Documentation ¶
Index ¶
- func AccessKey_IsConstruct(x interface{}) *bool
- func AccessKey_IsResource(construct constructs.IConstruct) *bool
- func CfnAccessKey_CFN_RESOURCE_TYPE_NAME() *string
- func CfnAccessKey_IsCfnElement(x interface{}) *bool
- func CfnAccessKey_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnAccessKey_IsConstruct(x interface{}) *bool
- func CfnGroup_CFN_RESOURCE_TYPE_NAME() *string
- func CfnGroup_IsCfnElement(x interface{}) *bool
- func CfnGroup_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnGroup_IsConstruct(x interface{}) *bool
- func CfnInstanceProfile_CFN_RESOURCE_TYPE_NAME() *string
- func CfnInstanceProfile_IsCfnElement(x interface{}) *bool
- func CfnInstanceProfile_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnInstanceProfile_IsConstruct(x interface{}) *bool
- func CfnManagedPolicy_CFN_RESOURCE_TYPE_NAME() *string
- func CfnManagedPolicy_IsCfnElement(x interface{}) *bool
- func CfnManagedPolicy_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnManagedPolicy_IsConstruct(x interface{}) *bool
- func CfnOIDCProvider_CFN_RESOURCE_TYPE_NAME() *string
- func CfnOIDCProvider_IsCfnElement(x interface{}) *bool
- func CfnOIDCProvider_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnOIDCProvider_IsConstruct(x interface{}) *bool
- func CfnPolicy_CFN_RESOURCE_TYPE_NAME() *string
- func CfnPolicy_IsCfnElement(x interface{}) *bool
- func CfnPolicy_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnPolicy_IsConstruct(x interface{}) *bool
- func CfnRole_CFN_RESOURCE_TYPE_NAME() *string
- func CfnRole_IsCfnElement(x interface{}) *bool
- func CfnRole_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnRole_IsConstruct(x interface{}) *bool
- func CfnSAMLProvider_CFN_RESOURCE_TYPE_NAME() *string
- func CfnSAMLProvider_IsCfnElement(x interface{}) *bool
- func CfnSAMLProvider_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnSAMLProvider_IsConstruct(x interface{}) *bool
- func CfnServerCertificate_CFN_RESOURCE_TYPE_NAME() *string
- func CfnServerCertificate_IsCfnElement(x interface{}) *bool
- func CfnServerCertificate_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnServerCertificate_IsConstruct(x interface{}) *bool
- func CfnServiceLinkedRole_CFN_RESOURCE_TYPE_NAME() *string
- func CfnServiceLinkedRole_IsCfnElement(x interface{}) *bool
- func CfnServiceLinkedRole_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnServiceLinkedRole_IsConstruct(x interface{}) *bool
- func CfnUserToGroupAddition_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUserToGroupAddition_IsCfnElement(x interface{}) *bool
- func CfnUserToGroupAddition_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnUserToGroupAddition_IsConstruct(x interface{}) *bool
- func CfnUser_CFN_RESOURCE_TYPE_NAME() *string
- func CfnUser_IsCfnElement(x interface{}) *bool
- func CfnUser_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnUser_IsConstruct(x interface{}) *bool
- func CfnVirtualMFADevice_CFN_RESOURCE_TYPE_NAME() *string
- func CfnVirtualMFADevice_IsCfnElement(x interface{}) *bool
- func CfnVirtualMFADevice_IsCfnResource(construct constructs.IConstruct) *bool
- func CfnVirtualMFADevice_IsConstruct(x interface{}) *bool
- func Group_IsConstruct(x interface{}) *bool
- func Group_IsResource(construct constructs.IConstruct) *bool
- func LazyRole_IsConstruct(x interface{}) *bool
- func LazyRole_IsResource(construct constructs.IConstruct) *bool
- func ManagedPolicy_IsConstruct(x interface{}) *bool
- func ManagedPolicy_IsResource(construct constructs.IConstruct) *bool
- func NewAccessKey_Override(a AccessKey, scope constructs.Construct, id *string, props *AccessKeyProps)
- func NewAccountPrincipal_Override(a AccountPrincipal, accountId interface{})
- func NewAccountRootPrincipal_Override(a AccountRootPrincipal)
- func NewAnyPrincipal_Override(a AnyPrincipal)
- func NewArnPrincipal_Override(a ArnPrincipal, arn *string)
- func NewCanonicalUserPrincipal_Override(c CanonicalUserPrincipal, canonicalUserId *string)
- func NewCfnAccessKey_Override(c CfnAccessKey, scope constructs.Construct, id *string, ...)
- func NewCfnGroup_Override(c CfnGroup, scope constructs.Construct, id *string, props *CfnGroupProps)
- func NewCfnInstanceProfile_Override(c CfnInstanceProfile, scope constructs.Construct, id *string, ...)
- func NewCfnManagedPolicy_Override(c CfnManagedPolicy, scope constructs.Construct, id *string, ...)
- func NewCfnOIDCProvider_Override(c CfnOIDCProvider, scope constructs.Construct, id *string, ...)
- func NewCfnPolicy_Override(c CfnPolicy, scope constructs.Construct, id *string, props *CfnPolicyProps)
- func NewCfnRole_Override(c CfnRole, scope constructs.Construct, id *string, props *CfnRoleProps)
- func NewCfnSAMLProvider_Override(c CfnSAMLProvider, scope constructs.Construct, id *string, ...)
- func NewCfnServerCertificate_Override(c CfnServerCertificate, scope constructs.Construct, id *string, ...)
- func NewCfnServiceLinkedRole_Override(c CfnServiceLinkedRole, scope constructs.Construct, id *string, ...)
- func NewCfnUserToGroupAddition_Override(c CfnUserToGroupAddition, scope constructs.Construct, id *string, ...)
- func NewCfnUser_Override(c CfnUser, scope constructs.Construct, id *string, props *CfnUserProps)
- func NewCfnVirtualMFADevice_Override(c CfnVirtualMFADevice, scope constructs.Construct, id *string, ...)
- func NewCompositeDependable_Override(c CompositeDependable, dependables ...constructs.IDependable)
- func NewCompositePrincipal_Override(c CompositePrincipal, principals ...IPrincipal)
- func NewFederatedPrincipal_Override(f FederatedPrincipal, federated *string, conditions *map[string]interface{}, ...)
- func NewGroup_Override(g Group, scope constructs.Construct, id *string, props *GroupProps)
- func NewLazyRole_Override(l LazyRole, scope constructs.Construct, id *string, props *LazyRoleProps)
- func NewManagedPolicy_Override(m ManagedPolicy, scope constructs.Construct, id *string, ...)
- func NewOpenIdConnectPrincipal_Override(o OpenIdConnectPrincipal, openIdConnectProvider IOpenIdConnectProvider, ...)
- func NewOpenIdConnectProvider_Override(o OpenIdConnectProvider, scope constructs.Construct, id *string, ...)
- func NewOrganizationPrincipal_Override(o OrganizationPrincipal, organizationId *string)
- func NewPolicyDocument_Override(p PolicyDocument, props *PolicyDocumentProps)
- func NewPolicyStatement_Override(p PolicyStatement, props *PolicyStatementProps)
- func NewPolicy_Override(p Policy, scope constructs.Construct, id *string, props *PolicyProps)
- func NewPrincipalBase_Override(p PrincipalBase)
- func NewPrincipalPolicyFragment_Override(p PrincipalPolicyFragment, principalJson *map[string]*[]*string, ...)
- func NewPrincipalWithConditions_Override(p PrincipalWithConditions, principal IPrincipal, ...)
- func NewRole_Override(r Role, scope constructs.Construct, id *string, props *RoleProps)
- func NewSamlConsolePrincipal_Override(s SamlConsolePrincipal, samlProvider ISamlProvider, ...)
- func NewSamlMetadataDocument_Override(s SamlMetadataDocument)
- func NewSamlPrincipal_Override(s SamlPrincipal, samlProvider ISamlProvider, ...)
- func NewSamlProvider_Override(s SamlProvider, scope constructs.Construct, id *string, ...)
- func NewServicePrincipal_Override(s ServicePrincipal, service *string, opts *ServicePrincipalOpts)
- func NewSessionTagsPrincipal_Override(s SessionTagsPrincipal, principal IPrincipal)
- func NewStarPrincipal_Override(s StarPrincipal)
- func NewUnknownPrincipal_Override(u UnknownPrincipal, props *UnknownPrincipalProps)
- func NewUser_Override(u User, scope constructs.Construct, id *string, props *UserProps)
- func NewWebIdentityPrincipal_Override(w WebIdentityPrincipal, identityProvider *string, ...)
- func OpenIdConnectProvider_IsConstruct(x interface{}) *bool
- func OpenIdConnectProvider_IsResource(construct constructs.IConstruct) *bool
- func Policy_IsConstruct(x interface{}) *bool
- func Policy_IsResource(construct constructs.IConstruct) *bool
- func Role_IsConstruct(x interface{}) *bool
- func Role_IsResource(construct constructs.IConstruct) *bool
- func SamlProvider_IsConstruct(x interface{}) *bool
- func SamlProvider_IsResource(construct constructs.IConstruct) *bool
- func User_IsConstruct(x interface{}) *bool
- func User_IsResource(construct constructs.IConstruct) *bool
- type AccessKey
- type AccessKeyProps
- type AccessKeyStatus
- type AccountPrincipal
- type AccountRootPrincipal
- type AddToPrincipalPolicyResult
- type AddToResourcePolicyResult
- type AnyPrincipal
- type ArnPrincipal
- type CanonicalUserPrincipal
- type CfnAccessKey
- type CfnAccessKeyProps
- type CfnGroup
- type CfnGroupProps
- type CfnGroup_PolicyProperty
- type CfnInstanceProfile
- type CfnInstanceProfileProps
- type CfnManagedPolicy
- type CfnManagedPolicyProps
- type CfnOIDCProvider
- type CfnOIDCProviderProps
- type CfnPolicy
- type CfnPolicyProps
- type CfnRole
- type CfnRoleProps
- type CfnRole_PolicyProperty
- type CfnSAMLProvider
- type CfnSAMLProviderProps
- type CfnServerCertificate
- type CfnServerCertificateProps
- type CfnServiceLinkedRole
- type CfnServiceLinkedRoleProps
- type CfnUser
- type CfnUserProps
- type CfnUserToGroupAddition
- type CfnUserToGroupAdditionProps
- type CfnUser_LoginProfileProperty
- type CfnUser_PolicyProperty
- type CfnVirtualMFADevice
- type CfnVirtualMFADeviceProps
- type CommonGrantOptions
- type CompositeDependable
- type CompositePrincipal
- type Effect
- type FederatedPrincipal
- type FromRoleArnOptions
- type Grant
- type GrantOnPrincipalAndResourceOptions
- type GrantOnPrincipalOptions
- type GrantWithResourceOptions
- type Group
- type GroupProps
- type IAccessKey
- type IAssumeRolePrincipal
- type IGrantable
- type IGroup
- type IIdentity
- type IManagedPolicy
- func ManagedPolicy_FromAwsManagedPolicyName(managedPolicyName *string) IManagedPolicy
- func ManagedPolicy_FromManagedPolicyArn(scope constructs.Construct, id *string, managedPolicyArn *string) IManagedPolicy
- func ManagedPolicy_FromManagedPolicyName(scope constructs.Construct, id *string, managedPolicyName *string) IManagedPolicy
- type IOpenIdConnectProvider
- type IPolicy
- type IPrincipal
- type IResourceWithPolicy
- type IRole
- type ISamlProvider
- type IUser
- type LazyRole
- type LazyRoleProps
- type ManagedPolicy
- type ManagedPolicyProps
- type OpenIdConnectPrincipal
- type OpenIdConnectProvider
- type OpenIdConnectProviderProps
- type OrganizationPrincipal
- type PermissionsBoundary
- type Policy
- type PolicyDocument
- type PolicyDocumentProps
- type PolicyProps
- type PolicyStatement
- type PolicyStatementProps
- type PrincipalBase
- type PrincipalPolicyFragment
- type PrincipalWithConditions
- type Role
- type RoleProps
- type SamlConsolePrincipal
- type SamlMetadataDocument
- type SamlPrincipal
- type SamlProvider
- type SamlProviderProps
- type ServicePrincipal
- type ServicePrincipalOpts
- type SessionTagsPrincipal
- type StarPrincipal
- type UnknownPrincipal
- type UnknownPrincipalProps
- type User
- type UserAttributes
- type UserProps
- type WebIdentityPrincipal
- type WithoutPolicyUpdatesOptions
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AccessKey_IsConstruct ¶ added in v2.7.0
func AccessKey_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func AccessKey_IsResource ¶ added in v2.7.0
func AccessKey_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func CfnAccessKey_CFN_RESOURCE_TYPE_NAME ¶
func CfnAccessKey_CFN_RESOURCE_TYPE_NAME() *string
func CfnAccessKey_IsCfnElement ¶
func CfnAccessKey_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnAccessKey_IsCfnResource ¶
func CfnAccessKey_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnAccessKey_IsConstruct ¶
func CfnAccessKey_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnGroup_CFN_RESOURCE_TYPE_NAME ¶
func CfnGroup_CFN_RESOURCE_TYPE_NAME() *string
func CfnGroup_IsCfnElement ¶
func CfnGroup_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnGroup_IsCfnResource ¶
func CfnGroup_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnGroup_IsConstruct ¶
func CfnGroup_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnInstanceProfile_CFN_RESOURCE_TYPE_NAME ¶
func CfnInstanceProfile_CFN_RESOURCE_TYPE_NAME() *string
func CfnInstanceProfile_IsCfnElement ¶
func CfnInstanceProfile_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnInstanceProfile_IsCfnResource ¶
func CfnInstanceProfile_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnInstanceProfile_IsConstruct ¶
func CfnInstanceProfile_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnManagedPolicy_CFN_RESOURCE_TYPE_NAME ¶
func CfnManagedPolicy_CFN_RESOURCE_TYPE_NAME() *string
func CfnManagedPolicy_IsCfnElement ¶
func CfnManagedPolicy_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnManagedPolicy_IsCfnResource ¶
func CfnManagedPolicy_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnManagedPolicy_IsConstruct ¶
func CfnManagedPolicy_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnOIDCProvider_CFN_RESOURCE_TYPE_NAME ¶
func CfnOIDCProvider_CFN_RESOURCE_TYPE_NAME() *string
func CfnOIDCProvider_IsCfnElement ¶
func CfnOIDCProvider_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnOIDCProvider_IsCfnResource ¶
func CfnOIDCProvider_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnOIDCProvider_IsConstruct ¶
func CfnOIDCProvider_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnPolicy_CFN_RESOURCE_TYPE_NAME ¶
func CfnPolicy_CFN_RESOURCE_TYPE_NAME() *string
func CfnPolicy_IsCfnElement ¶
func CfnPolicy_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnPolicy_IsCfnResource ¶
func CfnPolicy_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnPolicy_IsConstruct ¶
func CfnPolicy_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnRole_CFN_RESOURCE_TYPE_NAME ¶
func CfnRole_CFN_RESOURCE_TYPE_NAME() *string
func CfnRole_IsCfnElement ¶
func CfnRole_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnRole_IsCfnResource ¶
func CfnRole_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnRole_IsConstruct ¶
func CfnRole_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnSAMLProvider_CFN_RESOURCE_TYPE_NAME ¶
func CfnSAMLProvider_CFN_RESOURCE_TYPE_NAME() *string
func CfnSAMLProvider_IsCfnElement ¶
func CfnSAMLProvider_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnSAMLProvider_IsCfnResource ¶
func CfnSAMLProvider_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnSAMLProvider_IsConstruct ¶
func CfnSAMLProvider_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnServerCertificate_CFN_RESOURCE_TYPE_NAME ¶
func CfnServerCertificate_CFN_RESOURCE_TYPE_NAME() *string
func CfnServerCertificate_IsCfnElement ¶
func CfnServerCertificate_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnServerCertificate_IsCfnResource ¶
func CfnServerCertificate_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnServerCertificate_IsConstruct ¶
func CfnServerCertificate_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnServiceLinkedRole_CFN_RESOURCE_TYPE_NAME ¶
func CfnServiceLinkedRole_CFN_RESOURCE_TYPE_NAME() *string
func CfnServiceLinkedRole_IsCfnElement ¶
func CfnServiceLinkedRole_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnServiceLinkedRole_IsCfnResource ¶
func CfnServiceLinkedRole_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnServiceLinkedRole_IsConstruct ¶
func CfnServiceLinkedRole_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnUserToGroupAddition_CFN_RESOURCE_TYPE_NAME ¶
func CfnUserToGroupAddition_CFN_RESOURCE_TYPE_NAME() *string
func CfnUserToGroupAddition_IsCfnElement ¶
func CfnUserToGroupAddition_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUserToGroupAddition_IsCfnResource ¶
func CfnUserToGroupAddition_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnUserToGroupAddition_IsConstruct ¶
func CfnUserToGroupAddition_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnUser_CFN_RESOURCE_TYPE_NAME ¶
func CfnUser_CFN_RESOURCE_TYPE_NAME() *string
func CfnUser_IsCfnElement ¶
func CfnUser_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnUser_IsCfnResource ¶
func CfnUser_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnUser_IsConstruct ¶
func CfnUser_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func CfnVirtualMFADevice_CFN_RESOURCE_TYPE_NAME ¶
func CfnVirtualMFADevice_CFN_RESOURCE_TYPE_NAME() *string
func CfnVirtualMFADevice_IsCfnElement ¶
func CfnVirtualMFADevice_IsCfnElement(x interface{}) *bool
Returns `true` if a construct is a stack element (i.e. part of the synthesized cloudformation template).
Uses duck-typing instead of `instanceof` to allow stack elements from different versions of this library to be included in the same stack.
Returns: The construct as a stack element or undefined if it is not a stack element.
func CfnVirtualMFADevice_IsCfnResource ¶
func CfnVirtualMFADevice_IsCfnResource(construct constructs.IConstruct) *bool
Check whether the given construct is a CfnResource.
func CfnVirtualMFADevice_IsConstruct ¶
func CfnVirtualMFADevice_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func Group_IsConstruct ¶
func Group_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func Group_IsResource ¶
func Group_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func LazyRole_IsConstruct ¶
func LazyRole_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func LazyRole_IsResource ¶
func LazyRole_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func ManagedPolicy_IsConstruct ¶
func ManagedPolicy_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func ManagedPolicy_IsResource ¶
func ManagedPolicy_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func NewAccessKey_Override ¶ added in v2.7.0
func NewAccessKey_Override(a AccessKey, scope constructs.Construct, id *string, props *AccessKeyProps)
func NewAccountPrincipal_Override ¶
func NewAccountPrincipal_Override(a AccountPrincipal, accountId interface{})
func NewAccountRootPrincipal_Override ¶
func NewAccountRootPrincipal_Override(a AccountRootPrincipal)
func NewAnyPrincipal_Override ¶
func NewAnyPrincipal_Override(a AnyPrincipal)
func NewArnPrincipal_Override ¶
func NewArnPrincipal_Override(a ArnPrincipal, arn *string)
func NewCanonicalUserPrincipal_Override ¶
func NewCanonicalUserPrincipal_Override(c CanonicalUserPrincipal, canonicalUserId *string)
func NewCfnAccessKey_Override ¶
func NewCfnAccessKey_Override(c CfnAccessKey, scope constructs.Construct, id *string, props *CfnAccessKeyProps)
Create a new `AWS::IAM::AccessKey`.
func NewCfnGroup_Override ¶
func NewCfnGroup_Override(c CfnGroup, scope constructs.Construct, id *string, props *CfnGroupProps)
Create a new `AWS::IAM::Group`.
func NewCfnInstanceProfile_Override ¶
func NewCfnInstanceProfile_Override(c CfnInstanceProfile, scope constructs.Construct, id *string, props *CfnInstanceProfileProps)
Create a new `AWS::IAM::InstanceProfile`.
func NewCfnManagedPolicy_Override ¶
func NewCfnManagedPolicy_Override(c CfnManagedPolicy, scope constructs.Construct, id *string, props *CfnManagedPolicyProps)
Create a new `AWS::IAM::ManagedPolicy`.
func NewCfnOIDCProvider_Override ¶
func NewCfnOIDCProvider_Override(c CfnOIDCProvider, scope constructs.Construct, id *string, props *CfnOIDCProviderProps)
Create a new `AWS::IAM::OIDCProvider`.
func NewCfnPolicy_Override ¶
func NewCfnPolicy_Override(c CfnPolicy, scope constructs.Construct, id *string, props *CfnPolicyProps)
Create a new `AWS::IAM::Policy`.
func NewCfnRole_Override ¶
func NewCfnRole_Override(c CfnRole, scope constructs.Construct, id *string, props *CfnRoleProps)
Create a new `AWS::IAM::Role`.
func NewCfnSAMLProvider_Override ¶
func NewCfnSAMLProvider_Override(c CfnSAMLProvider, scope constructs.Construct, id *string, props *CfnSAMLProviderProps)
Create a new `AWS::IAM::SAMLProvider`.
func NewCfnServerCertificate_Override ¶
func NewCfnServerCertificate_Override(c CfnServerCertificate, scope constructs.Construct, id *string, props *CfnServerCertificateProps)
Create a new `AWS::IAM::ServerCertificate`.
func NewCfnServiceLinkedRole_Override ¶
func NewCfnServiceLinkedRole_Override(c CfnServiceLinkedRole, scope constructs.Construct, id *string, props *CfnServiceLinkedRoleProps)
Create a new `AWS::IAM::ServiceLinkedRole`.
func NewCfnUserToGroupAddition_Override ¶
func NewCfnUserToGroupAddition_Override(c CfnUserToGroupAddition, scope constructs.Construct, id *string, props *CfnUserToGroupAdditionProps)
Create a new `AWS::IAM::UserToGroupAddition`.
func NewCfnUser_Override ¶
func NewCfnUser_Override(c CfnUser, scope constructs.Construct, id *string, props *CfnUserProps)
Create a new `AWS::IAM::User`.
func NewCfnVirtualMFADevice_Override ¶
func NewCfnVirtualMFADevice_Override(c CfnVirtualMFADevice, scope constructs.Construct, id *string, props *CfnVirtualMFADeviceProps)
Create a new `AWS::IAM::VirtualMFADevice`.
func NewCompositeDependable_Override ¶
func NewCompositeDependable_Override(c CompositeDependable, dependables ...constructs.IDependable)
func NewCompositePrincipal_Override ¶
func NewCompositePrincipal_Override(c CompositePrincipal, principals ...IPrincipal)
func NewFederatedPrincipal_Override ¶
func NewFederatedPrincipal_Override(f FederatedPrincipal, federated *string, conditions *map[string]interface{}, assumeRoleAction *string)
func NewGroup_Override ¶
func NewGroup_Override(g Group, scope constructs.Construct, id *string, props *GroupProps)
func NewLazyRole_Override ¶
func NewLazyRole_Override(l LazyRole, scope constructs.Construct, id *string, props *LazyRoleProps)
func NewManagedPolicy_Override ¶
func NewManagedPolicy_Override(m ManagedPolicy, scope constructs.Construct, id *string, props *ManagedPolicyProps)
func NewOpenIdConnectPrincipal_Override ¶
func NewOpenIdConnectPrincipal_Override(o OpenIdConnectPrincipal, openIdConnectProvider IOpenIdConnectProvider, conditions *map[string]interface{})
func NewOpenIdConnectProvider_Override ¶
func NewOpenIdConnectProvider_Override(o OpenIdConnectProvider, scope constructs.Construct, id *string, props *OpenIdConnectProviderProps)
Defines an OpenID Connect provider.
func NewOrganizationPrincipal_Override ¶
func NewOrganizationPrincipal_Override(o OrganizationPrincipal, organizationId *string)
func NewPolicyDocument_Override ¶
func NewPolicyDocument_Override(p PolicyDocument, props *PolicyDocumentProps)
func NewPolicyStatement_Override ¶
func NewPolicyStatement_Override(p PolicyStatement, props *PolicyStatementProps)
func NewPolicy_Override ¶
func NewPolicy_Override(p Policy, scope constructs.Construct, id *string, props *PolicyProps)
func NewPrincipalBase_Override ¶
func NewPrincipalBase_Override(p PrincipalBase)
func NewPrincipalPolicyFragment_Override ¶
func NewPrincipalPolicyFragment_Override(p PrincipalPolicyFragment, principalJson *map[string]*[]*string, conditions *map[string]interface{})
func NewPrincipalWithConditions_Override ¶
func NewPrincipalWithConditions_Override(p PrincipalWithConditions, principal IPrincipal, conditions *map[string]interface{})
func NewRole_Override ¶
func NewRole_Override(r Role, scope constructs.Construct, id *string, props *RoleProps)
func NewSamlConsolePrincipal_Override ¶
func NewSamlConsolePrincipal_Override(s SamlConsolePrincipal, samlProvider ISamlProvider, conditions *map[string]interface{})
func NewSamlMetadataDocument_Override ¶
func NewSamlMetadataDocument_Override(s SamlMetadataDocument)
func NewSamlPrincipal_Override ¶
func NewSamlPrincipal_Override(s SamlPrincipal, samlProvider ISamlProvider, conditions *map[string]interface{})
func NewSamlProvider_Override ¶
func NewSamlProvider_Override(s SamlProvider, scope constructs.Construct, id *string, props *SamlProviderProps)
func NewServicePrincipal_Override ¶
func NewServicePrincipal_Override(s ServicePrincipal, service *string, opts *ServicePrincipalOpts)
func NewSessionTagsPrincipal_Override ¶ added in v2.4.0
func NewSessionTagsPrincipal_Override(s SessionTagsPrincipal, principal IPrincipal)
func NewStarPrincipal_Override ¶
func NewStarPrincipal_Override(s StarPrincipal)
func NewUnknownPrincipal_Override ¶
func NewUnknownPrincipal_Override(u UnknownPrincipal, props *UnknownPrincipalProps)
func NewUser_Override ¶
func NewUser_Override(u User, scope constructs.Construct, id *string, props *UserProps)
func NewWebIdentityPrincipal_Override ¶
func NewWebIdentityPrincipal_Override(w WebIdentityPrincipal, identityProvider *string, conditions *map[string]interface{})
func OpenIdConnectProvider_IsConstruct ¶
func OpenIdConnectProvider_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func OpenIdConnectProvider_IsResource ¶
func OpenIdConnectProvider_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func Policy_IsConstruct ¶
func Policy_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`.
Deprecated: use `x instanceof Construct` instead.
func Policy_IsResource ¶
func Policy_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func Role_IsConstruct ¶
func Role_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func Role_IsResource ¶
func Role_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func SamlProvider_IsConstruct ¶
func SamlProvider_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func SamlProvider_IsResource ¶
func SamlProvider_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
func User_IsConstruct ¶
func User_IsConstruct(x interface{}) *bool
Checks if `x` is a construct.
Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead
func User_IsResource ¶
func User_IsResource(construct constructs.IConstruct) *bool
Check whether the given construct is a Resource.
Types ¶
type AccessKey ¶ added in v2.7.0
// AccessKey is an IAM access key (the AWS::IAM::AccessKey resource) bound to a
// single IAM user. Construct one with NewAccessKey.
type AccessKey interface {
	awscdk.Resource
	IAccessKey
	// AccessKeyId returns the key ID, the non-secret half of the credential pair.
	AccessKeyId() *string
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	// SecretAccessKey returns the key's secret wrapped in an awscdk.SecretValue.
	// NOTE(review): treat this as a credential — do not unwrap it into plain
	// strings, stack outputs or logs. The AWS::IAM::AccessKey documentation
	// states the secret is retrievable only at creation time, so a leaked value
	// can only be dealt with by rotating or deactivating the key
	// (see AccessKeyProps.Serial and AccessKeyProps.Status).
	SecretAccessKey() awscdk.SecretValue
	Stack() awscdk.Stack
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}
Define a new IAM Access Key.
TODO: EXAMPLE
func NewAccessKey ¶ added in v2.7.0
func NewAccessKey(scope constructs.Construct, id *string, props *AccessKeyProps) AccessKey
type AccessKeyProps ¶ added in v2.7.0
// AccessKeyProps are the properties for defining an IAM access key (see NewAccessKey).
type AccessKeyProps struct {
	// The IAM user this key will belong to.
	//
	// Changing this value will result in the access key being deleted and a new
	// access key (with a different ID and secret value) being assigned to the new
	// user.
	User IUser `json:"user" yaml:"user"`
	// A CloudFormation-specific value that signifies the access key should be replaced/rotated.
	//
	// This value can only be incremented. Incrementing this
	// value will cause CloudFormation to replace the Access Key resource.
	//
	// NOTE(review): because replacement yields a new ID and secret, every
	// consumer of the old secret presumably has to be updated in the same
	// rollout — plan rotations accordingly.
	Serial *float64 `json:"serial" yaml:"serial"`
	// The status of the access key.
	//
	// An Active access key is allowed to be used
	// to make API calls; An Inactive key cannot.
	// Setting INACTIVE disables the key without deleting it.
	Status AccessKeyStatus `json:"status" yaml:"status"`
}
Properties for defining an IAM access key.
TODO: EXAMPLE
type AccessKeyStatus ¶ added in v2.7.0
// AccessKeyStatus is the set of valid statuses for an IAM access key
// (used by AccessKeyProps.Status).
type AccessKeyStatus string
Valid statuses for an IAM Access Key.
const (
	// AccessKeyStatus_ACTIVE marks a key that may be used to make API calls.
	AccessKeyStatus_ACTIVE AccessKeyStatus = "ACTIVE"
	// AccessKeyStatus_INACTIVE marks a key that is retained but cannot be used
	// to make API calls (see the AccessKeyProps.Status documentation).
	AccessKeyStatus_INACTIVE AccessKeyStatus = "INACTIVE"
)
type AccountPrincipal ¶
// AccountPrincipal names an AWS account ID as the principal entity in a policy,
// delegating authority to that account (see NewAccountPrincipal).
type AccountPrincipal interface {
	ArnPrincipal
	// AccountId returns the value given to NewAccountPrincipal. It is typed
	// interface{} rather than *string, so presumably a deploy-time token is
	// also accepted — confirm before passing anything but a string.
	AccountId() interface{}
	Arn() *string
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	// The leading underscore on _statement suggests the base implementation
	// ignores it — check the returned StatementAdded rather than assuming the
	// statement landed.
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	// WithConditions returns a PrincipalBase that carries the given policy
	// conditions; WithSessionTags likewise returns a derived PrincipalBase.
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
Specify AWS account ID as the principal entity in a policy to delegate authority to the account.
TODO: EXAMPLE
func NewAccountPrincipal ¶
func NewAccountPrincipal(accountId interface{}) AccountPrincipal
type AccountRootPrincipal ¶
// AccountRootPrincipal uses the AWS account into which a stack is deployed as
// the principal entity in a policy (see NewAccountRootPrincipal, which takes no
// arguments — the account is resolved from the deployment).
type AccountRootPrincipal interface {
	AccountPrincipal
	AccountId() interface{}
