User

class aws_cdk.aws_iam.User(scope, id, *, groups=None, managed_policies=None, password=None, password_reset_required=None, path=None, permissions_boundary=None, user_name=None)

Bases: Resource

Define a new IAM user.

ExampleMetadata:

infused

Example:

# definition: sfn.IChainable
user = iam.User(self, "MyUser")
state_machine = sfn.StateMachine(self, "StateMachine",
    definition_body=sfn.DefinitionBody.from_chainable(definition)
)

# give user permission to send task success to the state machine
state_machine.grant(user, "states:SendTaskSuccess")
Parameters:

  • scope (Construct)

  • id (str)

  • groups (Optional[Sequence[IGroup]]) – Groups to add this user to. You can also use addToGroup to add this user to a group. Default: - No groups.

  • managed_policies (Optional[Sequence[IManagedPolicy]]) – A list of managed policies associated with this role. You can add managed policies later using addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName)). Default: - No managed policies.

  • password (Optional[SecretValue]) – The password for the user. This is required so the user can access the AWS Management Console. You can use SecretValue.unsafePlainText to specify a password in plain text or use secretsmanager.Secret.fromSecretAttributes to reference a secret in Secrets Manager. Default: - User won’t be able to access the management console without a password.

  • password_reset_required (Optional[bool]) – Specifies whether the user is required to set a new password the next time the user logs in to the AWS Management Console. If this is set to ‘true’, you must also specify “initialPassword”. Default: false

  • path (Optional[str]) – The path for the user name. For more information about paths, see IAM Identifiers in the IAM User Guide. Default: /

  • permissions_boundary (Optional[IManagedPolicy]) – AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity’s permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. Default: - No permissions boundary.

  • user_name (Optional[str]) – A name for the IAM user. For valid values, see the UserName parameter for the CreateUser action in the IAM API Reference. If you don’t specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name. If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template’s capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates. Default: - Generated by CloudFormation (recommended)

Methods

add_managed_policy(policy)

Attaches a managed policy to the user.

Parameters:

policy (IManagedPolicy) – The managed policy to attach.

Return type:

None

add_to_group(group)

Adds this user to a group.

Parameters:

group (IGroup)

Return type:

None

add_to_policy(statement)

Add to the policy of this principal.

Parameters:

statement (PolicyStatement)

Return type:

bool

add_to_principal_policy(statement)

Adds an IAM statement to the default policy.

Parameters:

statement (PolicyStatement)

Return type:

AddToPrincipalPolicyResult

Returns:

true

apply_removal_policy(policy)

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

Parameters:

policy (RemovalPolicy)

Return type:

None

attach_inline_policy(policy)

Attaches a policy to this user.

Parameters:

policy (Policy)

Return type:

None

to_string()

Returns a string representation of this construct.

Return type:

str

Attributes

PROPERTY_INJECTION_ID = 'aws-cdk-lib.aws-iam.User'
assume_role_action

When this Principal is used in an AssumeRole policy, the action to use.

env

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

grant_principal

The principal to grant permissions to.

node

The tree node.

permissions_boundary

Returns the permissions boundary attached to this user.

policy_fragment

Return the policy fragment that identifies this principal in a Policy.

principal_account

The AWS account ID of this principal.

Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it’s assumed to be AWS::AccountId.

stack

The stack in which this resource is defined.

user_arn

An attribute that represents the user’s ARN.

Attribute:

true

user_name

An attribute that represents the user name.

Attribute:

true

user_ref

A reference to a User resource.

Static Methods

classmethod from_user_arn(scope, id, user_arn)

Import an existing user given a user ARN.

If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail.

Parameters:

  • scope (Construct) – construct scope.

  • id (str) – construct id.

  • user_arn (str) – the ARN of an existing user to import.

Return type:

IUser

classmethod from_user_attributes(scope, id, *, user_arn)

Import an existing user given user attributes.

If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail.

Parameters:

  • scope (Construct) – construct scope.

  • id (str) – construct id.

  • user_arn (str) – The ARN of the user. Format: arn::iam:::user/

Return type:

IUser

classmethod from_user_name(scope, id, user_name)

Import an existing user given a username.

Parameters:

  • scope (Construct) – construct scope.

  • id (str) – construct id.

  • user_name (str) – the username of the existing user to import.

Return type:

IUser

classmethod is_construct(x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

Parameters:

x (Any) – Any object.

Return type:

bool

Returns:

true if x is an object created from a class which extends Construct.

classmethod is_owned_resource(construct)

Returns true if the construct was created by CDK, and false otherwise.

Parameters:

construct (IConstruct)

Return type:

bool

classmethod is_resource(construct)

Check whether the given construct is a Resource.

Parameters:

construct (IConstruct)

Return type:

bool