class PolicyStatement
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.IAM.PolicyStatement |
Go | github.com/aws/aws-cdk-go/awscdk/v2/awsiam#PolicyStatement |
Java | software.amazon.awscdk.services.iam.PolicyStatement |
Python | aws_cdk.aws_iam.PolicyStatement |
TypeScript | aws-cdk-lib » aws_iam » PolicyStatement |
Represents a statement in an IAM policy document.
Example

```typescript
const accessLogsBucket = new s3.Bucket(this, 'AccessLogsBucket', {
  objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
});
accessLogsBucket.addToResourcePolicy(
  new iam.PolicyStatement({
    actions: ['s3:*'],
    resources: [accessLogsBucket.bucketArn, accessLogsBucket.arnForObjects('*')],
    principals: [new iam.AnyPrincipal()],
  })
);
const bucket = new s3.Bucket(this, 'MyBucket', {
  serverAccessLogsBucket: accessLogsBucket,
  serverAccessLogsPrefix: 'logs',
});
```
Initializer
new PolicyStatement(props?: PolicyStatementProps)
Parameters
- props: PolicyStatementProps
Properties
Name | Type | Description |
---|---|---|
actions | string[] | The Actions added to this statement. |
conditions | any | The conditions added to this statement. |
effect | Effect | Whether to allow or deny the actions in this statement. |
frozen | boolean | Whether the PolicyStatement has been frozen. |
hasPrincipal | boolean | Indicates if this permission has a "Principal" section. |
hasResource | boolean | Indicates if this permission has at least one resource associated with it. |
notActions | string[] | The NotActions added to this statement. |
notPrincipals | IPrincipal[] | The NotPrincipals added to this statement. |
notResources | string[] | The NotResources added to this statement. |
principals | IPrincipal[] | The Principals added to this statement. |
resources | string[] | The Resources added to this statement. |
sid? | string | Statement ID for this statement. |
actions
Type:
string[]
The Actions added to this statement.
conditions
Type:
any
The conditions added to this statement.
effect
Type:
Effect
Whether to allow or deny the actions in this statement.
frozen
Type:
boolean
Whether the PolicyStatement has been frozen.
The statement object is frozen when freeze() is called.
hasPrincipal
Type:
boolean
Indicates if this permission has a "Principal" section.
hasResource
Type:
boolean
Indicates if this permission has at least one resource associated with it.
notActions
Type:
string[]
The NotActions added to this statement.
notPrincipals
Type:
IPrincipal[]
The NotPrincipals added to this statement.
notResources
Type:
string[]
The NotResources added to this statement.
principals
Type:
IPrincipal[]
The Principals added to this statement.
resources
Type:
string[]
The Resources added to this statement.
sid?
Type:
string
(optional)
Statement ID for this statement.
Methods
Name | Description |
---|---|
addAccountCondition(accountId) | Add a StringEquals condition that limits to a given account from sts:ExternalId. |
addAccountRootPrincipal() | Adds an AWS account root user principal to this policy statement. |
addActions(...actions) | Specify allowed actions into the "Action" section of the policy statement. |
addAllResources() | Adds a "*" resource to this statement. |
addAnyPrincipal() | Adds all identities in all accounts ("*") to this policy statement. |
addArnPrincipal(arn) | Specify a principal using the ARN identifier of the principal. |
addAwsAccountPrincipal(accountId) | Specify AWS account ID as the principal entity to the "Principal" section of a policy statement. |
addCanonicalUserPrincipal(canonicalUserId) | Adds a canonical user ID principal to this policy document. |
addCondition(key, value) | Add a condition to the Policy. |
addConditions(conditions) | Add multiple conditions to the Policy. |
addFederatedPrincipal(federated, conditions) | Adds a federated identity provider such as Amazon Cognito to this policy statement. |
addNotActions(...notActions) | Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document. |
addNotPrincipals(...notPrincipals) | Specify principals that are not allowed or denied access in the "NotPrincipal" section of a policy statement. |
addNotResources(...arns) | Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement. |
addPrincipals(...principals) | Adds principals to the "Principal" section of a policy statement. |
addResources(...arns) | Specify resources that this policy statement applies to in the "Resource" section of this policy statement. |
addServicePrincipal(service, opts?) | Adds a service principal to this policy statement. |
addSourceAccountCondition(accountId) | Add a StringEquals condition that limits to a given account from aws:SourceAccount. |
addSourceArnCondition(arn) | Add an ArnEquals condition that limits to a given resource ARN from aws:SourceArn. |
copy(overrides?) | Create a new PolicyStatement with the same exact properties as this one, except for the overrides. |
freeze() | Make the PolicyStatement immutable. |
toJSON() | JSON-ify the statement. |
toStatementJson() | JSON-ify the policy statement. |
toString() | String representation of this policy statement. |
validateForAnyPolicy() | Validate that the policy statement satisfies base requirements for a policy. |
validateForIdentityPolicy() | Validate that the policy statement satisfies all requirements for an identity-based policy. |
validateForResourcePolicy() | Validate that the policy statement satisfies all requirements for a resource-based policy. |
static fromJson(obj) | Creates a new PolicyStatement based on the object provided. |
addAccountCondition(accountId)
public addAccountCondition(accountId: string): void
Parameters
- accountId: string
Add a StringEquals condition that limits to a given account from sts:ExternalId.
This method can only be called once: subsequent calls will overwrite earlier calls.
addAccountRootPrincipal()
public addAccountRootPrincipal(): void
Adds an AWS account root user principal to this policy statement.
addActions(...actions)
public addActions(...actions: string[]): void
Parameters
- actions: string[] — actions that will be allowed.
Specify allowed actions into the "Action" section of the policy statement.
addAllResources()
public addAllResources(): void
Adds a "*" resource to this statement.
addAnyPrincipal()
public addAnyPrincipal(): void
Adds all identities in all accounts ("*") to this policy statement.
addArnPrincipal(arn)
public addArnPrincipal(arn: string): void
Parameters
- arn: string — ARN identifier of AWS account, IAM user, or IAM role (i.e. arn:aws:iam::123456789012:user/user-name).
Specify a principal using the ARN identifier of the principal.
You cannot specify IAM groups and instance profiles as principals.
addAwsAccountPrincipal(accountId)
public addAwsAccountPrincipal(accountId: string): void
Parameters
- accountId: string
Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.
addCanonicalUserPrincipal(canonicalUserId)
public addCanonicalUserPrincipal(canonicalUserId: string): void
Parameters
- canonicalUserId: string — unique identifier assigned by AWS for every account.
Adds a canonical user ID principal to this policy document.
addCondition(key, value)
public addCondition(key: string, value: any): void
Parameters
- key: string
- value: any
Add a condition to the Policy.
If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:

```typescript
declare const stmt: iam.PolicyStatement;
stmt.addCondition('StringEquals', { 'aws:SomeField': '1' });
stmt.addCondition('StringEquals', { 'aws:SomeField': '2' });
```

Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.
If you meant to add a condition to say that the field can be either 1 or 2, write this:

```typescript
declare const stmt: iam.PolicyStatement;
stmt.addCondition('StringEquals', { 'aws:SomeField': ['1', '2'] });
```
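The overwrite described above is easy to miss in review because the rendered policy is still valid; what changes is which requests it matches. The following is an added example, not code from aws-cdk-lib or its documentation: it models the "same operator and field, last call wins" merge on a plain condition object (the merge rule is an assumption based on the description above, with other fields under the same operator kept), then evaluates the result the way IAM evaluates StringEquals, where the values listed for one field are ORed and separate fields are ANDed. The `aws:SourceAccount` value and request contexts are constructed sample data.

```typescript
// Added example; not from aws-cdk-lib or its documentation. It models the
// "same operator and field: last call wins" merge that the page describes
// for addCondition() on a plain condition object, then evaluates the result
// the way IAM evaluates StringEquals, to show what the overwrite costs.
type ConditionValue = string | string[];
type ConditionFields = { [field: string]: ConditionValue };
type ConditionBlock = { [operator: string]: ConditionFields };

// Merge modelled on the page's description (assumption: other fields under
// the same operator are kept; only the same field is replaced).
function addCondition(cond: ConditionBlock, operator: string, fields: ConditionFields): ConditionBlock {
  return { ...cond, [operator]: { ...(cond[operator] ?? {}), ...fields } };
}

// IAM semantics for StringEquals: the values listed for one field are ORed,
// and every field under the operator must match (AND).
function matchesStringEquals(cond: ConditionBlock, requestContext: { [field: string]: string }): boolean {
  const fields = cond['StringEquals'] ?? {};
  return Object.entries(fields).every(([field, allowed]) => {
    const allowedValues = Array.isArray(allowed) ? allowed : [allowed];
    const actual = requestContext[field];
    return actual !== undefined && allowedValues.includes(actual);
  });
}

// The two calls from the page: the second replaces the first.
function overwrittenCondition(): ConditionBlock {
  let cond: ConditionBlock = {};
  cond = addCondition(cond, 'StringEquals', { 'aws:SomeField': '1' });
  cond = addCondition(cond, 'StringEquals', { 'aws:SomeField': '2' });
  return cond;
}

// The form the page recommends when either value should be accepted.
function intendedCondition(): ConditionBlock {
  return addCondition({}, 'StringEquals', { 'aws:SomeField': ['1', '2'] });
}

// A second field under the same operator survives the merge and is ANDed in
// (constructed sample account ID).
function twoFieldCondition(): ConditionBlock {
  let cond = intendedCondition();
  cond = addCondition(cond, 'StringEquals', { 'aws:SourceAccount': '111122223333' });
  return cond;
}
```

Running the three builders against a few request contexts shows the practical difference: after the overwrite a request carrying `aws:SomeField = 1` no longer matches at all, while the array form matches either value, and adding a second field tightens rather than loosens the condition.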
addConditions(conditions)
public addConditions(conditions: { [string]: any }): void
Parameters
- conditions: { [string]: any }
Add multiple conditions to the Policy.
See the addCondition function for a caveat on calling this method multiple times.
addFederatedPrincipal(federated, conditions)
public addFederatedPrincipal(federated: any, conditions: { [string]: any }): void
Parameters
- federated: any — federated identity provider (i.e. 'cognito-identity.amazonaws.com').
- conditions: { [string]: any } — The conditions under which the policy is in effect.
Adds a federated identity provider such as Amazon Cognito to this policy statement.
addNotActions(...notActions)
public addNotActions(...notActions: string[]): void
Parameters
- notActions: string[] — actions that will be denied.
Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document.
addNotPrincipals(...notPrincipals)
public addNotPrincipals(...notPrincipals: IPrincipal[]): void
Parameters
- notPrincipals: IPrincipal[] — IAM principals that will be denied access.
Specify principals that are not allowed or denied access in the "NotPrincipal" section of a policy statement.
addNotResources(...arns)
public addNotResources(...arns: string[]): void
Parameters
- arns: string[] — Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.
Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.
All resources except the specified list will be matched.
addPrincipals(...principals)
public addPrincipals(...principals: IPrincipal[]): void
Parameters
- principals: IPrincipal[] — IAM principals that will be added.
Adds principals to the "Principal" section of a policy statement.
addResources(...arns)
public addResources(...arns: string[]): void
Parameters
- arns: string[] — Amazon Resource Names (ARNs) of the resources that this policy statement applies to.
Specify resources that this policy statement applies to in the "Resource" section of this policy statement.
addServicePrincipal(service, opts?)
public addServicePrincipal(service: string, opts?: ServicePrincipalOpts): void
Parameters
- service: string — the service name for which a service principal is requested (e.g. s3.amazonaws.com).
- opts: ServicePrincipalOpts — options for adding the service principal (such as specifying a principal in a different region).
Adds a service principal to this policy statement.
addSourceAccountCondition(accountId)
public addSourceAccountCondition(accountId: string): void
Parameters
- accountId: string
Add a StringEquals condition that limits to a given account from aws:SourceAccount.
This method can only be called once: subsequent calls will overwrite earlier calls.
addSourceArnCondition(arn)
public addSourceArnCondition(arn: string): void
Parameters
- arn: string
Add an ArnEquals condition that limits to a given resource ARN from aws:SourceArn.
This method can only be called once: subsequent calls will overwrite earlier calls.
copy(overrides?)
public copy(overrides?: PolicyStatementProps): PolicyStatement
Parameters
- overrides: PolicyStatementProps
Returns
PolicyStatement
Create a new PolicyStatement with the same exact properties as this one, except for the overrides.
freeze()
public freeze(): PolicyStatement
Returns
PolicyStatement
Make the PolicyStatement immutable.
After calling this, any of the addXxx() methods will throw an exception.
Libraries that lazily generate statement bodies can override this method to fill the actual PolicyStatement fields. Be aware that this method may be called multiple times.
toJSON()
public toJSON(): any
Returns
any
JSON-ify the statement.
Used when JSON.stringify() is called.
toStatementJson()
public toStatementJson(): any
Returns
any
JSON-ify the policy statement.
Used when JSON.stringify() is called.
toString()
public toString(): string
Returns
string
String representation of this policy statement.
validateForAnyPolicy()
public validateForAnyPolicy(): string[]
Returns
string[]
Validate that the policy statement satisfies base requirements for a policy.
validateForIdentityPolicy()
public validateForIdentityPolicy(): string[]
Returns
string[]
Validate that the policy statement satisfies all requirements for an identity-based policy.
validateForResourcePolicy()
public validateForResourcePolicy(): string[]
Returns
string[]
Validate that the policy statement satisfies all requirements for a resource-based policy.
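The three validate methods above return a list of error strings rather than throwing, which makes them usable as a gate in a synth step. As an added example, not code from aws-cdk-lib or its documentation, the checks below apply the same three-tier idea to the standard IAM statement JSON shape that toStatementJson() renders, and add one defender check on top: an Allow for every principal with a wildcard action and no Condition, which is exactly the shape of the bucket policy in the example at the top of this page. The specific rules each validator enforces are my assumptions, since the page only names the tiers; the two sample statements, their ARNs and the account ID are constructed, and `logging.s3.amazonaws.com` is the S3 server access logging service principal.

```typescript
// Added example; not part of aws-cdk-lib or its documentation. Checks the
// standard IAM statement JSON shape (what toStatementJson() renders). The
// rules inside each validator are assumptions: the page names the tiers but
// not their requirements.
type Principal = string | { [kind: string]: string | string[] };
interface StatementJson {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Action?: string | string[];
  NotAction?: string | string[];
  Resource?: string | string[];
  NotResource?: string | string[];
  Principal?: Principal;
  NotPrincipal?: Principal;
  Condition?: { [operator: string]: { [field: string]: string | string[] } };
}

function asList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Base tier (assumption): every statement must name an Action or NotAction.
function validateForAnyPolicy(s: StatementJson): string[] {
  const errors: string[] = [];
  if (asList(s.Action).length === 0 && asList(s.NotAction).length === 0) {
    errors.push("A statement must specify at least one 'Action' or 'NotAction'");
  }
  return errors;
}

// Resource-based policies (bucket, key, queue policies) say who the grant is
// for, so a Principal or NotPrincipal section is required (assumption).
function validateForResourcePolicy(s: StatementJson): string[] {
  const errors = validateForAnyPolicy(s);
  if (s.Principal === undefined && s.NotPrincipal === undefined) {
    errors.push("A resource-based policy statement must specify 'Principal' or 'NotPrincipal'");
  }
  return errors;
}

// Identity-based policies are attached to a user, group or role, so the
// principal is implicit: a Principal section is an error and a Resource or
// NotResource is required (assumption).
function validateForIdentityPolicy(s: StatementJson): string[] {
  const errors = validateForAnyPolicy(s);
  if (s.Principal !== undefined || s.NotPrincipal !== undefined) {
    errors.push("An identity-based policy statement must not specify 'Principal' or 'NotPrincipal'");
  }
  if (asList(s.Resource).length === 0 && asList(s.NotResource).length === 0) {
    errors.push("An identity-based policy statement must specify 'Resource' or 'NotResource'");
  }
  return errors;
}

// Both renderings of "anyone": the bare "*" and { AWS: "*" }.
function isAnyPrincipal(p: Principal | undefined): boolean {
  if (p === undefined) return false;
  if (p === '*') return true;
  return asList(p['AWS']).includes('*');
}

// Defender check: an Allow to every principal, with a wildcard action and no
// Condition narrowing it, is the statement worth a second look in review.
function isOverbroad(s: StatementJson): boolean {
  const wildcardAction = asList(s.Action).some((a) => a === '*' || a.endsWith(':*'));
  const unconditioned = s.Condition === undefined || Object.keys(s.Condition).length === 0;
  return s.Effect === 'Allow' && isAnyPrincipal(s.Principal) && wildcardAction && unconditioned;
}

// Constructed sample: the statement the page's example attaches to the
// access-logs bucket, in rendered form (placeholder bucket ARNs).
const logsBucketStatement: StatementJson = {
  Effect: 'Allow',
  Action: 's3:*',
  Resource: ['arn:aws:s3:::example-access-logs', 'arn:aws:s3:::example-access-logs/*'],
  Principal: { AWS: '*' },
};

// Constructed sample: the same grant limited to the S3 logging service
// principal, a single action and the calling account.
const narrowedStatement: StatementJson = {
  ...logsBucketStatement,
  Action: 's3:PutObject',
  Principal: { Service: 'logging.s3.amazonaws.com' },
  Condition: { StringEquals: { 'aws:SourceAccount': '111122223333' } },
};
```

The page's own statement passes `validateForResourcePolicy` cleanly, which is the point of the extra check: a statement can be structurally valid for its policy type and still grant every S3 action to anyone. Wiring `isOverbroad` into the same place as the validators turns that review question into a failing synth rather than a finding after deployment.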
static fromJson(obj)
public static fromJson(obj: any): PolicyStatement
Parameters
- obj: any — the PolicyStatement in object form.
Returns
PolicyStatement
Creates a new PolicyStatement based on the object provided.
This will accept an object created from the .toJSON() call.