User
- class aws_cdk.aws_iam.User(scope, id, *, groups=None, managed_policies=None, password=None, password_reset_required=None, path=None, permissions_boundary=None, user_name=None)
Bases:
Resource
Define a new IAM user.
- ExampleMetadata:
infused
Example:
# definition: sfn.IChainable user = iam.User(self, "MyUser") state_machine = sfn.StateMachine(self, "StateMachine", definition_body=sfn.DefinitionBody.from_chainable(definition) ) # give user permission to send task success to the state machine state_machine.grant(user, "states:SendTaskSuccess")
- Parameters:
scope (
Construct
) –id (
str
) –groups (
Optional
[Sequence
[IGroup
]]) – Groups to add this user to. You can also useaddToGroup
to add this user to a group. Default: - No groups.managed_policies (
Optional
[Sequence
[IManagedPolicy
]]) – A list of managed policies associated with this role. You can add managed policies later usingaddManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))
. Default: - No managed policies.password (
Optional
[SecretValue
]) – The password for the user. This is required so the user can access the AWS Management Console. You can useSecretValue.unsafePlainText
to specify a password in plain text or usesecretsmanager.Secret.fromSecretAttributes
to reference a secret in Secrets Manager. Default: - User won’t be able to access the management console without a password.password_reset_required (
Optional
[bool
]) – Specifies whether the user is required to set a new password the next time the user logs in to the AWS Management Console. If this is set to ‘true’, you must also specify “initialPassword”. Default: falsepath (
Optional
[str
]) – The path for the user name. For more information about paths, see IAM Identifiers in the IAM User Guide. Default: /permissions_boundary (
Optional
[IManagedPolicy
]) – AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. Default: - No permissions boundary.user_name (
Optional
[str
]) – A name for the IAM user. For valid values, see the UserName parameter for the CreateUser action in the IAM API Reference. If you don’t specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name. If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template’s capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates. Default: - Generated by CloudFormation (recommended)
Methods
- add_managed_policy(policy)
Attaches a managed policy to the user.
- Parameters:
policy (
IManagedPolicy
) – The managed policy to attach.- Return type:
None
- add_to_policy(statement)
Add to the policy of this principal.
- Parameters:
statement (
PolicyStatement
) –- Return type:
bool
- add_to_principal_policy(statement)
Adds an IAM statement to the default policy.
- Parameters:
statement (
PolicyStatement
) –- Return type:
- Returns:
true
- apply_removal_policy(policy)
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.
The resource can be deleted (
RemovalPolicy.DESTROY
), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN
).- Parameters:
policy (
RemovalPolicy
) –- Return type:
None
- attach_inline_policy(policy)
Attaches a policy to this user.
- Parameters:
policy (
Policy
) –- Return type:
None
- to_string()
Returns a string representation of this construct.
- Return type:
str
Attributes
- assume_role_action
When this Principal is used in an AssumeRole policy, the action to use.
- env
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
- grant_principal
The principal to grant permissions to.
- node
The tree node.
- permissions_boundary
Returns the permissions boundary attached to this user.
- policy_fragment
Return the policy fragment that identifies this principal in a Policy.
- principal_account
The AWS account ID of this principal.
Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it’s assumed to be AWS::AccountId.
- stack
The stack in which this resource is defined.
- user_arn
An attribute that represents the user’s ARN.
- Attribute:
true
- user_name
An attribute that represents the user name.
- Attribute:
true
Static Methods
- classmethod from_user_arn(scope, id, user_arn)
Import an existing user given a user ARN.
If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail.
- classmethod from_user_attributes(scope, id, *, user_arn)
Import an existing user given user attributes.
If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail.
- classmethod from_user_name(scope, id, user_name)
Import an existing user given a username.
- classmethod is_construct(x)
Checks if
x
is a construct.Use this method instead of
instanceof
to properly detectConstruct
instances, even when the construct library is symlinked.Explanation: in JavaScript, multiple copies of the
constructs
library on disk are seen as independent, completely different libraries. As a consequence, the classConstruct
in each copy of theconstructs
library is seen as a different class, and an instance of one class will not test asinstanceof
the other class.npm install
will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of theconstructs
library can be accidentally installed, andinstanceof
will behave unpredictably. It is safest to avoid usinginstanceof
, and using this type-testing method instead.- Parameters:
x (
Any
) – Any object.- Return type:
bool
- Returns:
true if
x
is an object created from a class which extendsConstruct
.
- classmethod is_owned_resource(construct)
Returns true if the construct was created by CDK, and false otherwise.
- Parameters:
construct (
IConstruct
) –- Return type:
bool
- classmethod is_resource(construct)
Check whether the given construct is a Resource.
- Parameters:
construct (
IConstruct
) –- Return type:
bool