Class PolicyStatement

java.lang.Object
software.amazon.jsii.JsiiObject
software.amazon.awscdk.services.iam.PolicyStatement
All Implemented Interfaces:
software.amazon.jsii.JsiiSerializable

@Generated(value="jsii-pacmak/1.98.0 (build 00b106d)", date="2024-05-24T02:42:39.139Z") @Stability(Stable) public class PolicyStatement extends software.amazon.jsii.JsiiObject
Represents a statement in an IAM policy document.

Example:

 Bucket destinationBucket;
 BucketDeployment deployment = BucketDeployment.Builder.create(this, "DeployFiles")
         .sources(List.of(Source.asset(join(__dirname, "source-files"))))
         .destinationBucket(destinationBucket)
         .build();
 deployment.handlerRole.addToPolicy(
 PolicyStatement.Builder.create()
         .actions(List.of("kms:Decrypt", "kms:DescribeKey"))
         .effect(Effect.ALLOW)
         .resources(List.of("<encryption key ARN>"))
         .build());
 
  • Constructor Details

    • PolicyStatement

      protected PolicyStatement(software.amazon.jsii.JsiiObjectRef objRef)
    • PolicyStatement

      protected PolicyStatement(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
    • PolicyStatement

      @Stability(Stable) public PolicyStatement(@Nullable PolicyStatementProps props)
      Parameters:
      props -
    • PolicyStatement

      @Stability(Stable) public PolicyStatement()
  • Method Details

    • fromJson

      @Stability(Stable) @NotNull public static PolicyStatement fromJson(@NotNull Object obj)
      Creates a new PolicyStatement based on the object provided.

      This will accept an object created from the .toJSON() call

      Parameters:
      obj - the PolicyStatement in object form. This parameter is required.
    • addAccountCondition

      @Stability(Stable) public void addAccountCondition(@NotNull String accountId)
      Add a StringEquals condition that limits to a given account from sts:ExternalId.

      This method can only be called once: subsequent calls will overwrite earlier calls.

      Parameters:
      accountId - This parameter is required.
      See Also:
    • addAccountRootPrincipal

      @Stability(Stable) public void addAccountRootPrincipal()
      Adds an AWS account root user principal to this policy statement.
    • addActions

      @Stability(Stable) public void addActions(@NotNull @NotNull String... actions)
      Specify allowed actions into the "Action" section of the policy statement.

      Parameters:
      actions - actions that will be allowed. This parameter is required.
      See Also:
    • addAllResources

      @Stability(Stable) public void addAllResources()
      Adds a "*" resource to this statement.
    • addAnyPrincipal

      @Stability(Stable) public void addAnyPrincipal()
      Adds all identities in all accounts ("*") to this policy statement.
    • addArnPrincipal

      @Stability(Stable) public void addArnPrincipal(@NotNull String arn)
      Specify a principal using the ARN identifier of the principal.

      You cannot specify IAM groups and instance profiles as principals.

      Parameters:
      arn - ARN identifier of AWS account, IAM user, or IAM role (i.e. arn:aws:iam::123456789012:user/user-name). This parameter is required.
    • addAwsAccountPrincipal

      @Stability(Stable) public void addAwsAccountPrincipal(@NotNull String accountId)
      Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.

      Parameters:
      accountId - This parameter is required.
    • addCanonicalUserPrincipal

      @Stability(Stable) public void addCanonicalUserPrincipal(@NotNull String canonicalUserId)
      Adds a canonical user ID principal to this policy document.

      Parameters:
      canonicalUserId - unique identifier assigned by AWS for every account. This parameter is required.
    • addCondition

      @Stability(Stable) public void addCondition(@NotNull String key, @NotNull Object value)
      Add a condition to the Policy.

      If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:

       PolicyStatement stmt;
       stmt.addCondition("StringEquals", Map.of("aws:SomeField", "1"));
       stmt.addCondition("StringEquals", Map.of("aws:SomeField", "2"));
       

      Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.

      If you meant to add a condition to say that the field can be either 1 or 2, write this:

       PolicyStatement stmt;
       stmt.addCondition("StringEquals", Map.of("aws:SomeField", List.of("1", "2")));
       

      Parameters:
      key - This parameter is required.
      value - This parameter is required.
    • addConditions

      @Stability(Stable) public void addConditions(@NotNull Map<String,Object> conditions)
      Add multiple conditions to the Policy.

      See the addCondition function for a caveat on calling this method multiple times.

      Parameters:
      conditions - This parameter is required.
    • addFederatedPrincipal

      @Stability(Stable) public void addFederatedPrincipal(@NotNull Object federated, @NotNull Map<String,Object> conditions)
      Adds a federated identity provider such as Amazon Cognito to this policy statement.

      Parameters:
      federated - federated identity provider (i.e. 'cognito-identity.amazonaws.com'). This parameter is required.
      conditions - The conditions under which the policy is in effect. This parameter is required.
    • addNotActions

      @Stability(Stable) public void addNotActions(@NotNull @NotNull String... notActions)
      Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document.

      Parameters:
      notActions - actions that will be denied. This parameter is required.
      See Also:
    • addNotPrincipals

      @Stability(Stable) public void addNotPrincipals(@NotNull @NotNull IPrincipal... notPrincipals)
      Specify principals that is not allowed or denied access to the "NotPrincipal" section of a policy statement.

      Parameters:
      notPrincipals - IAM principals that will be denied access. This parameter is required.
      See Also:
    • addNotResources

      @Stability(Stable) public void addNotResources(@NotNull @NotNull String... arns)
      Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.

      All resources except the specified list will be matched.

