Class PolicyStatement

- All Implemented Interfaces:
  software.amazon.jsii.JsiiSerializable

Example:

    import java.util.List;
    import software.amazon.awscdk.services.iam.Effect;
    import software.amazon.awscdk.services.iam.PolicyStatement;
    import software.amazon.awscdk.services.s3.Bucket;
    import software.amazon.awscdk.services.s3.deployment.BucketDeployment;
    import software.amazon.awscdk.services.s3.deployment.Source;

    Bucket destinationBucket;
    BucketDeployment deployment = BucketDeployment.Builder.create(this, "DeployFiles")
            .sources(List.of(Source.asset("source-files")))   // local directory, relative to the CDK app
            .destinationBucket(destinationBucket)
            .build();
    // Let the deployment's Lambda handler use the key that encrypts the destination bucket.
    deployment.getHandlerRole().addToPolicy(PolicyStatement.Builder.create()
            .actions(List.of("kms:Decrypt", "kms:DescribeKey"))
            .effect(Effect.ALLOW)
            .resources(List.of("<encryption key ARN>"))
            .build());
Nested Class Summary

Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject
  software.amazon.jsii.JsiiObject.InitializationMode

Constructor Summary

- protected PolicyStatement(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
- protected PolicyStatement(software.amazon.jsii.JsiiObjectRef objRef)
- public PolicyStatement()
- public PolicyStatement(PolicyStatementProps props)
Method Summary

- void addAccountCondition(String accountId)
  Add a StringEquals condition that limits to a given account from sts:ExternalId.
- void addAccountRootPrincipal()
  Adds an AWS account root user principal to this policy statement.
- void addActions(@NotNull String... actions)
  Adds actions to the "Action" section of the policy statement.
- void addAllResources()
  Adds a "*" resource to this statement.
- void addAnyPrincipal()
  Adds all identities in all accounts ("*") to this policy statement.
- void addArnPrincipal(String arn)
  Specify a principal using the ARN identifier of the principal.
- void addAwsAccountPrincipal(String accountId)
  Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.
- void addCanonicalUserPrincipal(String canonicalUserId)
  Adds a canonical user ID principal to this policy statement.
- void addCondition(String key, Object value)
  Add a condition to the Policy.
- void addConditions(Map<String, Object> conditions)
  Add multiple conditions to the Policy.
- void addFederatedPrincipal(Object federated, Map<String, Object> conditions)
  Adds a federated identity provider such as Amazon Cognito to this policy statement.
- void addNotActions(@NotNull String... notActions)
  Adds actions to the "NotAction" section of the policy statement; the statement then applies to every action except the ones listed.
- void addNotPrincipals(@NotNull IPrincipal... notPrincipals)
  Adds principals to the "NotPrincipal" section of the policy statement; the statement then applies to every principal except the ones listed.
- void addNotResources(@NotNull String... arns)
  Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.
- void addPrincipals(@NotNull IPrincipal... principals)
  Adds principals to the "Principal" section of a policy statement.
- void addResources(@NotNull String... arns)
  Specify resources that this policy statement applies to in the "Resource" section of this policy statement.
- void addServicePrincipal(String service)
  Adds a service principal to this policy statement.
- void addServicePrincipal(String service, ServicePrincipalOpts opts)
  Adds a service principal to this policy statement.
- void addSourceAccountCondition(String accountId)
  Add a StringEquals condition that limits to a given account from aws:SourceAccount.
- void addSourceArnCondition(String arn)
  Add an ArnEquals condition that limits to a given resource arn from aws:SourceArn.
- PolicyStatement copy()
  Create a new PolicyStatement with the same exact properties as this one.
- PolicyStatement copy(PolicyStatementProps overrides)
  Create a new PolicyStatement with the same exact properties as this one, except for the overrides.
- void freeze()
  Make the PolicyStatement immutable.
- static PolicyStatement fromJson(Object obj)
  Creates a new PolicyStatement based on the object provided.
- List<String> getActions()
  The Actions added to this statement.
- Object getConditions()
  The conditions added to this statement.
- Effect getEffect()
  Whether to allow or deny the actions in this statement.
- void setEffect(Effect value)
  Set effect for this statement.
- Boolean getFrozen()
  Whether the PolicyStatement has been frozen.
- Boolean getHasPrincipal()
  Indicates if this permission has a "Principal" section.
- Boolean getHasResource()
  Indicates if this permission has at least one resource associated with it.
- List<String> getNotActions()
  The NotActions added to this statement.
- List<IPrincipal> getNotPrincipals()
  The NotPrincipals added to this statement.
- List<String> getNotResources()
  The NotResources added to this statement.
- List<IPrincipal> getPrincipals()
  The Principals added to this statement.
- List<String> getResources()
  The Resources added to this statement.
- String getSid()
  Statement ID for this statement.
- void setSid(String value)
  Set Statement ID for this statement.
- Object toJSON()
  JSON-ify the statement.
- Object toStatementJson()
  JSON-ify the policy statement.
- String toString()
  String representation of this policy statement.
- List<String> validateForAnyPolicy()
  Validate that the policy statement satisfies base requirements for a policy.
- List<String> validateForIdentityPolicy()
  Validate that the policy statement satisfies all requirements for an identity-based policy.
- List<String> validateForResourcePolicy()
  Validate that the policy statement satisfies all requirements for a resource-based policy.

Methods inherited from class software.amazon.jsii.JsiiObject
  jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet

Methods inherited from class java.lang.Object
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface software.amazon.jsii.JsiiSerializable
  $jsii$toJson

Constructor Details

- PolicyStatement
  protected PolicyStatement(software.amazon.jsii.JsiiObjectRef objRef)

- PolicyStatement
  protected PolicyStatement(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

- PolicyStatement
  @Stability(Stable) public PolicyStatement(PolicyStatementProps props)
  Parameters:
    props - the statement properties (see PolicyStatementProps).

- PolicyStatement
  @Stability(Stable) public PolicyStatement()
Method Details

- fromJson
  @Stability(Stable) public static PolicyStatement fromJson(Object obj)
  Creates a new PolicyStatement based on the object provided. This will accept an object created from the .toJSON() call.
  Parameters:
    obj - the PolicyStatement in object form. This parameter is required.

- addAccountCondition
  @Stability(Stable) public void addAccountCondition(String accountId)
  Add a StringEquals condition that limits to a given account from sts:ExternalId. This method can only be called once: subsequent calls will overwrite earlier calls.
  Parameters:
    accountId - This parameter is required.

- addAccountRootPrincipal
  @Stability(Stable) public void addAccountRootPrincipal()
  Adds an AWS account root user principal to this policy statement.

- addActions
  @Stability(Stable) public void addActions(@NotNull String... actions)
  Adds actions to the "Action" section of the policy statement. Whether they are allowed or denied depends on the statement's Effect.
  Parameters:
    actions - actions that this statement applies to. This parameter is required.

- addAllResources
  @Stability(Stable) public void addAllResources()
  Adds a "*" resource to this statement.

- addAnyPrincipal
  @Stability(Stable) public void addAnyPrincipal()
  Adds all identities in all accounts ("*") to this policy statement.

- addArnPrincipal
  @Stability(Stable) public void addArnPrincipal(String arn)
  Specify a principal using the ARN identifier of the principal. You cannot specify IAM groups and instance profiles as principals.
  Parameters:
    arn - ARN identifier of AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name). This parameter is required.

- addAwsAccountPrincipal
  @Stability(Stable) public void addAwsAccountPrincipal(String accountId)
  Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.
  Parameters:
    accountId - This parameter is required.

- addCanonicalUserPrincipal
  @Stability(Stable) public void addCanonicalUserPrincipal(String canonicalUserId)
  Adds a canonical user ID principal to this policy statement.
  Parameters:
    canonicalUserId - unique identifier assigned by AWS for every account. This parameter is required.

- addCondition
  @Stability(Stable) public void addCondition(String key, Object value)
  Add a condition to the Policy. If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:

      PolicyStatement stmt;
      stmt.addCondition("StringEquals", Map.of("aws:SomeField", "1"));
      stmt.addCondition("StringEquals", Map.of("aws:SomeField", "2"));

  Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }. If you meant to add a condition to say that the field can be either 1 or 2, write this:

      PolicyStatement stmt;
      stmt.addCondition("StringEquals", Map.of("aws:SomeField", List.of("1", "2")));

  Parameters:
    key - the condition operator (e.g. StringEquals, ArnEquals). This parameter is required.
    value - a map from condition key to the value, or list of values, to match. This parameter is required.

- addConditions
  @Stability(Stable) public void addConditions(Map<String, Object> conditions)
  Add multiple conditions to the Policy. See the addCondition function for a caveat on calling this method multiple times.
  Parameters:
    conditions - a map from condition operator to its condition-key/value map. This parameter is required.
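The overwrite rule above is easy to trip over when a statement is assembled in several places, and the usual result is that an earlier caller's restriction silently disappears. The following is an added example, not code from the CDK documentation; the class name and the VPC IDs and bucket ARN are constructed for illustration. It shows the overwriting call sequence, the correct list-valued form, and that a different operator (Bool) coexists with the StringEquals block. It needs aws-cdk-lib on the classpath (and the Node.js runtime that jsii uses).

```java
import java.util.List;
import java.util.Map;
import software.amazon.awscdk.services.iam.Effect;
import software.amazon.awscdk.services.iam.PolicyStatement;

// Added example (not from the CDK docs): repeated addCondition() calls with the same
// operator and field replace each other; a list value is how "either value" is expressed.
public class ConditionMergeExample {

    static final String OBJECTS_ARN = "arn:aws:s3:::example-bucket/*";   // constructed sample ARN

    // The naive form: the second call REPLACES the first, so only vpc-bbbb2222 remains.
    // If the intent was "allow from either VPC", the first VPC has silently lost access.
    static PolicyStatement overwritten() {
        PolicyStatement stmt = new PolicyStatement();
        stmt.setEffect(Effect.ALLOW);
        stmt.addActions("s3:GetObject");
        stmt.addResources(OBJECTS_ARN);
        stmt.addCondition("StringEquals", Map.of("aws:SourceVpc", "vpc-aaaa1111"));
        stmt.addCondition("StringEquals", Map.of("aws:SourceVpc", "vpc-bbbb2222"));
        return stmt;
    }

    // The correct form: one StringEquals block whose value is the list of acceptable values.
    static PolicyStatement merged() {
        PolicyStatement stmt = new PolicyStatement();
        stmt.setEffect(Effect.ALLOW);
        stmt.addActions("s3:GetObject");
        stmt.addResources(OBJECTS_ARN);
        stmt.addCondition("StringEquals",
                Map.of("aws:SourceVpc", List.of("vpc-aaaa1111", "vpc-bbbb2222")));
        return stmt;
    }

    // A different operator does not collide with StringEquals: the Bool block is kept
    // alongside it. addConditions() follows the same per-operator/per-field rule as
    // addCondition(), so the caveat applies to it as well.
    static PolicyStatement withTlsRequirement(PolicyStatement stmt) {
        stmt.addConditions(Map.of("Bool", Map.of("aws:SecureTransport", "true")));
        return stmt;
    }

    public static void main(String[] args) {
        // Condition block shows only aws:SourceVpc=vpc-bbbb2222; vpc-aaaa1111 is gone.
        System.out.println("overwritten: " + overwritten().toStatementJson());
        // Condition block shows the StringEquals list plus the Bool aws:SecureTransport check.
        System.out.println("merged:      " + withTlsRequirement(merged()).toStatementJson());
    }
}
```

Printing toStatementJson() is the quickest way to see what actually reached the statement; in a real app the same check belongs in a unit test that asserts on the synthesized policy document.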
- addFederatedPrincipal
  @Stability(Stable) public void addFederatedPrincipal(@NotNull Object federated, @NotNull Map<String, Object> conditions)
  Adds a federated identity provider such as Amazon Cognito to this policy statement.
  Parameters:
    federated - federated identity provider (e.g. 'cognito-identity.amazonaws.com'). This parameter is required.
    conditions - The conditions under which the policy is in effect. This parameter is required.

- addNotActions
  @Stability(Stable) public void addNotActions(@NotNull String... notActions)
  Adds actions to the "NotAction" section of the policy statement. NotAction matches every action except the ones listed, including actions that do not exist yet: with Effect.ALLOW the statement allows everything except the listed actions, with Effect.DENY it denies everything except them.
  Parameters:
    notActions - actions that this statement will not apply to. This parameter is required.

- addNotPrincipals
  @Stability(Stable) public void addNotPrincipals(@NotNull IPrincipal... notPrincipals)
  Adds principals to the "NotPrincipal" section of the policy statement. The statement then applies to every principal except the ones listed; in practice NotPrincipal is only safe in combination with Effect.DENY.
  Parameters:
    notPrincipals - IAM principals that this statement will not apply to. This parameter is required.

- addNotResources
  @Stability(Stable) public void addNotResources(@NotNull String... arns)
  Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement. All resources except the specified list will be matched.
  Parameters:
    arns - Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to. This parameter is required.
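The three Not* sections are most useful as Deny guardrails: they cap what any other Allow can grant, because an explicit Deny always wins. The following is an added example, not code from the CDK documentation; the class name, role ARN, bucket ARN and account ID are constructed for illustration. It builds the three Deny-with-Not* forms (lock a bucket to one role, cap an operator to read-only, confine writes to one prefix) next to the Allow + NotAction form that is usually a mistake.

```java
import java.util.List;
import software.amazon.awscdk.services.iam.ArnPrincipal;
import software.amazon.awscdk.services.iam.Effect;
import software.amazon.awscdk.services.iam.PolicyStatement;

// Added example (not from the CDK docs): "deny everything except" guardrails built from the
// NotAction / NotResource / NotPrincipal sections, plus the Allow form to avoid.
public class NotSectionGuardrails {

    static final String ADMIN_ROLE = "arn:aws:iam::111122223333:role/BucketAdmin"; // constructed sample ARN
    static final String BUCKET_ARN = "arn:aws:s3:::audit-logs";                     // constructed sample ARN

    // Bucket-policy lockdown: deny every S3 action on the bucket to everyone who is NOT the
    // admin role. Deny is the only Effect NotPrincipal is safe with: Allow + NotPrincipal
    // would be an open grant to every identity, anonymous included, that is not listed.
    static PolicyStatement denyAllButAdmin() {
        PolicyStatement stmt = new PolicyStatement();
        stmt.setSid("DenyAllExceptBucketAdmin");
        stmt.setEffect(Effect.DENY);
        stmt.addNotPrincipals(new ArnPrincipal(ADMIN_ROLE));
        stmt.addActions("s3:*");
        stmt.addResources(BUCKET_ARN, BUCKET_ARN + "/*");
        return stmt;
    }

    // Identity-policy guardrail for a read-only operator: deny every action that is NOT a
    // read action. Whatever other policies grant, this statement caps it at reads.
    static PolicyStatement denyAllButReads() {
        PolicyStatement stmt = new PolicyStatement();
        stmt.setSid("DenyNonReadActions");
        stmt.setEffect(Effect.DENY);
        stmt.addNotActions("s3:Get*", "s3:List*", "s3:Describe*");
        stmt.addAllResources();
        return stmt;
    }

    // NotResource: deny writes anywhere EXCEPT inside the sanctioned prefix.
    static PolicyStatement denyWritesOutsidePrefix() {
        PolicyStatement stmt = new PolicyStatement();
        stmt.setSid("DenyWritesOutsideIncoming");
        stmt.setEffect(Effect.DENY);
        stmt.addActions("s3:PutObject", "s3:DeleteObject");
        stmt.addNotResources(BUCKET_ARN + "/incoming/*");
        return stmt;
    }

    // The anti-pattern: Allow + NotAction grants every action that is not listed, including
    // actions AWS introduces after the policy was written. Prefer an explicit Allow list.
    static PolicyStatement allowEverythingButIam() {
        PolicyStatement stmt = new PolicyStatement();
        stmt.setSid("AllowAllButIam");
        stmt.setEffect(Effect.ALLOW);
        stmt.addNotActions("iam:*");
        stmt.addAllResources();
        return stmt;
    }

    public static void main(String[] args) {
        for (PolicyStatement s : List.of(denyAllButAdmin(), denyAllButReads(),
                denyWritesOutsidePrefix(), allowEverythingButIam())) {
            System.out.println(s.toStatementJson());
        }
    }
}
```

The first statement belongs in a bucket's resource policy (it has a principal section); the other three are identity-policy shapes. Mixing them up is exactly what the validateFor*() methods further down this page catch.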
- addPrincipals
  @Stability(Stable) public void addPrincipals(@NotNull IPrincipal... principals)
  Adds principals to the "Principal" section of a policy statement.
  Parameters:
    principals - IAM principals that will be added. This parameter is required.

- addResources
  @Stability(Stable) public void addResources(@NotNull String... arns)
  Specify resources that this policy statement applies to in the "Resource" section of this policy statement.
  Parameters:
    arns - Amazon Resource Names (ARNs) of the resources that this policy statement applies to. This parameter is required.

- addServicePrincipal
  @Stability(Stable) public void addServicePrincipal(@NotNull String service, @Nullable ServicePrincipalOpts opts)
  Adds a service principal to this policy statement.
  Parameters:
    service - the service name for which a service principal is requested (e.g. s3.amazonaws.com). This parameter is required.
    opts - options for adding the service principal (such as specifying a principal in a different region).

- addServicePrincipal
  @Stability(Stable) public void addServicePrincipal(@NotNull String service)
  Adds a service principal to this policy statement.
  Parameters:
    service - the service name for which a service principal is requested (e.g. s3.amazonaws.com). This parameter is required.

- addSourceAccountCondition
  @Stability(Stable) public void addSourceAccountCondition(String accountId)
  Add a StringEquals condition that limits to a given account from aws:SourceAccount. This method can only be called once: subsequent calls will overwrite earlier calls.
  Parameters:
    accountId - This parameter is required.

- addSourceArnCondition
  @Stability(Stable) public void addSourceArnCondition(String arn)
  Add an ArnEquals condition that limits to a given resource arn from aws:SourceArn. This method can only be called once: subsequent calls will overwrite earlier calls.
  On a resource-based policy that grants access to a service principal, aws:SourceArn and aws:SourceAccount restrict the grant to requests the service makes on behalf of the named resource or account; without them any customer of that service could use the grant (the confused-deputy problem).
  Parameters:
    arn - This parameter is required.
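Putting the principal methods and the source conditions together, here is an added example, not code from the CDK documentation, covering addServicePrincipal (both overloads), addFederatedPrincipal and the two addSource*Condition methods. The class name, account ID, topic and queue ARNs and identity pool ID are constructed for illustration. It builds an SQS queue-policy statement that only the named SNS topic can use, shows what the "can only be called once" caveat means in practice, and builds a Cognito trust-policy statement pinned to one identity pool.

```java
import java.util.List;
import java.util.Map;
import software.amazon.awscdk.services.iam.Effect;
import software.amazon.awscdk.services.iam.PolicyStatement;
import software.amazon.awscdk.services.iam.ServicePrincipalOpts;

// Added example (not from the CDK docs): resource-policy and trust-policy statements whose
// principal is a service or an identity provider, scoped so only the expected caller can
// use them (the confused-deputy guard).
public class ScopedPrincipalStatements {

    static final String ACCOUNT   = "111122223333";                                  // constructed sample account
    static final String TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:alerts";     // constructed sample ARN
    static final String QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:alerts-q";   // constructed sample ARN

    // SQS queue policy: let SNS deliver to the queue, but only on behalf of OUR topic in OUR
    // account. Without the conditions, any SNS topic in any account could subscribe and write.
    static PolicyStatement allowSnsDelivery() {
        PolicyStatement stmt = new PolicyStatement();
        stmt.setSid("AllowAlertsTopicOnly");
        stmt.setEffect(Effect.ALLOW);
        stmt.addServicePrincipal("sns.amazonaws.com");
        stmt.addActions("sqs:SendMessage");
        stmt.addResources(QUEUE_ARN);
        stmt.addSourceArnCondition(TOPIC_ARN);       // Condition.ArnEquals.aws:SourceArn
        stmt.addSourceAccountCondition(ACCOUNT);     // Condition.StringEquals.aws:SourceAccount
        return stmt;
    }

    // The single-call caveat in practice: a second addSourceArnCondition() would REPLACE the
    // first, not add a second allowed ARN. To allow two topics, set the list explicitly.
    static PolicyStatement allowTwoTopics(String otherTopicArn) {
        PolicyStatement stmt = allowSnsDelivery();
        stmt.addCondition("ArnEquals", Map.of("aws:SourceArn", List.of(TOPIC_ARN, otherTopicArn)));
        return stmt;
    }

    // Same guard via the ServicePrincipalOpts overload. The CDK merges the principal's
    // conditions into the statement's Condition block when the principal is added, and
    // requires every principal in one statement to carry identical conditions.
    static PolicyStatement allowSnsDeliveryViaOpts() {
        PolicyStatement stmt = new PolicyStatement();
        stmt.setEffect(Effect.ALLOW);
        stmt.addServicePrincipal("sns.amazonaws.com", ServicePrincipalOpts.builder()
                .conditions(Map.of("ArnEquals", Map.of("aws:SourceArn", TOPIC_ARN)))
                .build());
        stmt.addActions("sqs:SendMessage");
        stmt.addResources(QUEUE_ARN);
        return stmt;
    }

    // Role trust policy for Cognito Identity: only authenticated identities from ONE identity
    // pool may assume the role. Omitting the "aud" check lets any pool anywhere assume it.
    static PolicyStatement trustCognitoAuthenticated(String identityPoolId) {
        PolicyStatement stmt = new PolicyStatement();
        stmt.setEffect(Effect.ALLOW);
        stmt.addFederatedPrincipal("cognito-identity.amazonaws.com", Map.of(
                "StringEquals", Map.of("cognito-identity.amazonaws.com:aud", identityPoolId),
                "ForAnyValue:StringLike", Map.of("cognito-identity.amazonaws.com:amr", "authenticated")));
        stmt.addActions("sts:AssumeRoleWithWebIdentity");
        return stmt;
    }

    public static void main(String[] args) {
        // The Service principal may print as a token placeholder until the statement is
        // attached to a stack and synthesized; the Condition block is visible immediately.
        System.out.println(allowSnsDelivery().toStatementJson());
        System.out.println(allowTwoTopics("arn:aws:sns:us-east-1:111122223333:alerts-2").toStatementJson());
        System.out.println(allowSnsDeliveryViaOpts().toStatementJson());
        System.out.println(trustCognitoAuthenticated("us-east-1:00000000-example").toStatementJson());
    }
}
```

Prefer aws:SourceArn over aws:SourceAccount alone where the service supports it: the account condition still lets any resource of that service in your own account use the grant.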
- copy
  @Stability(Stable) public PolicyStatement copy(PolicyStatementProps overrides)
  Create a new PolicyStatement with the same exact properties as this one, except for the overrides.
  Parameters:
    overrides - properties that replace the corresponding properties of this statement.

- copy
  @Stability(Stable) public PolicyStatement copy()
  Create a new PolicyStatement with the same exact properties as this one.

- freeze
  @Stability(Stable) public void freeze()
  Make the PolicyStatement immutable. After calling this, any of the addXxx() methods will throw an exception. Libraries that lazily generate statement bodies can override this method to fill the actual PolicyStatement fields. Be aware that this method may be called multiple times.

- toJSON
  @Stability(Stable) public Object toJSON()
  JSON-ify the statement. Used when JSON.stringify() is called.

- toStatementJson
  @Stability(Stable) public Object toStatementJson()
  JSON-ify the policy statement. Used when JSON.stringify() is called.

- toString
  public String toString()
  String representation of this policy statement.

- validateForAnyPolicy
  @Stability(Stable) public List<String> validateForAnyPolicy()
  Validate that the policy statement satisfies base requirements for a policy.
  Returns:
    An array of validation error messages, or an empty array if the statement is valid.

- validateForIdentityPolicy
  @Stability(Stable) public List<String> validateForIdentityPolicy()
  Validate that the policy statement satisfies all requirements for an identity-based policy. Identity-based policies must not carry a "Principal" section.
  Returns:
    An array of validation error messages, or an empty array if the statement is valid.

- validateForResourcePolicy
  @Stability(Stable) public List<String> validateForResourcePolicy()
  Validate that the policy statement satisfies all requirements for a resource-based policy. Resource-based policies must carry a "Principal" section.
  Returns:
    An array of validation error messages, or an empty array if the statement is valid.
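The three validateFor*() methods, freeze() and fromJson() combine into a small pre-attach check: parse or build the statement, validate it for the kind of policy it is going into, then freeze it so nothing later in the app can widen it. The following is an added example, not code from the CDK documentation; the class name, the PolicyKind enum, the lint/approve helpers and the sample statement data are constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import software.amazon.awscdk.services.iam.Effect;
import software.amazon.awscdk.services.iam.PolicyStatement;
import software.amazon.awscdk.services.iam.ServicePrincipal;

// Added example (not from the CDK docs): validate a statement for its destination policy
// kind, then freeze it so later code cannot extend it by accident.
public class StatementLint {

    // Identity-based policies must NOT carry a Principal, resource-based policies MUST.
    enum PolicyKind { IDENTITY, RESOURCE }

    // Returns the list of problems; empty means the statement may be attached.
    static List<String> lint(PolicyStatement stmt, PolicyKind kind) {
        return kind == PolicyKind.IDENTITY
                ? stmt.validateForIdentityPolicy()
                : stmt.validateForResourcePolicy();
    }

    // Validate, then freeze. After freeze() every addXxx() call throws, so a statement that
    // passed review cannot be quietly extended by code that runs later in the app.
    static PolicyStatement approve(PolicyStatement stmt, PolicyKind kind) {
        List<String> errors = lint(stmt, kind);
        if (!errors.isEmpty()) {
            throw new IllegalStateException("statement rejected: " + errors);
        }
        stmt.freeze();
        return stmt;
    }

    // A statement in plain JSON shape, as read from an existing policy file.
    // fromJson() accepts the same object shape that toJSON() produces.
    static PolicyStatement fromRawJson() {
        Map<String, Object> raw = Map.of(                       // constructed sample statement
                "Sid", "ReadConfig",
                "Effect", "Allow",
                "Action", List.of("ssm:GetParameter", "ssm:GetParameters"),
                "Resource", "arn:aws:ssm:us-east-1:111122223333:parameter/app/*");
        return PolicyStatement.fromJson(raw);
    }

    public static void main(String[] args) {
        // 1. Identity-policy statement from raw JSON: passes validation, then gets frozen.
        PolicyStatement ok = approve(fromRawJson(), PolicyKind.IDENTITY);
        System.out.println("frozen=" + ok.getFrozen() + " hasPrincipal=" + ok.getHasPrincipal());
        try {
            ok.addActions("ssm:PutParameter");           // rejected: statement is frozen
        } catch (RuntimeException e) {
            System.out.println("mutation after freeze rejected: " + e.getMessage());
        }

        // 2. The same statement is NOT valid as a resource policy (no Principal section).
        System.out.println("as resource policy: " + lint(fromRawJson(), PolicyKind.RESOURCE));

        // 3. A statement with a principal is NOT valid as an identity policy.
        PolicyStatement withPrincipal = new PolicyStatement();
        withPrincipal.setEffect(Effect.ALLOW);
        withPrincipal.addPrincipals(new ServicePrincipal("lambda.amazonaws.com"));
        withPrincipal.addActions("sqs:SendMessage");
        withPrincipal.addAllResources();
        System.out.println("as identity policy: " + lint(withPrincipal, PolicyKind.IDENTITY));

        // 4. Base requirement shared by both kinds: an Action or NotAction must be present.
        System.out.println("base check: " + new PolicyStatement().validateForAnyPolicy());
    }
}
```

Freezing is a guard against accidental widening inside one CDK app, not a security boundary: anyone who can edit the app can build a fresh statement. Its value is that the frozen object fails loudly at synth time instead of silently carrying an extra action into the deployed policy.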
- getActions
  @Stability(Stable) public List<String> getActions()
  The Actions added to this statement.

- getConditions
  @Stability(Stable) public Object getConditions()
  The conditions added to this statement.

- getFrozen
  @Stability(Stable) public Boolean getFrozen()
  Whether the PolicyStatement has been frozen. The statement object is frozen when freeze() is called.

- getHasPrincipal
  @Stability(Stable) public Boolean getHasPrincipal()
  Indicates if this permission has a "Principal" section.

- getHasResource
  @Stability(Stable) public Boolean getHasResource()
  Indicates if this permission has at least one resource associated with it.

- getNotActions
  @Stability(Stable) public List<String> getNotActions()
  The NotActions added to this statement.

- getNotPrincipals
  @Stability(Stable) public List<IPrincipal> getNotPrincipals()
  The NotPrincipals added to this statement.

- getNotResources
  @Stability(Stable) public List<String> getNotResources()
  The NotResources added to this statement.

- getPrincipals
  @Stability(Stable) public List<IPrincipal> getPrincipals()
  The Principals added to this statement.

- getResources
  @Stability(Stable) public List<String> getResources()
  The Resources added to this statement.

- getEffect
  @Stability(Stable) public Effect getEffect()
  Whether to allow or deny the actions in this statement.

- setEffect
  @Stability(Stable) public void setEffect(Effect value)
  Set effect for this statement.

- getSid
  @Stability(Stable) public String getSid()
  Statement ID for this statement.

- setSid
  @Stability(Stable) public void setSid(String value)
  Set Statement ID for this statement.