Class PolicyStatement
Represents a statement in an IAM policy document.
Namespace: Amazon.CDK.AWS.IAM
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class PolicyStatement : DeputyBase
Syntax (vb)
Public Class PolicyStatement Inherits DeputyBase
Examples
// Log-delivery bucket; enforcing bucket-owner ownership disables ACLs.
var accessLogsBucket = new Bucket(this, "AccessLogsBucket", new BucketProps {
    ObjectOwnership = ObjectOwnership.BUCKET_OWNER_ENFORCED
});
// Resource policy statement attached to the log bucket.
accessLogsBucket.AddToResourcePolicy(
    new PolicyStatement(new PolicyStatementProps {
        Actions = new [] { "s3:*" },
        Resources = new [] { accessLogsBucket.BucketArn, accessLogsBucket.ArnForObjects("*") },
        Principals = new [] { new AnyPrincipal() }
    }));
// Source bucket whose server access logs are delivered under the "logs" prefix.
var bucket = new Bucket(this, "MyBucket", new BucketProps {
    ServerAccessLogsBucket = accessLogsBucket,
    ServerAccessLogsPrefix = "logs"
});
Synopsis
Constructors
| PolicyStatement(IPolicyStatementProps?) | Represents a statement in an IAM policy document. |
Properties
| Actions | The Actions added to this statement. |
| Conditions | The conditions added to this statement. |
| Effect | Whether to allow or deny the actions in this statement. |
| Frozen | Whether the PolicyStatement has been frozen. |
| HasPrincipal | Indicates if this permission has a "Principal" section. |
| HasResource | Indicates if this permission has at least one resource associated with it. |
| NotActions | The NotActions added to this statement. |
| NotPrincipals | The NotPrincipals added to this statement. |
| NotResources | The NotResources added to this statement. |
| PROPERTY_INJECTION_ID | Uniquely identifies this class. |
| Principals | The Principals added to this statement. |
| Resources | The Resources added to this statement. |
| Sid | Statement ID for this statement. |
Methods
| AddAccountCondition(string) | Add a StringEquals condition that limits to a given account from sts:ExternalId. |
| AddAccountRootPrincipal() | Adds an AWS account root user principal to this policy statement. |
| AddActions(params string[]) | Specify allowed actions into the "Action" section of the policy statement. |
| AddAllResources() | Adds a "*" resource to this statement. |
| AddAnyPrincipal() | Adds all identities in all accounts ("*") to this policy statement. |
| AddArnPrincipal(string) | Specify a principal using the ARN identifier of the principal. |
| AddAwsAccountPrincipal(string) | Specify AWS account ID as the principal entity to the "Principal" section of a policy statement. |
| AddCanonicalUserPrincipal(string) | Adds a canonical user ID principal to this policy document. |
| AddCondition(string, object) | Add a condition to the Policy. |
| AddConditions(IDictionary<string, object>) | Add multiple conditions to the Policy. |
| AddFederatedPrincipal(object, IDictionary<string, object>) | Adds a federated identity provider such as Amazon Cognito to this policy statement. |
| AddNotActions(params string[]) | Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document. |
| AddNotPrincipals(params IPrincipal[]) | Specify principals that are not allowed or denied access in the "NotPrincipal" section of a policy statement. |
| AddNotResources(params string[]) | Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement. |
| AddPrincipals(params IPrincipal[]) | Adds principals to the "Principal" section of a policy statement. |
| AddResources(params string[]) | Specify resources that this policy statement applies into the "Resource" section of this policy statement. |
| AddServicePrincipal(string, IServicePrincipalOpts?) | Adds a service principal to this policy statement. |
| AddSourceAccountCondition(string) | Add a StringEquals condition that limits to a given account from aws:SourceAccount. |
| AddSourceArnCondition(string) | Add an ArnEquals condition that limits to a given resource ARN from aws:SourceArn. |
| Copy(IPolicyStatementProps?) | Create a new PolicyStatement with the same exact properties as this one, except for the overrides. |
| Freeze() | Make the PolicyStatement immutable. |
| FromJson(object) | Creates a new PolicyStatement based on the object provided. |
| ToJSON() | JSON-ify the statement. |
| ToStatementJson() | JSON-ify the policy statement. |
| ToString() | String representation of this policy statement. |
| ValidateForAnyPolicy() | Validate that the policy statement satisfies base requirements for a policy. |
| ValidateForIdentityPolicy() | Validate that the policy statement satisfies all requirements for an identity-based policy. |
| ValidateForResourcePolicy() | Validate that the policy statement satisfies all requirements for a resource-based policy. |
Constructors
PolicyStatement(IPolicyStatementProps?)
Represents a statement in an IAM policy document.
public PolicyStatement(IPolicyStatementProps? props = null)
Parameters
- props IPolicyStatementProps
Properties
Actions
The Actions added to this statement.
public virtual string[] Actions { get; }
Property Value
string[]
Conditions
The conditions added to this statement.
public virtual object Conditions { get; }
Property Value
object
Effect
Whether to allow or deny the actions in this statement.
public virtual Effect Effect { get; set; }
Property Value
Effect
Frozen
Whether the PolicyStatement has been frozen.
public virtual bool Frozen { get; }
Property Value
bool
Remarks
The statement object is frozen when Freeze() is called.
HasPrincipal
Indicates if this permission has a "Principal" section.
public virtual bool HasPrincipal { get; }
Property Value
bool
HasResource
Indicates if this permission has at least one resource associated with it.
public virtual bool HasResource { get; }
Property Value
bool
NotActions
The NotActions added to this statement.
public virtual string[] NotActions { get; }
Property Value
string[]
NotPrincipals
The NotPrincipals added to this statement.
public virtual IPrincipal[] NotPrincipals { get; }
Property Value
IPrincipal[]
NotResources
The NotResources added to this statement.
public virtual string[] NotResources { get; }
Property Value
string[]
PROPERTY_INJECTION_ID
Uniquely identifies this class.
public static string PROPERTY_INJECTION_ID { get; }
Property Value
string
Principals
The Principals added to this statement.
public virtual IPrincipal[] Principals { get; }
Property Value
IPrincipal[]
Resources
The Resources added to this statement.
public virtual string[] Resources { get; }
Property Value
string[]
Sid
Statement ID for this statement.
public virtual string? Sid { get; set; }
Property Value
string
Methods
AddAccountCondition(string)
Add a StringEquals condition that limits to a given account from sts:ExternalId.
public virtual void AddAccountCondition(string accountId)
Parameters
- accountId string
Remarks
This method can only be called once: subsequent calls will overwrite earlier calls.
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
AddAccountRootPrincipal()
Adds an AWS account root user principal to this policy statement.
public virtual void AddAccountRootPrincipal()
AddActions(params string[])
Specify allowed actions into the "Action" section of the policy statement.
public virtual void AddActions(params string[] actions)
Parameters
- actions string[]
actions that will be allowed.
AddAllResources()
Adds a "*" resource to this statement.
public virtual void AddAllResources()
AddAnyPrincipal()
Adds all identities in all accounts ("*") to this policy statement.
public virtual void AddAnyPrincipal()
AddArnPrincipal(string)
Specify a principal using the ARN identifier of the principal.
public virtual void AddArnPrincipal(string arn)
Parameters
- arn string
ARN identifier of an AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name).
Remarks
You cannot specify IAM groups and instance profiles as principals.
AddAwsAccountPrincipal(string)
Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.
public virtual void AddAwsAccountPrincipal(string accountId)
Parameters
- accountId string
AddCanonicalUserPrincipal(string)
Adds a canonical user ID principal to this policy document.
public virtual void AddCanonicalUserPrincipal(string canonicalUserId)
Parameters
- canonicalUserId string
unique identifier assigned by AWS for every account.
AddCondition(string, object)
Add a condition to the Policy.
public virtual void AddCondition(string key, object value)
Parameters
- key string
- value object
Remarks
If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:
var stmt = new PolicyStatement();
// Same operator and same field: the second call replaces the first.
stmt.AddCondition("StringEquals", new Dictionary<string, string> { { "aws:SomeField", "1" } });
stmt.AddCondition("StringEquals", new Dictionary<string, string> { { "aws:SomeField", "2" } });
Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.
If you meant to add a condition to say that the field can be either 1 or 2, write this:
var stmt = new PolicyStatement();
// One call with both values: the field matches either "1" or "2".
stmt.AddCondition("StringEquals", new Dictionary<string, string[]> { { "aws:SomeField", new [] { "1", "2" } } });
AddConditions(IDictionary<string, object>)
Add multiple conditions to the Policy.
public virtual void AddConditions(IDictionary<string, object> conditions)
Parameters
- conditions IDictionary<string, object>
Remarks
See AddCondition(string, object) for a caveat on calling this method multiple times.
AddFederatedPrincipal(object, IDictionary<string, object>)
Adds a federated identity provider such as Amazon Cognito to this policy statement.
public virtual void AddFederatedPrincipal(object federated, IDictionary<string, object> conditions)
Parameters
- federated object
federated identity provider (e.g. 'cognito-identity.amazonaws.com').
- conditions IDictionary<string, object>
The conditions under which the policy is in effect.
AddNotActions(params string[])
Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document.
public virtual void AddNotActions(params string[] notActions)
Parameters
- notActions string[]
actions that will be denied.
AddNotPrincipals(params IPrincipal[])
Specify principals that are not allowed or denied access in the "NotPrincipal" section of a policy statement.
public virtual void AddNotPrincipals(params IPrincipal[] notPrincipals)
Parameters
- notPrincipals IPrincipal[]
IAM principals that will be denied access.
AddNotResources(params string[])
Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.
public virtual void AddNotResources(params string[] arns)
Parameters
- arns string[]
Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.
Remarks
All resources except the specified list will be matched.
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
AddPrincipals(params IPrincipal[])
Adds principals to the "Principal" section of a policy statement.
public virtual void AddPrincipals(params IPrincipal[] principals)
Parameters
- principals IPrincipal[]
IAM principals that will be added.
AddResources(params string[])
Specify resources that this policy statement applies into the "Resource" section of this policy statement.
public virtual void AddResources(params string[] arns)
Parameters
- arns string[]
Amazon Resource Names (ARNs) of the resources that this policy statement applies to.
AddServicePrincipal(string, IServicePrincipalOpts?)
Adds a service principal to this policy statement.
public virtual void AddServicePrincipal(string service, IServicePrincipalOpts? opts = null)
Parameters
- service string
the service name for which a service principal is requested (e.g. s3.amazonaws.com).
- opts IServicePrincipalOpts
options for adding the service principal (such as specifying a principal in a different region).
AddSourceAccountCondition(string)
Add a StringEquals condition that limits to a given account from aws:SourceAccount.
public virtual void AddSourceAccountCondition(string accountId)
Parameters
- accountId string
Remarks
This method can only be called once: subsequent calls will overwrite earlier calls.
AddSourceArnCondition(string)
Add an ArnEquals condition that limits to a given resource ARN from aws:SourceArn.
public virtual void AddSourceArnCondition(string arn)
Parameters
- arn string
Remarks
This method can only be called once: subsequent calls will overwrite earlier calls.
Copy(IPolicyStatementProps?)
Create a new PolicyStatement with the same exact properties as this one, except for the overrides.
public virtual PolicyStatement Copy(IPolicyStatementProps? overrides = null)
Parameters
- overrides IPolicyStatementProps
Returns
PolicyStatement
Freeze()
Make the PolicyStatement immutable.
public virtual PolicyStatement Freeze()
Returns
PolicyStatement
Remarks
After calling this, any of the AddXxx() methods will throw an exception.
Libraries that lazily generate statement bodies can override this method to fill the actual PolicyStatement fields. Be aware that this method may be called multiple times.
FromJson(object)
Creates a new PolicyStatement based on the object provided.
public static PolicyStatement FromJson(object obj)
Parameters
- obj object
the PolicyStatement in object form.
Returns
PolicyStatement
Remarks
This will accept an object created from the ToJSON() call.
ToJSON()
JSON-ify the statement.
public virtual object ToJSON()
Returns
object
Remarks
Used when JSON.stringify() is called.
ToStatementJson()
JSON-ify the policy statement.
public virtual object ToStatementJson()
Returns
object
Remarks
Used when JSON.stringify() is called.
ToString()
String representation of this policy statement.
public override string ToString()
Returns
string
ValidateForAnyPolicy()
Validate that the policy statement satisfies base requirements for a policy.
public virtual string[] ValidateForAnyPolicy()
Returns
string[]
An array of validation error messages, or an empty array if the statement is valid.
ValidateForIdentityPolicy()
Validate that the policy statement satisfies all requirements for an identity-based policy.
public virtual string[] ValidateForIdentityPolicy()
Returns
string[]
An array of validation error messages, or an empty array if the statement is valid.
ValidateForResourcePolicy()
Validate that the policy statement satisfies all requirements for a resource-based policy.
public virtual string[] ValidateForResourcePolicy()
Returns
string[]
An array of validation error messages, or an empty array if the statement is valid.
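The following is an added example, not code from the CDK documentation or library: it ties together AddServicePrincipal, AddSourceAccountCondition, AddSourceArnCondition, the three Validate methods and Freeze() to build a log-delivery statement that is scoped to one account and one source bucket instead of granting s3:* to AnyPrincipal. The class name, the bucket ARNs and the account ID are constructed placeholders; the logging.s3.amazonaws.com service principal is the one used by S3 server access logging.

```csharp
using System;
using Amazon.CDK.AWS.IAM;

// Added example (not part of the CDK docs). Builds a resource-policy statement that lets
// the S3 server access logging service write into a log bucket, restricted to requests
// originating from one account and one source bucket (confused-deputy protection),
// validates it for the policy type it will be attached to, and freezes it.
public static class ScopedLogDeliveryStatement
{
    public static PolicyStatement Build(string logBucketArn, string accountId, string sourceBucketArn)
    {
        var stmt = new PolicyStatement(new PolicyStatementProps
        {
            Sid = "S3ServerAccessLogsPolicy",
            Effect = Effect.ALLOW,
            Actions = new[] { "s3:PutObject" },
            Resources = new[] { logBucketArn + "/*" },
        });
        stmt.AddServicePrincipal("logging.s3.amazonaws.com");

        // Each of these may be called only once; a second call overwrites the first.
        stmt.AddSourceAccountCondition(accountId);   // StringEquals on aws:SourceAccount
        stmt.AddSourceArnCondition(sourceBucketArn); // ArnEquals on aws:SourceArn

        // A resource-based policy statement must carry a Principal; an identity-based
        // one must not, so this statement is only valid for a resource policy.
        string[] resourceErrors = stmt.ValidateForResourcePolicy();
        if (resourceErrors.Length > 0)
        {
            throw new InvalidOperationException(string.Join("; ", resourceErrors));
        }
        string[] identityErrors = stmt.ValidateForIdentityPolicy();
        Console.WriteLine($"errors if used as an identity policy: {identityErrors.Length}");

        // Freeze so later code cannot widen the grant: any AddXxx() call now throws.
        return stmt.Freeze();
    }

    public static void Main()
    {
        var stmt = Build(
            "arn:aws:s3:::example-access-logs",    // constructed placeholder
            "123456789012",                        // constructed placeholder
            "arn:aws:s3:::example-source-bucket"); // constructed placeholder
        Console.WriteLine($"frozen: {stmt.Frozen}");
        Console.WriteLine(stmt); // ToString(): rendered statement
    }
}
```

Attach the returned statement with Bucket.AddToResourcePolicy() as in the Examples section; because it is frozen, a later AddActions("s3:*") fails loudly at synth time instead of silently widening the policy.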