aws-cdk-lib.aws_iam.ServicePrincipal

class ServicePrincipal

Type name by language:

  • .NET: Amazon.CDK.AWS.IAM.ServicePrincipal
  • Go: github.com/aws/aws-cdk-go/awscdk/v2/awsiam#ServicePrincipal
  • Java: software.amazon.awscdk.services.iam.ServicePrincipal
  • Python: aws_cdk.aws_iam.ServicePrincipal
  • TypeScript (source): aws-cdk-lib » aws_iam » ServicePrincipal

Implements IAssumeRolePrincipal, IGrantable, IPrincipal, IComparablePrincipal

Extends PrincipalBase

An IAM principal that represents an AWS service (e.g. sqs.amazonaws.com).

Example

const lambdaRole = new iam.Role(this, 'Role', {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  description: 'Example role...',
});

const stream = new kinesis.Stream(this, 'MyEncryptedStream', {
  encryption: kinesis.StreamEncryption.KMS,
});

// give lambda permissions to read stream
stream.grantRead(lambdaRole);

Initializer

new ServicePrincipal(service: string, opts?: ServicePrincipalOpts)

Parameters

  • service string — AWS service (e.g. sqs.amazonaws.com).
  • opts ServicePrincipalOpts

Reference an AWS service, optionally in a given region.

Properties

  • assumeRoleAction (string): When this Principal is used in an AssumeRole policy, the action to use.
  • grantPrincipal (IPrincipal): The principal to grant permissions to.
  • policyFragment (PrincipalPolicyFragment): Return the policy fragment that identifies this principal in a Policy.
  • service (string): AWS service (e.g. sqs.amazonaws.com).
  • principalAccount? (string, optional): The AWS account ID of this principal.

assumeRoleAction

Type: string

When this Principal is used in an AssumeRole policy, the action to use.


grantPrincipal

Type: IPrincipal

The principal to grant permissions to.


policyFragment

Type: PrincipalPolicyFragment

Return the policy fragment that identifies this principal in a Policy.


service

Type: string

AWS service (e.g. sqs.amazonaws.com).


principalAccount?

Type: string (optional)

The AWS account ID of this principal.

Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.

Methods

  • addToAssumeRolePolicy(document): Add the principal to the AssumeRolePolicyDocument.
  • addToPolicy(statement): Add to the policy of this principal.
  • addToPrincipalPolicy(_statement): Add to the policy of this principal.
  • dedupeString(): Return whether or not this principal is equal to the given principal.
  • toJSON(): JSON-ify the principal.
  • toString(): Returns a string representation of an object.
  • withConditions(conditions): Returns a new PrincipalWithConditions using this principal as the base, with the passed conditions added.
  • withSessionTags(): Returns a new principal using this principal as the base, with session tags enabled.
  • static servicePrincipalName(service): Return the service principal name based on the region it's used in.

addToAssumeRolePolicy(document)

public addToAssumeRolePolicy(document: PolicyDocument): void

Parameters

  • document PolicyDocument

Add the principal to the AssumeRolePolicyDocument.

Add the statements to the AssumeRolePolicyDocument necessary to give this principal permissions to assume the given role.


addToPolicy(statement)

public addToPolicy(statement: PolicyStatement): boolean

Parameters

  • statement PolicyStatement

Returns

  • boolean

Add to the policy of this principal.


addToPrincipalPolicy(_statement)

public addToPrincipalPolicy(_statement: PolicyStatement): AddToPrincipalPolicyResult

Parameters

  • _statement PolicyStatement

Returns

  • AddToPrincipalPolicyResult

Add to the policy of this principal.


dedupeString()

public dedupeString(): string

Returns

  • string

Return whether or not this principal is equal to the given principal.


toJSON()

public toJSON(): { [string]: string[] }

Returns

  • { [string]: string[] }

JSON-ify the principal.

Used when JSON.stringify() is called.


toString()

public toString(): string

Returns

  • string

Returns a string representation of an object.


withConditions(conditions)

public withConditions(conditions: { [string]: any }): PrincipalBase

Parameters

  • conditions { [string]: any }

Returns

  • PrincipalBase

Returns a new PrincipalWithConditions using this principal as the base, with the passed conditions added.

When there is a value for the same operator and key in both the principal and the conditions parameter, the value from the conditions parameter will be used.
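Added illustration, not CDK's own code: a small model of the trust-policy statement a ServicePrincipal contributes to an AssumeRolePolicyDocument and of the merge rule just described (same operator and key: the conditions parameter wins; otherwise keys are combined per operator). The default action is assumed to be sts:AssumeRole, the account IDs and ARN are constructed, and aws:SourceAccount / aws:SourceArn are standard IAM global condition keys typically used to pin a service principal to a specific caller.

```typescript
// Constructed model of the statement a ServicePrincipal adds to a role's trust policy.
// NOT aws-cdk-lib code: it only mirrors the documented withConditions() semantics.
type ConditionMap = { [operator: string]: { [key: string]: string | string[] } };

interface TrustStatement {
  Effect: 'Allow';
  Action: string;                 // assumeRoleAction; assumed here to be sts:AssumeRole
  Principal: { Service: string }; // the policyFragment of a ServicePrincipal
  Condition?: ConditionMap;
}

// Merge rule from the docs: conditions are combined per operator; when the same
// operator AND key exist on both sides, the value from `extra` replaces the base value.
function mergeConditions(base: ConditionMap, extra: ConditionMap): ConditionMap {
  const out: ConditionMap = {};
  for (const op of Object.keys(base)) out[op] = { ...base[op] };
  for (const op of Object.keys(extra)) {
    out[op] = { ...(out[op] || {}), ...extra[op] };
  }
  return out;
}

// Statement that addToAssumeRolePolicy() would contribute for `service`.
function assumeRoleStatement(service: string, conditions?: ConditionMap): TrustStatement {
  const stmt: TrustStatement = {
    Effect: 'Allow',
    Action: 'sts:AssumeRole',
    Principal: { Service: service },
  };
  if (conditions && Object.keys(conditions).length > 0) stmt.Condition = conditions;
  return stmt;
}

// Principal already restricted to one (constructed) source account, then narrowed further
// via withConditions(): the account is overridden, and a source-ARN check is added.
const baseConditions: ConditionMap = { StringEquals: { 'aws:SourceAccount': '111111111111' } };
const narrowed = mergeConditions(baseConditions, {
  StringEquals: { 'aws:SourceAccount': '222222222222' }, // same operator + key: this value wins
  ArnLike: { 'aws:SourceArn': 'arn:aws:lambda:us-east-1:222222222222:function:*' }, // constructed
});
const trustStatement = assumeRoleStatement('lambda.amazonaws.com', narrowed);
console.log(JSON.stringify(trustStatement, null, 2));
```

Without a Condition block the statement trusts every caller of that service in every account, so the merged conditions are what actually scope who can assume the role.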


withSessionTags()

public withSessionTags(): PrincipalBase

Returns

  • PrincipalBase

Returns a new principal using this principal as the base, with session tags enabled.


static servicePrincipalName(service)

public static servicePrincipalName(service: string): string

Parameters

  • service string

Returns

  • string

Return the service principal name based on the region it's used in.

Some service principal names used to be different for different partitions, and some were not. This method would return the appropriate region-specific service principal name, getting that information from the region-info module.

These days all service principal names are standardized, and they are all of the form <servicename>.amazonaws.com.

If the feature flag @aws-cdk/aws-iam:standardizedServicePrincipals is set, this method will always return its input. If this feature flag is not set, this method will perform the legacy behavior, which appends the region-specific domain suffix for some select services (for example, it would append .cn to some service principal names).

Example

const principalName = iam.ServicePrincipal.servicePrincipalName('ec2.amazonaws.com');