PolicyStatement

class aws_cdk.aws_iam.PolicyStatement(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)

Bases: object

Represents a statement in an IAM policy document.

Example:

from aws_cdk import aws_ec2 as ec2
from aws_cdk import aws_iam as iam

# self is the enclosing Stack (or any Construct)

# Add gateway endpoints when creating the VPC
vpc = ec2.Vpc(self, "MyVpc",
    gateway_endpoints={
        "S3": ec2.GatewayVpcEndpointOptions(
            service=ec2.GatewayVpcEndpointAwsService.S3
        )
    }
)

# Alternatively, gateway endpoints can be added on the VPC
dynamo_db_endpoint = vpc.add_gateway_endpoint("DynamoDbEndpoint",
    service=ec2.GatewayVpcEndpointAwsService.DYNAMODB
)

# The endpoint policy can be customized. Without one the endpoint allows any
# action; this statement restricts traffic through it to listing and describing tables.
dynamo_db_endpoint.add_to_policy(
    iam.PolicyStatement(
        principals=[iam.AnyPrincipal()],  # an endpoint policy is a resource policy, so it needs a principal
        actions=["dynamodb:DescribeTable", "dynamodb:ListTables"],
        resources=["*"]))

# Add an interface endpoint
vpc.add_interface_endpoint("EcrDockerEndpoint",
    service=ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER
)

Parameters
  • actions (Optional[Sequence[str]]) – List of actions to add to the statement. Default: - no actions

  • conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: - no condition

  • effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW

  • not_actions (Optional[Sequence[str]]) – List of not actions to add to the statement. Default: - no not-actions

  • not_principals (Optional[Sequence[IPrincipal]]) – List of not principals to add to the statement. Default: - no not principals

  • not_resources (Optional[Sequence[str]]) – NotResource ARNs to add to the statement. Default: - no not-resources

  • principals (Optional[Sequence[IPrincipal]]) – List of principals to add to the statement. Default: - no principals

  • resources (Optional[Sequence[str]]) – Resource ARNs to add to the statement. Default: - no resources

  • sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: - no sid

Methods

add_account_condition(account_id)

Add a condition that limits to a given account.

This method can only be called once: subsequent calls will overwrite earlier calls.

Parameters

account_id (str) –

Return type

None

add_account_root_principal()

Adds an AWS account root user principal to this policy statement.

Return type

None

add_actions(*actions)

Add actions to the “Action” section of the policy statement.

Parameters

actions (str) – actions this statement matches. They are allowed when the effect is Effect.ALLOW and denied when it is Effect.DENY.

See

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html

Return type

None

add_all_resources()

Adds a "*" resource to this statement.

Return type

None

add_any_principal()

Adds all identities in all accounts (“*”) to this policy statement.

In a resource-based policy with Effect.ALLOW this grants access to anonymous and cross-account callers as well; pair it with a condition (for example on aws:SourceVpce or aws:PrincipalOrgID) unless public access is intended.

Return type

None

add_arn_principal(arn)

Specify a principal using the ARN identifier of the principal.

You cannot specify IAM groups and instance profiles as principals.

Parameters

arn (str) – ARN identifier of an AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name).

Return type

None

add_aws_account_principal(account_id)

Adds an AWS account ID to the “Principal” section of the policy statement. This delegates to the account as a whole: IAM identities in that account still need identity-based permissions before they can use the grant.

Parameters

account_id (str) –

Return type

None

add_canonical_user_principal(canonical_user_id)

Adds a canonical user ID principal to this policy statement.

Parameters

canonical_user_id (str) – unique identifier assigned by AWS for every account.

Return type

None

add_condition(key, value)

Add a condition to the Policy.

If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:

# stmt: iam.PolicyStatement


stmt.add_condition("StringEquals", {"aws:SomeField": "1"})
stmt.add_condition("StringEquals", {"aws:SomeField": "2"})

Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.

If you meant to add a condition to say that the field can be either 1 or 2, write this:

# stmt: iam.PolicyStatement


stmt.add_condition("StringEquals", {"aws:SomeField": ["1", "2"]})

Parameters
  • key (str) –

  • value (Any) –

Return type

None

add_conditions(conditions)

Add multiple conditions to the Policy.

See add_condition for a caveat on calling this method multiple times.

Parameters

conditions (Mapping[str, Any]) –

Return type

None

add_federated_principal(federated, conditions)

Adds a federated identity provider such as Amazon Cognito to this policy statement.

Parameters
  • federated (Any) – federated identity provider (e.g. ‘cognito-identity.amazonaws.com’).

  • conditions (Mapping[str, Any]) – The conditions under which the policy is in effect. See the IAM documentation.

