PolicyStatement

class aws_cdk.aws_iam.PolicyStatement(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)

Bases: object

Represents a statement in an IAM policy document.

Example:

from aws_cdk import aws_ec2 as ec2, aws_iam as iam

# Inside a Stack (self is the Stack): add gateway endpoints when creating the VPC
vpc = ec2.Vpc(self, "MyVpc",
    gateway_endpoints={
        "S3": ec2.GatewayVpcEndpointOptions(
            service=ec2.GatewayVpcEndpointAwsService.S3
        )
    }
)

# Alternatively, gateway endpoints can be added on the VPC
dynamo_db_endpoint = vpc.add_gateway_endpoint("DynamoDbEndpoint",
    service=ec2.GatewayVpcEndpointAwsService.DYNAMODB
)

# The endpoint policy can then be customized:
# restrict the endpoint to listing and describing tables
dynamo_db_endpoint.add_to_policy(
    iam.PolicyStatement(
        principals=[iam.AnyPrincipal()],
        actions=["dynamodb:DescribeTable", "dynamodb:ListTables"],
        resources=["*"]))

# Add an interface endpoint
vpc.add_interface_endpoint("EcrDockerEndpoint",
    service=ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER
)

Parameters:
  • actions (Optional[Sequence[str]]) – List of actions to add to the statement. Default: - no actions

  • conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: - no condition

  • effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW

  • not_actions (Optional[Sequence[str]]) – List of not actions to add to the statement. Default: - no not-actions

  • not_principals (Optional[Sequence[IPrincipal]]) – List of not principals to add to the statement. Default: - no not principals

  • not_resources (Optional[Sequence[str]]) – NotResource ARNs to add to the statement. Default: - no not-resources

  • principals (Optional[Sequence[IPrincipal]]) – List of principals to add to the statement. Default: - no principals

  • resources (Optional[Sequence[str]]) – Resource ARNs to add to the statement. Default: - no resources

  • sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: - no sid

Methods

add_account_condition(account_id)

Add a condition that limits to a given account.

This method can only be called once: subsequent calls will overwrite earlier calls.

Parameters:

account_id (str) –

Return type:

None

add_account_root_principal()

Adds an AWS account root user principal to this policy statement.

Return type:

None

add_actions(*actions)

Add allowed actions to the “Action” section of the policy statement.

Parameters:

actions (str) – actions that will be allowed.

See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html

Return type:

None

add_all_resources()

Adds a "*" resource to this statement.

Return type:

None

add_any_principal()

Adds all identities in all accounts (“*”) to this policy statement.

Return type:

None

add_arn_principal(arn)

Specify a principal using the ARN identifier of the principal.

You cannot specify IAM groups and instance profiles as principals.

Parameters:

arn (str) – ARN identifier of an AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name).

Return type:

None

add_aws_account_principal(account_id)

Specify an AWS account ID as the principal entity in the “Principal” section of a policy statement.

Parameters:

account_id (str) –

Return type:

None

add_canonical_user_principal(canonical_user_id)

Adds a canonical user ID principal to this policy document.

Parameters:

canonical_user_id (str) – unique identifier assigned by AWS for every account.

Return type:

None

add_condition(key, value)

Add a condition to the Policy.

If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:

# stmt: iam.PolicyStatement


stmt.add_condition("StringEquals", {"aws:SomeField": "1"})
stmt.add_condition("StringEquals", {"aws:SomeField": "2"})

Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.

If you meant to add a condition to say that the field can be either 1 or 2, write this:

# stmt: iam.PolicyStatement


stmt.add_condition("StringEquals", {"aws:SomeField": ["1", "2"]})

Parameters:
  • key (str) –

  • value (Any) –

Return type:

None
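The overwrite rule above, modelled in a stand-alone Python snippet added here (not the CDK's own implementation; ConditionBag and overwritten_fields are illustrative names): the class reproduces the per-operator merge with last-value-wins per field, and the helper flags any operator/field pair whose value was replaced by a later call, which is the check to run when two values were meant to be OR-ed.

```python
# Stand-alone model (added example, not the CDK's own code) of the
# add_condition merge rule: conditions are keyed by operator, then by
# field, and a later call for the same operator and field silently
# overwrites the earlier value instead of OR-ing the two values.
from typing import Any, Dict, List, Tuple

Call = Tuple[str, Dict[str, Any]]  # (operator, {field: value})


class ConditionBag:
    """Minimal stand-in for the condition side of a PolicyStatement."""

    def __init__(self) -> None:
        self.conditions: Dict[str, Dict[str, Any]] = {}

    def add_condition(self, operator: str, fields: Dict[str, Any]) -> None:
        # Same operator: merge the field maps; same field: last value wins.
        self.conditions.setdefault(operator, {}).update(fields)

    def add_conditions(self, conditions: Dict[str, Dict[str, Any]]) -> None:
        for operator, fields in conditions.items():
            self.add_condition(operator, fields)


def build(calls: List[Call]) -> Dict[str, Dict[str, Any]]:
    """Apply a sequence of add_condition calls and return the result."""
    bag = ConditionBag()
    for operator, fields in calls:
        bag.add_condition(operator, fields)
    return bag.conditions


def overwritten_fields(calls: List[Call]) -> List[str]:
    """Return 'Operator/field' slots whose value a later call replaced.

    Any hit means an intended OR (a list of values) was written as two
    separate calls, so the first value was dropped from the policy.
    """
    seen: Dict[str, Any] = {}
    clobbered: List[str] = []
    for operator, fields in calls:
        for field, value in fields.items():
            slot = f"{operator}/{field}"
            if slot in seen and seen[slot] != value:
                clobbered.append(slot)
            seen[slot] = value
    return clobbered


# Constructed call sequences: the mistaken form from the text, then the fix.
MISTAKEN: List[Call] = [("StringEquals", {"aws:SomeField": "1"}),
                        ("StringEquals", {"aws:SomeField": "2"})]
CORRECT: List[Call] = [("StringEquals", {"aws:SomeField": ["1", "2"]})]
```

Running build(MISTAKEN) yields only the value "2", and overwritten_fields(MISTAKEN) names the slot that was clobbered; the CORRECT sequence keeps both values and trips no warning.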

add_conditions(conditions)

Add multiple conditions to the Policy.

See add_condition for a caveat on calling this method multiple times.

Parameters:

conditions (Mapping[str, Any]) –

Return type:

None

add_federated_principal(federated, conditions)

Adds a federated identity provider such as Amazon Cognito to this policy statement.

Parameters:
  • federated (Any) – federated identity provider (e.g. ‘cognito-identity.amazonaws.com’).

  • conditions (Mapping[str, Any]) – The conditions under which the policy is in effect. See the IAM documentation.

Return type:

None

add_not_actions(*not_actions)

Add actions to the “NotAction” section of the policy statement, so that the statement matches every action except the ones listed. Note that NotAction does not itself deny the listed actions; it only excludes them from this statement, so with Effect.ALLOW the statement is a broad grant of every action not listed.

Parameters:

not_actions (str) – actions excluded from this statement. All other actions will be permitted.

See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html

Return type:

None

add_not_principals(*not_principals)

Specify principals to exclude from this statement in the “NotPrincipal” section: the statement's effect applies to every principal except those listed. AWS recommends using NotPrincipal only together with Effect.DENY.

Parameters:

not_principals (IPrincipal) – IAM principals that this statement does not apply to.

See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

Return type:

None

add_not_resources(*arns)

Specify resources that this policy statement does not apply to in the “NotResource” section of this policy statement.

All resources except the specified list will be matched.

Parameters:

arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.

See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html

Return type:

None

add_principals(*principals)

Adds principals to the “Principal” section of a policy statement.

Parameters:

principals (IPrincipal) – IAM principals that will be added.

See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

Return type:

None

add_resources(*arns)

Specify the resources that this policy statement applies to in the “Resource” section of this policy statement.

Parameters:

arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement applies to.

See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

Return type:

None

add_service_principal(service, *, conditions=None, region=None)

Adds a service principal to this policy statement.

Parameters:
  • service (str) – the service name for which a service principal is requested (e.g. s3.amazonaws.com).

  • conditions (Optional[Mapping[str, Any]]) – Additional conditions to add to the Service Principal. Default: - No conditions

  • region (Optional[str]) – (deprecated) The region in which the service is operating. Default: - the current Stack’s region.

Return type:

None

copy(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)

Create a new PolicyStatement with the same exact properties as this one, except for the overrides.

Parameters:
  • actions (Optional[Sequence[str]]) – List of actions to add to the statement. Default: - no actions

  • conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: - no condition

  • effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW

  • not_actions (Optional[Sequence[str]]) – List of not actions to add to the statement. Default: - no not-actions

  • not_principals (Optional[Sequence[IPrincipal]]) – List of not principals to add to the statement. Default: - no not principals

  • not_resources (Optional[Sequence[str]]) – NotResource ARNs to add to the statement. Default: - no not-resources

  • principals (Optional[Sequence[IPrincipal]]) – List of principals to add to the statement. Default: - no principals

  • resources (Optional[Sequence[str]]) – Resource ARNs to add to the statement. Default: - no resources

  • sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: - no sid

Return type:

PolicyStatement

to_json()

JSON-ify the statement.

Used when the statement is serialized to JSON (JSON.stringify() in the underlying TypeScript).

Return type:

Any

to_statement_json()

JSON-ify the policy statement.

Used when the policy statement is serialized to JSON (JSON.stringify() in the underlying TypeScript).

Return type:

Any

to_string()

String representation of this policy statement.

Return type:

str

validate_for_any_policy()

Validate that the policy statement satisfies base requirements for a policy.

Return type:

List[str]

Returns:

An array of validation error messages, or an empty array if the statement is valid.

validate_for_identity_policy()

Validate that the policy statement satisfies all requirements for an identity-based policy.

Return type:

List[str]

Returns:

An array of validation error messages, or an empty array if the statement is valid.

validate_for_resource_policy()

Validate that the policy statement satisfies all requirements for a resource-based policy.

Return type:

List[str]

Returns:

An array of validation error messages, or an empty array if the statement is valid.

Attributes

actions

The Actions added to this statement.

conditions

The conditions added to this statement.

effect

Whether to allow or deny the actions in this statement.

has_principal

Indicates if this permission has a “Principal” section.

has_resource

Indicates if this permission has at least one resource associated with it.

not_actions

The NotActions added to this statement.

not_principals

The NotPrincipals added to this statement.

not_resources

The NotResources added to this statement.

principals

The Principals added to this statement.

resources

The Resources added to this statement.

sid

Statement ID for this statement.

Static Methods

classmethod from_json(obj)

Creates a new PolicyStatement based on the object provided.

This will accept an object created by the to_json() call (toJSON() in the underlying TypeScript).

Parameters:

obj (Any) – the PolicyStatement in object form.

Return type:

PolicyStatement