	Arn() *string
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	// The leading underscore on _statement suggests the base implementation
	// ignores it — check the returned StatementAdded rather than assuming.
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
Use the AWS account into which a stack is deployed as the principal entity in a policy.
TODO: EXAMPLE
func NewAccountRootPrincipal ¶
func NewAccountRootPrincipal() AccountRootPrincipal
type AddToPrincipalPolicyResult ¶
// AddToPrincipalPolicyResult is the result of calling `addToPrincipalPolicy`.
type AddToPrincipalPolicyResult struct {
	// Whether the statement was added to the identity's policies.
	// Callers should check this rather than assume the grant took effect.
	StatementAdded *bool `json:"statementAdded" yaml:"statementAdded"`
	// Dependable which allows depending on the policy change being applied.
	PolicyDependable constructs.IDependable `json:"policyDependable" yaml:"policyDependable"`
}
Result of calling `addToPrincipalPolicy`.
TODO: EXAMPLE
type AddToResourcePolicyResult ¶
// AddToResourcePolicyResult is the result of calling addToResourcePolicy.
type AddToResourcePolicyResult struct {
	// Whether the statement was added.
	StatementAdded *bool `json:"statementAdded" yaml:"statementAdded"`
	// Dependable which allows depending on the policy change being applied.
	PolicyDependable constructs.IDependable `json:"policyDependable" yaml:"policyDependable"`
}
Result of calling addToResourcePolicy.
TODO: EXAMPLE
type AnyPrincipal ¶
// AnyPrincipal is a principal representing all AWS identities in all accounts.
// It renders to `Principal: { AWS: "*" }`; use StarPrincipal when a service
// needs the bare `Principal: '*'` form instead.
//
// NOTE(review): a statement with this principal and no conditions is reachable
// from every AWS account. Scope it with WithConditions or prefer a narrower
// principal (AccountPrincipal, ArnPrincipal) wherever possible.
type AnyPrincipal interface {
	ArnPrincipal
	Arn() *string
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
A principal representing all AWS identities in all accounts.
Some services behave differently when you specify `Principal: '*'` or `Principal: { AWS: "*" }` in their resource policy.
`AnyPrincipal` renders to `Principal: { AWS: "*" }`. This is correct most of the time, but in cases where you need the other principal, use `StarPrincipal` instead.
TODO: EXAMPLE
func NewAnyPrincipal ¶
func NewAnyPrincipal() AnyPrincipal
type ArnPrincipal ¶
// ArnPrincipal specifies a principal by Amazon Resource Name (see NewArnPrincipal).
// Per the AWS reference, accounts, IAM users, federated SAML users, IAM roles and
// specific assumed-role sessions are valid; IAM groups and instance profiles are not.
type ArnPrincipal interface {
	PrincipalBase
	// Arn returns the ARN given to NewArnPrincipal.
	Arn() *string
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
Specify a principal by the Amazon Resource Name (ARN).
You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions. You cannot specify IAM groups or instance profiles as principals.
TODO: EXAMPLE
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
func NewArnPrincipal ¶
func NewArnPrincipal(arn *string) ArnPrincipal
type CanonicalUserPrincipal ¶
// CanonicalUserPrincipal is a policy principal identified by a canonical user ID,
// used for S3 bucket policies that reference Origin Access Identities
// (see NewCanonicalUserPrincipal).
type CanonicalUserPrincipal interface {
	PrincipalBase
	AssumeRoleAction() *string
	// CanonicalUserId returns the ID given to NewCanonicalUserPrincipal.
	CanonicalUserId() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
A policy principal for canonicalUserIds - useful for S3 bucket policies that use Origin Access identities.
See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html for more details.
TODO: EXAMPLE
func NewCanonicalUserPrincipal ¶
func NewCanonicalUserPrincipal(canonicalUserId *string) CanonicalUserPrincipal
type CfnAccessKey ¶
// CfnAccessKey is the CloudFormation `AWS::IAM::AccessKey` resource
// (see NewCfnAccessKey and CfnAccessKeyProps).
type CfnAccessKey interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// AttrSecretAccessKey is the resource's SecretAccessKey attribute as a plain
	// *string token. NOTE(review): unlike AccessKey.SecretAccessKey(), which
	// wraps the value in awscdk.SecretValue, nothing here marks it as a secret —
	// keep it out of stack outputs, environment variables and logs.
	AttrSecretAccessKey() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	// Serial, Status and UserName mirror CfnAccessKeyProps; incrementing Serial
	// is the documented way to rotate the key.
	Serial() *float64
	SetSerial(val *float64)
	Stack() awscdk.Stack
	// Status is a free-form *string here, not AccessKeyStatus. NOTE(review):
	// the CfnAccessKeyProps doc spells the values `Active`/`Inactive` while the
	// AccessKeyStatus constants are "ACTIVE"/"INACTIVE" — confirm which spelling
	// CloudFormation accepts before passing a constant through SetStatus.
	Status() *string
	SetStatus(val *string)
	UpdatedProperites() *map[string]interface{}
	UserName() *string
	SetUserName(val *string)
	// Raw-template escape hatches, presumably shared with the embedded
	// awscdk.CfnResource. Overrides bypass the typed setters above, so review
	// them like hand-written CloudFormation.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::AccessKey`.
Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is `Active`.
If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials. This is true even if the AWS account has no associated users.
For information about quotas on the number of keys you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
> To ensure the security of your AWS account, the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can delete the access keys for the associated user and then create new keys.
TODO: EXAMPLE
func NewCfnAccessKey ¶
func NewCfnAccessKey(scope constructs.Construct, id *string, props *CfnAccessKeyProps) CfnAccessKey
Create a new `AWS::IAM::AccessKey`.
type CfnAccessKeyProps ¶
// CfnAccessKeyProps are the properties for defining a `CfnAccessKey`.
type CfnAccessKeyProps struct {
	// The name of the IAM user that the new key will belong to.
	//
	// This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	UserName *string `json:"userName" yaml:"userName"`
	// This value is specific to CloudFormation and can only be *incremented* .
	//
	// Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.
	Serial *float64 `json:"serial" yaml:"serial"`
	// The status of the access key.
	//
	// `Active` means that the key is valid for API calls, while `Inactive` means it is not.
	// NOTE(review): plain *string, not AccessKeyStatus — the spelling here differs
	// from the "ACTIVE"/"INACTIVE" constants; confirm which one CloudFormation accepts.
	Status *string `json:"status" yaml:"status"`
}
Properties for defining a `CfnAccessKey`.
TODO: EXAMPLE
type CfnGroup ¶
// CfnGroup is the CloudFormation `AWS::IAM::Group` resource
// (see NewCfnGroup and CfnGroupProps).
type CfnGroup interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AttrArn() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	GroupName() *string
	SetGroupName(val *string)
	LogicalId() *string
	// ManagedPolicyArns lists managed policies attached to the group by ARN;
	// Policies holds inline policy documents (see CfnGroupProps for both).
	ManagedPolicyArns() *[]*string
	SetManagedPolicyArns(val *[]*string)
	Node() constructs.Node
	Path() *string
	SetPath(val *string)
	// Policies is untyped (interface{}); presumably a list of
	// CfnGroup_PolicyProperty or a CloudFormation token — confirm.
	Policies() interface{}
	SetPolicies(val interface{})
	Ref() *string
	Stack() awscdk.Stack
	UpdatedProperites() *map[string]interface{}
	// Raw-template escape hatches, presumably shared with the embedded
	// awscdk.CfnResource. Overrides bypass the typed setters above, so review
	// them like hand-written CloudFormation.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::Group`.
Creates a new group.
For information about the number of groups you can create, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide*.
TODO: EXAMPLE
func NewCfnGroup ¶
func NewCfnGroup(scope constructs.Construct, id *string, props *CfnGroupProps) CfnGroup
Create a new `AWS::IAM::Group`.
type CfnGroupProps ¶
// CfnGroupProps are the properties for defining a `CfnGroup`.
type CfnGroupProps struct {
	// The name of the group to create. Do not include the path in this value.
	//
	// The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins". If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name.
	//
	// > If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
	//
	// If you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
	//
	// > Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}` .
	GroupName *string `json:"groupName" yaml:"groupName"`
	// The Amazon Resource Name (ARN) of the IAM policy you want to attach.
	//
	// For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .
	ManagedPolicyArns *[]*string `json:"managedPolicyArns" yaml:"managedPolicyArns"`
	// The path to the group. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
	//
	// This parameter is optional. If it is not included, it defaults to a slash (/).
	//
	// This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\ u0021` ) through the DEL character ( `\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.
	Path *string `json:"path" yaml:"path"`
	// Adds or updates an inline policy document that is embedded in the specified IAM group.
	//
	// To view AWS::IAM::Group snippets, see [Declaring an IAM Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group) .
	//
	// > The name of each inline policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.
	//
	// For information about limits on the number of inline policies that you can embed in a group, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
	//
	// NOTE(review): untyped (interface{}); presumably a list of CfnGroup_PolicyProperty
	// or a CloudFormation token. Nothing in this struct validates the embedded
	// policy documents — lint them before deployment.
	Policies interface{} `json:"policies" yaml:"policies"`
}
Properties for defining a `CfnGroup`.
TODO: EXAMPLE
type CfnGroup_PolicyProperty ¶
// CfnGroup_PolicyProperty is one entry of CfnGroupProps.Policies.
//
// NOTE(review): the page text describes an *attached managed* policy, but the
// fields (an inline PolicyDocument plus a friendly PolicyName) match the
// inline-policy entries documented on CfnGroupProps.Policies — confirm which
// is meant before relying on the description.
type CfnGroup_PolicyProperty struct {
	// The policy document.
	PolicyDocument interface{} `json:"policyDocument" yaml:"policyDocument"`
	// The friendly name (not ARN) identifying the policy.
	// Per CfnGroupProps.Policies, inline policy names on one identity must be unique.
	PolicyName *string `json:"policyName" yaml:"policyName"`
}
Contains information about an attached policy.
An attached policy is a managed policy that has been attached to a user, group, or role.
For more information about managed policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
TODO: EXAMPLE
type CfnInstanceProfile ¶
// CfnInstanceProfile is the CloudFormation `AWS::IAM::InstanceProfile` resource
// (see NewCfnInstanceProfile and CfnInstanceProfileProps).
type CfnInstanceProfile interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AttrArn() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	InstanceProfileName() *string
	SetInstanceProfileName(val *string)
	LogicalId() *string
	Node() constructs.Node
	Path() *string
	SetPath(val *string)
	Ref() *string
	// Roles is a list, but CfnInstanceProfileProps.Roles says only one role can
	// be assigned to an instance at a time — confirm single-element usage.
	Roles() *[]*string
	SetRoles(val *[]*string)
	Stack() awscdk.Stack
	UpdatedProperites() *map[string]interface{}
	// Raw-template escape hatches, presumably shared with the embedded
	// awscdk.CfnResource. Overrides bypass the typed setters above, so review
	// them like hand-written CloudFormation.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::InstanceProfile`.
Creates a new instance profile. For information about instance profiles, see [Using instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) .
For information about the number of instance profiles you can create, see [IAM object quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
TODO: EXAMPLE
func NewCfnInstanceProfile ¶
func NewCfnInstanceProfile(scope constructs.Construct, id *string, props *CfnInstanceProfileProps) CfnInstanceProfile
Create a new `AWS::IAM::InstanceProfile`.
type CfnInstanceProfileProps ¶
// CfnInstanceProfileProps are the properties for defining a `CfnInstanceProfile`.
type CfnInstanceProfileProps struct {
	// The name of the role to associate with the instance profile.
	//
	// Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.
	//
	// NOTE(review): the field is a list although the text describes a single role;
	// every process on the instance can reach the role's credentials via the
	// instance metadata service, so keep the role's permissions minimal.
	Roles *[]*string `json:"roles" yaml:"roles"`
	// The name of the instance profile to create.
	//
	// This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	InstanceProfileName *string `json:"instanceProfileName" yaml:"instanceProfileName"`
	// The path to the instance profile.
	//
	// For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
	//
	// This parameter is optional. If it is not included, it defaults to a slash (/).
	//
	// This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\ u0021` ) through the DEL character ( `\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.
	Path *string `json:"path" yaml:"path"`
}
Properties for defining a `CfnInstanceProfile`.
TODO: EXAMPLE
type CfnManagedPolicy ¶
// CfnManagedPolicy is the CloudFormation `AWS::IAM::ManagedPolicy` resource
// (see NewCfnManagedPolicy and CfnManagedPolicyProps).
type CfnManagedPolicy interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	// Description is documented as immutable once assigned (CfnManagedPolicyProps).
	Description() *string
	SetDescription(val *string)
	// Groups, Roles and Users name the identities the policy is attached to.
	Groups() *[]*string
	SetGroups(val *[]*string)
	LogicalId() *string
	ManagedPolicyName() *string
	SetManagedPolicyName(val *string)
	Node() constructs.Node
	Path() *string
	SetPath(val *string)
	// PolicyDocument is untyped (interface{}); the page recommends validating
	// IAM policies before use — nothing in this interface does so.
	PolicyDocument() interface{}
	SetPolicyDocument(val interface{})
	Ref() *string
	Roles() *[]*string
	SetRoles(val *[]*string)
	Stack() awscdk.Stack
	UpdatedProperites() *map[string]interface{}
	Users() *[]*string
	SetUsers(val *[]*string)
	// Raw-template escape hatches, presumably shared with the embedded
	// awscdk.CfnResource. Overrides bypass the typed setters above, so review
	// them like hand-written CloudFormation.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::ManagedPolicy`.
Creates a new managed policy for your AWS account.
This operation creates a policy version with a version identifier of `v1` and sets v1 as the policy's default version. For more information about policy versions, see [Versioning for managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-versions.html) in the *IAM User Guide* .
As a best practice, you can validate your IAM policies. To learn more, see [Validating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html) in the *IAM User Guide* .
For more information about managed policies in general, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
TODO: EXAMPLE
func NewCfnManagedPolicy ¶
func NewCfnManagedPolicy(scope constructs.Construct, id *string, props *CfnManagedPolicyProps) CfnManagedPolicy
Create a new `AWS::IAM::ManagedPolicy`.
type CfnManagedPolicyProps ¶
// CfnManagedPolicyProps are the properties for defining a `CfnManagedPolicy`.
type CfnManagedPolicyProps struct {
	// The JSON policy document that you want to use as the content for the new policy.
	//
	// You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
	//
	// The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see [IAM and AWS STS character quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length) .
	//
	// To learn more about JSON policy grammar, see [Grammar of the IAM JSON policy language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) in the *IAM User Guide* .
	//
	// The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:
	//
	// - Any printable ASCII character ranging from the space character ( `\ u0020` ) through the end of the ASCII character range
	// - The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\ u00FF` )
	// - The special characters tab ( `\ u0009` ), line feed ( `\ u000A` ), and carriage return ( `\ u000D` )
	//
	// NOTE(review): untyped (interface{}); the regex above only constrains the
	// character set, not the permissions granted — validate the document
	// (the page links the IAM policy validator) before deploying.
	PolicyDocument interface{} `json:"policyDocument" yaml:"policyDocument"`
	// A friendly description of the policy.
	//
	// Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables."
	//
	// The policy description is immutable. After a value is assigned, it cannot be changed.
	Description *string `json:"description" yaml:"description"`
	// The name (friendly name, not ARN) of the group to attach the policy to.
	//
	// This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	Groups *[]*string `json:"groups" yaml:"groups"`
	// The friendly name of the policy.
	//
	// > If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
	//
	// If you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
	//
	// > Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}` .
	ManagedPolicyName *string `json:"managedPolicyName" yaml:"managedPolicyName"`
	// The path for the policy.
	//
	// For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
	//
	// This parameter is optional. If it is not included, it defaults to a slash (/).
	//
	// This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\ u0021` ) through the DEL character ( `\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.
	//
	// > You cannot use an asterisk (*) in the path name.
	Path *string `json:"path" yaml:"path"`
	// The name (friendly name, not ARN) of the role to attach the policy to.
	//
	// This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	//
	// > If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy` ) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service` ) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that AWS CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.
	Roles *[]*string `json:"roles" yaml:"roles"`
	// The name (friendly name, not ARN) of the IAM user to attach the policy to.
	//
	// This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	Users *[]*string `json:"users" yaml:"users"`
}
Properties for defining a `CfnManagedPolicy`.
TODO: EXAMPLE
type CfnOIDCProvider ¶
// CfnOIDCProvider is the CloudFormation `AWS::IAM::OIDCProvider` resource, an
// IAM identity provider that can appear as a principal in a role's trust policy
// (see NewCfnOIDCProvider and CfnOIDCProviderProps).
type CfnOIDCProvider interface {
	awscdk.CfnResource
	awscdk.IInspectable
	AttrArn() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	// ClientIdList holds the client IDs (audiences) allowed to authenticate
	// through this provider; ThumbprintList holds the IdP server-certificate
	// thumbprints; Url is the IdP to trust. Together they define who IAM will
	// trust, so changes to any of them deserve the same review as a trust policy.
	ClientIdList() *[]*string
	SetClientIdList(val *[]*string)
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	ThumbprintList() *[]*string
	SetThumbprintList(val *[]*string)
	UpdatedProperites() *map[string]interface{}
	Url() *string
	SetUrl(val *string)
	// Raw-template escape hatches, presumably shared with the embedded
	// awscdk.CfnResource. Overrides bypass the typed setters above, so review
	// them like hand-written CloudFormation.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::OIDCProvider`.
Creates an IAM entity to describe an identity provider (IdP) that supports [OpenID Connect (OIDC)](https://docs.aws.amazon.com/http://openid.net/connect/) .
The OIDC provider that you create with this operation can be used as a principal in a role's trust policy. Such a policy establishes a trust relationship between AWS and the OIDC provider.
When you create the IAM OIDC provider, you specify the following:
- The URL of the OIDC identity provider (IdP) to trust
- A list of client IDs (also known as audiences) that identify the application or applications that are allowed to authenticate using the OIDC provider
- A list of thumbprints of one or more server certificates that the IdP uses
You get all of this information from the OIDC IdP that you want to use to access AWS .
> The trust for the OIDC provider is derived from the IAM provider that this operation creates. Therefore, it is best to limit access to the [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) operation to highly privileged users.
TODO: EXAMPLE
func NewCfnOIDCProvider ¶
func NewCfnOIDCProvider(scope constructs.Construct, id *string, props *CfnOIDCProviderProps) CfnOIDCProvider
Create a new `AWS::IAM::OIDCProvider`.
type CfnOIDCProviderProps ¶
// CfnOIDCProviderProps holds the properties for defining a `CfnOIDCProvider`
// (a CloudFormation `AWS::IAM::OIDCProvider`).
//
// Url, ClientIdList and ThumbprintList are the values obtained from the OIDC
// IdP; together they describe which IdP, which audiences and which IdP server
// certificates the provider trusts, so they deserve the same review as a role
// trust policy.
type CfnOIDCProviderProps struct {
	// A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object.
	//
	// For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html).
	ThumbprintList *[]*string `json:"thumbprintList" yaml:"thumbprintList"`
	// A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object.
	//
	// For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html).
	ClientIdList *[]*string `json:"clientIdList" yaml:"clientIdList"`
	// A list of tags that are attached to the specified IAM OIDC provider.
	//
	// The returned list of tags is sorted by tag key. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.
	Tags *[]*awscdk.CfnTag `json:"tags" yaml:"tags"`
	// The URL that the IAM OIDC provider resource object is associated with.
	//
	// For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html).
	Url *string `json:"url" yaml:"url"`
}
Properties for defining a `CfnOIDCProvider`.
TODO: EXAMPLE
type CfnPolicy ¶
// CfnPolicy represents a CloudFormation `AWS::IAM::Policy` resource: an inline
// policy document embedded in the specified IAM users, groups and/or roles.
//
// Groups, Roles and Users are each optional, but at least one of them must be
// specified. PolicyDocument is typed as interface{}, so the Go compiler does not
// check the document's structure; it is passed through as given (presumably
// validated at synthesis or by CloudFormation/IAM — confirm).
type CfnPolicy interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	// Groups returns the names of the groups the policy is associated with.
	Groups() *[]*string
	SetGroups(val *[]*string)
	LogicalId() *string
	Node() constructs.Node
	// PolicyDocument returns the policy document (JSON, or YAML in a
	// YAML-formatted template).
	PolicyDocument() interface{}
	SetPolicyDocument(val interface{})
	// PolicyName returns the name of the policy document.
	PolicyName() *string
	SetPolicyName(val *string)
	Ref() *string
	// Roles returns the names of the roles the policy is associated with.
	Roles() *[]*string
	SetRoles(val *[]*string)
	Stack() awscdk.Stack
	// UpdatedProperites keeps the upstream (misspelled) generated name.
	UpdatedProperites() *map[string]interface{}
	// Users returns the names of the users the policy is associated with.
	Users() *[]*string
	SetUsers(val *[]*string)
	// Escape-hatch, metadata, dependency and inspection helpers. These look
	// like they come from the embedded awscdk.CfnResource / awscdk.IInspectable;
	// see those types for their semantics.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::Policy`.
Adds or updates an inline policy document that is embedded in the specified IAM user, group, or role.
An IAM user can also have a managed policy attached to it. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
The Groups, Roles, and Users properties are optional. However, you must specify at least one of these properties.
For information about limits on the number of inline policies that you can embed in an identity, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
TODO: EXAMPLE
func NewCfnPolicy ¶
func NewCfnPolicy(scope constructs.Construct, id *string, props *CfnPolicyProps) CfnPolicy
Create a new `AWS::IAM::Policy`.
type CfnPolicyProps ¶
// CfnPolicyProps holds the properties for defining a `CfnPolicy`
// (a CloudFormation `AWS::IAM::Policy`).
//
// Groups, Roles and Users are each optional, but at least one of them must be
// given. PolicyDocument is an interface{} value and is not structurally checked
// in Go.
type CfnPolicyProps struct {
	// The policy document.
	//
	// You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
	//
	// The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:
	//
	// - Any printable ASCII character ranging from the space character ( `\ u0020` ) through the end of the ASCII character range
	// - The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\ u00FF` )
	// - The special characters tab ( `\ u0009` ), line feed ( `\ u000A` ), and carriage return ( `\ u000D` )
	PolicyDocument interface{} `json:"policyDocument" yaml:"policyDocument"`
	// The name of the policy document.
	//
	// This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	PolicyName *string `json:"policyName" yaml:"policyName"`
	// The name of the group to associate the policy with.
	//
	// This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.
	Groups *[]*string `json:"groups" yaml:"groups"`
	// The name of the role to associate the policy with.
	//
	// This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	//
	// > If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy` ) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service` ) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that AWS CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.
	Roles *[]*string `json:"roles" yaml:"roles"`
	// The name of the user to associate the policy with.
	//
	// This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	Users *[]*string `json:"users" yaml:"users"`
}
Properties for defining a `CfnPolicy`.
TODO: EXAMPLE
type CfnRole ¶
// CfnRole represents a CloudFormation `AWS::IAM::Role` resource.
//
// The security-relevant surface is: AssumeRolePolicyDocument (the trust policy,
// i.e. who may assume the role), ManagedPolicyArns and Policies (what the role
// may do), PermissionsBoundary (the ceiling on those permissions) and
// MaxSessionDuration (how long assumed credentials may live).
type CfnRole interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// AssumeRolePolicyDocument returns the trust policy associated with the role;
	// trust policies define which entities can assume it. Typed as interface{},
	// so its structure is not checked by the Go compiler.
	AssumeRolePolicyDocument() interface{}
	SetAssumeRolePolicyDocument(val interface{})
	// AttrArn and AttrRoleId expose the resource's `Arn` and `RoleId` attributes.
	AttrArn() *string
	AttrRoleId() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	// Description returns the description of the role.
	Description() *string
	SetDescription(val *string)
	LogicalId() *string
	// ManagedPolicyArns returns the ARNs of the IAM managed policies attached to
	// the role.
	ManagedPolicyArns() *[]*string
	SetManagedPolicyArns(val *[]*string)
	// MaxSessionDuration returns the maximum session duration in seconds (the
	// default maximum is one hour; the allowed range is 1 to 12 hours). Note the
	// value is a *float64 even though it denotes whole seconds.
	MaxSessionDuration() *float64
	SetMaxSessionDuration(val *float64)
	Node() constructs.Node
	// Path returns the role's path; it defaults to a slash (/) when not set.
	Path() *string
	SetPath(val *string)
	// PermissionsBoundary returns the ARN of the policy used as the role's
	// permissions boundary.
	PermissionsBoundary() *string
	SetPermissionsBoundary(val *string)
	// Policies returns the inline policy documents embedded in the role.
	Policies() interface{}
	SetPolicies(val interface{})
	Ref() *string
	// RoleName returns the role name; when set, the template must be deployed
	// with the `CAPABILITY_NAMED_IAM` capability.
	RoleName() *string
	SetRoleName(val *string)
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	// UpdatedProperites keeps the upstream (misspelled) generated name.
	UpdatedProperites() *map[string]interface{}
	// Escape-hatch, metadata, dependency and inspection helpers. These look
	// like they come from the embedded awscdk.CfnResource / awscdk.IInspectable;
	// see those types for their semantics.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::Role`.