      Parameters:
      arns - Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to. This parameter is required.
      See Also:
    • addPrincipals

      @Stability(Stable) public void addPrincipals(@NotNull @NotNull IPrincipal... principals)
      Adds principals to the "Principal" section of a policy statement.

      Parameters:
      principals - IAM principals that will be added. This parameter is required.
      See Also:
    • addResources

      @Stability(Stable) public void addResources(@NotNull @NotNull String... arns)
      Specify resources that this policy statement applies into the "Resource" section of this policy statement.

      Parameters:
      arns - Amazon Resource Names (ARNs) of the resources that this policy statement applies to. This parameter is required.
      See Also:
    • addServicePrincipal

      @Stability(Stable) public void addServicePrincipal(@NotNull String service, @Nullable ServicePrincipalOpts opts)
      Adds a service principal to this policy statement.

      Parameters:
      service - the service name for which a service principal is requested (e.g: s3.amazonaws.com). This parameter is required.
      opts - options for adding the service principal (such as specifying a principal in a different region).
    • addServicePrincipal

      @Stability(Stable) public void addServicePrincipal(@NotNull String service)
      Adds a service principal to this policy statement.

      Parameters:
      service - the service name for which a service principal is requested (e.g: s3.amazonaws.com). This parameter is required.
    • addSourceAccountCondition

      @Stability(Stable) public void addSourceAccountCondition(@NotNull String accountId)
      Add an StringEquals condition that limits to a given account from aws:SourceAccount.

      This method can only be called once: subsequent calls will overwrite earlier calls.

      Parameters:
      accountId - This parameter is required.
      See Also:
    • addSourceArnCondition

      @Stability(Stable) public void addSourceArnCondition(@NotNull String arn)
      Add an ArnEquals condition that limits to a given resource arn from aws:SourceArn.

      This method can only be called once: subsequent calls will overwrite earlier calls.

      Parameters:
      arn - This parameter is required.
      See Also:
    • copy

      @Stability(Stable) @NotNull public PolicyStatement copy(@Nullable PolicyStatementProps overrides)
      Create a new PolicyStatement with the same exact properties as this one, except for the overrides.

      Parameters:
      overrides -
    • copy

      @Stability(Stable) @NotNull public PolicyStatement copy()
      Create a new PolicyStatement with the same exact properties as this one, except for the overrides.
    • freeze

      @Stability(Stable) @NotNull public PolicyStatement freeze()
      Make the PolicyStatement immutable.

      After calling this, any of the addXxx() methods will throw an exception.

      Libraries that lazily generate statement bodies can override this method to fill the actual PolicyStatement fields. Be aware that this method may be called multiple times.

    • toJSON

      @Stability(Stable) @NotNull public Object toJSON()
      JSON-ify the statement.

      Used when JSON.stringify() is called

    • toStatementJson

      @Stability(Stable) @NotNull public Object toStatementJson()
      JSON-ify the policy statement.

      Used when JSON.stringify() is called

    • toString

      @Stability(Stable) @NotNull public String toString()
      String representation of this policy statement.
      Overrides:
      toString in class Object
    • validateForAnyPolicy

      @Stability(Stable) @NotNull public List<String> validateForAnyPolicy()
      Validate that the policy statement satisfies base requirements for a policy.

      Returns:
      An array of validation error messages, or an empty array if the statement is valid.
    • validateForIdentityPolicy

      @Stability(Stable) @NotNull public List<String> validateForIdentityPolicy()
      Validate that the policy statement satisfies all requirements for an identity-based policy.

      Returns:
      An array of validation error messages, or an empty array if the statement is valid.
    • validateForResourcePolicy

      @Stability(Stable) @NotNull public List<String> validateForResourcePolicy()
      Validate that the policy statement satisfies all requirements for a resource-based policy.

      Returns:
      An array of validation error messages, or an empty array if the statement is valid.
    • getActions

      @Stability(Stable) @NotNull public List<String> getActions()
      The Actions added to this statement.
    • getConditions

      @Stability(Stable) @NotNull public Object getConditions()
      The conditions added to this statement.
    • getFrozen

      @Stability(Stable) @NotNull public Boolean getFrozen()
      Whether the PolicyStatement has been frozen.

      The statement object is frozen when freeze() is called.

    • getHasPrincipal

      @Stability(Stable) @NotNull public Boolean getHasPrincipal()
      Indicates if this permission has a "Principal" section.
    • getHasResource

      @Stability(Stable) @NotNull public Boolean getHasResource()
      Indicates if this permission has at least one resource associated with it.
    • getNotActions

      @Stability(Stable) @NotNull public List<String> getNotActions()
      The NotActions added to this statement.
    • getNotPrincipals

      @Stability(Stable) @NotNull public List<IPrincipal> getNotPrincipals()
      The NotPrincipals added to this statement.
    • getNotResources

      @Stability(Stable) @NotNull public List<String> getNotResources()
      The NotResources added to this statement.
    • getPrincipals

      @Stability(Stable) @NotNull public List<IPrincipal> getPrincipals()
      The Principals added to this statement.
    • getResources

      @Stability(Stable) @NotNull public List<String> getResources()
      The Resources added to this statement.
    • getEffect

      @Stability(Stable) @NotNull public Effect getEffect()
      Whether to allow or deny the actions in this statement Set effect for this statement.
    • setEffect

      @Stability(Stable) public void setEffect(@NotNull Effect value)
      Whether to allow or deny the actions in this statement Set effect for this statement.
    • getSid

      @Stability(Stable) @Nullable public String getSid()
      Statement ID for this statement Set Statement ID for this statement.
    • setSid

      @Stability(Stable) public void setSid(@Nullable String value)
      Statement ID for this statement Set Statement ID for this statement.