WithoutPolicyUpdatesOptions options)

Return a copy of this Role object whose Policies will not be updated.

Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.

If you do, you are responsible for adding the correct statements to the Role's policies yourself.

Parameters:

options -

withoutPolicyUpdates

public IRole withoutPolicyUpdates()

Return a copy of this Role object whose Policies will not be updated.

Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.

If you do, you are responsible for adding the correct statements to the Role's policies yourself.

getAssumeRoleAction

public java.lang.String getAssumeRoleAction()

When this Principal is used in an AssumeRole policy, the action to use.

Specified by:

getAssumeRoleAction in interface IPrincipal

getGrantPrincipal

public IPrincipal getGrantPrincipal()

The principal to grant permissions to.

Specified by:

getGrantPrincipal in interface IGrantable

getPolicyFragment

public PrincipalPolicyFragment getPolicyFragment()

Returns the role.

Specified by:

getPolicyFragment in interface IPrincipal

getRoleArn

public java.lang.String getRoleArn()

Returns the ARN of this role.

Specified by:

getRoleArn in interface IRole

getRoleId

public java.lang.String getRoleId()

Returns the stable and unique string identifying the role.

For example, AIDAJQABLZS4A3QDU576Q.

getRoleName

public java.lang.String getRoleName()

Returns the name of the role.

Specified by:

getRoleName in interface IRole

getAssumeRolePolicy

public PolicyDocument getAssumeRolePolicy()

The assume role policy document associated with this role.

getPermissionsBoundary

public IManagedPolicy getPermissionsBoundary()

Returns the permissions boundary attached to this role.

getPrincipalAccount

public java.lang.String getPrincipalAccount()

The AWS account ID of this principal.

Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.

Specified by:

getPrincipalAccount in interface IPrincipal