{ "author": { "name": "Amazon Web Services", "organization": true, "roles": [ "author" ], "url": "https://aws.amazon.com" }, "dependencies": { "@aws-cdk/core": "1.156.1", "@aws-cdk/cx-api": "1.156.1", "@aws-cdk/region-info": "1.156.1", "constructs": "^3.3.69" }, "dependencyClosure": { "@aws-cdk/cloud-assembly-schema": { "targets": { "dotnet": { "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png", "namespace": "Amazon.CDK.CloudAssembly.Schema", "packageId": "Amazon.CDK.CloudAssembly.Schema" }, "java": { "maven": { "artifactId": "cdk-cloud-assembly-schema", "groupId": "software.amazon.awscdk" }, "package": "software.amazon.awscdk.cloudassembly.schema" }, "js": { "npm": "@aws-cdk/cloud-assembly-schema" }, "python": { "classifiers": [ "Framework :: AWS CDK", "Framework :: AWS CDK :: 1" ], "distName": "aws-cdk.cloud-assembly-schema", "module": "aws_cdk.cloud_assembly_schema" } } }, "@aws-cdk/core": { "targets": { "dotnet": { "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png", "namespace": "Amazon.CDK", "packageId": "Amazon.CDK" }, "java": { "maven": { "artifactId": "core", "groupId": "software.amazon.awscdk" }, "package": "software.amazon.awscdk.core" }, "js": { "npm": "@aws-cdk/core" }, "python": { "classifiers": [ "Framework :: AWS CDK", "Framework :: AWS CDK :: 1" ], "distName": "aws-cdk.core", "module": "aws_cdk.core" } } }, "@aws-cdk/cx-api": { "targets": { "dotnet": { "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png", "namespace": "Amazon.CDK.CXAPI", "packageId": "Amazon.CDK.CXAPI" }, "java": { "maven": { "artifactId": "cdk-cx-api", "groupId": "software.amazon.awscdk" }, "package": "software.amazon.awscdk.cxapi" }, "js": { "npm": "@aws-cdk/cx-api" }, "python": { "classifiers": [ "Framework :: AWS CDK", "Framework :: AWS CDK :: 1" ], "distName": "aws-cdk.cx-api", "module": "aws_cdk.cx_api" } } }, "@aws-cdk/region-info": { "targets": { "dotnet": 
{ "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png", "namespace": "Amazon.CDK.RegionInfo", "packageId": "Amazon.CDK.RegionInfo" }, "java": { "maven": { "artifactId": "cdk-region-info", "groupId": "software.amazon.awscdk" }, "package": "software.amazon.awscdk.regioninfo" }, "js": { "npm": "@aws-cdk/region-info" }, "python": { "classifiers": [ "Framework :: AWS CDK", "Framework :: AWS CDK :: 1" ], "distName": "aws-cdk.region-info", "module": "aws_cdk.region_info" } } }, "constructs": { "targets": { "dotnet": { "namespace": "Constructs", "packageId": "Constructs" }, "go": { "moduleName": "github.com/aws/constructs-go" }, "java": { "maven": { "artifactId": "constructs", "groupId": "software.constructs" }, "package": "software.constructs" }, "js": { "npm": "constructs" }, "python": { "distName": "constructs", "module": "constructs" } } } }, "description": "CDK routines for easily assigning correct and minimal IAM permissions", "docs": { "stability": "stable" }, "homepage": "https://github.com/aws/aws-cdk", "jsiiVersion": "1.58.0 (build f8ba112)", "keywords": [ "aws", "cdk", "constructs", "iam" ], "license": "Apache-2.0", "metadata": { "jsii": { "compiledWithDeprecationWarnings": true, "pacmak": { "hasDefaultInterfaces": true }, "rosetta": { "strict": true } } }, "name": "@aws-cdk/aws-iam", "readme": { "markdown": "# AWS Identity and Access Management Construct Library\n\n\n---\n\n![cfn-resources: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)\n\n![cdk-constructs: Stable](https://img.shields.io/badge/cdk--constructs-stable-success.svg?style=for-the-badge)\n\n---\n\n\n\nDefine a role and add permissions to it. 
This will automatically create and\nattach an IAM policy to the role:\n\n```ts lit=test/example.role.lit.ts\n const role = new Role(this, 'MyRole', {\n assumedBy: new ServicePrincipal('sns.amazonaws.com'),\n });\n\n role.addToPolicy(new PolicyStatement({\n resources: ['*'],\n actions: ['lambda:InvokeFunction'],\n }));\n```\n\nDefine a policy and attach it to groups, users and roles. Note that it is possible to attach\nthe policy either by calling `xxx.attachInlinePolicy(policy)` or `policy.attachToXxx(xxx)`.\n\n```ts lit=test/example.attaching.lit.ts\n const user = new User(this, 'MyUser', { password: cdk.SecretValue.unsafePlainText('1234') });\n const group = new Group(this, 'MyGroup');\n\n const policy = new Policy(this, 'MyPolicy');\n policy.attachToUser(user);\n group.attachInlinePolicy(policy);\n```\n\nManaged policies can be attached using `xxx.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`:\n\n```ts lit=test/example.managedpolicy.lit.ts\nconst group = new Group(this, 'MyGroup');\ngroup.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'));\n```\n\n## Granting permissions to resources\n\nMany of the AWS CDK resources have `grant*` methods that allow you to grant other resources access to that resource. As an example, the following code gives a Lambda function write permissions (Put, Update, Delete) to a DynamoDB table.\n\n```ts\ndeclare const fn: lambda.Function;\ndeclare const table: dynamodb.Table;\n\ntable.grantWriteData(fn);\n```\n\nThe more generic `grant` method allows you to give specific permissions to a resource:\n\n```ts\ndeclare const fn: lambda.Function;\ndeclare const table: dynamodb.Table;\n\ntable.grant(fn, 'dynamodb:PutItem');\n```\n\nThe `grant*` methods accept an `IGrantable` object. 
This interface is implemented by IAM principal resources (groups, users and roles) and resources that assume a role such as a Lambda function, EC2 instance or a CodeBuild project.\n\nYou can find which `grant*` methods exist for a resource in the [AWS CDK API Reference](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-construct-library.html).\n\n## Roles\n\nMany AWS resources require *Roles* to operate. These Roles define the AWS API\ncalls an instance or other AWS service is allowed to make.\n\nCreating Roles and populating them with the right permissions *Statements* is\na necessary but tedious part of setting up AWS infrastructure. In order to\nhelp you focus on your business logic, CDK will take care of creating\nroles and populating them with least-privilege permissions automatically.\n\nAll constructs that require Roles will create one for you if you don't specify\none at construction time. Permissions will be added to that role\nautomatically if you associate the construct with other constructs from the\nAWS Construct Library (for example, if you tell an *AWS CodePipeline* to trigger\nan *AWS Lambda Function*, the Pipeline's Role will automatically get\n`lambda:InvokeFunction` permissions on that particular Lambda Function),\nor if you explicitly grant permissions using `grant` functions (see the\nprevious section).\n\n### Opting out of automatic permissions management\n\nYou may prefer to manage a Role's permissions yourself instead of having the\nCDK automatically manage them for you. 
This may happen in one of the\nfollowing cases:\n\n* You don't like the permissions that CDK automatically generates and\n want to substitute your own set.\n* The least-permissions policy that the CDK generates is becoming too\n big for IAM to store, and you need to add some wildcards to keep the\n policy size down.\n\nTo prevent constructs from updating your Role's policy, pass the object\nreturned by `myRole.withoutPolicyUpdates()` instead of `myRole` itself.\n\nFor example, to have an AWS CodePipeline *not* automatically add the required\npermissions to trigger the expected targets, do the following:\n\n```ts\nconst role = new iam.Role(this, 'Role', {\n assumedBy: new iam.ServicePrincipal('codepipeline.amazonaws.com'),\n // custom description if desired\n description: 'This is a custom role...',\n});\n\nnew codepipeline.Pipeline(this, 'Pipeline', {\n // Give the Pipeline an immutable view of the Role\n role: role.withoutPolicyUpdates(),\n});\n\n// You now have to manage the Role policies yourself\nrole.addToPolicy(new iam.PolicyStatement({\n actions: [/* whatever actions you want */],\n resources: [/* whatever resources you intend to touch */],\n}));\n```\n\n### Using existing roles\n\nIf there are Roles in your account that have already been created which you\nwould like to use in your CDK application, you can use `Role.fromRoleArn` to\nimport them, as follows:\n\n```ts\nconst role = iam.Role.fromRoleArn(this, 'Role', 'arn:aws:iam::123456789012:role/MyExistingRole', {\n // Set 'mutable' to 'false' to use the role as-is and prevent adding new\n // policies to it. The default is 'true', which means the role may be\n // modified as part of the deployment.\n mutable: false,\n});\n```\n\n## Configuring an ExternalId\n\nIf you need to create Roles that will be assumed by third parties, it is generally a good idea to [require an `ExternalId`\nto assume them](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html). 
Configuring\nan `ExternalId` works like this:\n\n```ts lit=test/example.external-id.lit.ts\nconst role = new iam.Role(this, 'MyRole', {\n assumedBy: new iam.AccountPrincipal('123456789012'),\n externalIds: ['SUPPLY-ME'],\n});\n```\n\n## Principals vs Identities\n\nWhen we say *Principal*, we mean an entity you grant permissions to. This\nentity can be an AWS Service, a Role, or something more abstract such as \"all\nusers in this account\" or even \"all users in this organization\". An\n*Identity* is an IAM resource representing a single IAM entity that can have\na policy attached, one of `Role`, `User`, or `Group`.\n\n## IAM Principals\n\nWhen defining policy statements as part of an AssumeRole policy or as part of a\nresource policy, statements would usually refer to a specific IAM principal\nunder `Principal`.\n\nIAM principals are modeled as classes that derive from the `iam.PolicyPrincipal`\nabstract class. Principal objects include principal type (string) and value\n(array of string), optional set of conditions and the action that this principal\nrequires when it is used in an assume role policy document.\n\nTo add a principal to a policy statement you can either use the abstract\n`statement.addPrincipal` or one of the concrete `addXxxPrincipal` methods:\n\n* `addAwsPrincipal`, `addArnPrincipal` or `new ArnPrincipal(arn)` for `{ \"AWS\": arn }`\n* `addAwsAccountPrincipal` or `new AccountPrincipal(accountId)` for `{ \"AWS\": account-arn }`\n* `addServicePrincipal` or `new ServicePrincipal(service)` for `{ \"Service\": service }`\n* `addAccountRootPrincipal` or `new AccountRootPrincipal()` for `{ \"AWS\": { \"Ref\": \"AWS::AccountId\" } }`\n* `addCanonicalUserPrincipal` or `new CanonicalUserPrincipal(id)` for `{ \"CanonicalUser\": id }`\n* `addFederatedPrincipal` or `new FederatedPrincipal(federated, conditions, assumeAction)` for\n `{ \"Federated\": arn }` and a set of optional conditions and the assume role action to use.\n* `addAnyPrincipal` or `new AnyPrincipal` for `{ 
\"AWS\": \"*\" }`\n\nIf multiple principals are added to the policy statement, they will be merged together:\n\n```ts\nconst statement = new iam.PolicyStatement();\nstatement.addServicePrincipal('cloudwatch.amazonaws.com');\nstatement.addServicePrincipal('ec2.amazonaws.com');\nstatement.addArnPrincipal('arn:aws:boom:boom');\n```\n\nWill result in:\n\n```json\n{\n \"Principal\": {\n \"Service\": [ \"cloudwatch.amazonaws.com\", \"ec2.amazonaws.com\" ],\n \"AWS\": \"arn:aws:boom:boom\"\n }\n}\n```\n\nThe `CompositePrincipal` class can also be used to define complex principals, for example:\n\n```ts\nconst role = new iam.Role(this, 'MyRole', {\n assumedBy: new iam.CompositePrincipal(\n new iam.ServicePrincipal('ec2.amazonaws.com'),\n new iam.AccountPrincipal('1818188181818187272')\n ),\n});\n```\n\nThe `PrincipalWithConditions` class can be used to add conditions to a\nprincipal, especially those that don't take a `conditions` parameter in their\nconstructor. The `principal.withConditions()` method can be used to create a\n`PrincipalWithConditions` from an existing principal, for example:\n\n```ts\nconst principal = new iam.AccountPrincipal('123456789000')\n .withConditions({ StringEquals: { foo: \"baz\" } });\n```\n\n> NOTE: If you need to define an IAM condition that uses a token (such as a\n> deploy-time attribute of another resource) in a JSON map key, use `CfnJson` to\n> render this condition. 
See [this test](./test/integ.condition-with-ref.ts) for\n> an example.\n\nThe `WebIdentityPrincipal` class can be used as a principal for web identities like\nCognito, Amazon, Google or Facebook, for example:\n\n```ts\nconst principal = new iam.WebIdentityPrincipal('cognito-identity.amazonaws.com', {\n 'StringEquals': { 'cognito-identity.amazonaws.com:aud': 'us-east-2:12345678-abcd-abcd-abcd-123456' },\n 'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': 'unauthenticated' },\n});\n```\n\nIf your identity provider is configured to assume a Role with [session\ntags](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html), you\nneed to call `.withSessionTags()` to add the required permissions to the Role's\npolicy document:\n\n```ts\nnew iam.Role(this, 'Role', {\n assumedBy: new iam.WebIdentityPrincipal('cognito-identity.amazonaws.com', {\n 'StringEquals': {\n 'cognito-identity.amazonaws.com:aud': 'us-east-2:12345678-abcd-abcd-abcd-123456',\n },\n 'ForAnyValue:StringLike': {\n 'cognito-identity.amazonaws.com:amr': 'unauthenticated',\n },\n }).withSessionTags(),\n});\n```\n\n\n## Parsing JSON Policy Documents\n\nThe `PolicyDocument.fromJson` and `PolicyStatement.fromJson` static methods can be used to parse JSON objects. 
For example:\n\n```ts\nconst policyDocument = {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"FirstStatement\",\n \"Effect\": \"Allow\",\n \"Action\": [\"iam:ChangePassword\"],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SecondStatement\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:ListAllMyBuckets\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ThirdStatement\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:List*\",\n \"s3:Get*\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::confidential-data\",\n \"arn:aws:s3:::confidential-data/*\"\n ],\n \"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": \"true\"}}\n }\n ]\n};\n\nconst customPolicyDocument = iam.PolicyDocument.fromJson(policyDocument);\n\n// You can pass this document as an initial document to a ManagedPolicy\n// or inline Policy.\nconst newManagedPolicy = new iam.ManagedPolicy(this, 'MyNewManagedPolicy', {\n document: customPolicyDocument,\n});\nconst newPolicy = new iam.Policy(this, 'MyNewPolicy', {\n document: customPolicyDocument,\n});\n```\n\n## Permissions Boundaries\n\n[Permissions\nBoundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)\ncan be used as a mechanism to prevent privilege escalation by creating new\n`Role`s. Permissions Boundaries are a Managed Policy, attached to Roles or\nUsers, that represent the *maximum* set of permissions they can have. The\neffective set of permissions of a Role (or User) will be the intersection of\nthe Identity Policy and the Permissions Boundary attached to the Role (or\nUser). 
Permissions Boundaries are typically created by account\nAdministrators, and their use on newly created `Role`s will be enforced by\nIAM policies.\n\nIt is possible to attach Permissions Boundaries to all Roles created in a construct\ntree all at once:\n\n```ts\n// This imports an existing policy.\nconst boundary = iam.ManagedPolicy.fromManagedPolicyArn(this, 'Boundary', 'arn:aws:iam::123456789012:policy/boundary');\n\n// This creates a new boundary\nconst boundary2 = new iam.ManagedPolicy(this, 'Boundary2', {\n statements: [\n new iam.PolicyStatement({\n effect: iam.Effect.DENY,\n actions: ['iam:*'],\n resources: ['*'],\n }),\n ],\n});\n\n// Directly apply the boundary to a Role you create\ndeclare const role: iam.Role;\niam.PermissionsBoundary.of(role).apply(boundary);\n\n// Apply the boundary to a Role that was implicitly created for you\ndeclare const fn: lambda.Function;\niam.PermissionsBoundary.of(fn).apply(boundary);\n\n// Apply the boundary to all Roles in a stack\niam.PermissionsBoundary.of(this).apply(boundary);\n\n// Remove a Permissions Boundary that is inherited, for example from the Stack level\ndeclare const customResource: CustomResource;\niam.PermissionsBoundary.of(customResource).clear();\n```\n\n## OpenID Connect Providers\n\nOIDC identity providers are entities in IAM that describe an external identity\nprovider (IdP) service that supports the [OpenID Connect] (OIDC) standard, such\nas Google or Salesforce. You use an IAM OIDC identity provider when you want to\nestablish trust between an OIDC-compatible IdP and your AWS account. This is\nuseful when creating a mobile app or web application that requires access to AWS\nresources, but you don't want to create custom sign-in code or manage your own\nuser identities. 
For more information about this scenario, see [About Web\nIdentity Federation] and the relevant documentation in the [Amazon Cognito\nIdentity Pools Developer Guide].\n\n[OpenID Connect]: http://openid.net/connect\n[About Web Identity Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html\n[Amazon Cognito Identity Pools Developer Guide]: https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html\n\nThe following example defines an OpenID Connect provider. Two client IDs\n(audiences) will be able to send authentication requests to\n`https://openid/connect`.\n\n```ts\nconst provider = new iam.OpenIdConnectProvider(this, 'MyProvider', {\n url: 'https://openid/connect',\n clientIds: [ 'myclient1', 'myclient2' ],\n});\n```\n\nYou can specify an optional list of `thumbprints`. If not specified, the\nthumbprint of the root certificate authority (CA) will automatically be obtained\nfrom the host as described\n[here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html).\n\nOnce you define an OpenID Connect provider, you can use it with AWS services\nthat expect an IAM OIDC provider. 
For example, when you define an [Amazon\nCognito identity\npool](https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html)\nyou can reference the provider's ARN as follows:\n\n```ts\nimport * as cognito from '@aws-cdk/aws-cognito';\n\ndeclare const myProvider: iam.OpenIdConnectProvider;\nnew cognito.CfnIdentityPool(this, 'IdentityPool', {\n openIdConnectProviderArns: [myProvider.openIdConnectProviderArn],\n // And the other properties for your identity pool\n allowUnauthenticatedIdentities: false,\n});\n```\n\nThe `OpenIdConnectPrincipal` class can be used as a principal with an `OpenIdConnectProvider`, for example:\n\n```ts\nconst provider = new iam.OpenIdConnectProvider(this, 'MyProvider', {\n url: 'https://openid/connect',\n clientIds: [ 'myclient1', 'myclient2' ],\n});\nconst principal = new iam.OpenIdConnectPrincipal(provider);\n```\n\n## SAML provider\n\nAn IAM SAML 2.0 identity provider is an entity in IAM that describes an external\nidentity provider (IdP) service that supports the SAML 2.0 (Security Assertion\nMarkup Language 2.0) standard. You use an IAM identity provider when you want\nto establish trust between a SAML-compatible IdP such as Shibboleth or Active\nDirectory Federation Services and AWS, so that users in your organization can\naccess AWS resources. 
IAM SAML identity providers are used as principals in an\nIAM trust policy.\n\n```ts\nnew iam.SamlProvider(this, 'Provider', {\n metadataDocument: iam.SamlMetadataDocument.fromFile('/path/to/saml-metadata-document.xml'),\n});\n```\n\nThe `SamlPrincipal` class can be used as a principal with a `SamlProvider`:\n\n```ts\nconst provider = new iam.SamlProvider(this, 'Provider', {\n metadataDocument: iam.SamlMetadataDocument.fromFile('/path/to/saml-metadata-document.xml'),\n});\nconst principal = new iam.SamlPrincipal(provider, {\n StringEquals: {\n 'SAML:iss': 'issuer',\n },\n});\n```\n\nWhen creating a role for programmatic and AWS Management Console access, use the `SamlConsolePrincipal`\nclass:\n\n```ts\nconst provider = new iam.SamlProvider(this, 'Provider', {\n metadataDocument: iam.SamlMetadataDocument.fromFile('/path/to/saml-metadata-document.xml'),\n});\nnew iam.Role(this, 'Role', {\n assumedBy: new iam.SamlConsolePrincipal(provider),\n});\n```\n\n## Users\n\nIAM manages users for your AWS account. To create a new user:\n\n```ts\nconst user = new iam.User(this, 'MyUser');\n```\n\nTo import an existing user by name [with path](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names):\n\n```ts\nconst user = iam.User.fromUserName(this, 'MyImportedUserByName', 'johnsmith');\n```\n\nTo import an existing user by ARN:\n\n```ts\nconst user = iam.User.fromUserArn(this, 'MyImportedUserByArn', 'arn:aws:iam::123456789012:user/johnsmith');\n```\n\nTo import an existing user by attributes:\n\n```ts\nconst user = iam.User.fromUserAttributes(this, 'MyImportedUserByAttributes', {\n userArn: 'arn:aws:iam::123456789012:user/johnsmith',\n});\n```\n\n### Access Keys\n\nThe ability for a user to make API calls via the CLI or an SDK is enabled by the user having an\naccess key pair. 
To create an access key:\n\n```ts\nconst user = new iam.User(this, 'MyUser');\nconst accessKey = new iam.AccessKey(this, 'MyAccessKey', { user: user });\n```\n\nYou can force CloudFormation to rotate the access key by providing a monotonically increasing `serial`\nproperty. Simply provide a higher serial value than any number used previously:\n\n```ts\nconst user = new iam.User(this, 'MyUser');\nconst accessKey = new iam.AccessKey(this, 'MyAccessKey', { user: user, serial: 1 });\n```\n\nAn access key may only be associated with a single user and cannot be \"moved\" between users. Changing\nthe user associated with an access key replaces the access key (and its ID and secret value).\n\n## Groups\n\nAn IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users.\n\n```ts\nconst group = new iam.Group(this, 'MyGroup');\n```\n\nTo import an existing group by ARN:\n\n```ts\nconst group = iam.Group.fromGroupArn(this, 'MyImportedGroupByArn', 'arn:aws:iam::account-id:group/group-name');\n```\n\nTo import an existing group by name [with path](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names):\n\n```ts\nconst group = iam.Group.fromGroupName(this, 'MyImportedGroupByName', 'group-name');\n```\n\nTo add a user to a group (both for a new and imported user/group):\n\n```ts\nconst user = new iam.User(this, 'MyUser'); // or User.fromUserName(stack, 'User', 'johnsmith');\nconst group = new iam.Group(this, 'MyGroup'); // or Group.fromGroupArn(stack, 'Group', 'arn:aws:iam::account-id:group/group-name');\n\nuser.addToGroup(group);\n// or\ngroup.addUser(user);\n```\n\n## Features\n\n* Policy name uniqueness is enforced. 
If two policies by the same name are attached to the same\n principal, the attachment will fail.\n* Policy names are not required - the CDK logical ID will be used and ensured to be unique.\n* Policies are validated during synthesis to ensure that they have actions, and that policies\n attached to IAM principals specify relevant resources, while policies attached to resources\n specify which IAM principals they apply to.\n" }, "repository": { "directory": "packages/@aws-cdk/aws-iam", "type": "git", "url": "https://github.com/aws/aws-cdk.git" }, "schema": "jsii/0.10.0", "targets": { "dotnet": { "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png", "namespace": "Amazon.CDK.AWS.IAM", "packageId": "Amazon.CDK.AWS.IAM" }, "java": { "maven": { "artifactId": "iam", "groupId": "software.amazon.awscdk" }, "package": "software.amazon.awscdk.services.iam" }, "js": { "npm": "@aws-cdk/aws-iam" }, "python": { "classifiers": [ "Framework :: AWS CDK", "Framework :: AWS CDK :: 1" ], "distName": "aws-cdk.aws-iam", "module": "aws_cdk.aws_iam" } }, "types": { "@aws-cdk/aws-iam.AccessKey": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.Resource", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "// Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.\nconst user = new iam.User(this, 'User');\nconst accessKey = new iam.AccessKey(this, 'AccessKey', { user });\nconst secretValue = secretsmanager.SecretStringValueBeta1.fromToken(accessKey.secretAccessKey.toString());\nnew secretsmanager.Secret(this, 'Secret', {\n secretStringBeta1: secretValue,\n});", "stability": "stable", "summary": "Define a new IAM Access Key." 
}, "fqn": "@aws-cdk/aws-iam.AccessKey", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/access-key.ts", "line": 80 }, "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.AccessKeyProps" } } ] }, "interfaces": [ "@aws-cdk/aws-iam.IAccessKey" ], "kind": "class", "locationInModule": { "filename": "lib/access-key.ts", "line": 76 }, "name": "AccessKey", "properties": [ { "docs": { "stability": "stable", "summary": "The Access Key ID." }, "immutable": true, "locationInModule": { "filename": "lib/access-key.ts", "line": 77 }, "name": "accessKeyId", "overrides": "@aws-cdk/aws-iam.IAccessKey", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "The Secret Access Key." }, "immutable": true, "locationInModule": { "filename": "lib/access-key.ts", "line": 78 }, "name": "secretAccessKey", "overrides": "@aws-cdk/aws-iam.IAccessKey", "type": { "fqn": "@aws-cdk/core.SecretValue" } } ], "symbolId": "lib/access-key:AccessKey" }, "@aws-cdk/aws-iam.AccessKeyProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "infused" }, "example": "// Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.\nconst user = new iam.User(this, 'User');\nconst accessKey = new iam.AccessKey(this, 'AccessKey', { user });\nconst secretValue = secretsmanager.SecretStringValueBeta1.fromToken(accessKey.secretAccessKey.toString());\nnew secretsmanager.Secret(this, 'Secret', {\n secretStringBeta1: secretValue,\n});", "stability": "stable", "summary": "Properties for defining an IAM access key." 
}, "fqn": "@aws-cdk/aws-iam.AccessKeyProps", "kind": "interface", "locationInModule": { "filename": "lib/access-key.ts", "line": 45 }, "name": "AccessKeyProps", "properties": [ { "abstract": true, "docs": { "remarks": "Changing this value will result in the access key being deleted and a new\naccess key (with a different ID and secret value) being assigned to the new\nuser.", "stability": "stable", "summary": "The IAM user this key will belong to." }, "immutable": true, "locationInModule": { "filename": "lib/access-key.ts", "line": 70 }, "name": "user", "type": { "fqn": "@aws-cdk/aws-iam.IUser" } }, { "abstract": true, "docs": { "default": "- No serial value", "remarks": "This value can only be incremented. Incrementing this\nvalue will cause CloudFormation to replace the Access Key resource.", "stability": "stable", "summary": "A CloudFormation-specific value that signifies the access key should be replaced/rotated." }, "immutable": true, "locationInModule": { "filename": "lib/access-key.ts", "line": 53 }, "name": "serial", "optional": true, "type": { "primitive": "number" } }, { "abstract": true, "docs": { "default": "- The access key is active", "remarks": "An Active access key is allowed to be used\nto make API calls; An Inactive key cannot.", "stability": "stable", "summary": "The status of the access key." }, "immutable": true, "locationInModule": { "filename": "lib/access-key.ts", "line": 61 }, "name": "status", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.AccessKeyStatus" } } ], "symbolId": "lib/access-key:AccessKeyProps" }, "@aws-cdk/aws-iam.AccessKeyStatus": { "assembly": "@aws-cdk/aws-iam", "docs": { "stability": "stable", "summary": "Valid statuses for an IAM Access Key." }, "fqn": "@aws-cdk/aws-iam.AccessKeyStatus", "kind": "enum", "locationInModule": { "filename": "lib/access-key.ts", "line": 9 }, "members": [ { "docs": { "remarks": "An active key can be used to make API calls.", "stability": "stable", "summary": "An active access key." 