Creates a new role for your AWS account . For more information about roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html) . For information about quotas for role names and the number of roles you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
TODO: EXAMPLE
func NewCfnRole ¶
func NewCfnRole(scope constructs.Construct, id *string, props *CfnRoleProps) CfnRole
Create a new `AWS::IAM::Role`.
type CfnRoleProps ¶
// CfnRoleProps holds the properties for defining a `CfnRole`
// (a CloudFormation `AWS::IAM::Role`).
//
// AssumeRolePolicyDocument is the trust policy (who may assume the role);
// ManagedPolicyArns and Policies grant permissions; PermissionsBoundary caps
// them; MaxSessionDuration bounds credential lifetime. AssumeRolePolicyDocument
// and Policies are interface{} values and are not structurally checked in Go.
type CfnRoleProps struct {
	// The trust policy that is associated with this role.
	//
	// Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see [Template Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples) . For more information about the elements that you can use in an IAM policy, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide* .
	AssumeRolePolicyDocument interface{} `json:"assumeRolePolicyDocument" yaml:"assumeRolePolicyDocument"`
	// A description of the role that you provide.
	Description *string `json:"description" yaml:"description"`
	// A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role.
	//
	// For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .
	ManagedPolicyArns *[]*string `json:"managedPolicyArns" yaml:"managedPolicyArns"`
	// The maximum session duration (in seconds) that you want to set for the specified role.
	//
	// If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
	//
	// Anyone who assumes the role from the CLI or API can use the `DurationSeconds` API parameter or the `duration-seconds` CLI parameter to request a longer session. The `MaxSessionDuration` setting determines the maximum duration that can be requested using the `DurationSeconds` parameter. If users don't specify a value for the `DurationSeconds` parameter, their security credentials are valid for one hour by default. This applies when you use the `AssumeRole*` API operations or the `assume-role*` CLI operations but does not apply when you use those operations to create a console URL. For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide* .
	//
	// Note the Go type is *float64 although the value denotes whole seconds.
	MaxSessionDuration *float64 `json:"maxSessionDuration" yaml:"maxSessionDuration"`
	// The path to the role. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
	//
	// This parameter is optional. If it is not included, it defaults to a slash (/).
	//
	// This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\ u0021` ) through the DEL character ( `\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.
	Path *string `json:"path" yaml:"path"`
	// The ARN of the policy used to set the permissions boundary for the role.
	//
	// For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide* .
	PermissionsBoundary *string `json:"permissionsBoundary" yaml:"permissionsBoundary"`
	// Adds or updates an inline policy document that is embedded in the specified IAM role.
	//
	// When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role. You can update a role's trust policy later. For more information about IAM roles, go to [Using Roles to Delegate Permissions and Federate Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) .
	//
	// A role can also have an attached managed policy. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
	//
	// For information about limits on the number of inline policies that you can embed with a role, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
	//
	// > If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy` ) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service` ) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that AWS CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.
	Policies interface{} `json:"policies" yaml:"policies"`
	// A name for the IAM role, up to 64 characters in length.
	//
	// For valid values, see the `RoleName` parameter for the [`CreateRole`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) action in the *IAM User Guide* .
	//
	// This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role name must be unique within the account. Role names are not distinguished by case. For example, you cannot create roles named both "Role1" and "role1".
	//
	// If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the role name.
	//
	// If you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
	//
	// > Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}` .
	RoleName *string `json:"roleName" yaml:"roleName"`
	// A list of tags that are attached to the role.
	//
	// For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
	Tags *[]*awscdk.CfnTag `json:"tags" yaml:"tags"`
}
Properties for defining a `CfnRole`.
TODO: EXAMPLE
type CfnRole_PolicyProperty ¶
// CfnRole_PolicyProperty describes one policy entry: its document and its
// friendly name. The upstream description calls this an "attached policy";
// given the field names it presumably backs the entries of CfnRoleProps.Policies
// (inline policies) — confirm against the CloudFormation resource reference.
type CfnRole_PolicyProperty struct {
	// The policy document. Typed as interface{}, so it is not structurally
	// checked by the Go compiler.
	PolicyDocument interface{} `json:"policyDocument" yaml:"policyDocument"`
	// The friendly name (not ARN) identifying the policy.
	PolicyName *string `json:"policyName" yaml:"policyName"`
}
Contains information about an attached policy.
An attached policy is a managed policy that has been attached to a user, group, or role.
For more information about managed policies, refer to [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
TODO: EXAMPLE
type CfnSAMLProvider ¶
// CfnSAMLProvider represents a CloudFormation `AWS::IAM::SAMLProvider` resource:
// an IAM identity provider entity for a SAML 2.0 IdP.
//
// The provider can be used as a principal in an IAM role's trust policy, letting
// federated users who sign in through the SAML IdP assume the role. The
// SamlMetadataDocument carries the issuer's name, expiration information and the
// keys used to validate the IdP's assertions, so changes to it change who is
// trusted.
type CfnSAMLProvider interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// AttrArn exposes the resource's `Arn` attribute.
	AttrArn() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	// Name returns the name of the provider.
	Name() *string
	SetName(val *string)
	Node() constructs.Node
	Ref() *string
	// SamlMetadataDocument returns the SAML 2.0 metadata XML generated by the IdP.
	SamlMetadataDocument() *string
	SetSamlMetadataDocument(val *string)
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	// UpdatedProperites keeps the upstream (misspelled) generated name.
	UpdatedProperites() *map[string]interface{}
	// Escape-hatch, metadata, dependency and inspection helpers. These look
	// like they come from the embedded awscdk.CfnResource / awscdk.IInspectable;
	// see those types for their semantics.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::SAMLProvider`.
Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.
The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS .
When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.
> This operation requires [Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) .
For more information, see [Enabling SAML 2.0 federated users to access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) and [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide* .
TODO: EXAMPLE
func NewCfnSAMLProvider ¶
func NewCfnSAMLProvider(scope constructs.Construct, id *string, props *CfnSAMLProviderProps) CfnSAMLProvider
Create a new `AWS::IAM::SAMLProvider`.
type CfnSAMLProviderProps ¶
// CfnSAMLProviderProps holds the properties for defining a `CfnSAMLProvider`
// (a CloudFormation `AWS::IAM::SAMLProvider`).
//
// SamlMetadataDocument is the trust anchor for the federation: it carries the
// keys used to validate the IdP's assertions, so it should come from the
// organization's IdP software and be reviewed like any other trust material.
type CfnSAMLProviderProps struct {
	// An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.
	//
	// For more information, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide*
	SamlMetadataDocument *string `json:"samlMetadataDocument" yaml:"samlMetadataDocument"`
	// The name of the provider to create.
	//
	// This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	Name *string `json:"name" yaml:"name"`
	// A list of tags that you want to attach to the new IAM SAML provider.
	//
	// Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
	//
	// > If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
	Tags *[]*awscdk.CfnTag `json:"tags" yaml:"tags"`
}
Properties for defining a `CfnSAMLProvider`.
TODO: EXAMPLE
type CfnServerCertificate ¶
// CfnServerCertificate represents a CloudFormation `AWS::IAM::ServerCertificate`
// resource: a PEM-encoded public key certificate, private key and optional
// certificate chain uploaded to IAM.
//
// AWS Certificate Manager is the recommended way to provision and renew server
// certificates; this resource requires the caller to supply the private key
// itself as a plain string property.
type CfnServerCertificate interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// AttrArn exposes the resource's `Arn` attribute.
	AttrArn() *string
	// CertificateBody returns the contents of the public key certificate.
	CertificateBody() *string
	SetCertificateBody(val *string)
	// CertificateChain returns the contents of the public key certificate chain.
	CertificateChain() *string
	SetCertificateChain(val *string)
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	// Path returns the certificate's path; it defaults to a slash (/) when not
	// set, and must begin with `/cloudfront` for CloudFront use.
	Path() *string
	SetPath(val *string)
	// PrivateKey returns the PEM-encoded private key.
	//
	// NOTE(review): the key is an ordinary string property. This page does not
	// say how it is kept out of the synthesized template, logs or version
	// control — confirm that before placing real key material here.
	PrivateKey() *string
	SetPrivateKey(val *string)
	Ref() *string
	// ServerCertificateName returns the certificate name (without the path).
	ServerCertificateName() *string
	SetServerCertificateName(val *string)
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	// UpdatedProperites keeps the upstream (misspelled) generated name.
	UpdatedProperites() *map[string]interface{}
	// Escape-hatch, metadata, dependency and inspection helpers. These look
	// like they come from the embedded awscdk.CfnResource / awscdk.IInspectable;
	// see those types for their semantics.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::ServerCertificate`.
Uploads a server certificate entity for the AWS account . The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.
We recommend that you use [AWS Certificate Manager](https://docs.aws.amazon.com/acm/) to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to AWS resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the [AWS Certificate Manager User Guide](https://docs.aws.amazon.com/acm/latest/userguide/) .
For more information about working with server certificates, see [Working with server certificates](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html) in the *IAM User Guide* . This topic includes a list of AWS services that can use the server certificates that you manage with IAM.
For information about the number of server certificates you can upload, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
> Because the body of the public key certificate, private key, and the certificate chain can be large, you should use POST rather than GET when calling `UploadServerCertificate` . For information about setting up signatures and authorization through the API, see [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) in the *AWS General Reference* . For general information about using the Query API with IAM, see [Calling the API by making HTTP query requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/programming.html) in the *IAM User Guide* .
TODO: EXAMPLE
func NewCfnServerCertificate ¶
func NewCfnServerCertificate(scope constructs.Construct, id *string, props *CfnServerCertificateProps) CfnServerCertificate
Create a new `AWS::IAM::ServerCertificate`.
type CfnServerCertificateProps ¶
// CfnServerCertificateProps holds the properties for defining a
// `CfnServerCertificate` (a CloudFormation `AWS::IAM::ServerCertificate`).
//
// All certificate material is supplied PEM-encoded as plain string properties,
// including PrivateKey. Prefer AWS Certificate Manager where possible; if this
// resource is used, confirm how PrivateKey is kept out of synthesized output
// and source control (the page does not say).
type CfnServerCertificateProps struct {
	// The contents of the public key certificate.
	CertificateBody *string `json:"certificateBody" yaml:"certificateBody"`
	// The contents of the public key certificate chain.
	CertificateChain *string `json:"certificateChain" yaml:"certificateChain"`
	// The path for the server certificate.
	//
	// For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
	//
	// This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\ u0021` ) through the DEL character ( `\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.
	//
	// > If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the `path` parameter. The path must begin with `/cloudfront` and must include a trailing slash (for example, `/cloudfront/test/` ).
	Path *string `json:"path" yaml:"path"`
	// The contents of the private key in PEM-encoded format.
	//
	// The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:
	//
	// - Any printable ASCII character ranging from the space character ( `\ u0020` ) through the end of the ASCII character range
	// - The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\ u00FF` )
	// - The special characters tab ( `\ u0009` ), line feed ( `\ u000A` ), and carriage return ( `\ u000D` )
	//
	// NOTE(review): secret material held as an ordinary string — see the type comment.
	PrivateKey *string `json:"privateKey" yaml:"privateKey"`
	// The name for the server certificate.
	//
	// Do not include the path in this value. The name of the certificate cannot contain any spaces.
	//
	// This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	ServerCertificateName *string `json:"serverCertificateName" yaml:"serverCertificateName"`
	// A list of tags that are attached to the server certificate.
	//
	// For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
	Tags *[]*awscdk.CfnTag `json:"tags" yaml:"tags"`
}
Properties for defining a `CfnServerCertificate`.
TODO: EXAMPLE
type CfnServiceLinkedRole ¶
// CfnServiceLinkedRole represents a CloudFormation `AWS::IAM::ServiceLinkedRole`
// resource: an IAM role linked to a specific AWS service.
//
// The linked service controls the attached policies and when the role can be
// deleted; a policy can only be attached to it through the depending service.
// There is therefore no policy document on this type, unlike CfnRole.
type CfnServiceLinkedRole interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// AwsServiceName returns the service principal (e.g. `elasticbeanstalk.amazonaws.com`,
	// without a scheme) of the service the role is attached to. Principals are
	// unique and case-sensitive.
	AwsServiceName() *string
	SetAwsServiceName(val *string)
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	// CustomSuffix returns the caller-provided suffix combined with the
	// service-provided prefix to form the full role name.
	CustomSuffix() *string
	SetCustomSuffix(val *string)
	// Description returns the description of the role.
	Description() *string
	SetDescription(val *string)
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	Stack() awscdk.Stack
	// UpdatedProperites keeps the upstream (misspelled) generated name.
	UpdatedProperites() *map[string]interface{}
	// Escape-hatch, metadata, dependency and inspection helpers. These look
	// like they come from the embedded awscdk.CfnResource / awscdk.IInspectable;
	// see those types for their semantics.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::ServiceLinkedRole`.
Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state. Allowing the service to control the role helps improve service stability and proper cleanup when a service and its role are no longer needed. For more information, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the *IAM User Guide* .
To attach a policy to this service-linked role, you must make the request using the AWS service that depends on this role.
TODO: EXAMPLE
func NewCfnServiceLinkedRole ¶
func NewCfnServiceLinkedRole(scope constructs.Construct, id *string, props *CfnServiceLinkedRoleProps) CfnServiceLinkedRole
Create a new `AWS::IAM::ServiceLinkedRole`.
type CfnServiceLinkedRoleProps ¶
// CfnServiceLinkedRoleProps holds the properties for defining a
// `CfnServiceLinkedRole` (a CloudFormation `AWS::IAM::ServiceLinkedRole`).
//
// AwsServiceName selects which service may use the role; it is case-sensitive,
// so a misspelt principal is a deployment failure rather than a silent
// over-grant.
type CfnServiceLinkedRoleProps struct {
	// The service principal for the AWS service to which this role is attached.
	//
	// You use a string similar to a URL but without the http:// in front. For example: `elasticbeanstalk.amazonaws.com` .
	//
	// Service principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* . Look for the services that have *Yes* in the *Service-Linked Role* column. Choose the *Yes* link to view the service-linked role documentation for that service.
	AwsServiceName *string `json:"awsServiceName" yaml:"awsServiceName"`
	// A string that you provide, which is combined with the service-provided prefix to form the complete role name.
	//
	// If you make multiple requests for the same service, then you must supply a different `CustomSuffix` for each request. Otherwise the request fails with a duplicate role name error. For example, you could add `-1` or `-debug` to the suffix.
	//
	// Some services do not support the `CustomSuffix` parameter. If you provide an optional suffix and the operation fails, try the operation again without the suffix.
	CustomSuffix *string `json:"customSuffix" yaml:"customSuffix"`
	// The description of the role.
	Description *string `json:"description" yaml:"description"`
}
Properties for defining a `CfnServiceLinkedRole`.
TODO: EXAMPLE
type CfnUser ¶
// CfnUser represents a CloudFormation `AWS::IAM::User` resource: a new IAM user
// in the AWS account.
//
// Permissions come from Groups, ManagedPolicyArns and Policies, capped by
// PermissionsBoundary. LoginProfile creates a console password for the user;
// LoginProfile and Policies are interface{} values and are not structurally
// checked by the Go compiler.
type CfnUser interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// AttrArn exposes the resource's `Arn` attribute.
	AttrArn() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	// Groups returns the names of the groups the user is added to.
	Groups() *[]*string
	SetGroups(val *[]*string)
	LogicalId() *string
	// LoginProfile returns the login profile, which creates a password that lets
	// the user sign in to the AWS Management Console.
	LoginProfile() interface{}
	SetLoginProfile(val interface{})
	// ManagedPolicyArns returns the ARNs of the IAM managed policies attached to
	// the user.
	ManagedPolicyArns() *[]*string
	SetManagedPolicyArns(val *[]*string)
	Node() constructs.Node
	// Path returns the path for the user name; it defaults to a slash (/).
	Path() *string
	SetPath(val *string)
	// PermissionsBoundary: presumably the ARN of the permissions-boundary policy,
	// as for CfnRole — the props documentation for it is not on this page.
	PermissionsBoundary() *string
	SetPermissionsBoundary(val *string)
	// Policies returns the inline policy documents embedded in the user.
	Policies() interface{}
	SetPolicies(val interface{})
	Ref() *string
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	// UpdatedProperites keeps the upstream (misspelled) generated name.
	UpdatedProperites() *map[string]interface{}
	// UserName returns the user name.
	UserName() *string
	SetUserName(val *string)
	// Escape-hatch, metadata, dependency and inspection helpers. These look
	// like they come from the embedded awscdk.CfnResource / awscdk.IInspectable;
	// see those types for their semantics.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::User`.
Creates a new IAM user for your AWS account .
For information about quotas for the number of IAM users you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
TODO: EXAMPLE
func NewCfnUser ¶
// NewCfnUser creates a new `AWS::IAM::User` resource as a child of scope with the
// given construct id and properties.
func NewCfnUser(scope constructs.Construct, id *string, props *CfnUserProps) CfnUser
Create a new `AWS::IAM::User`.
type CfnUserProps ¶
// CfnUserProps holds the properties for defining a `CfnUser` (an `AWS::IAM::User`).
// Every field is optional; a nil pointer leaves the corresponding template property unset.
type CfnUserProps struct {
	// A list of group names to which you want to add the user.
	Groups *[]*string `json:"groups" yaml:"groups"`
	// Creates a password for the specified IAM user.
	//
	// A password allows an IAM user to access AWS services through the AWS Management Console .
	//
	// You can use the AWS CLI , the AWS API, or the *Users* page in the IAM console to create a password for any IAM user. Use [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) to update your own existing password in the *My Security Credentials* page in the AWS Management Console .
	//
	// For more information about managing passwords, see [Managing passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide* .
	//
	// Expected shape is CfnUser_LoginProfileProperty; see the note on its Password field
	// about not embedding a literal password in the template.
	LoginProfile interface{} `json:"loginProfile" yaml:"loginProfile"`
	// A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user.
	//
	// For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .
	ManagedPolicyArns *[]*string `json:"managedPolicyArns" yaml:"managedPolicyArns"`
	// The path for the user name.
	//
	// For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
	//
	// This parameter is optional. If it is not included, it defaults to a slash (/).
	//
	// This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\ u0021` ) through the DEL character ( `\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.
	Path *string `json:"path" yaml:"path"`
	// The ARN of the policy that is used to set the permissions boundary for the user.
	//
	// A boundary caps the effective permissions of every policy attached to the user; it is
	// the usual control for delegated user creation.
	PermissionsBoundary *string `json:"permissionsBoundary" yaml:"permissionsBoundary"`
	// Adds or updates an inline policy document that is embedded in the specified IAM user.
	//
	// To view AWS::IAM::User snippets, see [Declaring an IAM User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user) .
	//
	// > The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.
	//
	// For information about limits on the number of inline policies that you can embed in a user, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
	//
	// Expected shape is a list of CfnUser_PolicyProperty.
	Policies interface{} `json:"policies" yaml:"policies"`
	// A list of tags that you want to attach to the new user.
	//
	// Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
	//
	// > If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
	Tags *[]*awscdk.CfnTag `json:"tags" yaml:"tags"`
	// The name of the user to create. Do not include the path in this value.
	//
	// This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john".
	//
	// If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name.
	//
	// If you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
	//
	// > Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}` .
	UserName *string `json:"userName" yaml:"userName"`
}
Properties for defining a `CfnUser`.
TODO: EXAMPLE
type CfnUserToGroupAddition ¶
// CfnUserToGroupAddition is the L1 construct for a CloudFormation
// `AWS::IAM::UserToGroupAddition`, which adds a list of users to one group.
type CfnUserToGroupAddition interface {
	awscdk.CfnResource
	awscdk.IInspectable
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	// GroupName: the group that receives the users.
	GroupName() *string
	SetGroupName(val *string)
	LogicalId() *string
	Node() constructs.Node
	Ref() *string
	Stack() awscdk.Stack
	// UpdatedProperites is the generated spelling (sic); part of the published API.
	UpdatedProperites() *map[string]interface{}
	// Users: names of the users added to the group.
	Users() *[]*string
	SetUsers(val *[]*string)
	// Generic CfnResource escape hatches and helpers.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::UserToGroupAddition`.
Adds the specified user to the specified group.
TODO: EXAMPLE
func NewCfnUserToGroupAddition ¶
// NewCfnUserToGroupAddition creates a new `AWS::IAM::UserToGroupAddition` resource as a
// child of scope with the given construct id and properties.
func NewCfnUserToGroupAddition(scope constructs.Construct, id *string, props *CfnUserToGroupAdditionProps) CfnUserToGroupAddition
Create a new `AWS::IAM::UserToGroupAddition`.
type CfnUserToGroupAdditionProps ¶
// CfnUserToGroupAdditionProps holds the properties for defining a `CfnUserToGroupAddition`.
type CfnUserToGroupAdditionProps struct {
	// The name of the group to update.
	//
	// This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	GroupName *string `json:"groupName" yaml:"groupName"`
	// A list of the names of the users that you want to add to the group.
	Users *[]*string `json:"users" yaml:"users"`
}
Properties for defining a `CfnUserToGroupAddition`.
TODO: EXAMPLE
type CfnUser_LoginProfileProperty ¶
// CfnUser_LoginProfileProperty describes a console password for a CfnUser; it is the
// expected value of CfnUserProps.LoginProfile.
type CfnUser_LoginProfileProperty struct {
	// The user's password.
	//
	// NOTE(review): this is a plain string field that is serialized into the synthesized
	// template via its json/yaml tags. Do not put a literal password here — supply a value
	// that is resolved at deployment time (a secret reference) so the cleartext never lands
	// in source control or in the template artifact; confirm the supported reference form
	// against the CDK documentation.
	Password *string `json:"password" yaml:"password"`
	// Specifies whether the user is required to set a new password on next sign-in.
	//
	// Typed interface{} presumably to accept a bool or a resolvable value — confirm. Setting
	// it to true is the usual way to avoid the provisioning password remaining in use.
	PasswordResetRequired interface{} `json:"passwordResetRequired" yaml:"passwordResetRequired"`
}
Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console .
For more information about managing passwords, see [Managing Passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide* .
TODO: EXAMPLE
type CfnUser_PolicyProperty ¶
// CfnUser_PolicyProperty is one element of CfnUserProps.Policies: a named policy document
// embedded inline in the user.
//
// NOTE(review): the fields (a document plus a friendly name, no ARN) describe an inline
// policy, even though the accompanying doc text talks about attached managed policies —
// confirm which one is meant before relying on that text.
type CfnUser_PolicyProperty struct {
	// The policy document.
	//
	// Typed interface{}; presumably a JSON-compatible map or a resolvable document — confirm.
	PolicyDocument interface{} `json:"policyDocument" yaml:"policyDocument"`
	// The friendly name (not ARN) identifying the policy.
	PolicyName *string `json:"policyName" yaml:"policyName"`
}
Contains information about an attached policy.
An attached policy is a managed policy that has been attached to a user, group, or role.
For more information about managed policies, refer to [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
TODO: EXAMPLE
type CfnVirtualMFADevice ¶
// CfnVirtualMFADevice is the L1 construct for a CloudFormation `AWS::IAM::VirtualMFADevice`.
//
// The getter/setter pairs mirror CfnVirtualMFADeviceProps; the remaining methods are the
// generic awscdk.CfnResource / awscdk.IInspectable surface.
type CfnVirtualMFADevice interface {
	awscdk.CfnResource
	awscdk.IInspectable
	// AttrSerialNumber returns the device's `SerialNumber` attribute.
	AttrSerialNumber() *string
	CfnOptions() awscdk.ICfnResourceOptions
	CfnProperties() *map[string]interface{}
	CfnResourceType() *string
	CreationStack() *[]*string
	LogicalId() *string
	Node() constructs.Node
	Path() *string
	SetPath(val *string)
	Ref() *string
	Stack() awscdk.Stack
	Tags() awscdk.TagManager
	// UpdatedProperites is the generated spelling (sic); part of the published API.
	UpdatedProperites() *map[string]interface{}
	// Users: the IAM user(s) associated with the device.
	Users() *[]*string
	SetUsers(val *[]*string)
	VirtualMfaDeviceName() *string
	SetVirtualMfaDeviceName(val *string)
	// Generic CfnResource escape hatches and helpers.
	AddDeletionOverride(path *string)
