PolicyStatementProps

class aws_cdk.aws_iam.PolicyStatementProps(*, actions=None, conditions=None, effect=None, not_actions=None, not_principals=None, not_resources=None, principals=None, resources=None, sid=None)

Bases: object

Interface for creating a policy statement.

Parameters:
  • actions (Optional[Sequence[str]]) – List of actions to add to the statement. Default: - no actions

  • conditions (Optional[Mapping[str, Any]]) – Conditions to add to the statement. Default: - no condition

  • effect (Optional[Effect]) – Whether to allow or deny the actions in this statement. Default: Effect.ALLOW

  • not_actions (Optional[Sequence[str]]) – List of not actions to add to the statement. Default: - no not-actions

  • not_principals (Optional[Sequence[IPrincipal]]) – List of not principals to add to the statement. Default: - no not principals

  • not_resources (Optional[Sequence[str]]) – NotResource ARNs to add to the statement. Default: - no not-resources

  • principals (Optional[Sequence[IPrincipal]]) – List of principals to add to the statement. Default: - no principals

  • resources (Optional[Sequence[str]]) – Resource ARNs to add to the statement. Default: - no resources

  • sid (Optional[str]) – The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy. Default: - no sid

Example:

execution_role = iam.Role(self, "EvaluationRole",
    assumed_by=iam.ServicePrincipal("bedrock-agentcore.amazonaws.com"),
    description="Custom role for online evaluation"
)

# Add required permissions
execution_role.add_to_policy(iam.PolicyStatement(
    actions=[
        "logs:DescribeLogGroups",
        "logs:GetQueryResults",
        "logs:StartQuery"
    ],
    resources=["arn:aws:logs:*:*:log-group:/aws/bedrock-agentcore/*"]
))

evaluation = agentcore.OnlineEvaluationConfig(self, "CustomRoleEval",
    online_evaluation_config_name="custom_role_evaluation",
    evaluators=[
        agentcore.EvaluatorReference.builtin(agentcore.BuiltinEvaluator.HELPFULNESS)
    ],
    data_source=agentcore.DataSourceConfig.from_cloud_watch_logs(
        log_group_names=["/aws/bedrock-agentcore/my-agent"],
        service_names=["my-agent.default"]
    ),
    execution_role=execution_role
)

Attributes

actions

List of actions to add to the statement.

Default:
  • no actions

conditions

Conditions to add to the statement.

Default:
  • no condition

effect

Whether to allow or deny the actions in this statement.

Default:

Effect.ALLOW

not_actions

List of not actions to add to the statement.

Default:
  • no not-actions

not_principals

List of not principals to add to the statement.

Default:
  • no not principals

not_resources

NotResource ARNs to add to the statement.

Default:
  • no not-resources

principals

List of principals to add to the statement.

Default:
  • no principals

resources

Resource ARNs to add to the statement.

Default:
  • no resources

sid

The Sid (statement ID) is an optional identifier that you provide for the policy statement.

You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s ID. In IAM, the Sid value must be unique within a JSON policy.

Default:
  • no sid
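
The following is an added example, not part of the CDK documentation or the CDK's own code: a pre-synthesis review check over statement definitions keyed by the fields documented above. It assumes plain dicts and strings in place of the CDK's `Effect` and `IPrincipal` types; `lint_statements`, `ALLOW`, `DENY` and `SAMPLE` are hypothetical names, and the sample statements are constructed.

```python
ALLOW, DENY = "Allow", "Deny"  # stand-ins for Effect.ALLOW / Effect.DENY

def lint_statements(statements):
    """Check dicts keyed like PolicyStatementProps; return [(index, finding)]."""
    findings, seen_sids = [], set()
    for i, s in enumerate(statements):
        effect = s.get("effect", ALLOW)  # documented default is Effect.ALLOW
        # An element and its Not* inverse cannot share one statement.
        for pos in ("actions", "resources", "principals"):
            if s.get(pos) and s.get("not_" + pos):
                findings.append((i, f"{pos} and not_{pos} both set"))
        if not s.get("actions") and not s.get("not_actions"):
            findings.append((i, "no actions or not_actions"))
        if effect == ALLOW:
            # Allow combined with Not* grants everything outside the listed values.
            for neg in ("not_actions", "not_resources", "not_principals"):
                if s.get(neg):
                    findings.append((i, f"Allow with {neg}"))
            actions = s.get("actions") or []
            wild = any(a == "*" or a.endswith(":*") for a in actions)
            if wild and "*" in (s.get("resources") or []) and not s.get("conditions"):
                findings.append((i, "wildcard actions on all resources, no conditions"))
        sid = s.get("sid")
        if sid is not None:
            if sid in seen_sids:  # in IAM, a Sid must be unique within a policy
                findings.append((i, f"duplicate sid {sid}"))
            seen_sids.add(sid)
    return findings

# Constructed sample input, not taken from any real policy.
SAMPLE = [
    {"sid": "ReadLogs",
     "actions": ["logs:DescribeLogGroups", "logs:GetQueryResults", "logs:StartQuery"],
     "resources": ["arn:aws:logs:*:*:log-group:/aws/bedrock-agentcore/*"]},
    {"sid": "ReadLogs", "not_actions": ["iam:*"], "resources": ["*"]},
    {"sid": "AdminS3", "actions": ["s3:*"], "resources": ["*"]},
    {"sid": "DenyOutsideOrg", "effect": DENY, "actions": ["*"], "resources": ["*"],
     "conditions": {"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
]

if __name__ == "__main__":
    for index, finding in lint_statements(SAMPLE):
        print(f"statement {index}: {finding}")
```

The scoped log-reading statement and the conditioned Deny pass cleanly; the other two statements are flagged for review before they reach a deployed policy.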