UNPKG

576 kBPlain TextView Raw
1{
2 "author": {
3 "name": "Amazon Web Services",
4 "organization": true,
5 "roles": [
6 "author"
7 ],
8 "url": "https://aws.amazon.com"
9 },
10 "dependencies": {
11 "@aws-cdk/core": "1.156.1",
12 "@aws-cdk/cx-api": "1.156.1",
13 "@aws-cdk/region-info": "1.156.1",
14 "constructs": "^3.3.69"
15 },
16 "dependencyClosure": {
17 "@aws-cdk/cloud-assembly-schema": {
18 "targets": {
19 "dotnet": {
20 "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png",
21 "namespace": "Amazon.CDK.CloudAssembly.Schema",
22 "packageId": "Amazon.CDK.CloudAssembly.Schema"
23 },
24 "java": {
25 "maven": {
26 "artifactId": "cdk-cloud-assembly-schema",
27 "groupId": "software.amazon.awscdk"
28 },
29 "package": "software.amazon.awscdk.cloudassembly.schema"
30 },
31 "js": {
32 "npm": "@aws-cdk/cloud-assembly-schema"
33 },
34 "python": {
35 "classifiers": [
36 "Framework :: AWS CDK",
37 "Framework :: AWS CDK :: 1"
38 ],
39 "distName": "aws-cdk.cloud-assembly-schema",
40 "module": "aws_cdk.cloud_assembly_schema"
41 }
42 }
43 },
44 "@aws-cdk/core": {
45 "targets": {
46 "dotnet": {
47 "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png",
48 "namespace": "Amazon.CDK",
49 "packageId": "Amazon.CDK"
50 },
51 "java": {
52 "maven": {
53 "artifactId": "core",
54 "groupId": "software.amazon.awscdk"
55 },
56 "package": "software.amazon.awscdk.core"
57 },
58 "js": {
59 "npm": "@aws-cdk/core"
60 },
61 "python": {
62 "classifiers": [
63 "Framework :: AWS CDK",
64 "Framework :: AWS CDK :: 1"
65 ],
66 "distName": "aws-cdk.core",
67 "module": "aws_cdk.core"
68 }
69 }
70 },
71 "@aws-cdk/cx-api": {
72 "targets": {
73 "dotnet": {
74 "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png",
75 "namespace": "Amazon.CDK.CXAPI",
76 "packageId": "Amazon.CDK.CXAPI"
77 },
78 "java": {
79 "maven": {
80 "artifactId": "cdk-cx-api",
81 "groupId": "software.amazon.awscdk"
82 },
83 "package": "software.amazon.awscdk.cxapi"
84 },
85 "js": {
86 "npm": "@aws-cdk/cx-api"
87 },
88 "python": {
89 "classifiers": [
90 "Framework :: AWS CDK",
91 "Framework :: AWS CDK :: 1"
92 ],
93 "distName": "aws-cdk.cx-api",
94 "module": "aws_cdk.cx_api"
95 }
96 }
97 },
98 "@aws-cdk/region-info": {
99 "targets": {
100 "dotnet": {
101 "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png",
102 "namespace": "Amazon.CDK.RegionInfo",
103 "packageId": "Amazon.CDK.RegionInfo"
104 },
105 "java": {
106 "maven": {
107 "artifactId": "cdk-region-info",
108 "groupId": "software.amazon.awscdk"
109 },
110 "package": "software.amazon.awscdk.regioninfo"
111 },
112 "js": {
113 "npm": "@aws-cdk/region-info"
114 },
115 "python": {
116 "classifiers": [
117 "Framework :: AWS CDK",
118 "Framework :: AWS CDK :: 1"
119 ],
120 "distName": "aws-cdk.region-info",
121 "module": "aws_cdk.region_info"
122 }
123 }
124 },
125 "constructs": {
126 "targets": {
127 "dotnet": {
128 "namespace": "Constructs",
129 "packageId": "Constructs"
130 },
131 "go": {
132 "moduleName": "github.com/aws/constructs-go"
133 },
134 "java": {
135 "maven": {
136 "artifactId": "constructs",
137 "groupId": "software.constructs"
138 },
139 "package": "software.constructs"
140 },
141 "js": {
142 "npm": "constructs"
143 },
144 "python": {
145 "distName": "constructs",
146 "module": "constructs"
147 }
148 }
149 }
150 },
151 "description": "CDK routines for easily assigning correct and minimal IAM permissions",
152 "docs": {
153 "stability": "stable"
154 },
155 "homepage": "https://github.com/aws/aws-cdk",
156 "jsiiVersion": "1.58.0 (build f8ba112)",
157 "keywords": [
158 "aws",
159 "cdk",
160 "constructs",
161 "iam"
162 ],
163 "license": "Apache-2.0",
164 "metadata": {
165 "jsii": {
166 "compiledWithDeprecationWarnings": true,
167 "pacmak": {
168 "hasDefaultInterfaces": true
169 },
170 "rosetta": {
171 "strict": true
172 }
173 }
174 },
175 "name": "@aws-cdk/aws-iam",
176 "readme": {
