Class PermissionsBoundary
- All Implemented Interfaces:
software.amazon.jsii.JsiiSerializable
A permissions boundary is typically applied at the Stage
scope.
This allows setting different permissions boundaries per Stage. For
example, you may not apply a boundary to the Dev
stage which deploys
to a personal dev account, but you do apply the default boundary to the
Prod
stage.
It is possible to apply different permissions boundaries to different scopes within your app. In this case the most specifically applied one wins
Example:
// no permissions boundary for dev stage // no permissions boundary for dev stage new Stage(app, "DevStage"); // default boundary for prod stage Stage prodStage = Stage.Builder.create(app, "ProdStage") .permissionsBoundary(PermissionsBoundary.fromName("prod-pb")) .build(); // overriding the pb applied for this stack // overriding the pb applied for this stack Stack.Builder.create(prodStage, "ProdStack1") .permissionsBoundary(PermissionsBoundary.fromName("stack-pb")) .build(); // will inherit the permissions boundary from the stage // will inherit the permissions boundary from the stage new Stack(prodStage, "ProdStack2");
-
Nested Class Summary
Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject
software.amazon.jsii.JsiiObject.InitializationMode
-
Constructor Summary
ConstructorsModifierConstructorDescriptionprotected
PermissionsBoundary
(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) protected
PermissionsBoundary
(software.amazon.jsii.JsiiObjectRef objRef) -
Method Summary
Modifier and TypeMethodDescriptionstatic PermissionsBoundary
Apply a permissions boundary with the given ARN to all IAM Roles and Users created within a scope.static PermissionsBoundary
Apply a permissions boundary with the given name to all IAM Roles and Users created within a scope.Methods inherited from class software.amazon.jsii.JsiiObject
jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
-
Constructor Details
-
PermissionsBoundary
protected PermissionsBoundary(software.amazon.jsii.JsiiObjectRef objRef) -
PermissionsBoundary
protected PermissionsBoundary(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
-
-
Method Details
-
fromArn
Apply a permissions boundary with the given ARN to all IAM Roles and Users created within a scope.The arn can include placeholders for the partition, region, qualifier, and account These placeholders will be replaced with the actual values if available. This requires that the Stack has the environment specified, it does not work with environment agnostic stacks.
- '${AWS::Partition}'
- '${AWS::Region}'
- '${AWS::AccountId}'
- '${Qualifier}'
Example:
Stage.Builder.create(app, "ProdStage") .permissionsBoundary(PermissionsBoundary.fromArn("arn:aws:iam::${AWS::AccountId}:policy/my-custom-permissions-boundary")) .build();
- Parameters:
arn
- the ARN of the permissions boundary policy. This parameter is required.
-
fromName
Apply a permissions boundary with the given name to all IAM Roles and Users created within a scope.The name can include placeholders for the partition, region, qualifier, and account These placeholders will be replaced with the actual values if available. This requires that the Stack has the environment specified, it does not work with environment agnostic stacks.
- '${AWS::Partition}'
- '${AWS::Region}'
- '${AWS::AccountId}'
- '${Qualifier}'
Example:
Stage.Builder.create(app, "ProdStage") .permissionsBoundary(PermissionsBoundary.fromName("my-custom-permissions-boundary")) .build();
- Parameters:
name
- the name of the permissions boundary policy. This parameter is required.
-