	AddDependsOn(target awscdk.CfnResource)
	AddMetadata(key *string, value interface{})
	AddOverride(path *string, value interface{})
	AddPropertyDeletionOverride(propertyPath *string)
	AddPropertyOverride(propertyPath *string, value interface{})
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy, options *awscdk.RemovalPolicyOptions)
	GetAtt(attributeName *string) awscdk.Reference
	GetMetadata(key *string) interface{}
	Inspect(inspector awscdk.TreeInspector)
	OverrideLogicalId(newLogicalId *string)
	RenderProperties(props *map[string]interface{}) *map[string]interface{}
	ShouldSynthesize() *bool
	ToString() *string
	ValidateProperties(_properties interface{})
}
A CloudFormation `AWS::IAM::VirtualMFADevice`.
Creates a new virtual MFA device for the AWS account . After creating the virtual MFA, use [EnableMFADevice](https://docs.aws.amazon.com/IAM/latest/APIReference/API_EnableMFADevice.html) to attach the MFA device to an IAM user. For more information about creating and working with virtual MFA devices, see [Using a virtual MFA device](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_VirtualMFA.html) in the *IAM User Guide* .
For information about the maximum number of MFA devices you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
> The seed information contained in the QR code and the Base32 string should be treated like any other secret access information. In other words, protect the seed information as you would your AWS access keys or your passwords. After you provision your virtual device, you should ensure that the information is destroyed following secure procedures.
TODO: EXAMPLE
func NewCfnVirtualMFADevice ¶
// NewCfnVirtualMFADevice creates a new `AWS::IAM::VirtualMFADevice` resource as a child of
// scope with the given construct id and properties.
func NewCfnVirtualMFADevice(scope constructs.Construct, id *string, props *CfnVirtualMFADeviceProps) CfnVirtualMFADevice
Create a new `AWS::IAM::VirtualMFADevice`.
type CfnVirtualMFADeviceProps ¶
// CfnVirtualMFADeviceProps holds the properties for defining a `CfnVirtualMFADevice`.
// Note that none of these fields carry the device seed; the seed is produced by AWS when
// the device is created and must be protected separately.
type CfnVirtualMFADeviceProps struct {
	// The IAM user associated with this virtual MFA device.
	Users *[]*string `json:"users" yaml:"users"`
	// The path for the virtual MFA device.
	//
	// For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
	//
	// This parameter is optional. If it is not included, it defaults to a slash (/).
	//
	// This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\ u0021` ) through the DEL character ( `\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.
	Path *string `json:"path" yaml:"path"`
	// A list of tags that you want to attach to the new IAM virtual MFA device.
	//
	// Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
	//
	// > If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
	Tags *[]*awscdk.CfnTag `json:"tags" yaml:"tags"`
	// The name of the virtual MFA device. Use with path to uniquely identify a virtual MFA device.
	//
	// This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
	VirtualMfaDeviceName *string `json:"virtualMfaDeviceName" yaml:"virtualMfaDeviceName"`
}
Properties for defining a `CfnVirtualMFADevice`.
TODO: EXAMPLE
type CommonGrantOptions ¶
// CommonGrantOptions are the basic options shared by every grant operation: what actions,
// to whom, and on which resources. The more specific option structs repeat these fields.
type CommonGrantOptions struct {
	// The actions to grant.
	Actions *[]*string `json:"actions" yaml:"actions"`
	// The principal to grant to.
	Grantee IGrantable `json:"grantee" yaml:"grantee"`
	// The resource ARNs to grant to.
	//
	// Keep these as narrow as the use case allows; a `*` here widens the statement to
	// every resource the actions apply to.
	ResourceArns *[]*string `json:"resourceArns" yaml:"resourceArns"`
}
Basic options for a grant operation.
TODO: EXAMPLE
type CompositeDependable ¶
// CompositeDependable is a dependable that aggregates several inner dependables; the
// dependency roots are resolved when queried rather than at construction time.
type CompositeDependable interface {
	constructs.IDependable
}
Composite dependable.
This is not as simple as eagerly collecting the dependency roots from the inner dependables, because they may be mutable, so the query must be deferred.
TODO: EXAMPLE
func NewCompositeDependable ¶
// NewCompositeDependable builds a CompositeDependable from the given inner dependables.
func NewCompositeDependable(dependables ...constructs.IDependable) CompositeDependable
type CompositePrincipal ¶
// CompositePrincipal is a principal made up of several principals (for example several
// ServicePrincipals). Per its documentation, a composite principal cannot carry conditions.
type CompositePrincipal interface {
	PrincipalBase
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	// AddPrincipals appends more principals and returns the composite for chaining.
	AddPrincipals(principals ...IPrincipal) CompositePrincipal
	AddToAssumeRolePolicy(doc PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	// NOTE(review): the type doc states a composite principal cannot have conditions, but
	// WithConditions is still part of the interface; whether it errors or wraps is not
	// visible from this declaration — confirm before relying on it.
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
Represents a principal that has multiple types of principals.
A composite principal cannot have conditions (for example, multiple ServicePrincipals that together form a composite principal).
TODO: EXAMPLE
func NewCompositePrincipal ¶
// NewCompositePrincipal builds a CompositePrincipal from the given principals.
func NewCompositePrincipal(principals ...IPrincipal) CompositePrincipal
type Effect ¶
// Effect is the `Effect` element of an IAM policy statement. Its named values are not
// visible in this excerpt; see the linked reference for the allowed values.
type Effect string
The Effect element of an IAM policy.
TODO: EXAMPLE
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html
type FederatedPrincipal ¶
// FederatedPrincipal represents a federated identity provider (such as Amazon Cognito)
// whose authenticated users can obtain temporary credentials.
//
// The Conditions supplied at construction are what narrow the trust to specific
// federated identities; without them the trust presumably extends to every identity the
// provider vouches for — confirm against the provider's documented condition keys.
type FederatedPrincipal interface {
	PrincipalBase
	AssumeRoleAction() *string
	// Conditions returns the condition block attached to this principal.
	Conditions() *map[string]interface{}
	// Federated returns the identity provider identifier this principal trusts.
	Federated() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
Principal entity that represents a federated identity provider such as Amazon Cognito, that can be used to provide temporary security credentials to users who have been authenticated.
Additional condition keys are available when the temporary security credentials are used to make a request. You can use these keys to write policies that limit the access of federated users.
TODO: EXAMPLE
func NewFederatedPrincipal ¶
// NewFederatedPrincipal builds a FederatedPrincipal for the identity provider `federated`,
// restricted by `conditions`, using `assumeRoleAction` as the action in assume-role policies.
func NewFederatedPrincipal(federated *string, conditions *map[string]interface{}, assumeRoleAction *string) FederatedPrincipal
type FromRoleArnOptions ¶
// FromRoleArnOptions customizes the behavior of Role.fromRoleArn.
//
// Both options default to the conservative interpretation of an imported role; note that
// a grant dropped because of them is not an error, so the deployed role may lack
// permissions the code appears to grant.
type FromRoleArnOptions struct {
	// For immutable roles: add grants to resources instead of dropping them.
	//
	// If this is `false` or not specified, grant permissions added to this role are ignored.
	// It is your own responsibility to make sure the role has the required permissions.
	//
	// If this is `true`, any grant permissions will be added to the resource instead.
	AddGrantsToResources *bool `json:"addGrantsToResources" yaml:"addGrantsToResources"`
	// Whether the imported role can be modified by attaching policy resources to it.
	Mutable *bool `json:"mutable" yaml:"mutable"`
}
Options allowing customizing the behavior of {@link Role.fromRoleArn}.
TODO: EXAMPLE
type Grant ¶
// Grant is the result of a grant() operation. Consumers obtain one only through the
// Grant_* factory functions.
type Grant interface {
	constructs.IDependable
	// PrincipalStatement returns the statement added to the principal's policy, if any.
	PrincipalStatement() PolicyStatement
	// ResourceStatement returns the statement added to the resource policy, if any.
	ResourceStatement() PolicyStatement
	// Success reports whether the permissions were actually granted somewhere; a
	// dropped grant (see Grant_Drop) reports false.
	Success() *bool
	// ApplyBefore makes the given constructs depend on this grant. (The parameter name
	// shadows the `constructs` package inside any implementation body.)
	ApplyBefore(constructs ...constructs.IConstruct)
	// AssertSuccess fails if the grant was not successful; call it where a silently
	// dropped grant would be a security-relevant misconfiguration.
	AssertSuccess()
}
Result of a grant() operation.
This class is not instantiable by consumers on purpose, so that they will be required to call the Grant factory functions.
TODO: EXAMPLE
func Grant_AddToPrincipal ¶
// Grant_AddToPrincipal tries to grant the given permissions to the principal only.
// A missing principal produces a warning on options.Scope rather than an error.
func Grant_AddToPrincipal(options *GrantOnPrincipalOptions) Grant
Try to grant the given permissions to the given principal.
Absence of a principal leads to a warning, but failing to add the permissions to a present principal is not an error.
func Grant_AddToPrincipalAndResource ¶
// Grant_AddToPrincipalAndResource adds the grant both to the principal's policy and to the
// resource policy; the resource-side statement is the one reported by the returned Grant.
func Grant_AddToPrincipalAndResource(options *GrantOnPrincipalAndResourceOptions) Grant
Add a grant both on the principal and on the resource.
As long as any principal is given, granting on the principal may fail (in case of a non-identity principal), but granting on the resource will never fail.
Statement will be the resource statement.
func Grant_AddToPrincipalOrResource ¶
// Grant_AddToPrincipalOrResource grants to the principal policy first and falls back to
// the resource policy; having nowhere to put the statement is an error.
func Grant_AddToPrincipalOrResource(options *GrantWithResourceOptions) Grant
Grant the given permissions to the principal.
The permissions will be added to the principal policy primarily, falling back to the resource policy if necessary. The permissions must be granted somewhere.
- Trying to grant permissions to a principal that does not admit adding to the principal policy while not providing a resource with a resource policy is an error.
- Trying to grant permissions to an absent principal (possible in the case of imported resources) leads to a warning being added to the resource construct.
func Grant_Drop ¶
// Grant_Drop returns a no-op Grant representing permissions that were deliberately not
// applied (for example on an imported resource whose policy cannot be changed). The
// `_intent` argument is documentation only. Callers must not assume the grantee ended up
// with the permissions.
func Grant_Drop(grantee IGrantable, _intent *string) Grant
Returns a "no-op" `Grant` object which represents a "dropped grant".
This can be used for e.g. imported resources where you may not be able to modify the resource's policy or some underlying policy which you don't know about.
type GrantOnPrincipalAndResourceOptions ¶
// GrantOnPrincipalAndResourceOptions configures a grant applied to both the identity and
// the resource policy (see Grant_AddToPrincipalAndResource).
type GrantOnPrincipalAndResourceOptions struct {
	// The actions to grant.
	Actions *[]*string `json:"actions" yaml:"actions"`
	// The principal to grant to.
	Grantee IGrantable `json:"grantee" yaml:"grantee"`
	// The resource ARNs to grant to.
	ResourceArns *[]*string `json:"resourceArns" yaml:"resourceArns"`
	// The resource with a resource policy.
	//
	// The statement will always be added to the resource policy.
	Resource IResourceWithPolicy `json:"resource" yaml:"resource"`
	// The principal to use in the statement for the resource policy.
	//
	// This is the identity named in the resource policy's Principal element, so it
	// determines who the resource ends up trusting.
	ResourcePolicyPrincipal IPrincipal `json:"resourcePolicyPrincipal" yaml:"resourcePolicyPrincipal"`
	// When referring to the resource in a resource policy, use this as ARN.
	//
	// (Depending on the resource type, this needs to be '*' in a resource policy).
	ResourceSelfArns *[]*string `json:"resourceSelfArns" yaml:"resourceSelfArns"`
}
Options for a grant operation to both identity and resource.
TODO: EXAMPLE
type GrantOnPrincipalOptions ¶
// GrantOnPrincipalOptions configures a grant that only touches the principal's policy
// (see Grant_AddToPrincipal).
type GrantOnPrincipalOptions struct {
	// The actions to grant.
	Actions *[]*string `json:"actions" yaml:"actions"`
	// The principal to grant to.
	Grantee IGrantable `json:"grantee" yaml:"grantee"`
	// The resource ARNs to grant to.
	ResourceArns *[]*string `json:"resourceArns" yaml:"resourceArns"`
	// Construct to report warnings on in case grant could not be registered.
	Scope constructs.IConstruct `json:"scope" yaml:"scope"`
}
Options for a grant operation that only applies to principals.
TODO: EXAMPLE
type GrantWithResourceOptions ¶
// GrantWithResourceOptions configures a grant that prefers the principal policy and falls
// back to the resource policy (see Grant_AddToPrincipalOrResource).
type GrantWithResourceOptions struct {
	// The actions to grant.
	Actions *[]*string `json:"actions" yaml:"actions"`
	// The principal to grant to.
	Grantee IGrantable `json:"grantee" yaml:"grantee"`
	// The resource ARNs to grant to.
	ResourceArns *[]*string `json:"resourceArns" yaml:"resourceArns"`
	// The resource with a resource policy.
	//
	// The statement will be added to the resource policy if it couldn't be
	// added to the principal policy.
	Resource IResourceWithPolicy `json:"resource" yaml:"resource"`
	// When referring to the resource in a resource policy, use this as ARN.
	//
	// (Depending on the resource type, this needs to be '*' in a resource policy).
	ResourceSelfArns *[]*string `json:"resourceSelfArns" yaml:"resourceSelfArns"`
}
Options for a grant operation.
TODO: EXAMPLE
type Group ¶
// Group is the L2 construct for an IAM group: a collection of users that share the
// permissions attached to the group.
type Group interface {
	awscdk.Resource
	IGroup
	AssumeRoleAction() *string
	Env() *awscdk.ResourceEnvironment
	GrantPrincipal() IPrincipal
	GroupArn() *string
	GroupName() *string
	Node() constructs.Node
	PhysicalName() *string
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	Stack() awscdk.Stack
	// AddManagedPolicy attaches a managed policy to the group.
	AddManagedPolicy(policy IManagedPolicy)
	// AddToPolicy adds a statement to the group's default policy; the returned *bool
	// reports whether it was added (see the Grant docs for how callers use this).
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	// AddUser adds a user to the group.
	AddUser(user IUser)
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// AttachInlinePolicy attaches an inline policy to the group.
	AttachInlinePolicy(policy Policy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}
An IAM Group (collection of IAM users) lets you specify permissions for multiple users, which can make it easier to manage permissions for those users.
TODO: EXAMPLE
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html
func NewGroup ¶
// NewGroup creates a new IAM group as a child of scope with the given construct id and
// properties.
func NewGroup(scope constructs.Construct, id *string, props *GroupProps) Group
type GroupProps ¶
// GroupProps holds the properties for defining an IAM group. All fields are optional.
type GroupProps struct {
	// A name for the IAM group.
	//
	// For valid values, see the GroupName parameter
	// for the CreateGroup action in the IAM API Reference. If you don't specify
	// a name, AWS CloudFormation generates a unique physical ID and uses that
	// ID for the group name.
	//
	// If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
	// acknowledge your template's capabilities. For more information, see
	// Acknowledging IAM Resources in AWS CloudFormation Templates.
	GroupName *string `json:"groupName" yaml:"groupName"`
	// A list of managed policies associated with this group.
	//
	// You can add managed policies later using
	// `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
	ManagedPolicies *[]IManagedPolicy `json:"managedPolicies" yaml:"managedPolicies"`
	// The path to the group.
	//
	// For more information about paths, see [IAM
	// Identifiers](http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?Using_Identifiers.html)
	// in the IAM User Guide.
	Path *string `json:"path" yaml:"path"`
}
Properties for defining an IAM group.
TODO: EXAMPLE
type IAccessKey ¶ added in v2.7.0
// IAccessKey represents an IAM access key pair.
type IAccessKey interface {
	awscdk.IResource
	// The Access Key ID.
	AccessKeyId() *string
	// The Secret Access Key.
	//
	// Exposed as an awscdk.SecretValue rather than a plain string; keep it wrapped and
	// only unwrap it at the point of use so the secret is not rendered into the template
	// or logged by accident.
	SecretAccessKey() awscdk.SecretValue
}
Represents an IAM Access Key. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
type IAssumeRolePrincipal ¶ added in v2.4.0
// IAssumeRolePrincipal is a principal that renders itself into a role's
// AssumeRolePolicyDocument directly, for identity providers that need more than the
// default `{ Effect: 'Allow', Action: 'AssumeRole', Principal: ... }` statement.
type IAssumeRolePrincipal interface {
	IPrincipal
	// Add the principal to the AssumeRolePolicyDocument.
	//
	// Add the statements to the AssumeRolePolicyDocument necessary to give this principal
	// permissions to assume the given role.
	AddToAssumeRolePolicy(document PolicyDocument)
}
A type of principal that has more control over its own representation in AssumeRolePolicyDocuments.
More complex types of identity providers need more control over Role's policy documents than simply `{ Effect: 'Allow', Action: 'AssumeRole', Principal: <Whatever> }`.
If that control is necessary, they can implement `IAssumeRolePrincipal` to get full access to a Role's AssumeRolePolicyDocument.
type IGrantable ¶
// IGrantable is any object with an associated principal that permissions can be granted to.
type IGrantable interface {
	// The principal to grant permissions to.
	GrantPrincipal() IPrincipal
}
Any object that has an associated principal that a permission can be granted to.
type IGroup ¶
// IGroup represents an IAM group, whether defined in this app or imported.
type IGroup interface {
	IIdentity
	// Returns the IAM Group ARN.
	GroupArn() *string
	// Returns the IAM Group Name.
	//
	// See the Group_FromGroupArn docs: when the ARN is a token and the group has a
	// path, this resolves to the first path component rather than the real name.
	GroupName() *string
}
Represents an IAM Group. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html
func Group_FromGroupArn ¶
Import an external group by ARN.
If the imported Group ARN is a Token (such as a `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced group has a `path` (like `arn:...:group/AdminGroup/NetworkAdmin`), the `groupName` property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Group ARN should be supplied without the `path` in order to resolve the correct group resource.
func Group_FromGroupName ¶ added in v2.1.0
Import an existing group by given name (with path).
This method has the same caveats as `fromGroupArn`.
type IIdentity ¶
// IIdentity is a construct that represents an IAM principal such as a user, group or role,
// i.e. a principal that is also a resource policies can be attached to.
type IIdentity interface {
	IPrincipal
	awscdk.IResource
	// Attaches a managed policy to this principal.
	AddManagedPolicy(policy IManagedPolicy)
	// Attaches an inline policy to this principal.
	//
	// This is the same as calling `policy.addToXxx(principal)`.
	AttachInlinePolicy(policy Policy)
}
A construct that represents an IAM principal, such as a user, group or role.
type IManagedPolicy ¶
// IManagedPolicy is a managed policy, identified solely by its ARN.
type IManagedPolicy interface {
	// The ARN of the managed policy.
	ManagedPolicyArn() *string
}
A managed policy.
func ManagedPolicy_FromAwsManagedPolicyName ¶
// ManagedPolicy_FromAwsManagedPolicyName imports one of the AWS-managed policies by name.
// Include any "service-role/" or "job-function/" prefix that is part of the name.
func ManagedPolicy_FromAwsManagedPolicyName(managedPolicyName *string) IManagedPolicy
Import a managed policy from one of the policies that AWS manages.
For this managed policy, you only need to know the name to be able to use it.
Some managed policy names start with "service-role/", some start with "job-function/", and some don't start with anything. Include the prefix when constructing this object.
func ManagedPolicy_FromManagedPolicyArn ¶
// ManagedPolicy_FromManagedPolicyArn imports an external managed policy by ARN. See the
// accompanying docs for the caveat about tokenized ARNs that contain a path.
func ManagedPolicy_FromManagedPolicyArn(scope constructs.Construct, id *string, managedPolicyArn *string) IManagedPolicy
Import an external managed policy by ARN.
For this managed policy, you only need to know the ARN to be able to use it. This can be useful if you got the ARN from a CloudFormation Export.
If the imported Managed Policy ARN is a Token (such as a `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced managed policy has a `path` (like `arn:...:policy/AdminPolicy/AdminAllow`), the `managedPolicyName` property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Managed Policy ARN should be supplied without the `path` in order to resolve the correct managed policy resource.
func ManagedPolicy_FromManagedPolicyName ¶
// ManagedPolicy_FromManagedPolicyName imports a customer-managed policy by name.
func ManagedPolicy_FromManagedPolicyName(scope constructs.Construct, id *string, managedPolicyName *string) IManagedPolicy
Import a customer managed policy from the managedPolicyName.
For this managed policy, you only need to know the name to be able to use it.
type IOpenIdConnectProvider ¶
// IOpenIdConnectProvider represents an IAM OpenID Connect identity provider.
type IOpenIdConnectProvider interface {
	awscdk.IResource
	// The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.
	OpenIdConnectProviderArn() *string
	// The issuer for OIDC Provider.
	OpenIdConnectProviderIssuer() *string
}
Represents an IAM OpenID Connect provider.
func OpenIdConnectProvider_FromOpenIdConnectProviderArn ¶
// OpenIdConnectProvider_FromOpenIdConnectProviderArn imports an existing OpenID Connect
// provider from its ARN.
func OpenIdConnectProvider_FromOpenIdConnectProviderArn(scope constructs.Construct, id *string, openIdConnectProviderArn *string) IOpenIdConnectProvider
Imports an Open ID connect provider from an ARN.
type IPolicy ¶
// IPolicy represents an IAM (inline) policy, identified by name.
type IPolicy interface {
	awscdk.IResource
	// The name of this policy.
	PolicyName() *string
}
Represents an IAM Policy. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html
func Policy_FromPolicyName ¶
Import a policy in this app based on its name.
type IPrincipal ¶
// IPrincipal represents a logical IAM principal: an entity that can perform AWS API calls
// against sets of resources, optionally under conditions. A single IPrincipal may map to
// many physical principals (for example an organization).
type IPrincipal interface {
	IGrantable
	// Add to the policy of this principal.
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	// When this Principal is used in an AssumeRole policy, the action to use.
	AssumeRoleAction() *string
	// Return the policy fragment that identifies this principal in a Policy.
	PolicyFragment() PrincipalPolicyFragment
	// The AWS account ID of this principal.
	//
	// Can be undefined when the account is not known
	// (for example, for service principals).
	// Can be a Token - in that case,
	// it's assumed to be AWS::AccountId.
	PrincipalAccount() *string
}
Represents a logical IAM principal.
An IPrincipal describes a logical entity that can perform AWS API calls against sets of resources, optionally under certain conditions.
Examples of simple principals are IAM objects that you create, such as Users or Roles.
An example of a more complex principal is a `ServicePrincipal` (such as `new ServicePrincipal("sns.amazonaws.com")`, which represents the Simple Notification Service).
A single logical Principal may also map to a set of physical principals. For example, `new OrganizationPrincipal('o-1234')` represents all identities that are part of the given AWS Organization.
type IResourceWithPolicy ¶
// IResourceWithPolicy is a resource that owns a resource policy statements can be added to.
type IResourceWithPolicy interface {
	awscdk.IResource
	// Add a statement to the resource's resource policy.
	AddToResourcePolicy(statement PolicyStatement) *AddToResourcePolicyResult
}
A resource with a resource policy that can be added to.
type IRole ¶
// IRole represents an IAM role, whether defined in this app or imported.
type IRole interface {
	IIdentity
	// Grant the actions defined in actions to the identity Principal on this resource.
	Grant(grantee IPrincipal, actions ...*string) Grant
	// Grant permissions to the given principal to pass this role.
	//
	// iam:PassRole lets the grantee hand this role to a service; it is effectively a grant
	// of everything the role can do, so keep the set of grantees small.
	GrantPassRole(grantee IPrincipal) Grant
	// Returns the ARN of this role.
	RoleArn() *string
	// Returns the name of this role.
	//
	// See Role_FromRoleArn for the caveat about tokenized ARNs that contain a path.
	RoleName() *string
}
A Role object.
func Role_FromRoleArn ¶
// Role_FromRoleArn imports an external role by ARN. The options control whether grants
// against the imported role are applied, redirected to resources, or silently dropped
// (see FromRoleArnOptions); options may be nil for the defaults — confirm.
func Role_FromRoleArn(scope constructs.Construct, id *string, roleArn *string, options *FromRoleArnOptions) IRole
Import an external role by ARN.
If the imported Role ARN is a Token (such as a `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced role has a `path` (like `arn:...:role/AdminRoles/Alice`), the `roleName` property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the `path` in order to resolve the correct role resource.
func Role_FromRoleName ¶ added in v2.13.0
Import an external role by name.
The imported role is assumed to exist in the same account as the account the scope's containing Stack is being deployed to.
type ISamlProvider ¶
// ISamlProvider represents an IAM SAML identity provider.
type ISamlProvider interface {
	awscdk.IResource
	// The Amazon Resource Name (ARN) of the provider.
	SamlProviderArn() *string
}
A SAML provider.
func SamlProvider_FromSamlProviderArn ¶
// SamlProvider_FromSamlProviderArn imports an existing SAML provider from its ARN.
func SamlProvider_FromSamlProviderArn(scope constructs.Construct, id *string, samlProviderArn *string) ISamlProvider
Import an existing provider.
type IUser ¶
// IUser represents an IAM user, whether defined in this app or imported.
type IUser interface {
	IIdentity
	// Adds this user to a group.
	AddToGroup(group IGroup)
	// The user's ARN.
	UserArn() *string
	// The user's name.
	//
	// For users imported from a tokenized ARN with a path, referencing this fails (see
	// User_FromUserArn).
	UserName() *string
}
Represents an IAM user. See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html
func User_FromUserArn ¶
Import an existing user given a user ARN.
If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail.
func User_FromUserAttributes ¶
// User_FromUserAttributes imports an existing user from a UserAttributes value.
func User_FromUserAttributes(scope constructs.Construct, id *string, attrs *UserAttributes) IUser
Import an existing user given user attributes.
If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail.
func User_FromUserName ¶
Import an existing user given a username.
type LazyRole ¶
// LazyRole is an IAM role that is attached to the construct tree only once it
// is used, not before.
//
// It simplifies constructs that need a role only under certain configurations
// (such as when AutoScaling is configured): the role is configured in one
// place, and if nothing ever uses it, it is never instantiated and is neither
// synthesized nor deployed.
type LazyRole interface {
	awscdk.Resource
	IRole