177 "markdown": "# AWS Identity and Access Management Construct Library\n<!--BEGIN STABILITY BANNER-->\n\n---\n\n![cfn-resources: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)\n\n![cdk-constructs: Stable](https://img.shields.io/badge/cdk--constructs-stable-success.svg?style=for-the-badge)\n\n---\n\n<!--END STABILITY BANNER-->\n\nDefine a role and add permissions to it. This will automatically create and\nattach an IAM policy to the role:\n\n```ts lit=test/example.role.lit.ts\n const role = new Role(this, 'MyRole', {\n assumedBy: new ServicePrincipal('sns.amazonaws.com'),\n });\n\n role.addToPolicy(new PolicyStatement({\n resources: ['*'],\n actions: ['lambda:InvokeFunction'],\n }));\n```\n\nDefine a policy and attach it to groups, users and roles. Note that it is possible to attach\nthe policy either by calling `xxx.attachInlinePolicy(policy)` or `policy.attachToXxx(xxx)`.\n\n```ts lit=test/example.attaching.lit.ts\n const user = new User(this, 'MyUser', { password: cdk.SecretValue.unsafePlainText('1234') });\n const group = new Group(this, 'MyGroup');\n\n const policy = new Policy(this, 'MyPolicy');\n policy.attachToUser(user);\n group.attachInlinePolicy(policy);\n```\n\nManaged policies can be attached using `xxx.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`:\n\n```ts lit=test/example.managedpolicy.lit.ts\nconst group = new Group(this, 'MyGroup');\ngroup.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'));\n```\n\n## Granting permissions to resources\n\nMany of the AWS CDK resources have `grant*` methods that allow you to grant other resources access to that resource. As an example, the following code gives a Lambda function write permissions (Put, Update, Delete) to a DynamoDB table.\n\n```ts\ndeclare const fn: lambda.Function;\ndeclare const table: dynamodb.Table;\n\ntable.grantWriteData(fn);\n```\n\nThe more generic `grant` method allows you to give specific permissions to a resource:\n\n```ts\ndeclare const fn: lambda.Function;\ndeclare const table: dynamodb.Table;\n\ntable.grant(fn, 'dynamodb:PutItem');\n```\n\nThe `grant*` methods accept an `IGrantable` object. This interface is implemented by IAM principlal resources (groups, users and roles) and resources that assume a role such as a Lambda function, EC2 instance or a Codebuild project.\n\nYou can find which `grant*` methods exist for a resource in the [AWS CDK API Reference](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-construct-library.html).\n\n## Roles\n\nMany AWS resources require *Roles* to operate. These Roles define the AWS API\ncalls an instance or other AWS service is allowed to make.\n\nCreating Roles and populating them with the right permissions *Statements* is\na necessary but tedious part of setting up AWS infrastructure. In order to\nhelp you focus on your business logic, CDK will take care of creating\nroles and populating them with least-privilege permissions automatically.\n\nAll constructs that require Roles will create one for you if don't specify\none at construction time. Permissions will be added to that role\nautomatically if you associate the construct with other constructs from the\nAWS Construct Library (for example, if you tell an *AWS CodePipeline* to trigger\nan *AWS Lambda Function*, the Pipeline's Role will automatically get\n`lambda:InvokeFunction` permissions on that particular Lambda Function),\nor if you explicitly grant permissions using `grant` functions (see the\nprevious section).\n\n### Opting out of automatic permissions management\n\nYou may prefer to manage a Role's permissions yourself instead of having the\nCDK automatically manage them for you. This may happen in one of the\nfollowing cases:\n\n* You don't like the permissions that CDK automatically generates and\n want to substitute your own set.