Class Role
- All Implemented Interfaces:
IConstruct
,IDependable
,IResource
,IGrantable
,IIdentity
,IPrincipal
,IRole
,software.amazon.jsii.JsiiSerializable
,software.constructs.IConstruct
Defines an IAM role. The role is created with an assume policy document associated with
the specified AWS service principal defined in serviceAssumeRole
.
Example:
Role lambdaRole = Role.Builder.create(this, "Role") .assumedBy(new ServicePrincipal("lambda.amazonaws.com")) .description("Example role...") .build(); Stream stream = Stream.Builder.create(this, "MyEncryptedStream") .encryption(StreamEncryption.KMS) .build(); // give lambda permissions to read stream stream.grantRead(lambdaRole);
-
Nested Class Summary
Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject
software.amazon.jsii.JsiiObject.InitializationMode
Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IConstruct
IConstruct.Jsii$Default
Nested classes/interfaces inherited from interface software.constructs.IConstruct
software.constructs.IConstruct.Jsii$Default
Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IResource
IResource.Jsii$Default
Nested classes/interfaces inherited from interface software.amazon.awscdk.services.iam.IRole
IRole.Jsii$Default, IRole.Jsii$Proxy
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionvoid
addManagedPolicy
(IManagedPolicy policy) Attaches a managed policy to this role.addToPolicy
(PolicyStatement statement) Add to the policy of this principal.addToPrincipalPolicy
(PolicyStatement statement) Adds a permission to the role's default policy document.void
attachInlinePolicy
(Policy policy) Attaches a policy to this role.static IRole
fromRoleArn
(software.constructs.Construct scope, String id, String roleArn) Import an external role by ARN.static IRole
fromRoleArn
(software.constructs.Construct scope, String id, String roleArn, FromRoleArnOptions options) Import an external role by ARN.static IRole
fromRoleName
(software.constructs.Construct scope, String id, String roleName) Import an external role by name.When this Principal is used in an AssumeRole policy, the action to use.The assume role policy document associated with this role.The principal to grant permissions to.Returns the permissions boundary attached to this role.Returns the role.The AWS account ID of this principal.Returns the ARN of this role.Returns the stable and unique string identifying the role.Returns the name of the role.grant
(IPrincipal grantee, @NotNull String... actions) Grant the actions defined in actions to the identity Principal on this resource.grantAssumeRole
(IPrincipal identity) Grant permissions to the given principal to assume this role.grantPassRole
(IPrincipal identity) Grant permissions to the given principal to pass this role.validate()
Validate the current construct.Return a copy of this Role object whose Policies will not be updated.Return a copy of this Role object whose Policies will not be updated.Methods inherited from class software.amazon.awscdk.core.Resource
applyRemovalPolicy, generatePhysicalName, getEnv, getPhysicalName, getResourceArnAttribute, getResourceNameAttribute, getStack, isResource
Methods inherited from class software.amazon.awscdk.core.Construct
getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize
Methods inherited from class software.constructs.Construct
toString
Methods inherited from class software.amazon.jsii.JsiiObject
jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface software.amazon.awscdk.core.IConstruct
getNode
Methods inherited from interface software.amazon.awscdk.core.IResource
applyRemovalPolicy, getEnv, getStack
Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
-
Constructor Details
-
Role
protected Role(software.amazon.jsii.JsiiObjectRef objRef) -
Role
protected Role(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) -
Role
@Stability(Stable) public Role(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull RoleProps props) - Parameters:
scope
- This parameter is required.id
- This parameter is required.props
- This parameter is required.
-
-
Method Details
-
fromRoleArn
@Stability(Stable) @NotNull public static IRole fromRoleArn(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String roleArn, @Nullable FromRoleArnOptions options) Import an external role by ARN.If the imported Role ARN is a Token (such as a
CfnParameter.valueAsString
or aFn.importValue()
) and the referenced role has apath
(likearn:...:role/AdminRoles/Alice
), theroleName
property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without thepath
in order to resolve the correct role resource.- Parameters:
scope
- construct scope. This parameter is required.id
- construct id. This parameter is required.roleArn
- the ARN of the role to import. This parameter is required.options
- allow customizing the behavior of the returned role.
