AwsCustomResourcePolicy

class aws_cdk.custom_resources.AwsCustomResourcePolicy(*args: Any, **kwargs)

Bases: object

The IAM Policy that will be applied to the different calls.

ExampleMetadata:

infused

Example:

get_parameter = cr.AwsCustomResource(self, "GetParameter",
    on_update=cr.AwsSdkCall( # will also be called for a CREATE event
        service="SSM",
        action="GetParameter",
        parameters={
            "Name": "my-parameter",
            "WithDecryption": True
        },
        physical_resource_id=cr.PhysicalResourceId.of(Date.now().to_string())),
    policy=cr.AwsCustomResourcePolicy.from_sdk_calls(
        resources=cr.AwsCustomResourcePolicy.ANY_RESOURCE
    )
)

# Use the value in another construct with
get_parameter.get_response_field("Parameter.Value")

Attributes

ANY_RESOURCE = ['*']
resources

resources for auto-generated from SDK calls.

statements

statements for explicit policy.

Static Methods

classmethod from_sdk_calls(*, resources)

Generate IAM Policy Statements from the configured SDK calls.

Each SDK call with be translated to an IAM Policy Statement in the form of: call.service:call.action (e.g s3:PutObject).

This policy generator assumes the IAM policy name has the same name as the API call. This is true in 99% of cases, but there are exceptions (for example, S3’s PutBucketLifecycleConfiguration requires s3:PutLifecycleConfiguration permissions, Lambda’s Invoke requires lambda:InvokeFunction permissions). Use fromStatements if you want to do a call that requires different IAM action names.

Parameters:

resources (Sequence[str]) – The resources that the calls will have access to. It is best to use specific resource ARN’s when possible. However, you can also use AwsCustomResourcePolicy.ANY_RESOURCE to allow access to all resources. For example, when onCreate is used to create a resource which you don’t know the physical name of in advance. Note that will apply to ALL SDK calls.

Return type:

AwsCustomResourcePolicy

classmethod from_statements(statements)

Explicit IAM Policy Statements.

Parameters:

statements (Sequence[PolicyStatement]) – the statements to propagate to the SDK calls.

Return type:

AwsCustomResourcePolicy