\n* The least-permissions policy that the CDK generates is becoming too\n big for IAM to store, and you need to add some wildcards to keep the\n policy size down.\n\nTo prevent constructs from updating your Role's policy, pass the object\nreturned by `myRole.withoutPolicyUpdates()` instead of `myRole` itself.\n\nFor example, to have an AWS CodePipeline *not* automatically add the required\npermissions to trigger the expected targets, do the following:\n\n```ts\nconst role = new iam.Role(this, 'Role', {\n assumedBy: new iam.ServicePrincipal('codepipeline.amazonaws.com'),\n // custom description if desired\n description: 'This is a custom role...',\n});\n\nnew codepipeline.Pipeline(this, 'Pipeline', {\n // Give the Pipeline an immutable view of the Role\n role: role.withoutPolicyUpdates(),\n});\n\n// You now have to manage the Role policies yourself\nrole.addToPolicy(new iam.PolicyStatement({\n actions: [/* whatever actions you want */],\n resources: [/* whatever resources you intend to touch */],\n}));\n```\n\n### Using existing roles\n\nIf there are Roles in your account that have already been created which you\nwould like to use in your CDK application, you can use `Role.fromRoleArn` to\nimport them, as follows:\n\n```ts\nconst role = iam.Role.fromRoleArn(this, 'Role', 'arn:aws:iam::123456789012:role/MyExistingRole', {\n // Set 'mutable' to 'false' to use the role as-is and prevent adding new\n // policies to it. The default is 'true', which means the role may be\n // modified as part of the deployment.\n mutable: false,\n});\n```\n\n## Configuring an ExternalId\n\nIf you need to create Roles that will be assumed by third parties, it is generally a good idea to [require an `ExternalId`\nto assume them](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html). Configuring\nan `ExternalId` works like this:\n\n```ts lit=test/example.external-id.lit.ts\nconst role = new iam.Role(this, 'MyRole', {\n assumedBy: new iam.AccountPrincipal('123456789012'),\n externalIds: ['SUPPLY-ME'],\n});\n```\n\n## Principals vs Identities\n\nWhen we say *Principal*, we mean an entity you grant permissions to. This\nentity can be an AWS Service, a Role, or something more abstract such as \"all\nusers in this account\" or even \"all users in this organization\". An\n*Identity* is an IAM representing a single IAM entity that can have\na policy attached, one of `Role`, `User`, or `Group`.\n\n## IAM Principals\n\nWhen defining policy statements as part of an AssumeRole policy or as part of a\nresource policy, statements would usually refer to a specific IAM principal\nunder `Principal`.\n\nIAM principals are modeled as classes that derive from the `iam.PolicyPrincipal`\nabstract class. Principal objects include principal type (string) and value\n(array of string), optional set of conditions and the action that this principal\nrequires when it is used in an assume role policy document.\n\nTo add a principal to a policy statement you can either use the abstract\n`statement.addPrincipal`, one of the concrete `addXxxPrincipal` methods:\n\n* `addAwsPrincipal`, `addArnPrincipal` or `new ArnPrincipal(arn)` for `{ \"AWS\": arn }`\n* `addAwsAccountPrincipal` or `new AccountPrincipal(accountId)` for `{ \"AWS\": account-arn }`\n* `addServicePrincipal` or `new ServicePrincipal(service)` for `{ \"Service\": service }`\n* `addAccountRootPrincipal` or `new AccountRootPrincipal()` for `{ \"AWS\": { \"Ref: \"AWS::AccountId\" } }`\n* `addCanonicalUserPrincipal` or `new CanonicalUserPrincipal(id)` for `{ \"CanonicalUser\": id }`\n* `addFederatedPrincipal` or `new FederatedPrincipal(federated, conditions, assumeAction)` for\n `{ \"Federated\": arn }` and a set of optional conditions and the assume role action to use.