	// Identity and environment accessors.
	AssumeRoleAction() *string
	Env() *awscdk.ResourceEnvironment
	GrantPrincipal() IPrincipal
	Node() constructs.Node
	PhysicalName() *string
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	RoleArn() *string
	RoleId() *string
	RoleName() *string
	Stack() awscdk.Stack

	// Policy attachment and permission changes.
	AddManagedPolicy(policy IManagedPolicy)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	AttachInlinePolicy(policy Policy)
	Grant(identity IPrincipal, actions ...*string) Grant
	GrantPassRole(identity IPrincipal) Grant

	// Resource lifecycle and naming helpers inherited from the resource base.
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}
An IAM role that only gets attached to the construct tree once it gets used, not before.
This construct can be used to simplify logic in other constructs which need to create a role but only if certain configurations occur (such as when AutoScaling is configured). The role can be configured in one place, but if it never gets used it doesn't get instantiated and will not be synthesized or deployed.
TODO: EXAMPLE
func NewLazyRole ¶
func NewLazyRole(scope constructs.Construct, id *string, props *LazyRoleProps) LazyRole
type LazyRoleProps ¶
// LazyRoleProps holds the properties for defining a LazyRole.
//
// The role is described here once; it is only materialized if something in
// the construct tree actually uses it.
type LazyRoleProps struct {
	// AssumedBy is the IAM principal (i.e. `new ServicePrincipal('sns.amazonaws.com')`)
	// that is allowed to assume this role. The assume-role policy document can
	// be modified later through the `assumeRolePolicy` property.
	AssumedBy IPrincipal `json:"assumedBy" yaml:"assumedBy"`
	// Description of the role; up to 1000 characters long.
	Description *string `json:"description" yaml:"description"`
	// ExternalIds lists the IDs of which the assumer must supply one when
	// assuming this role. If the configured and provided external IDs do not
	// match, the AssumeRole operation fails.
	ExternalIds *[]*string `json:"externalIds" yaml:"externalIds"`
	// InlinePolicies are named policies inlined into this role. They are
	// created together with the role, whereas policies added through
	// `addToPolicy` become a separate CloudFormation resource (a way around
	// circular dependencies that could otherwise be introduced).
	InlinePolicies *map[string]PolicyDocument `json:"inlinePolicies" yaml:"inlinePolicies"`
	// ManagedPolicies lists the managed policies attached to this role. More
	// can be added later with
	// `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
	ManagedPolicies *[]IManagedPolicy `json:"managedPolicies" yaml:"managedPolicies"`
	// MaxSessionDuration is the longest session that may be requested for this
	// role, from 1 hour (3600 s) to 12 hours (43200 s).
	//
	// Anyone assuming the role from the AWS CLI or API may request a longer
	// session with the DurationSeconds API parameter (duration-seconds in the
	// CLI); this setting caps what can be requested. When DurationSeconds is
	// not specified, the credentials are valid for one hour by default.
	//
	// This applies to the AssumeRole* API operations and the assume-role* CLI
	// operations, but not when those operations are used to create a console
	// URL.
	MaxSessionDuration awscdk.Duration `json:"maxSessionDuration" yaml:"maxSessionDuration"`
	// Path associated with this role. For information about IAM paths, see
	// "Friendly Names and Paths" in the IAM User Guide.
	Path *string `json:"path" yaml:"path"`
	// PermissionsBoundary is a managed policy used as this role's permissions
	// boundary. A boundary is an advanced feature that sets the maximum
	// permissions an identity-based policy can grant: the entity may only
	// perform actions allowed by both its identity-based policies and its
	// boundary.
	PermissionsBoundary IManagedPolicy `json:"permissionsBoundary" yaml:"permissionsBoundary"`
	// RoleName is an explicit name for the IAM role. For valid values, see the
	// RoleName parameter of the CreateRole action in the IAM API Reference.
	//
	// IMPORTANT: with an explicit name you cannot perform updates that require
	// replacement of this resource; only updates that require no or some
	// interruption are possible. To replace the resource, specify a new name.
	//
	// An explicit name also requires the CAPABILITY_NAMED_IAM value to
	// acknowledge the template's capabilities; see "Acknowledging IAM
	// Resources in AWS CloudFormation Templates".
	RoleName *string `json:"roleName" yaml:"roleName"`
}
Properties for defining a LazyRole.
TODO: EXAMPLE
type ManagedPolicy ¶
// ManagedPolicy is an IAM managed policy resource.
type ManagedPolicy interface {
	awscdk.Resource
	IManagedPolicy

