ServicePrincipal¶

class aws_cdk.aws_iam.ServicePrincipal(service, *, conditions=None, region=None)¶

Bases: aws_cdk.aws_iam.PrincipalBase

An IAM principal that represents an AWS service (i.e. sqs.amazonaws.com).

ExampleMetadata: infused

Example:

lambda_role = iam.Role(self, "Role",
    assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
    description="Example role..."
)

stream = kinesis.Stream(self, "MyEncryptedStream",
    encryption=kinesis.StreamEncryption.KMS
)

# give lambda permissions to read stream
stream.grant_read(lambda_role)

Parameters

service (str) – AWS service (i.e. sqs.amazonaws.com).
conditions (Optional[Mapping[str, Any]]) – Additional conditions to add to the Service Principal. Default: - No conditions
region (Optional[str]) – (deprecated) The region in which the service is operating. Default: the current Stack’s region.

Methods

add_to_assume_role_policy(document)¶

Add the princpial to the AssumeRolePolicyDocument.

Add the statements to the AssumeRolePolicyDocument necessary to give this principal permissions to assume the given role.

Parameters

document (PolicyDocument) –

Return type

None

add_to_policy(statement)¶

Add to the policy of this principal.

Parameters

statement (PolicyStatement) –

Return type

bool

add_to_principal_policy(_statement)¶

Add to the policy of this principal.

Parameters

_statement (PolicyStatement) –

Return type

AddToPrincipalPolicyResult

to_json()¶

JSON-ify the principal.

Used when JSON.stringify() is called

Return type: Mapping[str, List[str]]

to_string()¶

Returns a string representation of an object.

Return type: str

with_conditions(conditions)¶

Returns a new PrincipalWithConditions using this principal as the base, with the passed conditions added.

When there is a value for the same operator and key in both the principal and the conditions parameter, the value from the conditions parameter will be used.

Parameters

conditions (Mapping[str, Any]) –

Return type

PrincipalBase

Returns

a new PrincipalWithConditions object.

with_session_tags()¶

Returns a new principal using this principal as the base, with session tags enabled.

Return type: PrincipalBase
Returns: a new SessionTagsPrincipal object.

Attributes

assume_role_action¶

When this Principal is used in an AssumeRole policy, the action to use.

Return type: str

grant_principal¶

The principal to grant permissions to.

Return type: IPrincipal

policy_fragment¶

Return the policy fragment that identifies this principal in a Policy.

Return type: PrincipalPolicyFragment

principal_account¶

The AWS account ID of this principal.

Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it’s assumed to be AWS::AccountId.

Return type: Optional[str]

service¶

AWS service (i.e. sqs.amazonaws.com).

Return type: str