\n* `addAnyPrincipal` or `new AnyPrincipal` for `{ \"AWS\": \"*\" }`\n\nIf multiple principals are added to the policy statement, they will be merged together:\n\n```ts\nconst statement = new iam.PolicyStatement();\nstatement.addServicePrincipal('cloudwatch.amazonaws.com');\nstatement.addServicePrincipal('ec2.amazonaws.com');\nstatement.addArnPrincipal('arn:aws:boom:boom');\n```\n\nWill result in:\n\n```json\n{\n \"Principal\": {\n \"Service\": [ \"cloudwatch.amazonaws.com\", \"ec2.amazonaws.com\" ],\n \"AWS\": \"arn:aws:boom:boom\"\n }\n}\n```\n\nThe `CompositePrincipal` class can also be used to define complex principals, for example:\n\n```ts\nconst role = new iam.Role(this, 'MyRole', {\n assumedBy: new iam.CompositePrincipal(\n new iam.ServicePrincipal('ec2.amazonaws.com'),\n new iam.AccountPrincipal('1818188181818187272')\n ),\n});\n```\n\nThe `PrincipalWithConditions` class can be used to add conditions to a\nprincipal, especially those that don't take a `conditions` parameter in their\nconstructor. The `principal.withConditions()` method can be used to create a\n`PrincipalWithConditions` from an existing principal, for example:\n\n```ts\nconst principal = new iam.AccountPrincipal('123456789000')\n .withConditions({ StringEquals: { foo: \"baz\" } });\n```\n\n> NOTE: If you need to define an IAM condition that uses a token (such as a\n> deploy-time attribute of another resource) in a JSON map key, use `CfnJson` to\n> render this condition. See [this test](./test/integ.condition-with-ref.ts) for\n> an example.\n\nThe `WebIdentityPrincipal` class can be used as a principal for web identities like\nCognito, Amazon, Google or Facebook, for example:\n\n```ts\nconst principal = new iam.WebIdentityPrincipal('cognito-identity.amazonaws.com', {\n 'StringEquals': { 'cognito-identity.amazonaws.com:aud': 'us-east-2:12345678-abcd-abcd-abcd-123456' },\n 'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': 'unauthenticated' },\n});\n```\n\nIf your identity provider is configured to assume a Role with [session\ntags](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html), you\nneed to call `.withSessionTags()` to add the required permissions to the Role's\npolicy document:\n\n```ts\nnew iam.Role(this, 'Role', {\n assumedBy: new iam.WebIdentityPrincipal('cognito-identity.amazonaws.com', {\n 'StringEquals': {\n 'cognito-identity.amazonaws.com:aud': 'us-east-2:12345678-abcd-abcd-abcd-123456',\n },\n 'ForAnyValue:StringLike': {\n 'cognito-identity.amazonaws.com:amr': 'unauthenticated',\n },\n }).withSessionTags(),\n});\n```\n\n\n## Parsing JSON Policy Documents\n\nThe `PolicyDocument.fromJson` and `PolicyStatement.fromJson` static methods can be used to parse JSON objects. For example:\n\n```ts\nconst policyDocument = {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"FirstStatement\",\n \"Effect\": \"Allow\",\n \"Action\": [\"iam:ChangePassword\"],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"SecondStatement\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:ListAllMyBuckets\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"ThirdStatement\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:List*\",\n \"s3:Get*\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::confidential-data\",\n \"arn:aws:s3:::confidential-data/*\"\n ],\n \"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": \"true\"}}\n }\n ]\n};\n\nconst customPolicyDocument = iam.PolicyDocument.fromJson(policyDocument);\n\n// You can pass this document as an initial document to a ManagedPolicy\n// or inline Policy.\nconst newManagedPolicy = new iam.ManagedPolicy(this, 'MyNewManagedPolicy', {\n document: customPolicyDocument,\n});\nconst newPolicy = new iam.Policy(this, 'MyNewPolicy', {\n document: customPolicyDocument,\n});\n```\n\n## Permissions Boundaries\n\n[Permissions\nBoundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)\ncan be used as a mechanism to prevent privilege esclation by creating new\n`Role`s. Permissions Boundaries are a Managed Policy, attached to Roles or\nUsers, that represent the *maximum* set of permissions they can have. The\neffective set of permissions of a Role (or User) will be the intersection of\nthe Identity Policy and the Permissions Boundary attached to the Role (or\nUser). Permissions Boundaries are typically created by account\nAdministrators, and their use on newly created `Role`s will be enforced by\nIAM policies.