	// Policy attribute accessors.
	Description() *string
	Document() PolicyDocument
	ManagedPolicyArn() *string
	ManagedPolicyName() *string
	Path() *string

	// Construct and environment accessors.
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	Stack() awscdk.Stack

	// AddStatements appends statements to the policy document.
	AddStatements(statement ...PolicyStatement)

	// Attachment to IAM identities.
	AttachToGroup(group IGroup)
	AttachToRole(role IRole)
	AttachToUser(user IUser)

	// Resource lifecycle and naming helpers.
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}
Managed policy.
TODO: EXAMPLE
func NewManagedPolicy ¶
func NewManagedPolicy(scope constructs.Construct, id *string, props *ManagedPolicyProps) ManagedPolicy
type ManagedPolicyProps ¶
// ManagedPolicyProps holds the properties for defining an IAM managed policy.
type ManagedPolicyProps struct {
	// Description of the managed policy, typically describing the permissions
	// it defines (for example, "Grants access to production DynamoDB tables.").
	// The description is immutable: once assigned it cannot be changed.
	Description *string `json:"description" yaml:"description"`
	// Document is the initial PolicyDocument for this ManagedPolicy. If
	// omitted, any `PolicyStatement` given in `statements` is applied against
	// an empty default `PolicyDocument`.
	Document PolicyDocument `json:"document" yaml:"document"`
	// Groups to attach this policy to; `attachToGroup(group)` does the same
	// later.
	Groups *[]IGroup `json:"groups" yaml:"groups"`
	// ManagedPolicyName is the name of the managed policy. When several
	// policies are given for one entity (for example a list of policies for an
	// IAM role), each must have a unique name.
	ManagedPolicyName *string `json:"managedPolicyName" yaml:"managedPolicyName"`
	// Path for the policy. Its regex pattern allows either a single forward
	// slash (/) or a string that begins and ends with forward slashes and may
	// contain any ASCII character from ! (\u0021) through DEL (\u007F),
	// including most punctuation, digits, and upper- and lowercase letters.
	//
	// For more about paths, see "IAM Identifiers" in the IAM User Guide.
	Path *string `json:"path" yaml:"path"`
	// Roles to attach this policy to; `attachToRole(role)` does the same later.
	Roles *[]IRole `json:"roles" yaml:"roles"`
	// Statements is the initial set of permissions for this policy document;
	// `addPermission(statement)` adds more later.
	Statements *[]PolicyStatement `json:"statements" yaml:"statements"`
	// Users to attach this policy to; `attachToUser(user)` does the same later.
	Users *[]IUser `json:"users" yaml:"users"`
}
Properties for defining an IAM managed policy.
TODO: EXAMPLE
type OpenIdConnectPrincipal ¶
// OpenIdConnectPrincipal is a principal representing a federated identity
// provider backed by an OpenID Connect provider.
type OpenIdConnectPrincipal interface {
	WebIdentityPrincipal

