aws-cdk-lib.aws_iam.PolicyStatement

class PolicyStatement

Language — type name

  • .NET — Amazon.CDK.AWS.IAM.PolicyStatement
  • Go — github.com/aws/aws-cdk-go/awscdk/v2/awsiam#PolicyStatement
  • Java — software.amazon.awscdk.services.iam.PolicyStatement
  • Python — aws_cdk.aws_iam.PolicyStatement
  • TypeScript (source) — aws-cdk-lib » aws_iam » PolicyStatement

Represents a statement in an IAM policy document.

Example

    // Add gateway endpoints when creating the VPC
    const vpc = new ec2.Vpc(this, 'MyVpc', {
      gatewayEndpoints: {
        S3: {
          service: ec2.GatewayVpcEndpointAwsService.S3,
        },
      },
    });

    // Alternatively gateway endpoints can be added on the VPC
    const dynamoDbEndpoint = vpc.addGatewayEndpoint('DynamoDbEndpoint', {
      service: ec2.GatewayVpcEndpointAwsService.DYNAMODB,
    });

    // This allows to customize the endpoint policy
    dynamoDbEndpoint.addToPolicy(
      new iam.PolicyStatement({ // Restrict to listing and describing tables
        principals: [new iam.AnyPrincipal()],
        actions: ['dynamodb:DescribeTable', 'dynamodb:ListTables'],
        resources: ['*'],
      }));

    // Add an interface endpoint
    vpc.addInterfaceEndpoint('EcrDockerEndpoint', {
      service: ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,

      // Uncomment the following to allow more fine-grained control over
      // who can access the endpoint via the '.connections' object.
      // open: false
    });

Initializer

new PolicyStatement(props?: PolicyStatementProps)

Parameters

  • props PolicyStatementProps

Properties

  • actions (string[]) — The Actions added to this statement.
  • conditions (any) — The conditions added to this statement.
  • effect (Effect) — Whether to allow or deny the actions in this statement; this sets the Effect of the statement.
  • frozen (boolean) — Whether the PolicyStatement has been frozen.
  • hasPrincipal (boolean) — Indicates if this permission has a "Principal" section.
  • hasResource (boolean) — Indicates if this permission has at least one resource associated with it.
  • notActions (string[]) — The NotActions added to this statement.
  • notPrincipals (IPrincipal[]) — The NotPrincipals added to this statement.
  • notResources (string[]) — The NotResources added to this statement.
  • principals (IPrincipal[]) — The Principals added to this statement.
  • resources (string[]) — The Resources added to this statement.
  • sid? (string, optional) — Statement ID for this statement; this sets the Sid of the statement.

actions

Type: string[]

The Actions added to this statement.


conditions

Type: any

The conditions added to this statement.


effect

Type: Effect

Whether to allow or deny the actions in this statement; this sets the Effect of the statement.


frozen

Type: boolean

Whether the PolicyStatement has been frozen.

The statement object is frozen when freeze() is called.


hasPrincipal

Type: boolean

Indicates if this permission has a "Principal" section.


hasResource

Type: boolean

Indicates if this permission has at least one resource associated with it.


notActions

Type: string[]

The NotActions added to this statement.


notPrincipals

Type: IPrincipal[]

The NotPrincipals added to this statement.


notResources

Type: string[]

The NotResources added to this statement.


principals

Type: IPrincipal[]

The Principals added to this statement.


resources

Type: string[]

The Resources added to this statement.


sid?

Type: string (optional)

Statement ID for this statement; this sets the Sid of the statement.

