PolicyStatement
- class aws_cdk.aws_iam.PolicyStatement(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)
Bases:
object
Represents a statement in an IAM policy document.
Example:
    import os

    # destination_bucket: s3.Bucket
    deployment = s3deploy.BucketDeployment(self, "DeployFiles",
        sources=[s3deploy.Source.asset(os.path.join(os.path.dirname(__file__), "source-files"))],
        destination_bucket=destination_bucket
    )
    # Let the deployment's handler read objects encrypted with a customer managed KMS key.
    # The resource is scoped to that one key ARN rather than "*".
    deployment.handler_role.add_to_policy(
        iam.PolicyStatement(
            actions=["kms:Decrypt", "kms:DescribeKey"],
            effect=iam.Effect.ALLOW,
            resources=["<encryption key ARN>"]
        )
    )
- Parameters:
    actions (Optional[Sequence[str]]) – List of actions to add to the statement. Default: - no actions
    conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: - no condition
    effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW
    not_actions (Optional[Sequence[str]]) – List of NotAction entries to add to the statement. Default: - no not-actions
    not_principals (Optional[Sequence[IPrincipal]]) – List of NotPrincipal entries to add to the statement. Default: - no not-principals
    not_resources (Optional[Sequence[str]]) – NotResource ARNs to add to the statement. Default: - no not-resources
    principals (Optional[Sequence[IPrincipal]]) – List of principals to add to the statement. Default: - no principals
    resources (Optional[Sequence[str]]) – Resource ARNs to add to the statement. Default: - no resources
    sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: - no sid
Methods
- add_account_condition(account_id)
  Add a StringEquals condition on sts:ExternalId, using account_id as the required external ID.
  This is the external-ID mitigation for the confused-deputy problem in cross-account role assumption: the caller must pass the same ExternalId to sts:AssumeRole, otherwise the trust policy does not match.
  This method can only be called once: subsequent calls will overwrite earlier calls.
  - Parameters:
    account_id (str) – the external ID value to require.
  - See:
    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
  - Return type:
    None
- add_account_root_principal()
Adds an AWS account root user principal to this policy statement.
- Return type:
None
- add_actions(*actions)
  Add actions to the “Action” section of the policy statement. Whether they are allowed or denied is decided by the statement’s effect.
  - Parameters:
    actions (str) – actions that this statement applies to.
  - See:
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html
  - Return type:
    None
- add_all_resources()
  Adds a "*" resource to this statement. With Effect.ALLOW this grants the listed actions on every resource the actions support; prefer add_resources() with explicit ARNs unless the action genuinely does not support resource-level permissions.
  - Return type:
    None
- add_any_principal()
  Adds all identities in all accounts (“*”) to this policy statement. In an Allow statement without conditions this makes the resource reachable by anyone, including unauthenticated callers; pair it with conditions that restrict the caller.
  - Return type:
    None
- add_arn_principal(arn)
  Specify a principal using the ARN identifier of the principal.
  You cannot specify IAM groups and instance profiles as principals.
  - Parameters:
    arn (str) – ARN identifier of an AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name).
  - Return type:
    None
- add_aws_account_principal(account_id)
  Specify an AWS account ID as the principal entity in the “Principal” section of a policy statement. This renders as the account’s root ARN, which delegates the grant to that account: any IAM principal in it whose own identity policies allow the action can use it.
  - Parameters:
    account_id (str) – the AWS account ID to trust.
  - Return type:
    None
- add_canonical_user_principal(canonical_user_id)
  Adds a canonical user ID principal to this policy statement.
  - Parameters:
    canonical_user_id (str) – unique identifier assigned by AWS to every account.
  - Return type:
    None
- add_condition(key, value)
  Add a condition to the Policy.
  If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:
      # stmt: iam.PolicyStatement
      stmt.add_condition("StringEquals", {"aws:SomeField": "1"})
      stmt.add_condition("StringEquals", {"aws:SomeField": "2"})
  will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.
  If you meant to add a condition to say that the field can be either 1 or 2, write this:
      # stmt: iam.PolicyStatement
      stmt.add_condition("StringEquals", {"aws:SomeField": ["1", "2"]})
  - Parameters:
    key (str) – the condition operator (e.g. StringEquals).
    value (Any) – a mapping from condition key to a value or list of values.
  - Return type:
    None
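Because the overwrite is silent, a later add_condition() on the same operator and field can drop a restriction an earlier call added. As an added example (not aws-cdk-lib code), the helper below deep-merges condition blocks in pure Python so that values for the same operator and key are combined into a list (the “either 1 or 2” form above) instead of replaced; a caller accumulates its conditions this way and then calls add_conditions() once with the result. It assumes only the condition block shape IAM uses: operator, then condition key, then a value or list of values.

```python
"""Added example (not aws-cdk-lib code): merge IAM condition blocks without the silent
overwrite that repeated add_condition() calls on the same operator and key produce."""
from typing import Any, Dict, List

# IAM condition block shape: {operator: {condition_key: value_or_list_of_values}}
ConditionBlock = Dict[str, Dict[str, Any]]


def _as_list(value: Any) -> List[Any]:
    """Normalise a scalar or list value to a fresh list (so inputs are never mutated)."""
    return list(value) if isinstance(value, list) else [value]


def merge_conditions(existing: ConditionBlock, new: ConditionBlock) -> ConditionBlock:
    """Return a new block containing every operator/key of both inputs.

    Values for the same operator and key are unioned in first-seen order. IAM evaluates
    multiple values under one key as OR for positive operators (StringEquals, ArnLike, ...),
    which is the "either 1 or 2" form; for negated operators (StringNotEquals, ...) the list
    means "none of these", so a union is still the natural combination.
    """
    merged: Dict[str, Dict[str, List[Any]]] = {
        op: {key: _as_list(val) for key, val in keys.items()} for op, keys in existing.items()
    }
    for op, keys in new.items():
        bucket = merged.setdefault(op, {})
        for key, val in keys.items():
            current = bucket.setdefault(key, [])
            for v in _as_list(val):
                if v not in current:
                    current.append(v)
    # Collapse single values back to scalars, the form CDK and the IAM console render.
    return {
        op: {key: (vals[0] if len(vals) == 1 else vals) for key, vals in keys.items()}
        for op, keys in merged.items()
    }


# Usage with CDK (not imported here): collect the conditions, then apply them once.
#   stmt.add_conditions(merge_conditions(org_condition, source_condition))
```

The merge is only a safe way to combine restrictions you intend to OR together; if two parts of a code base each believe they hold the only value for a key, the union is still wider than either of them intended, so review the merged block before it reaches add_conditions().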
- add_conditions(conditions)
  Add multiple conditions to the Policy.
  See the add_condition function for a caveat on calling this method multiple times.
  - Parameters:
    conditions (Mapping[str, Any]) – condition operators mapped to their condition keys and values.
  - Return type:
    None
- add_federated_principal(federated, conditions)
  Adds a federated identity provider such as Amazon Cognito to this policy statement.
  - Parameters:
    federated (Any) – federated identity provider (e.g. ‘cognito-identity.amazonaws.com’).
    conditions (Mapping[str, Any]) – The conditions under which the policy is in effect. See the IAM documentation.
  - Return type:
    None
- add_not_actions(*not_actions)
  Add actions to the “NotAction” section of the policy statement. The statement then matches every action except the ones listed: with Effect.ALLOW it permits all other actions, with Effect.DENY it denies all other actions. Treat an Allow with NotAction as a near-wildcard grant when reviewing policies.
  - Parameters:
    not_actions (str) – actions excluded from the match. All other actions are matched by this statement.
  - See:
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
  - Return type:
    None
- add_not_principals(*not_principals)
  Specify principals in the “NotPrincipal” section of a policy statement: the statement applies to every principal except those listed. AWS recommends against combining NotPrincipal with Effect.ALLOW, since that grants access to all other principals, anonymous callers included; its usual use is a Deny that exempts a few principals.
  - Parameters:
    not_principals (IPrincipal) – IAM principals excluded from this statement.
  - See:
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
  - Return type:
    None
- add_not_resources(*arns)
  Specify resources that this policy statement will not apply to in the “NotResource” section of this policy statement.
  All resources except the specified list will be matched.
  - Parameters:
    arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.
  - See:
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
  - Return type:
    None
- add_principals(*principals)
  Adds principals to the “Principal” section of a policy statement.
  - Parameters:
    principals (IPrincipal) – IAM principals that will be added.
  - See:
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
  - Return type:
    None
- add_resources(*arns)
  Specify the resources that this policy statement applies to in the “Resource” section of this policy statement.
  - Parameters:
    arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement applies to.
  - See:
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html
  - Return type:
    None
- add_service_principal(service, *, conditions=None, region=None)
  Adds a service principal to this policy statement. When the statement lets a service act on a resource (a trust policy or a resource policy), pass aws:SourceArn / aws:SourceAccount conditions here or via add_source_arn_condition() / add_source_account_condition(), so that only the intended resource in the intended account can exercise the grant (the confused-deputy mitigation).
  - Parameters:
    service (str) – the service name for which a service principal is requested (e.g. s3.amazonaws.com).
    conditions (Optional[Mapping[str, Any]]) – Additional conditions to add to the Service Principal. Default: - No conditions
    region (Optional[str]) – The region in which you want to reference the service. This is only necessary for cross-region references to opt-in regions. In those cases, the region name needs to be included to reference the correct service principal. In all other cases, the global service principal name is sufficient. This field behaves differently depending on whether the @aws-cdk/aws-iam:standardizedServicePrincipals flag is set or not:
      - If the flag is set, the input service principal is assumed to be of the form SERVICE.amazonaws.com. That value will always be returned, unless the given region is an opt-in region and the service principal is rendered in a stack in a different region, in which case SERVICE.REGION.amazonaws.com will be rendered. Under this regime, there is no downside to always specifying the region property: it will be rendered only if necessary.
      - If the flag is not set, the service principal will resolve to a single principal whose name comes from the @aws-cdk/region-info package, using the region to override the stack region. If there is no entry for this service principal in the database, the input service name is returned literally. This is legacy behavior and is not recommended.
      Default: - the resolving Stack’s region.
  - Return type:
    None
- add_source_account_condition(account_id)
  Add a StringEquals condition on aws:SourceAccount that limits the statement to requests a service makes on behalf of resources in the given account.
  Together with add_source_arn_condition(), this is the standard confused-deputy protection for statements that grant a service principal access.
  This method can only be called once: subsequent calls will overwrite earlier calls.
  - Parameters:
    account_id (str) – the AWS account ID that the calling service’s source resource must belong to.
  - Return type:
    None
- add_source_arn_condition(arn)
  Add an ArnEquals condition on aws:SourceArn that limits the statement to requests a service makes on behalf of the given resource.
  This method can only be called once: subsequent calls will overwrite earlier calls.
  - Parameters:
    arn (str) – the ARN of the resource on whose behalf the service must be acting.
  - Return type:
    None
- copy(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)
  Create a new PolicyStatement with the same exact properties as this one, except for the overrides.
  - Parameters:
    actions (Optional[Sequence[str]]) – List of actions to add to the statement. Default: - no actions
    conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: - no condition
    effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW
    not_actions (Optional[Sequence[str]]) – List of NotAction entries to add to the statement. Default: - no not-actions
    not_principals (Optional[Sequence[IPrincipal]]) – List of NotPrincipal entries to add to the statement. Default: - no not-principals
    not_resources (Optional[Sequence[str]]) – NotResource ARNs to add to the statement. Default: - no not-resources
    principals (Optional[Sequence[IPrincipal]]) – List of principals to add to the statement. Default: - no principals
    resources (Optional[Sequence[str]]) – Resource ARNs to add to the statement. Default: - no resources
    sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: - no sid
  - Return type:
    PolicyStatement
- freeze()
  Make the PolicyStatement immutable.
  After calling this, any of the addXxx() methods will throw an exception.
  Libraries that lazily generate statement bodies can override this method to fill the actual PolicyStatement fields. Be aware that this method may be called multiple times.
  - Return type:
    PolicyStatement
- to_json()
  JSON-ify the statement.
  Used when the statement is serialized (JSON.stringify() in the underlying TypeScript library).
  - Return type:
    Any
- to_statement_json()
  JSON-ify the policy statement.
  Used when the statement is serialized (JSON.stringify() in the underlying TypeScript library).
  - Return type:
    Any
- to_string()
String representation of this policy statement.
- Return type:
str
- validate_for_any_policy()
  Validate that the policy statement satisfies base requirements for a policy.
  - Return type:
    List[str]
  - Returns:
    An array of validation error messages, or an empty array if the statement is valid.
- validate_for_identity_policy()
  Validate that the policy statement satisfies all requirements for an identity-based policy.
  - Return type:
    List[str]
  - Returns:
    An array of validation error messages, or an empty array if the statement is valid.
- validate_for_resource_policy()
  Validate that the policy statement satisfies all requirements for a resource-based policy.
  - Return type:
    List[str]
  - Returns:
    An array of validation error messages, or an empty array if the statement is valid.
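The validate_for_*() methods check structural requirements (for example that a resource-based statement has a principal); they do not judge whether a statement is over-broad. As an added example, not part of aws-cdk-lib, the pure-Python lint below runs over statement JSON in the shape to_json() renders and flags the patterns discussed in the method descriptions above: Allow with Action or Resource "*", Allow with NotAction or NotPrincipal, an unconditioned "*" principal, and a service principal with no aws:SourceArn / aws:SourceAccount condition. The sample document, ARNs and account ID are constructed placeholders.

```python
"""Added example (not aws-cdk-lib code): lint statement JSON, as PolicyStatement.to_json()
renders it, for over-broad patterns that validate_for_*() does not flag."""
from typing import Any, Dict, List, Set, Tuple

# Condition keys AWS recommends on statements that trust a service principal, so that only
# the expected source resource or account can exercise the grant (confused-deputy mitigation).
CONFUSED_DEPUTY_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceorgid"}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list in most elements; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principals(principal: Any) -> List[Tuple[str, str]]:
    """Flatten the Principal element into (kind, value) pairs; a bare "*" is the anonymous principal."""
    if principal == "*":
        return [("AWS", "*")]
    if isinstance(principal, dict):
        return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]
    return []


def _condition_keys(condition: Dict[str, Dict[str, Any]]) -> Set[str]:
    """Condition keys are case-insensitive in IAM, so compare them lower-cased."""
    return {key.lower() for keys in condition.values() for key in keys}


def lint_statement(stmt: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one statement; an empty list means nothing was flagged."""
    findings: List[str] = []
    if stmt.get("Effect") != "Allow":
        return findings  # wildcards in a Deny statement narrow access rather than widen it
    sid = stmt.get("Sid", "<no sid>")
    if "*" in _as_list(stmt.get("Action")):
        findings.append(f"{sid}: Allow with Action '*'")
    if "*" in _as_list(stmt.get("Resource")):
        findings.append(f"{sid}: Allow with Resource '*'")
    if "NotAction" in stmt:
        findings.append(f"{sid}: Allow with NotAction permits every action not listed")
    if "NotPrincipal" in stmt:
        findings.append(f"{sid}: Allow with NotPrincipal grants every other principal, anonymous included")
    principals = _principals(stmt.get("Principal"))
    cond_keys = _condition_keys(stmt.get("Condition", {}))
    if ("AWS", "*") in principals and not cond_keys:
        findings.append(f"{sid}: Allow to any principal with no Condition")
    if any(kind == "Service" for kind, _ in principals) and not (cond_keys & CONFUSED_DEPUTY_KEYS):
        findings.append(f"{sid}: service principal without aws:SourceArn/aws:SourceAccount condition")
    return findings


def lint_document(doc: Dict[str, Any]) -> List[str]:
    """Lint every statement of a policy document (the shape PolicyDocument.to_json() renders)."""
    return [f for stmt in _as_list(doc.get("Statement")) for f in lint_statement(stmt)]


# Constructed sample in the shape to_json() renders; bucket name, ARNs and account ID are placeholders.
SAMPLE_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {   # scoped action and resource, service principal pinned to a source ARN: clean
            "Sid": "ScopedServiceRead", "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:lambda:us-east-1:111122223333:function:*"}},
        },
        {"Sid": "AdminWildcard", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {   # NotAction plus a "*" principal: everything but IAM, to anyone
            "Sid": "PublicNotAction", "Effect": "Allow",
            "NotAction": ["iam:*"], "Resource": "*", "Principal": "*",
        },
        {"Sid": "DenyUnencrypted", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "UnpinnedTrust", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "events.amazonaws.com"}},
    ],
}

if __name__ == "__main__":
    for finding in lint_document(SAMPLE_DOCUMENT):
        print(finding)
```

In a CDK app the input would be the dict returned by PolicyDocument.to_json() (or PolicyStatement.to_json() for a single statement) after the statements are assembled; the lint is deliberately conservative and reports patterns for review rather than deciding they are wrong, since a service trust policy may legitimately lack a source condition for some services.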
Attributes
- actions
The Actions added to this statement.
- conditions
The conditions added to this statement.
- effect
Whether to allow or deny the actions in this statement (readable and settable).
- frozen
Whether the PolicyStatement has been frozen.
The statement object is frozen when
freeze()
is called.
- has_principal
Indicates if this permission has a “Principal” section.
- has_resource
Indicates if this permission has at least one resource associated with it.
- not_actions
The NotActions added to this statement.
- not_principals
The NotPrincipals added to this statement.
- not_resources
The NotResources added to this statement.
- principals
The Principals added to this statement.
- resources
The Resources added to this statement.
- sid
Statement ID for this statement (readable and settable).
Static Methods
- classmethod from_json(obj)
  Creates a new PolicyStatement based on the object provided.
  This will accept an object created from the to_json() call.
  - Parameters:
    obj (Any) – the PolicyStatement in object form.
  - Return type:
    PolicyStatement