aws-cdk-lib.aws_iam.User

class User (construct)

Type name by language

  • .NET: Amazon.CDK.AWS.IAM.User
  • Go: github.com/aws/aws-cdk-go/awscdk/v2/awsiam#User
  • Java: software.amazon.awscdk.services.iam.User
  • Python: aws_cdk.aws_iam.User
  • TypeScript (source): aws-cdk-lib » aws_iam » User

Implements IConstruct, IDependable, IResource, IIdentity, IGrantable, IPrincipal, IUser

Define a new IAM user.

Example

import * as iam from 'aws-cdk-lib/aws-iam';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';

const user = new iam.User(this, 'MyUser');

declare const definition: sfn.IChainable;
const stateMachine = new sfn.StateMachine(this, 'StateMachine', {
  definition,
});

// Give the user permission to report task success to the state machine
stateMachine.grant(user, 'states:SendTaskSuccess');

Initializer

new User(scope: Construct, id: string, props?: UserProps)

Parameters

  • scope Construct
  • id string
  • props UserProps

Construct Props

  • groups? (IGroup[]): Groups to add this user to.
  • managedPolicies? (IManagedPolicy[]): A list of managed policies associated with this user.
  • password? (SecretValue): The password for the user. This is required so the user can access the AWS Management Console.
  • passwordResetRequired? (boolean): Specifies whether the user is required to set a new password the next time the user logs in to the AWS Management Console.
  • path? (string): The path for the user name.
  • permissionsBoundary? (IManagedPolicy): AWS supports permissions boundaries for IAM entities (users or roles).
  • userName? (string): A name for the IAM user.

groups?

Type: IGroup[] (optional, default: No groups.)

Groups to add this user to.

You can also use addToGroup to add this user to a group.


managedPolicies?

Type: IManagedPolicy[] (optional, default: No managed policies.)

A list of managed policies associated with this user.

You can add managed policies later using addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName)).


password?

Type: SecretValue (optional, default: User won't be able to access the management console without a password.)

The password for the user. This is required so the user can access the AWS Management Console.

You can use SecretValue.unsafePlainText to specify a password in plain text or use secretsmanager.Secret.fromSecretAttributes to reference a secret in Secrets Manager.


passwordResetRequired?

Type: boolean (optional, default: false)

Specifies whether the user is required to set a new password the next time the user logs in to the AWS Management Console.

If this is set to 'true', you must also specify a password via the "password" prop.


path?

Type: string (optional, default: /)

The path for the user name.

For more information about paths, see IAM Identifiers in the IAM User Guide.


permissionsBoundary?

Type: IManagedPolicy (optional, default: No permissions boundary.)

AWS supports permissions boundaries for IAM entities (users or roles).

A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.


userName?

Type: string (optional, default: Generated by CloudFormation (recommended))

A name for the IAM user.

For valid values, see the UserName parameter for the CreateUser action in the IAM API Reference. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name.

If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.

Properties

  • assumeRoleAction (string): When this Principal is used in an AssumeRole policy, the action to use.
  • env (ResourceEnvironment): The environment this resource belongs to.
  • grantPrincipal (IPrincipal): The principal to grant permissions to.
  • node (Node): The tree node.
  • policyFragment (PrincipalPolicyFragment): Return the policy fragment that identifies this principal in a Policy.
  • stack (Stack): The stack in which this resource is defined.
  • userArn (string): An attribute that represents the user's ARN.
  • userName (string): An attribute that represents the user name.
  • permissionsBoundary? (IManagedPolicy): Returns the permissions boundary attached to this user.
  • principalAccount? (string): The AWS account ID of this principal.

assumeRoleAction

Type: string

When this Principal is used in an AssumeRole policy, the action to use.


env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


grantPrincipal

Type: IPrincipal

The principal to grant permissions to.


node

Type: Node

The tree node.


policyFragment

Type: PrincipalPolicyFragment

Return the policy fragment that identifies this principal in a Policy.


stack

Type: Stack

The stack in which this resource is defined.


userArn

Type: string

An attribute that represents the user's ARN.


userName

Type: string

An attribute that represents the user name.


permissionsBoundary?

Type: IManagedPolicy (optional)

Returns the permissions boundary attached to this user.


principalAccount?

Type: string (optional)

The AWS account ID of this principal.

Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.

Methods

  • addManagedPolicy(policy): Attaches a managed policy to the user.
  • addToGroup(group): Adds this user to a group.
  • addToPolicy(statement): Add to the policy of this principal.
  • addToPrincipalPolicy(statement): Adds an IAM statement to the default policy.
  • applyRemovalPolicy(policy): Apply the given removal policy to this resource.
  • attachInlinePolicy(policy): Attaches a policy to this user.
  • toString(): Returns a string representation of this construct.
  • static fromUserArn(scope, id, userArn): Import an existing user given a user ARN.
  • static fromUserAttributes(scope, id, attrs): Import an existing user given user attributes.
  • static fromUserName(scope, id, userName): Import an existing user given a username.

addManagedPolicy(policy)

public addManagedPolicy(policy: IManagedPolicy): void

Parameters

  • policy IManagedPolicy — The managed policy to attach.

Attaches a managed policy to the user.


addToGroup(group)

public addToGroup(group: IGroup): void

Parameters

  • group IGroup

Adds this user to a group.


addToPolicy(statement)

public addToPolicy(statement: PolicyStatement): boolean

Parameters

  • statement PolicyStatement

Returns

  • boolean

Add to the policy of this principal.


addToPrincipalPolicy(statement)

public addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult

Parameters

  • statement PolicyStatement

Returns

  • AddToPrincipalPolicyResult

Adds an IAM statement to the default policy.


applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


attachInlinePolicy(policy)

public attachInlinePolicy(policy: Policy): void

Parameters

  • policy Policy

Attaches a policy to this user.


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.


static fromUserArn(scope, id, userArn)

public static fromUserArn(scope: Construct, id: string, userArn: string): IUser

Parameters

  • scope Construct — construct scope.
  • id string — construct id.
  • userArn string — the ARN of an existing user to import.

Returns

  • IUser

Import an existing user given a user ARN.

If the ARN comes from a Token, the user cannot have a path; if it does, any attempt to reference its username will fail.


static fromUserAttributes(scope, id, attrs)

public static fromUserAttributes(scope: Construct, id: string, attrs: UserAttributes): IUser

Parameters

  • scope Construct — construct scope.
  • id string — construct id.
  • attrs UserAttributes — the attributes of the user to import.

Returns

  • IUser

Import an existing user given user attributes.

If the ARN comes from a Token, the user cannot have a path; if it does, any attempt to reference its username will fail.


static fromUserName(scope, id, userName)

public static fromUserName(scope: Construct, id: string, userName: string): IUser

Parameters

  • scope Construct — construct scope.
  • id string — construct id.
  • userName string — the username of the existing user to import.

Returns

  • IUser

Import an existing user given a username.