class Policy (construct)
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.IAM.Policy |
Go | github.com/aws/aws-cdk-go/awscdk/v2/awsiam#Policy |
Java | software.amazon.awscdk.services.iam.Policy |
Python | aws_cdk.aws_iam.Policy |
TypeScript | aws-cdk-lib » aws_iam » Policy |
Implements IConstruct, IDependable, IResource, IPolicy, IGrantable
The AWS::IAM::Policy resource associates an inline IAM policy with IAM users, roles, or groups. For more information about IAM policies, see Overview of IAM Policies in the IAM User Guide.
Example

```ts
import * as cognito from 'aws-cdk-lib/aws-cognito';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';

declare const postAuthFn: lambda.Function;

const userpool = new cognito.UserPool(this, 'myuserpool', {
  lambdaTriggers: {
    postAuthentication: postAuthFn,
  },
});

// Grant permission to describe the user pool, scoped to this user pool's ARN.
postAuthFn.role?.attachInlinePolicy(new iam.Policy(this, 'userpool-policy', {
  statements: [new iam.PolicyStatement({
    actions: ['cognito-idp:DescribeUserPool'],
    resources: [userpool.userPoolArn],
  })],
}));
```
Initializer
new Policy(scope: Construct, id: string, props?: PolicyProps)
Parameters
- scope: Construct
- id: string
- props: PolicyProps
Construct Props
Name | Type | Description |
---|---|---|
document? | PolicyDocument | Initial PolicyDocument to use for this Policy. |
force? | boolean | Force creation of an AWS::IAM::Policy. |
groups? | IGroup[] | Groups to attach this policy to. |
policyName? | string | The name of the policy. |
roles? | IRole[] | Roles to attach this policy to. |
statements? | PolicyStatement[] | Initial set of permissions to add to this policy document. |
users? | IUser[] | Users to attach this policy to. |
document?
Type: PolicyDocument (optional, default: An empty policy.)
Initial PolicyDocument to use for this Policy. If omitted, any PolicyStatement provided in the statements property will be applied against the empty default PolicyDocument.
force?
Type: boolean (optional, default: false)
Force creation of an AWS::IAM::Policy.
Unless set to true, this Policy construct will not materialize to an AWS::IAM::Policy CloudFormation resource in case it would have no effect (for example, if it remains unattached to an IAM identity or if it has no statements). This is generally desired behavior, since it prevents creating invalid, and hence undeployable, CloudFormation templates.
In cases where you know the policy must be created and it is actually an error if no statements have been added to it or it remains unattached to an IAM identity, you can set this to true.
groups?
Type: IGroup[] (optional, default: No groups.)
Groups to attach this policy to. You can also use attachToGroup(group) to attach this policy to a group.
policyName?
Type: string (optional, default: Uses the logical ID of the policy resource, which is ensured to be unique within the stack.)
The name of the policy. If you specify multiple policies for an entity, specify unique names. For example, if you specify a list of policies for an IAM role, each policy must have a unique name.
roles?
Type: IRole[] (optional, default: No roles.)
Roles to attach this policy to. You can also use attachToRole(role) to attach this policy to a role.
statements?
Type: PolicyStatement[] (optional, default: No statements.)
Initial set of permissions to add to this policy document. You can also use addStatements(...statement) to add permissions later.
users?
Type: IUser[] (optional, default: No users.)
Users to attach this policy to. You can also use attachToUser(user) to attach this policy to a user.
Properties
Name | Type | Description |
---|---|---|
document | PolicyDocument | The policy document. |
env | ResourceEnvironment | The environment this resource belongs to. |
grantPrincipal | IPrincipal | The principal to grant permissions to. |
node | Node | The tree node. |
policyName | string | The name of this policy. |
stack | Stack | The stack in which this resource is defined. |
document
Type: PolicyDocument
The policy document.
env
Type: ResourceEnvironment
The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
grantPrincipal
Type: IPrincipal
The principal to grant permissions to.
node
Type: Node
The tree node.
policyName
Type: string
The name of this policy.
stack
Type: Stack
The stack in which this resource is defined.
Methods
Name | Description |
---|---|
addStatements(...statement) | Adds a statement to the policy document. |
applyRemovalPolicy(policy) | Apply the given removal policy to this resource. |
attachToGroup(group) | Attaches this policy to a group. |
attachToRole(role) | Attaches this policy to a role. |
attachToUser(user) | Attaches this policy to a user. |
toString() | Returns a string representation of this construct. |
static fromPolicyName(scope, id, policyName) | Import a policy in this app based on its name. |
addStatements(...statement)
public addStatements(...statement: PolicyStatement[]): void
Parameters
- statement: PolicyStatement
Adds a statement to the policy document.
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy: RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).
attachToGroup(group)
public attachToGroup(group: IGroup): void
Parameters
- group: IGroup
Attaches this policy to a group.
attachToRole(role)
public attachToRole(role: IRole): void
Parameters
- role: IRole
Attaches this policy to a role.
attachToUser(user)
public attachToUser(user: IUser): void
Parameters
- user: IUser
Attaches this policy to a user.
toString()
public toString(): string
Returns: string
Returns a string representation of this construct.
static fromPolicyName(scope, id, policyName)
public static fromPolicyName(scope: Construct, id: string, policyName: string): IPolicy
Parameters
- scope: Construct
- id: string
- policyName: string
Returns: IPolicy
Import a policy in this app based on its name.