aws-cdk-lib.aws_iam.AccountPrincipal

class AccountPrincipal

LanguageType name
.NETAmazon.CDK.AWS.IAM.AccountPrincipal
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awsiam#AccountPrincipal
Javasoftware.amazon.awscdk.services.iam.AccountPrincipal
Pythonaws_cdk.aws_iam.AccountPrincipal
TypeScript (source)aws-cdk-lib » aws_iam » AccountPrincipal

Implements IAssumeRolePrincipal, IGrantable, IPrincipal, IComparablePrincipal

Extends ArnPrincipal

Specify AWS account ID as the principal entity in a policy to delegate authority to the account.

Example

const cluster = new neptune.DatabaseCluster(this, 'Cluster', {
  vpc,
  instanceType: neptune.InstanceType.R5_LARGE,
  iamAuthentication: true, // Optional - will be automatically set if you call grantConnect() or grant().
});
const role = new iam.Role(this, 'DBRole', { assumedBy: new iam.AccountPrincipal(this.account) });
// Use one of the following statements to grant the role the necessary permissions
cluster.grantConnect(role); // Grant the role neptune-db:* access to the DB
cluster.grant(role, 'neptune-db:ReadDataViaQuery', 'neptune-db:WriteDataViaQuery'); // Grant the role the specified actions to the DB

Initializer

new AccountPrincipal(accountId: any)

Parameters

  • accountId any — AWS account ID (i.e. '123456789012').

Properties

NameTypeDescription
accountIdanyAWS account ID (i.e. '123456789012').
arnstringAmazon Resource Name (ARN) of the principal entity (i.e. arn:aws:iam::123456789012:user/user-name).
assumeRoleActionstringWhen this Principal is used in an AssumeRole policy, the action to use.
grantPrincipalIPrincipalThe principal to grant permissions to.
policyFragmentPrincipalPolicyFragmentReturn the policy fragment that identifies this principal in a Policy.
principalAccount?stringThe AWS account ID of this principal.

accountId

Type: any

AWS account ID (i.e. '123456789012').


arn

Type: string

Amazon Resource Name (ARN) of the principal entity (i.e. arn:aws:iam::123456789012:user/user-name).


assumeRoleAction

Type: string

When this Principal is used in an AssumeRole policy, the action to use.


grantPrincipal

Type: IPrincipal

The principal to grant permissions to.


policyFragment

Type: PrincipalPolicyFragment

Return the policy fragment that identifies this principal in a Policy.


principalAccount?

Type: string (optional)

The AWS account ID of this principal.

Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.

Methods

NameDescription
addToAssumeRolePolicy(document)Add the principal to the AssumeRolePolicyDocument.
addToPolicy(statement)Add to the policy of this principal.
addToPrincipalPolicy(_statement)Add to the policy of this principal.
dedupeString()Return whether or not this principal is equal to the given principal.
inOrganization(organizationId)A convenience method for adding a condition that the principal is part of the specified AWS Organization.
toJSON()JSON-ify the principal.
toString()Returns a string representation of an object.
withConditions(conditions)Returns a new PrincipalWithConditions using this principal as the base, with the passed conditions added.
withSessionTags()Returns a new principal using this principal as the base, with session tags enabled.

addToAssumeRolePolicy(document)

public addToAssumeRolePolicy(document: PolicyDocument): void

Parameters

  • document PolicyDocument

Add the principal to the AssumeRolePolicyDocument.

Add the statements to the AssumeRolePolicyDocument necessary to give this principal permissions to assume the given role.


addToPolicy(statement)

public addToPolicy(statement: PolicyStatement): boolean

Parameters

  • statement PolicyStatement

Returns

  • boolean

Add to the policy of this principal.


addToPrincipalPolicy(_statement)

public addToPrincipalPolicy(_statement: PolicyStatement): AddToPrincipalPolicyResult

Parameters

  • _statement PolicyStatement

Returns

  • AddToPrincipalPolicyResult

Add to the policy of this principal.


dedupeString()

public dedupeString(): string

Returns

  • string

Return whether or not this principal is equal to the given principal.


inOrganization(organizationId)

public inOrganization(organizationId: string): PrincipalBase

Parameters

  • organizationId string

Returns

  • PrincipalBase

A convenience method for adding a condition that the principal is part of the specified AWS Organization.


toJSON()

public toJSON(): { [string]: string[] }

Returns

  • { [string]: string[] }

JSON-ify the principal.

Used when JSON.stringify() is called


toString()

public toString(): string

Returns

  • string

Returns a string representation of an object.


withConditions(conditions)

public withConditions(conditions: { [string]: any }): PrincipalBase

Parameters

  • conditions { [string]: any }

Returns

  • PrincipalBase

Returns a new PrincipalWithConditions using this principal as the base, with the passed conditions added.

When there is a value for the same operator and key in both the principal and the conditions parameter, the value from the conditions parameter will be used.


withSessionTags()

public withSessionTags(): PrincipalBase

Returns

  • PrincipalBase

Returns a new principal using this principal as the base, with session tags enabled.