}, "name": "ACTIVE" }, { "docs": { "remarks": "An inactive key cannot be used to make API calls.", "stability": "stable", "summary": "An inactive access key." }, "name": "INACTIVE" } ], "name": "AccessKeyStatus", "symbolId": "lib/access-key:AccessKeyStatus" }, "@aws-cdk/aws-iam.AccountPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.ArnPrincipal", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const cluster = new neptune.DatabaseCluster(this, 'Cluster', {\n vpc,\n instanceType: neptune.InstanceType.R5_LARGE,\n iamAuthentication: true, // Optional - will be automatically set if you call grantConnect().\n});\nconst role = new iam.Role(this, 'DBRole', { assumedBy: new iam.AccountPrincipal(this.account) });\ncluster.grantConnect(role); // Grant the role connection access to the DB.", "stability": "stable", "summary": "Specify AWS account ID as the principal entity in a policy to delegate authority to the account." }, "fqn": "@aws-cdk/aws-iam.AccountPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 395 }, "parameters": [ { "docs": { "summary": "AWS account ID (i.e. 123456789012)." }, "name": "accountId", "type": { "primitive": "any" } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 388 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." }, "locationInModule": { "filename": "lib/principals.ts", "line": 400 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.ArnPrincipal", "returns": { "type": { "primitive": "string" } } } ], "name": "AccountPrincipal", "properties": [ { "docs": { "stability": "stable", "summary": "AWS account ID (i.e. 123456789012)." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 395 }, "name": "accountId", "type": { "primitive": "any" } }, { "docs": { "remarks": "Can be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.", "stability": "stable", "summary": "The AWS account ID of this principal." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 389 }, "name": "principalAccount", "optional": true, "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "primitive": "string" } } ], "symbolId": "lib/principals:AccountPrincipal" }, "@aws-cdk/aws-iam.AccountRootPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.AccountPrincipal", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const bucket = new s3.Bucket(this, 'MyBucket');\nconst result = bucket.addToResourcePolicy(new iam.PolicyStatement({\n actions: ['s3:GetObject'],\n resources: [bucket.arnForObjects('file.txt')],\n principals: [new iam.AccountRootPrincipal()],\n}));", "stability": "stable", "summary": "Use the AWS account into which a stack is deployed as the principal entity in a policy." }, "fqn": "@aws-cdk/aws-iam.AccountRootPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 629 } }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 628 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 633 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.AccountPrincipal", "returns": { "type": { "primitive": "string" } } } ], "name": "AccountRootPrincipal", "symbolId": "lib/principals:AccountRootPrincipal" }, "@aws-cdk/aws-iam.AddToPrincipalPolicyResult": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "stability": "stable", "summary": "Result of calling `addToPrincipalPolicy`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nimport * as cdk from '@aws-cdk/core';\n\ndeclare const dependable: cdk.IDependable;\nconst addToPrincipalPolicyResult: iam.AddToPrincipalPolicyResult = {\n statementAdded: false,\n\n // the properties below are optional\n policyDependable: dependable,\n};", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.AddToPrincipalPolicyResult", "kind": "interface", "locationInModule": { "filename": "lib/principals.ts", "line": 95 }, "name": "AddToPrincipalPolicyResult", "properties": [ { "abstract": true, "docs": { "stability": "stable", "summary": "Whether the statement was added to the identity's policies." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 100 }, "name": "statementAdded", "type": { "primitive": "boolean" } }, { "abstract": true, "docs": { "default": "- Required if `statementAdded` is true.", "stability": "stable", "summary": "Dependable which allows depending on the policy change being applied." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 107 }, "name": "policyDependable", "optional": true, "type": { "fqn": "@aws-cdk/core.IDependable" } } ], "symbolId": "lib/principals:AddToPrincipalPolicyResult" }, "@aws-cdk/aws-iam.AddToResourcePolicyResult": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const bucket = s3.Bucket.fromBucketName(this, 'existingBucket', 'bucket-name');\n\n// No policy statement will be added to the resource\nconst result = bucket.addToResourcePolicy(new iam.PolicyStatement({\n actions: ['s3:GetObject'],\n resources: [bucket.arnForObjects('file.txt')],\n principals: [new iam.AccountRootPrincipal()],\n}));", "stability": "stable", "summary": "Result of calling addToResourcePolicy." }, "fqn": "@aws-cdk/aws-iam.AddToResourcePolicyResult", "kind": "interface", "locationInModule": { "filename": "lib/grant.ts", "line": 316 }, "name": "AddToResourcePolicyResult", "properties": [ { "abstract": true, "docs": { "stability": "stable", "summary": "Whether the statement was added." }, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 320 }, "name": "statementAdded", "type": { "primitive": "boolean" } }, { "abstract": true, "docs": { "default": "- If `statementAdded` is true, the resource object itself.\nOtherwise, no dependable.", "stability": "stable", "summary": "Dependable which allows depending on the policy change being applied." 
}, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 328 }, "name": "policyDependable", "optional": true, "type": { "fqn": "@aws-cdk/core.IDependable" } } ], "symbolId": "lib/grant:AddToResourcePolicyResult" }, "@aws-cdk/aws-iam.AnyPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.ArnPrincipal", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const topic = new sns.Topic(this, 'Topic');\nconst topicPolicy = new sns.TopicPolicy(this, 'TopicPolicy', {\n topics: [topic],\n});\n\ntopicPolicy.document.addStatements(new iam.PolicyStatement({\n actions: [\"sns:Subscribe\"],\n principals: [new iam.AnyPrincipal()],\n resources: [topic.topicArn],\n}));", "remarks": "Some services behave differently when you specify `Principal: '*'`\nor `Principal: { AWS: \"*\" }` in their resource policy.\n\n`AnyPrincipal` renders to `Principal: { AWS: \"*\" }`. This is correct\nmost of the time, but in cases where you need the other principal,\nuse `StarPrincipal` instead.", "stability": "stable", "summary": "A principal representing all AWS identities in all accounts." }, "fqn": "@aws-cdk/aws-iam.AnyPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 649 } }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 648 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 653 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.ArnPrincipal", "returns": { "type": { "primitive": "string" } } } ], "name": "AnyPrincipal", "symbolId": "lib/principals:AnyPrincipal" }, "@aws-cdk/aws-iam.Anyone": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.AnyPrincipal", "docs": { "deprecated": "use `AnyPrincipal`", "stability": "deprecated", "summary": "A principal representing all identities in all accounts.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst anyone = new iam.Anyone();", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.Anyone", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 649 } }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 662 }, "name": "Anyone", "symbolId": "lib/principals:Anyone" }, "@aws-cdk/aws-iam.ArnPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.PrincipalBase", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "declare const networkLoadBalancer1: elbv2.NetworkLoadBalancer;\ndeclare const networkLoadBalancer2: elbv2.NetworkLoadBalancer;\n\nnew ec2.VpcEndpointService(this, 'EndpointService', {\n vpcEndpointServiceLoadBalancers: [networkLoadBalancer1, networkLoadBalancer2],\n acceptanceRequired: true,\n allowedPrincipals: [new iam.ArnPrincipal('arn:aws:iam::123456789012:root')]\n});", "remarks": "You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions.\nYou cannot specify IAM groups or instance profiles as principals", "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html", "stability": "stable", "summary": "Specify a principal by the Amazon Resource 
Name (ARN)." }, "fqn": "@aws-cdk/aws-iam.ArnPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 360 }, "parameters": [ { "docs": { "summary": "Amazon Resource Name (ARN) of the principal entity (i.e. arn:aws:iam::123456789012:user/user-name)." }, "name": "arn", "type": { "primitive": "string" } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 355 }, "methods": [ { "docs": { "stability": "stable", "summary": "A convenience method for adding a condition that the principal is part of the specified AWS Organization." }, "locationInModule": { "filename": "lib/principals.ts", "line": 376 }, "name": "inOrganization", "parameters": [ { "name": "organizationId", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.PrincipalBase" } } }, { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." }, "locationInModule": { "filename": "lib/principals.ts", "line": 368 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "returns": { "type": { "primitive": "string" } } } ], "name": "ArnPrincipal", "properties": [ { "docs": { "stability": "stable", "summary": "Amazon Resource Name (ARN) of the principal entity (i.e. arn:aws:iam::123456789012:user/user-name)." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 360 }, "name": "arn", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 364 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } } ], "symbolId": "lib/principals:ArnPrincipal" }, "@aws-cdk/aws-iam.CanonicalUserPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.PrincipalBase", "docs": { "remarks": "See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html\n\nand\n\nhttps://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html\n\nfor more details.", "stability": "stable", "summary": "A policy principal for canonicalUserIds - useful for S3 bucket policies that use Origin Access identities.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst canonicalUserPrincipal = new iam.CanonicalUserPrincipal('canonicalUserId');", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.CanonicalUserPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 494 }, "parameters": [ { "docs": { "remarks": "root user and IAM users for an account all see the same ID.\n(i.e. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be)", "summary": "unique identifier assigned by AWS for every account." }, "name": "canonicalUserId", "type": { "primitive": "string" } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 487 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 502 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "returns": { "type": { "primitive": "string" } } } ], "name": "CanonicalUserPrincipal", "properties": [ { "docs": { "remarks": "root user and IAM users for an account all see the same ID.\n(i.e. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be)", "stability": "stable", "summary": "unique identifier assigned by AWS for every account." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 494 }, "name": "canonicalUserId", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 498 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } } ], "symbolId": "lib/principals:CanonicalUserPrincipal" }, "@aws-cdk/aws-iam.CfnAccessKey": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::AccessKey", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is `Active` .\n\nIf you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. This operation works for access keys under the AWS account . Consequently, you can use this operation to manage AWS account root user credentials. 
This is true even if the AWS account has no associated users.\n\nFor information about quotas on the number of keys you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .\n\n> To ensure the security of your AWS account , the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can delete the access keys for the associated user and then create new keys.", "stability": "external", "summary": "A CloudFormation `AWS::IAM::AccessKey`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnAccessKey = new iam.CfnAccessKey(this, 'MyCfnAccessKey', {\n userName: 'userName',\n\n // the properties below are optional\n serial: 123,\n status: 'status',\n});" }, "fqn": "@aws-cdk/aws-iam.CfnAccessKey", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::AccessKey`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 174 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." }, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." }, "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.CfnAccessKeyProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 113 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 190 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." }, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 203 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnAccessKey", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 117 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "cloudformationAttribute": "SecretAccessKey" }, "remarks": "For example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY.", "stability": "external", "summary": "Returns the secret access key for the specified AWS::IAM::AccessKey resource." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 142 }, "name": "attrSecretAccessKey", "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 195 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-username" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the IAM user that the new key will belong to." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 151 }, "name": "userName", "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-serial" }, "remarks": "Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.", "stability": "external", "summary": "This value is specific to CloudFormation and can only be *incremented* ." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 158 }, "name": "serial", "optional": true, "type": { "primitive": "number" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-status" }, "remarks": "`Active` means that the key is valid for API calls, while `Inactive` means it is not.", "stability": "external", "summary": "The status of the access key." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 165 }, "name": "status", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnAccessKey" }, "@aws-cdk/aws-iam.CfnAccessKeyProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnAccessKey`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnAccessKeyProps: iam.CfnAccessKeyProps = {\n userName: 'userName',\n\n // the properties below are optional\n serial: 123,\n status: 'status',\n};" }, "fqn": "@aws-cdk/aws-iam.CfnAccessKeyProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 19 }, "name": "CfnAccessKeyProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-username" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. 
You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the IAM user that the new key will belong to." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 28 }, "name": "userName", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-serial" }, "remarks": "Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.", "stability": "external", "summary": "This value is specific to CloudFormation and can only be *incremented* ." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 35 }, "name": "serial", "optional": true, "type": { "primitive": "number" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-status" }, "remarks": "`Active` means that the key is valid for API calls, while `Inactive` means it is not.", "stability": "external", "summary": "The status of the access key." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 42 }, "name": "status", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnAccessKeyProps" }, "@aws-cdk/aws-iam.CfnGroup": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::Group", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Creates a new group.\n\nFor information about the number of groups you can create, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .", "stability": "external", "summary": "A CloudFormation `AWS::IAM::Group`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const policyDocument: any;\nconst cfnGroup = new iam.CfnGroup(this, 'MyCfnGroup', /* all optional props */ {\n groupName: 'groupName',\n managedPolicyArns: ['managedPolicyArns'],\n path: 'path',\n policies: [{\n policyDocument: policyDocument,\n policyName: 'policyName',\n }],\n});" }, "fqn": "@aws-cdk/aws-iam.CfnGroup", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::Group`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 415 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." }, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." 
}, "name": "props", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.CfnGroupProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 331 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 431 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." }, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 445 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnGroup", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 335 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "cloudformationAttribute": "Arn" }, "remarks": "For example: `arn:aws:iam::123456789012:group/mystack-mygroup-1DZETITOWEKVO` .", "stability": "external", "summary": "Returns the Amazon Resource Name (ARN) for the specified `AWS::IAM::Group` resource." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 360 }, "name": "attrArn", "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 436 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-groupname" }, "remarks": "The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both \"ADMINS\" and \"admins\". If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name.\n\n> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.\n\nIf you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .\n\n> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{\"Fn::Join\": [\"\", [{\"Ref\": \"AWS::Region\"}, {\"Ref\": \"MyResourceName\"}]]}` .", "stability": "external", "summary": "The name of the group to create. Do not include the path in this value." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 375 }, "name": "groupName", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-managepolicyarns" }, "remarks": "For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .", "stability": "external", "summary": "The Amazon Resource Name (ARN) of the IAM policy you want to attach." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 384 }, "name": "managedPolicyArns", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-path" }, "remarks": "This parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", "stability": "external", "summary": "The path to the group. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* ." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 395 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-policies" }, "remarks": "To view AWS::IAM::Group snippets, see [Declaring an IAM Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group) .\n\n> The name of each inline policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.\n\nFor information about limits on the number of inline policies that you can embed in a group, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .", "stability": "external", "summary": "Adds or updates an inline policy document that is embedded in the specified IAM group." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 406 }, "name": "policies", "optional": true, "type": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "collection": { "elementtype": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "fqn": "@aws-cdk/aws-iam.CfnGroup.PolicyProperty" } ] } }, "kind": "array" } } ] } } } ], "symbolId": "lib/iam.generated:CfnGroup" }, "@aws-cdk/aws-iam.CfnGroup.PolicyProperty": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html", "exampleMetadata": "fixture=_generated" }, "remarks": "An attached policy is a managed policy that has been attached to a user, group, or role.\n\nFor more information about managed policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .", "stability": 
"external", "summary": "Contains information about an attached policy.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const policyDocument: any;\nconst policyProperty: iam.CfnGroup.PolicyProperty = {\n policyDocument: policyDocument,\n policyName: 'policyName',\n};" }, "fqn": "@aws-cdk/aws-iam.CfnGroup.PolicyProperty", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 463 }, "name": "PolicyProperty", "namespace": "CfnGroup", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policydocument" }, "stability": "external", "summary": "The policy document." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 469 }, "name": "policyDocument", "type": { "primitive": "any" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policyname" }, "stability": "external", "summary": "The friendly name (not ARN) identifying the policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 475 }, "name": "policyName", "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnGroup.PolicyProperty" }, "@aws-cdk/aws-iam.CfnGroupProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnGroup`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const policyDocument: any;\nconst cfnGroupProps: iam.CfnGroupProps = {\n groupName: 'groupName',\n managedPolicyArns: ['managedPolicyArns'],\n path: 'path',\n policies: [{\n policyDocument: policyDocument,\n policyName: 'policyName',\n }],\n};" }, "fqn": "@aws-cdk/aws-iam.CfnGroupProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 216 }, "name": "CfnGroupProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-groupname" }, "remarks": "The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both \"ADMINS\" and \"admins\". If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name.\n\n> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.\n\nIf you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. 
For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .\n\n> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{\"Fn::Join\": [\"\", [{\"Ref\": \"AWS::Region\"}, {\"Ref\": \"MyResourceName\"}]]}` .", "stability": "external", "summary": "The name of the group to create. Do not include the path in this value." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 231 }, "name": "groupName", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-managepolicyarns" }, "remarks": "For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .", "stability": "external", "summary": "The Amazon Resource Name (ARN) of the IAM policy you want to attach." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 240 }, "name": "managedPolicyArns", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-path" }, "remarks": "This parameter is optional. 
If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", "stability": "external", "summary": "The path to the group. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* ." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 251 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-policies" }, "remarks": "To view AWS::IAM::Group snippets, see [Declaring an IAM Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group) .\n\n> The name of each inline policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.\n\nFor information about limits on the number of inline policies that you can embed in a group, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .", "stability": "external", "summary": "Adds or updates an inline policy document that is embedded in the specified IAM group." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 262 }, "name": "policies", "optional": true, "type": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "collection": { "elementtype": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "fqn": "@aws-cdk/aws-iam.CfnGroup.PolicyProperty" } ] } }, "kind": "array" } } ] } } } ], "symbolId": "lib/iam.generated:CfnGroupProps" }, "@aws-cdk/aws-iam.CfnInstanceProfile": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::InstanceProfile", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Creates a new instance profile. For information about instance profiles, see [Using instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) .\n\nFor information about the number of instance profiles you can create, see [IAM object quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .", "stability": "external", "summary": "A CloudFormation `AWS::IAM::InstanceProfile`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnInstanceProfile = new iam.CfnInstanceProfile(this, 'MyCfnInstanceProfile', {\n roles: ['roles'],\n\n // the properties below are optional\n instanceProfileName: 'instanceProfileName',\n path: 'path',\n});" }, "fqn": "@aws-cdk/aws-iam.CfnInstanceProfile", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::InstanceProfile`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 703 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." 
}, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." }, "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.CfnInstanceProfileProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 634 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 719 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." }, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 732 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnInstanceProfile", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 638 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "cloudformationAttribute": "Arn" }, "remarks": "`{\"Fn::GetAtt\" : [\"MyProfile\", \"Arn\"] }`\n\nThis returns a value such as `arn:aws:iam::1234567890:instance-profile/MyProfile-ASDNSDLKJ` .", "stability": "external", "summary": "Returns the Amazon Resource Name (ARN) for the instance profile. 
For example:." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 667 }, "name": "attrArn", "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 724 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-roles" }, "remarks": "Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.", "stability": "external", "summary": "The name of the role to associate with the instance profile." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 674 }, "name": "roles", "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-instanceprofilename" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the instance profile to create." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 683 }, "name": "instanceProfileName", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-path" }, "remarks": "For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", "stability": "external", "summary": "The path to the instance profile." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 694 }, "name": "path", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnInstanceProfile" }, "@aws-cdk/aws-iam.CfnInstanceProfileProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnInstanceProfile`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnInstanceProfileProps: iam.CfnInstanceProfileProps = {\n roles: ['roles'],\n\n // the properties below are optional\n instanceProfileName: 'instanceProfileName',\n path: 'path',\n};" }, "fqn": "@aws-cdk/aws-iam.CfnInstanceProfileProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 540 }, "name": "CfnInstanceProfileProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-roles" }, "remarks": "Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.", "stability": "external", "summary": "The name of the role to associate with the instance profile." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 547 }, "name": "roles", "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-instanceprofilename" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the instance profile to create." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 556 }, "name": "instanceProfileName", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-path" }, "remarks": "For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", "stability": "external", "summary": "The path to the instance profile." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 567 }, "name": "path", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnInstanceProfileProps" }, "@aws-cdk/aws-iam.CfnManagedPolicy": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::ManagedPolicy", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Creates a new managed policy for your AWS account .\n\nThis operation creates a policy version with a version identifier of `v1` and sets v1 as the policy's default version. For more information about policy versions, see [Versioning for managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-versions.html) in the *IAM User Guide* .\n\nAs a best practice, you can validate your IAM policies. To learn more, see [Validating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html) in the *IAM User Guide* .\n\nFor more information about managed policies in general, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .", "stability": "external", "summary": "A CloudFormation `AWS::IAM::ManagedPolicy`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const policyDocument: any;\nconst cfnManagedPolicy = new iam.CfnManagedPolicy(this, 'MyCfnManagedPolicy', {\n policyDocument: policyDocument,\n\n // the properties below are optional\n description: 'description',\n groups: ['groups'],\n managedPolicyName: 'managedPolicyName',\n path: 'path',\n roles: ['roles'],\n users: ['users'],\n});" }, "fqn": 
"@aws-cdk/aws-iam.CfnManagedPolicy", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::ManagedPolicy`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1034 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." }, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." }, "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.CfnManagedPolicyProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 915 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1053 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." }, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1070 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnManagedPolicy", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 919 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1058 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-policydocument" }, "remarks": "You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. 
To view the maximum character counts of a managed policy with no whitespaces, see [IAM and AWS STS character quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length) .\n\nTo learn more about JSON policy grammar, see [Grammar of the IAM JSON policy language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) in the *IAM User Guide* .\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\ u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\ u00FF` )\n- The special characters tab ( `\\ u0009` ), line feed ( `\\ u000A` ), and carriage return ( `\\ u000D` )", "stability": "external", "summary": "The JSON policy document that you want to use as the content for the new policy." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 957 }, "name": "policyDocument", "type": { "primitive": "any" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-description" }, "remarks": "Typically used to store information about the permissions defined in the policy. For example, \"Grants access to production DynamoDB tables.\"\n\nThe policy description is immutable. After a value is assigned, it cannot be changed.", "stability": "external", "summary": "A friendly description of the policy." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 968 }, "name": "description", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-groups" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name (friendly name, not ARN) of the group to attach the policy to." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 977 }, "name": "groups", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-managedpolicyname" }, "remarks": "> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.\n\nIf you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .\n\n> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. 
To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{\"Fn::Join\": [\"\", [{\"Ref\": \"AWS::Region\"}, {\"Ref\": \"MyResourceName\"}]]}` .", "stability": "external", "summary": "The friendly name of the policy." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 990 }, "name": "managedPolicyName", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-ec2-dhcpoptions-path" }, "remarks": "For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.\n\n> You cannot use an asterisk (*) in the path name.", "stability": "external", "summary": "The path for the policy." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1005 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles" }, "remarks": "This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. 
You can also include any of the following characters: _+=,.@-\n\n> If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy` ) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service` ) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that AWS CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.", "stability": "external", "summary": "The name (friendly name, not ARN) of the role to attach the policy to." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1016 }, "name": "roles", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-users" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name (friendly name, not ARN) of the IAM user to attach the policy to." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1025 }, "name": "users", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } ], "symbolId": "lib/iam.generated:CfnManagedPolicy" }, "@aws-cdk/aws-iam.CfnManagedPolicyProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnManagedPolicy`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const policyDocument: any;\nconst cfnManagedPolicyProps: iam.CfnManagedPolicyProps = {\n policyDocument: policyDocument,\n\n // the properties below are optional\n description: 'description',\n groups: ['groups'],\n managedPolicyName: 'managedPolicyName',\n path: 'path',\n roles: ['roles'],\n users: ['users'],\n};" }, "fqn": "@aws-cdk/aws-iam.CfnManagedPolicyProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 745 }, "name": "CfnManagedPolicyProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-policydocument" }, "remarks": "You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. 
To view the maximum character counts of a managed policy with no whitespaces, see [IAM and AWS STS character quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length) .\n\nTo learn more about JSON policy grammar, see [Grammar of the IAM JSON policy language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) in the *IAM User Guide* .\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\ u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\ u00FF` )\n- The special characters tab ( `\\ u0009` ), line feed ( `\\ u000A` ), and carriage return ( `\\ u000D` )", "stability": "external", "summary": "The JSON policy document that you want to use as the content for the new policy." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 764 }, "name": "policyDocument", "type": { "primitive": "any" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-description" }, "remarks": "Typically used to store information about the permissions defined in the policy. For example, \"Grants access to production DynamoDB tables.\"\n\nThe policy description is immutable. After a value is assigned, it cannot be changed.", "stability": "external", "summary": "A friendly description of the policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 775 }, "name": "description", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-groups" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name (friendly name, not ARN) of the group to attach the policy to." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 784 }, "name": "groups", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-managedpolicyname" }, "remarks": "> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.\n\nIf you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .\n\n> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. 
To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{\"Fn::Join\": [\"\", [{\"Ref\": \"AWS::Region\"}, {\"Ref\": \"MyResourceName\"}]]}` .", "stability": "external", "summary": "The friendly name of the policy." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 797 }, "name": "managedPolicyName", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-ec2-dhcpoptions-path" }, "remarks": "For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.\n\n> You cannot use an asterisk (*) in the path name.", "stability": "external", "summary": "The path for the policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 812 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles" }, "remarks": "This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-\n\n> If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy` ) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service` ) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that AWS CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.", "stability": "external", "summary": "The name (friendly name, not ARN) of the role to attach the policy to." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 823 }, "name": "roles", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-users" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. 
You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name (friendly name, not ARN) of the IAM user to attach the policy to." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 832 }, "name": "users", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } ], "symbolId": "lib/iam.generated:CfnManagedPolicyProps" }, "@aws-cdk/aws-iam.CfnOIDCProvider": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::OIDCProvider", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Creates an IAM entity to describe an identity provider (IdP) that supports [OpenID Connect (OIDC)](https://docs.aws.amazon.com/http://openid.net/connect/) .\n\nThe OIDC provider that you create with this operation can be used as a principal in a role's trust policy. Such a policy establishes a trust relationship between AWS and the OIDC provider.\n\nWhen you create the IAM OIDC provider, you specify the following:\n\n- The URL of the OIDC identity provider (IdP) to trust\n- A list of client IDs (also known as audiences) that identify the application or applications that are allowed to authenticate using the OIDC provider\n- A list of thumbprints of one or more server certificates that the IdP uses\n\nYou get all of this information from the OIDC IdP that you want to use to access AWS .\n\n> The trust for the OIDC provider is derived from the IAM provider that this operation creates. 
Therefore, it is best to limit access to the [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) operation to highly privileged users.", "stability": "external", "summary": "A CloudFormation `AWS::IAM::OIDCProvider`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnOIDCProvider = new iam.CfnOIDCProvider(this, 'MyCfnOIDCProvider', {\n thumbprintList: ['thumbprintList'],\n\n // the properties below are optional\n clientIdList: ['clientIdList'],\n tags: [{\n key: 'key',\n value: 'value',\n }],\n url: 'url',\n});" }, "fqn": "@aws-cdk/aws-iam.CfnOIDCProvider", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::OIDCProvider`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1257 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." }, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." }, "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.CfnOIDCProviderProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1191 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1274 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." 
}, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1288 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnOIDCProvider", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1195 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "cloudformationAttribute": "Arn" }, "stability": "external", "summary": "Returns the Amazon Resource Name (ARN) for the specified `AWS::IAM::OIDCProvider` resource." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1220 }, "name": "attrArn", "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1279 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-tags" }, "remarks": "The returned list of tags is sorted by tag key. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .", "stability": "external", "summary": "A list of tags that are attached to the specified IAM OIDC provider." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1241 }, "name": "tags", "type": { "fqn": "@aws-cdk/core.TagManager" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-thumbprintlist" }, "remarks": "For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .", "stability": "external", "summary": "A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1227 }, "name": "thumbprintList", "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-clientidlist" }, "remarks": "For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .", "stability": "external", "summary": "A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1234 }, "name": "clientIdList", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-url" }, "remarks": "For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .", "stability": "external", "summary": "The URL that the IAM OIDC provider resource object is associated with." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1248 }, "name": "url", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnOIDCProvider" }, "@aws-cdk/aws-iam.CfnOIDCProviderProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnOIDCProvider`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnOIDCProviderProps: iam.CfnOIDCProviderProps = {\n thumbprintList: ['thumbprintList'],\n\n // the properties below are optional\n clientIdList: ['clientIdList'],\n tags: [{\n key: 'key',\n value: 'value',\n }],\n url: 'url',\n};" }, "fqn": "@aws-cdk/aws-iam.CfnOIDCProviderProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1083 }, "name": "CfnOIDCProviderProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-thumbprintlist" }, "remarks": "For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .", "stability": "external", "summary": "A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1090 }, "name": "thumbprintList", "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-clientidlist" }, "remarks": "For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .", "stability": "external", "summary": "A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1097 }, "name": "clientIdList", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-tags" }, "remarks": "The returned list of tags is sorted by tag key. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .", "stability": "external", "summary": "A list of tags that are attached to the specified IAM OIDC provider." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1104 }, "name": "tags", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/core.CfnTag" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-url" }, "remarks": "For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .", "stability": "external", "summary": "The URL that the IAM OIDC provider resource object is associated with." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1111 }, "name": "url", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnOIDCProviderProps" }, "@aws-cdk/aws-iam.CfnPolicy": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::Policy", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Adds or updates an inline policy document that is embedded in the specified IAM user, group, or role.\n\nAn IAM user can also have a managed policy attached to it. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .\n\nThe Groups, Roles, and Users properties are optional. 
However, you must specify at least one of these properties.\n\nFor information about limits on the number of inline policies that you can embed in an identity, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .", "stability": "external", "summary": "A CloudFormation `AWS::IAM::Policy`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const policyDocument: any;\nconst cfnPolicy = new iam.CfnPolicy(this, 'MyCfnPolicy', {\n policyDocument: policyDocument,\n policyName: 'policyName',\n\n // the properties below are optional\n groups: ['groups'],\n roles: ['roles'],\n users: ['users'],\n});" }, "fqn": "@aws-cdk/aws-iam.CfnPolicy", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::Policy`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1517 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." }, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." }, "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.CfnPolicyProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1432 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1535 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." 
}, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1550 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnPolicy", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1436 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1540 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument" }, "remarks": "You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. 
AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\ u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\ u00FF` )\n- The special characters tab ( `\\ u0009` ), line feed ( `\\ u000A` ), and carriage return ( `\\ u000D` )", "stability": "external", "summary": "The policy document." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1470 }, "name": "policyDocument", "type": { "primitive": "any" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policyname" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the policy document." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1479 }, "name": "policyName", "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-groups" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.", "stability": "external", "summary": "The name of the group to associate the policy with." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1488 }, "name": "groups", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-roles" }, "remarks": "This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-\n\n> If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy` ) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service` ) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that AWS CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.", "stability": "external", "summary": "The name of the role to associate the policy with." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1499 }, "name": "roles", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-users" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. 
You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the user to associate the policy with." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1508 }, "name": "users", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } ], "symbolId": "lib/iam.generated:CfnPolicy" }, "@aws-cdk/aws-iam.CfnPolicyProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnPolicy`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const policyDocument: any;\nconst cfnPolicyProps: iam.CfnPolicyProps = {\n policyDocument: policyDocument,\n policyName: 'policyName',\n\n // the properties below are optional\n groups: ['groups'],\n roles: ['roles'],\n users: ['users'],\n};" }, "fqn": "@aws-cdk/aws-iam.CfnPolicyProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1301 }, "name": "CfnPolicyProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument" }, "remarks": "You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. 
AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.\n\nThe [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\ u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\ u00FF` )\n- The special characters tab ( `\\ u0009` ), line feed ( `\\ u000A` ), and carriage return ( `\\ u000D` )", "stability": "external", "summary": "The policy document." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1316 }, "name": "policyDocument", "type": { "primitive": "any" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policyname" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the policy document." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1325 }, "name": "policyName", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-groups" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. 
You can also include any of the following characters: _+=,.@-.", "stability": "external", "summary": "The name of the group to associate the policy with." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1334 }, "name": "groups", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-roles" }, "remarks": "This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-\n\n> If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy` ) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service` ) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that AWS CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.", "stability": "external", "summary": "The name of the role to associate the policy with." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1345 }, "name": "roles", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-users" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the user to associate the policy with." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1354 }, "name": "users", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } ], "symbolId": "lib/iam.generated:CfnPolicyProps" }, "@aws-cdk/aws-iam.CfnRole": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::Role", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Creates a new role for your AWS account . For more information about roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html) . 
For information about quotas for role names and the number of roles you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .", "stability": "external", "summary": "A CloudFormation `AWS::IAM::Role`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const assumeRolePolicyDocument: any;\ndeclare const policyDocument: any;\nconst cfnRole = new iam.CfnRole(this, 'MyCfnRole', {\n assumeRolePolicyDocument: assumeRolePolicyDocument,\n\n // the properties below are optional\n description: 'description',\n managedPolicyArns: ['managedPolicyArns'],\n maxSessionDuration: 123,\n path: 'path',\n permissionsBoundary: 'permissionsBoundary',\n policies: [{\n policyDocument: policyDocument,\n policyName: 'policyName',\n }],\n roleName: 'roleName',\n tags: [{\n key: 'key',\n value: 'value',\n }],\n});" }, "fqn": "@aws-cdk/aws-iam.CfnRole", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::Role`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1874 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." }, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." }, "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.CfnRoleProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1735 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1897 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." }, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1916 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnRole", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1739 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "cloudformationAttribute": "Arn" }, "remarks": "`{\"Fn::GetAtt\" : [\"MyRole\", \"Arn\"] }`\n\nThis will return a value such as `arn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF` .", "stability": "external", "summary": "Returns the Amazon Resource Name (ARN) for the role. For example:." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1768 }, "name": "attrArn", "type": { "primitive": "string" } }, { "docs": { "custom": { "cloudformationAttribute": "RoleId" }, "remarks": "For more information about IDs, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) in the *IAM User Guide* .", "stability": "external", "summary": "Returns the stable and unique string identifying the role. For example, `AIDAJQABLZS4A3QDU576Q` ." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1776 }, "name": "attrRoleId", "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1902 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-tags" }, "remarks": "For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .", "stability": "external", "summary": "A list of tags that are attached to the role." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1865 }, "name": "tags", "type": { "fqn": "@aws-cdk/core.TagManager" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument" }, "remarks": "Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see [Template Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples) . For more information about the elements that you can use in an IAM policy, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide* .", "stability": "external", "summary": "The trust policy that is associated with this role." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1783 }, "name": "assumeRolePolicyDocument", "type": { "primitive": "any" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-description" }, "stability": "external", "summary": "A description of the role that you provide." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1790 }, "name": "description", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-managepolicyarns" }, "remarks": "For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .", "stability": "external", "summary": "A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1799 }, "name": "managedPolicyArns", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-maxsessionduration" }, "remarks": "If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.\n\nAnyone who assumes the role from the or API can use the `DurationSeconds` API parameter or the `duration-seconds` CLI parameter to request a longer session. The `MaxSessionDuration` setting determines the maximum duration that can be requested using the `DurationSeconds` parameter. If users don't specify a value for the `DurationSeconds` parameter, their security credentials are valid for one hour by default. 
This applies when you use the `AssumeRole*` API operations or the `assume-role*` CLI operations but does not apply when you use those operations to create a console URL. For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide* .", "stability": "external", "summary": "The maximum session duration (in seconds) that you want to set for the specified role." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1808 }, "name": "maxSessionDuration", "optional": true, "type": { "primitive": "number" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-path" }, "remarks": "This parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", "stability": "external", "summary": "The path to the role. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* ." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1819 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-permissionsboundary" }, "remarks": "For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide* .", "stability": "external", "summary": "The ARN of the policy used to set the permissions boundary for the role." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1828 }, "name": "permissionsBoundary", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-policies" }, "remarks": "When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role. You can update a role's trust policy later. For more information about IAM roles, go to [Using Roles to Delegate Permissions and Federate Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) .\n\nA role can also have an attached managed policy. 
For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .\n\nFor information about limits on the number of inline policies that you can embed with a role, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .\n\n> If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy` ) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service` ) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that AWS CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.", "stability": "external", "summary": "Adds or updates an inline policy document that is embedded in the specified IAM role." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1843 }, "name": "policies", "optional": true, "type": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "collection": { "elementtype": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "fqn": "@aws-cdk/aws-iam.CfnRole.PolicyProperty" } ] } }, "kind": "array" } } ] } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-rolename" }, "remarks": "For valid values, see the `RoleName` parameter for the [`CreateRole`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) action in the *IAM User Guide* .\n\nThis parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role name must be unique within the account. Role names are not distinguished by case. For example, you cannot create roles named both \"Role1\" and \"role1\".\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the role name.\n\nIf you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .\n\n> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. 
To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{\"Fn::Join\": [\"\", [{\"Ref\": \"AWS::Region\"}, {\"Ref\": \"MyResourceName\"}]]}` .", "stability": "external", "summary": "A name for the IAM role, up to 64 characters in length." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1858 }, "name": "roleName", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnRole" }, "@aws-cdk/aws-iam.CfnRole.PolicyProperty": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html", "exampleMetadata": "fixture=_generated" }, "remarks": "An attached policy is a managed policy that has been attached to a user, group, or role.\n\nFor more information about managed policies, refer to [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .", "stability": "external", "summary": "Contains information about an attached policy.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const policyDocument: any;\nconst policyProperty: iam.CfnRole.PolicyProperty = {\n policyDocument: policyDocument,\n policyName: 'policyName',\n};" }, "fqn": "@aws-cdk/aws-iam.CfnRole.PolicyProperty", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1934 }, "name": "PolicyProperty", "namespace": "CfnRole", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policydocument" }, "stability": "external", "summary": "The policy document." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1940 }, "name": "policyDocument", "type": { "primitive": "any" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policyname" }, "stability": "external", "summary": "The friendly name (not ARN) identifying the policy." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1946 }, "name": "policyName", "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnRole.PolicyProperty" }, "@aws-cdk/aws-iam.CfnRoleProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnRole`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const assumeRolePolicyDocument: any;\ndeclare const policyDocument: any;\nconst cfnRoleProps: iam.CfnRoleProps = {\n assumeRolePolicyDocument: assumeRolePolicyDocument,\n\n // the properties below are optional\n description: 'description',\n managedPolicyArns: ['managedPolicyArns'],\n maxSessionDuration: 123,\n path: 'path',\n permissionsBoundary: 'permissionsBoundary',\n policies: [{\n policyDocument: policyDocument,\n policyName: 'policyName',\n }],\n roleName: 'roleName',\n tags: [{\n key: 'key',\n value: 'value',\n }],\n};" }, "fqn": "@aws-cdk/aws-iam.CfnRoleProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1563 }, "name": "CfnRoleProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": 
"http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument" }, "remarks": "Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see [Template Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples) . For more information about the elements that you can use in an IAM policy, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide* .", "stability": "external", "summary": "The trust policy that is associated with this role." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1570 }, "name": "assumeRolePolicyDocument", "type": { "primitive": "any" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-description" }, "stability": "external", "summary": "A description of the role that you provide." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1577 }, "name": "description", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-managepolicyarns" }, "remarks": "For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .", "stability": "external", "summary": "A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1586 }, "name": "managedPolicyArns", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-maxsessionduration" }, "remarks": "If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.\n\nAnyone who assumes the role from the AWS CLI or API can use the `DurationSeconds` API parameter or the `duration-seconds` CLI parameter to request a longer session. The `MaxSessionDuration` setting determines the maximum duration that can be requested using the `DurationSeconds` parameter. If users don't specify a value for the `DurationSeconds` parameter, their security credentials are valid for one hour by default. This applies when you use the `AssumeRole*` API operations or the `assume-role*` CLI operations but does not apply when you use those operations to create a console URL. For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide* .", "stability": "external", "summary": "The maximum session duration (in seconds) that you want to set for the specified role." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1595 }, "name": "maxSessionDuration", "optional": true, "type": { "primitive": "number" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-path" }, "remarks": "This parameter is optional. 
If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", "stability": "external", "summary": "The path to the role. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* ." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1606 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-permissionsboundary" }, "remarks": "For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide* .", "stability": "external", "summary": "The ARN of the policy used to set the permissions boundary for the role." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1615 }, "name": "permissionsBoundary", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-policies" }, "remarks": "When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role. You can update a role's trust policy later. 
For more information about IAM roles, go to [Using Roles to Delegate Permissions and Federate Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) .\n\nA role can also have an attached managed policy. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .\n\nFor information about limits on the number of inline policies that you can embed with a role, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .\n\n> If an external policy (such as `AWS::IAM::Policy` or `AWS::IAM::ManagedPolicy` ) has a `Ref` to a role and if a resource (such as `AWS::ECS::Service` ) also has a `Ref` to the same role, add a `DependsOn` attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an `AWS::ECS::Service` resource, the `DependsOn` attribute ensures that AWS CloudFormation deletes the `AWS::ECS::Service` resource before deleting its role's policy.", "stability": "external", "summary": "Adds or updates an inline policy document that is embedded in the specified IAM role." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1630 }, "name": "policies", "optional": true, "type": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "collection": { "elementtype": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "fqn": "@aws-cdk/aws-iam.CfnRole.PolicyProperty" } ] } }, "kind": "array" } } ] } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-rolename" }, "remarks": "For valid values, see the `RoleName` parameter for the [`CreateRole`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) action in the *IAM User Guide* .\n\nThis parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role name must be unique within the account. Role names are not distinguished by case. For example, you cannot create roles named both \"Role1\" and \"role1\".\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the role name.\n\nIf you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .\n\n> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. 
To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{\"Fn::Join\": [\"\", [{\"Ref\": \"AWS::Region\"}, {\"Ref\": \"MyResourceName\"}]]}` .", "stability": "external", "summary": "A name for the IAM role, up to 64 characters in length." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1645 }, "name": "roleName", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-tags" }, "remarks": "For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .", "stability": "external", "summary": "A list of tags that are attached to the role." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 1652 }, "name": "tags", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/core.CfnTag" }, "kind": "array" } } } ], "symbolId": "lib/iam.generated:CfnRoleProps" }, "@aws-cdk/aws-iam.CfnSAMLProvider": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::SAMLProvider", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.\n\nThe SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. 
You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS .\n\nWhen you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.\n\n> This operation requires [Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) .\n\nFor more information, see [Enabling SAML 2.0 federated users to access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) and [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide* .", "stability": "external", "summary": "A CloudFormation `AWS::IAM::SAMLProvider`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnSAMLProvider = new iam.CfnSAMLProvider(this, 'MyCfnSAMLProvider', {\n samlMetadataDocument: 'samlMetadataDocument',\n\n // the properties below are optional\n name: 'name',\n tags: [{\n key: 'key',\n value: 'value',\n }],\n});" }, "fqn": "@aws-cdk/aws-iam.CfnSAMLProvider", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::SAMLProvider`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2176 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." }, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." 
}, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." }, "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.CfnSAMLProviderProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2111 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2192 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." }, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2205 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnSAMLProvider", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2115 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "cloudformationAttribute": "Arn" }, "stability": "external", "summary": "Returns the Amazon Resource Name (ARN) for the specified `AWS::IAM::SAMLProvider` resource." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2140 }, "name": "attrArn", "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2197 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-tags" }, "remarks": "Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .\n\n> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.", "stability": "external", "summary": "A list of tags that you want to attach to the new IAM SAML provider." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2167 }, "name": "tags", "type": { "fqn": "@aws-cdk/core.TagManager" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-samlmetadatadocument" }, "remarks": "For more information, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide*", "stability": "external", "summary": "An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. 
You must generate the metadata document using the identity management software that is used as your organization's IdP." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2149 }, "name": "samlMetadataDocument", "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-name" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the provider to create." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2158 }, "name": "name", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnSAMLProvider" }, "@aws-cdk/aws-iam.CfnSAMLProviderProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnSAMLProvider`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnSAMLProviderProps: iam.CfnSAMLProviderProps = {\n samlMetadataDocument: 'samlMetadataDocument',\n\n // the properties below are optional\n name: 'name',\n tags: [{\n key: 'key',\n value: 'value',\n }],\n};" }, "fqn": "@aws-cdk/aws-iam.CfnSAMLProviderProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2011 }, "name": "CfnSAMLProviderProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": 
"http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-samlmetadatadocument" }, "remarks": "For more information, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide*", "stability": "external", "summary": "An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2020 }, "name": "samlMetadataDocument", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-name" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the provider to create." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2029 }, "name": "name", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-tags" }, "remarks": "Each tag consists of a key name and an associated value. 
For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .\n\n> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.", "stability": "external", "summary": "A list of tags that you want to attach to the new IAM SAML provider." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2038 }, "name": "tags", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/core.CfnTag" }, "kind": "array" } } } ], "symbolId": "lib/iam.generated:CfnSAMLProviderProps" }, "@aws-cdk/aws-iam.CfnServerCertificate": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::ServerCertificate", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Uploads a server certificate entity for the AWS account . The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.\n\nWe recommend that you use [AWS Certificate Manager](https://docs.aws.amazon.com/acm/) to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to AWS resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the [AWS Certificate Manager User Guide](https://docs.aws.amazon.com/acm/latest/userguide/) .\n\nFor more information about working with server certificates, see [Working with server certificates](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html) in the *IAM User Guide* . 
This topic includes a list of AWS services that can use the server certificates that you manage with IAM.\n\nFor information about the number of server certificates you can upload, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .\n\n> Because the body of the public key certificate, private key, and the certificate chain can be large, you should use POST rather than GET when calling `UploadServerCertificate` . For information about setting up signatures and authorization through the API, see [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) in the *AWS General Reference* . For general information about using the Query API with IAM, see [Calling the API by making HTTP query requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/programming.html) in the *IAM User Guide* .", "stability": "external", "summary": "A CloudFormation `AWS::IAM::ServerCertificate`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnServerCertificate = new iam.CfnServerCertificate(this, 'MyCfnServerCertificate', /* all optional props */ {\n certificateBody: 'certificateBody',\n certificateChain: 'certificateChain',\n path: 'path',\n privateKey: 'privateKey',\n serverCertificateName: 'serverCertificateName',\n tags: [{\n key: 'key',\n value: 'value',\n }],\n});" }, "fqn": "@aws-cdk/aws-iam.CfnServerCertificate", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::ServerCertificate`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2445 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." }, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." 
}, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." }, "name": "props", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.CfnServerCertificateProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2353 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2463 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." }, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2479 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnServerCertificate", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2357 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "cloudformationAttribute": "Arn" }, "stability": "external", "summary": "Returns the Amazon Resource Name (ARN) for the specified `AWS::IAM::ServerCertificate` resource." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2382 }, "name": "attrArn", "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2468 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-tags" }, "remarks": "For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .", "stability": "external", "summary": "A list of tags that are attached to the server certificate." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2436 }, "name": "tags", "type": { "fqn": "@aws-cdk/core.TagManager" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatebody" }, "stability": "external", "summary": "The contents of the public key certificate." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2389 }, "name": "certificateBody", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatechain" }, "stability": "external", "summary": "The contents of the public key certificate chain." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2396 }, "name": "certificateChain", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-path" }, "remarks": "For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.\n\n> If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the `path` parameter. The path must begin with `/cloudfront` and must include a trailing slash (for example, `/cloudfront/test/` ).", "stability": "external", "summary": "The path for the server certificate." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2407 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-privatekey" }, "remarks": "The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\ u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\ u00FF` )\n- The special characters tab ( `\\ u0009` ), line feed ( `\\ u000A` ), and carriage return ( `\\ u000D` )", "stability": "external", "summary": "The contents of the private key in PEM-encoded format." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2420 }, "name": "privateKey", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-servercertificatename" }, "remarks": "Do not include the path in this value. The name of the certificate cannot contain any spaces.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name for the server certificate." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2429 }, "name": "serverCertificateName", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnServerCertificate" }, "@aws-cdk/aws-iam.CfnServerCertificateProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnServerCertificate`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnServerCertificateProps: iam.CfnServerCertificateProps = {\n certificateBody: 'certificateBody',\n certificateChain: 'certificateChain',\n path: 'path',\n privateKey: 'privateKey',\n serverCertificateName: 'serverCertificateName',\n tags: [{\n key: 'key',\n value: 'value',\n }],\n};" }, "fqn": "@aws-cdk/aws-iam.CfnServerCertificateProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2218 }, "name": "CfnServerCertificateProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatebody" }, "stability": "external", "summary": "The contents of the public key certificate." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2225 }, "name": "certificateBody", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatechain" }, "stability": "external", "summary": "The contents of the public key certificate chain." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2232 }, "name": "certificateChain", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-path" }, "remarks": "For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.\n\n> If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the `path` parameter. The path must begin with `/cloudfront` and must include a trailing slash (for example, `/cloudfront/test/` ).", "stability": "external", "summary": "The path for the server certificate." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2243 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-privatekey" }, "remarks": "The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:\n\n- Any printable ASCII character ranging from the space character ( `\\ u0020` ) through the end of the ASCII character range\n- The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\\ u00FF` )\n- The special characters tab ( `\\ u0009` ), line feed ( `\\ u000A` ), and carriage return ( `\\ u000D` )", "stability": "external", "summary": "The contents of the private key in PEM-encoded format." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2256 }, "name": "privateKey", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-servercertificatename" }, "remarks": "Do not include the path in this value. The name of the certificate cannot contain any spaces.\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name for the server certificate." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2265 }, "name": "serverCertificateName", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-tags" }, "remarks": "For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .", "stability": "external", "summary": "A list of tags that are attached to the server certificate." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2272 }, "name": "tags", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/core.CfnTag" }, "kind": "array" } } } ], "symbolId": "lib/iam.generated:CfnServerCertificateProps" }, "@aws-cdk/aws-iam.CfnServiceLinkedRole": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::ServiceLinkedRole", "exampleMetadata": "infused", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html" }, "example": "const slr = new iam.CfnServiceLinkedRole(this, 'ElasticSLR', {\n awsServiceName: 'es.amazonaws.com',\n});", "remarks": "Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state. Allowing the service to control the role helps improve service stability and proper cleanup when a service and its role are no longer needed. 
For more information, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the *IAM User Guide* .\n\nTo attach a policy to this service-linked role, you must make the request using the AWS service that depends on this role.", "stability": "external", "summary": "A CloudFormation `AWS::IAM::ServiceLinkedRole`." }, "fqn": "@aws-cdk/aws-iam.CfnServiceLinkedRole", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::ServiceLinkedRole`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2641 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." }, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." }, "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.CfnServiceLinkedRoleProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2584 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2656 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." 
}, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2669 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnServiceLinkedRole", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2588 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2661 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-awsservicename" }, "remarks": "You use a string similar to a URL but without the http:// in front. For example: `elasticbeanstalk.amazonaws.com` .\n\nService principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* . Look for the services that have *Yes* in the *Service-Linked Role* column. 
Choose the *Yes* link to view the service-linked role documentation for that service.", "stability": "external", "summary": "The service principal for the AWS service to which this role is attached." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2616 }, "name": "awsServiceName", "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-customsuffix" }, "remarks": "If you make multiple requests for the same service, then you must supply a different `CustomSuffix` for each request. Otherwise the request fails with a duplicate role name error. For example, you could add `-1` or `-debug` to the suffix.\n\nSome services do not support the `CustomSuffix` parameter. If you provide an optional suffix and the operation fails, try the operation again without the suffix.", "stability": "external", "summary": "A string that you provide, which is combined with the service-provided prefix to form the complete role name." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2625 }, "name": "customSuffix", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-description" }, "stability": "external", "summary": "The description of the role." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2632 }, "name": "description", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnServiceLinkedRole" }, "@aws-cdk/aws-iam.CfnServiceLinkedRoleProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "infused", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html" }, "example": "const slr = new iam.CfnServiceLinkedRole(this, 'ElasticSLR', {\n awsServiceName: 'es.amazonaws.com',\n});", "stability": "external", "summary": "Properties for defining a `CfnServiceLinkedRole`." }, "fqn": "@aws-cdk/aws-iam.CfnServiceLinkedRoleProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2492 }, "name": "CfnServiceLinkedRoleProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-awsservicename" }, "remarks": "You use a string similar to a URL but without the http:// in front. For example: `elasticbeanstalk.amazonaws.com` .\n\nService principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* . Look for the services that have *Yes* in the *Service-Linked Role* column. Choose the *Yes* link to view the service-linked role documentation for that service.", "stability": "external", "summary": "The service principal for the AWS service to which this role is attached." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2501 }, "name": "awsServiceName", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-customsuffix" }, "remarks": "If you make multiple requests for the same service, then you must supply a different `CustomSuffix` for each request. Otherwise the request fails with a duplicate role name error. For example, you could add `-1` or `-debug` to the suffix.\n\nSome services do not support the `CustomSuffix` parameter. If you provide an optional suffix and the operation fails, try the operation again without the suffix.", "stability": "external", "summary": "A string that you provide, which is combined with the service-provided prefix to form the complete role name." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2510 }, "name": "customSuffix", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-description" }, "stability": "external", "summary": "The description of the role." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2517 }, "name": "description", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnServiceLinkedRoleProps" }, "@aws-cdk/aws-iam.CfnUser": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::User", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Creates a new IAM user for your AWS account .\n\nFor information about quotas for the number of IAM users you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .", "stability": "external", "summary": "A CloudFormation `AWS::IAM::User`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const policyDocument: any;\nconst cfnUser = new iam.CfnUser(this, 'MyCfnUser', /* all optional props */ {\n groups: ['groups'],\n loginProfile: {\n password: 'password',\n\n // the properties below are optional\n passwordResetRequired: false,\n },\n managedPolicyArns: ['managedPolicyArns'],\n path: 'path',\n permissionsBoundary: 'permissionsBoundary',\n policies: [{\n policyDocument: policyDocument,\n policyName: 'policyName',\n }],\n tags: [{\n key: 'key',\n value: 'value',\n }],\n userName: 'userName',\n});" }, "fqn": "@aws-cdk/aws-iam.CfnUser", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::User`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2961 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." 
}, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." }, "name": "props", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.CfnUserProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2843 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2981 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." }, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2999 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnUser", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2847 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "cloudformationAttribute": "Arn" }, "remarks": "For example: `arn:aws:iam::123456789012:user/mystack-myuser-1CCXAFG2H2U4D` .", "stability": "external", "summary": "Returns the Amazon Resource Name (ARN) for the specified `AWS::IAM::User` resource." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2872 }, "name": "attrArn", "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2986 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-tags" }, "remarks": "Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .\n\n> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.", "stability": "external", "summary": "A list of tags that you want to attach to the new user." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2937 }, "name": "tags", "type": { "fqn": "@aws-cdk/core.TagManager" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-groups" }, "stability": "external", "summary": "A list of group names to which you want to add the user." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2879 }, "name": "groups", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-loginprofile" }, "remarks": "A password allows an IAM user to access AWS services through the AWS Management Console .\n\nYou can use the AWS CLI , the AWS API, or the *Users* page in the IAM console to create a password for any IAM user. Use [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) to update your own existing password in the *My Security Credentials* page in the AWS Management Console .\n\nFor more information about managing passwords, see [Managing passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide* .", "stability": "external", "summary": "Creates a password for the specified IAM user." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2890 }, "name": "loginProfile", "optional": true, "type": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "fqn": "@aws-cdk/aws-iam.CfnUser.LoginProfileProperty" } ] } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-managepolicyarns" }, "remarks": "For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .", "stability": "external", "summary": "A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2899 }, "name": "managedPolicyArns", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-path" }, "remarks": "For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", "stability": "external", "summary": "The path for the user name." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2910 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-permissionsboundary" }, "stability": "external", "summary": "The ARN of the policy that is used to set the permissions boundary for the user." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2917 }, "name": "permissionsBoundary", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-policies" }, "remarks": "To view AWS::IAM::User snippets, see [Declaring an IAM User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user) .\n\n> The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.\n\nFor information about limits on the number of inline policies that you can embed in a user, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .", "stability": "external", "summary": "Adds or updates an inline policy document that is embedded in the specified IAM user." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2928 }, "name": "policies", "optional": true, "type": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "collection": { "elementtype": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "fqn": "@aws-cdk/aws-iam.CfnUser.PolicyProperty" } ] } }, "kind": "array" } } ] } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-username" }, "remarks": "This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The user name must be unique within the account. User names are not distinguished by case. 
For example, you cannot create users named both \"John\" and \"john\".\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name.\n\nIf you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .\n\n> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{\"Fn::Join\": [\"\", [{\"Ref\": \"AWS::Region\"}, {\"Ref\": \"MyResourceName\"}]]}` .", "stability": "external", "summary": "The name of the user to create. Do not include the path in this value." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2952 }, "name": "userName", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnUser" }, "@aws-cdk/aws-iam.CfnUser.LoginProfileProperty": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html", "exampleMetadata": "fixture=_generated" }, "remarks": "For more information about managing passwords, see [Managing Passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide* .", "stability": "external", "summary": "Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console .", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst loginProfileProperty: 
iam.CfnUser.LoginProfileProperty = {\n password: 'password',\n\n // the properties below are optional\n passwordResetRequired: false,\n};" }, "fqn": "@aws-cdk/aws-iam.CfnUser.LoginProfileProperty", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3013 }, "name": "LoginProfileProperty", "namespace": "CfnUser", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html#cfn-iam-user-loginprofile-password" }, "stability": "external", "summary": "The user's password." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3019 }, "name": "password", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html#cfn-iam-user-loginprofile-passwordresetrequired" }, "stability": "external", "summary": "Specifies whether the user is required to set a new password on next sign-in." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3025 }, "name": "passwordResetRequired", "optional": true, "type": { "union": { "types": [ { "primitive": "boolean" }, { "fqn": "@aws-cdk/core.IResolvable" } ] } } } ], "symbolId": "lib/iam.generated:CfnUser.LoginProfileProperty" }, "@aws-cdk/aws-iam.CfnUser.PolicyProperty": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html", "exampleMetadata": "fixture=_generated" }, "remarks": "An attached policy is a managed policy that has been attached to a user, group, or role.\n\nFor more information about managed policies, refer to [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .", "stability": "external", "summary": "Contains information about an attached policy.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const policyDocument: any;\nconst policyProperty: iam.CfnUser.PolicyProperty = {\n policyDocument: policyDocument,\n policyName: 'policyName',\n};" }, "fqn": "@aws-cdk/aws-iam.CfnUser.PolicyProperty", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3094 }, "name": "PolicyProperty", "namespace": "CfnUser", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policydocument" }, "stability": "external", "summary": "The policy document." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3100 }, "name": "policyDocument", "type": { "primitive": "any" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policyname" }, "stability": "external", "summary": "The friendly name (not ARN) identifying the policy." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3106 }, "name": "policyName", "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnUser.PolicyProperty" }, "@aws-cdk/aws-iam.CfnUserProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnUser`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const policyDocument: any;\nconst cfnUserProps: iam.CfnUserProps = {\n groups: ['groups'],\n loginProfile: {\n password: 'password',\n\n // the properties below are optional\n passwordResetRequired: false,\n },\n managedPolicyArns: ['managedPolicyArns'],\n path: 'path',\n permissionsBoundary: 'permissionsBoundary',\n policies: [{\n policyDocument: policyDocument,\n policyName: 'policyName',\n }],\n tags: [{\n key: 'key',\n value: 'value',\n }],\n userName: 'userName',\n};" }, "fqn": "@aws-cdk/aws-iam.CfnUserProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2682 }, "name": "CfnUserProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-groups" }, "stability": "external", 
"summary": "A list of group names to which you want to add the user." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2689 }, "name": "groups", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-loginprofile" }, "remarks": "A password allows an IAM user to access AWS services through the AWS Management Console .\n\nYou can use the AWS CLI , the AWS API, or the *Users* page in the IAM console to create a password for any IAM user. Use [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) to update your own existing password in the *My Security Credentials* page in the AWS Management Console .\n\nFor more information about managing passwords, see [Managing passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide* .", "stability": "external", "summary": "Creates a password for the specified IAM user." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2700 }, "name": "loginProfile", "optional": true, "type": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "fqn": "@aws-cdk/aws-iam.CfnUser.LoginProfileProperty" } ] } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-managepolicyarns" }, "remarks": "For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .", "stability": "external", "summary": "A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2709 }, "name": "managedPolicyArns", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-path" }, "remarks": "For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", "stability": "external", "summary": "The path for the user name." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2720 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-permissionsboundary" }, "stability": "external", "summary": "The ARN of the policy that is used to set the permissions boundary for the user." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2727 }, "name": "permissionsBoundary", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-policies" }, "remarks": "To view AWS::IAM::User snippets, see [Declaring an IAM User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user) .\n\n> The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.\n\nFor information about limits on the number of inline policies that you can embed in a user, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .", "stability": "external", "summary": "Adds or updates an inline policy document that is embedded in the specified IAM user." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2738 }, "name": "policies", "optional": true, "type": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "collection": { "elementtype": { "union": { "types": [ { "fqn": "@aws-cdk/core.IResolvable" }, { "fqn": "@aws-cdk/aws-iam.CfnUser.PolicyProperty" } ] } }, "kind": "array" } } ] } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-tags" }, "remarks": "Each tag consists of a key name and an associated value. 
