class User (construct)
| Language | Type name |
|---|---|
 .NET | Amazon.CDK.AWS.IAM.User |
 Go | github.com/aws/aws-cdk-go/awscdk/v2/awsiam#User |
 Java | software.amazon.awscdk.services.iam.User |
 Python | aws_cdk.aws_iam.User |
 TypeScript (source) | aws-cdk-lib » aws_iam » User |
Implements
IConstruct, IDependable, IResource, IIdentity, IGrantable, IPrincipal, IUser
Define a new IAM user.
Example
const user = new iam.User(this, 'MyUser');
declare const definition: sfn.IChainable;
const stateMachine = new sfn.StateMachine(this, 'StateMachine', {
definitionBody: sfn.DefinitionBody.fromChainable(definition),
});
//give user permission to send task success to the state machine
stateMachine.grant(user, 'states:SendTaskSuccess');
Initializer
new User(scope: Construct, id: string, props?: UserProps)
Parameters
Construct Props
| Name | Type | Description |
|---|---|---|
| groups? | IGroup[] | Groups to add this user to. |
| managed | IManaged[] | A list of managed policies associated with this role. |
| password? | Secret | The password for the user. This is required so the user can access the AWS Management Console. |
| password | boolean | Specifies whether the user is required to set a new password the next time the user logs in to the AWS Management Console. |
| path? | string | The path for the user name. |
| permissions | IManaged | AWS supports permissions boundaries for IAM entities (users or roles). |
| user | string | A name for the IAM user. |
groups?
Type:
IGroup[]
(optional, default: No groups.)
Groups to add this user to.
You can also use addToGroup to add this
user to a group.
managedPolicies?
Type:
IManaged[]
(optional, default: No managed policies.)
A list of managed policies associated with this role.
You can add managed policies later using
addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName)).
password?
Type:
Secret
(optional, default: User won't be able to access the management console without a password.)
The password for the user. This is required so the user can access the AWS Management Console.
You can use SecretValue.unsafePlainText to specify a password in plain text or
use secretsmanager.Secret.fromSecretAttributes to reference a secret in
Secrets Manager.
passwordResetRequired?
Type:
boolean
(optional, default: false)
Specifies whether the user is required to set a new password the next time the user logs in to the AWS Management Console.
If this is set to 'true', you must also specify "initialPassword".
path?
Type:
string
(optional, default: /)
The path for the user name.
For more information about paths, see IAM Identifiers in the IAM User Guide.
permissionsBoundary?
Type:
IManaged
(optional, default: No permissions boundary.)
AWS supports permissions boundaries for IAM entities (users or roles).
A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
userName?
Type:
string
(optional, default: Generated by CloudFormation (recommended))
A name for the IAM user.
For valid values, see the UserName parameter for the CreateUser action in the IAM API Reference. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name.
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.
Properties
| Name | Type | Description |
|---|---|---|
| assume | string | When this Principal is used in an AssumeRole policy, the action to use. |
| env | Resource | The environment this resource belongs to. |
| grant | IPrincipal | The principal to grant permissions to. |
| node | Node | The tree node. |
| policy | Principal | Return the policy fragment that identifies this principal in a Policy. |
| stack | Stack | The stack in which this resource is defined. |
| user | string | An attribute that represents the user's ARN. |
| user | string | An attribute that represents the user name. |
| permissions | IManaged | Returns the permissions boundary attached to this user. |
| principal | string | The AWS account ID of this principal. |
assumeRoleAction
Type:
string
When this Principal is used in an AssumeRole policy, the action to use.
env
Type:
Resource
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
grantPrincipal
Type:
IPrincipal
The principal to grant permissions to.
node
Type:
Node
The tree node.
policyFragment
Type:
Principal
Return the policy fragment that identifies this principal in a Policy.
stack
Type:
Stack
The stack in which this resource is defined.
userArn
Type:
string
An attribute that represents the user's ARN.
userName
Type:
string
An attribute that represents the user name.
permissionsBoundary?
Type:
IManaged
(optional)
Returns the permissions boundary attached to this user.
principalAccount?
Type:
string
(optional)
The AWS account ID of this principal.
Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.
Methods
| Name | Description |
|---|---|
| add | Attaches a managed policy to the user. |
| add | Adds this user to a group. |
| add | Add to the policy of this principal. |
| add | Adds an IAM statement to the default policy. |
| apply | Apply the given removal policy to this resource. |
| attach | Attaches a policy to this user. |
| to | Returns a string representation of this construct. |
| static from | Import an existing user given a user ARN. |
| static from | Import an existing user given user attributes. |
| static from | Import an existing user given a username. |
addManagedPolicy(policy)
public addManagedPolicy(policy: IManagedPolicy): void
Parameters
- policy
IManaged— The managed policy to attach.Policy
Attaches a managed policy to the user.
addToGroup(group)
public addToGroup(group: IGroup): void
Parameters
- group
IGroup
Adds this user to a group.
addToPolicy(statement)
public addToPolicy(statement: PolicyStatement): boolean
Parameters
- statement
PolicyStatement
Returns
boolean
Add to the policy of this principal.
addToPrincipalPolicy(statement)
public addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult
Parameters
- statement
PolicyStatement
Returns
Adds an IAM statement to the default policy.
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy
RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS
account for data recovery and cleanup later (RemovalPolicy.RETAIN).
attachInlinePolicy(policy)
public attachInlinePolicy(policy: Policy): void
Parameters
- policy
Policy
Attaches a policy to this user.
toString()
public toString(): string
Returns
string
Returns a string representation of this construct.
static fromUserArn(scope, id, userArn)
public static fromUserArn(scope: Construct, id: string, userArn: string): IUser
Parameters
- scope
Construct— construct scope. - id
string— construct id. - userArn
string— the ARN of an existing user to import.
Returns
Import an existing user given a user ARN.
If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail.
static fromUserAttributes(scope, id, attrs)
public static fromUserAttributes(scope: Construct, id: string, attrs: UserAttributes): IUser
Parameters
- scope
Construct— construct scope. - id
string— construct id. - attrs
User— the attributes of the user to import.Attributes
Returns
Import an existing user given user attributes.
If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail.
static fromUserName(scope, id, userName)
public static fromUserName(scope: Construct, id: string, userName: string): IUser
Parameters
- scope
Construct— construct scope. - id
string— construct id. - userName
string— the username of the existing user to import.
Returns
Import an existing user given a username.