Policy
- class aws_cdk.aws_iam.Policy(scope, id, *, document=None, force=None, groups=None, policy_name=None, roles=None, statements=None, users=None)
Bases: Resource
The AWS::IAM::Policy resource associates an inline IAM policy with IAM users, roles, or groups. For more information about IAM policies, see Overview of IAM Policies in the IAM User Guide.
Example:
    from aws_cdk import aws_cognito as cognito, aws_iam as iam

    # post_auth_fn: lambda.Function (defined elsewhere in the stack; `self` is the enclosing Stack or Construct)
    userpool = cognito.UserPool(self, "myuserpool",
        lambda_triggers=cognito.UserPoolTriggers(
            post_authentication=post_auth_fn
        )
    )

    # grant permission to describe the user pool, scoped to the ARN of that user pool
    post_auth_fn.role.attach_inline_policy(iam.Policy(self, "userpool-policy",
        statements=[iam.PolicyStatement(
            actions=["cognito-idp:DescribeUserPool"],
            resources=[userpool.user_pool_arn]
        )]
    ))
- Parameters:
  - scope (Construct)
  - id (str)
  - document (Optional[PolicyDocument]) – Initial PolicyDocument to use for this Policy. If omitted, any PolicyStatement provided in the statements property will be applied against the empty default PolicyDocument. Default: - An empty policy.
  - force (Optional[bool]) – Force creation of an AWS::IAM::Policy. Unless set to true, this Policy construct will not materialize to an AWS::IAM::Policy CloudFormation resource in case it would have no effect (for example, if it remains unattached to an IAM identity or if it has no statements). This is generally desired behavior, since it prevents creating invalid, and hence undeployable, CloudFormation templates. In cases where you know the policy must be created and it is actually an error if no statements have been added to it or it remains unattached to an IAM identity, you can set this to true. Default: false
  - groups (Optional[Sequence[IGroup]]) – Groups to attach this policy to. You can also use attach_to_group(group) to attach this policy to a group. Default: - No groups.
  - policy_name (Optional[str]) – The name of the policy. If you specify multiple policies for an entity, specify unique names. For example, if you specify a list of policies for an IAM role, each policy must have a unique name. Default: - Uses the logical ID of the policy resource, which is ensured to be unique within the stack.
  - roles (Optional[Sequence[IRole]]) – Roles to attach this policy to. You can also use attach_to_role(role) to attach this policy to a role. Default: - No roles.
  - statements (Optional[Sequence[PolicyStatement]]) – Initial set of permissions to add to this policy document. You can also use add_statements(*statement) to add permissions later. Default: - No statements.
  - users (Optional[Sequence[IUser]]) – Users to attach this policy to. You can also use attach_to_user(user) to attach this policy to a user. Default: - No users.
Methods
- add_statements(*statement)
  Adds a statement to the policy document.
  - Parameters: statement (PolicyStatement)
  - Return type: None
- apply_removal_policy(policy)
  Apply the given removal policy to this resource.
  The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.
  The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).
  - Parameters: policy (RemovalPolicy)
  - Return type: None
- attach_to_group(group)
  Attaches this policy to a group.
  - Parameters: group (IGroup)
  - Return type: None
- to_string()
  Returns a string representation of this construct.
  - Return type: str
Attributes
- document
The policy document.
- env
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
- grant_principal
The principal to grant permissions to.
- node
The tree node.
- policy_name
The name of this policy.
  - Attribute: true
- stack
The stack in which this resource is defined.
Static Methods
- classmethod from_policy_name(scope, id, policy_name)
Import a policy in this app based on its name.
- classmethod is_construct(x)
  Checks if x is a construct.
  Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.
  Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof and to use this type-testing method instead.
  - Parameters: x (Any) – Any object.
  - Return type: bool
  - Returns: true if x is an object created from a class which extends Construct.
- classmethod is_owned_resource(construct)
  Returns true if the construct was created by CDK, and false otherwise.
  - Parameters: construct (IConstruct)
  - Return type: bool
- classmethod is_resource(construct)
  Check whether the given construct is a Resource.
  - Parameters: construct (IConstruct)
  - Return type: bool