PolicyStatement
- class aws_cdk.aws_iam.PolicyStatement(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)
Bases: object
Represents a statement in an IAM policy document.
- ExampleMetadata: lit=test/integ.vpc-endpoint.lit.ts infused
Example:
    # Add gateway endpoints when creating the VPC
    vpc = ec2.Vpc(self, "MyVpc",
        gateway_endpoints={
            "S3": ec2.GatewayVpcEndpointOptions(
                service=ec2.GatewayVpcEndpointAwsService.S3
            )
        }
    )

    # Alternatively gateway endpoints can be added on the VPC
    dynamo_db_endpoint = vpc.add_gateway_endpoint("DynamoDbEndpoint",
        service=ec2.GatewayVpcEndpointAwsService.DYNAMODB
    )

    # This allows to customize the endpoint policy
    dynamo_db_endpoint.add_to_policy(
        iam.PolicyStatement(  # Restrict to listing and describing tables
            principals=[iam.AnyPrincipal()],
            actions=["dynamodb:DescribeTable", "dynamodb:ListTables"],
            resources=["*"]))

    # Add an interface endpoint
    vpc.add_interface_endpoint("EcrDockerEndpoint",
        service=ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER
    )
- Parameters:
  - actions (Optional[Sequence[str]]) – List of actions to add to the statement. Default: no actions
  - conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: no condition
  - effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW
  - not_actions (Optional[Sequence[str]]) – List of not actions to add to the statement. Default: no not-actions
  - not_principals (Optional[Sequence[IPrincipal]]) – List of not principals to add to the statement. Default: no not principals
  - not_resources (Optional[Sequence[str]]) – NotResource ARNs to add to the statement. Default: no not-resources
  - principals (Optional[Sequence[IPrincipal]]) – List of principals to add to the statement. Default: no principals
  - resources (Optional[Sequence[str]]) – Resource ARNs to add to the statement. Default: no resources
  - sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: no sid
Methods
- add_account_condition(account_id)
Add a condition that limits to a given account.
This method can only be called once: subsequent calls will overwrite earlier calls.
- Parameters: account_id (str)
- Return type: None
- add_account_root_principal()
Adds an AWS account root user principal to this policy statement.
- Return type: None
- add_actions(*actions)
Specify allowed actions into the “Action” section of the policy statement.
- Parameters: actions (str) – actions that will be allowed.
- Return type: None
- add_all_resources()
Adds a "*" resource to this statement.
- Return type: None
- add_any_principal()
Adds all identities in all accounts (“*”) to this policy statement.
- Return type: None
- add_arn_principal(arn)
Specify a principal using the ARN identifier of the principal.
You cannot specify IAM groups and instance profiles as principals.
- Parameters: arn (str) – ARN identifier of an AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name).
- Return type: None
- add_aws_account_principal(account_id)
Specify AWS account ID as the principal entity to the “Principal” section of a policy statement.
- Parameters: account_id (str)
- Return type: None
- add_canonical_user_principal(canonical_user_id)
Adds a canonical user ID principal to this policy document.
- Parameters: canonical_user_id (str) – unique identifier assigned by AWS for every account.
- Return type: None
- add_condition(key, value)
Add a condition to the Policy.
If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:
    # stmt: iam.PolicyStatement
    stmt.add_condition("StringEquals", {"aws:SomeField": "1"})
    stmt.add_condition("StringEquals", {"aws:SomeField": "2"})
Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.
If you meant to add a condition to say that the field can be either 1 or 2, write this:
    # stmt: iam.PolicyStatement
    stmt.add_condition("StringEquals", {"aws:SomeField": ["1", "2"]})
- Parameters:
  - key (str)
  - value (Any)
- Return type: None
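The overwrite caveat matters for security: a condition that is silently replaced narrows nothing and can widen what the statement allows, so the practical safeguard is to render the statement and check its Condition block before deploying. The following is an added example, not code from aws_cdk: ConditionStatement is a hypothetical stand-in that models the documented merge behaviour (same operator and field: last write wins) so the caveat can be exercised offline. That distinct fields under one operator are kept side by side is an assumption about the library, not something this page states.

```python
# Added example (not aws_cdk's own code): a minimal stand-in for the condition
# handling documented for PolicyStatement.add_condition / add_conditions.
from typing import Any, Dict, Optional


class ConditionStatement:
    """Models only the Sid and Condition parts of one IAM statement.

    Assumed behaviour (matches the page's caveat, the rest is an assumption):
    adding a condition whose operator and field already exist replaces the
    earlier value; other fields under the same operator are kept.
    """

    def __init__(self, sid: Optional[str] = None) -> None:
        self.sid = sid
        self._conditions: Dict[str, Dict[str, Any]] = {}

    def add_condition(self, key: str, value: Dict[str, Any]) -> None:
        # Merge per operator: existing fields survive, same-named fields are overwritten.
        self._conditions.setdefault(key, {}).update(value)

    def add_conditions(self, conditions: Dict[str, Dict[str, Any]]) -> None:
        for key, value in conditions.items():
            self.add_condition(key, value)

    @property
    def conditions(self) -> Dict[str, Dict[str, Any]]:
        return self._conditions

    def to_statement_json(self) -> Dict[str, Any]:
        # Only the keys this model tracks; a real statement also carries Effect, Action, etc.
        out: Dict[str, Any] = {}
        if self.sid:
            out["Sid"] = self.sid
        if self._conditions:
            out["Condition"] = self._conditions
        return out


def last_write_wins() -> Dict[str, Any]:
    """Reproduces the page's caveat: two calls with the same operator and field."""
    stmt = ConditionStatement()
    stmt.add_condition("StringEquals", {"aws:SomeField": "1"})
    stmt.add_condition("StringEquals", {"aws:SomeField": "2"})
    return stmt.conditions


def either_value() -> Dict[str, Any]:
    """The intended form: one call whose value lists every acceptable value."""
    stmt = ConditionStatement()
    stmt.add_condition("StringEquals", {"aws:SomeField": ["1", "2"]})
    return stmt.conditions


def distinct_fields_coexist() -> Dict[str, Any]:
    """Different fields under one operator both survive (assumed merge behaviour).
    Values are constructed sample data; the account ID is the page's example ID."""
    stmt = ConditionStatement()
    stmt.add_condition("StringEquals", {"aws:SourceVpce": "vpce-constructed0001"})
    stmt.add_conditions({"StringEquals": {"aws:PrincipalAccount": "123456789012"}})
    return stmt.conditions


if __name__ == "__main__":
    print("last write wins:", last_write_wins())
    print("either value:   ", either_value())
    print("two fields:     ", distinct_fields_coexist())
```

Comparing the dict returned by last_write_wins() with what was intended is the check to automate in a synth-time test: the first value "1" is gone without any error being raised.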
- add_conditions(conditions)
Add multiple conditions to the Policy.
See the addCondition function for a caveat on calling this method multiple times.
- Parameters: conditions (Mapping[str, Any])
- Return type: None
- add_federated_principal(federated, conditions)
Adds a federated identity provider such as Amazon Cognito to this policy statement.
- Parameters:
  - federated (Any) – federated identity provider (e.g. ‘cognito-identity.amazonaws.com’).
  - conditions (Mapping[str, Any]) – The conditions under which the policy is in effect. See the IAM documentation.
- Return type: None
- add_not_actions(*not_actions)
Explicitly allow all actions except the specified list of actions by adding them to the “NotAction” section of the policy document.
- Parameters: not_actions (str) – actions that will be denied. All other actions will be permitted.
- Return type: None
- add_not_principals(*not_principals)
Specify principals that are not allowed or denied access in the “NotPrincipal” section of a policy statement.
- Parameters: not_principals (IPrincipal) – IAM principals that will be denied access.
- Return type: None
- add_not_resources(*arns)
Specify resources that this policy statement will not apply to in the “NotResource” section of this policy statement.
All resources except the specified list will be matched.
- Parameters: arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.
- Return type: None
- add_principals(*principals)
Adds principals to the “Principal” section of a policy statement.
- Parameters: principals (IPrincipal) – IAM principals that will be added.
- Return type: None
- add_resources(*arns)
Specify resources that this policy statement applies to in the “Resource” section of this policy statement.
- Parameters: arns (str) – Amazon Resource Names (ARNs) of the resources that this policy statement applies to.
- Return type: None
- add_service_principal(service, *, conditions=None, region=None)
Adds a service principal to this policy statement.
- Parameters:
  - service (str) – the service name for which a service principal is requested (e.g. s3.amazonaws.com).
  - conditions (Optional[Mapping[str, Any]]) – Additional conditions to add to the Service Principal. Default: No conditions
  - region (Optional[str]) – (deprecated) The region in which the service is operating. Default: the current Stack’s region.
- Return type: None
- copy(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)
Create a new PolicyStatement with the same exact properties as this one, except for the overrides.
- Parameters:
  - actions (Optional[Sequence[str]]) – List of actions to add to the statement. Default: no actions
  - conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: no condition
  - effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW
  - not_actions (Optional[Sequence[str]]) – List of not actions to add to the statement. Default: no not-actions
  - not_principals (Optional[Sequence[IPrincipal]]) – List of not principals to add to the statement. Default: no not principals
  - not_resources (Optional[Sequence[str]]) – NotResource ARNs to add to the statement. Default: no not-resources
  - principals (Optional[Sequence[IPrincipal]]) – List of principals to add to the statement. Default: no principals
  - resources (Optional[Sequence[str]]) – Resource ARNs to add to the statement. Default: no resources
  - sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: no sid
- Return type: PolicyStatement
- to_json()
JSON-ify the statement.
Used when JSON.stringify() is called.
- Return type: Any
- to_statement_json()
JSON-ify the policy statement.
Used when JSON.stringify() is called.
- Return type: Any
- to_string()
String representation of this policy statement.
- Return type: str
- validate_for_any_policy()
Validate that the policy statement satisfies base requirements for a policy.
- Return type: List[str]
- Returns: An array of validation error messages, or an empty array if the statement is valid.
- validate_for_identity_policy()
Validate that the policy statement satisfies all requirements for an identity-based policy.
- Return type: List[str]
- Returns: An array of validation error messages, or an empty array if the statement is valid.
- validate_for_resource_policy()
Validate that the policy statement satisfies all requirements for a resource-based policy.
- Return type: List[str]
- Returns: An array of validation error messages, or an empty array if the statement is valid.
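As an added example (not the library's own validation code), the functions below reproduce the contract of the three validate_for_* methods over a statement already rendered to its JSON dict form: a list of error messages, empty when the statement passes. The specific rules are assumptions drawn from the IAM JSON policy grammar rather than the library's exact checks: every statement needs Action or NotAction and a valid Effect; an identity-based policy must not carry Principal or NotPrincipal and needs Resource or NotResource; a resource-based policy needs Principal or NotPrincipal. The sample statements are constructed, the first mirroring the DynamoDB endpoint statement from the class example; open_principal_without_condition is an extra review check with no counterpart on this page.

```python
# Added example, not aws_cdk's own code: validators with the same return contract as
# PolicyStatement.validate_for_any_policy / validate_for_identity_policy /
# validate_for_resource_policy, applied to a statement in JSON dict form. The rules
# are assumptions drawn from the IAM policy grammar, not the library's exact checks.
from typing import Any, Dict, List

# Constructed sample: mirrors the DynamoDB gateway endpoint statement from the
# class-level example (AnyPrincipal renders as {"AWS": "*"}).
ENDPOINT_POLICY_STATEMENT: Dict[str, Any] = {
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["dynamodb:DescribeTable", "dynamodb:ListTables"],
    "Resource": "*",
}

# Constructed sample: meant for a role policy, deliberately missing a Resource element.
ROLE_POLICY_STATEMENT: Dict[str, Any] = {
    "Sid": "ListTables",
    "Effect": "Allow",
    "Action": ["dynamodb:ListTables"],
}


def _has(stmt: Dict[str, Any], *keys: str) -> bool:
    """True when any of the keys is present with a non-empty value."""
    return any(stmt.get(key) for key in keys)


def validate_for_any_policy(stmt: Dict[str, Any]) -> List[str]:
    """Base requirements (assumed): a valid Effect and at least one Action/NotAction."""
    errors: List[str] = []
    if stmt.get("Effect") not in ("Allow", "Deny"):
        errors.append("Effect must be 'Allow' or 'Deny'.")
    if not _has(stmt, "Action", "NotAction"):
        errors.append("A PolicyStatement must specify at least one 'action' or 'notAction'.")
    return errors


def validate_for_identity_policy(stmt: Dict[str, Any]) -> List[str]:
    """Identity-based policies (assumed): no Principal/NotPrincipal; Resource/NotResource required."""
    errors = validate_for_any_policy(stmt)
    if _has(stmt, "Principal", "NotPrincipal"):
        errors.append("Identity-based policies must not carry 'Principal' or 'NotPrincipal'.")
    if not _has(stmt, "Resource", "NotResource"):
        errors.append("Identity-based policies require 'Resource' or 'NotResource'.")
    return errors


def validate_for_resource_policy(stmt: Dict[str, Any]) -> List[str]:
    """Resource-based policies (assumed): Principal/NotPrincipal required."""
    errors = validate_for_any_policy(stmt)
    if not _has(stmt, "Principal", "NotPrincipal"):
        errors.append("Resource-based policies require 'Principal' or 'NotPrincipal'.")
    return errors


def open_principal_without_condition(stmt: Dict[str, Any]) -> bool:
    """Extra review check (no counterpart on the page): an Allow statement addressed
    to every principal ("*" or {"AWS": "*"}) with no Condition block. Normal on a
    VPC endpoint policy, where the endpoint bounds who can reach the resource, but
    worth a second look on a bucket, queue or topic policy."""
    principal = stmt.get("Principal")
    wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    return stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition")


if __name__ == "__main__":
    for name, stmt in (("endpoint", ENDPOINT_POLICY_STATEMENT), ("role", ROLE_POLICY_STATEMENT)):
        print(name, "as identity policy:", validate_for_identity_policy(stmt))
        print(name, "as resource policy:", validate_for_resource_policy(stmt))
        print(name, "open principal, no condition:", open_principal_without_condition(stmt))
```

Running the endpoint statement through both validators shows why the library keeps them separate: the same statement is valid as a resource policy and invalid as an identity policy, purely because it names a principal.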
Attributes
- actions
The Actions added to this statement.
- conditions
The conditions added to this statement.
- effect
Whether to allow or deny the actions in this statement.
- has_principal
Indicates if this permission has a “Principal” section.
- has_resource
Indicates if this permission has at least one resource associated with it.
- not_actions
The NotActions added to this statement.
- not_principals
The NotPrincipals added to this statement.
- not_resources
The NotResources added to this statement.
- principals
The Principals added to this statement.
- resources
The Resources added to this statement.
- sid
Statement ID for this statement.
Static Methods
- classmethod from_json(obj)
Creates a new PolicyStatement based on the object provided.
This will accept an object created from the .toJSON() call.
- Parameters: obj (Any) – the PolicyStatement in object form.
- Return type: