All Implemented Interfaces:
IResource, IGrantable, IGroup, IIdentity, IPrincipal,, software.constructs.IConstruct, software.constructs.IDependable

@Generated(value="jsii-pacmak/1.99.0 (build 8f757e4)", date="2024-06-13T18:49:19.884Z") @Stability(Stable) public class Group extends Resource implements IGroup
An IAM Group (collection of IAM users) lets you specify permissions for multiple users, which can make it easier to manage permissions for those users.


 User user = new User(this, "MyUser"); // or User.fromUserName(this, 'User', 'johnsmith');
 Group group = new Group(this, "MyGroup"); // or Group.fromGroupArn(this, 'Group', 'arn:aws:iam::account-id:group/group-name');
 // or

See Also:
  • Constructor Details

    • Group

      protected Group( objRef)
    • Group

      protected Group( initializationMode)
    • Group

      @Stability(Stable) public Group(@NotNull software.constructs.Construct scope, @NotNull String id, @Nullable GroupProps props)
      scope - This parameter is required.
      id - This parameter is required.
      props -
    • Group

      @Stability(Stable) public Group(@NotNull software.constructs.Construct scope, @NotNull String id)
      scope - This parameter is required.
      id - This parameter is required.
  • Method Details

    • fromGroupArn

      @Stability(Stable) @NotNull public static IGroup fromGroupArn(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String groupArn)
      Import an external group by ARN.

      If the imported Group ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) and the referenced group has a path (like arn:...:group/AdminGroup/NetworkAdmin), the groupName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Group ARN should be supplied without the path in order to resolve the correct group resource.

      scope - construct scope. This parameter is required.
      id - construct id. This parameter is required.
      groupArn - the ARN of the group to import (e.g. arn:aws:iam::account-id:group/group-name). This parameter is required.
    • fromGroupName

      @Stability(Stable) @NotNull public static IGroup fromGroupName(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String groupName)
      Import an existing group by given name (with path).

      This method has same caveats of fromGroupArn

      scope - construct scope. This parameter is required.
      id - construct id. This parameter is required.
      groupName - the groupName (path included) of the existing group to import. This parameter is required.
    • addManagedPolicy

      @Stability(Stable) public void addManagedPolicy(@NotNull IManagedPolicy policy)
      Attaches a managed policy to this group.

      See [IAM and AWS STS quotas, name requirements, and character limits] ( for quota of managed policies attached to an IAM group.

      Specified by:
      addManagedPolicy in interface IIdentity
      policy - The managed policy to attach. This parameter is required.
    • addToPolicy

      @Stability(Stable) @NotNull public Boolean addToPolicy(@NotNull PolicyStatement statement)
      Add to the policy of this principal.

      statement - This parameter is required.
    • addToPrincipalPolicy

      @Stability(Stable) @NotNull public AddToPrincipalPolicyResult addToPrincipalPolicy(@NotNull PolicyStatement statement)
      Adds an IAM statement to the default policy.

      Specified by:
      addToPrincipalPolicy in interface IPrincipal
      statement - This parameter is required.
    • addUser

      @Stability(Stable) public void addUser(@NotNull IUser user)
      Adds a user to this group.

      user - This parameter is required.
    • attachInlinePolicy

      @Stability(Stable) public void attachInlinePolicy(@NotNull Policy policy)
      Attaches a policy to this group.

      Specified by:
      attachInlinePolicy in interface IIdentity
      policy - The policy to attach. This parameter is required.
    • getAssumeRoleAction

      @Stability(Stable) @NotNull public String getAssumeRoleAction()
      When this Principal is used in an AssumeRole policy, the action to use.
      Specified by:
      getAssumeRoleAction in interface IPrincipal
    • getGrantPrincipal

      @Stability(Stable) @NotNull public IPrincipal getGrantPrincipal()
      The principal to grant permissions to.
      Specified by:
      getGrantPrincipal in interface IGrantable
    • getGroupArn

      @Stability(Stable) @NotNull public String getGroupArn()
      Returns the IAM Group ARN.
      Specified by:
      getGroupArn in interface IGroup
    • getGroupName

      @Stability(Stable) @NotNull public String getGroupName()
      Returns the IAM Group Name.
      Specified by:
      getGroupName in interface IGroup
    • getPolicyFragment

      @Stability(Stable) @NotNull public PrincipalPolicyFragment getPolicyFragment()
      Return the policy fragment that identifies this principal in a Policy.
      Specified by:
      getPolicyFragment in interface IPrincipal
    • getPrincipalAccount

      @Stability(Stable) @Nullable public String getPrincipalAccount()
      The AWS account ID of this principal.

      Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.

      Specified by:
      getPrincipalAccount in interface IPrincipal