aws-cdk-lib.custom_resources.AwsCustomResourcePolicy

class AwsCustomResourcePolicy

| Language | Type name |
| --- | --- |
| .NET | Amazon.CDK.CustomResources.AwsCustomResourcePolicy |
| Go | github.com/aws/aws-cdk-go/awscdk/v2/customresources#AwsCustomResourcePolicy |
| Java | software.amazon.awscdk.customresources.AwsCustomResourcePolicy |
| Python | aws_cdk.custom_resources.AwsCustomResourcePolicy |
| TypeScript (source) | aws-cdk-lib » custom_resources » AwsCustomResourcePolicy |

The IAM Policy that will be applied to the different calls.

Example

const getParameter = new cr.AwsCustomResource(this, 'GetParameter', {
  onUpdate: { // will also be called for a CREATE event
    service: 'SSM',
    action: 'getParameter',
    parameters: {
      Name: 'my-parameter',
      WithDecryption: true,
    },
    physicalResourceId: cr.PhysicalResourceId.of(Date.now().toString()), // Update physical id to always fetch the latest version
  },
  policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
    resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
  }),
});

// Use the value in another construct with
getParameter.getResponseField('Parameter.Value');

Properties

| Name | Type | Description |
| --- | --- | --- |
| statements | PolicyStatement[] | Statements for an explicit policy. |
| resources? | string[] | Resources for the policy statements auto-generated from SDK calls. |
| static ANY_RESOURCE | string[] | Use this constant to configure access to any resource. |

statements

Type: PolicyStatement[]

Statements for an explicit policy.


resources?

Type: string[] (optional)

Resources for the policy statements auto-generated from SDK calls.


static ANY_RESOURCE

Type: string[]

Use this constant to configure access to any resource.

Methods

| Name | Description |
| --- | --- |
| static fromSdkCalls(options) | Generate IAM Policy Statements from the configured SDK calls. |
| static fromStatements(statements) | Explicit IAM Policy Statements. |

static fromSdkCalls(options)

public static fromSdkCalls(options: SdkCallsPolicyOptions): AwsCustomResourcePolicy

Parameters

  • options SdkCallsPolicyOptions — options for the policy generation.

Returns

  • AwsCustomResourcePolicy

Generate IAM Policy Statements from the configured SDK calls.

Each SDK call will be translated to an IAM Policy Statement in the form of: call.service:call.action (e.g. s3:PutObject).

This policy generator assumes the IAM action has the same name as the API call. This is true in 99% of cases, but there are exceptions (for example, S3's PutBucketLifecycleConfiguration requires s3:PutLifecycleConfiguration permissions, and Lambda's Invoke requires lambda:InvokeFunction permissions). Use fromStatements if you want to make a call that requires a different IAM action name.
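The naming caveat above can be checked before synthesis. The following TypeScript is an added example, not code from the CDK project: it flags calls where the derived action differs from the IAM action required and calls paired with a wildcard resource list. The names `SdkCall`, `Finding`, `derivedAction` and `auditCalls` are hypothetical, the sample calls and ARN are constructed, and the name derivation only approximates the `service:action` form described here.

```typescript
// Added example, not CDK source. SdkCall, Finding, derivedAction and auditCalls
// are hypothetical names; the sample calls and ARN are constructed.
interface SdkCall { service: string; action: string; }
interface Finding { call: string; issue: string; fix: string; }

// The two exceptions named on this page: derived action -> IAM action required.
const KNOWN_EXCEPTIONS: Record<string, string> = {
  's3:PutBucketLifecycleConfiguration': 's3:PutLifecycleConfiguration',
  'lambda:Invoke': 'lambda:InvokeFunction',
};

// Assumption: approximates the documented "service:action" form by lower-casing
// the service and upper-casing the first letter of the action.
function derivedAction(call: SdkCall): string {
  const action = call.action.charAt(0).toUpperCase() + call.action.slice(1);
  return `${call.service.toLowerCase()}:${action}`;
}

// Flags calls that need fromStatements and calls paired with a wildcard resource.
function auditCalls(calls: SdkCall[], resources: string[]): Finding[] {
  const findings: Finding[] = [];
  const wildcard = resources.indexOf('*') !== -1; // ANY_RESOURCE is ['*']
  for (const call of calls) {
    const derived = derivedAction(call);
    const required = KNOWN_EXCEPTIONS[derived];
    if (required !== undefined) {
      findings.push({
        call: derived,
        issue: `fromSdkCalls would grant ${derived}, but the call needs ${required}`,
        fix: `use fromStatements with action ${required}`,
      });
    }
    if (wildcard) {
      findings.push({
        call: derived,
        issue: 'policy applies to any resource',
        fix: 'pass only the ARNs this call touches as resources',
      });
    }
  }
  return findings;
}

const sampleCalls: SdkCall[] = [
  { service: 'SSM', action: 'getParameter' },
  { service: 'Lambda', action: 'invoke' },
];
const sampleArn = 'arn:aws:ssm:us-east-1:111122223333:parameter/my-parameter';
const wildcardFindings = auditCalls(sampleCalls, ['*']);
const scopedFindings = auditCalls(sampleCalls, [sampleArn]);
```

With the constructed input, the SSM call is flagged only when the resource list is the wildcard, while the Lambda call is flagged in both runs because its IAM action name differs from the API call name.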


static fromStatements(statements)

public static fromStatements(statements: PolicyStatement[]): AwsCustomResourcePolicy

Parameters

  • statements PolicyStatement[] — the statements to propagate to the SDK calls.

Returns

  • AwsCustomResourcePolicy

Explicit IAM Policy Statements.