ArnPrincipal

class aws_cdk.aws_iam.ArnPrincipal(arn)

Bases: PrincipalBase

Specify a principal by the Amazon Resource Name (ARN).

You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions. You cannot specify IAM groups or instance profiles as principals

See:: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
ExampleMetadata:: infused

Example:

# Option 2: create your custom mastersRole with scoped assumeBy arn as the Cluster prop. Switch to this role from the AWS console.
from aws_cdk.lambda_layer_kubectl_v30 import KubectlV30Layer
# vpc: ec2.Vpc


masters_role = iam.Role(self, "MastersRole",
    assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
)

cluster = eks.Cluster(self, "EksCluster",
    vpc=vpc,
    version=eks.KubernetesVersion.V1_30,
    kubectl_layer=KubectlV30Layer(self, "KubectlLayer"),
    masters_role=masters_role
)

masters_role.add_to_policy(iam.PolicyStatement(
    actions=["eks:AccessKubernetesApi", "eks:Describe*", "eks:List*"
    ],
    resources=[cluster.cluster_arn]
))

Parameters:: arn (str) – Amazon Resource Name (ARN) of the principal entity (i.e. arn:aws:iam::123456789012:user/user-name).

Methods

add_to_assume_role_policy(document)

Add the principal to the AssumeRolePolicyDocument.

Add the statements to the AssumeRolePolicyDocument necessary to give this principal permissions to assume the given role.

Parameters:

document (PolicyDocument) –

Return type:

None

add_to_policy(statement)

Add to the policy of this principal.

Parameters:

statement (PolicyStatement) –

Return type:

bool

add_to_principal_policy(_statement)

Add to the policy of this principal.

Parameters:

_statement (PolicyStatement) –

Return type:

AddToPrincipalPolicyResult

dedupe_string()

Return whether or not this principal is equal to the given principal.

Return type:: Optional[str]

in_organization(organization_id)

A convenience method for adding a condition that the principal is part of the specified AWS Organization.

Parameters:

organization_id (str) –

Return type:

PrincipalBase

to_json()

JSON-ify the principal.

Used when JSON.stringify() is called

Return type:: Mapping[str, List[str]]

to_string()

Returns a string representation of an object.

Return type:: str

with_conditions(conditions)

Returns a new PrincipalWithConditions using this principal as the base, with the passed conditions added.

When there is a value for the same operator and key in both the principal and the conditions parameter, the value from the conditions parameter will be used.

Parameters:

conditions (Mapping[str, Any]) –

Return type:

PrincipalBase

Returns:

a new PrincipalWithConditions object.

with_session_tags()

Returns a new principal using this principal as the base, with session tags enabled.

Return type:: PrincipalBase
Returns:: a new SessionTagsPrincipal object.

Attributes

arn

iam::123456789012:user/user-name).

Type:: Amazon Resource Name (ARN) of the principal entity (i.e. arn
Type:: aws

assume_role_action: When this Principal is used in an AssumeRole policy, the action to use.

grant_principal: The principal to grant permissions to.

policy_fragment: Return the policy fragment that identifies this principal in a Policy.

principal_account

The AWS account ID of this principal.

Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it’s assumed to be AWS::AccountId.