PolicyDocumentProps

class aws_cdk.aws_iam.PolicyDocumentProps(*, assign_sids=None, minimize=None, statements=None)

Bases: object

Properties for a new PolicyDocument.

Parameters:
  • assign_sids (Optional[bool]) – Automatically assign Statement Ids to all statements. Default: false

  • minimize (Optional[bool]) – Try to minimize the policy by merging statements. To avoid overrunning the maximum policy size, combine statements if they produce the same result. Merging happens according to the following rules:
      - The Effect of both statements is the same
      - Neither of the statements has a ‘Sid’
      - Combine Principals if the rest of the statement is exactly the same.
      - Combine Resources if the rest of the statement is exactly the same.
      - Combine Actions if the rest of the statement is exactly the same.
      - We will never combine NotPrincipals, NotResources or NotActions, because doing so would change the meaning of the policy document.
    Default: false, unless the feature flag @aws-cdk/aws-iam:minimizePolicies is set

  • statements (Optional[Sequence[PolicyStatement]]) – Initial statements to add to the policy document. Default: - No statements

Example:

from aws_cdk import aws_iam as iam, aws_kms as kms

# Runs inside a construct or stack, where `self` is the scope.
my_trusted_admin_role = iam.Role.from_role_arn(self, "TrustedRole", "arn:aws:iam:....")
# Creates a limited admin policy and assigns to the account root.
# In a key policy, the resource "*" refers to the key the policy is attached to.
my_custom_policy = iam.PolicyDocument(
    statements=[iam.PolicyStatement(
        actions=["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*"],
        principals=[iam.AccountRootPrincipal()],
        resources=["*"]
    )]
)
key = kms.Key(self, "MyKey",
    policy=my_custom_policy
)

Attributes

assign_sids

Automatically assign Statement Ids to all statements.

Default:

false

minimize

Try to minimize the policy by merging statements.

To avoid overrunning the maximum policy size, combine statements if they produce the same result. Merging happens according to the following rules:

  • The Effect of both statements is the same

  • Neither of the statements has a ‘Sid’

  • Combine Principals if the rest of the statement is exactly the same.

  • Combine Resources if the rest of the statement is exactly the same.

  • Combine Actions if the rest of the statement is exactly the same.

  • We will never combine NotPrincipals, NotResources or NotActions, because doing so would change the meaning of the policy document.

Default:
  • false, unless the feature flag @aws-cdk/aws-iam:minimizePolicies is set
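
The merge rules above, modelled over plain IAM JSON statement dicts. This is an added example, not the CDK implementation: the function names `try_merge` and `minimize` and the sample statements are constructed for illustration. It shows why the "rest of the statement is exactly the same" condition matters: two statements that differ in both Action and Resource stay separate, since merging them would grant each action on both resources.

```python
# Added illustration of the documented merge rules; not the CDK implementation.
MERGEABLE = ("Principal", "Resource", "Action")  # Not* elements are deliberately absent

def _union(x, y):
    # Principal maps ({"AWS": ...}) are merged per key; other values as sets.
    if isinstance(x, dict):
        return {k: _union(x.get(k, []), y.get(k, [])) for k in sorted(set(x) | set(y))}
    as_list = lambda v: list(v) if isinstance(v, (list, tuple)) else [v]
    return sorted(set(as_list(x)) | set(as_list(y)))

def try_merge(a, b):
    """Return the merged statement, or None when a rule forbids merging."""
    if a.get("Effect") != b.get("Effect"):
        return None                      # Effect must match
    if "Sid" in a or "Sid" in b:
        return None                      # statements with a Sid are left alone
    for field in MERGEABLE:
        x, y = a.get(field), b.get(field)
        if x is None or y is None or isinstance(x, dict) != isinstance(y, dict):
            continue
        rest_a = {k: v for k, v in a.items() if k != field}
        rest_b = {k: v for k, v in b.items() if k != field}
        if rest_a == rest_b:             # everything else exactly the same
            return {**a, field: _union(x, y)}
    return None

def minimize(statements):
    """Merge pairwise, restarting after each merge, until nothing merges."""
    result = [dict(s) for s in statements]
    i = 0
    while i < len(result):
        for j in range(i + 1, len(result)):
            merged = try_merge(result[i], result[j])
            if merged is not None:
                result[i] = merged
                del result[j]
                i = 0
                break
        else:
            i += 1
    return result

SAMPLE = [  # constructed statements
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs/*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::logs/*"},
    {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::tmp/*"},
    {"Effect": "Deny", "NotAction": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "NotAction": "kms:*", "Resource": "*"},
]
```

`minimize(SAMPLE)` returns four statements: the first two are combined on Action, the third keeps its own Resource, and the two NotAction statements are left as they are.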

statements

Initial statements to add to the policy document.

Default:
  • No statements