class AwsCustomResourcePolicy
Language | Type name |
---|---|
.NET | Amazon.CDK.CustomResources.AwsCustomResourcePolicy |
Go | github.com/aws/aws-cdk-go/awscdk/v2/customresources#AwsCustomResourcePolicy |
Java | software.amazon.awscdk.customresources.AwsCustomResourcePolicy |
Python | aws_cdk.custom_resources.AwsCustomResourcePolicy |
TypeScript | aws-cdk-lib » custom_resources » AwsCustomResourcePolicy |
The IAM Policy that will be applied to the different calls.
Example
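```ts
import * as cr from 'aws-cdk-lib/custom_resources';

// Runs inside a construct or stack, where `this` is the scope.
const getParameter = new cr.AwsCustomResource(this, 'GetParameter', {
  onUpdate: {
    service: 'SSM',
    action: 'GetParameter',
    parameters: {
      Name: 'my-parameter',
      WithDecryption: true,
    },
    // A new physical ID on every synth forces the call to run on each update.
    physicalResourceId: cr.PhysicalResourceId.of(Date.now().toString()),
    // Keeps the decrypted parameter value out of the handler's logs.
    logging: cr.Logging.withDataHidden(),
  },
  // Statements are generated from the SDK call above and apply to any resource.
  policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
    resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
  }),
});
```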
Properties
Name | Type | Description |
---|---|---|
statements | PolicyStatement[] | Statements for an explicit policy. |
resources? | string[] | Resources for the statements auto-generated from SDK calls. |
static ANY_RESOURCE | string[] | Use this constant to configure access to any resource. |
statements
Type: PolicyStatement[]
Statements for an explicit policy.
resources?
Type: string[] (optional)
Resources for the statements auto-generated from SDK calls.
static ANY_RESOURCE
Type: string[]
Use this constant to configure access to any resource.
Methods
Name | Description |
---|---|
static fromSdkCalls(options) | Generate IAM Policy Statements from the configured SDK calls. |
static fromStatements(statements) | Explicit IAM Policy Statements. |
static fromSdkCalls(options)
```ts
public static fromSdkCalls(options: SdkCallsPolicyOptions): AwsCustomResourcePolicy
```
Parameters
- options `SdkCallsPolicyOptions` — options for the policy generation.
Returns
- `AwsCustomResourcePolicy`
Generate IAM Policy Statements from the configured SDK calls.
Each SDK call will be translated to an IAM Policy Statement in the form of `call.service:call.action` (e.g. `s3:PutObject`).
This policy generator assumes the IAM action name is the same as the name of the API call. This is true in 99% of cases, but there are exceptions (for example, S3's `PutBucketLifecycleConfiguration` requires `s3:PutLifecycleConfiguration` permissions, and Lambda's `Invoke` requires `lambda:InvokeFunction` permissions). Use `fromStatements` if you want to make a call that requires different IAM action names.
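The naming assumption and its two documented exceptions can be checked before deployment. The following is an added example, not aws-cdk-lib code: `reviewSdkCalls`, `derivedIamAction` and `KNOWN_EXCEPTIONS` are hypothetical names, and the lower-cased service prefix is an assumption taken from the `s3:PutObject` form above.

```typescript
// Added example, not aws-cdk-lib code: models the action naming that
// fromSdkCalls is documented to use and reviews calls before deployment.
interface SdkCall { service: string; action: string; }
interface Finding { call: string; issue: string; suggestion: string; }

// Same value as AwsCustomResourcePolicy.ANY_RESOURCE.
const ANY_RESOURCE: string[] = ['*'];

// The two exceptions named in the documentation above; extend as needed.
const KNOWN_EXCEPTIONS: Record<string, string> = {
  's3:PutBucketLifecycleConfiguration': 's3:PutLifecycleConfiguration',
  'lambda:Invoke': 'lambda:InvokeFunction',
};

// Assumption: the service prefix is lower-cased, matching the
// documented `s3:PutObject` form.
function derivedIamAction(call: SdkCall): string {
  return `${call.service.toLowerCase()}:${call.action}`;
}

function reviewSdkCalls(calls: SdkCall[], resources: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const call of calls) {
    const derived = derivedIamAction(call);
    const required = KNOWN_EXCEPTIONS[derived];
    if (required !== undefined) {
      findings.push({
        call: derived,
        issue: `generated action does not match required ${required}`,
        suggestion: `use fromStatements with action ${required}`,
      });
    }
    if (resources.indexOf('*') !== -1) {
      findings.push({
        call: derived,
        issue: 'policy grants the action on every resource',
        suggestion: 'pass specific ARNs in resources',
      });
    }
  }
  return findings;
}

// Constructed sample input: the page's SSM call plus a Lambda invoke.
const sampleCalls: SdkCall[] = [
  { service: 'SSM', action: 'GetParameter' },
  { service: 'Lambda', action: 'Invoke' },
];
const sampleFindings = reviewSdkCalls(sampleCalls, ANY_RESOURCE);
for (const f of sampleFindings) console.log(`${f.call}: ${f.issue}; ${f.suggestion}`);
```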
static fromStatements(statements)
```ts
public static fromStatements(statements: PolicyStatement[]): AwsCustomResourcePolicy
```
Parameters
- statements `PolicyStatement[]` — the statements to propagate to the SDK calls.
Returns
- `AwsCustomResourcePolicy`
Explicit IAM Policy Statements.