Methods

  • addAccountCondition(accountId) — Add a StringEquals condition that limits to a given account from sts:ExternalId.
  • addAccountRootPrincipal() — Adds an AWS account root user principal to this policy statement.
  • addActions(...actions) — Specify allowed actions in the "Action" section of the policy statement.
  • addAllResources() — Adds a "*" resource to this statement.
  • addAnyPrincipal() — Adds all identities in all accounts ("*") to this policy statement.
  • addArnPrincipal(arn) — Specify a principal using the ARN identifier of the principal.
  • addAwsAccountPrincipal(accountId) — Specify an AWS account ID as the principal entity in the "Principal" section of a policy statement.
  • addCanonicalUserPrincipal(canonicalUserId) — Adds a canonical user ID principal to this policy document.
  • addCondition(key, value) — Add a condition to the Policy.
  • addConditions(conditions) — Add multiple conditions to the Policy.
  • addFederatedPrincipal(federated, conditions) — Adds a federated identity provider such as Amazon Cognito to this policy statement.
  • addNotActions(...notActions) — Add actions to the "NotAction" section of the policy document, which explicitly allows all actions except the specified list.
  • addNotPrincipals(...notPrincipals) — Specify principals that are not allowed or denied access, in the "NotPrincipal" section of a policy statement.
  • addNotResources(...arns) — Specify, in the "NotResource" section of this policy statement, resources that the statement does not apply to.
  • addPrincipals(...principals) — Adds principals to the "Principal" section of a policy statement.
  • addResources(...arns) — Specify, in the "Resource" section of this policy statement, resources that the statement applies to.
  • addServicePrincipal(service, opts?) — Adds a service principal to this policy statement.
  • addSourceAccountCondition(accountId) — Add a StringEquals condition that limits to a given account from aws:SourceAccount.
  • addSourceArnCondition(arn) — Add an ArnEquals condition that limits to a given resource ARN from aws:SourceArn.
  • copy(overrides?) — Create a new PolicyStatement with the same exact properties as this one, except for the overrides.
  • freeze() — Make the PolicyStatement immutable.
  • toJSON() — JSON-ify the statement.
  • toStatementJson() — JSON-ify the policy statement.
  • toString() — String representation of this policy statement.
  • validateForAnyPolicy() — Validate that the policy statement satisfies base requirements for a policy.
  • validateForIdentityPolicy() — Validate that the policy statement satisfies all requirements for an identity-based policy.
  • validateForResourcePolicy() — Validate that the policy statement satisfies all requirements for a resource-based policy.
  • static fromJson(obj) — Creates a new PolicyStatement based on the object provided.

addAccountCondition(accountId)

public addAccountCondition(accountId: string): void

Parameters

  • accountId string

Add a StringEquals condition that limits to a given account from sts:ExternalId.

This method can only be called once: subsequent calls will overwrite earlier calls.

See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html


addAccountRootPrincipal()

public addAccountRootPrincipal(): void

Adds an AWS account root user principal to this policy statement.


addActions(...actions)

public addActions(...actions: string[]): void

Parameters

  • actions string — actions that will be allowed.

Specify allowed actions in the "Action" section of the policy statement.

See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html


addAllResources()

public addAllResources(): void

Adds a "*" resource to this statement.


addAnyPrincipal()

public addAnyPrincipal(): void

Adds all identities in all accounts ("*") to this policy statement.


addArnPrincipal(arn)

public addArnPrincipal(arn: string): void

Parameters

  • arn string — ARN identifier of an AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name).

Specify a principal using the ARN identifier of the principal.

You cannot specify IAM groups and instance profiles as principals.


addAwsAccountPrincipal(accountId)

public addAwsAccountPrincipal(accountId: string): void

Parameters

  • accountId string

Specify an AWS account ID as the principal entity in the "Principal" section of a policy statement.


addCanonicalUserPrincipal(canonicalUserId)

public addCanonicalUserPrincipal(canonicalUserId: string): void

Parameters

  • canonicalUserId string — unique identifier assigned by AWS for every account.

Adds a canonical user ID principal to this policy document.


addCondition(key, value)

public addCondition(key: string, value: any): void

Parameters

  • key string
  • value any

Add a condition to the Policy.

If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:

    declare const stmt: iam.PolicyStatement;

    stmt.addCondition('StringEquals', { 'aws:SomeField': '1' });
    stmt.addCondition('StringEquals', { 'aws:SomeField': '2' });

Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.

If you meant to add a condition to say that the field can be either 1 or 2, write this:

    declare const stmt: iam.PolicyStatement;

    stmt.addCondition('StringEquals', { 'aws:SomeField': ['1', '2'] });

addConditions(conditions)

public addConditions(conditions: { [string]: any }): void

Parameters

  • conditions { [string]: any }

Add multiple conditions to the Policy.