For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .\n\n> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.", "stability": "external", "summary": "A list of tags that you want to attach to the new user." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2747 }, "name": "tags", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/core.CfnTag" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-username" }, "remarks": "This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both \"John\" and \"john\".\n\nIf you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name.\n\nIf you specify a name, you must specify the `CAPABILITY_NAMED_IAM` value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .\n\n> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. 
To prevent this, we recommend using `Fn::Join` and `AWS::Region` to create a Region-specific name, as in the following example: `{\"Fn::Join\": [\"\", [{\"Ref\": \"AWS::Region\"}, {\"Ref\": \"MyResourceName\"}]]}` .", "stability": "external", "summary": "The name of the user to create. Do not include the path in this value." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 2762 }, "name": "userName", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnUserProps" }, "@aws-cdk/aws-iam.CfnUserToGroupAddition": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::UserToGroupAddition", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Adds the specified user to the specified group.", "stability": "external", "summary": "A CloudFormation `AWS::IAM::UserToGroupAddition`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnUserToGroupAddition = new iam.CfnUserToGroupAddition(this, 'MyCfnUserToGroupAddition', {\n groupName: 'groupName',\n users: ['users'],\n});" }, "fqn": "@aws-cdk/aws-iam.CfnUserToGroupAddition", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::UserToGroupAddition`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3298 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." }, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." 
}, "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.CfnUserToGroupAdditionProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3250 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3313 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." }, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3325 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnUserToGroupAddition", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3254 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3318 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-groupname" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the group to update." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3282 }, "name": "groupName", "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-users" }, "stability": "external", "summary": "A list of the names of the users that you want to add to the group." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3289 }, "name": "users", "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } ], "symbolId": "lib/iam.generated:CfnUserToGroupAddition" }, "@aws-cdk/aws-iam.CfnUserToGroupAdditionProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnUserToGroupAddition`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnUserToGroupAdditionProps: iam.CfnUserToGroupAdditionProps = {\n groupName: 'groupName',\n users: ['users'],\n};" }, "fqn": "@aws-cdk/aws-iam.CfnUserToGroupAdditionProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3171 }, "name": "CfnUserToGroupAdditionProps", "properties": [ { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-groupname" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the group to update." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3180 }, "name": "groupName", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-users" }, "stability": "external", "summary": "A list of the names of the users that you want to add to the group." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3187 }, "name": "users", "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } ], "symbolId": "lib/iam.generated:CfnUserToGroupAdditionProps" }, "@aws-cdk/aws-iam.CfnVirtualMFADevice": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.CfnResource", "docs": { "custom": { "cloudformationResource": "AWS::IAM::VirtualMFADevice", "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html", "exampleMetadata": "fixture=_generated" }, "remarks": "Creates a new virtual MFA device for the AWS account . After creating the virtual MFA, use [EnableMFADevice](https://docs.aws.amazon.com/IAM/latest/APIReference/API_EnableMFADevice.html) to attach the MFA device to an IAM user. For more information about creating and working with virtual MFA devices, see [Using a virtual MFA device](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_VirtualMFA.html) in the *IAM User Guide* .\n\nFor information about the maximum number of MFA devices you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .\n\n> The seed information contained in the QR code and the Base32 string should be treated like any other secret access information. In other words, protect the seed information as you would your AWS access keys or your passwords. 
After you provision your virtual device, you should ensure that the information is destroyed following secure procedures.", "stability": "external", "summary": "A CloudFormation `AWS::IAM::VirtualMFADevice`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnVirtualMFADevice = new iam.CfnVirtualMFADevice(this, 'MyCfnVirtualMFADevice', {\n users: ['users'],\n\n // the properties below are optional\n path: 'path',\n tags: [{\n key: 'key',\n value: 'value',\n }],\n virtualMfaDeviceName: 'virtualMfaDeviceName',\n});" }, "fqn": "@aws-cdk/aws-iam.CfnVirtualMFADevice", "initializer": { "docs": { "stability": "external", "summary": "Create a new `AWS::IAM::VirtualMFADevice`." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3520 }, "parameters": [ { "docs": { "summary": "- scope in which this resource is defined." }, "name": "scope", "type": { "fqn": "@aws-cdk/core.Construct" } }, { "docs": { "summary": "- scoped id of the resource." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "- resource properties." }, "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.CfnVirtualMFADeviceProps" } } ] }, "interfaces": [ "@aws-cdk/core.IInspectable" ], "kind": "class", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3446 }, "methods": [ { "docs": { "stability": "external", "summary": "Examines the CloudFormation resource and discloses attributes." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3537 }, "name": "inspect", "overrides": "@aws-cdk/core.IInspectable", "parameters": [ { "docs": { "summary": "- tree inspector to collect and process attributes." 
}, "name": "inspector", "type": { "fqn": "@aws-cdk/core.TreeInspector" } } ] }, { "docs": { "stability": "external" }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3551 }, "name": "renderProperties", "overrides": "@aws-cdk/core.CfnResource", "parameters": [ { "name": "props", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } } ], "name": "CfnVirtualMFADevice", "properties": [ { "const": true, "docs": { "stability": "external", "summary": "The CloudFormation resource type name for this resource class." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3450 }, "name": "CFN_RESOURCE_TYPE_NAME", "static": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "cloudformationAttribute": "SerialNumber" }, "stability": "external", "summary": "Returns the serial number for the specified `AWS::IAM::VirtualMFADevice` resource." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3475 }, "name": "attrSerialNumber", "type": { "primitive": "string" } }, { "docs": { "stability": "external" }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3542 }, "name": "cfnProperties", "overrides": "@aws-cdk/core.CfnResource", "protected": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-tags" }, "remarks": "Each tag consists of a key name and an associated value. 
For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .\n\n> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.", "stability": "external", "summary": "A list of tags that you want to attach to the new IAM virtual MFA device." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3502 }, "name": "tags", "type": { "fqn": "@aws-cdk/core.TagManager" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-users" }, "stability": "external", "summary": "The IAM user associated with this virtual MFA device." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3482 }, "name": "users", "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-path" }, "remarks": "For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", "stability": "external", "summary": "The path for the virtual MFA device." 
}, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3493 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-virtualmfadevicename" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the virtual MFA device. Use with path to uniquely identify a virtual MFA device." }, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3511 }, "name": "virtualMfaDeviceName", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnVirtualMFADevice" }, "@aws-cdk/aws-iam.CfnVirtualMFADeviceProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html", "exampleMetadata": "fixture=_generated" }, "stability": "external", "summary": "Properties for defining a `CfnVirtualMFADevice`.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnVirtualMFADeviceProps: iam.CfnVirtualMFADeviceProps = {\n users: ['users'],\n\n // the properties below are optional\n path: 'path',\n tags: [{\n key: 'key',\n value: 'value',\n }],\n virtualMfaDeviceName: 'virtualMfaDeviceName',\n};" }, "fqn": "@aws-cdk/aws-iam.CfnVirtualMFADeviceProps", "kind": "interface", "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3338 }, "name": "CfnVirtualMFADeviceProps", "properties": [ { "abstract": true, "docs": { "custom": { 
"link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-users" }, "stability": "external", "summary": "The IAM user associated with this virtual MFA device." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3345 }, "name": "users", "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-path" }, "remarks": "For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .\n\nThis parameter is optional. If it is not included, it defaults to a slash (/).\n\nThis parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( `\\ u0021` ) through the DEL character ( `\\ u007F` ), including most punctuation characters, digits, and upper and lowercased letters.", "stability": "external", "summary": "The path for the virtual MFA device." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3356 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-tags" }, "remarks": "Each tag consists of a key name and an associated value. 
For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .\n\n> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.", "stability": "external", "summary": "A list of tags that you want to attach to the new IAM virtual MFA device." }, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3365 }, "name": "tags", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/core.CfnTag" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-virtualmfadevicename" }, "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-", "stability": "external", "summary": "The name of the virtual MFA device. Use with path to uniquely identify a virtual MFA device." 
}, "immutable": true, "locationInModule": { "filename": "lib/iam.generated.ts", "line": 3374 }, "name": "virtualMfaDeviceName", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/iam.generated:CfnVirtualMFADeviceProps" }, "@aws-cdk/aws-iam.CommonGrantOptions": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "stability": "stable", "summary": "Basic options for a grant operation.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const grantable: iam.IGrantable;\nconst commonGrantOptions: iam.CommonGrantOptions = {\n actions: ['actions'],\n grantee: grantable,\n resourceArns: ['resourceArns'],\n};", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.CommonGrantOptions", "kind": "interface", "locationInModule": { "filename": "lib/grant.ts", "line": 9 }, "name": "CommonGrantOptions", "properties": [ { "abstract": true, "docs": { "stability": "stable", "summary": "The actions to grant." }, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 20 }, "name": "actions", "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "if principal is undefined, no work is done.", "stability": "stable", "summary": "The principal to grant to." }, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 15 }, "name": "grantee", "type": { "fqn": "@aws-cdk/aws-iam.IGrantable" } }, { "abstract": true, "docs": { "stability": "stable", "summary": "The resource ARNs to grant to." 
}, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 25 }, "name": "resourceArns", "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } ], "symbolId": "lib/grant:CommonGrantOptions" }, "@aws-cdk/aws-iam.CompositeDependable": { "assembly": "@aws-cdk/aws-iam", "docs": { "remarks": "Not as simple as eagerly getting the dependency roots from the\ninner dependables, as they may be mutable so we need to defer\nthe query.", "stability": "stable", "summary": "Composite dependable.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nimport * as cdk from '@aws-cdk/core';\n\ndeclare const dependable: cdk.IDependable;\nconst compositeDependable = new iam.CompositeDependable(dependable);", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.CompositeDependable", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/grant.ts", "line": 339 }, "parameters": [ { "name": "dependables", "type": { "fqn": "@aws-cdk/core.IDependable" }, "variadic": true } ], "variadic": true }, "interfaces": [ "@aws-cdk/core.IDependable" ], "kind": "class", "locationInModule": { "filename": "lib/grant.ts", "line": 338 }, "name": "CompositeDependable", "symbolId": "lib/grant:CompositeDependable" }, "@aws-cdk/aws-iam.CompositePrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.PrincipalBase", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const role = new iam.Role(this, 'MyRole', {\n assumedBy: new iam.CompositePrincipal(\n new iam.ServicePrincipal('ec2.amazonaws.com'),\n new iam.AccountPrincipal('1818188181818187272')\n ),\n});", "remarks": "A composite principal cannot\nhave conditions. i.e. 
multiple ServicePrincipals that form a composite principal", "stability": "stable", "summary": "Represents a principal that has multiple types of principals." }, "fqn": "@aws-cdk/aws-iam.CompositePrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 692 }, "parameters": [ { "name": "principals", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" }, "variadic": true } ], "variadic": true }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 688 }, "methods": [ { "docs": { "remarks": "Composite principals cannot have\nconditions.", "stability": "stable", "summary": "Adds IAM principals to the composite principal." }, "locationInModule": { "filename": "lib/principals.ts", "line": 707 }, "name": "addPrincipals", "parameters": [ { "docs": { "summary": "IAM principals that will be added to the composite principal." }, "name": "principals", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" }, "variadic": true } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.CompositePrincipal" } }, "variadic": true }, { "docs": { "remarks": "Add the statements to the AssumeRolePolicyDocument necessary to give this principal\npermissions to assume the given role.", "stability": "stable", "summary": "Add the princpial to the AssumeRolePolicyDocument." }, "locationInModule": { "filename": "lib/principals.ts", "line": 712 }, "name": "addToAssumeRolePolicy", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "parameters": [ { "name": "doc", "type": { "fqn": "@aws-cdk/aws-iam.PolicyDocument" } } ] }, { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 739 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "returns": { "type": { "primitive": "string" } } } ], "name": "CompositePrincipal", "properties": [ { "docs": { "stability": "stable", "summary": "When this Principal is used in an AssumeRole policy, the action to use." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 689 }, "name": "assumeRoleAction", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 718 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } } ], "symbolId": "lib/principals:CompositePrincipal" }, "@aws-cdk/aws-iam.Effect": { "assembly": "@aws-cdk/aws-iam", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "declare const books: apigateway.Resource;\ndeclare const iamUser: iam.User;\n\nconst getBooks = books.addMethod('GET', new apigateway.HttpIntegration('http://amazon.com'), {\n authorizationType: apigateway.AuthorizationType.IAM\n});\n\niamUser.attachInlinePolicy(new iam.Policy(this, 'AllowBooks', {\n statements: [\n new iam.PolicyStatement({\n actions: [ 'execute-api:Invoke' ],\n effect: iam.Effect.ALLOW,\n resources: [ getBooks.methodArn ]\n })\n ]\n}))", "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html", "stability": "stable", "summary": "The Effect element of an IAM policy." 
}, "fqn": "@aws-cdk/aws-iam.Effect", "kind": "enum", "locationInModule": { "filename": "lib/policy-statement.ts", "line": 485 }, "members": [ { "docs": { "remarks": "By default, access to resources are denied.", "stability": "stable", "summary": "Allows access to a resource in an IAM policy statement." }, "name": "ALLOW" }, { "docs": { "remarks": "By default, all requests are denied implicitly.", "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html", "stability": "stable", "summary": "Explicitly deny access to a resource." }, "name": "DENY" } ], "name": "Effect", "symbolId": "lib/policy-statement:Effect" }, "@aws-cdk/aws-iam.FederatedPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.PrincipalBase", "docs": { "remarks": "Additional condition keys are available when the temporary security credentials are used to make a request.\nYou can use these keys to write policies that limit the access of federated users.", "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif", "stability": "stable", "summary": "Principal entity that represents a federated identity provider such as Amazon Cognito, that can be used to provide temporary security credentials to users who have been authenticated.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const conditions: any;\nconst federatedPrincipal = new iam.FederatedPrincipal('federated', {\n conditionsKey: conditions,\n}, /* all optional props */ 'assumeRoleAction');", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.FederatedPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 525 }, "parameters": [ { "docs": { "summary": "federated identity provider (i.e. 
'cognito-identity.amazonaws.com' for users authenticated through Cognito)." }, "name": "federated", "type": { "primitive": "string" } }, { "docs": { "remarks": "See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).", "summary": "The conditions under which the policy is in effect." }, "name": "conditions", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "name": "assumeRoleAction", "optional": true, "type": { "primitive": "string" } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 515 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." }, "locationInModule": { "filename": "lib/principals.ts", "line": 538 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "returns": { "type": { "primitive": "string" } } } ], "name": "FederatedPrincipal", "properties": [ { "docs": { "stability": "stable", "summary": "When this Principal is used in an AssumeRole policy, the action to use." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 516 }, "name": "assumeRoleAction", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "primitive": "string" } }, { "docs": { "remarks": "See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).", "stability": "stable", "summary": "The conditions under which the policy is in effect." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 527 }, "name": "conditions", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "stability": "stable", "summary": "federated identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 526 }, "name": "federated", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 534 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } } ], "symbolId": "lib/principals:FederatedPrincipal" }, "@aws-cdk/aws-iam.FromRoleArnOptions": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const role = iam.Role.fromRoleArn(this, 'Role', 'arn:aws:iam::123456789012:role/MyExistingRole', {\n // Set 'mutable' to 'false' to use the role as-is and prevent adding new\n // policies to it. The default is 'true', which means the role may be\n // modified as part of the deployment.\n mutable: false,\n});", "stability": "stable", "summary": "Options allowing customizing the behavior of {@link Role.fromRoleArn}." }, "fqn": "@aws-cdk/aws-iam.FromRoleArnOptions", "kind": "interface", "locationInModule": { "filename": "lib/role.ts", "line": 143 }, "name": "FromRoleArnOptions", "properties": [ { "abstract": true, "docs": { "default": "false", "remarks": "If this is `false` or not specified, grant permissions added to this role are ignored.\nIt is your own responsibility to make sure the role has the required permissions.\n\nIf this is `true`, any grant permissions will be added to the resource instead.", "stability": "stable", "summary": "For immutable roles: add grants to resources instead of dropping them." 
}, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 161 }, "name": "addGrantsToResources", "optional": true, "type": { "primitive": "boolean" } }, { "abstract": true, "docs": { "default": "true", "stability": "stable", "summary": "Whether the imported role can be modified by attaching policy resources to it." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 149 }, "name": "mutable", "optional": true, "type": { "primitive": "boolean" } } ], "symbolId": "lib/role:FromRoleArnOptions" }, "@aws-cdk/aws-iam.Grant": { "assembly": "@aws-cdk/aws-iam", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "declare const instance: ec2.Instance;\ndeclare const volume: ec2.Volume;\n\nconst attachGrant = volume.grantAttachVolumeByResourceTag(instance.grantPrincipal, [instance]);\nconst detachGrant = volume.grantDetachVolumeByResourceTag(instance.grantPrincipal, [instance]);", "remarks": "This class is not instantiable by consumers on purpose, so that they will be\nrequired to call the Grant factory functions.", "stability": "stable", "summary": "Result of a grant() operation." }, "fqn": "@aws-cdk/aws-iam.Grant", "interfaces": [ "@aws-cdk/core.IDependable" ], "kind": "class", "locationInModule": { "filename": "lib/grant.ts", "line": 99 }, "methods": [ { "docs": { "remarks": "Absence of a principal leads to a warning, but failing to add\nthe permissions to a present principal is not an error.", "stability": "stable", "summary": "Try to grant the given permissions to the given principal." 
}, "locationInModule": { "filename": "lib/grant.ts", "line": 158 }, "name": "addToPrincipal", "parameters": [ { "name": "options", "type": { "fqn": "@aws-cdk/aws-iam.GrantOnPrincipalOptions" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.Grant" } }, "static": true }, { "docs": { "remarks": "As long as any principal is given, granting on the principal may fail (in\ncase of a non-identity principal), but granting on the resource will\nnever fail.\n\nStatement will be the resource statement.", "stability": "stable", "summary": "Add a grant both on the principal and on the resource." }, "locationInModule": { "filename": "lib/grant.ts", "line": 185 }, "name": "addToPrincipalAndResource", "parameters": [ { "name": "options", "type": { "fqn": "@aws-cdk/aws-iam.GrantOnPrincipalAndResourceOptions" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.Grant" } }, "static": true }, { "docs": { "remarks": "The permissions will be added to the principal policy primarily, falling\nback to the resource policy if necessary. The permissions must be granted\nsomewhere.\n\n- Trying to grant permissions to a principal that does not admit adding to\n the principal policy while not providing a resource with a resource policy\n is an error.\n- Trying to grant permissions to an absent principal (possible in the\n case of imported resources) leads to a warning being added to the\n resource construct.", "stability": "stable", "summary": "Grant the given permissions to the principal." }, "locationInModule": { "filename": "lib/grant.ts", "line": 114 }, "name": "addToPrincipalOrResource", "parameters": [ { "name": "options", "type": { "fqn": "@aws-cdk/aws-iam.GrantWithResourceOptions" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.Grant" } }, "static": true }, { "docs": { "remarks": "This can be used for e.g. 
imported resources where you may not be able to modify\nthe resource's policy or some underlying policy which you don't know about.", "stability": "stable", "summary": "Returns a \"no-op\" `Grant` object which represents a \"dropped grant\"." }, "locationInModule": { "filename": "lib/grant.ts", "line": 217 }, "name": "drop", "parameters": [ { "docs": { "summary": "The intended grantee." }, "name": "grantee", "type": { "fqn": "@aws-cdk/aws-iam.IGrantable" } }, { "docs": { "summary": "The user's intent (will be ignored at the moment)." }, "name": "_intent", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.Grant" } }, "static": true }, { "docs": { "remarks": "The same as construct.node.addDependency(grant), but slightly nicer to read.", "stability": "stable", "summary": "Make sure this grant is applied before the given constructs are deployed." }, "locationInModule": { "filename": "lib/grant.ts", "line": 279 }, "name": "applyBefore", "parameters": [ { "name": "constructs", "type": { "fqn": "@aws-cdk/core.IConstruct" }, "variadic": true } ], "variadic": true }, { "docs": { "stability": "stable", "summary": "Throw an error if this grant wasn't successful." }, "locationInModule": { "filename": "lib/grant.ts", "line": 267 }, "name": "assertSuccess" } ], "name": "Grant", "properties": [ { "docs": { "stability": "stable", "summary": "Whether the grant operation was successful." }, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 260 }, "name": "success", "type": { "primitive": "boolean" } }, { "docs": { "remarks": "Can be accessed to (e.g.) add additional conditions to the statement.", "stability": "stable", "summary": "The statement that was added to the principal's policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 228 }, "name": "principalStatement", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } }, { "docs": { "remarks": "Can be accessed to (e.g.) add additional conditions to the statement.", "stability": "stable", "summary": "The statement that was added to the resource policy." }, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 235 }, "name": "resourceStatement", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "symbolId": "lib/grant:Grant" }, "@aws-cdk/aws-iam.GrantOnPrincipalAndResourceOptions": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "stability": "stable", "summary": "Options for a grant operation to both identity and resource.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const grantable: iam.IGrantable;\ndeclare const principal: iam.IPrincipal;\ndeclare const resourceWithPolicy: iam.IResourceWithPolicy;\nconst grantOnPrincipalAndResourceOptions: iam.GrantOnPrincipalAndResourceOptions = {\n actions: ['actions'],\n grantee: grantable,\n resource: resourceWithPolicy,\n resourceArns: ['resourceArns'],\n\n // the properties below are optional\n resourcePolicyPrincipal: principal,\n resourceSelfArns: ['resourceSelfArns'],\n};", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.GrantOnPrincipalAndResourceOptions", "interfaces": [ "@aws-cdk/aws-iam.CommonGrantOptions" ], "kind": "interface", "locationInModule": { "filename": "lib/grant.ts", "line": 68 }, "name": "GrantOnPrincipalAndResourceOptions", "properties": [ { "abstract": true, "docs": { "remarks": "The statement will always be added to the resource policy.", "stability": "stable", "summary": "The resource with a resource policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 74 }, "name": "resource", "type": { "fqn": "@aws-cdk/aws-iam.IResourceWithPolicy" } }, { "abstract": true, "docs": { "default": "- the principal of the grantee will be used", "stability": "stable", "summary": "The principal to use in the statement for the resource policy." }, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 90 }, "name": "resourcePolicyPrincipal", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "abstract": true, "docs": { "default": "Same as regular resource ARNs", "remarks": "(Depending on the resource type, this needs to be '*' in a resource policy).", "stability": "stable", "summary": "When referring to the resource in a resource policy, use this as ARN." }, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 83 }, "name": "resourceSelfArns", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } ], "symbolId": "lib/grant:GrantOnPrincipalAndResourceOptions" }, "@aws-cdk/aws-iam.GrantOnPrincipalOptions": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "stability": "stable", "summary": "Options for a grant operation that only applies to principals.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nimport * as cdk from '@aws-cdk/core';\n\ndeclare const construct: cdk.Construct;\ndeclare const grantable: iam.IGrantable;\nconst grantOnPrincipalOptions: iam.GrantOnPrincipalOptions = {\n actions: ['actions'],\n grantee: grantable,\n resourceArns: ['resourceArns'],\n\n // the properties below are optional\n scope: construct,\n};", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.GrantOnPrincipalOptions", "interfaces": [ "@aws-cdk/aws-iam.CommonGrantOptions" ], "kind": 
"interface", "locationInModule": { "filename": "lib/grant.ts", "line": 55 }, "name": "GrantOnPrincipalOptions", "properties": [ { "abstract": true, "docs": { "default": "- the construct in which this construct is defined", "stability": "stable", "summary": "Construct to report warnings on in case grant could not be registered." }, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 61 }, "name": "scope", "optional": true, "type": { "fqn": "@aws-cdk/core.IConstruct" } } ], "symbolId": "lib/grant:GrantOnPrincipalOptions" }, "@aws-cdk/aws-iam.GrantWithResourceOptions": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "stability": "stable", "summary": "Options for a grant operation.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const grantable: iam.IGrantable;\ndeclare const resourceWithPolicy: iam.IResourceWithPolicy;\nconst grantWithResourceOptions: iam.GrantWithResourceOptions = {\n actions: ['actions'],\n grantee: grantable,\n resource: resourceWithPolicy,\n resourceArns: ['resourceArns'],\n\n // the properties below are optional\n resourceSelfArns: ['resourceSelfArns'],\n};", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.GrantWithResourceOptions", "interfaces": [ "@aws-cdk/aws-iam.CommonGrantOptions" ], "kind": "interface", "locationInModule": { "filename": "lib/grant.ts", "line": 32 }, "name": "GrantWithResourceOptions", "properties": [ { "abstract": true, "docs": { "remarks": "The statement will be added to the resource policy if it couldn't be\nadded to the principal policy.", "stability": "stable", "summary": "The resource with a resource policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 39 }, "name": "resource", "type": { "fqn": "@aws-cdk/aws-iam.IResourceWithPolicy" } }, { "abstract": true, "docs": { "default": "Same as regular resource ARNs", "remarks": "(Depending on the resource type, this needs to be '*' in a resource policy).", "stability": "stable", "summary": "When referring to the resource in a resource policy, use this as ARN." }, "immutable": true, "locationInModule": { "filename": "lib/grant.ts", "line": 48 }, "name": "resourceSelfArns", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } ], "symbolId": "lib/grant:GrantWithResourceOptions" }, "@aws-cdk/aws-iam.Group": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.Resource", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const user = new iam.User(this, 'MyUser'); // or User.fromUserName(stack, 'User', 'johnsmith');\nconst group = new iam.Group(this, 'MyGroup'); // or Group.fromGroupArn(stack, 'Group', 'arn:aws:iam::account-id:group/group-name');\n\nuser.addToGroup(group);\n// or\ngroup.addUser(user);", "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html", "stability": "stable", "summary": "An IAM Group (collection of IAM users) lets you specify permissions for multiple users, which can make it easier to manage permissions for those users." 
}, "fqn": "@aws-cdk/aws-iam.Group", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/group.ts", "line": 182 }, "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "props", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.GroupProps" } } ] }, "interfaces": [ "@aws-cdk/aws-iam.IGroup" ], "kind": "class", "locationInModule": { "filename": "lib/group.ts", "line": 130 }, "methods": [ { "docs": { "remarks": "If the imported Group ARN is a Token (such as a\n`CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced\ngroup has a `path` (like `arn:...:group/AdminGroup/NetworkAdmin`), the\n`groupName` property will not resolve to the correct value. Instead it\nwill resolve to the first path component. We unfortunately cannot express\nthe correct calculation of the full path name as a CloudFormation\nexpression. In this scenario the Group ARN should be supplied without the\n`path` in order to resolve the correct group resource.", "stability": "stable", "summary": "Import an external group by ARN." }, "locationInModule": { "filename": "lib/group.ts", "line": 147 }, "name": "fromGroupArn", "parameters": [ { "docs": { "summary": "construct scope." }, "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "docs": { "summary": "construct id." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "the ARN of the group to import (e.g. `arn:aws:iam::account-id:group/group-name`)." }, "name": "groupArn", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IGroup" } }, "static": true }, { "docs": { "remarks": "This method has same caveats of `fromGroupArn`", "stability": "stable", "summary": "Import an existing group by given name (with path)." 
