Class PermissionsBoundary
All Implemented Interfaces: software.amazon.jsii.JsiiSerializable
A permissions boundary is typically applied at the Stage scope.
This allows setting different permissions boundaries per Stage. For
example, you may not apply a boundary to the Dev stage which deploys
to a personal dev account, but you do apply the default boundary to the
Prod stage.
It is possible to apply different permissions boundaries to different scopes within your app. In this case the most specifically applied one wins.
Example:

  // no permissions boundary for dev stage
  new Stage(app, "DevStage");

  // default boundary for prod stage
  Stage prodStage = Stage.Builder.create(app, "ProdStage")
          .permissionsBoundary(PermissionsBoundary.fromName("prod-pb"))
          .build();

  // overriding the pb applied for this stack
  Stack.Builder.create(prodStage, "ProdStack1")
          .permissionsBoundary(PermissionsBoundary.fromName("stack-pb"))
          .build();

  // will inherit the permissions boundary from the stage
  new Stack(prodStage, "ProdStack2");
Nested Class Summary
  Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject:
  software.amazon.jsii.JsiiObject.InitializationMode
Constructor Summary
  Modifier    Constructor
  protected   PermissionsBoundary(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
  protected   PermissionsBoundary(software.amazon.jsii.JsiiObjectRef objRef)
Method Summary
  Modifier and Type            Method                 Description
  static PermissionsBoundary   fromArn(String arn)    Apply a permissions boundary with the given ARN to all IAM Roles and Users created within a scope.
  static PermissionsBoundary   fromName(String name)  Apply a permissions boundary with the given name to all IAM Roles and Users created within a scope.

  Methods inherited from class software.amazon.jsii.JsiiObject:
  jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet

  Methods inherited from class java.lang.Object:
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  Methods inherited from interface software.amazon.jsii.JsiiSerializable:
  $jsii$toJson
Constructor Details

PermissionsBoundary
  protected PermissionsBoundary(software.amazon.jsii.JsiiObjectRef objRef)

PermissionsBoundary
  protected PermissionsBoundary(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

Method Details
fromArn
  static PermissionsBoundary fromArn(String arn)

Apply a permissions boundary with the given ARN to all IAM Roles and Users created within a scope. The ARN can include placeholders for the partition, region, qualifier, and account. These placeholders will be replaced with the actual values if available. This requires that the Stack has its environment specified; it does not work with environment-agnostic stacks.
  - '${AWS::Partition}'
  - '${AWS::Region}'
  - '${AWS::AccountId}'
  - '${Qualifier}'

Example:

  Stage.Builder.create(app, "ProdStage")
          .permissionsBoundary(PermissionsBoundary.fromArn("arn:aws:iam::${AWS::AccountId}:policy/my-custom-permissions-boundary"))
          .build();

Parameters:
  arn - the ARN of the permissions boundary policy. This parameter is required.
fromName
  static PermissionsBoundary fromName(String name)

Apply a permissions boundary with the given name to all IAM Roles and Users created within a scope. The name can include placeholders for the partition, region, qualifier, and account. These placeholders will be replaced with the actual values if available. This requires that the Stack has its environment specified; it does not work with environment-agnostic stacks.
  - '${AWS::Partition}'
  - '${AWS::Region}'
  - '${AWS::AccountId}'
  - '${Qualifier}'

Example:

  Stage.Builder.create(app, "ProdStage")
          .permissionsBoundary(PermissionsBoundary.fromName("my-custom-permissions-boundary"))
          .build();

Parameters:
  name - the name of the permissions boundary policy. This parameter is required.
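The following Java program is an added example, not part of the CDK documentation above. It ties together the two points this page makes: ARN placeholders such as ${AWS::AccountId} are only resolved when the stack has an explicit environment, and where a Stack sets its own boundary it overrides the one set on the enclosing Stage. The account id and policy names are constructed sample values, and the closing assertion only checks that a boundary is present on the synthesized role, not its resolved ARN.

```java
import java.util.Map;

import software.amazon.awscdk.App;
import software.amazon.awscdk.Environment;
import software.amazon.awscdk.PermissionsBoundary;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.Stage;
import software.amazon.awscdk.assertions.Match;
import software.amazon.awscdk.assertions.Template;
import software.amazon.awscdk.services.iam.Role;
import software.amazon.awscdk.services.iam.ServicePrincipal;

public class PermissionsBoundaryExample {
    public static void main(String[] args) {
        App app = new App();

        // Placeholders like ${AWS::AccountId} are only resolved when the stack
        // knows its environment. The account id is a constructed sample value.
        Environment prodEnv = Environment.builder()
                .account("111111111111")
                .region("us-east-1")
                .build();

        // Stage-level boundary: inherited by every Role/User in the stage...
        Stage prodStage = Stage.Builder.create(app, "ProdStage")
                .env(prodEnv)
                .permissionsBoundary(PermissionsBoundary.fromArn(
                        "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/prod-boundary"))
                .build();

        // ...except where a more specific scope sets its own, as this stack does.
        Stack stack = Stack.Builder.create(prodStage, "ProdStack1")
                .permissionsBoundary(PermissionsBoundary.fromName("stack-boundary"))
                .build();

        // A role created inside the stack receives the stack-level boundary.
        Role.Builder.create(stack, "AppRole")
                .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
                .build();

        // Guardrail: fail synthesis if the role was emitted without a boundary.
        Template.fromStack(stack).hasResourceProperties("AWS::IAM::Role",
                Map.of("PermissionsBoundary", Match.anyValue()));

        System.out.println("AppRole in ProdStack1 carries a permissions boundary");
    }
}
```

Running this as a unit test in the CDK project catches a role that escaped the boundary before the template is ever deployed.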