@Generated(value="jsii-pacmak/1.74.0 (build 6d08790)", date="2023-03-22T19:35:36.669Z")
public class Role extends Resource implements IRole

Defines an IAM role. The role is created with an assume policy document associated with the specified AWS service principal defined in serviceAssumeRole.
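Example:

```java
import software.amazon.awscdk.services.iam.Role;
import software.amazon.awscdk.services.iam.ServicePrincipal;
import software.amazon.awscdk.services.kinesis.Stream;
import software.amazon.awscdk.services.kinesis.StreamEncryption;

// Runs inside a construct or stack, where `this` is the scope.
Role lambdaRole = Role.Builder.create(this, "Role")
        .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
        .description("Example role...")
        .build();

Stream stream = Stream.Builder.create(this, "MyEncryptedStream")
        .encryption(StreamEncryption.KMS)
        .build();

// give lambda permissions to read stream
stream.grantRead(lambdaRole);
```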
Modifier and Type | Class and Description |
---|---|
static class | Role.Builder - A fluent builder for Role. |
IRole.Jsii$Default, IRole.Jsii$Proxy
Modifier | Constructor and Description |
---|---|
protected | Role(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) |
protected | Role(software.amazon.jsii.JsiiObjectRef objRef) |
 | Role(software.constructs.Construct scope, java.lang.String id, RoleProps props) |
Modifier and Type | Method and Description |
---|---|
void | addManagedPolicy(IManagedPolicy policy) - Attaches a managed policy to this role. |
java.lang.Boolean | addToPolicy(PolicyStatement statement) - Add to the policy of this principal. |
AddToPrincipalPolicyResult | addToPrincipalPolicy(PolicyStatement statement) - Adds a permission to the role's default policy document. |
void | attachInlinePolicy(Policy policy) - Attaches a policy to this role. |
static IRole | fromRoleArn(software.constructs.Construct scope, java.lang.String id, java.lang.String roleArn) - Import an external role by ARN. |
static IRole | fromRoleArn(software.constructs.Construct scope, java.lang.String id, java.lang.String roleArn, FromRoleArnOptions options) - Import an external role by ARN. |
static IRole | fromRoleName(software.constructs.Construct scope, java.lang.String id, java.lang.String roleName) - Import an external role by name. |
java.lang.String | getAssumeRoleAction() - When this Principal is used in an AssumeRole policy, the action to use. |
PolicyDocument | getAssumeRolePolicy() - The assume role policy document associated with this role. |
IPrincipal | getGrantPrincipal() - The principal to grant permissions to. |
IManagedPolicy | getPermissionsBoundary() - Returns the permissions boundary attached to this role. |
PrincipalPolicyFragment | getPolicyFragment() - Returns the role. |
java.lang.String | getPrincipalAccount() - The AWS account ID of this principal. |
java.lang.String | getRoleArn() - Returns the ARN of this role. |
java.lang.String | getRoleId() - Returns the stable and unique string identifying the role. |
java.lang.String | getRoleName() - Returns the name of the role. |
Grant | grant(IPrincipal grantee, java.lang.String... actions) - Grant the actions defined in actions to the identity Principal on this resource. |
Grant | grantAssumeRole(IPrincipal identity) - Grant permissions to the given principal to assume this role. |
Grant | grantPassRole(IPrincipal identity) - Grant permissions to the given principal to pass this role. |
protected java.util.List<java.lang.String> | validate() - Validate the current construct. |
IRole | withoutPolicyUpdates() - Return a copy of this Role object whose Policies will not be updated. |
IRole | withoutPolicyUpdates(WithoutPolicyUpdatesOptions options) - Return a copy of this Role object whose Policies will not be updated. |
applyRemovalPolicy, generatePhysicalName, getEnv, getPhysicalName, getResourceArnAttribute, getResourceNameAttribute, getStack, isResource
getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
applyRemovalPolicy, getEnv, getStack
getNode
protected Role(software.amazon.jsii.JsiiObjectRef objRef)

protected Role(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

public Role(software.constructs.Construct scope, java.lang.String id, RoleProps props)
scope - This parameter is required.
id - This parameter is required.
props - This parameter is required.

public static IRole fromRoleArn(software.constructs.Construct scope, java.lang.String id, java.lang.String roleArn, FromRoleArnOptions options)
If the imported Role ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) and the referenced role has a path (like arn:...:role/AdminRoles/Alice), the roleName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the path in order to resolve the correct role resource.
scope - construct scope. This parameter is required.
id - construct id. This parameter is required.
roleArn - the ARN of the role to import. This parameter is required.
options - allow customizing the behavior of the returned role.

public static IRole fromRoleArn(software.constructs.Construct scope, java.lang.String id, java.lang.String roleArn)
If the imported Role ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) and the referenced role has a path (like arn:...:role/AdminRoles/Alice), the roleName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the path in order to resolve the correct role resource.
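
The path pitfall described above, as an added example in plain Java (not CDK code and not from the AWS documentation): it contrasts the first path component with the real role name and builds the path-less ARN to supply. Using string splitting as a stand-in for Token resolution is an assumption, and the class name, method names and sample ARNs are constructed.

```java
// Added illustration: plain Java, no CDK dependency. Splitting on "/" stands in
// for deploy-time resolution of a Token ARN (an assumption); names are hypothetical.
public class RoleArnPathCheck {

    /** Splits an IAM role ARN into its six colon-separated fields, or throws. */
    static String[] fields(String arn) {
        String[] f = arn.split(":", 6);
        if (f.length != 6 || !f[0].equals("arn") || !f[2].equals("iam")
                || !f[5].startsWith("role/") || f[5].endsWith("/")) {
            throw new IllegalArgumentException("not an IAM role ARN: " + arn);
        }
        return f;
    }

    /** Components after "role/": zero or more path parts, then the role name. */
    static String[] components(String arn) {
        return fields(arn)[5].substring("role/".length()).split("/");
    }

    static boolean hasPath(String arn) {
        return components(arn).length > 1;
    }

    /** First path component: what the page says roleName resolves to for a Token ARN. */
    static String firstComponent(String arn) {
        return components(arn)[0];
    }

    /** Last component: the actual role name. */
    static String roleName(String arn) {
        String[] c = components(arn);
        return c[c.length - 1];
    }

    /** The same ARN with the path removed, the form the page says to supply. */
    static String withoutPath(String arn) {
        String[] f = fields(arn);
        f[5] = "role/" + roleName(arn);
        return String.join(":", f);
    }

    public static void main(String[] args) {
        // Constructed sample values; the account ID is a placeholder.
        String[] samples = { "arn:aws:iam::123456789012:role/AdminRoles/Alice",
                             "arn:aws:iam::123456789012:role/Alice" };
        for (String arn : samples) {
            System.out.printf("%s%n  path=%b first=%s actual=%s%n  supply: %s%n",
                arn, hasPath(arn), firstComponent(arn), roleName(arn), withoutPath(arn));
        }
    }
}
```

Running a check like this on parameter values before deployment flags ARNs whose role name would otherwise resolve to a path component.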
scope - construct scope. This parameter is required.
id - construct id. This parameter is required.
roleArn - the ARN of the role to import. This parameter is required.

public static IRole fromRoleName(software.constructs.Construct scope, java.lang.String id, java.lang.String roleName)
The imported role is assumed to exist in the same account as the account the scope's containing Stack is being deployed to.
scope - This parameter is required.
id - This parameter is required.
roleName - This parameter is required.

public void addManagedPolicy(IManagedPolicy policy)
Specified by: addManagedPolicy in interface IIdentity
policy - The managed policy to attach. This parameter is required.

public java.lang.Boolean addToPolicy(PolicyStatement statement)
Specified by: addToPolicy in interface IPrincipal
statement - This parameter is required.

public AddToPrincipalPolicyResult addToPrincipalPolicy(PolicyStatement statement)
If there is no default policy attached to this role, it will be created.
Specified by: addToPrincipalPolicy in interface IPrincipal
statement - The permission statement to add to the policy document. This parameter is required.

public void attachInlinePolicy(Policy policy)
Specified by: attachInlinePolicy in interface IIdentity
policy - The policy to attach. This parameter is required.

public Grant grant(IPrincipal grantee, java.lang.String... actions)

public Grant grantAssumeRole(IPrincipal identity)
Specified by: grantAssumeRole in interface IRole
identity - This parameter is required.

public Grant grantPassRole(IPrincipal identity)
Specified by: grantPassRole in interface IRole
identity - This parameter is required.

protected java.util.List<java.lang.String> validate()
This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

public IRole withoutPolicyUpdates(WithoutPolicyUpdatesOptions options)
Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.
If you do, you are responsible for adding the correct statements to the Role's policies yourself.
options -

public IRole withoutPolicyUpdates()
Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.
If you do, you are responsible for adding the correct statements to the Role's policies yourself.

public java.lang.String getAssumeRoleAction()
Specified by: getAssumeRoleAction in interface IPrincipal

public IPrincipal getGrantPrincipal()
Specified by: getGrantPrincipal in interface IGrantable

public PrincipalPolicyFragment getPolicyFragment()
Specified by: getPolicyFragment in interface IPrincipal

public java.lang.String getRoleArn()
Specified by: getRoleArn in interface IRole

public java.lang.String getRoleId()
For example, AIDAJQABLZS4A3QDU576Q.

public java.lang.String getRoleName()
Specified by: getRoleName in interface IRole

public PolicyDocument getAssumeRolePolicy()

public IManagedPolicy getPermissionsBoundary()

public java.lang.String getPrincipalAccount()
Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.
Specified by: getPrincipalAccount in interface IPrincipal