@Generated(value="jsii-pacmak/1.74.0 (build 6d08790)", date="2023-03-22T19:35:44.100Z") public class CfnPermission extends CfnResource implements IInspectable
The AWS::Lambda::Permission
resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function.
To grant permission to another account, specify the account ID as the Principal
. To grant permission to an organization defined in AWS Organizations , specify the organization ID as the PrincipalOrgID
. For AWS services, the principal is a domain-style identifier defined by the service, like s3.amazonaws.com
or sns.amazonaws.com
. For AWS services, you can also specify the ARN of the associated resource as the SourceArn
. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function.
If your function has a function URL, you can specify the FunctionUrlAuthType
parameter. This adds a condition to your permission that only applies when your function URL's AuthType
matches the specified FunctionUrlAuthType
. For more information about the AuthType
parameter, see Security and auth model for Lambda function URLs .
This resource adds a statement to a resource-based permission policy for the function. For more information about function policies, see Lambda Function Policies .
Example:
// The code below shows an example of how to instantiate this type. // The values are placeholders you should change. import software.amazon.awscdk.services.lambda.*; CfnPermission cfnPermission = CfnPermission.Builder.create(this, "MyCfnPermission") .action("action") .functionName("functionName") .principal("principal") // the properties below are optional .eventSourceToken("eventSourceToken") .functionUrlAuthType("functionUrlAuthType") .principalOrgId("principalOrgId") .sourceAccount("sourceAccount") .sourceArn("sourceArn") .build();
Modifier and Type | Class and Description |
---|---|
static class |
CfnPermission.Builder
A fluent builder for
CfnPermission . |
IInspectable.Jsii$Default, IInspectable.Jsii$Proxy
IConstruct.Jsii$Default
Modifier and Type | Field and Description |
---|---|
static java.lang.String |
CFN_RESOURCE_TYPE_NAME
The CloudFormation resource type name for this resource class.
|
Modifier | Constructor and Description |
---|---|
|
CfnPermission(Construct scope,
java.lang.String id,
CfnPermissionProps props)
Create a new `AWS::Lambda::Permission`.
|
protected |
CfnPermission(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) |
protected |
CfnPermission(software.amazon.jsii.JsiiObjectRef objRef) |
Modifier and Type | Method and Description |
---|---|
java.lang.String |
getAction()
The action that the principal can use on the function.
|
protected java.util.Map<java.lang.String,java.lang.Object> |
getCfnProperties() |
java.lang.String |
getEventSourceToken()
For Alexa Smart Home functions, a token that the invoker must supply.
|
java.lang.String |
getFunctionName()
The name of the Lambda function, version, or alias.
|
java.lang.String |
getFunctionUrlAuthType()
The type of authentication that your function URL uses.
|
java.lang.String |
getPrincipal()
The AWS service or AWS account that invokes the function.
|
java.lang.String |
getPrincipalOrgId()
The identifier for your organization in AWS Organizations .
|
java.lang.String |
getSourceAccount()
For AWS service , the ID of the AWS account that owns the resource.
|
java.lang.String |
getSourceArn()
For AWS services , the ARN of the AWS resource that invokes the function.
|
void |
inspect(TreeInspector inspector)
Examines the CloudFormation resource and discloses attributes.
|
protected java.util.Map<java.lang.String,java.lang.Object> |
renderProperties(java.util.Map<java.lang.String,java.lang.Object> props) |
void |
setAction(java.lang.String value)
The action that the principal can use on the function.
|
void |
setEventSourceToken(java.lang.String value)
For Alexa Smart Home functions, a token that the invoker must supply.
|
void |
setFunctionName(java.lang.String value)
The name of the Lambda function, version, or alias.
|
void |
setFunctionUrlAuthType(java.lang.String value)
The type of authentication that your function URL uses.
|
void |
setPrincipal(java.lang.String value)
The AWS service or AWS account that invokes the function.
|
void |
setPrincipalOrgId(java.lang.String value)
The identifier for your organization in AWS Organizations .
|
void |
setSourceAccount(java.lang.String value)
For AWS service , the ID of the AWS account that owns the resource.
|
void |
setSourceArn(java.lang.String value)
For AWS services , the ARN of the AWS resource that invokes the function.
|
addDeletionOverride, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, isCfnResource, shouldSynthesize, toString, validateProperties
getRef
getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId
getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize, validate
public static final java.lang.String CFN_RESOURCE_TYPE_NAME
protected CfnPermission(software.amazon.jsii.JsiiObjectRef objRef)
protected CfnPermission(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
public CfnPermission(Construct scope, java.lang.String id, CfnPermissionProps props)
scope
- - scope in which this resource is defined. This parameter is required.id
- - scoped id of the resource. This parameter is required.props
- - resource properties. This parameter is required.public void inspect(TreeInspector inspector)
inspect
in interface IInspectable
inspector
- - tree inspector to collect and process attributes. This parameter is required.protected java.util.Map<java.lang.String,java.lang.Object> renderProperties(java.util.Map<java.lang.String,java.lang.Object> props)
renderProperties
in class CfnResource
props
- This parameter is required.protected java.util.Map<java.lang.String,java.lang.Object> getCfnProperties()
getCfnProperties
in class CfnResource
public java.lang.String getAction()
For example, lambda:InvokeFunction
or lambda:GetFunction
.
public void setAction(java.lang.String value)
For example, lambda:InvokeFunction
or lambda:GetFunction
.
public java.lang.String getFunctionName()
Name formats - Function name – my-function
(name-only), my-function:v1
(with alias).
arn:aws:lambda:us-west-2:123456789012:function:my-function
.123456789012:function:my-function
.You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
public void setFunctionName(java.lang.String value)
Name formats - Function name – my-function
(name-only), my-function:v1
(with alias).
arn:aws:lambda:us-west-2:123456789012:function:my-function
.123456789012:function:my-function
.You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
public java.lang.String getPrincipal()
If you specify a service, use SourceArn
or SourceAccount
to limit who can invoke the function through that service.
public void setPrincipal(java.lang.String value)
If you specify a service, use SourceArn
or SourceAccount
to limit who can invoke the function through that service.
public java.lang.String getEventSourceToken()
public void setEventSourceToken(java.lang.String value)
public java.lang.String getFunctionUrlAuthType()
Set to AWS_IAM
if you want to restrict access to authenticated users only. Set to NONE
if you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs .
public void setFunctionUrlAuthType(java.lang.String value)
Set to AWS_IAM
if you want to restrict access to authenticated users only. Set to NONE
if you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs .
public java.lang.String getPrincipalOrgId()
Use this to grant permissions to all the AWS accounts under this organization.
public void setPrincipalOrgId(java.lang.String value)
Use this to grant permissions to all the AWS accounts under this organization.
public java.lang.String getSourceAccount()
Use this together with SourceArn
to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
public void setSourceAccount(java.lang.String value)
Use this together with SourceArn
to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
public java.lang.String getSourceArn()
For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the StringLike
operator.
public void setSourceArn(java.lang.String value)
For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the StringLike
operator.