See the addCondition function for a caveat on calling this method multiple times.


addFederatedPrincipal(federated, conditions)

public addFederatedPrincipal(federated: any, conditions: { [string]: any }): void

Parameters

  • federated any — federated identity provider (e.g. 'cognito-identity.amazonaws.com').
  • conditions { [string]: any } — The conditions under which the policy is in effect.

Adds a federated identity provider such as Amazon Cognito to this policy statement.


addNotActions(...notActions)

public addNotActions(...notActions: string[]): void

Parameters

  • notActions string — actions that will be denied.

Add actions to the "NotAction" section of the policy document, which explicitly allows all actions except the specified list.

See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html


addNotPrincipals(...notPrincipals)

public addNotPrincipals(...notPrincipals: IPrincipal[]): void

Parameters

  • notPrincipals IPrincipal — IAM principals that will be denied access.

Specify principals that are not allowed or denied access, in the "NotPrincipal" section of a policy statement.

See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html


addNotResources(...arns)

public addNotResources(...arns: string[]): void

Parameters

  • arns string — Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.

Specify, in the "NotResource" section of this policy statement, resources that the statement does not apply to.

All resources except the specified list will be matched.

See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html


addPrincipals(...principals)

public addPrincipals(...principals: IPrincipal[]): void

Parameters

  • principals IPrincipal — IAM principals that will be added.

Adds principals to the "Principal" section of a policy statement.

See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html


addResources(...arns)

public addResources(...arns: string[]): void

Parameters

  • arns string — Amazon Resource Names (ARNs) of the resources that this policy statement applies to.

Specify, in the "Resource" section of this policy statement, resources that the statement applies to.

See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html


addServicePrincipal(service, opts?)

public addServicePrincipal(service: string, opts?: ServicePrincipalOpts): void

Parameters

  • service string — the service name for which a service principal is requested (e.g. s3.amazonaws.com).
  • opts ServicePrincipalOpts — options for adding the service principal (such as specifying a principal in a different region).

Adds a service principal to this policy statement.


addSourceAccountCondition(accountId)

public addSourceAccountCondition(accountId: string): void

Parameters

  • accountId string

Add a StringEquals condition that limits to a given account from aws:SourceAccount.

This method can only be called once: subsequent calls will overwrite earlier calls.

See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount


addSourceArnCondition(arn)

public addSourceArnCondition(arn: string): void

Parameters

  • arn string

Add an ArnEquals condition that limits to a given resource ARN from aws:SourceArn.

This method can only be called once: subsequent calls will overwrite earlier calls.

See also: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn


copy(overrides?)

public copy(overrides?: PolicyStatementProps): PolicyStatement

Parameters

  • overrides PolicyStatementProps

Returns

  • PolicyStatement

Create a new PolicyStatement with the same exact properties as this one, except for the overrides.


freeze()

public freeze(): PolicyStatement

Returns

  • PolicyStatement

Make the PolicyStatement immutable.

After calling this, any of the addXxx() methods will throw an exception.

Libraries that lazily generate statement bodies can override this method to fill the actual PolicyStatement fields. Be aware that this method may be called multiple times.


toJSON()

public toJSON(): any

Returns

  • any

JSON-ify the statement.

Used when JSON.stringify() is called.


toStatementJson()

public toStatementJson(): any

Returns

  • any

JSON-ify the policy statement.

Used when JSON.stringify() is called.


toString()

public toString(): string

Returns

  • string

String representation of this policy statement.


validateForAnyPolicy()

public validateForAnyPolicy(): string[]

Returns

  • string[]

Validate that the policy statement satisfies base requirements for a policy.


validateForIdentityPolicy()

public validateForIdentityPolicy(): string[]

Returns

  • string[]

Validate that the policy statement satisfies all requirements for an identity-based policy.


validateForResourcePolicy()

public validateForResourcePolicy(): string[]

Returns

  • string[]

Validate that the policy statement satisfies all requirements for a resource-based policy.


static fromJson(obj)

public static fromJson(obj: any): PolicyStatement

Parameters

  • obj any — the PolicyStatement in object form.

Returns

  • PolicyStatement

Creates a new PolicyStatement based on the object provided.

This will accept an object created from the .toJSON() call.