Return type

None

add_not_actions(*not_actions)

Add actions to the “NotAction” section of the policy statement. The statement then matches every action except the listed ones.

Combined with Effect.DENY this is the usual guardrail form (deny everything except an explicit safe list). Combined with Effect.ALLOW it allows every action except the listed ones, which is rarely the intent.

Parameters

not_actions (str) – actions excluded from this statement. They are neither allowed nor denied by it; all other actions are matched.

See

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html

Return type

None

add_not_principals(*not_principals)

Add principals to the “NotPrincipal” section of the policy statement. The statement then applies to every principal except the listed ones.

Use this with Effect.DENY (deny everyone except the listed principals). With Effect.ALLOW it would grant access to every other identity, anonymous and cross-account callers included, and AWS advises against that combination.

Parameters

not_principals (IPrincipal) – IAM principals excluded from this statement.

See

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

Return type

None

add_not_resources(*arns)

Add resources to the “NotResource” section of this policy statement.

The statement applies to every resource except the listed ones.

Parameters

arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.

See

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html

Return type

None

add_principals(*principals)

Adds principals to the “Principal” section of a policy statement.

Parameters

principals (IPrincipal) – IAM principals that will be added.

See

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

Return type

None

add_resources(*arns)

Add resources to the “Resource” section of this policy statement.

Parameters

arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement applies to.

See

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

Return type

None

add_service_principal(service, *, conditions=None, region=None)

Adds a service principal to this policy statement.

Parameters
  • service (str) – the service name for which a service principal is requested (e.g: s3.amazonaws.com).

  • conditions (Optional[Mapping[str, Any]]) – Additional conditions to add to the Service Principal. Default: - No conditions

  • region (Optional[str]) – (deprecated) The region in which the service is operating. Default: - the current Stack’s region.

Return type

None

copy(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)

Create a new PolicyStatement with the same exact properties as this one, except for the overrides.

Parameters
  • actions (Optional[Sequence[str]]) – List of actions to add to the statement. Default: - no actions

  • conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: - no condition

  • effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW

  • not_actions (Optional[Sequence[str]]) – List of not actions to add to the statement. Default: - no not-actions

  • not_principals (Optional[Sequence[IPrincipal]]) – List of not principals to add to the statement. Default: - no not principals

  • not_resources (Optional[Sequence[str]]) – NotResource ARNs to add to the statement. Default: - no not-resources

  • principals (Optional[Sequence[IPrincipal]]) – List of principals to add to the statement. Default: - no principals

  • resources (Optional[Sequence[str]]) – Resource ARNs to add to the statement. Default: - no resources

  • sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: - no sid

Return type

PolicyStatement

to_json()

JSON-ify the statement.

Equivalent to to_statement_json(); this is the hook used when the statement is serialized (JSON.stringify() in the underlying TypeScript implementation).

Return type

Any

to_statement_json()

JSON-ify the policy statement.

Returns the statement in IAM policy JSON form (Action, Effect, Principal, Resource, Condition, ...), as it will appear in the synthesized template. Single-element lists are rendered as a single value.

Return type

Any

to_string()

String representation of this policy statement.

Return type

str

validate_for_any_policy()

Validate that the policy statement satisfies base requirements for a policy.

Return type

List[str]

Returns

An array of validation error messages, or an empty array if the statement is valid.

validate_for_identity_policy()

Validate that the policy statement satisfies all requirements for an identity-based policy.

Return type

List[str]

Returns

An array of validation error messages, or an empty array if the statement is valid.

validate_for_resource_policy()

Validate that the policy statement satisfies all requirements for a resource-based policy.

Return type

List[str]

Returns

An array of validation error messages, or an empty array if the statement is valid.

Attributes

actions

The Actions added to this statement.

Return type

List[str]

conditions

The conditions added to this statement.

Return type

Any

effect

Whether to allow or deny the actions in this statement.

Return type

Effect

has_principal

Indicates whether this statement has a “Principal” (or “NotPrincipal”) section.

Return type

bool

has_resource

Indicates whether this statement has at least one resource (or NotResource) associated with it.

Return type

bool

not_actions

The NotActions added to this statement.

Return type

List[str]

not_principals

The NotPrincipals added to this statement.

Return type

List[IPrincipal]

not_resources

The NotResources added to this statement.

Return type

List[str]

principals

The Principals added to this statement.

Return type

List[IPrincipal]

resources

The Resources added to this statement.

Return type

List[str]

sid

Statement ID for this statement.

Return type

Optional[str]

Static Methods

classmethod from_json(obj)

Creates a new PolicyStatement based on the object provided.

This accepts a statement in IAM policy JSON form, such as the object returned by to_json().

Parameters

obj (Any) – the PolicyStatement in object form.

Return type

PolicyStatement