PolicyDocumentProps

class aws_cdk.aws_iam.PolicyDocumentProps(*, assign_sids=None, minimize=None, statements=None)

Bases: object

Properties for a new PolicyDocument.

Parameters
  • assign_sids (Optional[bool]) – Automatically assign Statement Ids to all statements. Default: false

  • minimize (Optional[bool]) – Try to minimize the policy by merging statements. To avoid overrunning the maximum policy size, combine statements if they produce the same result. Merging happens according to the following rules:
      • The Effect of both statements is the same
      • Neither of the statements has a ‘Sid’
      • Combine Principals if the rest of the statement is exactly the same.
      • Combine Resources if the rest of the statement is exactly the same.
      • Combine Actions if the rest of the statement is exactly the same.
      • We will never combine NotPrincipals, NotResources or NotActions, because doing so would change the meaning of the policy document.
    Default: false, unless the feature flag @aws-cdk/aws-iam:minimizePolicies is set

  • statements (Optional[Sequence[PolicyStatement]]) – Initial statements to add to the policy document. Default: No statements

Example:

from aws_cdk import aws_iam as iam, aws_kms as kms

# `self` is the Stack (or other Construct) in which these resources are defined.
my_trusted_admin_role = iam.Role.from_role_arn(self, "TrustedRole", "arn:aws:iam:....")
# Creates a limited admin policy and assigns to the account root.
my_custom_policy = iam.PolicyDocument(
    statements=[iam.PolicyStatement(
        actions=["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*"],
        principals=[iam.AccountRootPrincipal()],
        resources=["*"]
    )]
)
# The key policy is the PolicyDocument built above, not the default key policy.
key = kms.Key(self, "MyKey",
    policy=my_custom_policy
)

Attributes

assign_sids

Automatically assign Statement Ids to all statements.

Default

false

Return type

Optional[bool]

minimize

Try to minimize the policy by merging statements.

To avoid overrunning the maximum policy size, combine statements if they produce the same result. Merging happens according to the following rules:

  • The Effect of both statements is the same

  • Neither of the statements has a ‘Sid’

  • Combine Principals if the rest of the statement is exactly the same.

  • Combine Resources if the rest of the statement is exactly the same.

  • Combine Actions if the rest of the statement is exactly the same.

  • We will never combine NotPrincipals, NotResources or NotActions, because doing so would change the meaning of the policy document.

Default
  • false, unless the feature flag @aws-cdk/aws-iam:minimizePolicies is set

Return type

Optional[bool]
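The merging rules above can be checked by hand on plain IAM JSON. The following is an added illustration, written for this page and not the CDK's own minimization code: it applies the documented rules (same Effect, no Sid, never a Not* key, combine Principal/Resource/Action when everything else is identical) to a list of statement dicts in one greedy pass. The function names minimize and try_merge and the sample statements (bucket names, account ids) are constructed for the example.

```python
import json
from copy import deepcopy

# Keys whose values may be combined when the rest of the statement is identical
# (checked in the order the documentation lists them).
MERGEABLE_KEYS = ("Principal", "Resource", "Action")
# Negated keys are never combined: merging them would change the policy's meaning.
NEGATED_KEYS = ("NotPrincipal", "NotResource", "NotAction")


def _as_list(value):
    """IAM allows a single string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _union(items):
    """Order-preserving union, collapsed back to a scalar when only one item remains."""
    seen = []
    for item in items:
        if item not in seen:
            seen.append(item)
    return seen if len(seen) > 1 else seen[0]


def _rest_of(stmt, key):
    """Canonical JSON of the statement with `key` removed, for exact comparison."""
    return json.dumps({k: v for k, v in stmt.items() if k != key}, sort_keys=True)


def _merge_values(key, va, vb):
    """Combine two values of a mergeable key; None if they cannot be combined."""
    if key == "Principal":
        # Principals are {"AWS": ..., "Service": ...} maps; merge per principal type.
        if not (isinstance(va, dict) and isinstance(vb, dict)):
            return None  # e.g. "*" next to a map: leave both statements alone
        return {ptype: _union(_as_list(va.get(ptype)) + _as_list(vb.get(ptype)))
                for ptype in sorted(set(va) | set(vb))}
    return _union(_as_list(va) + _as_list(vb))


def try_merge(a, b):
    """Return the merged statement if `a` and `b` merge under the documented rules, else None."""
    if a.get("Effect") != b.get("Effect"):
        return None
    if "Sid" in a or "Sid" in b:
        return None
    if any(k in a or k in b for k in NEGATED_KEYS):
        return None
    for key in MERGEABLE_KEYS:
        if key in a and key in b and _rest_of(a, key) == _rest_of(b, key):
            combined = _merge_values(key, a[key], b[key])
            if combined is not None:
                merged = deepcopy(a)
                merged[key] = combined
                return merged
    return None


def minimize(statements):
    """One greedy pass: fold each statement into the first earlier one it can merge with."""
    result = []
    for stmt in statements:
        for i, existing in enumerate(result):
            merged = try_merge(existing, stmt)
            if merged is not None:
                result[i] = merged
                break
        else:
            result.append(deepcopy(stmt))
    return result


# Constructed sample input (bucket names are made up for this example).
SAMPLE_STATEMENTS = [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::other-bucket"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Sid": "KeepMe", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "NotAction": "organizations:*", "Resource": "*"},
]

if __name__ == "__main__":
    # Eight input statements collapse to six: the two Get/Put statements merge on
    # Action, the two ListBucket statements merge on Resource, and the Sid'd and
    # NotAction statements are left untouched.
    print(json.dumps({"Version": "2012-10-17", "Statement": minimize(SAMPLE_STATEMENTS)}, indent=2))
```

Running the module prints the minimized document. Two points worth noticing: a statement that carries a Sid is never touched even when an otherwise identical statement exists, which is why assign_sids and minimize do not combine well, and the NotAction statements stay separate because merging their exclusions would grant more than either did alone. This single pass also does not re-examine a merged statement against later ones, which is enough to show the rules but is not a claim about how the CDK iterates.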

statements

Initial statements to add to the policy document.

Default
  • No statements

Return type

Optional[List[PolicyStatement]]