\n\nIt is possible to attach Permissions Boundaries to all Roles created in a construct\ntree all at once:\n\n```ts\n// This imports an existing policy.\nconst boundary = iam.ManagedPolicy.fromManagedPolicyArn(this, 'Boundary', 'arn:aws:iam::123456789012:policy/boundary');\n\n// This creates a new boundary\nconst boundary2 = new iam.ManagedPolicy(this, 'Boundary2', {\n statements: [\n new iam.PolicyStatement({\n effect: iam.Effect.DENY,\n actions: ['iam:*'],\n resources: ['*'],\n }),\n ],\n});\n\n// Directly apply the boundary to a Role you create\ndeclare const role: iam.Role;\niam.PermissionsBoundary.of(role).apply(boundary);\n\n// Apply the boundary to an Role that was implicitly created for you\ndeclare const fn: lambda.Function;\niam.PermissionsBoundary.of(fn).apply(boundary);\n\n// Apply the boundary to all Roles in a stack\niam.PermissionsBoundary.of(this).apply(boundary);\n\n// Remove a Permissions Boundary that is inherited, for example from the Stack level\ndeclare const customResource: CustomResource;\niam.PermissionsBoundary.of(customResource).clear();\n```\n\n## OpenID Connect Providers\n\nOIDC identity providers are entities in IAM that describe an external identity\nprovider (IdP) service that supports the [OpenID Connect] (OIDC) standard, such\nas Google or Salesforce. You use an IAM OIDC identity provider when you want to\nestablish trust between an OIDC-compatible IdP and your AWS account. This is\nuseful when creating a mobile app or web application that requires access to AWS\nresources, but you don't want to create custom sign-in code or manage your own\nuser identities. For more information about this scenario, see [About Web\nIdentity Federation] and the relevant documentation in the [Amazon Cognito\nIdentity Pools Developer Guide].\n\n[OpenID Connect]: http://openid.net/connect\n[About Web Identity Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html\n[Amazon Cognito Identity Pools Developer Guide]: https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html\n\nThe following examples defines an OpenID Connect provider. Two client IDs\n(audiences) are will be able to send authentication requests to\n<https://openid/connect>.\n\n```ts\nconst provider = new iam.OpenIdConnectProvider(this, 'MyProvider', {\n url: 'https://openid/connect',\n clientIds: [ 'myclient1', 'myclient2' ],\n});\n```\n\nYou can specify an optional list of `thumbprints`. If not specified, the\nthumbprint of the root certificate authority (CA) will automatically be obtained\nfrom the host as described\n[here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html).\n\nOnce you define an OpenID connect provider, you can use it with AWS services\nthat expect an IAM OIDC provider. For example, when you define an [Amazon\nCognito identity\npool](https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html)\nyou can reference the provider's ARN as follows:\n\n```ts\nimport * as cognito from '@aws-cdk/aws-cognito';\n\ndeclare const myProvider: iam.OpenIdConnectProvider;\nnew cognito.CfnIdentityPool(this, 'IdentityPool', {\n openIdConnectProviderArns: [myProvider.openIdConnectProviderArn],\n // And the other properties for your identity pool\n allowUnauthenticatedIdentities: false,\n});\n```\n\nThe `OpenIdConnectPrincipal` class can be used as a principal used with a `OpenIdConnectProvider`, for example:\n\n```ts\nconst provider = new iam.OpenIdConnectProvider(this, 'MyProvider', {\n url: 'https://openid/connect',\n