Class PermissionsBoundary
Apply a permissions boundary to all IAM Roles and Users within a specific scope.
Namespace: Amazon.CDK
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class PermissionsBoundary : DeputyBase
Syntax (vb)
Public Class PermissionsBoundary Inherits DeputyBase
Remarks
A permissions boundary is typically applied at the Stage scope.
This allows setting different permissions boundaries per Stage. For example, you may not apply a boundary to the Dev stage which deploys to a personal dev account, but you do apply the default boundary to the Prod stage.
It is possible to apply different permissions boundaries to different scopes within your app. In this case, the most specifically applied one wins.
Examples
// no permissions boundary for dev stage
new Stage(app, "DevStage");

// default boundary for prod stage
var prodStage = new Stage(app, "ProdStage", new StageProps {
    PermissionsBoundary = PermissionsBoundary.FromName("prod-pb")
});

// overriding the pb applied for this stack
new Stack(prodStage, "ProdStack1", new StackProps {
    PermissionsBoundary = PermissionsBoundary.FromName("stack-pb")
});

// will inherit the permissions boundary from the stage
new Stack(prodStage, "ProdStack2");
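An added example, not part of the CDK documentation or library: a check to run over a synthesized CloudFormation template from a scope where a boundary is expected, confirming that every AWS::IAM::Role and AWS::IAM::User resource actually carries a PermissionsBoundary property. The BoundaryAudit helper, the sample template and the account ID in it are constructed for illustration.

```csharp
// Requires C# 11 (.NET 7 or later) for the raw string literal.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Constructed sample template: the role carries a boundary, the user does not.
const string sampleTemplate = """
{
  "Resources": {
    "AppRole": {
      "Type": "AWS::IAM::Role",
      "Properties": { "PermissionsBoundary": "arn:aws:iam::111111111111:policy/prod-pb" }
    },
    "CiUser": { "Type": "AWS::IAM::User", "Properties": { "UserName": "ci" } },
    "Bucket": { "Type": "AWS::S3::Bucket" }
  }
}
""";

var findings = BoundaryAudit.Scan(sampleTemplate).ToList();
foreach (var (id, type, boundary) in findings)
    Console.WriteLine($"{(boundary is null ? "MISSING" : "ok"),-8}{type,-16}{id}  {boundary}");
// Non-zero exit lets a pipeline stop before deployment.
Environment.ExitCode = findings.Any(f => f.Boundary is null) ? 1 : 0;

// Hypothetical helper, not part of Amazon.CDK.
static class BoundaryAudit
{
    static readonly HashSet<string> Scoped = new() { "AWS::IAM::Role", "AWS::IAM::User" };

    // Returns each IAM Role/User with its raw PermissionsBoundary JSON, or null if absent.
    public static IEnumerable<(string Id, string Type, string? Boundary)> Scan(string templateJson)
    {
        using var doc = JsonDocument.Parse(templateJson);
        if (!doc.RootElement.TryGetProperty("Resources", out var resources)) yield break;
        foreach (var res in resources.EnumerateObject())
        {
            var type = res.Value.TryGetProperty("Type", out var t) ? t.GetString() : null;
            if (type is null || !Scoped.Contains(type)) continue;
            string? boundary = null;
            // The value may be a plain ARN string or an intrinsic-function object.
            if (res.Value.TryGetProperty("Properties", out var props) &&
                props.TryGetProperty("PermissionsBoundary", out var pb))
                boundary = pb.GetRawText();
            yield return (res.Name, type, boundary);
        }
    }
}
```

Run it only against templates from scopes that are meant to have a boundary; a stage such as DevStage above, which sets none, would report every role and user as MISSING by design.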
Synopsis
Methods
FromArn(string) | Apply a permissions boundary with the given ARN to all IAM Roles and Users created within a scope. |
FromName(string) | Apply a permissions boundary with the given name to all IAM Roles and Users created within a scope. |
Methods
FromArn(string)
Apply a permissions boundary with the given ARN to all IAM Roles and Users created within a scope.
public static PermissionsBoundary FromArn(string arn)
Parameters
- arn string
the ARN of the permissions boundary policy.
Returns
PermissionsBoundary
Remarks
The arn can include placeholders for the partition, region, qualifier, and account. These placeholders will be replaced with the actual values if available. This requires that the Stack has the environment specified; it does not work with environment-agnostic stacks.
Examples
new Stage(app, "ProdStage", new StageProps {
    PermissionsBoundary = PermissionsBoundary.FromArn("arn:aws:iam::${AWS::AccountId}:policy/my-custom-permissions-boundary")
});
FromName(string)
Apply a permissions boundary with the given name to all IAM Roles and Users created within a scope.
public static PermissionsBoundary FromName(string name)
Parameters
- name string
the name of the permissions boundary policy.
Returns
PermissionsBoundary
Remarks
The name can include placeholders for the partition, region, qualifier, and account. These placeholders will be replaced with the actual values if available. This requires that the Stack has the environment specified; it does not work with environment-agnostic stacks.
Examples
new Stage(app, "ProdStage", new StageProps {
    PermissionsBoundary = PermissionsBoundary.FromName("my-custom-permissions-boundary")
});