Package sso

v0.0.96

Warning: this package is not in the latest version of its module.

Published: Nov 22, 2023 License: Apache-2.0 Imports: 9 Imported by: 0

README

AWS IAM Identity Center (successor to AWS Single Sign-On)

The @cdk-extensions/sso package contains advanced constructs and patterns for setting up IAM Identity Center. The constructs presented here are intended to be replacements for equivalent AWS constructs in the CDK EC2 module, but with additional features included.

AWS CDK EC2 API Reference

To import and use this module within your CDK project:

import * as sso from '@cdk-extensions/sso';

Objective

AWS IAM Identity Center (successor to AWS Single Sign-On) expands the capabilities of AWS Identity and Access Management (IAM) to provide a central place that brings together administration of users and their access to AWS accounts and cloud applications.

See official IAM Identity Center documentation

Assignment

Assigns access to a Principal for a specified AWS account using a specified permission set. This construct extends the AWS class Resource by adding the following properties:

| Property Name | Description |
| --- | --- |
| Instance | The IAM Identity Center instance under which the operation will be executed |
| PermissionSet | The permission set which governs the access being assigned. The permission set grants the principal permissions on the target |
| Principal | The IAM Identity Center principal you wish to grant permissions to |
| Resource | The underlying Assignment CloudFormation resource, in this case AWS::SSO::Assignment |
| Target | The resource you wish to grant the principal entity access to using the permissions defined in the permissionSet. For example, an AWS account |
Usage

You can create an Assignment like this:

// SAMPLE CODE

Instance Access Control Attribute Configuration

Enables the attribute-based access control (ABAC) feature for the specified IAM Identity Center instance. You can also specify new attributes to add to your ABAC configuration during the enabling process. For more information about ABAC, see Attribute-Based Access Control in the IAM Identity Center User Guide. This construct extends the AWS class Resource by adding the following properties:

| Property Name | Description |
| --- | --- |
| Attributes | Lists the attributes that are configured for ABAC in the specified IAM Identity Center instance. This array is readonly. Changes made to the array will not be reflected in this resource. To add new attributes use the addAttribute method |
| Instance | The ARN of the IAM Identity Center instance under which the operation will be executed |
| Resource | The underlying InstanceAccessControlAttributeConfiguration CloudFormation resource, in this case AWS::SSO::InstanceAccessControlAttributeConfiguration |
Usage

You can create an InstanceAccessControlAttributeConfiguration like this:

// SAMPLE CODE

Permission Set

Specifies a permission set within a specified IAM Identity Center instance. This construct extends the AWS class Resource by adding the following properties:

| Property Name | Description |
| --- | --- |
| Description | A user-friendly description providing details about the permission set |
| Instance | The ARN of the IAM Identity Center instance under which the operation will be executed |
| Name | The name of the permission set |
| PermissionBoundary | Specifies the configuration of the AWS managed or customer managed policy that you want to set as a permissions boundary. Specify either CustomerManagedPolicyReference to use the name and path of a customer managed policy, or ManagedPolicyArn to use the ARN of an AWS managed policy. A permissions boundary represents the maximum permissions that any policy can grant your role. For more information, see Permissions Boundaries for IAM entities in the AWS Identity and Access Management User Guide. |
Usage

You can create a PermissionSet like this:

// SAMPLE CODE

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Assignment_IsConstruct

func Assignment_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.

func Assignment_IsOwnedResource

func Assignment_IsOwnedResource(construct constructs.IConstruct) *bool

Returns true if the construct was created by CDK, and false otherwise.

func Assignment_IsResource

func Assignment_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func GroupBase_IsConstruct

func GroupBase_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.

func GroupBase_IsOwnedResource

func GroupBase_IsOwnedResource(construct constructs.IConstruct) *bool

Returns true if the construct was created by CDK, and false otherwise.

func GroupBase_IsResource

func GroupBase_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func InstanceAccessControlAttributeConfiguration_IsConstruct

func InstanceAccessControlAttributeConfiguration_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.

func InstanceAccessControlAttributeConfiguration_IsOwnedResource

func InstanceAccessControlAttributeConfiguration_IsOwnedResource(construct constructs.IConstruct) *bool

Returns true if the construct was created by CDK, and false otherwise.

func InstanceAccessControlAttributeConfiguration_IsResource

func InstanceAccessControlAttributeConfiguration_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func InstanceBase_IsConstruct

func InstanceBase_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.

func InstanceBase_IsOwnedResource

func InstanceBase_IsOwnedResource(construct constructs.IConstruct) *bool

Returns true if the construct was created by CDK, and false otherwise.

func InstanceBase_IsResource

func InstanceBase_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func NewAccessControlAttribute_Override

func NewAccessControlAttribute_Override(a AccessControlAttribute, options *AccessControlAttributeOptions)

Creates a new instance of the AccessControlAttribute class.

func NewAssignment_Override

func NewAssignment_Override(a Assignment, scope constructs.Construct, id *string, props *AssignmentProps)

Creates a new instance of the Assignment class.

func NewGroupBase_Override

func NewGroupBase_Override(g GroupBase, scope constructs.IConstruct, id *string, props *awscdk.ResourceProps)

func NewGroup_Override

func NewGroup_Override(g Group)

func NewInstanceAccessControlAttributeConfiguration_Override

func NewInstanceAccessControlAttributeConfiguration_Override(i InstanceAccessControlAttributeConfiguration, scope constructs.Construct, id *string, props *InstanceAccessControlAttributeConfigurationProps)

Creates a new instance of the InstanceAccessControlAttributeConfiguration class.

func NewInstanceBase_Override

func NewInstanceBase_Override(i InstanceBase, scope constructs.Construct, id *string, props *awscdk.ResourceProps)

func NewInstance_Override

func NewInstance_Override(i Instance)

func NewManagedPolicyPermissionsBoundary_Override

func NewManagedPolicyPermissionsBoundary_Override(m ManagedPolicyPermissionsBoundary, policy awsiam.IManagedPolicy)

func NewPermissionSet_Override

func NewPermissionSet_Override(p PermissionSet, scope constructs.Construct, id *string, props *PermissionSetProps)

Creates a new instance of the PermissionSet class.

func NewPermissionsBoundary_Override

func NewPermissionsBoundary_Override(p PermissionsBoundary)

func NewReferencedManagedPolicy_Override

func NewReferencedManagedPolicy_Override(r ReferencedManagedPolicy, scope constructs.Construct, id *string, props *ReferencedManagedPolicyProps)

Creates a new instance of the ReferencedManagedPolicy class.

func NewReferencedPermissionsBoundary_Override

func NewReferencedPermissionsBoundary_Override(r ReferencedPermissionsBoundary, options *ReferenceOptions)

func NewUserBase_Override

func NewUserBase_Override(u UserBase, scope constructs.IConstruct, id *string, props *awscdk.ResourceProps)

func NewUser_Override

func NewUser_Override(u User)

func PermissionSet_IsConstruct

func PermissionSet_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.

func PermissionSet_IsOwnedResource

func PermissionSet_IsOwnedResource(construct constructs.IConstruct) *bool

Returns true if the construct was created by CDK, and false otherwise.

func PermissionSet_IsResource

func PermissionSet_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func ReferencedManagedPolicy_FromAwsManagedPolicyName

func ReferencedManagedPolicy_FromAwsManagedPolicyName(managedPolicyName *string) awsiam.IManagedPolicy

Import a managed policy from one of the policies that AWS manages.

For this managed policy, you only need to know the name to be able to use it.

Some managed policy names start with "service-role/", some start with "job-function/", and some don't start with anything. Include the prefix when constructing this object.

func ReferencedManagedPolicy_FromManagedPolicyArn

func ReferencedManagedPolicy_FromManagedPolicyArn(scope constructs.Construct, id *string, managedPolicyArn *string) awsiam.IManagedPolicy

Import an external managed policy by ARN.

For this managed policy, you only need to know the ARN to be able to use it. This can be useful if you got the ARN from a CloudFormation Export.

If the imported Managed Policy ARN is a Token (such as a `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced managed policy has a `path` (like `arn:...:policy/AdminPolicy/AdminAllow`), the `managedPolicyName` property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Managed Policy ARN should be supplied without the `path` in order to resolve the correct managed policy resource.
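The path pitfall described above is easy to reproduce on concrete strings. The following is an added, self-contained Go example (not code from cdk-extensions; `ManagedPolicyRef`, `ParseManagedPolicyArn`, `NaivePolicyName` and `CheckBoundaryArn` are hypothetical helpers written for this page). It parses a managed policy ARN into account, path and name, shows that a fixed-index split after `policy/` yields the first path segment rather than the policy name for a pathed policy, and wraps that in a pre-synthesis check that warns when a permissions-boundary ARN carries a path.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ManagedPolicyRef holds the parts of an IAM managed policy ARN that matter when
// a permission set's permissions boundary is built from that ARN.
// Hypothetical helper written for this page, not part of cdk-extensions.
type ManagedPolicyRef struct {
	AccountID string // "aws" for AWS managed policies, a 12-digit account ID otherwise
	Path      string // always starts and ends with "/", e.g. "/AdminPolicy/"
	Name      string // the final component, e.g. "AdminAllow"
}

// ParseManagedPolicyArn splits arn:<partition>:iam::<account>:policy<path><name>
// into account, path and name. It only works on concrete strings; a deploy-time
// token cannot be parsed this way, which is the root of the caveat above.
func ParseManagedPolicyArn(arn string) (ManagedPolicyRef, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return ManagedPolicyRef{}, errors.New("not an IAM ARN: " + arn)
	}
	resource := parts[5]
	if !strings.HasPrefix(resource, "policy/") {
		return ManagedPolicyRef{}, errors.New("not a managed policy ARN: " + arn)
	}
	full := strings.TrimPrefix(resource, "policy") // e.g. "/AdminPolicy/AdminAllow"
	idx := strings.LastIndex(full, "/")            // full always starts with "/"
	name := full[idx+1:]
	if name == "" {
		return ManagedPolicyRef{}, errors.New("managed policy ARN has no policy name: " + arn)
	}
	return ManagedPolicyRef{AccountID: parts[4], Path: full[:idx+1], Name: name}, nil
}

// NaivePolicyName mimics the only extraction available when the ARN is a
// deploy-time token: split on "/" and select a fixed index. It returns the first
// component after "policy/", which for a pathed policy is the first path
// segment, not the policy name.
func NaivePolicyName(arn string) string {
	segs := strings.Split(arn, "/")
	if len(segs) < 2 {
		return ""
	}
	return segs[1]
}

// CheckBoundaryArn is the pre-synthesis check a practitioner would want: it
// returns the parsed reference plus a non-empty warning when the ARN carries a
// path, because a token-derived managedPolicyName would then be wrong.
func CheckBoundaryArn(arn string) (ManagedPolicyRef, string, error) {
	ref, err := ParseManagedPolicyArn(arn)
	if err != nil {
		return ref, "", err
	}
	if ref.Path != "/" {
		warn := fmt.Sprintf("policy %q has path %q: a token-derived name would resolve to %q; supply the ARN without the path or import the policy by name",
			ref.Name, ref.Path, NaivePolicyName(arn))
		return ref, warn, nil
	}
	return ref, "", nil
}

func main() {
	// Constructed sample ARNs; the account ID is a placeholder.
	for _, arn := range []string{
		"arn:aws:iam::123456789012:policy/AdminPolicy/AdminAllow",
		"arn:aws:iam::aws:policy/ReadOnlyAccess",
	} {
		ref, warn, err := CheckBoundaryArn(arn)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> path=%s name=%s naive=%s\n", arn, ref.Path, ref.Name, NaivePolicyName(arn))
		if warn != "" {
			fmt.Println("  warning:", warn)
		}
	}
}
```

Run the check over every boundary ARN you feed to a permission set before synthesis; the unpathed AWS managed policy passes silently, while the pathed customer policy produces the warning and shows the mismatched name.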

func ReferencedManagedPolicy_FromManagedPolicyName

func ReferencedManagedPolicy_FromManagedPolicyName(scope constructs.Construct, id *string, managedPolicyName *string) awsiam.IManagedPolicy

Import a customer managed policy from the managedPolicyName.

For this managed policy, you only need to know the name to be able to use it.

func ReferencedManagedPolicy_IsConstruct

func ReferencedManagedPolicy_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.

func ReferencedManagedPolicy_IsOwnedResource

func ReferencedManagedPolicy_IsOwnedResource(construct constructs.IConstruct) *bool

Returns true if the construct was created by CDK, and false otherwise.

func ReferencedManagedPolicy_IsResource

func ReferencedManagedPolicy_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

func ReferencedManagedPolicy_PolicyName

func ReferencedManagedPolicy_PolicyName() *string

func ReferencedManagedPolicy_PolicyPath

func ReferencedManagedPolicy_PolicyPath() *string

func UserBase_IsConstruct

func UserBase_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.

func UserBase_IsOwnedResource

func UserBase_IsOwnedResource(construct constructs.IConstruct) *bool

Returns true if the construct was created by CDK, and false otherwise.

func UserBase_IsResource

func UserBase_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource.

Types

type AccessControlAttribute

type AccessControlAttribute interface {
	// The name of the attribute associated with your identities in your identity source.
	//
	// This is used to map a specified attribute in your
	// identity source with an attribute in IAM Identity Center.
	Name() *string
	// A list of identity sources to use when mapping a specified attribute to IAM Identity Center.
	//
	// Note that the array is readonly and changes made
	// to it will not be reflected when generating ABAC attribute
	// configuration. To add a source to the attribute use the {@link addSource}
	// method.
	Sources() *[]*string
	// Adds an identity source to use when mapping the attribute to IAM Identity Center.
	//
	// Returns: The ABAC attribute the source was associated with.
	AddSource(source *string) AccessControlAttribute
	// Generates the raw CloudFormation configuration that this attribute represents within the context of a given scope.
	//
	// Returns: The raw CloudFormation configuration that this attribute
	// represents.
	Bind(scope constructs.IConstruct) *awssso.CfnInstanceAccessControlAttributeConfiguration_AccessControlAttributeProperty
}

Represents an ABAC attribute in IAM Identity Center.

These are IAM Identity Center identity store attributes that you can configure for use in attributes-based access control (ABAC). You can create permissions policies that determine who can access your AWS resources based upon the configured attribute values. When you enable ABAC and specify `AccessControlAttributes`, IAM Identity Center passes the attribute values of the authenticated user into IAM for use in policy evaluation.

func NewAccessControlAttribute

func NewAccessControlAttribute(options *AccessControlAttributeOptions) AccessControlAttribute

Creates a new instance of the AccessControlAttribute class.

type AccessControlAttributeOptions

type AccessControlAttributeOptions struct {
	// The name of the attribute associated with your identities in your identity source.
	//
	// This is used to map a specified attribute in your
	// identity source with an attribute in IAM Identity Center.
	Name *string `field:"required" json:"name" yaml:"name"`
	// A list of identity sources to use when mapping a specified attribute to IAM Identity Center.
	// See: [AWS::SSO::InstanceAccessControlAttributeConfiguration AccessControlAttributeValue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributevalue.html#cfn-sso-instanceaccesscontrolattributeconfiguration-accesscontrolattributevalue-source)
	//
	Sources *[]*string `field:"optional" json:"sources" yaml:"sources"`
}

Configuration options for adding an ABAC attribute to IAM Identity Center.

type Assignment

type Assignment interface {
	awscdk.Resource
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The IAM Identity Center instance under which the operation will be executed.
	Instance() IInstance
	// The tree node.
	Node() constructs.Node
	// The permission set which governs the access being assigned.
	//
	// The
	// permission set grants the {@link principal} permissions on
	// {@link target}.
	PermissionSet() IPermissionSet
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The IAM Identity Center principal you wish to grant permissions to.
	Principal() IIdentityCenterPrincipal
	// The underlying Assignment CloudFormation resource.
	Resource() awssso.CfnAssignment
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// The resource you wish to grant the {@link principal} entity access to using the permissions defined in the {@link permissionSet}.
	//
	// For example,
	// an AWS account.
	Target() AssignmentTarget
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

Assigns access to a Principal for a specified AWS account using a specified permission set.

func NewAssignment

func NewAssignment(scope constructs.Construct, id *string, props *AssignmentProps) Assignment

Creates a new instance of the Assignment class.

type AssignmentProps

type AssignmentProps struct {
	// The AWS account ID this resource belongs to.
	// Default: - the resource is in the same account as the stack it belongs to.
	//
	Account *string `field:"optional" json:"account" yaml:"account"`
	// ARN to deduce region and account from.
	//
	// The ARN is parsed and the account and region are taken from the ARN.
	// This should be used for imported resources.
	//
	// Cannot be supplied together with either `account` or `region`.
	// Default: - take environment from `account`, `region` parameters, or use Stack environment.
	//
	EnvironmentFromArn *string `field:"optional" json:"environmentFromArn" yaml:"environmentFromArn"`
	// The value passed in by users to the physical name prop of the resource.
	//
	// - `undefined` implies that a physical name will be allocated by
	//   CloudFormation during deployment.
	// - a concrete value implies a specific physical name
	// - `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
	//   by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
	// Default: - The physical name will be allocated by CloudFormation at deployment time.
	//
	PhysicalName *string `field:"optional" json:"physicalName" yaml:"physicalName"`
	// The AWS region this resource belongs to.
	// Default: - the resource is in the same region as the stack it belongs to.
	//
	Region *string `field:"optional" json:"region" yaml:"region"`
	// The IAM Identity Center {@link aws-sso.IInstance instance } under which the operation will be executed.
	Instance IInstance `field:"required" json:"instance" yaml:"instance"`
	// The permission set which governs the access being assigned.
	//
	// The
	// permission set grants the {@link principal} permissions on
	// {@link target}.
	PermissionSet IPermissionSet `field:"required" json:"permissionSet" yaml:"permissionSet"`
	// The IAM Identity Center principal you wish to grant permissions to.
	Principal IIdentityCenterPrincipal `field:"required" json:"principal" yaml:"principal"`
	// The resource you wish to grant the {@link principal} entity access to using the permissions defined in the {@link permissionSet}.
	//
	// For example,
	// an AWS account.
	Target AssignmentTarget `field:"required" json:"target" yaml:"target"`
}

Configuration for Assignment resource.

type AssignmentTarget

type AssignmentTarget interface {
	// The unique identifier for the resource for which permissions will be granted.
	TargetId() *string
	// The type of resource for which permissions will be granted.
	TargetType() AssignmentTargetType
}

Represents a resource that can have permissions granted for using IAM Identity Center such as an AWS account.

func AssignmentTarget_AwsAccount

func AssignmentTarget_AwsAccount(accountId *string) AssignmentTarget

Creates an assignment target that represents an AWS account.

Returns: An AssignmentTarget representing the AWS account.

func AssignmentTarget_Of

func AssignmentTarget_Of(targetType AssignmentTargetType, targetId *string) AssignmentTarget

An escape hatch method that allows specifying a custom target for an assignment in the event new target options are added and the provided methods for configuring targets are yet to catch up.

It is recommended that the provided static methods be used whenever possible for configuring assignment targets instead of calling `of`.

type AssignmentTargetType

type AssignmentTargetType interface {
	// The name describing the type of target.
	Name() *string
}

Provides a wrapper around the accepted values for the IAM Identity Center [Assignment.TargetType attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-assignment.html#cfn-sso-assignment-targettype).

Accepted values are provided as static properties that can be used when configuring an assignment.

func AssignmentTargetType_AWS_ACCOUNT

func AssignmentTargetType_AWS_ACCOUNT() AssignmentTargetType

func AssignmentTargetType_Of

func AssignmentTargetType_Of(name *string) AssignmentTargetType

An escape hatch method that allows specifying a custom target type in the event more options are added and the provided static types are yet to catch up.

It is recommended that the provided static types be used when possible instead of calling `of`.

Returns: An {@link AssignmentTargetType } object representing the specified type.

type Group

type Group interface {
}

func NewGroup

func NewGroup() Group

type GroupBase

type GroupBase interface {
	awscdk.Resource
	IGroup
	IIdentityCenterPrincipal
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The identifier for a group object in IAM Identity Center, which is a GUID (for example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6).
	GroupId() *string
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The unique ID that identifies the entity within IAM Identity Center.
	PrincipalId() *string
	// The type of entity being represented.
	PrincipalType() IdentityCenterPrincipalType
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

type IGroup

type IGroup interface {
	// The identifier for a group object in IAM Identity Center, which is a GUID (for example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6).
	GroupId() *string
}

func Group_FromGroupId

func Group_FromGroupId(scope constructs.IConstruct, id *string, groupId *string) IGroup

type IIdentityCenterPrincipal

type IIdentityCenterPrincipal interface {
	// The unique ID that identifies the entity within IAM Identity Center.
	PrincipalId() *string
	// The type of entity being represented.
	PrincipalType() IdentityCenterPrincipalType
}

Represents an entity that can be granted permissions via IAM Identity Center.

type IInstance

type IInstance interface {
	// The ARN of the IAM Identity Center instance under which the operation will be executed.
	//
	// For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
	// See: [AWS::SSO::Assignment](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-assignment.html#cfn-sso-assignment-instancearn)
	//
	InstanceArn() *string
	// The ID of the IAM Identity Center instance under which the operation will be executed.
	InstanceId() *string
}

func Instance_FromArn

func Instance_FromArn(scope constructs.IConstruct, id *string, arn *string) IInstance

func Instance_FromInstanceId

func Instance_FromInstanceId(scope constructs.IConstruct, id *string, instanceId *string) IInstance

type IPermissionSet

type IPermissionSet interface {
	PermissionSetArn() *string
}

Represents an IAM Identity Center permission set resource.

func PermissionSet_FromArn

func PermissionSet_FromArn(scope constructs.Construct, id *string, arn *string) IPermissionSet

type IUser

type IUser interface {
	// A GUID identifier for a user object in IAM Identity Center (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6).
	UserId() *string
}

func User_FromUserId

func User_FromUserId(scope constructs.IConstruct, id *string, userId *string) IUser

type IdentityCenterPrincipalType

type IdentityCenterPrincipalType interface {
	// The name for a type of IAM Identity Center Principal.
	Name() *string
}

Provides a wrapper around the accepted values for the IAM Identity Center [Assignment.PrincipalType attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-assignment.html#cfn-sso-assignment-principaltype).

Accepted values are provided as static properties that can be used when configuring an assignment.

func IdentityCenterPrincipalType_GROUP

func IdentityCenterPrincipalType_GROUP() IdentityCenterPrincipalType

func IdentityCenterPrincipalType_Of

func IdentityCenterPrincipalType_Of(name *string) IdentityCenterPrincipalType

An escape hatch method that allows specifying a custom principal type in the event more options are added and the provided static types are yet to catch up.

It is recommended that the provided static types be used when possible instead of calling `of`.

func IdentityCenterPrincipalType_USER

func IdentityCenterPrincipalType_USER() IdentityCenterPrincipalType

type Instance

type Instance interface {
}

func NewInstance

func NewInstance() Instance

type InstanceAccessControlAttributeConfiguration

type InstanceAccessControlAttributeConfiguration interface {
	awscdk.Resource
	// Lists the attributes that are configured for ABAC in the specified IAM Identity Center instance.
	//
	// This array is readonly. Changes made to the
	// array will not be reflected in this resource. To add new attributes use
	// the `{@link addAttribute}` method.
	Attributes() *[]AccessControlAttribute
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The ARN of the IAM Identity Center {@link aws-sso.IInstance instance } under which the operation will be executed.
	Instance() IInstance
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The underlying InstanceAccessControlAttributeConfiguration CloudFormation resource.
	Resource() awssso.CfnInstanceAccessControlAttributeConfiguration
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Adds a new ABAC attribute in the specified IAM Identity Center instance.
	//
	// Returns: An AccessControlAttribute resource that will be applied to the
	// configuration and supports continued management.
	AddAttribute(key *string, sources ...*string) AccessControlAttribute
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

Enables the attribute-based access control (ABAC) feature for the specified IAM Identity Center instance.

You can also specify new attributes to add to your ABAC configuration during the enabling process. For more information about ABAC, see [Attribute-Based Access Control](https://docs.aws.amazon.com/singlesignon/latest/userguide/abac.html) in the IAM Identity Center User Guide.

func NewInstanceAccessControlAttributeConfiguration

func NewInstanceAccessControlAttributeConfiguration(scope constructs.Construct, id *string, props *InstanceAccessControlAttributeConfigurationProps) InstanceAccessControlAttributeConfiguration

Creates a new instance of the InstanceAccessControlAttributeConfiguration class.

type InstanceAccessControlAttributeConfigurationProps

type InstanceAccessControlAttributeConfigurationProps struct {
	// The AWS account ID this resource belongs to.
	// Default: - the resource is in the same account as the stack it belongs to.
	//
	Account *string `field:"optional" json:"account" yaml:"account"`
	// ARN to deduce region and account from.
	//
	// The ARN is parsed and the account and region are taken from the ARN.
	// This should be used for imported resources.
	//
	// Cannot be supplied together with either `account` or `region`.
	// Default: - take environment from `account`, `region` parameters, or use Stack environment.
	//
	EnvironmentFromArn *string `field:"optional" json:"environmentFromArn" yaml:"environmentFromArn"`
	// The value passed in by users to the physical name prop of the resource.
	//
	// - `undefined` implies that a physical name will be allocated by
	//   CloudFormation during deployment.
	// - a concrete value implies a specific physical name
	// - `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical name will only be generated
	//   by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
	// Default: - The physical name will be allocated by CloudFormation at deployment time.
	//
	PhysicalName *string `field:"optional" json:"physicalName" yaml:"physicalName"`
	// The AWS region this resource belongs to.
	// Default: - the resource is in the same region as the stack it belongs to.
	//
	Region *string `field:"optional" json:"region" yaml:"region"`
	// The IAM Identity Center instance under which the operation will be executed.
	Instance IInstance `field:"required" json:"instance" yaml:"instance"`
	// Lists the attributes that are configured for ABAC in the specified IAM Identity Center instance.
	AttributeMapping *map[string]*[]*string `field:"optional" json:"attributeMapping" yaml:"attributeMapping"`
}

Configuration for InstanceAccessControlAttributeConfiguration resource.

type InstanceBase

type InstanceBase interface {
	awscdk.Resource
	IInstance
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The ARN of the IAM Identity Center instance under which the operation will be executed.
	//
	// For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
	InstanceArn() *string
	// The ID of the IAM Identity Center instance under which the operation will be executed.
	InstanceId() *string
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

type ManagedPolicyPermissionsBoundary

type ManagedPolicyPermissionsBoundary interface {
	PermissionsBoundary
	ManagedPolicy() awsiam.IManagedPolicy
	Bind(_scope constructs.IConstruct) *awssso.CfnPermissionSet_PermissionsBoundaryProperty
}

func ManagedPolicyPermissionsBoundary_FromManagedPolicy

func ManagedPolicyPermissionsBoundary_FromManagedPolicy(policy awsiam.IManagedPolicy) ManagedPolicyPermissionsBoundary

func NewManagedPolicyPermissionsBoundary

func NewManagedPolicyPermissionsBoundary(policy awsiam.IManagedPolicy) ManagedPolicyPermissionsBoundary

func PermissionsBoundary_FromManagedPolicy

func PermissionsBoundary_FromManagedPolicy(policy awsiam.IManagedPolicy) ManagedPolicyPermissionsBoundary

func ReferencedPermissionsBoundary_FromManagedPolicy

func ReferencedPermissionsBoundary_FromManagedPolicy(policy awsiam.IManagedPolicy) ManagedPolicyPermissionsBoundary

type PermissionSet

type PermissionSet interface {
	awscdk.Resource
	IPermissionSet
	// A user friendly description providing details about the permission set.
	Description() *string
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The IAM Identity Center instance under which the operation will be executed.
	Instance() IInstance
	// The name of the permission set.
	Name() *string
	// The tree node.
	Node() constructs.Node
	// Specifies the configuration of the AWS managed or customer managed policy that you want to set as a permissions boundary.
	//
	// Specify either
	// CustomerManagedPolicyReference to use the name and path of a customer
	// managed policy, or ManagedPolicyArn to use the ARN of an AWS managed
	// policy. A permissions boundary represents the maximum permissions that
	// any policy can grant your role. For more information, see [Permissions
	// boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) for IAM entities in the AWS Identity and Access Management
	// User Guide.
	PermissionsBoundary() PermissionsBoundary
	// The permission set ARN of the permission set, such as `arn:aws:sso:::permissionSet/ins-instanceid/ps-permissionsetid`.
	PermissionSetArn() *string
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// Used to redirect users within the application during the federation authentication process.
	//
	// For example, you can redirect users to a
	// specific page that is most applicable to their job after signing in to
	// an AWS account.
	RelayState() *string
	// The underlying PermissionSet CloudFormation resource.
	Resource() awssso.CfnPermissionSet
	// The length of time that the application user sessions are valid for.
	SessionDuration() awscdk.Duration
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Adds a custom managed policy to the permission set.
	//
	// When using customer
	// managed policies it is required that a managed policy with a matching
	// name and path exist in any AWS account for which the permission set
	// will be assigned.
	//
	// Returns: A dynamically generated ManagedPolicy class that can be used
	// to create compatible managed policies in other accounts.
	AddCustomerManagedPolicy(options *ReferenceOptions) ReferencedManagedPolicy
	// Adds a new Managed Policy to the permission set.
	//
	// Only Managed Policies
	// created and maintained by AWS are supported. To add a custom Managed
	// Policy that you control use the {@link addCustomerManagedPolicy} method.
	//
	// Returns: The Permission Set resource the Managed Policy was added to.
	AddManagedPolicy(policy awsiam.IManagedPolicy) PermissionSet
	// Adds a permission to the permission set's default policy document.
	//
	// If there is no default policy attached to this permission set, it will be created.
	//
	// Returns: An [AddToPrincipalPolicyResult](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.AddToPrincipalPolicyResult.html) object that provides details of
	// the result of the operation.
	AddToPrincipalPolicy(statement awsiam.PolicyStatement) *awsiam.AddToPrincipalPolicyResult
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

Specifies a permission set within a specified IAM Identity Center instance.

func NewPermissionSet

func NewPermissionSet(scope constructs.Construct, id *string, props *PermissionSetProps) PermissionSet

Creates a new instance of the PermissionSet class.

type PermissionSetProps

type PermissionSetProps struct {
	// The AWS account ID this resource belongs to.
	// Default: - the resource is in the same account as the stack it belongs to.
	//
	Account *string `field:"optional" json:"account" yaml:"account"`
	// ARN to deduce region and account from.
	//
	// The ARN is parsed and the account and region are taken from the ARN.
	// This should be used for imported resources.
	//
	// Cannot be supplied together with either `account` or `region`.
	// Default: - take environment from `account`, `region` parameters, or use Stack environment.
	//
	EnvironmentFromArn *string `field:"optional" json:"environmentFromArn" yaml:"environmentFromArn"`
	// The value passed in by users to the physical name prop of the resource.
	//
	// - `undefined` implies that a physical name will be allocated by
	//   CloudFormation during deployment.
	// - a concrete value implies a specific physical name
	// - `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical name will only be generated
	//   by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
	// Default: - The physical name will be allocated by CloudFormation at deployment time.
	//
	PhysicalName *string `field:"optional" json:"physicalName" yaml:"physicalName"`
	// The AWS region this resource belongs to.
	// Default: - the resource is in the same region as the stack it belongs to.
	//
	Region *string `field:"optional" json:"region" yaml:"region"`
	// The IAM Identity Center instance under which the operation will be executed.
	Instance IInstance `field:"required" json:"instance" yaml:"instance"`
	// A user friendly description providing details about the permission set.
	// See: [AWS::SSO::PermissionSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-permissionset.html#cfn-sso-permissionset-description)
	//
	Description *string `field:"optional" json:"description" yaml:"description"`
	// Adds inline policy documents that will be embedded in the permission set.
	// See: [AWS::SSO::PermissionSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-permissionset.html#cfn-sso-permissionset-inlinepolicy)
	//
	InlinePolicies *map[string]awsiam.PolicyDocument `field:"optional" json:"inlinePolicies" yaml:"inlinePolicies"`
	// A list of the IAM managed policies that you want to attach to the permission set.
	//
	// Managed policies specified here must be AWS managed.
	// To reference custom managed policies use the {@link PermissionSet.addCustomerManagedPolicy}
	// method.
	// See: [AWS::SSO::PermissionSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-permissionset.html#cfn-sso-permissionset-managedpolicies)
	//
	ManagedPolicies *[]awsiam.IManagedPolicy `field:"optional" json:"managedPolicies" yaml:"managedPolicies"`
	// The name of the permission set.
	// See: [AWS::SSO::PermissionSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-permissionset.html#cfn-sso-permissionset-name)
	//
	Name *string `field:"optional" json:"name" yaml:"name"`
	// Specifies the configuration of the AWS managed or customer managed policy that you want to set as a permissions boundary.
	//
	// Specify either
	// CustomerManagedPolicyReference to use the name and path of a customer
	// managed policy, or ManagedPolicyArn to use the ARN of an AWS managed
	// policy. A permissions boundary represents the maximum permissions that
	// any policy can grant your role. For more information, see [Permissions
	// boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) for IAM entities in the AWS Identity and Access Management
	// User Guide.
	// See: [AWS::SSO::PermissionSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-permissionset.html#cfn-sso-permissionset-permissionsboundary)
	//
	PermissionsBoundary PermissionsBoundary `field:"optional" json:"permissionsBoundary" yaml:"permissionsBoundary"`
	// Used to redirect users within the application during the federation authentication process.
	//
	// For example, you can redirect users to a
	// specific page that is most applicable to their job after signing in to
	// an AWS account.
	// See: [AWS::SSO::PermissionSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-permissionset.html#cfn-sso-permissionset-relaystatetype)
	//
	RelayState *string `field:"optional" json:"relayState" yaml:"relayState"`
	// The length of time that the application user sessions are valid for.
	// See: [AWS::SSO::PermissionSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sso-permissionset.html#cfn-sso-permissionset-sessionduration)
	//
	SessionDuration awscdk.Duration `field:"optional" json:"sessionDuration" yaml:"sessionDuration"`
}

Configuration for PermissionSet resource.

type PermissionsBoundary

type PermissionsBoundary interface {
	Bind(scope constructs.IConstruct) *awssso.CfnPermissionSet_PermissionsBoundaryProperty
}

type ReferenceOptions

type ReferenceOptions struct {
	// The name of the customer managed policy.
	Name *string `field:"required" json:"name" yaml:"name"`
	// The path for the policy.
	//
	// For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the IAM User
	// Guide.
	//
	// This parameter is optional. If it is not included, it defaults to a slash (/).
	//
	// This parameter allows a string of characters consisting of either a
	// forward slash (/) by itself or a string that must begin and end with
	// forward slashes. In addition, it can contain any ASCII character from
	// the ! (`\u0021`) through the DEL character (`\u007F`), including most
	// punctuation characters, digits, and upper and lowercased letters.
	// Default: '/'.
	//
	Path *string `field:"optional" json:"path" yaml:"path"`
}

Configuration options for creating a referenced customer managed policy.
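The AddCustomerManagedPolicy docs above require that a policy with a matching name and path exist in every account the permission set is assigned to, and ReferenceOptions.Path spells out what a valid path looks like. The following is an added example, not code from cdk-extensions or the AWS CDK: it validates a reference path against those documented rules and reports, per target account, which references have no matching policy. The `Reference` type, the sample inventory (constructed account IDs and policy names) and the function names are assumptions made for this example; it uses only the Go standard library and does not call the construct library.

```go
package main

import (
	"fmt"
	"strings"
)

// Reference mirrors the two fields of ReferenceOptions: inside a permission set a
// customer managed policy is identified by name and path only, never by ARN.
type Reference struct {
	Name string
	Path string
}

// ValidateReferencePath applies the rules documented for ReferenceOptions.Path:
// the path is either a single "/" or a string that begins and ends with "/",
// and every byte lies between '!' (0x21) and DEL (0x7F). An empty path means the
// documented default of "/" and is accepted.
func ValidateReferencePath(path string) error {
	if path == "" || path == "/" {
		return nil
	}
	if !strings.HasPrefix(path, "/") || !strings.HasSuffix(path, "/") {
		return fmt.Errorf("path %q must begin and end with a forward slash", path)
	}
	for i := 0; i < len(path); i++ {
		// Byte-wise check: any multi-byte UTF-8 sequence has bytes above 0x7F
		// and is rejected, as are spaces and control characters below 0x21.
		if c := path[i]; c < 0x21 || c > 0x7f {
			return fmt.Errorf("path %q contains disallowed byte 0x%02x at offset %d", path, c, i)
		}
	}
	return nil
}

// normalizePath makes the empty default comparable with an explicit "/".
func normalizePath(p string) string {
	if p == "" {
		return "/"
	}
	return p
}

// MissingReferences returns, per account, the references required by the
// permission sets assigned to that account for which no policy with the same
// name and path exists there. A mismatch here is what surfaces at assignment
// time as a failed or silently weaker permission set.
func MissingReferences(required, existing map[string][]Reference) map[string][]Reference {
	missing := map[string][]Reference{}
	for account, refs := range required {
		have := map[Reference]bool{}
		for _, p := range existing[account] {
			have[Reference{Name: p.Name, Path: normalizePath(p.Path)}] = true
		}
		for _, r := range refs {
			key := Reference{Name: r.Name, Path: normalizePath(r.Path)}
			if !have[key] {
				missing[account] = append(missing[account], key)
			}
		}
	}
	return missing
}

// sampleInventory is a constructed inventory (fake account IDs, fake policy
// names) standing in for what an account scan would return.
func sampleInventory() (required, existing map[string][]Reference) {
	required = map[string][]Reference{
		"111111111111": {{Name: "DeployReadOnly", Path: "/sso/"}, {Name: "AuditLogs", Path: ""}},
		"222222222222": {{Name: "DeployReadOnly", Path: "/sso/"}},
	}
	existing = map[string][]Reference{
		"111111111111": {{Name: "DeployReadOnly", Path: "/sso/"}},
		"222222222222": {{Name: "DeployReadOnly", Path: "/"}}, // same name, drifted path
	}
	return required, existing
}

func main() {
	for _, p := range []string{"/", "/sso/team-a/", "sso/", "/with space/"} {
		fmt.Printf("%-14q -> %v\n", p, ValidateReferencePath(p))
	}
	required, existing := sampleInventory()
	for account, refs := range MissingReferences(required, existing) {
		for _, r := range refs {
			fmt.Printf("account %s: no policy named %q at path %q\n", account, r.Name, r.Path)
		}
	}
}
```

Run the path check before synthesizing, and the inventory check against each target account after deploying the generated ReferencedManagedPolicy classes there; a name that matches but a path that does not (the second sample account) is the drift that is easiest to miss by eye.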

type ReferencedManagedPolicy

type ReferencedManagedPolicy interface {
	awsiam.ManagedPolicy
	// The description of this policy.
	Description() *string
	// The policy document.
	Document() awsiam.PolicyDocument
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The principal to grant permissions to.
	GrantPrincipal() awsiam.IPrincipal
	// Returns the ARN of this managed policy.
	ManagedPolicyArn() *string
	// The name of this policy.
	ManagedPolicyName() *string
	// The tree node.
	Node() constructs.Node
	// The path of this policy.
	Path() *string
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The name of the managed policy.
	ReferencedName() *string
	// The path for the managed policy.
	//
	// For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the IAM User
	// Guide.
	ReferencedPath() *string
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// Adds a statement to the policy document.
	AddStatements(statement ...awsiam.PolicyStatement)
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// Attaches this policy to a group.
	AttachToGroup(group awsiam.IGroup)
	// Attaches this policy to a role.
	AttachToRole(role awsiam.IRole)
	// Attaches this policy to a user.
	AttachToUser(user awsiam.IUser)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}

A managed policy that is referenced via IAM Identity Center.

func ReferencedManagedPolicy_Of

func ReferencedManagedPolicy_Of(options *ReferenceOptions) ReferencedManagedPolicy

Dynamically generates a new class that can be used to create a managed policy that matches a reference in IAM Identity Center.

Returns: A dynamically generated class that will match the provided reference configuration.

type ReferencedManagedPolicyProps

type ReferencedManagedPolicyProps struct {
	// A friendly description of the policy.
	//
	// Typically used to store information about the permissions defined in the
	// policy. For example, "Grants access to production DynamoDB tables."
	//
	// The policy description is immutable. After a value is assigned, it
	// cannot be changed.
	Description *string `field:"optional" json:"description" yaml:"description"`
	// The policy document that you want to use as the content for the new policy.
	Document awsiam.PolicyDocument `field:"optional" json:"document" yaml:"document"`
	// The groups to attach the policy to.
	//
	// When creating managed policies that will be referenced by IAM Identity
	// Center it is possible to associate them with other resources such as
	// users, groups, and roles. However, this is typically not done, as IAM
	// Identity Center will handle configuring associations in the background.
	Groups *[]awsiam.IGroup `field:"optional" json:"groups" yaml:"groups"`
	// The roles to attach the policy to.
	//
	// When creating managed policies that will be referenced by IAM Identity
	// Center it is possible to associate them with other resources such as
	// users, groups, and roles. However, this is typically not done, as IAM
	// Identity Center will handle configuring associations in the background.
	Roles *[]awsiam.IRole `field:"optional" json:"roles" yaml:"roles"`
	// Initial set of permissions to add to this policy document.
	Statements *[]awsiam.PolicyStatement `field:"optional" json:"statements" yaml:"statements"`
	// The users to attach the policy to.
	//
	// When creating managed policies that will be referenced by IAM Identity
	// Center it is possible to associate them with other resources such as
	// users, groups, and roles. However, this is typically not done, as IAM
	// Identity Center will handle configuring associations in the background.
	Users *[]awsiam.IUser `field:"optional" json:"users" yaml:"users"`
}

Represents configuration options when creating a managed policy from a class generated when adding a custom policy reference.

type ReferencedPermissionsBoundary

type ReferencedPermissionsBoundary interface {
	PermissionsBoundary
	ReferencedPolicy() ReferencedManagedPolicy
	Bind(_scope constructs.IConstruct) *awssso.CfnPermissionSet_PermissionsBoundaryProperty
}

func ManagedPolicyPermissionsBoundary_FromReference

func ManagedPolicyPermissionsBoundary_FromReference(options *ReferenceOptions) ReferencedPermissionsBoundary

func NewReferencedPermissionsBoundary

func NewReferencedPermissionsBoundary(options *ReferenceOptions) ReferencedPermissionsBoundary

func PermissionsBoundary_FromReference

func PermissionsBoundary_FromReference(options *ReferenceOptions) ReferencedPermissionsBoundary

func ReferencedPermissionsBoundary_FromReference

func ReferencedPermissionsBoundary_FromReference(options *ReferenceOptions) ReferencedPermissionsBoundary

type User

type User interface {
}

func NewUser

func NewUser() User

type UserBase

type UserBase interface {
	awscdk.Resource
	IIdentityCenterPrincipal
	IUser
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	Node() constructs.Node
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	PhysicalName() *string
	// The unique ID that identifies the entity within IAM Identity Center.
	PrincipalId() *string
	// The type of entity being represented.
	PrincipalType() IdentityCenterPrincipalType
	// The stack in which this resource is defined.
	Stack() awscdk.Stack
	// A GUID identifier for a user object in IAM Identity Center (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6).
	UserId() *string
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	ToString() *string
}
