aws-cdk-lib.aws_iam.Policy

class Policy (construct)

Language              Type name
.NET                  Amazon.CDK.AWS.IAM.Policy
Go                    github.com/aws/aws-cdk-go/awscdk/v2/awsiam#Policy
Java                  software.amazon.awscdk.services.iam.Policy
Python                aws_cdk.aws_iam.Policy
TypeScript (source)   aws-cdk-lib » aws_iam » Policy

Implements IConstruct, IDependable, IResource, IPolicy, IGrantable

The AWS::IAM::Policy resource associates an IAM policy with IAM users, roles, or groups.

For more information about IAM policies, see Overview of IAM Policies in the IAM User Guide.

Example

declare const postAuthFn: lambda.Function;

const userpool = new cognito.UserPool(this, 'myuserpool', {
  lambdaTriggers: {
    postAuthentication: postAuthFn,
  },
});

// provide permission to describe the user pool, scoped to the ARN of that user pool
postAuthFn.role?.attachInlinePolicy(new iam.Policy(this, 'userpool-policy', {
  statements: [new iam.PolicyStatement({
    actions: ['cognito-idp:DescribeUserPool'],
    resources: [userpool.userPoolArn],
  })],
}));

Initializer

new Policy(scope: Construct, id: string, props?: PolicyProps)

Parameters

  • scope Construct
  • id string
  • props PolicyProps

Construct Props

Name          Type                 Description
document?     PolicyDocument       Initial PolicyDocument to use for this Policy.
force?        boolean              Force creation of an AWS::IAM::Policy.
groups?       IGroup[]             Groups to attach this policy to.
policyName?   string               The name of the policy.
roles?        IRole[]              Roles to attach this policy to.
statements?   PolicyStatement[]    Initial set of permissions to add to this policy document.
users?        IUser[]              Users to attach this policy to.

document?

Type: PolicyDocument (optional, default: An empty policy.)

Initial PolicyDocument to use for this Policy.

If omitted, any PolicyStatement provided in the statements property will be applied against the empty default PolicyDocument.


force?

Type: boolean (optional, default: false)

Force creation of an AWS::IAM::Policy.

Unless set to true, this Policy construct will not materialize to an AWS::IAM::Policy CloudFormation resource in case it would have no effect (for example, if it remains unattached to an IAM identity or if it has no statements). This is generally desired behavior, since it prevents creating invalid--and hence undeployable--CloudFormation templates.

In cases where you know the policy must be created and it is actually an error if no statements have been added to it, you can set this to true.
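As an added defender-side check (not code from the CDK docs or from aws-cdk-lib), the following TypeScript applies the same "no effect" test to a synthesized template: an AWS::IAM::Policy that is unattached or has no statements can only have reached the template via force: true, and CloudFormation will reject it; the check also flags wildcard Allow statements. The template fragment, logical IDs and the Fn::GetAtt/Ref targets are constructed to mirror the userpool-policy example above.

```typescript
// Added check (not from aws-cdk-lib): lint a synthesized template for
// AWS::IAM::Policy resources the construct would have dropped unless forced.
interface IamStatement { Effect: string; Action: unknown; Resource: unknown }
interface IamPolicyResource {
  Type: string;
  Properties: { PolicyDocument: { Statement: IamStatement[] };
                Roles?: unknown[]; Users?: unknown[]; Groups?: unknown[] };
}
interface Template { Resources: Record<string, IamPolicyResource> }
interface PolicyFinding { logicalId: string; issues: string[] }

// Only literal strings can be wildcards; intrinsics such as Fn::GetAtt
// resolve to one concrete ARN and are ignored here.
const strings = (v: unknown): string[] =>
  Array.isArray(v) ? v.filter((x): x is string => typeof x === 'string')
  : typeof v === 'string' ? [v] : [];

function checkIamPolicies(template: Template): PolicyFinding[] {
  const findings: PolicyFinding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::IAM::Policy') continue;
    const p = res.Properties;
    const issues: string[] = [];
    const attached = (p.Roles?.length ?? 0) + (p.Users?.length ?? 0) + (p.Groups?.length ?? 0);
    // The two "no effect" conditions from force?: CloudFormation rejects such a
    // resource, so it can only reach a template when force: true was set.
    if (attached === 0) issues.push('not attached to any role, user or group');
    if (p.PolicyDocument.Statement.length === 0) issues.push('has no statements');
    p.PolicyDocument.Statement.forEach((s, i) => {
      if (s.Effect !== 'Allow') return;
      if (strings(s.Action).some(a => a === '*' || a.endsWith(':*'))) issues.push(`statement ${i}: wildcard action`);
      if (strings(s.Resource).includes('*')) issues.push(`statement ${i}: wildcard resource`);
    });
    if (issues.length > 0) findings.push({ logicalId, issues });
  }
  return findings;
}

// Constructed sample template: the userpool-policy from the example above as
// cdk synth would emit it, plus a forced empty policy and an over-broad one.
const sampleTemplate: Template = { Resources: {
  userpoolpolicy: { Type: 'AWS::IAM::Policy', Properties: {
    Roles: [{ Ref: 'postAuthFnServiceRole' }],
    PolicyDocument: { Statement: [{ Effect: 'Allow', Action: 'cognito-idp:DescribeUserPool',
      Resource: { 'Fn::GetAtt': ['myuserpool', 'Arn'] } }] } } },
  forcedEmpty: { Type: 'AWS::IAM::Policy', Properties: { PolicyDocument: { Statement: [] } } },
  tooBroad: { Type: 'AWS::IAM::Policy', Properties: { Roles: [{ Ref: 'postAuthFnServiceRole' }],
    PolicyDocument: { Statement: [{ Effect: 'Allow', Action: ['s3:*'], Resource: '*' }] } } },
} };
```

Run it over the JSON that cdk synth writes to cdk.out to catch forced-but-empty policies before deployment fails, and wildcard grants before they deploy at all.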


groups?

Type: IGroup[] (optional, default: No groups.)

Groups to attach this policy to.

You can also use attachToGroup(group) to attach this policy to a group.


policyName?

Type: string (optional, default: Uses the logical ID of the policy resource, which is ensured to be unique within the stack.)

The name of the policy.

If you specify multiple policies for an entity, specify unique names. For example, if you specify a list of policies for an IAM role, each policy must have a unique name.


roles?

Type: IRole[] (optional, default: No roles.)

Roles to attach this policy to.

You can also use attachToRole(role) to attach this policy to a role.


statements?

Type: PolicyStatement[] (optional, default: No statements.)

Initial set of permissions to add to this policy document.

You can also use addStatements(...statement) to add permissions later.


users?

Type: IUser[] (optional, default: No users.)

Users to attach this policy to.

You can also use attachToUser(user) to attach this policy to a user.

Properties

Name             Type                  Description
document         PolicyDocument        The policy document.
env              ResourceEnvironment   The environment this resource belongs to.
grantPrincipal   IPrincipal            The principal to grant permissions to.
node             Node                  The tree node.
policyName       string                The name of this policy.
stack            Stack                 The stack in which this resource is defined.

document

Type: PolicyDocument

The policy document.


env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


grantPrincipal

Type: IPrincipal

The principal to grant permissions to.


node

Type: Node

The tree node.


policyName

Type: string

The name of this policy.


stack

Type: Stack

The stack in which this resource is defined.

Methods

Name                                           Description
addStatements(...statement)                    Adds a statement to the policy document.
applyRemovalPolicy(policy)                     Apply the given removal policy to this resource.
attachToGroup(group)                           Attaches this policy to a group.
attachToRole(role)                             Attaches this policy to a role.
attachToUser(user)                             Attaches this policy to a user.
toString()                                     Returns a string representation of this construct.
static fromPolicyName(scope, id, policyName)   Import a policy in this app based on its name.

addStatements(...statement)

public addStatements(...statement: PolicyStatement[]): void

Parameters

  • statement PolicyStatement

Adds a statement to the policy document.


applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


attachToGroup(group)

public attachToGroup(group: IGroup): void

Parameters

  • group IGroup

Attaches this policy to a group.


attachToRole(role)

public attachToRole(role: IRole): void

Parameters

  • role IRole

Attaches this policy to a role.


attachToUser(user)

public attachToUser(user: IUser): void

Parameters

  • user IUser

Attaches this policy to a user.


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.


static fromPolicyName(scope, id, policyName)

public static fromPolicyName(scope: Construct, id: string, policyName: string): IPolicy

Parameters

  • scope Construct
  • id string
  • policyName string

Returns

  • IPolicy

Import a policy in this app based on its name.