	// Principal accessors.
	AssumeRoleAction() *string
	Conditions() *map[string]interface{}
	Federated() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string

	// Policy helpers.
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult

	// Serialization and derived principals.
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
A principal that represents a federated identity provider backed by an OpenID Connect provider.
TODO: EXAMPLE
func NewOpenIdConnectPrincipal ¶
func NewOpenIdConnectPrincipal(openIdConnectProvider IOpenIdConnectProvider, conditions *map[string]interface{}) OpenIdConnectPrincipal
type OpenIdConnectProvider ¶
// OpenIdConnectProvider is an IAM OIDC identity provider: an IAM entity that
// describes an external identity provider (IdP) supporting the OpenID Connect
// standard, such as Google or Salesforce.
//
// Use it to establish trust between an OIDC-compatible IdP and your AWS
// account, for example for a mobile or web application that needs AWS
// resources without custom sign-in code or self-managed user identities.
//
// See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
type OpenIdConnectProvider interface {
	awscdk.Resource
	IOpenIdConnectProvider

	// Provider attribute accessors.
	OpenIdConnectProviderArn() *string
	OpenIdConnectProviderIssuer() *string

	// Construct and environment accessors.
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	Stack() awscdk.Stack

	// Resource lifecycle and naming helpers.
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}
IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce.
You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities.
TODO: EXAMPLE
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
func NewOpenIdConnectProvider ¶
func NewOpenIdConnectProvider(scope constructs.Construct, id *string, props *OpenIdConnectProviderProps) OpenIdConnectProvider
Defines an OpenID Connect provider.
type OpenIdConnectProviderProps ¶
// OpenIdConnectProviderProps holds the initialization properties for
// `OpenIdConnectProvider`.
type OpenIdConnectProviderProps struct {
	// Url of the identity provider. It must begin with https:// and should
	// match the iss claim in the provider's OpenID Connect ID tokens. Per the
	// OIDC standard, path components are allowed but query parameters are
	// not; typically the URL is only a hostname, like https://server.example.org
	// or https://example.com.
	//
	// The same provider cannot be registered twice in one AWS account:
	// submitting a URL already used for an OpenID Connect provider in the
	// account is an error.
	Url *string `json:"url" yaml:"url"`
	// ClientIds lists the client IDs (also known as audiences). When a mobile
	// or web app registers with an OpenID Connect provider it establishes a
	// value identifying the application — the value sent as the client_id
	// parameter on OAuth requests.
	//
	// Multiple client IDs may be registered with one provider (for example,
	// several applications using the same OIDC provider), up to 100 per IAM
	// OIDC provider. Each client ID is at most 255 characters long.
	ClientIds *[]*string `json:"clientIds" yaml:"clientIds"`
	// Thumbprints lists server certificate thumbprints for the OIDC identity
	// provider's server certificates. Usually there is one entry, but IAM
	// allows up to five so that multiple thumbprints can be kept while the
	// provider rotates certificates.
	//
	// A thumbprint is the hex-encoded SHA-1 hash of the X.509 certificate
	// used by the domain where the provider makes its keys available; it is
	// always a 40-character string. At least one thumbprint is required when
	// creating an IAM OIDC provider.
	//
	// For example, if the provider is server.example.com and stores its keys
	// at https://keys.server.example.com/openid-connect, the thumbprint is the
	// hex-encoded SHA-1 hash of the certificate used by
	// https://keys.server.example.com.
	Thumbprints *[]*string `json:"thumbprints" yaml:"thumbprints"`
}
Initialization properties for `OpenIdConnectProvider`.
TODO: EXAMPLE
type OrganizationPrincipal ¶
// OrganizationPrincipal is a principal that represents an AWS Organization.
type OrganizationPrincipal interface {
	PrincipalBase

	// Principal accessors.
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	OrganizationId() *string
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string