clientIds: [ 'myclient1', 'myclient2' ],\n});\nconst principal = new iam.OpenIdConnectPrincipal(provider);\n```\n\n## SAML provider\n\nAn IAM SAML 2.0 identity provider is an entity in IAM that describes an external\nidentity provider (IdP) service that supports the SAML 2.0 (Security Assertion\nMarkup Language 2.0) standard. You use an IAM identity provider when you want\nto establish trust between a SAML-compatible IdP such as Shibboleth or Active\nDirectory Federation Services and AWS, so that users in your organization can\naccess AWS resources. IAM SAML identity providers are used as principals in an\nIAM trust policy.\n\n```ts\nnew iam.SamlProvider(this, 'Provider', {\n metadataDocument: iam.SamlMetadataDocument.fromFile('/path/to/saml-metadata-document.xml'),\n});\n```\n\nThe `SamlPrincipal` class can be used as a principal with a `SamlProvider`:\n\n```ts\nconst provider = new iam.SamlProvider(this, 'Provider', {\n metadataDocument: iam.SamlMetadataDocument.fromFile('/path/to/saml-metadata-document.xml'),\n});\nconst principal = new iam.SamlPrincipal(provider, {\n StringEquals: {\n 'SAML:iss': 'issuer',\n },\n});\n```\n\nWhen creating a role for programmatic and AWS Management Console access, use the `SamlConsolePrincipal`\nclass:\n\n```ts\nconst provider = new iam.SamlProvider(this, 'Provider', {\n metadataDocument: iam.SamlMetadataDocument.fromFile('/path/to/saml-metadata-document.xml'),\n});\nnew iam.Role(this, 'Role', {\n assumedBy: new iam.SamlConsolePrincipal(provider),\n});\n```\n\n## Users\n\nIAM manages users for your AWS account. To create a new user:\n\n```ts\nconst user = new iam.User(this, 'MyUser');\n```\n\nTo import an existing user by name [with path](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names):\n\n```ts\nconst user = iam.User.fromUserName(this, 'MyImportedUserByName', 'johnsmith');\n```\n\nTo import an existing user by ARN:\n\n```ts\nconst user = iam.User.fromUserArn(this, 'MyImportedUserByArn', 'arn:aws:iam::123456789012:user/johnsmith');\n```\n\nTo import an existing user by attributes:\n\n```ts\nconst user = iam.User.fromUserAttributes(this, 'MyImportedUserByAttributes', {\n userArn: 'arn:aws:iam::123456789012:user/johnsmith',\n});\n```\n\n### Access Keys\n\nThe ability for a user to make API calls via the CLI or an SDK is enabled by the user having an\naccess key pair. To create an access key:\n\n```ts\nconst user = new iam.User(this, 'MyUser');\nconst accessKey = new iam.AccessKey(this, 'MyAccessKey', { user: user });\n```\n\nYou can force CloudFormation to rotate the access key by providing a monotonically increasing `serial`\nproperty. Simply provide a higher serial value than any number used previously:\n\n```ts\nconst user = new iam.User(this, 'MyUser');\nconst accessKey = new iam.AccessKey(this, 'MyAccessKey', { user: user, serial: 1 });\n```\n\nAn access key may only be associated with a single user and cannot be \"moved\" between users. Changing\nthe user associated with an access key replaces the access key (and its ID and secret value).\n\n## Groups\n\nAn IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users.\n\n```ts\nconst group = new iam.Group(this, 'MyGroup');\n```\n\nTo import an existing group by ARN:\n\n```ts\nconst group = iam.Group.fromGroupArn(this, 'MyImportedGroupByArn', 'arn:aws:iam::account-id:group/group-name');\n```\n\nTo import an existing group by name [with path](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names):\n\n```ts\nconst group = iam.Group.fromGroupName(this, 'MyImportedGroupByName', 'group-name');\n```\n\nTo add a user to a group (both for a new and imported user/group):\n\n```ts\nconst user = new iam.User(this, 'MyUser'); // or User.fromUserName(stack, 'User', 'johnsmith');\nconst group = new iam.Group(this, 'MyGroup'); // or Group.fromGroupArn(stack, 'Group', 'arn:aws:iam::account-id:group/group-name');\n\nuser.addToGroup(group);\n// or\ngroup.addUser(user);\n```\n\n## Features\n\n* Policy name uniqueness is enforced. If two policies by the same name are attached to the same\n principal, the attachment will fail.\n* Policy names are not required - the CDK logical ID will be used and ensured to be unique.\n* Policies are validated during synthesis to ensure that they have actions, and that policies\n attached to IAM principals specify relevant resources, while policies attached to resources\n specify which IAM principals they apply to.\n"