-
fromRoleArn
@Stability(Stable) @NotNull public static IRole fromRoleArn(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String roleArn) Import an external role by ARN.If the imported Role ARN is a Token (such as a
CfnParameter.valueAsString
or aFn.importValue()
) and the referenced role has apath
(likearn:...:role/AdminRoles/Alice
), theroleName
property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without thepath
in order to resolve the correct role resource.- Parameters:
scope
- construct scope. This parameter is required.id
- construct id. This parameter is required.roleArn
- the ARN of the role to import. This parameter is required.
-
fromRoleName
@Stability(Stable) @NotNull public static IRole fromRoleName(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull String roleName) Import an external role by name.The imported role is assumed to exist in the same account as the account the scope's containing Stack is being deployed to.
- Parameters:
scope
- This parameter is required.id
- This parameter is required.roleName
- This parameter is required.
-
addManagedPolicy
Attaches a managed policy to this role.- Specified by:
addManagedPolicy
in interfaceIIdentity
- Parameters:
policy
- The the managed policy to attach. This parameter is required.
-
addToPolicy
Add to the policy of this principal.- Specified by:
addToPolicy
in interfaceIPrincipal
- Parameters:
statement
- This parameter is required.- Returns:
- true if the statement was added, false if the principal in question does not have a policy document to add the statement to.
-
addToPrincipalPolicy
@Stability(Stable) @NotNull public AddToPrincipalPolicyResult addToPrincipalPolicy(@NotNull PolicyStatement statement) Adds a permission to the role's default policy document.If there is no default policy attached to this role, it will be created.
- Specified by:
addToPrincipalPolicy
in interfaceIPrincipal
- Parameters:
statement
- The permission statement to add to the policy document. This parameter is required.
-
attachInlinePolicy
Attaches a policy to this role.- Specified by:
attachInlinePolicy
in interfaceIIdentity
- Parameters:
policy
- The policy to attach. This parameter is required.
-
grant
@Stability(Stable) @NotNull public Grant grant(@NotNull IPrincipal grantee, @NotNull @NotNull String... actions) Grant the actions defined in actions to the identity Principal on this resource. -
grantAssumeRole
Grant permissions to the given principal to assume this role.- Specified by:
grantAssumeRole
in interfaceIRole
- Parameters:
identity
- This parameter is required.
-
grantPassRole
Grant permissions to the given principal to pass this role.- Specified by:
grantPassRole
in interfaceIRole
- Parameters:
identity
- This parameter is required.
-
validate
Validate the current construct.This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.
-
withoutPolicyUpdates
@Stability(Stable) @NotNull public IRole withoutPolicyUpdates(@Nullable WithoutPolicyUpdatesOptions options) Return a copy of this Role object whose Policies will not be updated.Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.
If you do, you are responsible for adding the correct statements to the Role's policies yourself.
- Parameters:
options
-
-
withoutPolicyUpdates
Return a copy of this Role object whose Policies will not be updated.Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.
If you do, you are responsible for adding the correct statements to the Role's policies yourself.
-
getAssumeRoleAction
When this Principal is used in an AssumeRole policy, the action to use.- Specified by:
getAssumeRoleAction
in interfaceIPrincipal
-
getGrantPrincipal
The principal to grant permissions to.- Specified by:
getGrantPrincipal
in interfaceIGrantable
-
getPolicyFragment
Returns the role.- Specified by:
getPolicyFragment
in interfaceIPrincipal
-
getRoleArn
Returns the ARN of this role.- Specified by:
getRoleArn
in interfaceIRole
-
getRoleId
Returns the stable and unique string identifying the role.For example, AIDAJQABLZS4A3QDU576Q.
-
getRoleName
Returns the name of the role.- Specified by:
getRoleName
in interfaceIRole
-
getAssumeRolePolicy
The assume role policy document associated with this role. -
getPermissionsBoundary
Returns the permissions boundary attached to this role. -
getPrincipalAccount
The AWS account ID of this principal.Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.
- Specified by:
getPrincipalAccount
in interfaceIPrincipal
-