awsiam

package v2.0.0-rc.26

This package is not in the latest version of its module.

Published: Oct 26, 2021 License: Apache-2.0 Imports: 6 Imported by: 187

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CfnAccessKey_CFN_RESOURCE_TYPE_NAME

func CfnAccessKey_CFN_RESOURCE_TYPE_NAME() *string

func CfnAccessKey_IsCfnElement

func CfnAccessKey_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnAccessKey_IsCfnResource

func CfnAccessKey_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnAccessKey_IsConstruct

func CfnAccessKey_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnGroup_CFN_RESOURCE_TYPE_NAME

func CfnGroup_CFN_RESOURCE_TYPE_NAME() *string

func CfnGroup_IsCfnElement

func CfnGroup_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnGroup_IsCfnResource

func CfnGroup_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnGroup_IsConstruct

func CfnGroup_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnInstanceProfile_CFN_RESOURCE_TYPE_NAME

func CfnInstanceProfile_CFN_RESOURCE_TYPE_NAME() *string

func CfnInstanceProfile_IsCfnElement

func CfnInstanceProfile_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnInstanceProfile_IsCfnResource

func CfnInstanceProfile_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnInstanceProfile_IsConstruct

func CfnInstanceProfile_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnManagedPolicy_CFN_RESOURCE_TYPE_NAME

func CfnManagedPolicy_CFN_RESOURCE_TYPE_NAME() *string

func CfnManagedPolicy_IsCfnElement

func CfnManagedPolicy_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnManagedPolicy_IsCfnResource

func CfnManagedPolicy_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnManagedPolicy_IsConstruct

func CfnManagedPolicy_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnOIDCProvider_CFN_RESOURCE_TYPE_NAME

func CfnOIDCProvider_CFN_RESOURCE_TYPE_NAME() *string

func CfnOIDCProvider_IsCfnElement

func CfnOIDCProvider_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnOIDCProvider_IsCfnResource

func CfnOIDCProvider_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnOIDCProvider_IsConstruct

func CfnOIDCProvider_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnPolicy_CFN_RESOURCE_TYPE_NAME

func CfnPolicy_CFN_RESOURCE_TYPE_NAME() *string

func CfnPolicy_IsCfnElement

func CfnPolicy_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnPolicy_IsCfnResource

func CfnPolicy_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnPolicy_IsConstruct

func CfnPolicy_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnRole_CFN_RESOURCE_TYPE_NAME

func CfnRole_CFN_RESOURCE_TYPE_NAME() *string

func CfnRole_IsCfnElement

func CfnRole_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnRole_IsCfnResource

func CfnRole_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnRole_IsConstruct

func CfnRole_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnSAMLProvider_CFN_RESOURCE_TYPE_NAME

func CfnSAMLProvider_CFN_RESOURCE_TYPE_NAME() *string

func CfnSAMLProvider_IsCfnElement

func CfnSAMLProvider_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnSAMLProvider_IsCfnResource

func CfnSAMLProvider_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnSAMLProvider_IsConstruct

func CfnSAMLProvider_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnServerCertificate_CFN_RESOURCE_TYPE_NAME

func CfnServerCertificate_CFN_RESOURCE_TYPE_NAME() *string

func CfnServerCertificate_IsCfnElement

func CfnServerCertificate_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnServerCertificate_IsCfnResource

func CfnServerCertificate_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnServerCertificate_IsConstruct

func CfnServerCertificate_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnServiceLinkedRole_CFN_RESOURCE_TYPE_NAME

func CfnServiceLinkedRole_CFN_RESOURCE_TYPE_NAME() *string

func CfnServiceLinkedRole_IsCfnElement

func CfnServiceLinkedRole_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnServiceLinkedRole_IsCfnResource

func CfnServiceLinkedRole_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnServiceLinkedRole_IsConstruct

func CfnServiceLinkedRole_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnUserToGroupAddition_CFN_RESOURCE_TYPE_NAME

func CfnUserToGroupAddition_CFN_RESOURCE_TYPE_NAME() *string

func CfnUserToGroupAddition_IsCfnElement

func CfnUserToGroupAddition_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnUserToGroupAddition_IsCfnResource

func CfnUserToGroupAddition_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnUserToGroupAddition_IsConstruct

func CfnUserToGroupAddition_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnUser_CFN_RESOURCE_TYPE_NAME

func CfnUser_CFN_RESOURCE_TYPE_NAME() *string

func CfnUser_IsCfnElement

func CfnUser_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnUser_IsCfnResource

func CfnUser_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnUser_IsConstruct

func CfnUser_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func CfnVirtualMFADevice_CFN_RESOURCE_TYPE_NAME

func CfnVirtualMFADevice_CFN_RESOURCE_TYPE_NAME() *string

func CfnVirtualMFADevice_IsCfnElement

func CfnVirtualMFADevice_IsCfnElement(x interface{}) *bool

Returns `true` if a construct is a stack element (i.e. part of the synthesized CloudFormation template).

Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.

Returns: The construct as a stack element or undefined if it is not a stack element. Experimental.

func CfnVirtualMFADevice_IsCfnResource

func CfnVirtualMFADevice_IsCfnResource(construct constructs.IConstruct) *bool

Check whether the given construct is a CfnResource. Experimental.

func CfnVirtualMFADevice_IsConstruct

func CfnVirtualMFADevice_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func Group_IsConstruct

func Group_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func Group_IsResource

func Group_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func LazyRole_IsConstruct

func LazyRole_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func LazyRole_IsResource

func LazyRole_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func ManagedPolicy_IsConstruct

func ManagedPolicy_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func ManagedPolicy_IsResource

func ManagedPolicy_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func NewAccountPrincipal_Override

func NewAccountPrincipal_Override(a AccountPrincipal, accountId interface{})

Experimental.

func NewAccountRootPrincipal_Override

func NewAccountRootPrincipal_Override(a AccountRootPrincipal)

Experimental.

func NewAnyPrincipal_Override

func NewAnyPrincipal_Override(a AnyPrincipal)

Experimental.

func NewArnPrincipal_Override

func NewArnPrincipal_Override(a ArnPrincipal, arn *string)

Experimental.

func NewCanonicalUserPrincipal_Override

func NewCanonicalUserPrincipal_Override(c CanonicalUserPrincipal, canonicalUserId *string)

Experimental.

func NewCfnAccessKey_Override

func NewCfnAccessKey_Override(c CfnAccessKey, scope constructs.Construct, id *string, props *CfnAccessKeyProps)

Create a new `AWS::IAM::AccessKey`.

func NewCfnGroup_Override

func NewCfnGroup_Override(c CfnGroup, scope constructs.Construct, id *string, props *CfnGroupProps)

Create a new `AWS::IAM::Group`.

func NewCfnInstanceProfile_Override

func NewCfnInstanceProfile_Override(c CfnInstanceProfile, scope constructs.Construct, id *string, props *CfnInstanceProfileProps)

Create a new `AWS::IAM::InstanceProfile`.

func NewCfnManagedPolicy_Override

func NewCfnManagedPolicy_Override(c CfnManagedPolicy, scope constructs.Construct, id *string, props *CfnManagedPolicyProps)

Create a new `AWS::IAM::ManagedPolicy`.

func NewCfnOIDCProvider_Override

func NewCfnOIDCProvider_Override(c CfnOIDCProvider, scope constructs.Construct, id *string, props *CfnOIDCProviderProps)

Create a new `AWS::IAM::OIDCProvider`.

func NewCfnPolicy_Override

func NewCfnPolicy_Override(c CfnPolicy, scope constructs.Construct, id *string, props *CfnPolicyProps)

Create a new `AWS::IAM::Policy`.

func NewCfnRole_Override

func NewCfnRole_Override(c CfnRole, scope constructs.Construct, id *string, props *CfnRoleProps)

Create a new `AWS::IAM::Role`.

func NewCfnSAMLProvider_Override

func NewCfnSAMLProvider_Override(c CfnSAMLProvider, scope constructs.Construct, id *string, props *CfnSAMLProviderProps)

Create a new `AWS::IAM::SAMLProvider`.

func NewCfnServerCertificate_Override

func NewCfnServerCertificate_Override(c CfnServerCertificate, scope constructs.Construct, id *string, props *CfnServerCertificateProps)

Create a new `AWS::IAM::ServerCertificate`.

func NewCfnServiceLinkedRole_Override

func NewCfnServiceLinkedRole_Override(c CfnServiceLinkedRole, scope constructs.Construct, id *string, props *CfnServiceLinkedRoleProps)

Create a new `AWS::IAM::ServiceLinkedRole`.

func NewCfnUserToGroupAddition_Override

func NewCfnUserToGroupAddition_Override(c CfnUserToGroupAddition, scope constructs.Construct, id *string, props *CfnUserToGroupAdditionProps)

Create a new `AWS::IAM::UserToGroupAddition`.

func NewCfnUser_Override

func NewCfnUser_Override(c CfnUser, scope constructs.Construct, id *string, props *CfnUserProps)

Create a new `AWS::IAM::User`.

func NewCfnVirtualMFADevice_Override

func NewCfnVirtualMFADevice_Override(c CfnVirtualMFADevice, scope constructs.Construct, id *string, props *CfnVirtualMFADeviceProps)

Create a new `AWS::IAM::VirtualMFADevice`.

func NewCompositeDependable_Override

func NewCompositeDependable_Override(c CompositeDependable, dependables ...constructs.IDependable)

Experimental.

func NewCompositePrincipal_Override

func NewCompositePrincipal_Override(c CompositePrincipal, principals ...PrincipalBase)

Experimental.

func NewFederatedPrincipal_Override

func NewFederatedPrincipal_Override(f FederatedPrincipal, federated *string, conditions *map[string]interface{}, assumeRoleAction *string)

Experimental.

func NewGroup_Override

func NewGroup_Override(g Group, scope constructs.Construct, id *string, props *GroupProps)

Experimental.

func NewLazyRole_Override

func NewLazyRole_Override(l LazyRole, scope constructs.Construct, id *string, props *LazyRoleProps)

Experimental.

func NewManagedPolicy_Override

func NewManagedPolicy_Override(m ManagedPolicy, scope constructs.Construct, id *string, props *ManagedPolicyProps)

Experimental.

func NewOpenIdConnectPrincipal_Override

func NewOpenIdConnectPrincipal_Override(o OpenIdConnectPrincipal, openIdConnectProvider IOpenIdConnectProvider, conditions *map[string]interface{})

Experimental.

func NewOpenIdConnectProvider_Override

func NewOpenIdConnectProvider_Override(o OpenIdConnectProvider, scope constructs.Construct, id *string, props *OpenIdConnectProviderProps)

Defines an OpenID Connect provider. Experimental.

func NewOrganizationPrincipal_Override

func NewOrganizationPrincipal_Override(o OrganizationPrincipal, organizationId *string)

Experimental.

func NewPolicyDocument_Override

func NewPolicyDocument_Override(p PolicyDocument, props *PolicyDocumentProps)

Experimental.

func NewPolicyStatement_Override

func NewPolicyStatement_Override(p PolicyStatement, props *PolicyStatementProps)

Experimental.

func NewPolicy_Override

func NewPolicy_Override(p Policy, scope constructs.Construct, id *string, props *PolicyProps)

Experimental.

func NewPrincipalBase_Override

func NewPrincipalBase_Override(p PrincipalBase)

Experimental.

func NewPrincipalPolicyFragment_Override

func NewPrincipalPolicyFragment_Override(p PrincipalPolicyFragment, principalJson *map[string]*[]*string, conditions *map[string]interface{})

Experimental.

func NewPrincipalWithConditions_Override

func NewPrincipalWithConditions_Override(p PrincipalWithConditions, principal IPrincipal, conditions *map[string]interface{})

Experimental.

func NewRole_Override

func NewRole_Override(r Role, scope constructs.Construct, id *string, props *RoleProps)

Experimental.

func NewSamlConsolePrincipal_Override

func NewSamlConsolePrincipal_Override(s SamlConsolePrincipal, samlProvider ISamlProvider, conditions *map[string]interface{})

Experimental.

func NewSamlMetadataDocument_Override

func NewSamlMetadataDocument_Override(s SamlMetadataDocument)

Experimental.

func NewSamlPrincipal_Override

func NewSamlPrincipal_Override(s SamlPrincipal, samlProvider ISamlProvider, conditions *map[string]interface{})

Experimental.

func NewSamlProvider_Override

func NewSamlProvider_Override(s SamlProvider, scope constructs.Construct, id *string, props *SamlProviderProps)

Experimental.

func NewServicePrincipal_Override

func NewServicePrincipal_Override(s ServicePrincipal, service *string, opts *ServicePrincipalOpts)

Experimental.

func NewStarPrincipal_Override

func NewStarPrincipal_Override(s StarPrincipal)

Experimental.

func NewUnknownPrincipal_Override

func NewUnknownPrincipal_Override(u UnknownPrincipal, props *UnknownPrincipalProps)

Experimental.

func NewUser_Override

func NewUser_Override(u User, scope constructs.Construct, id *string, props *UserProps)

Experimental.

func NewWebIdentityPrincipal_Override

func NewWebIdentityPrincipal_Override(w WebIdentityPrincipal, identityProvider *string, conditions *map[string]interface{})

Experimental.

func OpenIdConnectProvider_IsConstruct

func OpenIdConnectProvider_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func OpenIdConnectProvider_IsResource

func OpenIdConnectProvider_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func Policy_IsConstruct

func Policy_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func Policy_IsResource

func Policy_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func Role_IsConstruct

func Role_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func Role_IsResource

func Role_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func SamlProvider_IsConstruct

func SamlProvider_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func SamlProvider_IsResource

func SamlProvider_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func User_IsConstruct

func User_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead

func User_IsResource

func User_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

Types

type AccountPrincipal

type AccountPrincipal interface {
	ArnPrincipal
	AccountId() interface{}
	Arn() *string
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

Specify AWS account ID as the principal entity in a policy to delegate authority to the account. Experimental.

func NewAccountPrincipal

func NewAccountPrincipal(accountId interface{}) AccountPrincipal

Experimental.

type AccountRootPrincipal

type AccountRootPrincipal interface {
	AccountPrincipal
	AccountId() interface{}
	Arn() *string
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

Use the AWS account into which a stack is deployed as the principal entity in a policy. Experimental.

func NewAccountRootPrincipal

func NewAccountRootPrincipal() AccountRootPrincipal

Experimental.

type AddToPrincipalPolicyResult

type AddToPrincipalPolicyResult struct {
	// Whether the statement was added to the identity's policies.
	// Experimental.
	StatementAdded *bool `json:"statementAdded"`
	// Dependable which allows depending on the policy change being applied.
	// Experimental.
	PolicyDependable constructs.IDependable `json:"policyDependable"`
}

Result of calling `addToPrincipalPolicy`. Experimental.

type AddToResourcePolicyResult

type AddToResourcePolicyResult struct {
	// Whether the statement was added.
	// Experimental.
	StatementAdded *bool `json:"statementAdded"`
	// Dependable which allows depending on the policy change being applied.
	// Experimental.
	PolicyDependable constructs.IDependable `json:"policyDependable"`
}

Result of calling addToResourcePolicy. Experimental.

type AnyPrincipal

type AnyPrincipal interface {
	ArnPrincipal
	Arn() *string
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

A principal representing all AWS identities in all accounts.

Some services behave differently when you specify `Principal: '*'` or `Principal: { AWS: "*" }` in their resource policy.

`AnyPrincipal` renders to `Principal: { AWS: "*" }`. This is correct most of the time, but in cases where you need the other principal, use `StarPrincipal` instead. Experimental.

func NewAnyPrincipal

func NewAnyPrincipal() AnyPrincipal

Experimental.

type ArnPrincipal

type ArnPrincipal interface {
	PrincipalBase
	Arn() *string
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

Specify a principal by the Amazon Resource Name (ARN).

You can specify AWS accounts, IAM users, federated SAML users, IAM roles, and specific assumed-role sessions. You cannot specify IAM groups or instance profiles as principals. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

Experimental.

func NewArnPrincipal

func NewArnPrincipal(arn *string) ArnPrincipal

Experimental.

type CanonicalUserPrincipal

type CanonicalUserPrincipal interface {
	PrincipalBase
	AssumeRoleAction() *string
	CanonicalUserId() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

A policy principal for canonical user IDs, useful for S3 bucket policies that use CloudFront Origin Access Identities.

See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html and https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html for more details. Experimental.

func NewCanonicalUserPrincipal

func NewCanonicalUserPrincipal(canonicalUserId *string) CanonicalUserPrincipal

Experimental.

type CfnAccessKey

type CfnAccessKey interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AttrSecretAccessKey() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	Serial() *float64
	SetSerial(val *float64)
	Stack() awscdk.Stack
	Status() *string
	SetStatus(val *string)
	UpdatedProperites() *map[string]interface{}
	UserName() *string
	SetUserName(val *string)
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::AccessKey`.

func NewCfnAccessKey

func NewCfnAccessKey(scope constructs.Construct, id *string, props *CfnAccessKeyProps) CfnAccessKey

Create a new `AWS::IAM::AccessKey`.

type CfnAccessKeyProps

type CfnAccessKeyProps struct {
	// `AWS::IAM::AccessKey.UserName`.
	UserName *string `json:"userName"`
	// `AWS::IAM::AccessKey.Serial`.
	Serial *float64 `json:"serial"`
	// `AWS::IAM::AccessKey.Status`.
	Status *string `json:"status"`
}

Properties for defining an `AWS::IAM::AccessKey`.

type CfnGroup

type CfnGroup interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AttrArn() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	GroupName() *string
	SetGroupName(val *string)
	LogicalId() *string
	ManagedPolicyArns() *[]*string
	SetManagedPolicyArns(val *[]*string)
	Node() constructs.Node
	Path() *string
	SetPath(val *string)
	Policies() interface{}
	SetPolicies(val interface{})
	Ref() *string
	Stack() awscdk.Stack
	UpdatedProperites() *map[string]interface{}
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::Group`.

func NewCfnGroup

func NewCfnGroup(scope constructs.Construct, id *string, props *CfnGroupProps) CfnGroup

Create a new `AWS::IAM::Group`.

type CfnGroupProps

type CfnGroupProps struct {
	// `AWS::IAM::Group.GroupName`.
	GroupName *string `json:"groupName"`
	// `AWS::IAM::Group.ManagedPolicyArns`.
	ManagedPolicyArns *[]*string `json:"managedPolicyArns"`
	// `AWS::IAM::Group.Path`.
	Path *string `json:"path"`
	// `AWS::IAM::Group.Policies`.
	Policies interface{} `json:"policies"`
}

Properties for defining an `AWS::IAM::Group`.

type CfnGroup_PolicyProperty

type CfnGroup_PolicyProperty struct {
	// `CfnGroup.PolicyProperty.PolicyDocument`.
	PolicyDocument interface{} `json:"policyDocument"`
	// `CfnGroup.PolicyProperty.PolicyName`.
	PolicyName *string `json:"policyName"`
}

type CfnInstanceProfile

type CfnInstanceProfile interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AttrArn() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	InstanceProfileName() *string
	SetInstanceProfileName(val *string)
	LogicalId() *string
	Node() constructs.Node
	Path() *string
	SetPath(val *string)
	Ref() *string
	Roles() *[]*string
	SetRoles(val *[]*string)
	Stack() awscdk.Stack
	UpdatedProperites() *map[string]interface{}
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::InstanceProfile`.

func NewCfnInstanceProfile

func NewCfnInstanceProfile(scope constructs.Construct, id *string, props *CfnInstanceProfileProps) CfnInstanceProfile

Create a new `AWS::IAM::InstanceProfile`.

type CfnInstanceProfileProps

type CfnInstanceProfileProps struct {
	// `AWS::IAM::InstanceProfile.Roles`.
	Roles *[]*string `json:"roles"`
	// `AWS::IAM::InstanceProfile.InstanceProfileName`.
	InstanceProfileName *string `json:"instanceProfileName"`
	// `AWS::IAM::InstanceProfile.Path`.
	Path *string `json:"path"`
}

Properties for defining an `AWS::IAM::InstanceProfile`.

type CfnManagedPolicy

type CfnManagedPolicy interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	Description() *string
	SetDescription(val *string)
	Groups() *[]*string
	SetGroups(val *[]*string)
	LogicalId() *string
	ManagedPolicyName() *string
	SetManagedPolicyName(val *string)
	Node() constructs.Node
	Path() *string
	SetPath(val *string)
	PolicyDocument() interface{}
	SetPolicyDocument(val interface{})
	Ref() *string
	Roles() *[]*string
	SetRoles(val *[]*string)
	Stack() awscdk.Stack
	UpdatedProperites() *map[string]interface{}
	Users() *[]*string
	SetUsers(val *[]*string)
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::ManagedPolicy`.

func NewCfnManagedPolicy

func NewCfnManagedPolicy(scope constructs.Construct, id *string, props *CfnManagedPolicyProps) CfnManagedPolicy

Create a new `AWS::IAM::ManagedPolicy`.

type CfnManagedPolicyProps

type CfnManagedPolicyProps struct {
	// `AWS::IAM::ManagedPolicy.PolicyDocument`.
	PolicyDocument interface{} `json:"policyDocument"`
	// `AWS::IAM::ManagedPolicy.Description`.
	Description *string `json:"description"`
	// `AWS::IAM::ManagedPolicy.Groups`.
	Groups *[]*string `json:"groups"`
	// `AWS::IAM::ManagedPolicy.ManagedPolicyName`.
	ManagedPolicyName *string `json:"managedPolicyName"`
	// `AWS::IAM::ManagedPolicy.Path`.
	Path *string `json:"path"`
	// `AWS::IAM::ManagedPolicy.Roles`.
	Roles *[]*string `json:"roles"`
	// `AWS::IAM::ManagedPolicy.Users`.
	Users *[]*string `json:"users"`
}

Properties for defining an `AWS::IAM::ManagedPolicy`.

type CfnOIDCProvider

type CfnOIDCProvider interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AttrArn() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	ClientIdList() *[]*string
	SetClientIdList(val *[]*string)
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	ThumbprintList() *[]*string
	SetThumbprintList(val *[]*string)
	UpdatedProperites() *map[string]interface{}
	Url() *string
	SetUrl(val *string)
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::OIDCProvider`.

func NewCfnOIDCProvider

func NewCfnOIDCProvider(scope constructs.Construct, id *string, props *CfnOIDCProviderProps) CfnOIDCProvider

Create a new `AWS::IAM::OIDCProvider`.

type CfnOIDCProviderProps

type CfnOIDCProviderProps struct {
	// `AWS::IAM::OIDCProvider.ThumbprintList`.
	ThumbprintList *[]*string `json:"thumbprintList"`
	// `AWS::IAM::OIDCProvider.ClientIdList`.
	ClientIdList *[]*string `json:"clientIdList"`
	// `AWS::IAM::OIDCProvider.Tags`.
	Tags *[]*awscdk.CfnTag `json:"tags"`
	// `AWS::IAM::OIDCProvider.Url`.
	Url *string `json:"url"`
}

Properties for defining an `AWS::IAM::OIDCProvider`.

type CfnPolicy

type CfnPolicy interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	Groups() *[]*string
	SetGroups(val *[]*string)
	LogicalId() *string
	Node() constructs.Node
	PolicyDocument() interface{}
	SetPolicyDocument(val interface{})
	PolicyName() *string
	SetPolicyName(val *string)
	Ref() *string
	Roles() *[]*string
	SetRoles(val *[]*string)
	Stack() awscdk.Stack
	UpdatedProperites() *map[string]interface{}
	Users() *[]*string
	SetUsers(val *[]*string)
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::Policy`.

func NewCfnPolicy

func NewCfnPolicy(scope constructs.Construct, id *string, props *CfnPolicyProps) CfnPolicy

Create a new `AWS::IAM::Policy`.

type CfnPolicyProps

type CfnPolicyProps struct {
	// `AWS::IAM::Policy.PolicyDocument`.
	PolicyDocument interface{} `json:"policyDocument"`
	// `AWS::IAM::Policy.PolicyName`.
	PolicyName *string `json:"policyName"`
	// `AWS::IAM::Policy.Groups`.
	Groups *[]*string `json:"groups"`
	// `AWS::IAM::Policy.Roles`.
	Roles *[]*string `json:"roles"`
	// `AWS::IAM::Policy.Users`.
	Users *[]*string `json:"users"`
}

Properties for defining an `AWS::IAM::Policy`.

type CfnRole

type CfnRole interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AssumeRolePolicyDocument() interface{}
	SetAssumeRolePolicyDocument(val interface{})
	AttrArn() *string
	AttrRoleId() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	Description() *string
	SetDescription(val *string)
	LogicalId() *string
	ManagedPolicyArns() *[]*string
	SetManagedPolicyArns(val *[]*string)
	MaxSessionDuration() *float64
	SetMaxSessionDuration(val *float64)
	Node() constructs.Node
	Path() *string
	SetPath(val *string)
	PermissionsBoundary() *string
	SetPermissionsBoundary(val *string)
	Policies() interface{}
	SetPolicies(val interface{})
	Ref() *string
	RoleName() *string
	SetRoleName(val *string)
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	UpdatedProperites() *map[string]interface{}
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::Role`.

func NewCfnRole

func NewCfnRole(scope constructs.Construct, id *string, props *CfnRoleProps) CfnRole

Create a new `AWS::IAM::Role`.

type CfnRoleProps

type CfnRoleProps struct {
	// `AWS::IAM::Role.AssumeRolePolicyDocument`.
	AssumeRolePolicyDocument interface{} `json:"assumeRolePolicyDocument"`
	// `AWS::IAM::Role.Description`.
	Description *string `json:"description"`
	// `AWS::IAM::Role.ManagedPolicyArns`.
	ManagedPolicyArns *[]*string `json:"managedPolicyArns"`
	// `AWS::IAM::Role.MaxSessionDuration`.
	MaxSessionDuration *float64 `json:"maxSessionDuration"`
	// `AWS::IAM::Role.Path`.
	Path *string `json:"path"`
	// `AWS::IAM::Role.PermissionsBoundary`.
	PermissionsBoundary *string `json:"permissionsBoundary"`
	// `AWS::IAM::Role.Policies`.
	Policies interface{} `json:"policies"`
	// `AWS::IAM::Role.RoleName`.
	RoleName *string `json:"roleName"`
	// `AWS::IAM::Role.Tags`.
	Tags *[]*awscdk.CfnTag `json:"tags"`
}

Properties for defining an `AWS::IAM::Role`.

type CfnRole_PolicyProperty

type CfnRole_PolicyProperty struct {
	// `CfnRole.PolicyProperty.PolicyDocument`.
	PolicyDocument interface{} `json:"policyDocument"`
	// `CfnRole.PolicyProperty.PolicyName`.
	PolicyName *string `json:"policyName"`
}

type CfnSAMLProvider

type CfnSAMLProvider interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AttrArn() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Name() *string
	SetName(val *string)
	Node() constructs.Node
	Ref() *string
	SamlMetadataDocument() *string
	SetSamlMetadataDocument(val *string)
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	UpdatedProperites() *map[string]interface{}
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::SAMLProvider`.

func NewCfnSAMLProvider

func NewCfnSAMLProvider(scope constructs.Construct, id *string, props *CfnSAMLProviderProps) CfnSAMLProvider

Create a new `AWS::IAM::SAMLProvider`.

type CfnSAMLProviderProps

type CfnSAMLProviderProps struct {
	// `AWS::IAM::SAMLProvider.SamlMetadataDocument`.
	SamlMetadataDocument *string `json:"samlMetadataDocument"`
	// `AWS::IAM::SAMLProvider.Name`.
	Name *string `json:"name"`
	// `AWS::IAM::SAMLProvider.Tags`.
	Tags *[]*awscdk.CfnTag `json:"tags"`
}

Properties for defining an `AWS::IAM::SAMLProvider`.

type CfnServerCertificate

type CfnServerCertificate interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AttrArn() *string
	CertificateBody() *string
	SetCertificateBody(val *string)
	CertificateChain() *string
	SetCertificateChain(val *string)
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	Path() *string
	SetPath(val *string)
	PrivateKey() *string
	SetPrivateKey(val *string)
	Ref() *string
	ServerCertificateName() *string
	SetServerCertificateName(val *string)
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	UpdatedProperites() *map[string]interface{}
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::ServerCertificate`.

func NewCfnServerCertificate

func NewCfnServerCertificate(scope constructs.Construct, id *string, props *CfnServerCertificateProps) CfnServerCertificate

Create a new `AWS::IAM::ServerCertificate`.

type CfnServerCertificateProps

type CfnServerCertificateProps struct {
	// `AWS::IAM::ServerCertificate.CertificateBody`.
	CertificateBody *string `json:"certificateBody"`
	// `AWS::IAM::ServerCertificate.CertificateChain`.
	CertificateChain *string `json:"certificateChain"`
	// `AWS::IAM::ServerCertificate.Path`.
	Path *string `json:"path"`
	// `AWS::IAM::ServerCertificate.PrivateKey`.
	PrivateKey *string `json:"privateKey"`
	// `AWS::IAM::ServerCertificate.ServerCertificateName`.
	ServerCertificateName *string `json:"serverCertificateName"`
	// `AWS::IAM::ServerCertificate.Tags`.
	Tags *[]*awscdk.CfnTag `json:"tags"`
}

Properties for defining an `AWS::IAM::ServerCertificate`.

type CfnServiceLinkedRole

type CfnServiceLinkedRole interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AwsServiceName() *string
	SetAwsServiceName(val *string)
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	CustomSuffix() *string
	SetCustomSuffix(val *string)
	Description() *string
	SetDescription(val *string)
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	Stack() awscdk.Stack
	UpdatedProperites() *map[string]interface{}
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::ServiceLinkedRole`.

func NewCfnServiceLinkedRole

func NewCfnServiceLinkedRole(scope constructs.Construct, id *string, props *CfnServiceLinkedRoleProps) CfnServiceLinkedRole

Create a new `AWS::IAM::ServiceLinkedRole`.

type CfnServiceLinkedRoleProps

type CfnServiceLinkedRoleProps struct {
	// `AWS::IAM::ServiceLinkedRole.AWSServiceName`.
	AwsServiceName *string `json:"awsServiceName"`
	// `AWS::IAM::ServiceLinkedRole.CustomSuffix`.
	CustomSuffix *string `json:"customSuffix"`
	// `AWS::IAM::ServiceLinkedRole.Description`.
	Description *string `json:"description"`
}

Properties for defining an `AWS::IAM::ServiceLinkedRole`.

type CfnUser

type CfnUser interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AttrArn() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	Groups() *[]*string
	SetGroups(val *[]*string)
	LogicalId() *string
	LoginProfile() interface{}
	SetLoginProfile(val interface{})
	ManagedPolicyArns() *[]*string
	SetManagedPolicyArns(val *[]*string)
	Node() constructs.Node
	Path() *string
	SetPath(val *string)
	PermissionsBoundary() *string
	SetPermissionsBoundary(val *string)
	Policies() interface{}
	SetPolicies(val interface{})
	Ref() *string
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	UpdatedProperites() *map[string]interface{}
	UserName() *string
	SetUserName(val *string)
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::User`.

func NewCfnUser

func NewCfnUser(scope constructs.Construct, id *string, props *CfnUserProps) CfnUser

Create a new `AWS::IAM::User`.

type CfnUserProps

type CfnUserProps struct {
	// `AWS::IAM::User.Groups`.
	Groups *[]*string `json:"groups"`
	// `AWS::IAM::User.LoginProfile`.
	LoginProfile interface{} `json:"loginProfile"`
	// `AWS::IAM::User.ManagedPolicyArns`.
	ManagedPolicyArns *[]*string `json:"managedPolicyArns"`
	// `AWS::IAM::User.Path`.
	Path *string `json:"path"`
	// `AWS::IAM::User.PermissionsBoundary`.
	PermissionsBoundary *string `json:"permissionsBoundary"`
	// `AWS::IAM::User.Policies`.
	Policies interface{} `json:"policies"`
	// `AWS::IAM::User.Tags`.
	Tags *[]*awscdk.CfnTag `json:"tags"`
	// `AWS::IAM::User.UserName`.
	UserName *string `json:"userName"`
}

Properties for defining an `AWS::IAM::User`.

type CfnUserToGroupAddition

type CfnUserToGroupAddition interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	GroupName() *string
	SetGroupName(val *string)
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	Stack() awscdk.Stack
	UpdatedProperites() *map[string]interface{}
	Users() *[]*string
	SetUsers(val *[]*string)
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::UserToGroupAddition`.

func NewCfnUserToGroupAddition

func NewCfnUserToGroupAddition(scope constructs.Construct, id *string, props *CfnUserToGroupAdditionProps) CfnUserToGroupAddition

Create a new `AWS::IAM::UserToGroupAddition`.

type CfnUserToGroupAdditionProps

type CfnUserToGroupAdditionProps struct {
	// `AWS::IAM::UserToGroupAddition.GroupName`.
	GroupName *string `json:"groupName"`
	// `AWS::IAM::UserToGroupAddition.Users`.
	Users *[]*string `json:"users"`
}

Properties for defining an `AWS::IAM::UserToGroupAddition`.

type CfnUser_LoginProfileProperty

type CfnUser_LoginProfileProperty struct {
	// `CfnUser.LoginProfileProperty.Password`.
	Password *string `json:"password"`
	// `CfnUser.LoginProfileProperty.PasswordResetRequired`.
	PasswordResetRequired interface{} `json:"passwordResetRequired"`
}

type CfnUser_PolicyProperty

type CfnUser_PolicyProperty struct {
	// `CfnUser.PolicyProperty.PolicyDocument`.
	PolicyDocument interface{} `json:"policyDocument"`
	// `CfnUser.PolicyProperty.PolicyName`.
	PolicyName *string `json:"policyName"`
}

type CfnVirtualMFADevice

type CfnVirtualMFADevice interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AttrSerialNumber() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	Path() *string
	SetPath(val *string)
	Ref() *string
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	UpdatedProperites() *map[string]interface{}
	Users() *[]*string
	SetUsers(val *[]*string)
	VirtualMfaDeviceName() *string
	SetVirtualMfaDeviceName(val *string)
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}

A CloudFormation `AWS::IAM::VirtualMFADevice`.

func NewCfnVirtualMFADevice

func NewCfnVirtualMFADevice(scope constructs.Construct, id *string, props *CfnVirtualMFADeviceProps) CfnVirtualMFADevice

Create a new `AWS::IAM::VirtualMFADevice`.

type CfnVirtualMFADeviceProps

type CfnVirtualMFADeviceProps struct {
	// `AWS::IAM::VirtualMFADevice.Users`.
	Users *[]*string `json:"users"`
	// `AWS::IAM::VirtualMFADevice.Path`.
	Path *string `json:"path"`
	// `AWS::IAM::VirtualMFADevice.Tags`.
	Tags *[]*awscdk.CfnTag `json:"tags"`
	// `AWS::IAM::VirtualMFADevice.VirtualMfaDeviceName`.
	VirtualMfaDeviceName *string `json:"virtualMfaDeviceName"`
}

Properties for defining an `AWS::IAM::VirtualMFADevice`.

type CommonGrantOptions

type CommonGrantOptions struct {
	// The actions to grant.
	// Experimental.
	Actions *[]*string `json:"actions"`
	// The principal to grant to.
	// Experimental.
	Grantee IGrantable `json:"grantee"`
	// The resource ARNs to grant to.
	// Experimental.
	ResourceArns *[]*string `json:"resourceArns"`
}

Basic options for a grant operation. Experimental.

type CompositeDependable

type CompositeDependable interface {
	constructs.IDependable
}

Composite dependable.

Not as simple as eagerly getting the dependency roots from the inner dependables: they may be mutable, so the query has to be deferred. Experimental.

func NewCompositeDependable

func NewCompositeDependable(dependables ...constructs.IDependable) CompositeDependable

Experimental.

type CompositePrincipal

type CompositePrincipal interface {
	PrincipalBase
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddPrincipals(principals ...PrincipalBase) CompositePrincipal
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

Represents a principal made up of multiple principals, e.g. several ServicePrincipals that together form one composite principal.

A composite principal cannot have conditions. Experimental.

func NewCompositePrincipal

func NewCompositePrincipal(principals ...PrincipalBase) CompositePrincipal

Experimental.

type Effect

type Effect string

The Effect element of an IAM policy. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html

Experimental.

const (
	Effect_ALLOW Effect = "ALLOW"
	Effect_DENY  Effect = "DENY"
)

type FederatedPrincipal

type FederatedPrincipal interface {
	PrincipalBase
	AssumeRoleAction() *string
	Conditions() *map[string]interface{}
	Federated() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

Principal entity that represents a federated identity provider such as Amazon Cognito, which can be used to provide temporary security credentials to users who have been authenticated.

Additional condition keys are available when the temporary security credentials are used to make a request. You can use these keys to write policies that limit the access of federated users. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif

Experimental.

func NewFederatedPrincipal

func NewFederatedPrincipal(federated *string, conditions *map[string]interface{}, assumeRoleAction *string) FederatedPrincipal

Experimental.

type FromRoleArnOptions

type FromRoleArnOptions struct {
	// For immutable roles: add grants to resources instead of dropping them.
	//
	// If this is `false` or not specified, grant permissions added to this role are ignored.
	// It is your own responsibility to make sure the role has the required permissions.
	//
	// If this is `true`, any grant permissions will be added to the resource instead.
	// Experimental.
	AddGrantsToResources *bool `json:"addGrantsToResources"`
	// Whether the imported role can be modified by attaching policy resources to it.
	// Experimental.
	Mutable *bool `json:"mutable"`
}

Options for customizing the behavior of `Role.fromRoleArn`. Experimental.

type Grant

type Grant interface {
	constructs.IDependable
	PrincipalStatement() PolicyStatement
	ResourceStatement() PolicyStatement
	Success() *bool
	ApplyBefore(constructs ...constructs.IConstruct)
	AssertSuccess()
}

Result of a grant() operation.

This class is not instantiable by consumers on purpose, so that they will be required to call the Grant factory functions. Experimental.

func Grant_AddToPrincipal

func Grant_AddToPrincipal(options *GrantOnPrincipalOptions) Grant

Try to grant the given permissions to the given principal.

Absence of a principal leads to a warning, but failing to add the permissions to a present principal is not an error. Experimental.

func Grant_AddToPrincipalAndResource

func Grant_AddToPrincipalAndResource(options *GrantOnPrincipalAndResourceOptions) Grant

Add a grant both on the principal and on the resource.

As long as any principal is given, granting on the principal may fail (in case of a non-identity principal), but granting on the resource will never fail.

The resulting statement will be the resource statement. Experimental.

func Grant_AddToPrincipalOrResource

func Grant_AddToPrincipalOrResource(options *GrantWithResourceOptions) Grant

Grant the given permissions to the principal.

The permissions will be added to the principal policy primarily, falling back to the resource policy if necessary. The permissions must be granted somewhere.

  • Trying to grant permissions to a principal that does not admit adding to the principal policy while not providing a resource with a resource policy is an error.
  • Trying to grant permissions to an absent principal (possible in the case of imported resources) leads to a warning being added to the resource construct.

Experimental.

func Grant_Drop

func Grant_Drop(grantee IGrantable, _intent *string) Grant

Returns a "no-op" `Grant` object which represents a "dropped grant".

This can be used for e.g. imported resources where you may not be able to modify the resource's policy or some underlying policy which you don't know about. Experimental.
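The fallback rules spelled out for `Grant_AddToPrincipal` and `Grant_AddToPrincipalOrResource` above, worked through as an added stand-alone model in plain Go; this is not the awsiam package's code, and `Statement`, `Principal`, `identity`, `immutableRole`, `Resource` and the two `addTo...` functions are simplified stand-ins for `PolicyStatement`, `IPrincipal`, an imported role with `Mutable` set to false, `IResourceWithPolicy` and the `Grant_*` factories.

```go
package main

import (
	"errors"
	"fmt"
)

// Statement is a simplified policy statement; Effect is implicitly Allow.
type Statement struct {
	Actions   []string
	Resources []string
	Principal string // set only when the statement lives in a resource policy
}

// Principal stands in for IPrincipal. AddToPrincipalPolicy reports whether the
// statement was really attached; an immutable imported role returns false.
type Principal interface {
	Name() string
	AddToPrincipalPolicy(s Statement) bool
}

// identity is a mutable identity principal such as a Role or User.
type identity struct {
	name     string
	Attached []Statement
}

func (p *identity) Name() string { return p.name }
func (p *identity) AddToPrincipalPolicy(s Statement) bool {
	p.Attached = append(p.Attached, s)
	return true
}

// immutableRole models a role imported with Mutable=false: grants are ignored.
type immutableRole struct{ name string }

func (p *immutableRole) Name() string                         { return p.name }
func (p *immutableRole) AddToPrincipalPolicy(Statement) bool { return false }

// Resource stands in for IResourceWithPolicy; a resource policy never rejects.
type Resource struct {
	Arn    string
	Policy []Statement
}

func (r *Resource) AddToResourcePolicy(s Statement) { r.Policy = append(r.Policy, s) }

// Grant mirrors the Grant interface on this page: which statement was produced
// and whether the permissions ended up anywhere. Warnings stand in for the
// annotations CDK attaches to the scope construct.
type Grant struct {
	PrincipalStatement *Statement
	ResourceStatement  *Statement
	Success            bool
	Warnings           []string
}

// addToPrincipal follows Grant_AddToPrincipal: an absent principal only warns,
// and a principal that silently drops the statement is not an error.
func addToPrincipal(grantee Principal, actions, resourceArns []string) Grant {
	var g Grant
	if grantee == nil {
		g.Warnings = append(g.Warnings, "grant skipped: principal is absent")
		return g
	}
	s := Statement{Actions: actions, Resources: resourceArns}
	if grantee.AddToPrincipalPolicy(s) {
		g.PrincipalStatement = &s
		g.Success = true
	}
	return g
}

// addToPrincipalOrResource follows Grant_AddToPrincipalOrResource: prefer the
// principal policy, fall back to the resource policy (res may be nil), and
// return an error when the permissions could not be granted anywhere.
func addToPrincipalOrResource(grantee Principal, actions, resourceArns []string, res *Resource) (Grant, error) {
	g := addToPrincipal(grantee, actions, resourceArns)
	if g.Success || grantee == nil {
		return g, nil // granted, or absent principal: warning only
	}
	if res == nil {
		return g, errors.New("principal does not admit policy additions and no resource policy was given")
	}
	s := Statement{Actions: actions, Resources: resourceArns, Principal: grantee.Name()}
	res.AddToResourcePolicy(s)
	g.ResourceStatement = &s
	g.Success = true
	return g, nil
}

func main() {
	bucket := &Resource{Arn: "arn:aws:s3:::example-bucket"} // constructed sample ARN
	objects := []string{bucket.Arn + "/*"}
	for _, p := range []Principal{&identity{name: "AppRole"}, &immutableRole{name: "ImportedRole"}} {
		g, _ := addToPrincipalOrResource(p, []string{"s3:GetObject"}, objects, bucket)
		fmt.Printf("%-12s principal=%v resource=%v\n", p.Name(), g.PrincipalStatement != nil, g.ResourceStatement != nil)
	}
	_, err := addToPrincipalOrResource(&immutableRole{name: "ImportedRole"}, []string{"s3:GetObject"}, objects, nil)
	fmt.Println("no resource policy:", err)
}
```

The mutable role receives the statement in its own policy, the immutable imported role pushes it into the bucket policy, and an immutable role with no resource policy to fall back on is the error case the docs describe.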

type GrantOnPrincipalAndResourceOptions

type GrantOnPrincipalAndResourceOptions struct {
	// The actions to grant.
	// Experimental.
	Actions *[]*string `json:"actions"`
	// The principal to grant to.
	// Experimental.
	Grantee IGrantable `json:"grantee"`
	// The resource ARNs to grant to.
	// Experimental.
	ResourceArns *[]*string `json:"resourceArns"`
	// The resource with a resource policy.
	//
	// The statement will always be added to the resource policy.
	// Experimental.
	Resource IResourceWithPolicy `json:"resource"`
	// The principal to use in the statement for the resource policy.
	// Experimental.
	ResourcePolicyPrincipal IPrincipal `json:"resourcePolicyPrincipal"`
	// When referring to the resource in a resource policy, use this as ARN.
	//
	// (Depending on the resource type, this needs to be '*' in a resource policy).
	// Experimental.
	ResourceSelfArns *[]*string `json:"resourceSelfArns"`
}

Options for a grant operation to both identity and resource. Experimental.

type GrantOnPrincipalOptions

type GrantOnPrincipalOptions struct {
	// The actions to grant.
	// Experimental.
	Actions *[]*string `json:"actions"`
	// The principal to grant to.
	// Experimental.
	Grantee IGrantable `json:"grantee"`
	// The resource ARNs to grant to.
	// Experimental.
	ResourceArns *[]*string `json:"resourceArns"`
	// Construct to report warnings on in case grant could not be registered.
	// Experimental.
	Scope constructs.IConstruct `json:"scope"`
}

Options for a grant operation that only applies to principals. Experimental.

type GrantWithResourceOptions

type GrantWithResourceOptions struct {
	// The actions to grant.
	// Experimental.
	Actions *[]*string `json:"actions"`
	// The principal to grant to.
	// Experimental.
	Grantee IGrantable `json:"grantee"`
	// The resource ARNs to grant to.
	// Experimental.
	ResourceArns *[]*string `json:"resourceArns"`
	// The resource with a resource policy.
	//
	// The statement will be added to the resource policy if it couldn't be
	// added to the principal policy.
	// Experimental.
	Resource IResourceWithPolicy `json:"resource"`
	// When referring to the resource in a resource policy, use this as ARN.
	//
	// (Depending on the resource type, this needs to be '*' in a resource policy).
	// Experimental.
	ResourceSelfArns *[]*string `json:"resourceSelfArns"`
}

Options for a grant operation. Experimental.

type Group

type Group interface {
	awscdk.Resource
	IGroup
	AssumeRoleAction() *string
	Env() *awscdk.ResourceEnvironment
	GrantPrincipal() IPrincipal
	GroupArn() *string
	GroupName() *string
	Node() constructs.Node
	PhysicalName() *string
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	Stack() awscdk.Stack
	AddManagedPolicy(policy IManagedPolicy)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	AddUser(user IUser)
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	AttachInlinePolicy(policy Policy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}

An IAM Group (collection of IAM users) lets you specify permissions for multiple users, which can make it easier to manage permissions for those users. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

Experimental.

func NewGroup

func NewGroup(scope constructs.Construct, id *string, props *GroupProps) Group

Experimental.

type GroupProps

type GroupProps struct {
	// A name for the IAM group.
	//
	// For valid values, see the GroupName parameter
	// for the CreateGroup action in the IAM API Reference. If you don't specify
	// a name, AWS CloudFormation generates a unique physical ID and uses that
	// ID for the group name.
	//
	// If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
	// acknowledge your template's capabilities. For more information, see
	// Acknowledging IAM Resources in AWS CloudFormation Templates.
	// Experimental.
	GroupName *string `json:"groupName"`
	// A list of managed policies associated with this role.
	//
	// You can add managed policies later using
	// `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
	// Experimental.
	ManagedPolicies *[]IManagedPolicy `json:"managedPolicies"`
	// The path to the group.
	//
	// For more information about paths, see [IAM
	// Identifiers](http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?Using_Identifiers.html)
	// in the IAM User Guide.
	// Experimental.
	Path *string `json:"path"`
}

Properties for defining an IAM group. Experimental.

type IGrantable

type IGrantable interface {
	// The principal to grant permissions to.
	// Experimental.
	GrantPrincipal() IPrincipal
}

Any object that has an associated principal that a permission can be granted to. Experimental.

type IGroup

type IGroup interface {
	IIdentity
	// Returns the IAM Group ARN.
	// Experimental.
	GroupArn() *string
	// Returns the IAM Group Name.
	// Experimental.
	GroupName() *string
}

Represents an IAM Group. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

Experimental.

func Group_FromGroupArn

func Group_FromGroupArn(scope constructs.Construct, id *string, groupArn *string) IGroup

Import an external group by ARN.

If the imported Group ARN is a Token (such as a `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced group has a `path` (like `arn:...:group/AdminGroup/NetworkAdmin`), the `groupName` property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Group ARN should be supplied without the `path` in order to resolve the correct group resource. Experimental.

type IIdentity

type IIdentity interface {
	IPrincipal
	awscdk.IResource
	// Attaches a managed policy to this principal.
	// Experimental.
	AddManagedPolicy(policy IManagedPolicy)
	// Attaches an inline policy to this principal.
	//
	// This is the same as calling `policy.addToXxx(principal)`.
	// Experimental.
	AttachInlinePolicy(policy Policy)
}

A construct that represents an IAM principal, such as a user, group or role. Experimental.

type IManagedPolicy

type IManagedPolicy interface {
	// The ARN of the managed policy.
	// Experimental.
	ManagedPolicyArn() *string
}

A managed policy. Experimental.

func ManagedPolicy_FromAwsManagedPolicyName

func ManagedPolicy_FromAwsManagedPolicyName(managedPolicyName *string) IManagedPolicy

Import a managed policy from one of the policies that AWS manages.

For this managed policy, you only need to know the name to be able to use it.

Some managed policy names start with "service-role/", some start with "job-function/", and some don't start with anything. Include the prefix when constructing this object. Experimental.

func ManagedPolicy_FromManagedPolicyArn

func ManagedPolicy_FromManagedPolicyArn(scope constructs.Construct, id *string, managedPolicyArn *string) IManagedPolicy

Import an external managed policy by ARN.

For this managed policy, you only need to know the ARN to be able to use it. This can be useful if you got the ARN from a CloudFormation Export.

If the imported Managed Policy ARN is a Token (such as a `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced managed policy has a `path` (like `arn:...:policy/AdminPolicy/AdminAllow`), the `managedPolicyName` property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Managed Policy ARN should be supplied without the `path` in order to resolve the correct managed policy resource. Experimental.

func ManagedPolicy_FromManagedPolicyName

func ManagedPolicy_FromManagedPolicyName(scope constructs.Construct, id *string, managedPolicyName *string) IManagedPolicy

Import a customer managed policy from the managedPolicyName.

For this managed policy, you only need to know the name to be able to use it. Experimental.

type IOpenIdConnectProvider

type IOpenIdConnectProvider interface {
	awscdk.IResource
	// The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.
	// Experimental.
	OpenIdConnectProviderArn() *string
	// The issuer for OIDC Provider.
	// Experimental.
	OpenIdConnectProviderIssuer() *string
}

Represents an IAM OpenID Connect provider. Experimental.

func OpenIdConnectProvider_FromOpenIdConnectProviderArn

func OpenIdConnectProvider_FromOpenIdConnectProviderArn(scope constructs.Construct, id *string, openIdConnectProviderArn *string) IOpenIdConnectProvider

Imports an OpenID Connect provider from an ARN. Experimental.

type IPolicy

type IPolicy interface {
	awscdk.IResource
	// The name of this policy.
	// Experimental.
	PolicyName() *string
}

Represents an IAM Policy. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html

Experimental.

func Policy_FromPolicyName

func Policy_FromPolicyName(scope constructs.Construct, id *string, policyName *string) IPolicy

Import a policy in this app based on its name. Experimental.

type IPrincipal

type IPrincipal interface {
	IGrantable
	// Add to the policy of this principal.
	// Experimental.
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	// When this Principal is used in an AssumeRole policy, the action to use.
	// Experimental.
	AssumeRoleAction() *string
	// Return the policy fragment that identifies this principal in a Policy.
	// Experimental.
	PolicyFragment() PrincipalPolicyFragment
	// The AWS account ID of this principal.
	//
	// Can be undefined when the account is not known
	// (for example, for service principals).
	// Can be a Token - in that case,
	// it's assumed to be AWS::AccountId.
	// Experimental.
	PrincipalAccount() *string
}

Represents a logical IAM principal.

An IPrincipal describes a logical entity that can perform AWS API calls against sets of resources, optionally under certain conditions.

Examples of simple principals are IAM objects that you create, such as Users or Roles.

An example of a more complex principal is a `ServicePrincipal` (such as `new ServicePrincipal("sns.amazonaws.com")`, which represents the Simple Notification Service).

A single logical Principal may also map to a set of physical principals. For example, `new OrganizationPrincipal('o-1234')` represents all identities that are part of the given AWS Organization. Experimental.

type IResourceWithPolicy

type IResourceWithPolicy interface {
	awscdk.IResource
	// Add a statement to the resource's resource policy.
	// Experimental.
	AddToResourcePolicy(statement PolicyStatement) *AddToResourcePolicyResult
}

A resource with a resource policy that can be added to. Experimental.

type IRole

type IRole interface {
	IIdentity
	// Grant the actions defined in actions to the identity Principal on this resource.
	// Experimental.
	Grant(grantee IPrincipal, actions ...*string) Grant
	// Grant permissions to the given principal to pass this role.
	// Experimental.
	GrantPassRole(grantee IPrincipal) Grant
	// Returns the ARN of this role.
	// Experimental.
	RoleArn() *string
	// Returns the name of this role.
	// Experimental.
	RoleName() *string
}

A Role object. Experimental.

func Role_FromRoleArn

func Role_FromRoleArn(scope constructs.Construct, id *string, roleArn *string, options *FromRoleArnOptions) IRole

Import an external role by ARN.

If the imported Role ARN is a Token (such as a `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced role has a `path` (like `arn:...:role/AdminRoles/Alice`), the `roleName` property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the `path` in order to resolve the correct role resource. Experimental.

type ISamlProvider

type ISamlProvider interface {
	awscdk.IResource
	// The Amazon Resource Name (ARN) of the provider.
	// Experimental.
	SamlProviderArn() *string
}

A SAML provider. Experimental.

func SamlProvider_FromSamlProviderArn

func SamlProvider_FromSamlProviderArn(scope constructs.Construct, id *string, samlProviderArn *string) ISamlProvider

Import an existing provider. Experimental.

type IUser

type IUser interface {
	IIdentity
	// Adds this user to a group.
	// Experimental.
	AddToGroup(group IGroup)
	// The user's ARN.
	// Experimental.
	UserArn() *string
	// The user's name.
	// Experimental.
	UserName() *string
}

Represents an IAM user. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html

Experimental.

func User_FromUserArn

func User_FromUserArn(scope constructs.Construct, id *string, userArn *string) IUser

Import an existing user given a user ARN.

If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail. Experimental.

func User_FromUserAttributes

func User_FromUserAttributes(scope constructs.Construct, id *string, attrs *UserAttributes) IUser

Import an existing user given user attributes.

If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail. Experimental.
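The Token-plus-path caveat repeated above for groups, managed policies, roles and users comes down to how the friendly name is extracted from the ARN. The following is an added example in plain Go (not code from this package or the CDK), using constructed ARNs: it parses an IAM ARN into account, type, path and name; models the first-path-component resolution the docs describe (an assumed model of the described behaviour, not the library's implementation); and offers a pre-synthesis check that flags ARNs whose path would make a token import resolve the name to a different entity than the one intended.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// IAMResource holds the parts of an IAM ARN that matter for name resolution.
type IAMResource struct {
	Account      string // "123456789012"
	ResourceType string // "role", "group", "user" or "policy"
	Path         string // "/" when there is no path, otherwise e.g. "/AdminRoles/"
	Name         string // the friendly name, e.g. "Alice"
}

// ParseIAMArn splits an IAM ARN such as
// arn:aws:iam::123456789012:role/AdminRoles/Alice into its parts.
// IAM is a global service, so the region field (parts[3]) is empty.
func ParseIAMArn(arn string) (IAMResource, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return IAMResource{}, errors.New("not an IAM ARN: " + arn)
	}
	typeAndRest := strings.SplitN(parts[5], "/", 2)
	if len(typeAndRest) != 2 || typeAndRest[1] == "" {
		return IAMResource{}, errors.New("IAM ARN has no resource name: " + arn)
	}
	r := IAMResource{Account: parts[4], ResourceType: typeAndRest[0]}
	rest := typeAndRest[1]
	if i := strings.LastIndex(rest, "/"); i >= 0 {
		r.Path = "/" + rest[:i+1]
		r.Name = rest[i+1:]
	} else {
		r.Path = "/"
		r.Name = rest
	}
	if r.Name == "" {
		return IAMResource{}, errors.New("IAM ARN ends in a path separator: " + arn)
	}
	return r, nil
}

// TokenResolvedName models what the docs above say happens when the ARN is a
// CloudFormation token: the name resolves to the first path component after
// the resource type, not to the full friendly name. (Assumed model of the
// described behaviour, not the library's own code.)
func TokenResolvedName(arn string) string {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 {
		return ""
	}
	typeAndRest := strings.SplitN(parts[5], "/", 2)
	if len(typeAndRest) != 2 {
		return ""
	}
	return strings.SplitN(typeAndRest[1], "/", 2)[0]
}

// CheckImportSafe returns an error when passing this ARN as a token would
// make the resolved name point at a different IAM entity than the one the
// ARN names, which is the failure mode the import functions warn about.
func CheckImportSafe(arn string) error {
	r, err := ParseIAMArn(arn)
	if err != nil {
		return err
	}
	if got := TokenResolvedName(arn); got != r.Name {
		return fmt.Errorf("%s %q has path %q: a token import would resolve the name to %q, not %q",
			r.ResourceType, r.Name, r.Path, got, r.Name)
	}
	return nil
}

func main() {
	// Constructed sample ARNs (not real accounts).
	for _, arn := range []string{
		"arn:aws:iam::123456789012:role/Alice",
		"arn:aws:iam::123456789012:role/AdminRoles/Alice",
		"arn:aws:iam::123456789012:group/AdminGroup/NetworkAdmin",
	} {
		if err := CheckImportSafe(arn); err != nil {
			fmt.Println("UNSAFE:", err)
		} else {
			fmt.Println("ok:    ", arn)
		}
	}
}
```

Running `CheckImportSafe` over the ARNs you intend to feed through a `CfnParameter` or `Fn.importValue()` before synthesis turns the silent mismatch into a build-time failure; for ARNs with a path, the docs' advice applies, which is to import without the path or to pass the name explicitly.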

func User_FromUserName

func User_FromUserName(scope constructs.Construct, id *string, userName *string) IUser

Import an existing user given a username. Experimental.

type LazyRole

type LazyRole interface {
	awscdk.Resource
	IRole
	AssumeRoleAction() *string
	Env() *awscdk.ResourceEnvironment
	GrantPrincipal() IPrincipal
	Node() constructs.Node
	PhysicalName() *string
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	RoleArn() *string
	RoleId() *string
	RoleName() *string
	Stack() awscdk.Stack
	AddManagedPolicy(policy IManagedPolicy)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	AttachInlinePolicy(policy Policy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	Grant(identity IPrincipal, actions ...*string) Grant
	GrantPassRole(identity IPrincipal) Grant
	ToString() *string
}

An IAM role that only gets attached to the construct tree once it gets used, not before.

This construct can be used to simplify logic in other constructs which need to create a role but only if certain configurations occur (such as when AutoScaling is configured). The role can be configured in one place, but if it never gets used it doesn't get instantiated and will not be synthesized or deployed. Experimental.

func NewLazyRole

func NewLazyRole(scope constructs.Construct, id *string, props *LazyRoleProps) LazyRole

Experimental.

type LazyRoleProps

type LazyRoleProps struct {
	// The IAM principal (i.e. `new ServicePrincipal('sns.amazonaws.com')`) which can assume this role.
	//
	// You can later modify the assume role policy document by accessing it via
	// the `assumeRolePolicy` property.
	// Experimental.
	AssumedBy IPrincipal `json:"assumedBy"`
	// A description of the role.
	//
	// It can be up to 1000 characters long.
	// Experimental.
	Description *string `json:"description"`
	// List of IDs that the role assumer needs to provide one of when assuming this role.
	//
	// If the configured and provided external IDs do not match, the
	// AssumeRole operation will fail.
	// Experimental.
	ExternalIds *[]*string `json:"externalIds"`
	// A list of named policies to inline into this role.
	//
	// These policies will be
	// created with the role, whereas those added by `addToPolicy` are added
	// using a separate CloudFormation resource (allowing a way around circular
	// dependencies that could otherwise be introduced).
	// Experimental.
	InlinePolicies *map[string]PolicyDocument `json:"inlinePolicies"`
	// A list of managed policies associated with this role.
	//
	// You can add managed policies later using
	// `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
	// Experimental.
	ManagedPolicies *[]IManagedPolicy `json:"managedPolicies"`
	// The maximum session duration that you want to set for the specified role.
	//
	// This setting can have a value from 1 hour (3600sec) to 12 hours (43200sec).
	//
	// Anyone who assumes the role from the AWS CLI or API can use the
	// DurationSeconds API parameter or the duration-seconds CLI parameter to
	// request a longer session. The MaxSessionDuration setting determines the
	// maximum duration that can be requested using the DurationSeconds
	// parameter.
	//
	// If users don't specify a value for the DurationSeconds parameter, their
	// security credentials are valid for one hour by default. This applies when
	// you use the AssumeRole* API operations or the assume-role* CLI operations
	// but does not apply when you use those operations to create a console URL.
	// Experimental.
	MaxSessionDuration awscdk.Duration `json:"maxSessionDuration"`
	// The path associated with this role.
	//
	// For information about IAM paths, see
	// Friendly Names and Paths in IAM User Guide.
	// Experimental.
	Path *string `json:"path"`
	// AWS supports permissions boundaries for IAM entities (users or roles).
	//
	// A permissions boundary is an advanced feature for using a managed policy
	// to set the maximum permissions that an identity-based policy can grant to
	// an IAM entity. An entity's permissions boundary allows it to perform only
	// the actions that are allowed by both its identity-based policies and its
	// permissions boundaries.
	// Experimental.
	PermissionsBoundary IManagedPolicy `json:"permissionsBoundary"`
	// A name for the IAM role.
	//
	// For valid values, see the RoleName parameter for
	// the CreateRole action in the IAM API Reference.
	//
	// IMPORTANT: If you specify a name, you cannot perform updates that require
	// replacement of this resource. You can perform updates that require no or
	// some interruption. If you must replace the resource, specify a new name.
	//
	// If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
	// acknowledge your template's capabilities. For more information, see
	// Acknowledging IAM Resources in AWS CloudFormation Templates.
	// Experimental.
	RoleName *string `json:"roleName"`
}

Properties for defining a LazyRole. Experimental.

type ManagedPolicy

type ManagedPolicy interface {
	awscdk.Resource
	IManagedPolicy
	Description() *string
	Document() PolicyDocument
	Env() *awscdk.ResourceEnvironment
	ManagedPolicyArn() *string
	ManagedPolicyName() *string
	Node() constructs.Node
	Path() *string
	PhysicalName() *string
	Stack() awscdk.Stack
	AddStatements(statement ...PolicyStatement)
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	AttachToGroup(group IGroup)
	AttachToRole(role IRole)
	AttachToUser(user IUser)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}

Managed policy. Experimental.

func NewManagedPolicy

func NewManagedPolicy(scope constructs.Construct, id *string, props *ManagedPolicyProps) ManagedPolicy

Experimental.

type ManagedPolicyProps

type ManagedPolicyProps struct {
	// A description of the managed policy.
	//
	// Typically used to store information about the
	// permissions defined in the policy. For example, "Grants access to production DynamoDB tables."
	// The policy description is immutable. After a value is assigned, it cannot be changed.
	// Experimental.
	Description *string `json:"description"`
	// Initial PolicyDocument to use for this ManagedPolicy.
	//
	// If omitted, any
	// `PolicyStatement` provided in the `statements` property will be applied
	// against the empty default `PolicyDocument`.
	// Experimental.
	Document PolicyDocument `json:"document"`
	// Groups to attach this policy to.
	//
	// You can also use `attachToGroup(group)` to attach this policy to a group.
	// Experimental.
	Groups *[]IGroup `json:"groups"`
	// The name of the managed policy.
	//
	// If you specify multiple policies for an entity,
	// specify unique names. For example, if you specify a list of policies for
	// an IAM role, each policy must have a unique name.
	// Experimental.
	ManagedPolicyName *string `json:"managedPolicyName"`
	// The path for the policy.
	//
	// This parameter allows (through its regex pattern) a string of characters
	// consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes.
	// In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F),
	// including most punctuation characters, digits, and upper and lowercased letters.
	//
	// For more information about paths, see IAM Identifiers in the IAM User Guide.
	// Experimental.
	Path *string `json:"path"`
	// Roles to attach this policy to.
	//
	// You can also use `attachToRole(role)` to attach this policy to a role.
	// Experimental.
	Roles *[]IRole `json:"roles"`
	// Initial set of permissions to add to this policy document.
	//
	// You can also use `addStatements(...statement)` to add permissions later.
	// Experimental.
	Statements *[]PolicyStatement `json:"statements"`
	// Users to attach this policy to.
	//
	// You can also use `attachToUser(user)` to attach this policy to a user.
	// Experimental.
	Users *[]IUser `json:"users"`
}

Properties for defining an IAM managed policy. Experimental.

type OpenIdConnectPrincipal

type OpenIdConnectPrincipal interface {
	WebIdentityPrincipal
	AssumeRoleAction() *string
	Conditions() *map[string]interface{}
	Federated() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

A principal that represents a federated identity from an OpenID Connect provider. Experimental.

func NewOpenIdConnectPrincipal

func NewOpenIdConnectPrincipal(openIdConnectProvider IOpenIdConnectProvider, conditions *map[string]interface{}) OpenIdConnectPrincipal

Experimental.

type OpenIdConnectProvider

type OpenIdConnectProvider interface {
	awscdk.Resource
	IOpenIdConnectProvider
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	OpenIdConnectProviderArn() *string
	OpenIdConnectProviderIssuer() *string
	PhysicalName() *string
	Stack() awscdk.Stack
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}

IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce.

You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

Experimental.

func NewOpenIdConnectProvider

func NewOpenIdConnectProvider(scope constructs.Construct, id *string, props *OpenIdConnectProviderProps) OpenIdConnectProvider

Defines an OpenID Connect provider. Experimental.

type OpenIdConnectProviderProps

type OpenIdConnectProviderProps struct {
	// The URL of the identity provider.
	//
	// The URL must begin with https:// and
	// should correspond to the iss claim in the provider's OpenID Connect ID
	// tokens. Per the OIDC standard, path components are allowed but query
	// parameters are not. Typically the URL consists of only a hostname, like
	// https://server.example.org or https://example.com.
	//
	// You cannot register the same provider multiple times in a single AWS
	// account. If you try to submit a URL that has already been used for an
	// OpenID Connect provider in the AWS account, you will get an error.
	// Experimental.
	Url *string `json:"url"`
	// A list of client IDs (also known as audiences).
	//
	// When a mobile or web app
	// registers with an OpenID Connect provider, they establish a value that
	// identifies the application. (This is the value that's sent as the client_id
	// parameter on OAuth requests.)
	//
	// You can register multiple client IDs with the same provider. For example,
	// you might have multiple applications that use the same OIDC provider. You
	// cannot register more than 100 client IDs with a single IAM OIDC provider.
	//
	// Client IDs are up to 255 characters long.
	// Experimental.
	ClientIds *[]*string `json:"clientIds"`
	// A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates.
	//
	// Typically this list includes only one entry. However, IAM lets you have up
	// to five thumbprints for an OIDC provider. This lets you maintain multiple
	// thumbprints if the identity provider is rotating certificates.
	//
	// The server certificate thumbprint is the hex-encoded SHA-1 hash value of
	// the X.509 certificate used by the domain where the OpenID Connect provider
	// makes its keys available. It is always a 40-character string.
	//
	// You must provide at least one thumbprint when creating an IAM OIDC
	// provider. For example, assume that the OIDC provider is server.example.com
	// and the provider stores its keys at
	// https://keys.server.example.com/openid-connect. In that case, the
	// thumbprint string would be the hex-encoded SHA-1 hash value of the
	// certificate used by https://keys.server.example.com.
	// Experimental.
	Thumbprints *[]*string `json:"thumbprints"`
}

Initialization properties for `OpenIdConnectProvider`. Experimental.
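The `Thumbprints` field above defines the value as the hex-encoded SHA-1 of the X.509 certificate used by the host where the provider publishes its keys. As an added example (not code from this package), the Go block below computes that thumbprint from a DER or PEM certificate and checks its shape before it goes into a template. Because it has to run offline, it generates a throwaway self-signed certificate for a constructed host name instead of fetching a real TLS chain; in practice the input is the certificate presented by the keys host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Thumbprint returns the IAM OIDC provider thumbprint of a DER-encoded X.509
// certificate: the hex-encoded SHA-1 of the raw certificate bytes (40 hex digits).
func Thumbprint(der []byte) string {
	sum := sha1.Sum(der)
	return hex.EncodeToString(sum[:])
}

// ThumbprintFromPEM parses the certificate first, so a malformed or
// non-certificate block is rejected instead of silently hashed.
func ThumbprintFromPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("input does not contain a CERTIFICATE PEM block")
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return "", fmt.Errorf("not a valid X.509 certificate: %w", err)
	}
	return Thumbprint(block.Bytes), nil
}

// ValidThumbprint checks the shape IAM expects before the value goes into a
// template: exactly 40 hex digits.
func ValidThumbprint(tp string) bool {
	if len(tp) != 40 {
		return false
	}
	_, err := hex.DecodeString(tp)
	return err == nil
}

// SelfSignedCert builds a throwaway certificate for the given host so the
// example runs offline. Constructed sample: a real provider's certificate
// would be taken from the TLS chain of the host serving its keys.
func SelfSignedCert(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := SelfSignedCert("keys.server.example.com")
	if err != nil {
		panic(err)
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	tp, err := ThumbprintFromPEM(pemBytes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("thumbprint for keys.server.example.com: %s (valid=%v)\n", tp, ValidThumbprint(tp))
}
```

Since the field accepts up to five thumbprints, a certificate rotation at the provider can be handled by adding the new thumbprint alongside the old one and removing the old one afterwards, rather than by a single swap that breaks federation in between.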

type OrganizationPrincipal

type OrganizationPrincipal interface {
	PrincipalBase
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	OrganizationId() *string
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

A principal that represents an AWS Organization. Experimental.

func NewOrganizationPrincipal

func NewOrganizationPrincipal(organizationId *string) OrganizationPrincipal

Experimental.

type PermissionsBoundary

type PermissionsBoundary interface {
	Apply(boundaryPolicy IManagedPolicy)
	Clear()
}

Modify the Permissions Boundaries of Users and Roles in a construct tree.

TODO: EXAMPLE

Experimental.

func PermissionsBoundary_Of

func PermissionsBoundary_Of(scope constructs.IConstruct) PermissionsBoundary

Access the Permissions Boundaries of a construct tree. Experimental.

type Policy

type Policy interface {
	awscdk.Resource
	IPolicy
	Document() PolicyDocument
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	PolicyName() *string
	Stack() awscdk.Stack
	AddStatements(statement ...PolicyStatement)
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	AttachToGroup(group IGroup)
	AttachToRole(role IRole)
	AttachToUser(user IUser)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}

The AWS::IAM::Policy resource associates an IAM policy with IAM users, roles, or groups.

For more information about IAM policies, see [Overview of IAM Policies](http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html) in the IAM User Guide. Experimental.

func NewPolicy

func NewPolicy(scope constructs.Construct, id *string, props *PolicyProps) Policy

Experimental.

type PolicyDocument

type PolicyDocument interface {
	awscdk.IResolvable
	CreationStack() *[]*string
	IsEmpty() *bool
	StatementCount() *float64
	AddStatements(statement ...PolicyStatement)
	Resolve(context awscdk.IResolveContext) interface{}
	ToJSON() interface{}
	ToString() *string
	ValidateForAnyPolicy() *[]*string
	ValidateForIdentityPolicy() *[]*string
	ValidateForResourcePolicy() *[]*string
}

A PolicyDocument is a collection of statements. Experimental.

func NewPolicyDocument

func NewPolicyDocument(props *PolicyDocumentProps) PolicyDocument

Experimental.

func PolicyDocument_FromJson

func PolicyDocument_FromJson(obj interface{}) PolicyDocument

Creates a new PolicyDocument based on the object provided.

This will accept an object created from the `.toJSON()` call. Experimental.

type PolicyDocumentProps

type PolicyDocumentProps struct {
	// Automatically assign Statement Ids to all statements.
	// Experimental.
	AssignSids *bool `json:"assignSids"`
	// Initial statements to add to the policy document.
	// Experimental.
	Statements *[]PolicyStatement `json:"statements"`
}

Properties for a new PolicyDocument. Experimental.

type PolicyProps

type PolicyProps struct {
	// Initial PolicyDocument to use for this Policy.
	//
	// If omitted, any
	// `PolicyStatement` provided in the `statements` property will be applied
	// against the empty default `PolicyDocument`.
	// Experimental.
	Document PolicyDocument `json:"document"`
	// Force creation of an `AWS::IAM::Policy`.
	//
	// Unless set to `true`, this `Policy` construct will not materialize to an
	// `AWS::IAM::Policy` CloudFormation resource in case it would have no effect
	// (for example, if it remains unattached to an IAM identity or if it has no
	// statements). This is generally desired behavior, since it prevents
	// creating invalid--and hence undeployable--CloudFormation templates.
	//
	// In cases where you know the policy must be created and it is actually
	// an error if no statements have been added to it, you can set this to `true`.
	// Experimental.
	Force *bool `json:"force"`
	// Groups to attach this policy to.
	//
	// You can also use `attachToGroup(group)` to attach this policy to a group.
	// Experimental.
	Groups *[]IGroup `json:"groups"`
	// The name of the policy.
	//
	// If you specify multiple policies for an entity,
	// specify unique names. For example, if you specify a list of policies for
	// an IAM role, each policy must have a unique name.
	// Experimental.
	PolicyName *string `json:"policyName"`
	// Roles to attach this policy to.
	//
	// You can also use `attachToRole(role)` to attach this policy to a role.
	// Experimental.
	Roles *[]IRole `json:"roles"`
	// Initial set of permissions to add to this policy document.
	//
	// You can also use `addStatements(...statement)` to add permissions later.
	// Experimental.
	Statements *[]PolicyStatement `json:"statements"`
	// Users to attach this policy to.
	//
	// You can also use `attachToUser(user)` to attach this policy to a user.
	// Experimental.
	Users *[]IUser `json:"users"`
}

Properties for defining an IAM inline policy document. Experimental.

type PolicyStatement

type PolicyStatement interface {
	Effect() Effect
	SetEffect(val Effect)
	HasPrincipal() *bool
	HasResource() *bool
	Sid() *string
	SetSid(val *string)
	AddAccountCondition(accountId *string)
	AddAccountRootPrincipal()
	AddActions(actions ...*string)
	AddAllResources()
	AddAnyPrincipal()
	AddArnPrincipal(arn *string)
	AddAwsAccountPrincipal(accountId *string)
	AddCanonicalUserPrincipal(canonicalUserId *string)
	AddCondition(key *string, value interface{})
	AddConditions(conditions *map[string]interface{})
	AddFederatedPrincipal(federated interface{}, conditions *map[string]interface{})
	AddNotActions(notActions ...*string)
	AddNotPrincipals(notPrincipals ...IPrincipal)
	AddNotResources(arns ...*string)
	AddPrincipals(principals ...IPrincipal)
	AddResources(arns ...*string)
	AddServicePrincipal(service *string, opts *ServicePrincipalOpts)
	ToJSON() interface{}
	ToStatementJson() interface{}
	ToString() *string
	ValidateForAnyPolicy() *[]*string
	ValidateForIdentityPolicy() *[]*string
	ValidateForResourcePolicy() *[]*string
}

Represents a statement in an IAM policy document. Experimental.

func NewPolicyStatement

func NewPolicyStatement(props *PolicyStatementProps) PolicyStatement

Experimental.

func PolicyStatement_FromJson

func PolicyStatement_FromJson(obj interface{}) PolicyStatement

Creates a new PolicyStatement based on the object provided.

This will accept an object created from the `.toJSON()` call. Experimental.

type PolicyStatementProps

type PolicyStatementProps struct {
	// List of actions to add to the statement.
	// Experimental.
	Actions *[]*string `json:"actions"`
	// Conditions to add to the statement.
	// Experimental.
	Conditions *map[string]interface{} `json:"conditions"`
	// Whether to allow or deny the actions in this statement.
	// Experimental.
	Effect Effect `json:"effect"`
	// List of not actions to add to the statement.
	// Experimental.
	NotActions *[]*string `json:"notActions"`
	// List of not principals to add to the statement.
	// Experimental.
	NotPrincipals *[]IPrincipal `json:"notPrincipals"`
	// NotResource ARNs to add to the statement.
	// Experimental.
	NotResources *[]*string `json:"notResources"`
	// List of principals to add to the statement.
	// Experimental.
	Principals *[]IPrincipal `json:"principals"`
	// Resource ARNs to add to the statement.
	// Experimental.
	Resources *[]*string `json:"resources"`
	// The Sid (statement ID) is an optional identifier that you provide for the policy statement.
	//
	// You can assign a Sid value to each statement in a
	// statement array. In services that let you specify an ID element, such as
	// SQS and SNS, the Sid value is just a sub-ID of the policy document's ID. In
	// IAM, the Sid value must be unique within a JSON policy.
	// Experimental.
	Sid *string `json:"sid"`
}

Interface for creating a policy statement. Experimental.
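`PolicyStatement` and `PolicyDocument` above each expose `ValidateForAnyPolicy`, `ValidateForIdentityPolicy` and `ValidateForResourcePolicy`, but the listing does not say what they check. The block below is an added, dependency-free Go model (not this package's code) that makes the distinction concrete: an identity-based statement must not carry a principal and must name resources, a resource-based statement must carry a principal, and, per the `Sid` description above, Sids must be unique within one document. The exact rules are my assumption about what the validators enforce; the sample statements, account id and bucket name are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type Effect string

const Allow, Deny Effect = "Allow", "Deny"

// Statement is a minimal model of a PolicyStatement; the JSON tags give the
// shape IAM expects in a policy document.
type Statement struct {
	Sid        string              `json:"Sid,omitempty"`
	Effect     Effect              `json:"Effect"`
	Actions    []string            `json:"Action,omitempty"`
	NotActions []string            `json:"NotAction,omitempty"`
	Resources  []string            `json:"Resource,omitempty"`
	Principals map[string][]string `json:"Principal,omitempty"`
}

// ValidateForAnyPolicy: every statement needs an action or a notAction.
func (s Statement) ValidateForAnyPolicy() (errs []string) {
	if len(s.Actions) == 0 && len(s.NotActions) == 0 {
		errs = append(errs, "must specify at least one action or notAction")
	}
	return errs
}

// ValidateForIdentityPolicy: a statement attached to a user, group or role
// already applies to that identity, so it must not name a principal, and it
// has to say which resources it covers.
func (s Statement) ValidateForIdentityPolicy() []string {
	errs := s.ValidateForAnyPolicy()
	if len(s.Principals) > 0 {
		errs = append(errs, "identity-based statement must not specify a principal")
	}
	if len(s.Resources) == 0 {
		errs = append(errs, "identity-based statement must specify at least one resource")
	}
	return errs
}

// ValidateForResourcePolicy: a resource policy statement is meaningless
// without saying who it applies to.
func (s Statement) ValidateForResourcePolicy() []string {
	errs := s.ValidateForAnyPolicy()
	if len(s.Principals) == 0 {
		errs = append(errs, "resource-based statement must specify at least one principal")
	}
	return errs
}

// Document is the PolicyDocument counterpart.
type Document struct {
	Version    string      `json:"Version"`
	Statements []Statement `json:"Statement"`
}

func NewDocument(stmts ...Statement) Document {
	return Document{Version: "2012-10-17", Statements: stmts}
}

// validate runs a per-statement check and adds the document-level rule:
// within an IAM policy, Sids must be unique.
func (d Document) validate(check func(Statement) []string) []string {
	var errs []string
	seen := map[string]bool{}
	for i, s := range d.Statements {
		for _, e := range check(s) {
			errs = append(errs, fmt.Sprintf("statement %d: %s", i, e))
		}
		if s.Sid != "" && seen[s.Sid] {
			errs = append(errs, fmt.Sprintf("statement %d: duplicate Sid %q", i, s.Sid))
		}
		seen[s.Sid] = true
	}
	return errs
}

func (d Document) ValidateForIdentityPolicy() []string { return d.validate(Statement.ValidateForIdentityPolicy) }
func (d Document) ValidateForResourcePolicy() []string { return d.validate(Statement.ValidateForResourcePolicy) }

// ToJSON renders the document in the shape an IAM policy expects.
func (d Document) ToJSON() (string, error) {
	b, err := json.MarshalIndent(d, "", "  ")
	return string(b), err
}

// Constructed sample statements (no real account or bucket).
func IdentityStatement() Statement {
	return Statement{Sid: "ReadReports", Effect: Allow,
		Actions: []string{"s3:GetObject"}, Resources: []string{"arn:aws:s3:::example-reports/*"}}
}

func ResourceStatement() Statement {
	s := IdentityStatement()
	s.Sid = "AllowPartnerAccount"
	s.Principals = map[string][]string{"AWS": {"arn:aws:iam::123456789012:root"}}
	return s
}

func main() {
	doc := NewDocument(IdentityStatement(), ResourceStatement())
	fmt.Println("identity-policy errors:", doc.ValidateForIdentityPolicy())
	fmt.Println("resource-policy errors:", doc.ValidateForResourcePolicy())
}
```

The same `Statement` is valid in one policy type and invalid in the other, which is why the `Grant` path described earlier distinguishes between adding a statement to the principal's policy and adding it to the resource's policy: the document shape, not just the target, changes.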

type PrincipalBase

type PrincipalBase interface {
	IPrincipal
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

Base class for policy principals. Experimental.

type PrincipalPolicyFragment

type PrincipalPolicyFragment interface {
	Conditions() *map[string]interface{}
	PrincipalJson() *map[string]*[]*string
}

A collection of the fields in a PolicyStatement that can be used to identify a principal.

This consists of the JSON used in the "Principal" field, and optionally a set of "Condition"s that need to be applied to the policy.

Generally, a principal looks like:

{ '<TYPE>': ['ID', 'ID', ...] }

And this is also the type of the field `principalJson`. However, there is a special type of principal that is just the string '*', which is treated differently by some services. To represent that principal, `principalJson` should contain `{ 'LiteralString': ['*'] }`. Experimental.

func NewPrincipalPolicyFragment

func NewPrincipalPolicyFragment(principalJson *map[string]*[]*string, conditions *map[string]interface{}) PrincipalPolicyFragment

Experimental.

type PrincipalWithConditions

type PrincipalWithConditions interface {
	IPrincipal
	AssumeRoleAction() *string
	Conditions() *map[string]interface{}
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddCondition(key *string, value interface{})
	AddConditions(conditions *map[string]interface{})
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
}

An IAM principal with additional conditions specifying when the policy is in effect.

For more information about conditions, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html Experimental.

func NewPrincipalWithConditions

func NewPrincipalWithConditions(principal IPrincipal, conditions *map[string]interface{}) PrincipalWithConditions

Experimental.

type Role

type Role interface {
	awscdk.Resource
	IRole
	AssumeRoleAction() *string
	AssumeRolePolicy() PolicyDocument
	Env() *awscdk.ResourceEnvironment
	GrantPrincipal() IPrincipal
	Node() constructs.Node
	PermissionsBoundary() IManagedPolicy
	PhysicalName() *string
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	RoleArn() *string
	RoleId() *string
	RoleName() *string
	Stack() awscdk.Stack
	AddManagedPolicy(policy IManagedPolicy)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	AttachInlinePolicy(policy Policy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	Grant(grantee IPrincipal, actions ...*string) Grant
	GrantPassRole(identity IPrincipal) Grant
	ToString() *string
	WithoutPolicyUpdates(options *WithoutPolicyUpdatesOptions) IRole
}

IAM Role.

Defines an IAM role. The role is created with an assume policy document associated with the specified AWS service principal defined in `serviceAssumeRole`. Experimental.

func NewRole

func NewRole(scope constructs.Construct, id *string, props *RoleProps) Role

Experimental.

type RoleProps

type RoleProps struct {
	// The IAM principal (e.g. `new ServicePrincipal('sns.amazonaws.com')`) which can assume this role.
	//
	// You can later modify the assume role policy document by accessing it via
	// the `assumeRolePolicy` property.
	// Experimental.
	AssumedBy IPrincipal `json:"assumedBy"`
	// A description of the role.
	//
	// It can be up to 1000 characters long.
	// Experimental.
	Description *string `json:"description"`
	// List of IDs that the role assumer needs to provide one of when assuming this role.
	//
	// If the configured and provided external IDs do not match, the
	// AssumeRole operation will fail.
	// Experimental.
	ExternalIds *[]*string `json:"externalIds"`
	// A list of named policies to inline into this role.
	//
	// These policies will be
	// created with the role, whereas those added by `addToPolicy` are added
	// using a separate CloudFormation resource (allowing a way around circular
	// dependencies that could otherwise be introduced).
	// Experimental.
	InlinePolicies *map[string]PolicyDocument `json:"inlinePolicies"`
	// A list of managed policies associated with this role.
	//
	// You can add managed policies later using
	// `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
	// Experimental.
	ManagedPolicies *[]IManagedPolicy `json:"managedPolicies"`
	// The maximum session duration that you want to set for the specified role.
	//
	// This setting can have a value from 1 hour (3600 seconds) to 12 hours (43200 seconds).
	//
	// Anyone who assumes the role from the AWS CLI or API can use the
	// DurationSeconds API parameter or the duration-seconds CLI parameter to
	// request a longer session. The MaxSessionDuration setting determines the
	// maximum duration that can be requested using the DurationSeconds
	// parameter.
	//
	// If users don't specify a value for the DurationSeconds parameter, their
	// security credentials are valid for one hour by default. This applies when
	// you use the AssumeRole* API operations or the assume-role* CLI operations
	// but does not apply when you use those operations to create a console URL.
	// Experimental.
	MaxSessionDuration awscdk.Duration `json:"maxSessionDuration"`
	// The path associated with this role.
	//
	// For information about IAM paths, see
	// Friendly Names and Paths in IAM User Guide.
	// Experimental.
	Path *string `json:"path"`
	// AWS supports permissions boundaries for IAM entities (users or roles).
	//
	// A permissions boundary is an advanced feature for using a managed policy
	// to set the maximum permissions that an identity-based policy can grant to
	// an IAM entity. An entity's permissions boundary allows it to perform only
	// the actions that are allowed by both its identity-based policies and its
	// permissions boundaries.
	// Experimental.
	PermissionsBoundary IManagedPolicy `json:"permissionsBoundary"`
	// A name for the IAM role.
	//
	// For valid values, see the RoleName parameter for
	// the CreateRole action in the IAM API Reference.
	//
	// IMPORTANT: If you specify a name, you cannot perform updates that require
	// replacement of this resource. You can perform updates that require no or
	// some interruption. If you must replace the resource, specify a new name.
	//
	// If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
	// acknowledge your template's capabilities. For more information, see
	// Acknowledging IAM Resources in AWS CloudFormation Templates.
	// Experimental.
	RoleName *string `json:"roleName"`
}

Properties for defining an IAM Role. Experimental.

type SamlConsolePrincipal

type SamlConsolePrincipal interface {
	SamlPrincipal
	AssumeRoleAction() *string
	Conditions() *map[string]interface{}
	Federated() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

Principal entity that represents a SAML federated identity provider for programmatic and AWS Management Console access. Experimental.

func NewSamlConsolePrincipal

func NewSamlConsolePrincipal(samlProvider ISamlProvider, conditions *map[string]interface{}) SamlConsolePrincipal

Experimental.

type SamlMetadataDocument

type SamlMetadataDocument interface {
	Xml() *string
}

A SAML metadata document. Experimental.

func SamlMetadataDocument_FromFile

func SamlMetadataDocument_FromFile(path *string) SamlMetadataDocument

Create a SAML metadata document from an XML file. Experimental.

func SamlMetadataDocument_FromXml

func SamlMetadataDocument_FromXml(xml *string) SamlMetadataDocument

Create a SAML metadata document from an XML string. Experimental.

type SamlPrincipal

type SamlPrincipal interface {
	FederatedPrincipal
	AssumeRoleAction() *string
	Conditions() *map[string]interface{}
	Federated() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

Principal entity that represents a SAML federated identity provider. Experimental.

func NewSamlPrincipal

func NewSamlPrincipal(samlProvider ISamlProvider, conditions *map[string]interface{}) SamlPrincipal

Experimental.

type SamlProvider

type SamlProvider interface {
	awscdk.Resource
	ISamlProvider
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	SamlProviderArn() *string
	Stack() awscdk.Stack
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}

A SAML provider. Experimental.

func NewSamlProvider

func NewSamlProvider(scope constructs.Construct, id *string, props *SamlProviderProps) SamlProvider

Experimental.

type SamlProviderProps

type SamlProviderProps struct {
	// An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.
	// Experimental.
	MetadataDocument SamlMetadataDocument `json:"metadataDocument"`
	// The name of the provider to create.
	//
	// This parameter allows a string of characters consisting of upper and
	// lowercase alphanumeric characters with no spaces. You can also include
	// any of the following characters: _+=,.@-
	//
	// Length must be between 1 and 128 characters.
	// Experimental.
	Name *string `json:"name"`
}

Properties for a SAML provider. Experimental.

type ServicePrincipal

type ServicePrincipal interface {
	PrincipalBase
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	Service() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

An IAM principal that represents an AWS service (e.g. sqs.amazonaws.com). Experimental.

func NewServicePrincipal

func NewServicePrincipal(service *string, opts *ServicePrincipalOpts) ServicePrincipal

Experimental.

type ServicePrincipalOpts

type ServicePrincipalOpts struct {
	// Additional conditions to add to the Service Principal.
	// Experimental.
	Conditions *map[string]interface{} `json:"conditions"`
	// The region in which the service is operating.
	// Experimental.
	Region *string `json:"region"`
}

Options for a service principal. Experimental.

type StarPrincipal

type StarPrincipal interface {
	PrincipalBase
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

A principal that uses a literal '*' in the IAM JSON language.

Some services behave differently when you specify `Principal: "*"` or `Principal: { AWS: "*" }` in their resource policy.

`StarPrincipal` renders to `Principal: *`. Most of the time, you should use `AnyPrincipal` instead. Experimental.
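As an added example (not the CDK's own code), the Go program below mirrors how a `PrincipalPolicyFragment`'s `principalJson` and conditions, described above, render into a statement's `Principal` and `Condition` elements, including the `{ 'LiteralString': ['*'] }` special case behind `StarPrincipal` versus `AnyPrincipal`'s `{ AWS: "*" }`, and flags the unconditioned wildcard principals a policy reviewer would want to catch. The `PrincipalFragment` type, the helper functions and the sample fragments are all constructed here and are not the library's types.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PrincipalFragment is a stand-in (not the CDK type) for the two fields of
// PrincipalPolicyFragment: the "Principal" JSON and the conditions it needs.
type PrincipalFragment struct {
	PrincipalJson map[string][]string
	Conditions    map[string]interface{}
}

// RenderPrincipal turns PrincipalJson into the value of the "Principal"
// element. {"LiteralString": ["*"]} renders to the bare string "*" (the
// StarPrincipal case); anything else renders to {"<TYPE>": [ids...]}.
func RenderPrincipal(pj map[string][]string) interface{} {
	if ids, ok := pj["LiteralString"]; ok && len(pj) == 1 && len(ids) == 1 && ids[0] == "*" {
		return "*"
	}
	out := make(map[string]interface{}, len(pj))
	for typ, ids := range pj {
		out[typ] = ids
	}
	return out
}

// StatementJSON renders an Allow statement for the given actions carrying the
// fragment's principal and, when present, its conditions. encoding/json sorts
// map keys, so the output is deterministic.
func StatementJSON(f PrincipalFragment, actions []string) (string, error) {
	st := map[string]interface{}{
		"Effect":    "Allow",
		"Action":    actions,
		"Principal": RenderPrincipal(f.PrincipalJson),
	}
	if len(f.Conditions) > 0 {
		st["Condition"] = f.Conditions
	}
	b, err := json.Marshal(st)
	return string(b), err
}

// IsUnconditionedWildcard reports whether the fragment grants to everyone:
// either Principal "*" or Principal {"AWS": ["*"]} with no Condition attached.
func IsUnconditionedWildcard(f PrincipalFragment) bool {
	if len(f.Conditions) > 0 {
		return false
	}
	if RenderPrincipal(f.PrincipalJson) == "*" {
		return true
	}
	aws, ok := f.PrincipalJson["AWS"]
	return ok && len(aws) == 1 && aws[0] == "*"
}

func main() {
	// Constructed sample fragments: star, any, and a conditioned service principal.
	star := PrincipalFragment{PrincipalJson: map[string][]string{"LiteralString": {"*"}}}
	any := PrincipalFragment{PrincipalJson: map[string][]string{"AWS": {"*"}}}
	svc := PrincipalFragment{
		PrincipalJson: map[string][]string{"Service": {"sqs.amazonaws.com"}},
		Conditions:    map[string]interface{}{"StringEquals": map[string]string{"aws:SourceAccount": "123456789012"}},
	}
	for _, f := range []PrincipalFragment{star, any, svc} {
		s, _ := StatementJSON(f, []string{"sts:AssumeRole"})
		fmt.Printf("wildcard=%v %s\n", IsUnconditionedWildcard(f), s)
	}
}
```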

func NewStarPrincipal

func NewStarPrincipal() StarPrincipal

Experimental.

type UnknownPrincipal

type UnknownPrincipal interface {
	IPrincipal
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
}

A principal for use in resources that need to have a role but whose role is unknown.

Some resources have roles associated with them which they assume, such as Lambda Functions, CodeBuild projects, StepFunctions machines, etc.

When those resources are imported, their actual roles are not always imported with them. When that happens, we use an instance of this class instead, which emits a user warning whenever a statement is added to it. Experimental.

func NewUnknownPrincipal

func NewUnknownPrincipal(props *UnknownPrincipalProps) UnknownPrincipal

Experimental.

type UnknownPrincipalProps

type UnknownPrincipalProps struct {
	// The resource the role proxy is for.
	// Experimental.
	Resource constructs.IConstruct `json:"resource"`
}

Properties for an UnknownPrincipal. Experimental.

type User

type User interface {
	awscdk.Resource
	IIdentity
	IUser
	AssumeRoleAction() *string
	Env() *awscdk.ResourceEnvironment
	GrantPrincipal() IPrincipal
	Node() constructs.Node
	PermissionsBoundary() IManagedPolicy
	PhysicalName() *string
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	Stack() awscdk.Stack
	UserArn() *string
	UserName() *string
	AddManagedPolicy(policy IManagedPolicy)
	AddToGroup(group IGroup)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	AttachInlinePolicy(policy Policy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}

Define a new IAM user. Experimental.

func NewUser

func NewUser(scope constructs.Construct, id *string, props *UserProps) User

Experimental.

type UserAttributes

type UserAttributes struct {
	// The ARN of the user.
	//
	// Format: arn:<partition>:iam::<account-id>:user/<user-name-with-path>
	// Experimental.
	UserArn *string `json:"userArn"`
}

Represents a user defined outside of this stack. Experimental.

type UserProps

type UserProps struct {
	// Groups to add this user to.
	//
	// You can also use `addToGroup` to add this
	// user to a group.
	// Experimental.
	Groups *[]IGroup `json:"groups"`
	// A list of managed policies associated with this user.
	//
	// You can add managed policies later using
	// `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
	// Experimental.
	ManagedPolicies *[]IManagedPolicy `json:"managedPolicies"`
	// The password for the user. This is required so the user can access the AWS Management Console.
	//
	// You can use `SecretValue.plainText` to specify a password in plain text or
	// use `secretsmanager.Secret.fromSecretAttributes` to reference a secret in
	// Secrets Manager.
	// Experimental.
	Password awscdk.SecretValue `json:"password"`
	// Specifies whether the user is required to set a new password the next time the user logs in to the AWS Management Console.
	//
	// If this is set to 'true', you must also specify "initialPassword".
	// Experimental.
	PasswordResetRequired *bool `json:"passwordResetRequired"`
	// The path for the user name.
	//
	// For more information about paths, see IAM
	// Identifiers in the IAM User Guide.
	// Experimental.
	Path *string `json:"path"`
	// AWS supports permissions boundaries for IAM entities (users or roles).
	//
	// A permissions boundary is an advanced feature for using a managed policy
	// to set the maximum permissions that an identity-based policy can grant to
	// an IAM entity. An entity's permissions boundary allows it to perform only
	// the actions that are allowed by both its identity-based policies and its
	// permissions boundaries.
	// Experimental.
	PermissionsBoundary IManagedPolicy `json:"permissionsBoundary"`
	// A name for the IAM user.
	//
	// For valid values, see the UserName parameter for
	// the CreateUser action in the IAM API Reference. If you don't specify a
	// name, AWS CloudFormation generates a unique physical ID and uses that ID
	// for the user name.
	//
	// If you specify a name, you cannot perform updates that require
	// replacement of this resource. You can perform updates that require no or
	// some interruption. If you must replace the resource, specify a new name.
	//
	// If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
	// acknowledge your template's capabilities. For more information, see
	// Acknowledging IAM Resources in AWS CloudFormation Templates.
	// Experimental.
	UserName *string `json:"userName"`
}

Properties for defining an IAM user. Experimental.

type WebIdentityPrincipal

type WebIdentityPrincipal interface {
	FederatedPrincipal
	AssumeRoleAction() *string
	Conditions() *map[string]interface{}
	Federated() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) IPrincipal
}

A principal that represents a federated identity provider acting as a web identity, such as Cognito, Amazon, Facebook, Google, etc. Experimental.

func NewWebIdentityPrincipal

func NewWebIdentityPrincipal(identityProvider *string, conditions *map[string]interface{}) WebIdentityPrincipal

Experimental.

type WithoutPolicyUpdatesOptions

type WithoutPolicyUpdatesOptions struct {
	// Add grants to resources instead of dropping them.
	//
	// If this is `false` or not specified, grant permissions added to this role are ignored.
	// It is your own responsibility to make sure the role has the required permissions.
	//
	// If this is `true`, any grant permissions will be added to the resource instead.
	// Experimental.
	AddGrantsToResources *bool `json:"addGrantsToResources"`
}

Options for the `withoutPolicyUpdates()` modifier of a Role. Experimental.