}, "locationInModule": { "filename": "lib/group.ts", "line": 167 }, "name": "fromGroupName", "parameters": [ { "docs": { "summary": "construct scope." }, "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "docs": { "summary": "construct id." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "the groupName (path included) of the existing group to import." }, "name": "groupName", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IGroup" } }, "static": true }, { "docs": { "stability": "stable", "summary": "Attaches a managed policy to this group." }, "locationInModule": { "filename": "lib/group.ts", "line": 209 }, "name": "addManagedPolicy", "overrides": "@aws-cdk/aws-iam.IIdentity", "parameters": [ { "docs": { "summary": "The managed policy to attach." }, "name": "policy", "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } } ] }, { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." }, "locationInModule": { "filename": "lib/group.ts", "line": 119 }, "name": "addToPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "primitive": "boolean" } } }, { "docs": { "stability": "stable", "summary": "Adds an IAM statement to the default policy." }, "locationInModule": { "filename": "lib/group.ts", "line": 109 }, "name": "addToPrincipalPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.AddToPrincipalPolicyResult" } } }, { "docs": { "stability": "stable", "summary": "Adds a user to this group." 
}, "locationInModule": { "filename": "lib/group.ts", "line": 102 }, "name": "addUser", "parameters": [ { "name": "user", "type": { "fqn": "@aws-cdk/aws-iam.IUser" } } ] }, { "docs": { "stability": "stable", "summary": "Attaches a policy to this group." }, "locationInModule": { "filename": "lib/group.ts", "line": 90 }, "name": "attachInlinePolicy", "overrides": "@aws-cdk/aws-iam.IIdentity", "parameters": [ { "docs": { "summary": "The policy to attach." }, "name": "policy", "type": { "fqn": "@aws-cdk/aws-iam.Policy" } } ] } ], "name": "Group", "properties": [ { "docs": { "stability": "stable", "summary": "When this Principal is used in an AssumeRole policy, the action to use." }, "immutable": true, "locationInModule": { "filename": "lib/group.ts", "line": 77 }, "name": "assumeRoleAction", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "The principal to grant permissions to." }, "immutable": true, "locationInModule": { "filename": "lib/group.ts", "line": 75 }, "name": "grantPrincipal", "overrides": "@aws-cdk/aws-iam.IGrantable", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "docs": { "stability": "stable", "summary": "Returns the IAM Group ARN." }, "immutable": true, "locationInModule": { "filename": "lib/group.ts", "line": 178 }, "name": "groupArn", "overrides": "@aws-cdk/aws-iam.IGroup", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "Returns the IAM Group Name." }, "immutable": true, "locationInModule": { "filename": "lib/group.ts", "line": 177 }, "name": "groupName", "overrides": "@aws-cdk/aws-iam.IGroup", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/group.ts", "line": 82 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } }, { "docs": { "remarks": "Can be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.", "stability": "stable", "summary": "The AWS account ID of this principal." }, "immutable": true, "locationInModule": { "filename": "lib/group.ts", "line": 76 }, "name": "principalAccount", "optional": true, "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "primitive": "string" } } ], "symbolId": "lib/group:Group" }, "@aws-cdk/aws-iam.GroupProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "stability": "stable", "summary": "Properties for defining an IAM group.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const managedPolicy: iam.ManagedPolicy;\nconst groupProps: iam.GroupProps = {\n groupName: 'groupName',\n managedPolicies: [managedPolicy],\n path: 'path',\n};", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.GroupProps", "kind": "interface", "locationInModule": { "filename": "lib/group.ts", "line": 36 }, "name": "GroupProps", "properties": [ { "abstract": true, "docs": { "default": "Generated by CloudFormation (recommended)", "remarks": "For valid values, see the GroupName parameter\nfor the CreateGroup action in the IAM API Reference. If you don't specify\na name, AWS CloudFormation generates a unique physical ID and uses that\nID for the group name.\n\nIf you specify a name, you must specify the CAPABILITY_NAMED_IAM value to\nacknowledge your template's capabilities. 
For more information, see\nAcknowledging IAM Resources in AWS CloudFormation Templates.", "stability": "stable", "summary": "A name for the IAM group." }, "immutable": true, "locationInModule": { "filename": "lib/group.ts", "line": 49 }, "name": "groupName", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "default": "- No managed policies.", "remarks": "You can add managed policies later using\n`addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.", "stability": "stable", "summary": "A list of managed policies associated with this role." }, "immutable": true, "locationInModule": { "filename": "lib/group.ts", "line": 59 }, "name": "managedPolicies", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "/", "remarks": "For more information about paths, see [IAM\nIdentifiers](http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?Using_Identifiers.html)\nin the IAM User Guide.", "stability": "stable", "summary": "The path to the group." }, "immutable": true, "locationInModule": { "filename": "lib/group.ts", "line": 68 }, "name": "path", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/group:GroupProps" }, "@aws-cdk/aws-iam.IAccessKey": { "assembly": "@aws-cdk/aws-iam", "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html", "stability": "stable", "summary": "Represents an IAM Access Key." }, "fqn": "@aws-cdk/aws-iam.IAccessKey", "interfaces": [ "@aws-cdk/core.IResource" ], "kind": "interface", "locationInModule": { "filename": "lib/access-key.ts", "line": 26 }, "name": "IAccessKey", "properties": [ { "abstract": true, "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "The Access Key ID." 
}, "immutable": true, "locationInModule": { "filename": "lib/access-key.ts", "line": 32 }, "name": "accessKeyId", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "The Secret Access Key." }, "immutable": true, "locationInModule": { "filename": "lib/access-key.ts", "line": 39 }, "name": "secretAccessKey", "type": { "fqn": "@aws-cdk/core.SecretValue" } } ], "symbolId": "lib/access-key:IAccessKey" }, "@aws-cdk/aws-iam.IAssumeRolePrincipal": { "assembly": "@aws-cdk/aws-iam", "docs": { "remarks": "More complex types of identity providers need more control over Role's policy documents\nthan simply `{ Effect: 'Allow', Action: 'AssumeRole', Principal: }`.\n\nIf that control is necessary, they can implement `IAssumeRolePrincipal` to get full\naccess to a Role's AssumeRolePolicyDocument.", "stability": "stable", "summary": "A type of principal that has more control over its own representation in AssumeRolePolicyDocuments." }, "fqn": "@aws-cdk/aws-iam.IAssumeRolePrincipal", "interfaces": [ "@aws-cdk/aws-iam.IPrincipal" ], "kind": "interface", "locationInModule": { "filename": "lib/principals.ts", "line": 82 }, "methods": [ { "abstract": true, "docs": { "remarks": "Add the statements to the AssumeRolePolicyDocument necessary to give this principal\npermissions to assume the given role.", "stability": "stable", "summary": "Add the principal to the AssumeRolePolicyDocument." }, "locationInModule": { "filename": "lib/principals.ts", "line": 89 }, "name": "addToAssumeRolePolicy", "parameters": [ { "name": "document", "type": { "fqn": "@aws-cdk/aws-iam.PolicyDocument" } } ] } ], "name": "IAssumeRolePrincipal", "symbolId": "lib/principals:IAssumeRolePrincipal" }, "@aws-cdk/aws-iam.IGrantable": { "assembly": "@aws-cdk/aws-iam", "docs": { "stability": "stable", "summary": "Any object that has an associated principal that a permission can be granted to." 
}, "fqn": "@aws-cdk/aws-iam.IGrantable", "kind": "interface", "locationInModule": { "filename": "lib/principals.ts", "line": 13 }, "name": "IGrantable", "properties": [ { "abstract": true, "docs": { "stability": "stable", "summary": "The principal to grant permissions to." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 17 }, "name": "grantPrincipal", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } } ], "symbolId": "lib/principals:IGrantable" }, "@aws-cdk/aws-iam.IGroup": { "assembly": "@aws-cdk/aws-iam", "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html", "stability": "stable", "summary": "Represents an IAM Group." }, "fqn": "@aws-cdk/aws-iam.IGroup", "interfaces": [ "@aws-cdk/aws-iam.IIdentity" ], "kind": "interface", "locationInModule": { "filename": "lib/group.ts", "line": 17 }, "name": "IGroup", "properties": [ { "abstract": true, "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "Returns the IAM Group ARN." }, "immutable": true, "locationInModule": { "filename": "lib/group.ts", "line": 30 }, "name": "groupArn", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "Returns the IAM Group Name." }, "immutable": true, "locationInModule": { "filename": "lib/group.ts", "line": 23 }, "name": "groupName", "type": { "primitive": "string" } } ], "symbolId": "lib/group:IGroup" }, "@aws-cdk/aws-iam.IIdentity": { "assembly": "@aws-cdk/aws-iam", "docs": { "stability": "stable", "summary": "A construct that represents an IAM principal, such as a user, group or role." }, "fqn": "@aws-cdk/aws-iam.IIdentity", "interfaces": [ "@aws-cdk/aws-iam.IPrincipal", "@aws-cdk/core.IResource" ], "kind": "interface", "locationInModule": { "filename": "lib/identity-base.ts", "line": 9 }, "methods": [ { "abstract": true, "docs": { "stability": "stable", "summary": "Attaches a managed policy to this principal." 
}, "locationInModule": { "filename": "lib/identity-base.ts", "line": 21 }, "name": "addManagedPolicy", "parameters": [ { "docs": { "summary": "The managed policy." }, "name": "policy", "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } } ] }, { "abstract": true, "docs": { "remarks": "This is the same as calling `policy.addToXxx(principal)`.", "stability": "stable", "summary": "Attaches an inline policy to this principal." }, "locationInModule": { "filename": "lib/identity-base.ts", "line": 15 }, "name": "attachInlinePolicy", "parameters": [ { "docs": { "summary": "The policy resource to attach to this principal [disable-awslint:ref-via-interface]." }, "name": "policy", "type": { "fqn": "@aws-cdk/aws-iam.Policy" } } ] } ], "name": "IIdentity", "symbolId": "lib/identity-base:IIdentity" }, "@aws-cdk/aws-iam.IManagedPolicy": { "assembly": "@aws-cdk/aws-iam", "docs": { "stability": "stable", "summary": "A managed policy." }, "fqn": "@aws-cdk/aws-iam.IManagedPolicy", "kind": "interface", "locationInModule": { "filename": "lib/managed-policy.ts", "line": 14 }, "name": "IManagedPolicy", "properties": [ { "abstract": true, "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "The ARN of the managed policy." }, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 19 }, "name": "managedPolicyArn", "type": { "primitive": "string" } } ], "symbolId": "lib/managed-policy:IManagedPolicy" }, "@aws-cdk/aws-iam.IOpenIdConnectProvider": { "assembly": "@aws-cdk/aws-iam", "docs": { "stability": "stable", "summary": "Represents an IAM OpenID Connect provider." }, "fqn": "@aws-cdk/aws-iam.IOpenIdConnectProvider", "interfaces": [ "@aws-cdk/core.IResource" ], "kind": "interface", "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 19 }, "name": "IOpenIdConnectProvider", "properties": [ { "abstract": true, "docs": { "stability": "stable", "summary": "The Amazon Resource Name (ARN) of the IAM OpenID Connect provider." 
}, "immutable": true, "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 23 }, "name": "openIdConnectProviderArn", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "stability": "stable", "summary": "The issuer for OIDC Provider." }, "immutable": true, "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 28 }, "name": "openIdConnectProviderIssuer", "type": { "primitive": "string" } } ], "symbolId": "lib/oidc-provider:IOpenIdConnectProvider" }, "@aws-cdk/aws-iam.IPolicy": { "assembly": "@aws-cdk/aws-iam", "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html", "stability": "stable", "summary": "Represents an IAM Policy." }, "fqn": "@aws-cdk/aws-iam.IPolicy", "interfaces": [ "@aws-cdk/core.IResource" ], "kind": "interface", "locationInModule": { "filename": "lib/policy.ts", "line": 16 }, "name": "IPolicy", "properties": [ { "abstract": true, "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "The name of this policy." }, "immutable": true, "locationInModule": { "filename": "lib/policy.ts", "line": 22 }, "name": "policyName", "type": { "primitive": "string" } } ], "symbolId": "lib/policy:IPolicy" }, "@aws-cdk/aws-iam.IPrincipal": { "assembly": "@aws-cdk/aws-iam", "docs": { "remarks": "An IPrincipal describes a logical entity that can perform AWS API calls\nagainst sets of resources, optionally under certain conditions.\n\nExamples of simple principals are IAM objects that you create, such\nas Users or Roles.\n\nAn example of a more complex principal is a `ServicePrincipal` (such as\n`new ServicePrincipal(\"sns.amazonaws.com\")`, which represents the Simple\nNotification Service).\n\nA single logical Principal may also map to a set of physical principals.\nFor example, `new OrganizationPrincipal('o-1234')` represents all\nidentities that are part of the given AWS Organization.", "stability": "stable", "summary": "Represents a logical IAM principal." 
}, "fqn": "@aws-cdk/aws-iam.IPrincipal", "interfaces": [ "@aws-cdk/aws-iam.IGrantable" ], "kind": "interface", "locationInModule": { "filename": "lib/principals.ts", "line": 37 }, "methods": [ { "abstract": true, "docs": { "deprecated": "Use `addToPrincipalPolicy` instead.", "returns": "true if the statement was added, false if the principal in\nquestion does not have a policy document to add the statement to.", "stability": "deprecated", "summary": "Add to the policy of this principal." }, "locationInModule": { "filename": "lib/principals.ts", "line": 65 }, "name": "addToPolicy", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "primitive": "boolean" } } }, { "abstract": true, "docs": { "stability": "stable", "summary": "Add to the policy of this principal." }, "locationInModule": { "filename": "lib/principals.ts", "line": 70 }, "name": "addToPrincipalPolicy", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.AddToPrincipalPolicyResult" } } } ], "name": "IPrincipal", "properties": [ { "abstract": true, "docs": { "stability": "stable", "summary": "When this Principal is used in an AssumeRole policy, the action to use." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 41 }, "name": "assumeRoleAction", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 46 }, "name": "policyFragment", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } }, { "abstract": true, "docs": { "remarks": "Can be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.", "stability": "stable", "summary": "The AWS account ID of this principal." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 55 }, "name": "principalAccount", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/principals:IPrincipal" }, "@aws-cdk/aws-iam.IResourceWithPolicy": { "assembly": "@aws-cdk/aws-iam", "docs": { "stability": "stable", "summary": "A resource with a resource policy that can be added to." }, "fqn": "@aws-cdk/aws-iam.IResourceWithPolicy", "interfaces": [ "@aws-cdk/core.IResource" ], "kind": "interface", "locationInModule": { "filename": "lib/grant.ts", "line": 306 }, "methods": [ { "abstract": true, "docs": { "stability": "stable", "summary": "Add a statement to the resource's resource policy." }, "locationInModule": { "filename": "lib/grant.ts", "line": 310 }, "name": "addToResourcePolicy", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.AddToResourcePolicyResult" } } } ], "name": "IResourceWithPolicy", "symbolId": "lib/grant:IResourceWithPolicy" }, "@aws-cdk/aws-iam.IRole": { "assembly": "@aws-cdk/aws-iam", "docs": { "stability": "stable", "summary": "A Role object." }, "fqn": "@aws-cdk/aws-iam.IRole", "interfaces": [ "@aws-cdk/aws-iam.IIdentity" ], "kind": "interface", "locationInModule": { "filename": "lib/role.ts", "line": 478 }, "methods": [ { "abstract": true, "docs": { "stability": "stable", "summary": "Grant the actions defined in actions to the identity Principal on this resource." 
}, "locationInModule": { "filename": "lib/role.ts", "line": 496 }, "name": "grant", "parameters": [ { "name": "grantee", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "name": "actions", "type": { "primitive": "string" }, "variadic": true } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.Grant" } }, "variadic": true }, { "abstract": true, "docs": { "stability": "stable", "summary": "Grant permissions to the given principal to pass this role." }, "locationInModule": { "filename": "lib/role.ts", "line": 501 }, "name": "grantPassRole", "parameters": [ { "name": "grantee", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.Grant" } } } ], "name": "IRole", "properties": [ { "abstract": true, "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "Returns the ARN of this role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 484 }, "name": "roleArn", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "Returns the name of this role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 491 }, "name": "roleName", "type": { "primitive": "string" } } ], "symbolId": "lib/role:IRole" }, "@aws-cdk/aws-iam.ISamlProvider": { "assembly": "@aws-cdk/aws-iam", "docs": { "stability": "stable", "summary": "A SAML provider." }, "fqn": "@aws-cdk/aws-iam.ISamlProvider", "interfaces": [ "@aws-cdk/core.IResource" ], "kind": "interface", "locationInModule": { "filename": "lib/saml-provider.ts", "line": 9 }, "name": "ISamlProvider", "properties": [ { "abstract": true, "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "The Amazon Resource Name (ARN) of the provider." 
}, "immutable": true, "locationInModule": { "filename": "lib/saml-provider.ts", "line": 15 }, "name": "samlProviderArn", "type": { "primitive": "string" } } ], "symbolId": "lib/saml-provider:ISamlProvider" }, "@aws-cdk/aws-iam.IUser": { "assembly": "@aws-cdk/aws-iam", "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html", "stability": "stable", "summary": "Represents an IAM user." }, "fqn": "@aws-cdk/aws-iam.IUser", "interfaces": [ "@aws-cdk/aws-iam.IIdentity" ], "kind": "interface", "locationInModule": { "filename": "lib/user.ts", "line": 17 }, "methods": [ { "abstract": true, "docs": { "stability": "stable", "summary": "Adds this user to a group." }, "locationInModule": { "filename": "lib/user.ts", "line": 33 }, "name": "addToGroup", "parameters": [ { "name": "group", "type": { "fqn": "@aws-cdk/aws-iam.IGroup" } } ] } ], "name": "IUser", "properties": [ { "abstract": true, "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "The user's ARN." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 28 }, "name": "userArn", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "The user's name." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 22 }, "name": "userName", "type": { "primitive": "string" } } ], "symbolId": "lib/user:IUser" }, "@aws-cdk/aws-iam.LazyRole": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.Resource", "docs": { "custom": { "resource": "AWS::IAM::Role", "exampleMetadata": "fixture=_generated" }, "remarks": "This construct can be used to simplify logic in other constructs\nwhich need to create a role but only if certain configurations occur\n(such as when AutoScaling is configured). 
The role can be configured in one\nplace, but if it never gets used it doesn't get instantiated and will\nnot be synthesized or deployed.", "stability": "stable", "summary": "An IAM role that only gets attached to the construct tree once it gets used, not before.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nimport * as cdk from '@aws-cdk/core';\n\ndeclare const managedPolicy: iam.ManagedPolicy;\ndeclare const policyDocument: iam.PolicyDocument;\ndeclare const principal: iam.IPrincipal;\nconst lazyRole = new iam.LazyRole(this, 'MyLazyRole', {\n assumedBy: principal,\n\n // the properties below are optional\n description: 'description',\n externalId: 'externalId',\n externalIds: ['externalIds'],\n inlinePolicies: {\n inlinePoliciesKey: policyDocument,\n },\n managedPolicies: [managedPolicy],\n maxSessionDuration: cdk.Duration.minutes(30),\n path: 'path',\n permissionsBoundary: managedPolicy,\n roleName: 'roleName',\n});" }, "fqn": "@aws-cdk/aws-iam.LazyRole", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 38 }, "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.LazyRoleProps" } } ] }, "interfaces": [ "@aws-cdk/aws-iam.IRole" ], "kind": "class", "locationInModule": { "filename": "lib/lazy-role.ts", "line": 28 }, "methods": [ { "docs": { "stability": "stable", "summary": "Attaches a managed policy to this role." }, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 76 }, "name": "addManagedPolicy", "overrides": "@aws-cdk/aws-iam.IIdentity", "parameters": [ { "docs": { "summary": "The managed policy to attach." 
}, "name": "policy", "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } } ] }, { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." }, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 56 }, "name": "addToPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "primitive": "boolean" } } }, { "docs": { "remarks": "If there is no default policy attached to this role, it will be created.", "stability": "stable", "summary": "Adds a permission to the role's default policy document." }, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 47 }, "name": "addToPrincipalPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "docs": { "summary": "The permission statement to add to the policy document." }, "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.AddToPrincipalPolicyResult" } } }, { "docs": { "stability": "stable", "summary": "Attaches a policy to this role." }, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 64 }, "name": "attachInlinePolicy", "overrides": "@aws-cdk/aws-iam.IIdentity", "parameters": [ { "docs": { "summary": "The policy to attach." }, "name": "policy", "type": { "fqn": "@aws-cdk/aws-iam.Policy" } } ] }, { "docs": { "stability": "stable", "summary": "Grant the actions defined in actions to the identity Principal on this resource." 
}, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 111 }, "name": "grant", "overrides": "@aws-cdk/aws-iam.IRole", "parameters": [ { "name": "identity", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "name": "actions", "type": { "primitive": "string" }, "variadic": true } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.Grant" } }, "variadic": true }, { "docs": { "stability": "stable", "summary": "Grant permissions to the given principal to pass this role." }, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 118 }, "name": "grantPassRole", "overrides": "@aws-cdk/aws-iam.IRole", "parameters": [ { "name": "identity", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.Grant" } } } ], "name": "LazyRole", "properties": [ { "docs": { "stability": "stable", "summary": "When this Principal is used in an AssumeRole policy, the action to use." }, "immutable": true, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 31 }, "name": "assumeRoleAction", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "The principal to grant permissions to." }, "immutable": true, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 29 }, "name": "grantPrincipal", "overrides": "@aws-cdk/aws-iam.IGrantable", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." }, "immutable": true, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 104 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } }, { "docs": { "stability": "stable", "summary": "Returns the ARN of this role." 
}, "immutable": true, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 87 }, "name": "roleArn", "overrides": "@aws-cdk/aws-iam.IRole", "type": { "primitive": "string" } }, { "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "Returns the stable and unique string identifying the role (i.e. AIDAJQABLZS4A3QDU576Q)." }, "immutable": true, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 96 }, "name": "roleId", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "Returns the name of this role." }, "immutable": true, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 100 }, "name": "roleName", "overrides": "@aws-cdk/aws-iam.IRole", "type": { "primitive": "string" } }, { "docs": { "remarks": "Can be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.", "stability": "stable", "summary": "The AWS account ID of this principal." 
}, "immutable": true, "locationInModule": { "filename": "lib/lazy-role.ts", "line": 30 }, "name": "principalAccount", "optional": true, "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "primitive": "string" } } ], "symbolId": "lib/lazy-role:LazyRole" }, "@aws-cdk/aws-iam.LazyRoleProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "stability": "stable", "summary": "Properties for defining a LazyRole.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nimport * as cdk from '@aws-cdk/core';\n\ndeclare const managedPolicy: iam.ManagedPolicy;\ndeclare const policyDocument: iam.PolicyDocument;\ndeclare const principal: iam.IPrincipal;\nconst lazyRoleProps: iam.LazyRoleProps = {\n assumedBy: principal,\n\n // the properties below are optional\n description: 'description',\n externalId: 'externalId',\n externalIds: ['externalIds'],\n inlinePolicies: {\n inlinePoliciesKey: policyDocument,\n },\n managedPolicies: [managedPolicy],\n maxSessionDuration: cdk.Duration.minutes(30),\n path: 'path',\n permissionsBoundary: managedPolicy,\n roleName: 'roleName',\n};", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.LazyRoleProps", "interfaces": [ "@aws-cdk/aws-iam.RoleProps" ], "kind": "interface", "locationInModule": { "filename": "lib/lazy-role.ts", "line": 13 }, "name": "LazyRoleProps", "symbolId": "lib/lazy-role:LazyRoleProps" }, "@aws-cdk/aws-iam.ManagedPolicy": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.Resource", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const myRole = new iam.Role(this, 'My Role', {\n assumedBy: new iam.ServicePrincipal('sns.amazonaws.com'),\n});\n\nconst fn = new lambda.Function(this, 'MyFunction', {\n runtime: lambda.Runtime.NODEJS_16_X,\n handler: 'index.handler',\n code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),\n role: 
myRole, // user-provided role\n});\n\nmyRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName(\"service-role/AWSLambdaBasicExecutionRole\"));\nmyRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName(\"service-role/AWSLambdaVPCAccessExecutionRole\")); // only required if your function lives in a VPC", "stability": "stable", "summary": "Managed policy." }, "fqn": "@aws-cdk/aws-iam.ManagedPolicy", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 208 }, "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "props", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.ManagedPolicyProps" } } ] }, "interfaces": [ "@aws-cdk/aws-iam.IManagedPolicy" ], "kind": "class", "locationInModule": { "filename": "lib/managed-policy.ts", "line": 102 }, "methods": [ { "docs": { "remarks": "For this managed policy, you only need to know the name to be able to use it.\n\nSome managed policy names start with \"service-role/\", some start with\n\"job-function/\", and some don't start with anything. Include the\nprefix when constructing this object.", "stability": "stable", "summary": "Import a managed policy from one of the policies that AWS manages." 
}, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 157 }, "name": "fromAwsManagedPolicyName", "parameters": [ { "name": "managedPolicyName", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } }, "static": true }, { "docs": { "remarks": "For this managed policy, you only need to know the ARN to be able to use it.\nThis can be useful if you got the ARN from a CloudFormation Export.\n\nIf the imported Managed Policy ARN is a Token (such as a\n`CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced\nmanaged policy has a `path` (like `arn:...:policy/AdminPolicy/AdminAllow`), the\n`managedPolicyName` property will not resolve to the correct value. Instead it\nwill resolve to the first path component. We unfortunately cannot express\nthe correct calculation of the full path name as a CloudFormation\nexpression. In this scenario the Managed Policy ARN should be supplied without the\n`path` in order to resolve the correct managed policy resource.", "stability": "stable", "summary": "Import an external managed policy by ARN." }, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 141 }, "name": "fromManagedPolicyArn", "parameters": [ { "docs": { "summary": "construct scope." }, "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "docs": { "summary": "construct id." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "the ARN of the managed policy to import." }, "name": "managedPolicyArn", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } }, "static": true }, { "docs": { "remarks": "For this managed policy, you only need to know the name to be able to use it.", "stability": "stable", "summary": "Import a customer managed policy from the managedPolicyName." 
}, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 109 }, "name": "fromManagedPolicyName", "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "managedPolicyName", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } }, "static": true }, { "docs": { "stability": "stable", "summary": "Adds a statement to the policy document." }, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 259 }, "name": "addStatements", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" }, "variadic": true } ], "variadic": true }, { "docs": { "stability": "stable", "summary": "Attaches this policy to a group." }, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 282 }, "name": "attachToGroup", "parameters": [ { "name": "group", "type": { "fqn": "@aws-cdk/aws-iam.IGroup" } } ] }, { "docs": { "stability": "stable", "summary": "Attaches this policy to a role." }, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 274 }, "name": "attachToRole", "parameters": [ { "name": "role", "type": { "fqn": "@aws-cdk/aws-iam.IRole" } } ] }, { "docs": { "stability": "stable", "summary": "Attaches this policy to a user." }, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 266 }, "name": "attachToUser", "parameters": [ { "name": "user", "type": { "fqn": "@aws-cdk/aws-iam.IUser" } } ] }, { "docs": { "remarks": "This method can be implemented by derived constructs in order to perform\nvalidation logic. It is called on all constructs before synthesis.", "stability": "stable", "summary": "Validate the current construct." 
}, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 287 }, "name": "validate", "overrides": "@aws-cdk/core.Construct", "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } } ], "name": "ManagedPolicy", "properties": [ { "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "The description of this policy." }, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 195 }, "name": "description", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "The policy document." }, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 181 }, "name": "document", "type": { "fqn": "@aws-cdk/aws-iam.PolicyDocument" } }, { "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "Returns the ARN of this managed policy." }, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 176 }, "name": "managedPolicyArn", "overrides": "@aws-cdk/aws-iam.IManagedPolicy", "type": { "primitive": "string" } }, { "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "The name of this policy." }, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 188 }, "name": "managedPolicyName", "type": { "primitive": "string" } }, { "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "The path of this policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 202 }, "name": "path", "type": { "primitive": "string" } } ], "symbolId": "lib/managed-policy:ManagedPolicy" }, "@aws-cdk/aws-iam.ManagedPolicyProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const policyDocument = {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"FirstStatement\",\n \"Effect\": \"Allow\",\n \"Action\": [\"iam:ChangePassword\"],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SecondStatement\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:ListAllMyBuckets\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ThirdStatement\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:List*\",\n \"s3:Get*\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::confidential-data\",\n \"arn:aws:s3:::confidential-data/*\"\n ],\n \"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": \"true\"}}\n }\n ]\n};\n\nconst customPolicyDocument = iam.PolicyDocument.fromJson(policyDocument);\n\n// You can pass this document as an initial document to a ManagedPolicy\n// or inline Policy.\nconst newManagedPolicy = new iam.ManagedPolicy(this, 'MyNewManagedPolicy', {\n document: customPolicyDocument,\n});\nconst newPolicy = new iam.Policy(this, 'MyNewPolicy', {\n document: customPolicyDocument,\n});", "stability": "stable", "summary": "Properties for defining an IAM managed policy." }, "fqn": "@aws-cdk/aws-iam.ManagedPolicyProps", "kind": "interface", "locationInModule": { "filename": "lib/managed-policy.ts", "line": 25 }, "name": "ManagedPolicyProps", "properties": [ { "abstract": true, "docs": { "default": "- empty", "remarks": "Typically used to store information about the\npermissions defined in the policy. For example, \"Grants access to production DynamoDB tables.\"\nThe policy description is immutable. 
After a value is assigned, it cannot be changed.", "stability": "stable", "summary": "A description of the managed policy." }, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 42 }, "name": "description", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "default": "- An empty policy.", "remarks": "If omitted, any\n`PolicyStatement` provided in the `statements` property will be applied\nagainst the empty default `PolicyDocument`.", "stability": "stable", "summary": "Initial PolicyDocument to use for this ManagedPolicy." }, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 95 }, "name": "document", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.PolicyDocument" } }, { "abstract": true, "docs": { "default": "- No groups.", "remarks": "You can also use `attachToGroup(group)` to attach this policy to a group.", "stability": "stable", "summary": "Groups to attach this policy to." }, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 78 }, "name": "groups", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IGroup" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- A name is automatically generated.", "remarks": "If you specify multiple policies for an entity,\nspecify unique names. For example, if you specify a list of policies for\nan IAM role, each policy must have a unique name.", "stability": "stable", "summary": "The name of the managed policy."
}, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 33 }, "name": "managedPolicyName", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "default": "- \"/\"", "remarks": "This parameter allows (through its regex pattern) a string of characters\nconsisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes.\nIn addition, it can contain any ASCII character from the ! (\\u0021) through the DEL character (\\u007F),\nincluding most punctuation characters, digits, and upper and lowercased letters.\n\nFor more information about paths, see IAM Identifiers in the IAM User Guide.", "stability": "stable", "summary": "The path for the policy." }, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 54 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "default": "- No roles.", "remarks": "You can also use `attachToRole(role)` to attach this policy to a role.", "stability": "stable", "summary": "Roles to attach this policy to." }, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 70 }, "name": "roles", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IRole" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- No statements.", "remarks": "You can also use `addPermission(statement)` to add permissions later.", "stability": "stable", "summary": "Initial set of permissions to add to this policy document." 
}, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 86 }, "name": "statements", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- No users.", "remarks": "You can also use `attachToUser(user)` to attach this policy to a user.", "stability": "stable", "summary": "Users to attach this policy to." }, "immutable": true, "locationInModule": { "filename": "lib/managed-policy.ts", "line": 62 }, "name": "users", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IUser" }, "kind": "array" } } } ], "symbolId": "lib/managed-policy:ManagedPolicyProps" }, "@aws-cdk/aws-iam.OpenIdConnectPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.WebIdentityPrincipal", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const provider = new iam.OpenIdConnectProvider(this, 'MyProvider', {\n url: 'https://openid/connect',\n clientIds: [ 'myclient1', 'myclient2' ],\n});\nconst principal = new iam.OpenIdConnectPrincipal(provider);", "stability": "stable", "summary": "A principal that represents a federated identity provider as from an OpenID Connect provider." }, "fqn": "@aws-cdk/aws-iam.OpenIdConnectPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 580 }, "parameters": [ { "docs": { "summary": "OpenID Connect provider." }, "name": "openIdConnectProvider", "type": { "fqn": "@aws-cdk/aws-iam.IOpenIdConnectProvider" } }, { "docs": { "remarks": "See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).", "summary": "The conditions under which the policy is in effect."
}, "name": "conditions", "optional": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 572 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." }, "locationInModule": { "filename": "lib/principals.ts", "line": 588 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.WebIdentityPrincipal", "returns": { "type": { "primitive": "string" } } } ], "name": "OpenIdConnectPrincipal", "properties": [ { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 584 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.WebIdentityPrincipal", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } } ], "symbolId": "lib/principals:OpenIdConnectPrincipal" }, "@aws-cdk/aws-iam.OpenIdConnectProvider": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.Resource", "docs": { "custom": { "exampleMetadata": "infused", "resource": "AWS::CloudFormation::CustomResource" }, "example": "const provider = new iam.OpenIdConnectProvider(this, 'MyProvider', {\n url: 'https://openid/connect',\n clientIds: [ 'myclient1', 'myclient2' ],\n});", "remarks": "You use an IAM OIDC identity provider\nwhen you want to establish trust between an OIDC-compatible IdP and your AWS\naccount. 
This is useful when creating a mobile app or web application that\nrequires access to AWS resources, but you don't want to create custom sign-in\ncode or manage your own user identities.", "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html", "stability": "stable", "summary": "IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce." }, "fqn": "@aws-cdk/aws-iam.OpenIdConnectProvider", "initializer": { "docs": { "stability": "stable", "summary": "Defines an OpenID Connect provider." }, "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 135 }, "parameters": [ { "docs": { "summary": "The definition scope." }, "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "docs": { "summary": "Construct ID." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "Initialization properties." }, "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.OpenIdConnectProviderProps" } } ] }, "interfaces": [ "@aws-cdk/aws-iam.IOpenIdConnectProvider" ], "kind": "class", "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 104 }, "methods": [ { "docs": { "stability": "stable", "summary": "Imports an Open ID connect provider from an ARN." }, "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 111 }, "name": "fromOpenIdConnectProviderArn", "parameters": [ { "docs": { "summary": "The definition scope." }, "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "docs": { "summary": "ID of the construct." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "the ARN to import." 
}, "name": "openIdConnectProviderArn", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IOpenIdConnectProvider" } }, "static": true } ], "name": "OpenIdConnectProvider", "properties": [ { "docs": { "stability": "stable", "summary": "The Amazon Resource Name (ARN) of the IAM OpenID Connect provider." }, "immutable": true, "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 125 }, "name": "openIdConnectProviderArn", "overrides": "@aws-cdk/aws-iam.IOpenIdConnectProvider", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "The issuer for OIDC Provider." }, "immutable": true, "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 127 }, "name": "openIdConnectProviderIssuer", "overrides": "@aws-cdk/aws-iam.IOpenIdConnectProvider", "type": { "primitive": "string" } } ], "symbolId": "lib/oidc-provider:OpenIdConnectProvider" }, "@aws-cdk/aws-iam.OpenIdConnectProviderProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const provider = new iam.OpenIdConnectProvider(this, 'MyProvider', {\n url: 'https://openid/connect',\n clientIds: [ 'myclient1', 'myclient2' ],\n});", "stability": "stable", "summary": "Initialization properties for `OpenIdConnectProvider`." }, "fqn": "@aws-cdk/aws-iam.OpenIdConnectProviderProps", "kind": "interface", "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 34 }, "name": "OpenIdConnectProviderProps", "properties": [ { "abstract": true, "docs": { "remarks": "The URL must begin with https:// and\nshould correspond to the iss claim in the provider's OpenID Connect ID\ntokens. Per the OIDC standard, path components are allowed but query\nparameters are not. Typically the URL consists of only a hostname, like\nhttps://server.example.org or https://example.com.\n\nYou cannot register the same provider multiple times in a single AWS\naccount. 
If you try to submit a URL that has already been used for an\nOpenID Connect provider in the AWS account, you will get an error.", "stability": "stable", "summary": "The URL of the identity provider." }, "immutable": true, "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 46 }, "name": "url", "type": { "primitive": "string" } }, { "abstract": true, "docs": { "default": "- no clients are allowed", "remarks": "When a mobile or web app\nregisters with an OpenID Connect provider, they establish a value that\nidentifies the application. (This is the value that's sent as the client_id\nparameter on OAuth requests.)\n\nYou can register multiple client IDs with the same provider. For example,\nyou might have multiple applications that use the same OIDC provider. You\ncannot register more than 100 client IDs with a single IAM OIDC provider.\n\nClient IDs are up to 255 characters long.", "stability": "stable", "summary": "A list of client IDs (also known as audiences)." }, "immutable": true, "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 62 }, "name": "clientIds", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- If no thumbprints are specified (an empty array or `undefined`),\nthe thumbprint of the root certificate authority will be obtained from the\nprovider's server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html", "remarks": "Typically this list includes only one entry. However, IAM lets you have up\nto five thumbprints for an OIDC provider. This lets you maintain multiple\nthumbprints if the identity provider is rotating certificates.\n\nThe server certificate thumbprint is the hex-encoded SHA-1 hash value of\nthe X.509 certificate used by the domain where the OpenID Connect provider\nmakes its keys available. 
It is always a 40-character string.\n\nYou must provide at least one thumbprint when creating an IAM OIDC\nprovider. For example, assume that the OIDC provider is server.example.com\nand the provider stores its keys at\nhttps://keys.server.example.com/openid-connect. In that case, the\nthumbprint string would be the hex-encoded SHA-1 hash value of the\ncertificate used by https://keys.server.example.com.", "stability": "stable", "summary": "A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates." }, "immutable": true, "locationInModule": { "filename": "lib/oidc-provider.ts", "line": 87 }, "name": "thumbprints", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } ], "symbolId": "lib/oidc-provider:OpenIdConnectProviderProps" }, "@aws-cdk/aws-iam.OrganizationPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.PrincipalBase", "docs": { "stability": "stable", "summary": "A principal that represents an AWS Organization.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst organizationPrincipal = new iam.OrganizationPrincipal('organizationId');", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.OrganizationPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 458 }, "parameters": [ { "docs": { "summary": "The unique identifier (ID) of an organization (i.e. o-12345abcde)." }, "name": "organizationId", "type": { "primitive": "string" } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 453 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 469 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "returns": { "type": { "primitive": "string" } } } ], "name": "OrganizationPrincipal", "properties": [ { "docs": { "stability": "stable", "summary": "The unique identifier (ID) of an organization (i.e. o-12345abcde)." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 458 }, "name": "organizationId", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 462 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } } ], "symbolId": "lib/principals:OrganizationPrincipal" }, "@aws-cdk/aws-iam.PermissionsBoundary": { "assembly": "@aws-cdk/aws-iam", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "declare const project: codebuild.Project;\niam.PermissionsBoundary.of(project).apply(new codebuild.UntrustedCodeBoundaryPolicy(this, 'Boundary'));", "remarks": "```ts\nconst policy = iam.ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess');\niam.PermissionsBoundary.of(this).apply(policy);\n```", "stability": "stable", "summary": "Modify the Permissions Boundaries of Users and Roles in a construct tree." }, "fqn": "@aws-cdk/aws-iam.PermissionsBoundary", "kind": "class", "locationInModule": { "filename": "lib/permissions-boundary.ts", "line": 14 }, "methods": [ { "docs": { "stability": "stable", "summary": "Access the Permissions Boundaries of a construct tree." 
}, "locationInModule": { "filename": "lib/permissions-boundary.ts", "line": 18 }, "name": "of", "parameters": [ { "name": "scope", "type": { "fqn": "constructs.IConstruct" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.PermissionsBoundary" } }, "static": true }, { "docs": { "remarks": "Will override any Permissions Boundaries configured previously; in case\na Permission Boundary is applied in multiple scopes, the Boundary applied\nclosest to the Role wins.", "stability": "stable", "summary": "Apply the given policy as Permissions Boundary to all Roles and Users in the scope." }, "locationInModule": { "filename": "lib/permissions-boundary.ts", "line": 33 }, "name": "apply", "parameters": [ { "name": "boundaryPolicy", "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } } ] }, { "docs": { "stability": "stable", "summary": "Remove previously applied Permissions Boundaries." }, "locationInModule": { "filename": "lib/permissions-boundary.ts", "line": 49 }, "name": "clear" } ], "name": "PermissionsBoundary", "symbolId": "lib/permissions-boundary:PermissionsBoundary" }, "@aws-cdk/aws-iam.Policy": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.Resource", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "declare const postAuthFn: lambda.Function;\n\nconst userpool = new cognito.UserPool(this, 'myuserpool', {\n lambdaTriggers: {\n postAuthentication: postAuthFn,\n },\n});\n\n// provide permissions to describe the user pool scoped to the ARN the user pool\npostAuthFn.role?.attachInlinePolicy(new iam.Policy(this, 'userpool-policy', {\n statements: [new iam.PolicyStatement({\n actions: ['cognito-idp:DescribeUserPool'],\n resources: [userpool.userPoolArn],\n })],\n}));", "remarks": "For more information about IAM policies, see [Overview of IAM\nPolicies](http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html)\nin the IAM User Guide.", "stability": "stable", "summary": "The AWS::IAM::Policy resource associates an IAM policy 
with IAM users, roles, or groups." }, "fqn": "@aws-cdk/aws-iam.Policy", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/policy.ts", "line": 128 }, "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "props", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.PolicyProps" } } ] }, "interfaces": [ "@aws-cdk/aws-iam.IPolicy" ], "kind": "class", "locationInModule": { "filename": "lib/policy.ts", "line": 103 }, "methods": [ { "docs": { "stability": "stable", "summary": "Import a policy in this app based on its name." }, "locationInModule": { "filename": "lib/policy.ts", "line": 108 }, "name": "fromPolicyName", "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "policyName", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IPolicy" } }, "static": true }, { "docs": { "stability": "stable", "summary": "Adds a statement to the policy document." }, "locationInModule": { "filename": "lib/policy.ts", "line": 185 }, "name": "addStatements", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" }, "variadic": true } ], "variadic": true }, { "docs": { "stability": "stable", "summary": "Attaches this policy to a group." }, "locationInModule": { "filename": "lib/policy.ts", "line": 210 }, "name": "attachToGroup", "parameters": [ { "name": "group", "type": { "fqn": "@aws-cdk/aws-iam.IGroup" } } ] }, { "docs": { "stability": "stable", "summary": "Attaches this policy to a role." }, "locationInModule": { "filename": "lib/policy.ts", "line": 201 }, "name": "attachToRole", "parameters": [ { "name": "role", "type": { "fqn": "@aws-cdk/aws-iam.IRole" } } ] }, { "docs": { "stability": "stable", "summary": "Attaches this policy to a user." 
}, "locationInModule": { "filename": "lib/policy.ts", "line": 192 }, "name": "attachToUser", "parameters": [ { "name": "user", "type": { "fqn": "@aws-cdk/aws-iam.IUser" } } ] }, { "docs": { "remarks": "This method can be implemented by derived constructs in order to perform\nvalidation logic. It is called on all constructs before synthesis.", "stability": "stable", "summary": "Validate the current construct." }, "locationInModule": { "filename": "lib/policy.ts", "line": 226 }, "name": "validate", "overrides": "@aws-cdk/core.Construct", "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } } ], "name": "Policy", "properties": [ { "docs": { "stability": "stable", "summary": "The policy document." }, "immutable": true, "locationInModule": { "filename": "lib/policy.ts", "line": 119 }, "name": "document", "type": { "fqn": "@aws-cdk/aws-iam.PolicyDocument" } }, { "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "The name of this policy." }, "immutable": true, "locationInModule": { "filename": "lib/policy.ts", "line": 221 }, "name": "policyName", "overrides": "@aws-cdk/aws-iam.IPolicy", "type": { "primitive": "string" } } ], "symbolId": "lib/policy:Policy" }, "@aws-cdk/aws-iam.PolicyDocument": { "assembly": "@aws-cdk/aws-iam", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const myTrustedAdminRole = iam.Role.fromRoleArn(this, 'TrustedRole', 'arn:aws:iam:....');\n// Creates a limited admin policy and assigns to the account root.\nconst myCustomPolicy = new iam.PolicyDocument({\n statements: [new iam.PolicyStatement({\n actions: [\n 'kms:Create*',\n 'kms:Describe*',\n 'kms:Enable*',\n 'kms:List*',\n 'kms:Put*',\n ],\n principals: [new iam.AccountRootPrincipal()],\n resources: ['*'],\n })],\n});\nconst key = new kms.Key(this, 'MyKey', {\n policy: myCustomPolicy,\n});", "stability": "stable", "summary": "A PolicyDocument is a collection of statements." 
}, "fqn": "@aws-cdk/aws-iam.PolicyDocument", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/policy-document.ts", "line": 68 }, "parameters": [ { "name": "props", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.PolicyDocumentProps" } } ] }, "interfaces": [ "@aws-cdk/core.IResolvable" ], "kind": "class", "locationInModule": { "filename": "lib/policy-document.ts", "line": 46 }, "methods": [ { "docs": { "remarks": "This will accept an object created from the `.toJSON()` call", "stability": "stable", "summary": "Creates a new PolicyDocument based on the object provided." }, "locationInModule": { "filename": "lib/policy-document.ts", "line": 53 }, "name": "fromJson", "parameters": [ { "docs": { "summary": "the PolicyDocument in object form." }, "name": "obj", "type": { "primitive": "any" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.PolicyDocument" } }, "static": true }, { "docs": { "stability": "stable", "summary": "Adds a statement to the policy document." }, "locationInModule": { "filename": "lib/policy-document.ts", "line": 104 }, "name": "addStatements", "parameters": [ { "docs": { "summary": "the statement to add." }, "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" }, "variadic": true } ], "variadic": true }, { "docs": { "stability": "stable", "summary": "Produce the Token's value at resolution time." }, "locationInModule": { "filename": "lib/policy-document.ts", "line": 76 }, "name": "resolve", "overrides": "@aws-cdk/core.IResolvable", "parameters": [ { "name": "context", "type": { "fqn": "@aws-cdk/core.IResolveContext" } } ], "returns": { "type": { "primitive": "any" } } }, { "docs": { "remarks": "Used when JSON.stringify() is called", "stability": "stable", "summary": "JSON-ify the document." 
}, "locationInModule": { "filename": "lib/policy-document.ts", "line": 122 }, "name": "toJSON", "returns": { "type": { "primitive": "any" } } }, { "docs": { "stability": "stable", "summary": "Encode the policy document as a string." }, "locationInModule": { "filename": "lib/policy-document.ts", "line": 111 }, "name": "toString", "overrides": "@aws-cdk/core.IResolvable", "returns": { "type": { "primitive": "string" } } }, { "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json", "stability": "stable", "summary": "Validate that all policy statements in the policy document satisfy the requirements for any policy." }, "locationInModule": { "filename": "lib/policy-document.ts", "line": 132 }, "name": "validateForAnyPolicy", "returns": { "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } }, { "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json", "stability": "stable", "summary": "Validate that all policy statements in the policy document satisfy the requirements for an identity-based policy." }, "locationInModule": { "filename": "lib/policy-document.ts", "line": 160 }, "name": "validateForIdentityPolicy", "returns": { "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } }, { "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json", "stability": "stable", "summary": "Validate that all policy statements in the policy document satisfy the requirements for a resource-based policy."
}, "locationInModule": { "filename": "lib/policy-document.ts", "line": 146 }, "name": "validateForResourcePolicy", "returns": { "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } } ], "name": "PolicyDocument", "properties": [ { "docs": { "remarks": "This may return an array with a single informational element indicating how\nto get this property populated, if it was skipped for performance reasons.", "stability": "stable", "summary": "The creation stack of this resolvable which will be appended to errors thrown during resolution." }, "immutable": true, "locationInModule": { "filename": "lib/policy-document.ts", "line": 63 }, "name": "creationStack", "overrides": "@aws-cdk/core.IResolvable", "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "docs": { "stability": "stable", "summary": "Whether the policy document contains any statements." }, "immutable": true, "locationInModule": { "filename": "lib/policy-document.ts", "line": 87 }, "name": "isEmpty", "type": { "primitive": "boolean" } }, { "docs": { "remarks": "Can be used, for example, to generate unique \"sid\"s within the policy.", "stability": "stable", "summary": "The number of statements already added to this policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/policy-document.ts", "line": 95 }, "name": "statementCount", "type": { "primitive": "number" } } ], "symbolId": "lib/policy-document:PolicyDocument" }, "@aws-cdk/aws-iam.PolicyDocumentProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const myTrustedAdminRole = iam.Role.fromRoleArn(this, 'TrustedRole', 'arn:aws:iam:....');\n// Creates a limited admin policy and assigns to the account root.\nconst myCustomPolicy = new iam.PolicyDocument({\n statements: [new iam.PolicyStatement({\n actions: [\n 'kms:Create*',\n 'kms:Describe*',\n 'kms:Enable*',\n 'kms:List*',\n 'kms:Put*',\n ],\n principals: [new iam.AccountRootPrincipal()],\n resources: ['*'],\n })],\n});\nconst key = new kms.Key(this, 'MyKey', {\n policy: myCustomPolicy,\n});", "stability": "stable", "summary": "Properties for a new PolicyDocument." }, "fqn": "@aws-cdk/aws-iam.PolicyDocumentProps", "kind": "interface", "locationInModule": { "filename": "lib/policy-document.ts", "line": 9 }, "name": "PolicyDocumentProps", "properties": [ { "abstract": true, "docs": { "default": "false", "stability": "stable", "summary": "Automatically assign Statement Ids to all statements." }, "immutable": true, "locationInModule": { "filename": "lib/policy-document.ts", "line": 15 }, "name": "assignSids", "optional": true, "type": { "primitive": "boolean" } }, { "abstract": true, "docs": { "default": "- false, unless the feature flag `@aws-cdk/aws-iam:minimizePolicies` is set", "remarks": "To avoid overrunning the maximum policy size, combine statements if they produce\nthe same result. 
Merging happens according to the following rules:\n\n- The Effect of both statements is the same\n- Neither of the statements have a 'Sid'\n- Combine Principals if the rest of the statement is exactly the same.\n- Combine Resources if the rest of the statement is exactly the same.\n- Combine Actions if the rest of the statement is exactly the same.\n- We will never combine NotPrincipals, NotResources or NotActions, because doing\n so would change the meaning of the policy document.", "stability": "stable", "summary": "Try to minimize the policy by merging statements." }, "immutable": true, "locationInModule": { "filename": "lib/policy-document.ts", "line": 40 }, "name": "minimize", "optional": true, "type": { "primitive": "boolean" } }, { "abstract": true, "docs": { "default": "- No statements", "stability": "stable", "summary": "Initial statements to add to the policy document." }, "immutable": true, "locationInModule": { "filename": "lib/policy-document.ts", "line": 22 }, "name": "statements", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" }, "kind": "array" } } } ], "symbolId": "lib/policy-document:PolicyDocumentProps" }, "@aws-cdk/aws-iam.PolicyProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "infused" }, "example": "declare const postAuthFn: lambda.Function;\n\nconst userpool = new cognito.UserPool(this, 'myuserpool', {\n lambdaTriggers: {\n postAuthentication: postAuthFn,\n },\n});\n\n// provide permissions to describe the user pool scoped to the ARN the user pool\npostAuthFn.role?.attachInlinePolicy(new iam.Policy(this, 'userpool-policy', {\n statements: [new iam.PolicyStatement({\n actions: ['cognito-idp:DescribeUserPool'],\n resources: [userpool.userPoolArn],\n })],\n}));", "stability": "stable", "summary": "Properties for defining an IAM inline policy document." 
}, "fqn": "@aws-cdk/aws-iam.PolicyProps", "kind": "interface", "locationInModule": { "filename": "lib/policy.ts", "line": 28 }, "name": "PolicyProps", "properties": [ { "abstract": true, "docs": { "default": "- An empty policy.", "remarks": "If omitted, any\n`PolicyStatement` provided in the `statements` property will be applied\nagainst the empty default `PolicyDocument`.", "stability": "stable", "summary": "Initial PolicyDocument to use for this Policy." }, "immutable": true, "locationInModule": { "filename": "lib/policy.ts", "line": 94 }, "name": "document", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.PolicyDocument" } }, { "abstract": true, "docs": { "default": "false", "remarks": "Unless set to `true`, this `Policy` construct will not materialize to an\n`AWS::IAM::Policy` CloudFormation resource in case it would have no effect\n(for example, if it remains unattached to an IAM identity or if it has no\nstatements). This is generally desired behavior, since it prevents\ncreating invalid--and hence undeployable--CloudFormation templates.\n\nIn cases where you know the policy must be created and it is actually\nan error if no statements have been added to it, you can set this to `true`.", "stability": "stable", "summary": "Force creation of an `AWS::IAM::Policy`." }, "immutable": true, "locationInModule": { "filename": "lib/policy.ts", "line": 85 }, "name": "force", "optional": true, "type": { "primitive": "boolean" } }, { "abstract": true, "docs": { "default": "- No groups.", "remarks": "You can also use `attachToGroup(group)` to attach this policy to a group.", "stability": "stable", "summary": "Groups to attach this policy to."
}, "immutable": true, "locationInModule": { "filename": "lib/policy.ts", "line": 61 }, "name": "groups", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IGroup" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- Uses the logical ID of the policy resource, which is ensured\nto be unique within the stack.", "remarks": "If you specify multiple policies for an entity,\nspecify unique names. For example, if you specify a list of policies for\nan IAM role, each policy must have a unique name.", "stability": "stable", "summary": "The name of the policy." }, "immutable": true, "locationInModule": { "filename": "lib/policy.ts", "line": 37 }, "name": "policyName", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "default": "- No roles.", "remarks": "You can also use `attachToRole(role)` to attach this policy to a role.", "stability": "stable", "summary": "Roles to attach this policy to." }, "immutable": true, "locationInModule": { "filename": "lib/policy.ts", "line": 53 }, "name": "roles", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IRole" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- No statements.", "remarks": "You can also use `addStatements(...statement)` to add permissions later.", "stability": "stable", "summary": "Initial set of permissions to add to this policy document." }, "immutable": true, "locationInModule": { "filename": "lib/policy.ts", "line": 69 }, "name": "statements", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- No users.", "remarks": "You can also use `attachToUser(user)` to attach this policy to a user.", "stability": "stable", "summary": "Users to attach this policy to." 
}, "immutable": true, "locationInModule": { "filename": "lib/policy.ts", "line": 45 }, "name": "users", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IUser" }, "kind": "array" } } } ], "symbolId": "lib/policy:PolicyProps" }, "@aws-cdk/aws-iam.PolicyStatement": { "assembly": "@aws-cdk/aws-iam", "docs": { "custom": { "exampleMetadata": "lit=test/integ.vpc-endpoint.lit.ts infused" }, "example": " // Add gateway endpoints when creating the VPC\n const vpc = new ec2.Vpc(this, 'MyVpc', {\n gatewayEndpoints: {\n S3: {\n service: ec2.GatewayVpcEndpointAwsService.S3,\n },\n },\n });\n\n // Alternatively gateway endpoints can be added on the VPC\n const dynamoDbEndpoint = vpc.addGatewayEndpoint('DynamoDbEndpoint', {\n service: ec2.GatewayVpcEndpointAwsService.DYNAMODB,\n });\n\n // This allows to customize the endpoint policy\n dynamoDbEndpoint.addToPolicy(\n new iam.PolicyStatement({ // Restrict to listing and describing tables\n principals: [new iam.AnyPrincipal()],\n actions: ['dynamodb:DescribeTable', 'dynamodb:ListTables'],\n resources: ['*'],\n }));\n\n // Add an interface endpoint\n vpc.addInterfaceEndpoint('EcrDockerEndpoint', {\n service: ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,\n\n // Uncomment the following to allow more fine-grained control over\n // who can access the endpoint via the '.connections' object.\n // open: false\n });", "stability": "stable", "summary": "Represents a statement in an IAM policy document." 
}, "fqn": "@aws-cdk/aws-iam.PolicyStatement", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 76 }, "parameters": [ { "name": "props", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatementProps" } } ] }, "kind": "class", "locationInModule": { "filename": "lib/policy-statement.ts", "line": 26 }, "methods": [ { "docs": { "remarks": "This will accept an object created from the `.toJSON()` call", "stability": "stable", "summary": "Creates a new PolicyStatement based on the object provided." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 33 }, "name": "fromJson", "parameters": [ { "docs": { "summary": "the PolicyStatement in object form." }, "name": "obj", "type": { "primitive": "any" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } }, "static": true }, { "docs": { "remarks": "This method can only be called once: subsequent calls will overwrite earlier calls.", "stability": "stable", "summary": "Add a condition that limits to a given account." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 356 }, "name": "addAccountCondition", "parameters": [ { "name": "accountId", "type": { "primitive": "string" } } ] }, { "docs": { "stability": "stable", "summary": "Adds an AWS account root user principal to this policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 239 }, "name": "addAccountRootPrincipal" }, { "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html", "stability": "stable", "summary": "Specify allowed actions into the \"Action\" section of the policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 110 }, "name": "addActions", "parameters": [ { "docs": { "summary": "actions that will be allowed." 
