aws-cdk-lib.aws_codebuild.UntrustedCodeBoundaryPolicy

class UntrustedCodeBoundaryPolicy (construct)

Language | Type name
.NET | Amazon.CDK.AWS.CodeBuild.UntrustedCodeBoundaryPolicy
Go | github.com/aws/aws-cdk-go/awscdk/v2/awscodebuild#UntrustedCodeBoundaryPolicy
Java | software.amazon.awscdk.services.codebuild.UntrustedCodeBoundaryPolicy
Python | aws_cdk.aws_codebuild.UntrustedCodeBoundaryPolicy
TypeScript (source) | aws-cdk-lib » aws_codebuild » UntrustedCodeBoundaryPolicy

Implements IConstruct, IDependable, IResource, IManagedPolicy, IGrantable

Permissions Boundary for a CodeBuild Project running untrusted code.

This class is a managed policy intended to be used as a Permissions Boundary for a CodeBuild project. It allows most of the actions necessary to run the CodeBuild project, but disallows reading from Parameter Store and Secrets Manager.

Use this when your CodeBuild project is running untrusted code (for example, if you are using one to automatically build Pull Requests that anyone can submit), and you want to prevent your future self from accidentally exposing Secrets to this build.

(Otherwise, anyone who can submit a Pull Request to your project could write a script that emails those secrets to themselves.)

Example

declare const project: codebuild.Project;
iam.PermissionsBoundary.of(project).apply(new codebuild.UntrustedCodeBoundaryPolicy(this, 'Boundary'));

Initializer

new UntrustedCodeBoundaryPolicy(scope: Construct, id: string, props?: UntrustedCodeBoundaryPolicyProps)

Parameters

  • scope Construct
  • id string
  • props UntrustedCodeBoundaryPolicyProps

Construct Props

Name | Type | Description
additionalStatements? | PolicyStatement[] | Additional statements to add to the default set of statements.
managedPolicyName? | string | The name of the managed policy.

additionalStatements?

Type: PolicyStatement[] (optional, default: No additional statements)

Additional statements to add to the default set of statements.
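The following is an added illustration, not code from aws-cdk-lib, of the IAM semantics this construct relies on and of why additionalStatements needs care. A permissions boundary does not grant anything by itself: the effective permission is the intersection of the identity policy and the boundary, and an explicit Deny in either wins. The model below is deliberately simplified (no resources, conditions or resource-based policies), and both policy documents are constructed for the example; they are not the construct's real policy document.

```typescript
// Simplified model of identity policy + permissions boundary evaluation.
// Added example; the policy contents are constructed, not aws-cdk-lib's.

type Effect = "Allow" | "Deny";
type Decision = "allow" | "deny" | "implicitDeny";

interface PolicyStatementModel {
  effect: Effect;
  actions: string[]; // IAM action patterns such as "ssm:GetParameter" or "logs:*"
}

interface PolicyDocModel {
  statements: PolicyStatementModel[];
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// IAM action matching: "*" is a wildcard and comparison is case-insensitive.
function actionMatches(pattern: string, action: string): boolean {
  const re = new RegExp("^" + pattern.split("*").map(escapeRegExp).join(".*") + "$", "i");
  return re.test(action);
}

// One policy on its own: a matching explicit Deny wins, a matching Allow allows,
// and no matching statement at all is an implicit deny.
function evaluatePolicy(doc: PolicyDocModel, action: string): Decision {
  let allowed = false;
  for (const st of doc.statements) {
    if (st.actions.some((p) => actionMatches(p, action))) {
      if (st.effect === "Deny") return "deny";
      allowed = true;
    }
  }
  return allowed ? "allow" : "implicitDeny";
}

// With a permissions boundary the effective permission is the intersection:
// the action must be allowed by BOTH the identity policy and the boundary.
function effectiveDecision(identity: PolicyDocModel, boundary: PolicyDocModel, action: string): Decision {
  const fromIdentity = evaluatePolicy(identity, action);
  const fromBoundary = evaluatePolicy(boundary, action);
  if (fromIdentity === "deny" || fromBoundary === "deny") return "deny";
  if (fromIdentity === "allow" && fromBoundary === "allow") return "allow";
  return "implicitDeny";
}

// Models the additionalStatements prop: extra statements widen the boundary.
function withAdditionalStatements(boundary: PolicyDocModel, extra: PolicyStatementModel[]): PolicyDocModel {
  return { statements: [...boundary.statements, ...extra] };
}

// Constructed identity policy for the build project's service role, where a
// "future self" has granted secret reads next to the normal build permissions.
const projectRolePolicy: PolicyDocModel = {
  statements: [
    { effect: "Allow", actions: ["logs:*", "s3:GetObject", "s3:PutObject", "codebuild:*"] },
    { effect: "Allow", actions: ["ssm:GetParameter*", "secretsmanager:GetSecretValue"] },
  ],
};

// Constructed stand-in for an untrusted-code boundary: it lists what a build needs
// and simply never mentions ssm:* or secretsmanager:*, so those fall to implicit deny.
const untrustedCodeBoundary: PolicyDocModel = {
  statements: [{ effect: "Allow", actions: ["logs:*", "s3:*", "codebuild:*", "ecr:*"] }],
};

// Evaluate a list of actions and return the effective decision for each.
function auditActions(identity: PolicyDocModel, boundary: PolicyDocModel, actions: string[]): Record<string, Decision> {
  const result: Record<string, Decision> = {};
  for (const a of actions) result[a] = effectiveDecision(identity, boundary, a);
  return result;
}

const audited = auditActions(projectRolePolicy, untrustedCodeBoundary, [
  "logs:PutLogEvents",
  "ssm:GetParameter",
  "secretsmanager:GetSecretValue",
]);
console.log(audited);
```

The caveat for additionalStatements follows directly from the intersection rule: a statement added to the boundary that allows ssm:GetParameter reopens Parameter Store reads for any role whose identity policy already grants them, so the default set should only ever be extended with actions the untrusted build genuinely needs.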


managedPolicyName?

Type: string (optional, default: A name is automatically generated.)

The name of the managed policy.

Properties

Name | Type | Description
description | string | The description of this policy.
document | PolicyDocument | The policy document.
env | ResourceEnvironment | The environment this resource belongs to.
grantPrincipal | IPrincipal | The principal to grant permissions to.
managedPolicyArn | string | Returns the ARN of this managed policy.
managedPolicyName | string | The name of this policy.
node | Node | The tree node.
path | string | The path of this policy.
stack | Stack | The stack in which this resource is defined.

description

Type: string

The description of this policy.


document

Type: PolicyDocument

The policy document.


env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by instantiating classes such as Role, Bucket, etc.), this is always the same as the environment of the stack they belong to. For imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), it may differ from the environment of the stack they were imported into.


grantPrincipal

Type: IPrincipal

The principal to grant permissions to.


managedPolicyArn

Type: string

Returns the ARN of this managed policy.


managedPolicyName

Type: string

The name of this policy.


node

Type: Node

The tree node.


path

Type: string

The path of this policy.


stack

Type: Stack

The stack in which this resource is defined.

Methods

Name | Description
addStatements(...statement) | Adds a statement to the policy document.
applyRemovalPolicy(policy) | Apply the given removal policy to this resource.
attachToGroup(group) | Attaches this policy to a group.
attachToRole(role) | Attaches this policy to a role.
attachToUser(user) | Attaches this policy to a user.
toString() | Returns a string representation of this construct.

addStatements(...statement)

public addStatements(...statement: PolicyStatement[]): void

Parameters

  • statement PolicyStatement

Adds a statement to the policy document.


applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


attachToGroup(group)

public attachToGroup(group: IGroup): void

Parameters

  • group IGroup

Attaches this policy to a group.


attachToRole(role)

public attachToRole(role: IRole): void

Parameters

  • role IRole

Attaches this policy to a role.


attachToUser(user)

public attachToUser(user: IUser): void

Parameters

  • user IUser

Attaches this policy to a user.


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.