	// Policy helpers.
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult

	// Serialization and derived principals.
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
A principal that represents an AWS Organization.
TODO: EXAMPLE
func NewOrganizationPrincipal ¶
func NewOrganizationPrincipal(organizationId *string) OrganizationPrincipal
type PermissionsBoundary ¶
// PermissionsBoundary modifies the permissions boundaries of the users and
// roles in a construct tree. Obtain one with PermissionsBoundary_Of.
type PermissionsBoundary interface {
	// Apply sets boundaryPolicy as the permissions boundary.
	Apply(boundaryPolicy IManagedPolicy)
	// Clear removes the permissions boundary.
	Clear()
}
Modify the Permissions Boundaries of Users and Roles in a construct tree.
```ts const policy = iam.ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess'); iam.PermissionsBoundary.of(this).apply(policy); ```
TODO: EXAMPLE
func PermissionsBoundary_Of ¶
func PermissionsBoundary_Of(scope constructs.IConstruct) PermissionsBoundary
Access the Permissions Boundaries of a construct tree.
type Policy ¶
// Policy is the AWS::IAM::Policy resource, which associates an IAM policy
// with IAM users, roles, or groups.
//
// For more information about IAM policies, see "Overview of IAM Policies"
// (http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html)
// in the IAM User Guide.
type Policy interface {
	awscdk.Resource
	IPolicy

	// Policy attribute accessors.
	Document() PolicyDocument
	PolicyName() *string

	// Construct and environment accessors.
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	Stack() awscdk.Stack

	// AddStatements appends statements to the policy document.
	AddStatements(statement ...PolicyStatement)

	// Attachment to IAM identities.
	AttachToGroup(group IGroup)
	AttachToRole(role IRole)
	AttachToUser(user IUser)

	// Resource lifecycle and naming helpers.
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}
The AWS::IAM::Policy resource associates an IAM policy with IAM users, roles, or groups.
For more information about IAM policies, see [Overview of IAM Policies](http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html) in the IAM User Guide.
TODO: EXAMPLE
func NewPolicy ¶
func NewPolicy(scope constructs.Construct, id *string, props *PolicyProps) Policy
type PolicyDocument ¶
// PolicyDocument is a collection of policy statements.
type PolicyDocument interface {
	awscdk.IResolvable

	// Document state accessors.
	CreationStack() *[]*string
	IsEmpty() *bool
	StatementCount() *float64

	// AddStatements appends statements to the document.
	AddStatements(statement ...PolicyStatement)

	// Resolution and serialization.
	Resolve(context awscdk.IResolveContext) interface{}
	ToJSON() interface{}
	ToString() *string

	// Validation; each returns the list of findings for the given policy kind.
	ValidateForAnyPolicy() *[]*string
	ValidateForIdentityPolicy() *[]*string
	ValidateForResourcePolicy() *[]*string
}
A PolicyDocument is a collection of statements.
TODO: EXAMPLE
func NewPolicyDocument ¶
func NewPolicyDocument(props *PolicyDocumentProps) PolicyDocument
func PolicyDocument_FromJson ¶
func PolicyDocument_FromJson(obj interface{}) PolicyDocument
Creates a new PolicyDocument based on the object provided.
This will accept an object created from the `.toJSON()` call.
type PolicyDocumentProps ¶
// PolicyDocumentProps holds the properties for a new PolicyDocument.
type PolicyDocumentProps struct {
	// AssignSids, when set, automatically assigns Statement Ids to all
	// statements.
	AssignSids *bool `json:"assignSids" yaml:"assignSids"`
	// Statements are the initial statements added to the policy document.
	Statements *[]PolicyStatement `json:"statements" yaml:"statements"`
}
Properties for a new PolicyDocument.
TODO: EXAMPLE
type PolicyProps ¶
// PolicyProps holds the properties for defining an IAM inline policy document.
type PolicyProps struct {
	// Document is the initial PolicyDocument for this Policy. If omitted, any
	// `PolicyStatement` given in `statements` is applied against an empty
	// default `PolicyDocument`.
	Document PolicyDocument `json:"document" yaml:"document"`
	// Force forces creation of an `AWS::IAM::Policy`.
	//
	// Unless set to `true`, this `Policy` construct does not materialize to an
	// `AWS::IAM::Policy` CloudFormation resource when it would have no effect
	// (for example, when it stays unattached to an IAM identity or has no
	// statements). That is generally the desired behavior, since it avoids
	// producing invalid — and hence undeployable — CloudFormation templates.
	//
	// Set this to `true` when the policy must be created and it is actually an
	// error if no statements have been added to it.
	Force *bool `json:"force" yaml:"force"`
	// Groups to attach this policy to; `attachToGroup(group)` does the same
	// later.
	Groups *[]IGroup `json:"groups" yaml:"groups"`
	// PolicyName is the name of the policy. When several policies are given
	// for one entity (for example a list of policies for an IAM role), each
	// must have a unique name.
	PolicyName *string `json:"policyName" yaml:"policyName"`
	// Roles to attach this policy to; `attachToRole(role)` does the same later.
	Roles *[]IRole `json:"roles" yaml:"roles"`
	// Statements is the initial set of permissions for this policy document;
	// `addStatements(...statement)` adds more later.
	Statements *[]PolicyStatement `json:"statements" yaml:"statements"`
	// Users to attach this policy to; `attachToUser(user)` does the same later.
	Users *[]IUser `json:"users" yaml:"users"`
}
Properties for defining an IAM inline policy document.
TODO: EXAMPLE
type PolicyStatement ¶
// PolicyStatement represents a statement in an IAM policy document.
type PolicyStatement interface {
	// Effect and Sid accessors/mutators.
	Effect() Effect
	SetEffect(val Effect)
	Sid() *string
	SetSid(val *string)
	HasPrincipal() *bool
	HasResource() *bool

	// Actions and resources.
	AddActions(actions ...*string)
	AddNotActions(notActions ...*string)
	AddResources(arns ...*string)
	AddNotResources(arns ...*string)
	// AddAllResources is a wildcard helper; the breadth of the resulting
	// statement is worth reviewing.
	AddAllResources()

	// Principals.
	AddPrincipals(principals ...IPrincipal)
	AddNotPrincipals(notPrincipals ...IPrincipal)
	AddAccountRootPrincipal()
	AddArnPrincipal(arn *string)
	AddAwsAccountPrincipal(accountId *string)
	AddCanonicalUserPrincipal(canonicalUserId *string)
	AddFederatedPrincipal(federated interface{}, conditions *map[string]interface{})
	AddServicePrincipal(service *string, opts *ServicePrincipalOpts)
	// AddAnyPrincipal is a wildcard helper; the breadth of the resulting
	// statement is worth reviewing.
	AddAnyPrincipal()

	// Conditions.
	AddAccountCondition(accountId *string)
	AddCondition(key *string, value interface{})
	AddConditions(conditions *map[string]interface{})

	// Serialization.
	ToJSON() interface{}
	ToStatementJson() interface{}
	ToString() *string

	// Validation; each returns the list of findings for the given policy kind.
	ValidateForAnyPolicy() *[]*string
	ValidateForIdentityPolicy() *[]*string
	ValidateForResourcePolicy() *[]*string
}
Represents a statement in an IAM policy document.
TODO: EXAMPLE
func NewPolicyStatement ¶
func NewPolicyStatement(props *PolicyStatementProps) PolicyStatement
func PolicyStatement_FromJson ¶
func PolicyStatement_FromJson(obj interface{}) PolicyStatement
Creates a new PolicyStatement based on the object provided.
This will accept an object created from the `.toJSON()` call.
type PolicyStatementProps ¶
// PolicyStatementProps is the interface for creating a policy statement.
type PolicyStatementProps struct {
	// Actions to add to the statement.
	Actions *[]*string `json:"actions" yaml:"actions"`
	// Conditions to add to the statement.
	Conditions *map[string]interface{} `json:"conditions" yaml:"conditions"`
	// Effect says whether the actions in this statement are allowed or denied.
	Effect Effect `json:"effect" yaml:"effect"`
	// NotActions to add to the statement.
	NotActions *[]*string `json:"notActions" yaml:"notActions"`
	// NotPrincipals to add to the statement.
	NotPrincipals *[]IPrincipal `json:"notPrincipals" yaml:"notPrincipals"`
	// NotResources are NotResource ARNs to add to the statement.
	NotResources *[]*string `json:"notResources" yaml:"notResources"`
	// Principals to add to the statement.
	Principals *[]IPrincipal `json:"principals" yaml:"principals"`
	// Resources are resource ARNs to add to the statement.
	Resources *[]*string `json:"resources" yaml:"resources"`
	// Sid (statement ID) is an optional identifier for the policy statement.
	// Each statement in a statement array may carry one. In services that let
	// you specify an ID element, such as SQS and SNS, the Sid is just a sub-ID
	// of the policy document's ID; in IAM, the Sid must be unique within a
	// JSON policy.
	Sid *string `json:"sid" yaml:"sid"`
}
Interface for creating a policy statement.
TODO: EXAMPLE
type PrincipalBase ¶
// PrincipalBase is the base class for policy principals.
type PrincipalBase interface {
	IAssumeRolePrincipal

	// Principal accessors.
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string

	// Policy helpers.
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult

	// Serialization and derived principals.
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
Base class for policy principals.
TODO: EXAMPLE
type PrincipalPolicyFragment ¶
// PrincipalPolicyFragment is the set of PolicyStatement fields that identify
// a principal: the JSON of the "Principal" field, plus an optional set of
// "Condition"s that must be applied to the policy.
//
// A principal generally looks like { '<TYPE>': ['ID', 'ID', ...] }, which is
// also the shape of PrincipalJson. The special principal that is just the
// string '*' (treated differently by some services) is represented as
// { 'LiteralString': ['*'] }.
type PrincipalPolicyFragment interface {
	// Conditions returns the "Condition"s to apply, if any.
	Conditions() *map[string]interface{}
	// PrincipalJson returns the JSON used in the "Principal" field.
	PrincipalJson() *map[string]*[]*string
}
A collection of the fields in a PolicyStatement that can be used to identify a principal.
This consists of the JSON used in the "Principal" field, and optionally a set of "Condition"s that need to be applied to the policy.
Generally, a principal looks like:
{ '<TYPE>': ['ID', 'ID', ...] }
And this is also the type of the field `principalJson`. However, there is a special type of principal that is just the string '*', which is treated differently by some services. To represent that principal, `principalJson` should contain `{ 'LiteralString': ['*'] }`.
TODO: EXAMPLE
func NewPrincipalPolicyFragment ¶
func NewPrincipalPolicyFragment(principalJson *map[string]*[]*string, conditions *map[string]interface{}) PrincipalPolicyFragment
type PrincipalWithConditions ¶
// PrincipalWithConditions is an IAM principal carrying additional conditions
// that specify when the policy is in effect.
//
// See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
type PrincipalWithConditions interface {
	PrincipalBase

	// Principal accessors.
	AssumeRoleAction() *string
	Conditions() *map[string]interface{}
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string

	// Condition mutators.
	AddCondition(key *string, value interface{})
	AddConditions(conditions *map[string]interface{})

	// Policy helpers.
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult

	// Serialization and derived principals.
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
An IAM principal with additional conditions specifying when the policy is in effect.
For more information about conditions, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
TODO: EXAMPLE
func NewPrincipalWithConditions ¶
func NewPrincipalWithConditions(principal IPrincipal, conditions *map[string]interface{}) PrincipalWithConditions
type Role ¶
// Role is an IAM role. It is created with an assume policy document
// associated with the specified AWS service principal.
type Role interface {
	awscdk.Resource
	IRole

	// Identity and policy accessors.
	AssumeRoleAction() *string
	AssumeRolePolicy() PolicyDocument
	GrantPrincipal() IPrincipal
	PermissionsBoundary() IManagedPolicy
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	RoleArn() *string
	RoleId() *string
	RoleName() *string

	// Construct and environment accessors.
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	Stack() awscdk.Stack

	// Policy attachment and permission changes.
	AddManagedPolicy(policy IManagedPolicy)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	AttachInlinePolicy(policy Policy)
	Grant(grantee IPrincipal, actions ...*string) Grant
	GrantPassRole(identity IPrincipal) Grant
	WithoutPolicyUpdates(options *WithoutPolicyUpdatesOptions) IRole

	// Resource lifecycle and naming helpers.
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}
IAM Role.
Defines an IAM role. The role is created with an assume policy document associated with the specified AWS service principal defined in `serviceAssumeRole`.
TODO: EXAMPLE
type RoleProps ¶
// RoleProps holds the properties for defining an IAM Role.
type RoleProps struct {
	// AssumedBy is the IAM principal (i.e. `new ServicePrincipal('sns.amazonaws.com')`)
	// which can assume this role. The assume role policy document can later be
	// modified by accessing it via the `assumeRolePolicy` property.
	AssumedBy IPrincipal `json:"assumedBy" yaml:"assumedBy"`
	// Description of the role, up to 1000 characters long.
	Description *string `json:"description" yaml:"description"`
	// ExternalIds are the IDs of which the role assumer must provide one when
	// assuming this role. AssumeRole fails when the configured and provided
	// external IDs do not match.
	ExternalIds *[]*string `json:"externalIds" yaml:"externalIds"`
	// InlinePolicies is a list of named policies to inline into this role.
	// They are created with the role, whereas policies added by `addToPolicy`
	// use a separate CloudFormation resource (allowing a way around circular
	// dependencies that could otherwise be introduced).
	InlinePolicies *map[string]PolicyDocument `json:"inlinePolicies" yaml:"inlinePolicies"`
	// ManagedPolicies is the list of managed policies associated with this
	// role. Managed policies can also be added later using
	// `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
	ManagedPolicies *[]IManagedPolicy `json:"managedPolicies" yaml:"managedPolicies"`
	// MaxSessionDuration is the maximum session duration for this role, from
	// 1 hour (3600 s) to 12 hours (43200 s).
	//
	// Anyone who assumes the role from the AWS CLI or API can use the
	// DurationSeconds API parameter or the duration-seconds CLI parameter to
	// request a longer session; MaxSessionDuration determines the maximum
	// that can be requested. Without a DurationSeconds value, security
	// credentials are valid for one hour by default.
	//
	// This applies to the AssumeRole* API operations and assume-role* CLI
	// operations, but not when those operations are used to create a console
	// URL.
	MaxSessionDuration awscdk.Duration `json:"maxSessionDuration" yaml:"maxSessionDuration"`
	// Path associated with this role. For information about IAM paths, see
	// "Friendly Names and Paths" in the IAM User Guide.
	Path *string `json:"path" yaml:"path"`
	// PermissionsBoundary is the managed policy used as the permissions
	// boundary of this role. AWS supports permissions boundaries for IAM
	// entities (users or roles): an advanced feature that sets the maximum
	// permissions an identity-based policy can grant, so the entity may only
	// perform actions allowed by both its identity-based policies and its
	// boundary.
	PermissionsBoundary IManagedPolicy `json:"permissionsBoundary" yaml:"permissionsBoundary"`
	// RoleName is a name for the IAM role. For valid values, see the RoleName
	// parameter for the CreateRole action in the IAM API Reference.
	//
	// IMPORTANT: if you specify a name, you cannot perform updates that require
	// replacement of this resource; you can perform updates that require no or
	// some interruption. If you must replace the resource, specify a new name.
	//
	// Specifying a name also requires the CAPABILITY_NAMED_IAM value to
	// acknowledge the template's capabilities; see "Acknowledging IAM
	// Resources in AWS CloudFormation Templates".
	RoleName *string `json:"roleName" yaml:"roleName"`
}
Properties for defining an IAM Role.
TODO: EXAMPLE
type SamlConsolePrincipal ¶
// SamlConsolePrincipal is a principal entity representing a SAML federated
// identity provider for programmatic and AWS Management Console access.
type SamlConsolePrincipal interface {
	SamlPrincipal

	// Principal accessors.
	AssumeRoleAction() *string
	Conditions() *map[string]interface{}
	Federated() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string

	// Policy helpers.
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult

	// Serialization and derived principals.
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
Principal entity that represents a SAML federated identity provider for programmatic and AWS Management Console access.
TODO: EXAMPLE
func NewSamlConsolePrincipal ¶
func NewSamlConsolePrincipal(samlProvider ISamlProvider, conditions *map[string]interface{}) SamlConsolePrincipal
type SamlMetadataDocument ¶
// SamlMetadataDocument is a SAML metadata document, built from a file with
// SamlMetadataDocument_FromFile or from a string with
// SamlMetadataDocument_FromXml.
type SamlMetadataDocument interface {
	// Xml returns the document's XML content.
	Xml() *string
}
A SAML metadata document.
TODO: EXAMPLE
func SamlMetadataDocument_FromFile ¶
func SamlMetadataDocument_FromFile(path *string) SamlMetadataDocument
Create a SAML metadata document from an XML file.
func SamlMetadataDocument_FromXml ¶
func SamlMetadataDocument_FromXml(xml *string) SamlMetadataDocument
Create a SAML metadata document from an XML string.
type SamlPrincipal ¶
// SamlPrincipal is a principal entity representing a SAML federated identity
// provider.
type SamlPrincipal interface {
	FederatedPrincipal

	// Principal accessors.
	AssumeRoleAction() *string
	Conditions() *map[string]interface{}
	Federated() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string

	// Policy helpers.
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult

	// Serialization and derived principals.
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
Principal entity that represents a SAML federated identity provider.
TODO: EXAMPLE
func NewSamlPrincipal ¶
func NewSamlPrincipal(samlProvider ISamlProvider, conditions *map[string]interface{}) SamlPrincipal
type SamlProvider ¶
// SamlProvider is a SAML provider resource.
type SamlProvider interface {
	awscdk.Resource
	ISamlProvider

	// SamlProviderArn returns the ARN of the provider.
	SamlProviderArn() *string

	// Construct and environment accessors.
	Env() *awscdk.ResourceEnvironment
	Node() constructs.Node
	PhysicalName() *string
	Stack() awscdk.Stack

	// Resource lifecycle and naming helpers.
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	GetResourceNameAttribute(nameAttr *string) *string
	ToString() *string
}
A SAML provider.
TODO: EXAMPLE
func NewSamlProvider ¶
func NewSamlProvider(scope constructs.Construct, id *string, props *SamlProviderProps) SamlProvider
type SamlProviderProps ¶
// SamlProviderProps holds the properties for a SAML provider.
type SamlProviderProps struct {
	// MetadataDocument is an XML document generated by an identity provider
	// (IdP) that supports SAML 2.0. It includes the issuer's name, expiration
	// information, and the keys used to validate the SAML authentication
	// responses (assertions) received from the IdP. Generate it with the
	// identity management software used as your organization's IdP.
	MetadataDocument SamlMetadataDocument `json:"metadataDocument" yaml:"metadataDocument"`
	// Name of the provider to create: 1 to 128 characters of upper- and
	// lowercase alphanumerics with no spaces, optionally including any of
	// _+=,.@-
	Name *string `json:"name" yaml:"name"`
}
Properties for a SAML provider.
TODO: EXAMPLE
type ServicePrincipal ¶
// ServicePrincipal is an IAM principal that represents an AWS service
// (e.g. sqs.amazonaws.com).
type ServicePrincipal interface {
	PrincipalBase

	// Principal accessors.
	AssumeRoleAction() *string
	GrantPrincipal() IPrincipal
	PolicyFragment() PrincipalPolicyFragment
	PrincipalAccount() *string
	Service() *string

	// Policy helpers.
	AddToAssumeRolePolicy(document PolicyDocument)
	AddToPolicy(statement PolicyStatement) *bool
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult

	// Serialization and derived principals.
	ToJSON() *map[string]*[]*string
	ToString() *string
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	WithSessionTags() PrincipalBase
}
An IAM principal that represents an AWS service (e.g. sqs.amazonaws.com).
TODO: EXAMPLE
func NewServicePrincipal ¶
func NewServicePrincipal(service *string, opts *ServicePrincipalOpts) ServicePrincipal
type ServicePrincipalOpts
// ServicePrincipalOpts are options for a service principal.
type ServicePrincipalOpts struct {
	// Additional conditions to add to the Service Principal.
	//
	// NOTE(review): conditions on a service principal are the usual place to
	// scope a trust policy to a specific source (for example aws:SourceArn or
	// aws:SourceAccount) so that only the intended resource can assume the
	// role; confirm which condition keys the particular service supports.
	Conditions *map[string]interface{} `json:"conditions" yaml:"conditions"`
	// The region in which the service is operating.
	//
	// Deprecated: You should not need to set this. The stack's region is always correct.
	Region *string `json:"region" yaml:"region"`
}
Options for a service principal.
type SessionTagsPrincipal (added in v2.4.0)
// SessionTagsPrincipal wraps another principal and enables session tags on
// role assumptions made by it.
//
// For more information on session tags, see:
// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
type SessionTagsPrincipal interface {
	PrincipalBase
	// AssumeRoleAction returns the STS action used when a role trusts this principal.
	AssumeRoleAction() *string
	// GrantPrincipal returns the principal to which grants are applied.
	GrantPrincipal() IPrincipal
	// PolicyFragment returns the policy fragment (principal JSON plus conditions) for this principal.
	PolicyFragment() PrincipalPolicyFragment
	// PrincipalAccount returns the account this principal belongs to, if any.
	PrincipalAccount() *string
	// AddToAssumeRolePolicy adds this principal to the given trust policy document.
	// NOTE(review): presumably this is where the session-tagging permission is
	// added alongside the assume-role action — confirm against the implementation.
	AddToAssumeRolePolicy(doc PolicyDocument)
	// AddToPolicy adds a statement to the principal's policy; the result reports whether it was added.
	AddToPolicy(statement PolicyStatement) *bool
	// AddToPrincipalPolicy adds a statement to the principal's policy.
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	// ToJSON returns the IAM JSON representation of the principal.
	ToJSON() *map[string]*[]*string
	// ToString returns a string representation of this principal.
	ToString() *string
	// WithConditions returns a copy of this principal with additional policy conditions attached.
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	// WithSessionTags returns a copy of this principal that enables session tags on role assumption.
	WithSessionTags() PrincipalBase
}
Enables session tags on role assumptions from a principal.
For more information on session tags, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
func NewSessionTagsPrincipal (added in v2.4.0)
func NewSessionTagsPrincipal(principal IPrincipal) SessionTagsPrincipal
type StarPrincipal
// StarPrincipal is a principal that uses a literal '*' in the IAM JSON language.
//
// It renders to `Principal: *`. Some services behave differently when
// `Principal: "*"` or `Principal: { AWS: "*" }` is used in their resource
// policy; most of the time AnyPrincipal should be used instead. Because this
// principal matches every caller, any statement that names it should carry
// conditions (WithConditions) that narrow who actually qualifies.
type StarPrincipal interface {
	PrincipalBase
	// AssumeRoleAction returns the STS action used when a role trusts this principal.
	AssumeRoleAction() *string
	// GrantPrincipal returns the principal to which grants are applied.
	GrantPrincipal() IPrincipal
	// PolicyFragment returns the policy fragment (principal JSON plus conditions) for this principal.
	PolicyFragment() PrincipalPolicyFragment
	// PrincipalAccount returns the account this principal belongs to, if any.
	PrincipalAccount() *string
	// AddToAssumeRolePolicy adds this principal to the given trust policy document.
	AddToAssumeRolePolicy(document PolicyDocument)
	// AddToPolicy adds a statement to the principal's policy; the result reports whether it was added.
	AddToPolicy(statement PolicyStatement) *bool
	// AddToPrincipalPolicy adds a statement to the principal's policy.
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	// ToJSON returns the IAM JSON representation of the principal.
	ToJSON() *map[string]*[]*string
	// ToString returns a string representation of this principal.
	ToString() *string
	// WithConditions returns a copy of this principal with additional policy conditions attached.
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	// WithSessionTags returns a copy of this principal that enables session tags on role assumption.
	WithSessionTags() PrincipalBase
}
A principal that uses a literal '*' in the IAM JSON language.
Some services behave differently when you specify `Principal: "*"` or `Principal: { AWS: "*" }` in their resource policy.
`StarPrincipal` renders to `Principal: *`. Most of the time, you should use `AnyPrincipal` instead.
func NewStarPrincipal
func NewStarPrincipal() StarPrincipal
type UnknownPrincipal
// UnknownPrincipal is a principal for use in resources that need a role
// whose identity is not known.
//
// Some resources (Lambda functions, CodeBuild projects, Step Functions
// machines, ...) assume a role, but when they are imported the role is not
// always imported with them. An UnknownPrincipal stands in for that role and
// emits user warnings when statements are added to it, because those
// statements cannot actually be attached to anything. Permissions granted
// this way are therefore silently absent at runtime and must be managed
// outside the stack.
type UnknownPrincipal interface {
	IPrincipal
	// AssumeRoleAction returns the STS action used when a role trusts this principal.
	AssumeRoleAction() *string
	// GrantPrincipal returns the principal to which grants are applied.
	GrantPrincipal() IPrincipal
	// PolicyFragment returns the policy fragment for this principal.
	PolicyFragment() PrincipalPolicyFragment
	// AddToPolicy records a statement; on an unknown principal this produces a warning rather than a real policy change.
	AddToPolicy(statement PolicyStatement) *bool
	// AddToPrincipalPolicy records a statement; on an unknown principal this produces a warning rather than a real policy change.
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
}
A principal for use in resources that need a role whose identity is not known.
Some resources have roles associated with them which they assume, such as Lambda Functions, CodeBuild projects, StepFunctions machines, etc.
When those resources are imported, their actual roles are not always imported with them. When that happens, an instance of this class is used instead; it emits user warnings whenever an attempt is made to add statements to it.
func NewUnknownPrincipal
func NewUnknownPrincipal(props *UnknownPrincipalProps) UnknownPrincipal
type UnknownPrincipalProps
// UnknownPrincipalProps are the properties for an UnknownPrincipal.
type UnknownPrincipalProps struct {
	// The resource the role proxy is for; used to attribute the warnings
	// emitted when statements are added to the principal.
	Resource constructs.IConstruct `json:"resource" yaml:"resource"`
}
Properties for an UnknownPrincipal.
type User
// User defines a new IAM user.
//
// A User is both a Resource and an identity (IIdentity, IUser): it can be
// placed in groups, have managed and inline policies attached, and be used
// as a principal in policy statements.
type User interface {
	awscdk.Resource
	IIdentity
	IUser
	// AssumeRoleAction returns the STS action used when a role trusts this user.
	AssumeRoleAction() *string
	// Env returns the account/region environment this resource belongs to.
	Env() *awscdk.ResourceEnvironment
	// GrantPrincipal returns the principal to which grants are applied.
	GrantPrincipal() IPrincipal
	// Node returns the construct tree node.
	Node() constructs.Node
	// PermissionsBoundary returns the managed policy used as this user's permissions boundary, if any.
	PermissionsBoundary() IManagedPolicy
	// PhysicalName returns the physical name of the resource, if one was set.
	PhysicalName() *string
	// PolicyFragment returns the policy fragment for this user as a principal.
	PolicyFragment() PrincipalPolicyFragment
	// PrincipalAccount returns the account this user belongs to, if any.
	PrincipalAccount() *string
	// Stack returns the stack in which this resource is defined.
	Stack() awscdk.Stack
	// UserArn returns the ARN of the user.
	UserArn() *string
	// UserName returns the name of the user.
	UserName() *string
	// AddManagedPolicy attaches a managed policy to this user.
	AddManagedPolicy(policy IManagedPolicy)
	// AddToGroup adds this user to the given group.
	AddToGroup(group IGroup)
	// AddToPolicy adds a statement to the user's policy; the result reports whether it was added.
	AddToPolicy(statement PolicyStatement) *bool
	// AddToPrincipalPolicy adds a statement to the user's policy.
	AddToPrincipalPolicy(statement PolicyStatement) *AddToPrincipalPolicyResult
	// ApplyRemovalPolicy sets what happens to the user when it is removed from the stack.
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// AttachInlinePolicy attaches an inline policy to this user.
	AttachInlinePolicy(policy Policy)
	// GeneratePhysicalName returns a generated physical name for the resource.
	GeneratePhysicalName() *string
	// GetResourceArnAttribute resolves an ARN attribute for this resource.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// GetResourceNameAttribute resolves a name attribute for this resource.
	GetResourceNameAttribute(nameAttr *string) *string
	// ToString returns a string representation of this construct.
	ToString() *string
}
Define a new IAM user.
type UserAttributes
// UserAttributes describe a user defined outside of this stack, so that it
// can be referenced (imported) without being created here.
type UserAttributes struct {
	// The ARN of the user.
	//
	// Format: arn:<partition>:iam::<account-id>:user/<user-name-with-path>
	UserArn *string `json:"userArn" yaml:"userArn"`
}
Represents a user defined outside of this stack.
type UserProps
// UserProps are the properties for defining an IAM user.
type UserProps struct {
	// Groups to add this user to.
	//
	// You can also use `addToGroup` to add this
	// user to a group.
	Groups *[]IGroup `json:"groups" yaml:"groups"`
	// A list of managed policies associated with this role.
	//
	// You can add managed policies later using
	// `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
	ManagedPolicies *[]IManagedPolicy `json:"managedPolicies" yaml:"managedPolicies"`
	// The password for the user. This is required so the user can access the AWS Management Console.
	//
	// You can use `SecretValue.plainText` to specify a password in plain text or
	// use `secretsmanager.Secret.fromSecretAttributes` to reference a secret in
	// Secrets Manager.
	//
	// NOTE(review): a `plainText` value presumably ends up verbatim in the
	// synthesized template and in source control; prefer the Secrets Manager
	// reference for anything beyond a throwaway test — confirm with the
	// SecretValue documentation.
	Password awscdk.SecretValue `json:"password" yaml:"password"`
	// Specifies whether the user is required to set a new password the next time the user logs in to the AWS Management Console.
	//
	// If this is set to 'true', you must also specify "initialPassword".
	PasswordResetRequired *bool `json:"passwordResetRequired" yaml:"passwordResetRequired"`
	// The path for the user name.
	//
	// For more information about paths, see IAM
	// Identifiers in the IAM User Guide.
	Path *string `json:"path" yaml:"path"`
	// AWS supports permissions boundaries for IAM entities (users or roles).
	//
	// A permissions boundary is an advanced feature for using a managed policy
	// to set the maximum permissions that an identity-based policy can grant to
	// an IAM entity. An entity's permissions boundary allows it to perform only
	// the actions that are allowed by both its identity-based policies and its
	// permissions boundaries.
	PermissionsBoundary IManagedPolicy `json:"permissionsBoundary" yaml:"permissionsBoundary"`
	// A name for the IAM user.
	//
	// For valid values, see the UserName parameter for
	// the CreateUser action in the IAM API Reference. If you don't specify a
	// name, AWS CloudFormation generates a unique physical ID and uses that ID
	// for the user name.
	//
	// If you specify a name, you cannot perform updates that require
	// replacement of this resource. You can perform updates that require no or
	// some interruption. If you must replace the resource, specify a new name.
	//
	// If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
	// acknowledge your template's capabilities. For more information, see
	// Acknowledging IAM Resources in AWS CloudFormation Templates.
	UserName *string `json:"userName" yaml:"userName"`
}
Properties for defining an IAM user.
type WebIdentityPrincipal
// WebIdentityPrincipal is a principal that represents a federated web
// identity provider such as Cognito, Amazon, Facebook or Google.
//
// It is a FederatedPrincipal; the identity provider is exposed by Federated()
// and the trust conditions by Conditions(). NOTE(review): for a web identity
// trust the conditions are what tie the role to a specific application or
// audience at the provider — a trust with no conditions is presumably
// assumable by any identity that provider issues; confirm against the
// constructor's documentation.
type WebIdentityPrincipal interface {
	FederatedPrincipal
	// AssumeRoleAction returns the STS action used when a role trusts this principal.
	AssumeRoleAction() *string
	// Conditions returns the policy conditions attached to this federated principal.
	Conditions() *map[string]interface{}
	// Federated returns the identifier of the federated identity provider.
	Federated() *string
	// GrantPrincipal returns the principal to which grants are applied.
	GrantPrincipal() IPrincipal
	// PolicyFragment returns the policy fragment (principal JSON plus conditions) for this principal.
	PolicyFragment() PrincipalPolicyFragment
	// PrincipalAccount returns the account this principal belongs to, if any.
	PrincipalAccount() *string
	// AddToAssumeRolePolicy adds this principal to the given trust policy document.
	AddToAssumeRolePolicy(document PolicyDocument)
	// AddToPolicy adds a statement to the principal's policy; the result reports whether it was added.
	AddToPolicy(statement PolicyStatement) *bool
	// AddToPrincipalPolicy adds a statement to the principal's policy.
	AddToPrincipalPolicy(_statement PolicyStatement) *AddToPrincipalPolicyResult
	// ToJSON returns the IAM JSON representation of the principal.
	ToJSON() *map[string]*[]*string
	// ToString returns a string representation of this principal.
	ToString() *string
	// WithConditions returns a copy of this principal with additional policy conditions attached.
	WithConditions(conditions *map[string]interface{}) PrincipalBase
	// WithSessionTags returns a copy of this principal that enables session tags on role assumption.
	WithSessionTags() PrincipalBase
}
A principal that represents a federated identity provider as a Web Identity, such as Cognito, Amazon, Facebook or Google.
func NewWebIdentityPrincipal
func NewWebIdentityPrincipal(identityProvider *string, conditions *map[string]interface{}) WebIdentityPrincipal
type WithoutPolicyUpdatesOptions
// WithoutPolicyUpdatesOptions are the options for the `withoutPolicyUpdates()`
// modifier of a Role, which stops the CDK from mutating the role's policies.
type WithoutPolicyUpdatesOptions struct {
	// Add grants to resources instead of dropping them.
	//
	// If this is `false` or not specified, grant permissions added to this role are ignored.
	// It is your own responsibility to make sure the role has the required permissions.
	//
	// If this is `true`, any grant permissions will be added to the resource instead.
	//
	// NOTE(review): with `true`, permissions that would have lived on the role's
	// identity policy are instead written to the resource policies of the
	// targets of each grant, so review those resource policies (not the role)
	// to see what this role can reach.
	AddGrantsToResources *bool `json:"addGrantsToResources" yaml:"addGrantsToResources"`
}
Options for the `withoutPolicyUpdates()` modifier of a Role.