}, "name": "actions", "type": { "primitive": "string" }, "variadic": true } ], "variadic": true }, { "docs": { "stability": "stable", "summary": "Adds a ``\"*\"`` resource to this statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 296 }, "name": "addAllResources" }, { "docs": { "stability": "stable", "summary": "Adds all identities in all accounts (\"*\") to this policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 255 }, "name": "addAnyPrincipal" }, { "docs": { "remarks": "You cannot specify IAM groups and instance profiles as principals.", "stability": "stable", "summary": "Specify a principal using the ARN identifier of the principal." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 211 }, "name": "addArnPrincipal", "parameters": [ { "docs": { "summary": "ARN identifier of AWS account, IAM user, or IAM role (i.e. arn:aws:iam::123456789012:user/user-name)." }, "name": "arn", "type": { "primitive": "string" } } ] }, { "docs": { "stability": "stable", "summary": "Specify AWS account ID as the principal entity to the \"Principal\" section of a policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 201 }, "name": "addAwsAccountPrincipal", "parameters": [ { "name": "accountId", "type": { "primitive": "string" } } ] }, { "docs": { "stability": "stable", "summary": "Adds a canonical user ID principal to this policy document." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 248 }, "name": "addCanonicalUserPrincipal", "parameters": [ { "docs": { "summary": "unique identifier assigned by AWS for every account." }, "name": "canonicalUserId", "type": { "primitive": "string" } } ] }, { "docs": { "remarks": "If multiple calls are made to add a condition with the same operator and field, only\nthe last one wins. 
For example:\n\n```ts\ndeclare const stmt: iam.PolicyStatement;\n\nstmt.addCondition('StringEquals', { 'aws:SomeField': '1' });\nstmt.addCondition('StringEquals', { 'aws:SomeField': '2' });\n```\n\nWill end up with the single condition `StringEquals: { 'aws:SomeField': '2' }`.\n\nIf you meant to add a condition to say that the field can be *either* `1` or `2`, write\nthis:\n\n```ts\ndeclare const stmt: iam.PolicyStatement;\n\nstmt.addCondition('StringEquals', { 'aws:SomeField': ['1', '2'] });\n```", "stability": "stable", "summary": "Add a condition to the Policy." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 335 }, "name": "addCondition", "parameters": [ { "name": "key", "type": { "primitive": "string" } }, { "name": "value", "type": { "primitive": "any" } } ] }, { "docs": { "remarks": "See the `addCondition` function for a caveat on calling this method multiple times.", "stability": "stable", "summary": "Add multiple conditions to the Policy." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 345 }, "name": "addConditions", "parameters": [ { "name": "conditions", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ] }, { "docs": { "stability": "stable", "summary": "Adds a federated identity provider such as Amazon Cognito to this policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 232 }, "name": "addFederatedPrincipal", "parameters": [ { "docs": { "summary": "federated identity provider (i.e. 'cognito-identity.amazonaws.com')." }, "name": "federated", "type": { "primitive": "any" } }, { "docs": { "remarks": "See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).", "summary": "The conditions under which the policy is in effect." 
}, "name": "conditions", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ] }, { "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html", "stability": "stable", "summary": "Explicitly allow all actions except the specified list of actions into the \"NotAction\" section of the policy document." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 125 }, "name": "addNotActions", "parameters": [ { "docs": { "remarks": "All other actions will be permitted.", "summary": "actions that will be denied." }, "name": "notActions", "type": { "primitive": "string" }, "variadic": true } ], "variadic": true }, { "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html", "stability": "stable", "summary": "Specify principals that are not allowed or denied access to the \"NotPrincipal\" section of a policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 180 }, "name": "addNotPrincipals", "parameters": [ { "docs": { "summary": "IAM principals that will be denied access." }, "name": "notPrincipals", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" }, "variadic": true } ], "variadic": true }, { "docs": { "remarks": "All resources except the specified list will be matched.", "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html", "stability": "stable", "summary": "Specify resources that this policy statement will not apply to in the \"NotResource\" section of this policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 286 }, "name": "addNotResources", "parameters": [ { "docs": { "summary": "Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to." 
}, "name": "arns", "type": { "primitive": "string" }, "variadic": true } ], "variadic": true }, { "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html", "stability": "stable", "summary": "Adds principals to the \"Principal\" section of a policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 150 }, "name": "addPrincipals", "parameters": [ { "docs": { "summary": "IAM principals that will be added." }, "name": "principals", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" }, "variadic": true } ], "variadic": true }, { "docs": { "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html", "stability": "stable", "summary": "Specify resources that this policy statement applies to in the \"Resource\" section of this policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 271 }, "name": "addResources", "parameters": [ { "docs": { "summary": "Amazon Resource Names (ARNs) of the resources that this policy statement applies to." }, "name": "arns", "type": { "primitive": "string" }, "variadic": true } ], "variadic": true }, { "docs": { "stability": "stable", "summary": "Adds a service principal to this policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 221 }, "name": "addServicePrincipal", "parameters": [ { "docs": { "summary": "the service name for which a service principal is requested (e.g: `s3.amazonaws.com`)." }, "name": "service", "type": { "primitive": "string" } }, { "docs": { "summary": "options for adding the service principal (such as specifying a principal in a different region)." }, "name": "opts", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.ServicePrincipalOpts" } } ] }, { "docs": { "stability": "stable", "summary": "Create a new `PolicyStatement` with the same exact properties as this one, except for the overrides." 
}, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 364 }, "name": "copy", "parameters": [ { "name": "overrides", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatementProps" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } }, { "docs": { "remarks": "Used when JSON.stringify() is called", "stability": "stable", "summary": "JSON-ify the statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 412 }, "name": "toJSON", "returns": { "type": { "primitive": "any" } } }, { "docs": { "remarks": "Used when JSON.stringify() is called", "stability": "stable", "summary": "JSON-ify the policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 384 }, "name": "toStatementJson", "returns": { "type": { "primitive": "any" } } }, { "docs": { "stability": "stable", "summary": "String representation of this policy statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 401 }, "name": "toString", "returns": { "type": { "primitive": "string" } } }, { "docs": { "stability": "stable", "summary": "Validate that the policy statement satisfies base requirements for a policy." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 446 }, "name": "validateForAnyPolicy", "returns": { "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } }, { "docs": { "stability": "stable", "summary": "Validate that the policy statement satisfies all requirements for an identity-based policy." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 468 }, "name": "validateForIdentityPolicy", "returns": { "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } }, { "docs": { "stability": "stable", "summary": "Validate that the policy statement satisfies all requirements for a resource-based policy." 
}, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 457 }, "name": "validateForResourcePolicy", "returns": { "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } } ], "name": "PolicyStatement", "properties": [ { "docs": { "stability": "stable", "summary": "Indicates if this permission has a \"Principal\" section." }, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 139 }, "name": "hasPrincipal", "type": { "primitive": "boolean" } }, { "docs": { "stability": "stable", "summary": "Indicates if this permission has at least one resource associated with it." }, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 303 }, "name": "hasResource", "type": { "primitive": "boolean" } }, { "docs": { "stability": "stable", "summary": "Expose principals to allow their ARNs to be replaced by account ID strings in policy statements for resources policies that don't allow full account ARNs, such as AWS::Logs::ResourcePolicy." }, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 168 }, "name": "principals", "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IPrincipal" }, "kind": "array" } } }, { "docs": { "stability": "stable", "summary": "Whether to allow or deny the actions in this statement." }, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 62 }, "name": "effect", "type": { "fqn": "@aws-cdk/aws-iam.Effect" } }, { "docs": { "stability": "stable", "summary": "Statement ID for this statement." 
}, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 58 }, "name": "sid", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/policy-statement:PolicyStatement" }, "@aws-cdk/aws-iam.PolicyStatementProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "lit=test/integ.vpc-endpoint.lit.ts infused" }, "example": " // Add gateway endpoints when creating the VPC\n const vpc = new ec2.Vpc(this, 'MyVpc', {\n gatewayEndpoints: {\n S3: {\n service: ec2.GatewayVpcEndpointAwsService.S3,\n },\n },\n });\n\n // Alternatively gateway endpoints can be added on the VPC\n const dynamoDbEndpoint = vpc.addGatewayEndpoint('DynamoDbEndpoint', {\n service: ec2.GatewayVpcEndpointAwsService.DYNAMODB,\n });\n\n // This allows to customize the endpoint policy\n dynamoDbEndpoint.addToPolicy(\n new iam.PolicyStatement({ // Restrict to listing and describing tables\n principals: [new iam.AnyPrincipal()],\n actions: ['dynamodb:DescribeTable', 'dynamodb:ListTables'],\n resources: ['*'],\n }));\n\n // Add an interface endpoint\n vpc.addInterfaceEndpoint('EcrDockerEndpoint', {\n service: ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,\n\n // Uncomment the following to allow more fine-grained control over\n // who can access the endpoint via the '.connections' object.\n // open: false\n });", "stability": "stable", "summary": "Interface for creating a policy statement." }, "fqn": "@aws-cdk/aws-iam.PolicyStatementProps", "kind": "interface", "locationInModule": { "filename": "lib/policy-statement.ts", "line": 532 }, "name": "PolicyStatementProps", "properties": [ { "abstract": true, "docs": { "default": "- no actions", "stability": "stable", "summary": "List of actions to add to the statement." 
}, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 549 }, "name": "actions", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- no condition", "stability": "stable", "summary": "Conditions to add to the statement." }, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 591 }, "name": "conditions", "optional": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "abstract": true, "docs": { "default": "Effect.ALLOW", "stability": "stable", "summary": "Whether to allow or deny the actions in this statement." }, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 598 }, "name": "effect", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.Effect" } }, { "abstract": true, "docs": { "default": "- no not-actions", "stability": "stable", "summary": "List of not actions to add to the statement." }, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 556 }, "name": "notActions", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- no not principals", "stability": "stable", "summary": "List of not principals to add to the statement." }, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 570 }, "name": "notPrincipals", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IPrincipal" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- no not-resources", "stability": "stable", "summary": "NotResource ARNs to add to the statement." 
}, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 584 }, "name": "notResources", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- no principals", "stability": "stable", "summary": "List of principals to add to the statement." }, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 563 }, "name": "principals", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IPrincipal" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- no resources", "stability": "stable", "summary": "Resource ARNs to add to the statement." }, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 577 }, "name": "resources", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- no sid", "remarks": "You can assign a Sid value to each statement in a\nstatement array. In services that let you specify an ID element, such as\nSQS and SNS, the Sid value is just a sub-ID of the policy document's ID. In\nIAM, the Sid value must be unique within a JSON policy.", "stability": "stable", "summary": "The Sid (statement ID) is an optional identifier that you provide for the policy statement." 
}, "immutable": true, "locationInModule": { "filename": "lib/policy-statement.ts", "line": 542 }, "name": "sid", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/policy-statement:PolicyStatementProps" }, "@aws-cdk/aws-iam.PrincipalBase": { "abstract": true, "assembly": "@aws-cdk/aws-iam", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const tagParam = new CfnParameter(this, 'TagName');\n\nconst stringEquals = new CfnJson(this, 'ConditionJson', {\n value: {\n [`aws:PrincipalTag/${tagParam.valueAsString}`]: true,\n },\n});\n\nconst principal = new iam.AccountRootPrincipal().withConditions({\n StringEquals: stringEquals,\n});\n\nnew iam.Role(this, 'MyRole', { assumedBy: principal });", "stability": "stable", "summary": "Base class for policy principals." }, "fqn": "@aws-cdk/aws-iam.PrincipalBase", "initializer": { "docs": { "stability": "stable" } }, "interfaces": [ "@aws-cdk/aws-iam.IAssumeRolePrincipal" ], "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 113 }, "methods": [ { "docs": { "remarks": "Add the statements to the AssumeRolePolicyDocument necessary to give this principal\npermissions to assume the given role.", "stability": "stable", "summary": "Add the principal to the AssumeRolePolicyDocument." }, "locationInModule": { "filename": "lib/principals.ts", "line": 137 }, "name": "addToAssumeRolePolicy", "overrides": "@aws-cdk/aws-iam.IAssumeRolePrincipal", "parameters": [ { "name": "document", "type": { "fqn": "@aws-cdk/aws-iam.PolicyDocument" } } ] }, { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 127 }, "name": "addToPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "primitive": "boolean" } } }, { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." }, "locationInModule": { "filename": "lib/principals.ts", "line": 131 }, "name": "addToPrincipalPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "name": "_statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.AddToPrincipalPolicyResult" } } }, { "docs": { "remarks": "Used when JSON.stringify() is called", "stability": "stable", "summary": "JSON-ify the principal." }, "locationInModule": { "filename": "lib/principals.ts", "line": 156 }, "name": "toJSON", "returns": { "type": { "collection": { "elementtype": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } }, "kind": "map" } } } }, { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." }, "locationInModule": { "filename": "lib/principals.ts", "line": 145 }, "name": "toString", "returns": { "type": { "primitive": "string" } } }, { "docs": { "remarks": "When there is a value for the same operator and key in both the principal and the\nconditions parameter, the value from the conditions parameter will be used.", "returns": "a new PrincipalWithConditions object.", "stability": "stable", "summary": "Returns a new PrincipalWithConditions using this principal as the base, with the passed conditions added." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 170 }, "name": "withConditions", "parameters": [ { "name": "conditions", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.PrincipalBase" } } }, { "docs": { "returns": "a new SessionTagsPrincipal object.", "stability": "stable", "summary": "Returns a new principal using this principal as the base, with session tags enabled." }, "locationInModule": { "filename": "lib/principals.ts", "line": 179 }, "name": "withSessionTags", "returns": { "type": { "fqn": "@aws-cdk/aws-iam.PrincipalBase" } } } ], "name": "PrincipalBase", "properties": [ { "docs": { "stability": "stable", "summary": "When this Principal is used in an AssumeRole policy, the action to use." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 125 }, "name": "assumeRoleAction", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "The principal to grant permissions to." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 114 }, "name": "grantPrincipal", "overrides": "@aws-cdk/aws-iam.IGrantable", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "abstract": true, "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 120 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } }, { "docs": { "remarks": "Can be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.", "stability": "stable", "summary": "The AWS account ID of this principal." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 115 }, "name": "principalAccount", "optional": true, "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "primitive": "string" } } ], "symbolId": "lib/principals:PrincipalBase" }, "@aws-cdk/aws-iam.PrincipalPolicyFragment": { "assembly": "@aws-cdk/aws-iam", "docs": { "remarks": "This consists of the JSON used in the \"Principal\" field, and optionally a\nset of \"Condition\"s that need to be applied to the policy.\n\nGenerally, a principal looks like:\n\n { '': ['ID', 'ID', ...] }\n\nAnd this is also the type of the field `principalJson`. However, there is a\nspecial type of principal that is just the string '*', which is treated\ndifferently by some services. To represent that principal, `principalJson`\nshould contain `{ 'LiteralString': ['*'] }`.", "stability": "stable", "summary": "A collection of the fields in a PolicyStatement that can be used to identify a principal.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const conditions: any;\nconst principalPolicyFragment = new iam.PrincipalPolicyFragment({\n principalJsonKey: ['principalJson'],\n}, /* all optional props */ {\n conditionsKey: conditions,\n});", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 338 }, "parameters": [ { "docs": { "summary": "JSON of the \"Principal\" section in a policy statement." 
}, "name": "principalJson", "type": { "collection": { "elementtype": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } }, "kind": "map" } } }, { "docs": { "remarks": "See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).\nconditions that need to be applied to this policy", "summary": "The conditions under which the policy is in effect." }, "name": "conditions", "optional": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 332 }, "name": "PrincipalPolicyFragment", "properties": [ { "docs": { "remarks": "See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).\nconditions that need to be applied to this policy", "stability": "stable", "summary": "The conditions under which the policy is in effect." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 344 }, "name": "conditions", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "stability": "stable", "summary": "JSON of the \"Principal\" section in a policy statement." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 339 }, "name": "principalJson", "type": { "collection": { "elementtype": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } }, "kind": "map" } } } ], "symbolId": "lib/principals:PrincipalPolicyFragment" }, "@aws-cdk/aws-iam.PrincipalWithConditions": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.PrincipalBase", "docs": { "remarks": "For more information about conditions, see:\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html", "stability": "stable", "summary": "An IAM principal with additional conditions specifying when the policy is in effect.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const conditions: any;\ndeclare const principal: iam.IPrincipal;\nconst principalWithConditions = new iam.PrincipalWithConditions(principal, {\n conditionsKey: conditions,\n});", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.PrincipalWithConditions", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 214 }, "parameters": [ { "name": "principal", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "name": "conditions", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 211 }, "methods": [ { "docs": { "stability": "stable", "summary": "Add a condition to the principal." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 222 }, "name": "addCondition", "parameters": [ { "name": "key", "type": { "primitive": "string" } }, { "name": "value", "type": { "primitive": "any" } } ] }, { "docs": { "remarks": "Values from the conditions parameter will overwrite existing values with the same operator\nand key.", "stability": "stable", "summary": "Adds multiple conditions to the principal." }, "locationInModule": { "filename": "lib/principals.ts", "line": 233 }, "name": "addConditions", "parameters": [ { "name": "conditions", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ] }, { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." }, "locationInModule": { "filename": "lib/principals.ts", "line": 197 }, "name": "addToPolicy", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "primitive": "boolean" } } }, { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." }, "locationInModule": { "filename": "lib/principals.ts", "line": 200 }, "name": "addToPrincipalPolicy", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.AddToPrincipalPolicyResult" } } }, { "docs": { "remarks": "Used when JSON.stringify() is called", "stability": "stable", "summary": "JSON-ify the principal." }, "locationInModule": { "filename": "lib/principals.ts", "line": 260 }, "name": "toJSON", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "returns": { "type": { "collection": { "elementtype": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } }, "kind": "map" } } } }, { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 251 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "returns": { "type": { "primitive": "string" } } } ], "name": "PrincipalWithConditions", "properties": [ { "docs": { "stability": "stable", "summary": "When this Principal is used in an AssumeRole policy, the action to use." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 188 }, "name": "assumeRoleAction", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "primitive": "string" } }, { "docs": { "remarks": "See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).", "stability": "stable", "summary": "The conditions under which the policy is in effect." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 243 }, "name": "conditions", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 247 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } }, { "docs": { "remarks": "Can be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.", "stability": "stable", "summary": "The AWS account ID of this principal." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 189 }, "name": "principalAccount", "optional": true, "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "primitive": "string" } } ], "symbolId": "lib/principals:PrincipalWithConditions" }, "@aws-cdk/aws-iam.Role": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.Resource", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const lambdaRole = new iam.Role(this, 'Role', {\n assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),\n description: 'Example role...',\n});\n\nconst stream = new kinesis.Stream(this, 'MyEncryptedStream', {\n encryption: kinesis.StreamEncryption.KMS,\n});\n\n// give lambda permissions to read stream\nstream.grantRead(lambdaRole);", "remarks": "Defines an IAM role. The role is created with an assume policy document associated with\nthe specified AWS service principal defined in `serviceAssumeRole`.", "stability": "stable", "summary": "IAM Role." }, "fqn": "@aws-cdk/aws-iam.Role", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/role.ts", "line": 336 }, "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.RoleProps" } } ] }, "interfaces": [ "@aws-cdk/aws-iam.IRole" ], "kind": "class", "locationInModule": { "filename": "lib/role.ts", "line": 170 }, "methods": [ { "docs": { "remarks": "If the imported Role ARN is a Token (such as a\n`CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced\nrole has a `path` (like `arn:...:role/AdminRoles/Alice`), the\n`roleName` property will not resolve to the correct value. Instead it\nwill resolve to the first path component. We unfortunately cannot express\nthe correct calculation of the full path name as a CloudFormation\nexpression. 
In this scenario the Role ARN should be supplied without the\n`path` in order to resolve the correct role resource.", "stability": "stable", "summary": "Import an external role by ARN." }, "locationInModule": { "filename": "lib/role.ts", "line": 188 }, "name": "fromRoleArn", "parameters": [ { "docs": { "summary": "construct scope." }, "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "docs": { "summary": "construct id." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "the ARN of the role to import." }, "name": "roleArn", "type": { "primitive": "string" } }, { "docs": { "summary": "allow customizing the behavior of the returned role." }, "name": "options", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.FromRoleArnOptions" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IRole" } }, "static": true }, { "docs": { "remarks": "The imported role is assumed to exist in the same account as the account\nthe scope's containing Stack is being deployed to.", "stability": "stable", "summary": "Import an external role by name." }, "locationInModule": { "filename": "lib/role.ts", "line": 283 }, "name": "fromRoleName", "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "roleName", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IRole" } }, "static": true }, { "docs": { "stability": "stable", "summary": "Attaches a managed policy to this role." }, "locationInModule": { "filename": "lib/role.ts", "line": 415 }, "name": "addManagedPolicy", "overrides": "@aws-cdk/aws-iam.IIdentity", "parameters": [ { "docs": { "summary": "The managed policy to attach." }, "name": "policy", "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } } ] }, { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." 
}, "locationInModule": { "filename": "lib/role.ts", "line": 407 }, "name": "addToPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "primitive": "boolean" } } }, { "docs": { "remarks": "If there is no default policy attached to this role, it will be created.", "stability": "stable", "summary": "Adds a permission to the role's default policy document." }, "locationInModule": { "filename": "lib/role.ts", "line": 398 }, "name": "addToPrincipalPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "docs": { "summary": "The permission statement to add to the policy document." }, "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.AddToPrincipalPolicyResult" } } }, { "docs": { "stability": "stable", "summary": "Attaches a policy to this role." }, "locationInModule": { "filename": "lib/role.ts", "line": 424 }, "name": "attachInlinePolicy", "overrides": "@aws-cdk/aws-iam.IIdentity", "parameters": [ { "docs": { "summary": "The policy to attach." }, "name": "policy", "type": { "fqn": "@aws-cdk/aws-iam.Policy" } } ] }, { "docs": { "stability": "stable", "summary": "Grant the actions defined in actions to the identity Principal on this resource." }, "locationInModule": { "filename": "lib/role.ts", "line": 432 }, "name": "grant", "overrides": "@aws-cdk/aws-iam.IRole", "parameters": [ { "name": "grantee", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "name": "actions", "type": { "primitive": "string" }, "variadic": true } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.Grant" } }, "variadic": true }, { "docs": { "stability": "stable", "summary": "Grant permissions to the given principal to pass this role." 
}, "locationInModule": { "filename": "lib/role.ts", "line": 444 }, "name": "grantPassRole", "overrides": "@aws-cdk/aws-iam.IRole", "parameters": [ { "name": "identity", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.Grant" } } }, { "docs": { "remarks": "This method can be implemented by derived constructs in order to perform\nvalidation logic. It is called on all constructs before synthesis.", "stability": "stable", "summary": "Validate the current construct." }, "locationInModule": { "filename": "lib/role.ts", "line": 465 }, "name": "validate", "overrides": "@aws-cdk/core.Construct", "protected": true, "returns": { "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } } }, { "docs": { "remarks": "Use the object returned by this method if you want this Role to be used by\na construct without it automatically updating the Role's Policies.\n\nIf you do, you are responsible for adding the correct statements to the\nRole's policies yourself.", "stability": "stable", "summary": "Return a copy of this Role object whose Policies will not be updated." }, "locationInModule": { "filename": "lib/role.ts", "line": 457 }, "name": "withoutPolicyUpdates", "parameters": [ { "name": "options", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.WithoutPolicyUpdatesOptions" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IRole" } } } ], "name": "Role", "properties": [ { "docs": { "stability": "stable", "summary": "When this Principal is used in an AssumeRole policy, the action to use." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 295 }, "name": "assumeRoleAction", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "The principal to grant permissions to." 
}, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 292 }, "name": "grantPrincipal", "overrides": "@aws-cdk/aws-iam.IGrantable", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "docs": { "stability": "stable", "summary": "Returns the role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 323 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } }, { "docs": { "stability": "stable", "summary": "Returns the ARN of this role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 305 }, "name": "roleArn", "overrides": "@aws-cdk/aws-iam.IRole", "type": { "primitive": "string" } }, { "docs": { "custom": { "attribute": "true" }, "remarks": "For example,\nAIDAJQABLZS4A3QDU576Q.", "stability": "stable", "summary": "Returns the stable and unique string identifying the role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 313 }, "name": "roleId", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "Returns the name of the role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 318 }, "name": "roleName", "overrides": "@aws-cdk/aws-iam.IRole", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "The assume role policy document associated with this role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 300 }, "name": "assumeRolePolicy", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.PolicyDocument" } }, { "docs": { "stability": "stable", "summary": "Returns the permissions boundary attached to this role." 
}, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 328 }, "name": "permissionsBoundary", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } }, { "docs": { "remarks": "Can be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.", "stability": "stable", "summary": "The AWS account ID of this principal." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 293 }, "name": "principalAccount", "optional": true, "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "primitive": "string" } } ], "symbolId": "lib/role:Role" }, "@aws-cdk/aws-iam.RoleProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const lambdaRole = new iam.Role(this, 'Role', {\n assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),\n description: 'Example role...',\n});\n\nconst stream = new kinesis.Stream(this, 'MyEncryptedStream', {\n encryption: kinesis.StreamEncryption.KMS,\n});\n\n// give lambda permissions to read stream\nstream.grantRead(lambdaRole);", "stability": "stable", "summary": "Properties for defining an IAM Role." }, "fqn": "@aws-cdk/aws-iam.RoleProps", "kind": "interface", "locationInModule": { "filename": "lib/role.ts", "line": 19 }, "name": "RoleProps", "properties": [ { "abstract": true, "docs": { "remarks": "You can later modify the assume role policy document by accessing it via\nthe `assumeRolePolicy` property.", "stability": "stable", "summary": "The IAM principal (i.e. `new ServicePrincipal('sns.amazonaws.com')`) which can assume this role." 
}, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 27 }, "name": "assumedBy", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "abstract": true, "docs": { "default": "- No description.", "remarks": "It can be up to 1000 characters long.", "stability": "stable", "summary": "A description of the role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 137 }, "name": "description", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "default": "No external ID required", "deprecated": "see {@link externalIds}", "remarks": "If the configured and provided external IDs do not match, the\nAssumeRole operation will fail.", "stability": "deprecated", "summary": "ID that the role assumer needs to provide when assuming this role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 39 }, "name": "externalId", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "default": "No external ID required", "remarks": "If the configured and provided external IDs do not match, the\nAssumeRole operation will fail.", "stability": "stable", "summary": "List of IDs that the role assumer needs to provide one of when assuming this role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 49 }, "name": "externalIds", "optional": true, "type": { "collection": { "elementtype": { "primitive": "string" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- No policy is inlined in the Role resource.", "remarks": "These policies will be\ncreated with the role, whereas those added by ``addToPolicy`` are added\nusing a separate CloudFormation resource (allowing a way around circular\ndependencies that could otherwise be introduced).", "stability": "stable", "summary": "A list of named policies to inline into this role." 
}, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 69 }, "name": "inlinePolicies", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.PolicyDocument" }, "kind": "map" } } }, { "abstract": true, "docs": { "default": "- No managed policies.", "remarks": "You can add managed policies later using\n`addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.", "stability": "stable", "summary": "A list of managed policies associated with this role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 59 }, "name": "managedPolicies", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" }, "kind": "array" } } }, { "abstract": true, "docs": { "custom": { "link": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html" }, "default": "Duration.hours(1)", "remarks": "This setting can have a value from 1 hour (3600sec) to 12 (43200sec) hours.\n\nAnyone who assumes the role from the AWS CLI or API can use the\nDurationSeconds API parameter or the duration-seconds CLI parameter to\nrequest a longer session. The MaxSessionDuration setting determines the\nmaximum duration that can be requested using the DurationSeconds\nparameter.\n\nIf users don't specify a value for the DurationSeconds parameter, their\nsecurity credentials are valid for one hour by default. This applies when\nyou use the AssumeRole* API operations or the assume-role* CLI operations\nbut does not apply when you use those operations to create a console URL.", "stability": "stable", "summary": "The maximum session duration that you want to set for the specified role." 
}, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 130 }, "name": "maxSessionDuration", "optional": true, "type": { "fqn": "@aws-cdk/core.Duration" } }, { "abstract": true, "docs": { "default": "/", "remarks": "For information about IAM paths, see\nFriendly Names and Paths in IAM User Guide.", "stability": "stable", "summary": "The path associated with this role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 77 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html" }, "default": "- No permissions boundary.", "remarks": "A permissions boundary is an advanced feature for using a managed policy\nto set the maximum permissions that an identity-based policy can grant to\nan IAM entity. An entity's permissions boundary allows it to perform only\nthe actions that are allowed by both its identity-based policies and its\npermissions boundaries.", "stability": "stable", "summary": "AWS supports permissions boundaries for IAM entities (users or roles)." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 92 }, "name": "permissionsBoundary", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } }, { "abstract": true, "docs": { "default": "- AWS CloudFormation generates a unique physical ID and uses that ID\nfor the role name.", "remarks": "For valid values, see the RoleName parameter for\nthe CreateRole action in the IAM API Reference.\n\nIMPORTANT: If you specify a name, you cannot perform updates that require\nreplacement of this resource. You can perform updates that require no or\nsome interruption. If you must replace the resource, specify a new name.\n\nIf you specify a name, you must specify the CAPABILITY_NAMED_IAM value to\nacknowledge your template's capabilities. 
For more information, see\nAcknowledging IAM Resources in AWS CloudFormation Templates.", "stability": "stable", "summary": "A name for the IAM role." }, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 109 }, "name": "roleName", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/role:RoleProps" }, "@aws-cdk/aws-iam.SamlConsolePrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.SamlPrincipal", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const provider = new iam.SamlProvider(this, 'Provider', {\n metadataDocument: iam.SamlMetadataDocument.fromFile('/path/to/saml-metadata-document.xml'),\n});\nnew iam.Role(this, 'Role', {\n assumedBy: new iam.SamlConsolePrincipal(provider),\n});", "stability": "stable", "summary": "Principal entity that represents a SAML federated identity provider for programmatic and AWS Management Console access." }, "fqn": "@aws-cdk/aws-iam.SamlConsolePrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 611 }, "parameters": [ { "name": "samlProvider", "type": { "fqn": "@aws-cdk/aws-iam.ISamlProvider" } }, { "name": "conditions", "optional": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 610 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 620 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.SamlPrincipal", "returns": { "type": { "primitive": "string" } } } ], "name": "SamlConsolePrincipal", "symbolId": "lib/principals:SamlConsolePrincipal" }, "@aws-cdk/aws-iam.SamlMetadataDocument": { "abstract": true, "assembly": "@aws-cdk/aws-iam", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const provider = new iam.SamlProvider(this, 'Provider', {\n metadataDocument: iam.SamlMetadataDocument.fromFile('/path/to/saml-metadata-document.xml'),\n});\nconst principal = new iam.SamlPrincipal(provider, {\n StringEquals: {\n 'SAML:iss': 'issuer',\n },\n});", "stability": "stable", "summary": "A SAML metadata document." }, "fqn": "@aws-cdk/aws-iam.SamlMetadataDocument", "initializer": { "docs": { "stability": "stable" } }, "kind": "class", "locationInModule": { "filename": "lib/saml-provider.ts", "line": 49 }, "methods": [ { "docs": { "stability": "stable", "summary": "Create a SAML metadata document from an XML file." }, "locationInModule": { "filename": "lib/saml-provider.ts", "line": 60 }, "name": "fromFile", "parameters": [ { "name": "path", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.SamlMetadataDocument" } }, "static": true }, { "docs": { "stability": "stable", "summary": "Create a SAML metadata document from an XML string." }, "locationInModule": { "filename": "lib/saml-provider.ts", "line": 53 }, "name": "fromXml", "parameters": [ { "name": "xml", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.SamlMetadataDocument" } }, "static": true } ], "name": "SamlMetadataDocument", "properties": [ { "abstract": true, "docs": { "stability": "stable", "summary": "The XML content of the metadata document." 
}, "immutable": true, "locationInModule": { "filename": "lib/saml-provider.ts", "line": 67 }, "name": "xml", "type": { "primitive": "string" } } ], "symbolId": "lib/saml-provider:SamlMetadataDocument" }, "@aws-cdk/aws-iam.SamlPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.FederatedPrincipal", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const provider = new iam.SamlProvider(this, 'Provider', {\n metadataDocument: iam.SamlMetadataDocument.fromFile('/path/to/saml-metadata-document.xml'),\n});\nconst principal = new iam.SamlPrincipal(provider, {\n StringEquals: {\n 'SAML:iss': 'issuer',\n },\n});", "stability": "stable", "summary": "Principal entity that represents a SAML federated identity provider." }, "fqn": "@aws-cdk/aws-iam.SamlPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 597 }, "parameters": [ { "name": "samlProvider", "type": { "fqn": "@aws-cdk/aws-iam.ISamlProvider" } }, { "name": "conditions", "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 596 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 601 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.FederatedPrincipal", "returns": { "type": { "primitive": "string" } } } ], "name": "SamlPrincipal", "symbolId": "lib/principals:SamlPrincipal" }, "@aws-cdk/aws-iam.SamlProvider": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.Resource", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const provider = new iam.SamlProvider(this, 'Provider', {\n metadataDocument: iam.SamlMetadataDocument.fromFile('/path/to/saml-metadata-document.xml'),\n});\nnew iam.Role(this, 'Role', {\n assumedBy: new iam.SamlConsolePrincipal(provider),\n});", "stability": "stable", "summary": "A SAML provider." }, "fqn": "@aws-cdk/aws-iam.SamlProvider", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/saml-provider.ts", "line": 86 }, "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.SamlProviderProps" } } ] }, "interfaces": [ "@aws-cdk/aws-iam.ISamlProvider" ], "kind": "class", "locationInModule": { "filename": "lib/saml-provider.ts", "line": 73 }, "methods": [ { "docs": { "stability": "stable", "summary": "Import an existing provider." }, "locationInModule": { "filename": "lib/saml-provider.ts", "line": 77 }, "name": "fromSamlProviderArn", "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "samlProviderArn", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.ISamlProvider" } }, "static": true } ], "name": "SamlProvider", "properties": [ { "docs": { "stability": "stable", "summary": "The Amazon Resource Name (ARN) of the provider." 
}, "immutable": true, "locationInModule": { "filename": "lib/saml-provider.ts", "line": 84 }, "name": "samlProviderArn", "overrides": "@aws-cdk/aws-iam.ISamlProvider", "type": { "primitive": "string" } } ], "symbolId": "lib/saml-provider:SamlProvider" }, "@aws-cdk/aws-iam.SamlProviderProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const provider = new iam.SamlProvider(this, 'Provider', {\n metadataDocument: iam.SamlMetadataDocument.fromFile('/path/to/saml-metadata-document.xml'),\n});\nnew iam.Role(this, 'Role', {\n assumedBy: new iam.SamlConsolePrincipal(provider),\n});", "stability": "stable", "summary": "Properties for a SAML provider." }, "fqn": "@aws-cdk/aws-iam.SamlProviderProps", "kind": "interface", "locationInModule": { "filename": "lib/saml-provider.ts", "line": 21 }, "name": "SamlProviderProps", "properties": [ { "abstract": true, "docs": { "stability": "stable", "summary": "An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP." }, "immutable": true, "locationInModule": { "filename": "lib/saml-provider.ts", "line": 43 }, "name": "metadataDocument", "type": { "fqn": "@aws-cdk/aws-iam.SamlMetadataDocument" } }, { "abstract": true, "docs": { "default": "- a CloudFormation generated name", "remarks": "This parameter allows a string of characters consisting of upper and\nlowercase alphanumeric characters with no spaces. You can also include\nany of the following characters: _+=,.@-\n\nLength must be between 1 and 128 characters.", "stability": "stable", "summary": "The name of the provider to create." 
}, "immutable": true, "locationInModule": { "filename": "lib/saml-provider.ts", "line": 33 }, "name": "name", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/saml-provider:SamlProviderProps" }, "@aws-cdk/aws-iam.ServicePrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.PrincipalBase", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const lambdaRole = new iam.Role(this, 'Role', {\n assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),\n description: 'Example role...',\n});\n\nconst stream = new kinesis.Stream(this, 'MyEncryptedStream', {\n encryption: kinesis.StreamEncryption.KMS,\n});\n\n// give lambda permissions to read stream\nstream.grantRead(lambdaRole);", "stability": "stable", "summary": "An IAM principal that represents an AWS service (i.e. sqs.amazonaws.com)." }, "fqn": "@aws-cdk/aws-iam.ServicePrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 433 }, "parameters": [ { "docs": { "summary": "AWS service (i.e. sqs.amazonaws.com)." }, "name": "service", "type": { "primitive": "string" } }, { "name": "opts", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.ServicePrincipalOpts" } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 428 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." }, "locationInModule": { "filename": "lib/principals.ts", "line": 445 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "returns": { "type": { "primitive": "string" } } } ], "name": "ServicePrincipal", "properties": [ { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 437 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } }, { "docs": { "stability": "stable", "summary": "AWS service (i.e. sqs.amazonaws.com)." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 433 }, "name": "service", "type": { "primitive": "string" } } ], "symbolId": "lib/principals:ServicePrincipal" }, "@aws-cdk/aws-iam.ServicePrincipalOpts": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "stability": "stable", "summary": "Options for a service principal.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const conditions: any;\nconst servicePrincipalOpts: iam.ServicePrincipalOpts = {\n conditions: {\n conditionsKey: conditions,\n },\n region: 'region',\n};", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.ServicePrincipalOpts", "kind": "interface", "locationInModule": { "filename": "lib/principals.ts", "line": 408 }, "name": "ServicePrincipalOpts", "properties": [ { "abstract": true, "docs": { "default": "- No conditions", "stability": "stable", "summary": "Additional conditions to add to the Service Principal." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 422 }, "name": "conditions", "optional": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } }, { "abstract": true, "docs": { "default": "- the current Stack's region.", "deprecated": "You should not need to set this. The stack's region is always correct.", "stability": "deprecated", "summary": "The region in which the service is operating." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 415 }, "name": "region", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/principals:ServicePrincipalOpts" }, "@aws-cdk/aws-iam.SessionTagsPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.PrincipalBase", "docs": { "remarks": "For more information on session tags, see:\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html", "stability": "stable", "summary": "Enables session tags on role assumptions from a principal.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\n\ndeclare const principal: iam.IPrincipal;\nconst sessionTagsPrincipal = new iam.SessionTagsPrincipal(principal);", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.SessionTagsPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 300 }, "parameters": [ { "name": "principal", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 299 }, "methods": [ { "docs": { "remarks": "Add the statements to the AssumeRolePolicyDocument necessary to give this principal\npermissions to assume the given role.", "stability": "stable", "summary": "Add the principal to the AssumeRolePolicyDocument." }, "locationInModule": { "filename": "lib/principals.ts", "line": 304 }, "name": "addToAssumeRolePolicy", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "parameters": [ { "name": "doc", "type": { "fqn": "@aws-cdk/aws-iam.PolicyDocument" } } ] }, { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 197 }, "name": "addToPolicy", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "primitive": "boolean" } } }, { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." }, "locationInModule": { "filename": "lib/principals.ts", "line": 200 }, "name": "addToPrincipalPolicy", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.AddToPrincipalPolicyResult" } } } ], "name": "SessionTagsPrincipal", "properties": [ { "docs": { "stability": "stable", "summary": "When this Principal is used in an AssumeRole policy, the action to use." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 188 }, "name": "assumeRoleAction", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 195 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } }, { "docs": { "remarks": "Can be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.", "stability": "stable", "summary": "The AWS account ID of this principal." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 189 }, "name": "principalAccount", "optional": true, "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "primitive": "string" } } ], "symbolId": "lib/principals:SessionTagsPrincipal" }, "@aws-cdk/aws-iam.StarPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.PrincipalBase", "docs": { "remarks": "Some services behave differently when you specify `Principal: \"*\"`\nor `Principal: { AWS: \"*\" }` in their resource policy.\n\n`StarPrincipal` renders to `Principal: *`. Most of the time, you\nshould use `AnyPrincipal` instead.", "stability": "stable", "summary": "A principal that uses a literal '*' in the IAM JSON language.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst starPrincipal = new iam.StarPrincipal();", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.StarPrincipal", "initializer": { "docs": { "stability": "stable" } }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 673 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." }, "locationInModule": { "filename": "lib/principals.ts", "line": 679 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "returns": { "type": { "primitive": "string" } } } ], "name": "StarPrincipal", "properties": [ { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 674 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.PrincipalBase", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } } ], "symbolId": "lib/principals:StarPrincipal" }, "@aws-cdk/aws-iam.UnknownPrincipal": { "assembly": "@aws-cdk/aws-iam", "docs": { "remarks": "Some resources have roles associated with them which they assume, such as\nLambda Functions, CodeBuild projects, StepFunctions machines, etc.\n\nWhen those resources are imported, their actual roles are not always\nimported with them. When that happens, we use an instance of this class\ninstead, which will add user warnings when statements are attempted to be\nadded to it.", "stability": "stable", "summary": "A principal for use in resources that need to have a role but it's unknown.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nimport * as constructs from 'constructs';\n\ndeclare const construct: constructs.Construct;\nconst unknownPrincipal = new iam.UnknownPrincipal({\n resource: construct,\n});", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.UnknownPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/unknown-principal.ts", "line": 32 }, "parameters": [ { "name": "props", "type": { "fqn": "@aws-cdk/aws-iam.UnknownPrincipalProps" } } ] }, "interfaces": [ "@aws-cdk/aws-iam.IPrincipal" ], "kind": "class", "locationInModule": { "filename": "lib/unknown-principal.ts", "line": 27 }, "methods": [ { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." 
}, "locationInModule": { "filename": "lib/unknown-principal.ts", "line": 49 }, "name": "addToPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "primitive": "boolean" } } }, { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." }, "locationInModule": { "filename": "lib/unknown-principal.ts", "line": 41 }, "name": "addToPrincipalPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.AddToPrincipalPolicyResult" } } } ], "name": "UnknownPrincipal", "properties": [ { "docs": { "stability": "stable", "summary": "When this Principal is used in an AssumeRole policy, the action to use." }, "immutable": true, "locationInModule": { "filename": "lib/unknown-principal.ts", "line": 28 }, "name": "assumeRoleAction", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "The principal to grant permissions to." }, "immutable": true, "locationInModule": { "filename": "lib/unknown-principal.ts", "line": 29 }, "name": "grantPrincipal", "overrides": "@aws-cdk/aws-iam.IGrantable", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." 
}, "immutable": true, "locationInModule": { "filename": "lib/unknown-principal.ts", "line": 37 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } } ], "symbolId": "lib/unknown-principal:UnknownPrincipal" }, "@aws-cdk/aws-iam.UnknownPrincipalProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "stability": "stable", "summary": "Properties for an UnknownPrincipal.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nimport * as constructs from 'constructs';\n\ndeclare const construct: constructs.Construct;\nconst unknownPrincipalProps: iam.UnknownPrincipalProps = {\n resource: construct,\n};", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.UnknownPrincipalProps", "kind": "interface", "locationInModule": { "filename": "lib/unknown-principal.ts", "line": 9 }, "name": "UnknownPrincipalProps", "properties": [ { "abstract": true, "docs": { "stability": "stable", "summary": "The resource the role proxy is for." }, "immutable": true, "locationInModule": { "filename": "lib/unknown-principal.ts", "line": 13 }, "name": "resource", "type": { "fqn": "constructs.IConstruct" } } ], "symbolId": "lib/unknown-principal:UnknownPrincipalProps" }, "@aws-cdk/aws-iam.User": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/core.Resource", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const user = new iam.User(this, 'MyUser'); // or User.fromUserName(stack, 'User', 'johnsmith');\nconst group = new iam.Group(this, 'MyGroup'); // or Group.fromGroupArn(stack, 'Group', 'arn:aws:iam::account-id:group/group-name');\n\nuser.addToGroup(group);\n// or\ngroup.addUser(user);", "stability": "stable", "summary": "Define a new IAM user." 
}, "fqn": "@aws-cdk/aws-iam.User", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/user.ts", "line": 257 }, "parameters": [ { "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "name": "id", "type": { "primitive": "string" } }, { "name": "props", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.UserProps" } } ] }, "interfaces": [ "@aws-cdk/aws-iam.IIdentity", "@aws-cdk/aws-iam.IUser" ], "kind": "class", "locationInModule": { "filename": "lib/user.ts", "line": 137 }, "methods": [ { "docs": { "remarks": "If the ARN comes from a Token, the User cannot have a path; if so, any attempt\nto reference its username will fail.", "stability": "stable", "summary": "Import an existing user given a user ARN." }, "locationInModule": { "filename": "lib/user.ts", "line": 166 }, "name": "fromUserArn", "parameters": [ { "docs": { "summary": "construct scope." }, "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "docs": { "summary": "construct id." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "the ARN of an existing user to import." }, "name": "userArn", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IUser" } }, "static": true }, { "docs": { "remarks": "If the ARN comes from a Token, the User cannot have a path; if so, any attempt\nto reference its username will fail.", "stability": "stable", "summary": "Import an existing user given user attributes." }, "locationInModule": { "filename": "lib/user.ts", "line": 180 }, "name": "fromUserAttributes", "parameters": [ { "docs": { "summary": "construct scope." }, "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "docs": { "summary": "construct id." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "the attributes of the user to import." 
}, "name": "attrs", "type": { "fqn": "@aws-cdk/aws-iam.UserAttributes" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IUser" } }, "static": true }, { "docs": { "stability": "stable", "summary": "Import an existing user given a username." }, "locationInModule": { "filename": "lib/user.ts", "line": 145 }, "name": "fromUserName", "parameters": [ { "docs": { "summary": "construct scope." }, "name": "scope", "type": { "fqn": "constructs.Construct" } }, { "docs": { "summary": "construct id." }, "name": "id", "type": { "primitive": "string" } }, { "docs": { "summary": "the username of the existing user to import." }, "name": "userName", "type": { "primitive": "string" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.IUser" } }, "static": true }, { "docs": { "stability": "stable", "summary": "Attaches a managed policy to the user." }, "locationInModule": { "filename": "lib/user.ts", "line": 301 }, "name": "addManagedPolicy", "overrides": "@aws-cdk/aws-iam.IIdentity", "parameters": [ { "docs": { "summary": "The managed policy to attach." }, "name": "policy", "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } } ] }, { "docs": { "stability": "stable", "summary": "Adds this user to a group." }, "locationInModule": { "filename": "lib/user.ts", "line": 293 }, "name": "addToGroup", "overrides": "@aws-cdk/aws-iam.IUser", "parameters": [ { "name": "group", "type": { "fqn": "@aws-cdk/aws-iam.IGroup" } } ] }, { "docs": { "stability": "stable", "summary": "Add to the policy of this principal." }, "locationInModule": { "filename": "lib/user.ts", "line": 329 }, "name": "addToPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "primitive": "boolean" } } }, { "docs": { "returns": "true", "stability": "stable", "summary": "Adds an IAM statement to the default policy." 
}, "locationInModule": { "filename": "lib/user.ts", "line": 319 }, "name": "addToPrincipalPolicy", "overrides": "@aws-cdk/aws-iam.IPrincipal", "parameters": [ { "name": "statement", "type": { "fqn": "@aws-cdk/aws-iam.PolicyStatement" } } ], "returns": { "type": { "fqn": "@aws-cdk/aws-iam.AddToPrincipalPolicyResult" } } }, { "docs": { "stability": "stable", "summary": "Attaches a policy to this user." }, "locationInModule": { "filename": "lib/user.ts", "line": 309 }, "name": "attachInlinePolicy", "overrides": "@aws-cdk/aws-iam.IIdentity", "parameters": [ { "name": "policy", "type": { "fqn": "@aws-cdk/aws-iam.Policy" } } ] } ], "name": "User", "properties": [ { "docs": { "stability": "stable", "summary": "When this Principal is used in an AssumeRole policy, the action to use." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 231 }, "name": "assumeRoleAction", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "The principal to grant permissions to." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 229 }, "name": "grantPrincipal", "overrides": "@aws-cdk/aws-iam.IGrantable", "type": { "fqn": "@aws-cdk/aws-iam.IPrincipal" } }, { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 250 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } }, { "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "An attribute that represents the user's ARN." 
}, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 243 }, "name": "userArn", "overrides": "@aws-cdk/aws-iam.IUser", "type": { "primitive": "string" } }, { "docs": { "custom": { "attribute": "true" }, "stability": "stable", "summary": "An attribute that represents the user name." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 237 }, "name": "userName", "overrides": "@aws-cdk/aws-iam.IUser", "type": { "primitive": "string" } }, { "docs": { "stability": "stable", "summary": "Returns the permissions boundary attached to this user." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 248 }, "name": "permissionsBoundary", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } }, { "docs": { "remarks": "Can be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.", "stability": "stable", "summary": "The AWS account ID of this principal." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 230 }, "name": "principalAccount", "optional": true, "overrides": "@aws-cdk/aws-iam.IPrincipal", "type": { "primitive": "string" } } ], "symbolId": "lib/user:User" }, "@aws-cdk/aws-iam.UserAttributes": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const user = iam.User.fromUserAttributes(this, 'MyImportedUserByAttributes', {\n userArn: 'arn:aws:iam::123456789012:user/johnsmith',\n});", "stability": "stable", "summary": "Represents a user defined outside of this stack." }, "fqn": "@aws-cdk/aws-iam.UserAttributes", "kind": "interface", "locationInModule": { "filename": "lib/user.ts", "line": 125 }, "name": "UserAttributes", "properties": [ { "abstract": true, "docs": { "remarks": "Format: arn::iam:::user/", "stability": "stable", "summary": "The ARN of the user." 
}, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 131 }, "name": "userArn", "type": { "primitive": "string" } } ], "symbolId": "lib/user:UserAttributes" }, "@aws-cdk/aws-iam.UserProps": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "custom": { "exampleMetadata": "lit=test/example.attaching.lit.ts infused" }, "example": " const user = new User(this, 'MyUser', { password: cdk.SecretValue.unsafePlainText('1234') });\n const group = new Group(this, 'MyGroup');\n\n const policy = new Policy(this, 'MyPolicy');\n policy.attachToUser(user);\n group.attachInlinePolicy(policy);", "stability": "stable", "summary": "Properties for defining an IAM user." }, "fqn": "@aws-cdk/aws-iam.UserProps", "kind": "interface", "locationInModule": { "filename": "lib/user.ts", "line": 39 }, "name": "UserProps", "properties": [ { "abstract": true, "docs": { "default": "- No groups.", "remarks": "You can also use `addToGroup` to add this\nuser to a group.", "stability": "stable", "summary": "Groups to add this user to." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 46 }, "name": "groups", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IGroup" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- No managed policies.", "remarks": "You can add managed policies later using\n`addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.", "stability": "stable", "summary": "A list of managed policies associated with this role." 
}, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 56 }, "name": "managedPolicies", "optional": true, "type": { "collection": { "elementtype": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" }, "kind": "array" } } }, { "abstract": true, "docs": { "default": "- User won't be able to access the management console without a password.", "remarks": "You can use `SecretValue.unsafePlainText` to specify a password in plain text or\nuse `secretsmanager.Secret.fromSecretAttributes` to reference a secret in\nSecrets Manager.", "stability": "stable", "summary": "The password for the user. This is required so the user can access the AWS Management Console." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 109 }, "name": "password", "optional": true, "type": { "fqn": "@aws-cdk/core.SecretValue" } }, { "abstract": true, "docs": { "default": "false", "remarks": "If this is set to 'true', you must also specify \"initialPassword\".", "stability": "stable", "summary": "Specifies whether the user is required to set a new password the next time the user logs in to the AWS Management Console." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 119 }, "name": "passwordResetRequired", "optional": true, "type": { "primitive": "boolean" } }, { "abstract": true, "docs": { "default": "/", "remarks": "For more information about paths, see IAM\nIdentifiers in the IAM User Guide.", "stability": "stable", "summary": "The path for the user name." 
}, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 64 }, "name": "path", "optional": true, "type": { "primitive": "string" } }, { "abstract": true, "docs": { "custom": { "link": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html" }, "default": "- No permissions boundary.", "remarks": "A permissions boundary is an advanced feature for using a managed policy\nto set the maximum permissions that an identity-based policy can grant to\nan IAM entity. An entity's permissions boundary allows it to perform only\nthe actions that are allowed by both its identity-based policies and its\npermissions boundaries.", "stability": "stable", "summary": "AWS supports permissions boundaries for IAM entities (users or roles)." }, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 79 }, "name": "permissionsBoundary", "optional": true, "type": { "fqn": "@aws-cdk/aws-iam.IManagedPolicy" } }, { "abstract": true, "docs": { "default": "- Generated by CloudFormation (recommended)", "remarks": "For valid values, see the UserName parameter for\nthe CreateUser action in the IAM API Reference. If you don't specify a\nname, AWS CloudFormation generates a unique physical ID and uses that ID\nfor the user name.\n\nIf you specify a name, you cannot perform updates that require\nreplacement of this resource. You can perform updates that require no or\nsome interruption. If you must replace the resource, specify a new name.\n\nIf you specify a name, you must specify the CAPABILITY_NAMED_IAM value to\nacknowledge your template's capabilities. For more information, see\nAcknowledging IAM Resources in AWS CloudFormation Templates.", "stability": "stable", "summary": "A name for the IAM user." 
}, "immutable": true, "locationInModule": { "filename": "lib/user.ts", "line": 97 }, "name": "userName", "optional": true, "type": { "primitive": "string" } } ], "symbolId": "lib/user:UserProps" }, "@aws-cdk/aws-iam.WebIdentityPrincipal": { "assembly": "@aws-cdk/aws-iam", "base": "@aws-cdk/aws-iam.FederatedPrincipal", "docs": { "custom": { "exampleMetadata": "infused" }, "example": "const principal = new iam.WebIdentityPrincipal('cognito-identity.amazonaws.com', {\n 'StringEquals': { 'cognito-identity.amazonaws.com:aud': 'us-east-2:12345678-abcd-abcd-abcd-123456' },\n 'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': 'unauthenticated' },\n});", "stability": "stable", "summary": "A principal that represents a federated identity provider as Web Identity such as Cognito, Amazon, Facebook, Google, etc." }, "fqn": "@aws-cdk/aws-iam.WebIdentityPrincipal", "initializer": { "docs": { "stability": "stable" }, "locationInModule": { "filename": "lib/principals.ts", "line": 556 }, "parameters": [ { "docs": { "summary": "identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)." }, "name": "identityProvider", "type": { "primitive": "string" } }, { "docs": { "remarks": "See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).", "summary": "The conditions under which the policy is in effect." }, "name": "conditions", "optional": true, "type": { "collection": { "elementtype": { "primitive": "any" }, "kind": "map" } } } ] }, "kind": "class", "locationInModule": { "filename": "lib/principals.ts", "line": 547 }, "methods": [ { "docs": { "stability": "stable", "summary": "Returns a string representation of an object." 
}, "locationInModule": { "filename": "lib/principals.ts", "line": 564 }, "name": "toString", "overrides": "@aws-cdk/aws-iam.FederatedPrincipal", "returns": { "type": { "primitive": "string" } } } ], "name": "WebIdentityPrincipal", "properties": [ { "docs": { "stability": "stable", "summary": "Return the policy fragment that identifies this principal in a Policy." }, "immutable": true, "locationInModule": { "filename": "lib/principals.ts", "line": 560 }, "name": "policyFragment", "overrides": "@aws-cdk/aws-iam.FederatedPrincipal", "type": { "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment" } } ], "symbolId": "lib/principals:WebIdentityPrincipal" }, "@aws-cdk/aws-iam.WithoutPolicyUpdatesOptions": { "assembly": "@aws-cdk/aws-iam", "datatype": true, "docs": { "stability": "stable", "summary": "Options for the `withoutPolicyUpdates()` modifier of a Role.", "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst withoutPolicyUpdatesOptions: iam.WithoutPolicyUpdatesOptions = {\n addGrantsToResources: false,\n};", "custom": { "exampleMetadata": "fixture=_generated" } }, "fqn": "@aws-cdk/aws-iam.WithoutPolicyUpdatesOptions", "kind": "interface", "locationInModule": { "filename": "lib/role.ts", "line": 535 }, "name": "WithoutPolicyUpdatesOptions", "properties": [ { "abstract": true, "docs": { "default": "false", "remarks": "If this is `false` or not specified, grant permissions added to this role are ignored.\nIt is your own responsibility to make sure the role has the required permissions.\n\nIf this is `true`, any grant permissions will be added to the resource instead.", "stability": "stable", "summary": "Add grants to resources instead of dropping them." 
}, "immutable": true, "locationInModule": { "filename": "lib/role.ts", "line": 546 }, "name": "addGrantsToResources", "optional": true, "type": { "primitive": "boolean" } } ], "symbolId": "lib/role:WithoutPolicyUpdatesOptions" } }, "version": "1.156.1", "fingerprint": "**********" }