ServicePrincipal
- class aws_cdk.aws_iam.ServicePrincipal(service, *, conditions=None, region=None)
Bases: PrincipalBase
An IAM principal that represents an AWS service (e.g. sqs.amazonaws.com).
- ExampleMetadata:
infused
Example:
from aws_cdk import aws_iam as iam
from aws_cdk import aws_stepfunctions as sfn

# definition: sfn.IChainable
# (this snippet runs inside a Stack or Construct, so `self` is the scope)
role = iam.Role(self, "Role",
    assumed_by=iam.ServicePrincipal("lambda.amazonaws.com")
)
state_machine = sfn.StateMachine(self, "StateMachine",
    definition_body=sfn.DefinitionBody.from_chainable(definition)
)
# Give role permission to get execution history of ALL executions for the state machine
state_machine.grant_execution(role, "states:GetExecutionHistory")
Reference an AWS service, optionally in a given region.
- Parameters:
service (str) – AWS service (e.g. sqs.amazonaws.com).
conditions (Optional[Mapping[str, Any]]) – Additional conditions to add to the Service Principal. Default: - No conditions
region (Optional[str]) – The region in which you want to reference the service. This is only necessary for cross-region references to opt-in regions. In those cases, the region name needs to be included to reference the correct service principal. In all other cases, the global service principal name is sufficient. This field behaves differently depending on whether the @aws-cdk/aws-iam:standardizedServicePrincipals feature flag is set or not:
- If the flag is set, the input service principal is assumed to be of the form SERVICE.amazonaws.com. That value will always be returned, unless the given region is an opt-in region and the service principal is rendered in a stack in a different region, in which case SERVICE.REGION.amazonaws.com will be rendered. Under this regime, there is no downside to always specifying the region property: it will be rendered only if necessary.
- If the flag is not set, the service principal will resolve to a single principal whose name comes from the @aws-cdk/region-info package, using the region to override the stack region. If there is no entry for this service principal in the database, the input service name is returned literally. This is legacy behavior and is not recommended.
Default: - the resolving Stack's region.
Methods
- add_to_assume_role_policy(document)
Add the principal to the AssumeRolePolicyDocument.
Add the statements to the AssumeRolePolicyDocument necessary to give this principal permissions to assume the given role.
- Parameters:
document (PolicyDocument) –
- Return type:
None
- add_to_policy(statement)
Add to the policy of this principal.
- Parameters:
statement (PolicyStatement) –
- Return type:
bool
- add_to_principal_policy(_statement)
Add to the policy of this principal.
- Parameters:
_statement (PolicyStatement) –
- Return type:
AddToPrincipalPolicyResult
- dedupe_string()
Return a string that identifies this principal for equality comparison and deduplication: two principals with the same dedupe string are treated as the same principal. Returns None when the principal cannot be deduplicated.
- Return type:
Optional[str]
- to_json()
JSON-ify the principal.
Used when JSON.stringify() is called.
- Return type:
Mapping[str, List[str]]
- to_string()
Returns a string representation of this principal.
- Return type:
str
- with_conditions(conditions)
Returns a new PrincipalWithConditions using this principal as the base, with the passed conditions added.
When there is a value for the same operator and key in both the principal and the conditions parameter, the value from the conditions parameter will be used.
- Parameters:
conditions (Mapping[str, Any]) –
- Return type:
PrincipalWithConditions
- Returns:
a new PrincipalWithConditions object.
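The merge rule above, and the check a practitioner wants next to it, as an added stand-alone example (this is not aws_cdk code and not the library's own policy renderer): it models the trust statement a ServicePrincipal contributes to a role's AssumeRolePolicyDocument, applies the "value from the conditions parameter wins" rule when two condition blocks are merged, and flags service trusts that carry no aws:SourceArn or aws:SourceAccount condition, which is the cross-service confused-deputy gap. The account id, function ARN and policy documents are constructed placeholders, and `merge_conditions`, `assume_role_statement`, `unscoped_service_trusts` and `example_trust_policies` are this example's own names.

```python
# Added example, not part of aws_cdk: a stand-alone model of the trust
# statement a ServicePrincipal contributes to an AssumeRolePolicyDocument,
# the documented with_conditions() merge rule, and a confused-deputy check.
from copy import deepcopy
from typing import Any, Dict, List, Mapping, Optional

# Condition keys that let a role trust be scoped to the resource/account that
# is really driving the service. Which of these a given service populates is
# service-specific; confirm against that service's confused-deputy docs.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def merge_conditions(base: Mapping[str, Any], extra: Mapping[str, Any]) -> Dict[str, Any]:
    """Merge two IAM Condition blocks.

    Models the with_conditions() rule: when the same operator and key appear
    in both, the value from `extra` (the conditions parameter) wins. Keys
    present on only one side are kept.
    """
    merged: Dict[str, Dict[str, Any]] = {op: dict(keys) for op, keys in base.items()}
    for op, keys in extra.items():
        merged.setdefault(op, {}).update(keys)
    return merged


def assume_role_statement(service: str, conditions: Optional[Mapping[str, Any]] = None) -> Dict[str, Any]:
    """Trust-policy statement for a service principal (modelled, not CDK output).

    A ServicePrincipal's assume_role_action is sts:AssumeRole.
    """
    stmt: Dict[str, Any] = {
        "Effect": "Allow",
        "Principal": {"Service": [service]},
        "Action": "sts:AssumeRole",
    }
    if conditions:
        stmt["Condition"] = deepcopy(dict(conditions))
    return stmt


def unscoped_service_trusts(trust_policy: Mapping[str, Any]) -> List[str]:
    """One finding per Allow statement that lets a service principal assume
    the role with no aws:SourceArn / aws:SourceAccount condition. Such a trust
    can be exercised by that service on behalf of any account able to drive it."""
    findings: List[str] = []
    for index, stmt in enumerate(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Service" not in principal:
            continue
        services = principal["Service"]
        if isinstance(services, str):
            services = [services]
        condition = stmt.get("Condition", {})
        # IAM condition keys are matched case-insensitively.
        present = {key.lower() for keys in condition.values() for key in keys}
        if present & SCOPING_KEYS:
            continue
        findings.append(
            f"statement {index}: {', '.join(services)} may assume the role "
            "without an aws:SourceArn/aws:SourceAccount condition"
        )
    return findings


def example_trust_policies() -> Dict[str, Dict[str, Any]]:
    """Constructed sample: the same Lambda trust, first open, then scoped.

    The account id and function ARN are made-up placeholders."""
    account = "123456789012"
    open_trust = {"Version": "2012-10-17",
                  "Statement": [assume_role_statement("lambda.amazonaws.com")]}
    scoped = merge_conditions(
        {"StringEquals": {"aws:SourceAccount": "000000000000"}},   # base principal's conditions
        {"StringEquals": {"aws:SourceAccount": account},           # same operator+key: this wins
         "ArnLike": {"aws:SourceArn": f"arn:aws:lambda:us-east-1:{account}:function:*"}},
    )
    scoped_trust = {"Version": "2012-10-17",
                    "Statement": [assume_role_statement("lambda.amazonaws.com", scoped)]}
    return {"open": open_trust, "scoped": scoped_trust}


if __name__ == "__main__":
    for name, policy in example_trust_policies().items():
        print(name, unscoped_service_trusts(policy) or "ok")
```

In CDK terms the scoped variant is `iam.ServicePrincipal("lambda.amazonaws.com").with_conditions({...})` passed as `assumed_by`; the point of the checker is that a bare `ServicePrincipal` in a trust policy is an account-wide grant to that service, so the conditions are part of the security design, not an optional nicety.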
- with_session_tags()
Returns a new principal using this principal as the base, with session tags enabled.
- Return type:
SessionTagsPrincipal
- Returns:
a new SessionTagsPrincipal object.
Attributes
- assume_role_action
When this Principal is used in an AssumeRole policy, the action to use.
- grant_principal
The principal to grant permissions to.
- policy_fragment
Return the policy fragment that identifies this principal in a Policy.
- principal_account
The AWS account ID of this principal.
Can be None when the account is not known (for example, for service principals). Can be a Token; in that case, it is assumed to be AWS::AccountId.
- service
AWS service (e.g. sqs.amazonaws.com).
Static Methods
- classmethod service_principal_name(service)
Return the service principal name based on the region it's used in.
Some service principal names used to be different for different partitions, and some were not. This method would return the appropriate region-specific service principal name, getting that information from the region-info module. These days all service principal names are standardized, and they are all of the form <servicename>.amazonaws.com.
To avoid breaking changes, handling is provided for services added with the formats below; however, no additional handling will be added for new regions or partitions.
- s3
- s3.amazonaws.com
- s3.amazonaws.com.cn
- s3.c2s.ic.gov
- s3.sc2s.sgov.gov
- Parameters:
service (str) –
- Return type:
str
Example:
principal_name = iam.ServicePrincipal.service_principal_name("ec2.amazonaws.com")
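The two naming rules this page describes, the region rendering rule under the @aws-cdk/aws-iam:standardizedServicePrincipals flag (see the region parameter) and the legacy input formats accepted here, as an added stand-alone model. This is not aws_cdk's implementation, which consults the @aws-cdk/region-info database: `standardized_service_name` normalizes the five listed legacy formats to <servicename>.amazonaws.com, and `render_service_principal` applies the standardized-regime rule that the region is rendered only when the requested region is an opt-in region different from the stack's region. `OPT_IN_REGIONS` is an illustrative subset assumed for the example, and both function names are this example's own.

```python
# Added example, not aws_cdk code: a stand-alone model of the documented
# ServicePrincipal name rules, so the rendering can be reasoned about offline.
import re
from typing import FrozenSet, Optional

# Illustrative subset of AWS opt-in regions. Assumption for this example: the
# authoritative list is the @aws-cdk/region-info database and changes over time.
OPT_IN_REGIONS: FrozenSet[str] = frozenset(
    {"af-south-1", "ap-east-1", "eu-south-1", "me-south-1", "il-central-1"}
)

# The five legacy input formats the docs say are still handled:
# s3, s3.amazonaws.com, s3.amazonaws.com.cn, s3.c2s.ic.gov, s3.sc2s.sgov.gov
_LEGACY_FORMAT = re.compile(
    r"^(?P<service>[^.]+)"
    r"(?:\.amazonaws\.com(?:\.cn)?|\.c2s\.ic\.gov|\.sc2s\.sgov\.gov)?$"
)


def standardized_service_name(service: str) -> str:
    """Normalize a legacy-format service name to <servicename>.amazonaws.com.

    Anything outside the five documented formats is rejected rather than
    guessed at, since a mistyped principal would silently trust nobody or,
    worse, the wrong name.
    """
    match = _LEGACY_FORMAT.match(service)
    if not match:
        raise ValueError(f"unrecognized service principal format: {service!r}")
    return f"{match.group('service')}.amazonaws.com"


def render_service_principal(service: str, stack_region: str,
                             region: Optional[str] = None,
                             opt_in_regions: FrozenSet[str] = OPT_IN_REGIONS) -> str:
    """Standardized-regime rendering: return SERVICE.amazonaws.com unchanged
    unless `region` is an opt-in region and differs from the stack's region,
    in which case render SERVICE.REGION.amazonaws.com.

    Because the suffix appears only when needed, always passing `region` is
    harmless, exactly as the parameter docs state.
    """
    name = standardized_service_name(service)
    if region is not None and region != stack_region and region in opt_in_regions:
        base = name[: -len(".amazonaws.com")]
        return f"{base}.{region}.amazonaws.com"
    return name


if __name__ == "__main__":
    print(render_service_principal("ec2.amazonaws.com", "us-east-1"))
    print(render_service_principal("ec2.amazonaws.com", "us-east-1", region="af-south-1"))
    print(render_service_principal("ec2.amazonaws.com", "af-south-1", region="af-south-1"))
```

The last two calls show the edge that matters operationally: a reference to an opt-in region from a stack in another region gets the regional name, while the same principal rendered inside that opt-in region does not.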