class UntrustedCodeBoundaryPolicy (construct)
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.CodeBuild.UntrustedCodeBoundaryPolicy |
Go | github.com/aws/aws-cdk-go/awscdk/v2/awscodebuild#UntrustedCodeBoundaryPolicy |
Java | software.amazon.awscdk.services.codebuild.UntrustedCodeBoundaryPolicy |
Python | aws_cdk.aws_codebuild.UntrustedCodeBoundaryPolicy |
TypeScript (source) | aws-cdk-lib » aws_codebuild » UntrustedCodeBoundaryPolicy |
Implements: IConstruct, IDependable, IResource, IManaged, IGrantable
Permissions Boundary for a CodeBuild Project running untrusted code.
This class is a Policy, intended to be used as a Permissions Boundary for a CodeBuild project. It allows most of the actions necessary to run the CodeBuild project, but disallows reading from Parameter Store and Secrets Manager.
Use this when your CodeBuild project is running untrusted code (for example, if you are using one to automatically build Pull Requests that anyone can submit), and you want to prevent your future self from accidentally exposing Secrets to this build.
(The reason you might want to do this is that otherwise anyone who can submit a Pull Request to your project can write a script to email those secrets to themselves.)
Example
declare const project: codebuild.Project;
iam.PermissionsBoundary.of(project).apply(new codebuild.UntrustedCodeBoundaryPolicy(this, 'Boundary'));
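To make the security property concrete, here is an added example (not code from the CDK docs, from aws-cdk-lib, or from the construct itself) written in plain TypeScript with no CDK dependency. It models how IAM combines a permissions boundary with a role's identity policy: an action is effective only if both policies allow it, and an explicit Deny in either one wins. The boundary and project-role policies below are constructed for illustration, modeled on this page's description rather than copied from the construct's real statements, and the action names are only a representative sample.

```typescript
// Added example: a minimal model of IAM permissions-boundary evaluation.
// The policies, action names and the evaluator are a simplified illustration,
// not the real statements inside UntrustedCodeBoundaryPolicy.

type Effect = 'Allow' | 'Deny';
interface Statement { effect: Effect; actions: string[] }
type Policy = Statement[];

// Escape a literal fragment so it can be embedded in a RegExp.
function escapeRe(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Match an IAM action against a pattern such as "logs:*" or "ssm:GetParameter*".
function actionMatches(pattern: string, action: string): boolean {
  const re = new RegExp('^' + pattern.split('*').map(escapeRe).join('.*') + '$', 'i');
  return re.test(action);
}

// Evaluate one policy on its own: an explicit Deny beats any Allow,
// and an action no statement mentions is implicitly denied.
function evaluate(policy: Policy, action: string): Effect | 'ImplicitDeny' {
  let allowed = false;
  for (const st of policy) {
    if (st.actions.some(p => actionMatches(p, action))) {
      if (st.effect === 'Deny') return 'Deny';
      allowed = true;
    }
  }
  return allowed ? 'Allow' : 'ImplicitDeny';
}

// With a permissions boundary the effective permission is the intersection:
// the identity policy AND the boundary must both allow the action.
function isAllowed(identity: Policy, boundary: Policy, action: string): boolean {
  return evaluate(identity, action) === 'Allow' && evaluate(boundary, action) === 'Allow';
}

// Constructed boundary modeled on the page's description: allow what a build
// needs, but never reads from Parameter Store or Secrets Manager.
const untrustedCodeBoundary: Policy = [
  { effect: 'Allow', actions: ['logs:*', 'codebuild:*', 's3:GetObject', 's3:PutObject', 'ecr:*'] },
  { effect: 'Deny',  actions: ['ssm:GetParameter*', 'secretsmanager:GetSecretValue'] },
];

// Constructed project role: a later, well-meaning edit grants the role
// secret access. The boundary is what keeps that edit harmless.
const projectRolePolicy: Policy = [
  { effect: 'Allow', actions: ['logs:*', 'codebuild:*', 's3:*'] },
  { effect: 'Allow', actions: ['secretsmanager:GetSecretValue', 'ssm:GetParameter'] },
];

// Check a representative set of actions the untrusted build might attempt.
function checkBuildPermissions(identity: Policy, boundary: Policy): Record<string, boolean> {
  const actions = [
    'logs:PutLogEvents',
    's3:GetObject',
    's3:DeleteObject',
    'ssm:GetParameter',
    'secretsmanager:GetSecretValue',
  ];
  const result: Record<string, boolean> = {};
  for (const a of actions) result[a] = isAllowed(identity, boundary, a);
  return result;
}

console.log(checkBuildPermissions(projectRolePolicy, untrustedCodeBoundary));
```

Two things to observe in the output: the secret reads stay denied even though the project role was explicitly granted them, and `s3:DeleteObject` is denied because the boundary never allowed it, which is the intersection behaviour at work. Real IAM evaluation also considers resource ARNs, conditions, service control policies and resource-based policies; the model above ignores all of those and only shows the boundary logic this page relies on.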
Initializer
new UntrustedCodeBoundaryPolicy(scope: Construct, id: string, props?: UntrustedCodeBoundaryPolicyProps)
Parameters
- scope: Construct
- id: string
- props: UntrustedCodeBoundaryPolicyProps
Construct Props
Name | Type | Description |
---|---|---|
additionalStatements | PolicyStatement[] | Additional statements to add to the default set of statements. |
managedPolicyName | string | The name of the managed policy. |
additionalStatements?
Type: PolicyStatement[] (optional, default: No additional statements)
Additional statements to add to the default set of statements.
managedPolicyName?
Type: string (optional, default: A name is automatically generated.)
The name of the managed policy.
Properties
Name | Type | Description |
---|---|---|
description | string | The description of this policy. |
document | Policy | The policy document. |
env | Resource | The environment this resource belongs to. |
grantPrincipal | IPrincipal | The principal to grant permissions to. |
managedPolicyArn | string | Returns the ARN of this managed policy. |
managedPolicyName | string | The name of this policy. |
node | Node | The tree node. |
path | string | The path of this policy. |
stack | Stack | The stack in which this resource is defined. |
description
Type: string
The description of this policy.
document
Type: Policy
The policy document.
env
Type: Resource
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by instantiating new classes such as Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods such as fromRoleArn, fromBucketName, etc.), it may differ from the stack they were imported into.
grantPrincipal
Type: IPrincipal
The principal to grant permissions to.
managedPolicyArn
Type: string
Returns the ARN of this managed policy.
managedPolicyName
Type: string
The name of this policy.
node
Type: Node
The tree node.
path
Type: string
The path of this policy.
stack
Type: Stack
The stack in which this resource is defined.
Methods
Name | Description |
---|---|
addStatements | Adds a statement to the policy document. |
applyRemovalPolicy | Apply the given removal policy to this resource. |
attachToGroup | Attaches this policy to a group. |
attachToRole | Attaches this policy to a role. |
attachToUser | Attaches this policy to a user. |
toString | Returns a string representation of this construct. |
addStatements(...statement)
public addStatements(...statement: PolicyStatement[]): void
Parameters
- statement: PolicyStatement
Adds a statement to the policy document.
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy: RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).
attachToGroup(group)
public attachToGroup(group: IGroup): void
Parameters
- group: IGroup
Attaches this policy to a group.
attachToRole(role)
public attachToRole(role: IRole): void
Parameters
- role: IRole
Attaches this policy to a role.
attachToUser(user)
public attachToUser(user: IUser): void
Parameters
- user: IUser
Attaches this policy to a user.
toString()
public toString(): string
Returns: string
Returns a string representation of this construct.