178 },
179 "repository": {
180 "directory": "packages/@aws-cdk/aws-iam",
181 "type": "git",
182 "url": "https://github.com/aws/aws-cdk.git"
183 },
184 "schema": "jsii/0.10.0",
185 "targets": {
186 "dotnet": {
187 "iconUrl": "https://raw.githubusercontent.com/aws/aws-cdk/master/logo/default-256-dark.png",
188 "namespace": "Amazon.CDK.AWS.IAM",
189 "packageId": "Amazon.CDK.AWS.IAM"
190 },
191 "java": {
192 "maven": {
193 "artifactId": "iam",
194 "groupId": "software.amazon.awscdk"
195 },
196 "package": "software.amazon.awscdk.services.iam"
197 },
198 "js": {
199 "npm": "@aws-cdk/aws-iam"
200 },
201 "python": {
202 "classifiers": [
203 "Framework :: AWS CDK",
204 "Framework :: AWS CDK :: 1"
205 ],
206 "distName": "aws-cdk.aws-iam",
207 "module": "aws_cdk.aws_iam"
208 }
209 },
210 "types": {
211 "@aws-cdk/aws-iam.AccessKey": {
212 "assembly": "@aws-cdk/aws-iam",
213 "base": "@aws-cdk/core.Resource",
214 "docs": {
215 "custom": {
216 "exampleMetadata": "infused"
217 },
218 "example": "// Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.\nconst user = new iam.User(this, 'User');\nconst accessKey = new iam.AccessKey(this, 'AccessKey', { user });\nconst secretValue = secretsmanager.SecretStringValueBeta1.fromToken(accessKey.secretAccessKey.toString());\nnew secretsmanager.Secret(this, 'Secret', {\n secretStringBeta1: secretValue,\n});",
219 "stability": "stable",
220 "summary": "Define a new IAM Access Key."
221 },
222 "fqn": "@aws-cdk/aws-iam.AccessKey",
223 "initializer": {
224 "docs": {
225 "stability": "stable"
226 },
227 "locationInModule": {
228 "filename": "lib/access-key.ts",
229 "line": 80
230 },
231 "parameters": [
232 {
233 "name": "scope",
234 "type": {
235 "fqn": "constructs.Construct"
236 }
237 },
238 {
239 "name": "id",
240 "type": {
241 "primitive": "string"
242 }
243 },
244 {
245 "name": "props",
246 "type": {
247 "fqn": "@aws-cdk/aws-iam.AccessKeyProps"
248 }
249 }
250 ]
251 },
252 "interfaces": [
253 "@aws-cdk/aws-iam.IAccessKey"
254 ],
255 "kind": "class",
256 "locationInModule": {
257 "filename": "lib/access-key.ts",
258 "line": 76
259 },
260 "name": "AccessKey",
261 "properties": [
262 {
263 "docs": {
264 "stability": "stable",
265 "summary": "The Access Key ID."
266 },
267 "immutable": true,
268 "locationInModule": {
269 "filename": "lib/access-key.ts",
270 "line": 77
271 },
272 "name": "accessKeyId",
273 "overrides": "@aws-cdk/aws-iam.IAccessKey",
274 "type": {
275 "primitive": "string"
276 }
277 },
278 {
279 "docs": {
280 "stability": "stable",
281 "summary": "The Secret Access Key."
282 },
283 "immutable": true,
284 "locationInModule": {
285 "filename": "lib/access-key.ts",
286 "line": 78
287 },
288 "name": "secretAccessKey",
289 "overrides": "@aws-cdk/aws-iam.IAccessKey",
290 "type": {
291 "fqn": "@aws-cdk/core.SecretValue"
292 }
293 }
294 ],
295 "symbolId": "lib/access-key:AccessKey"
296 },
297 "@aws-cdk/aws-iam.AccessKeyProps": {
298 "assembly": "@aws-cdk/aws-iam",
299 "datatype": true,
300 "docs": {
301 "custom": {
302 "exampleMetadata": "infused"
303 },
304 "example": "// Creates a new IAM user, access and secret keys, and stores the secret access key in a Secret.\nconst user = new iam.User(this, 'User');\nconst accessKey = new iam.AccessKey(this, 'AccessKey', { user });\nconst secretValue = secretsmanager.SecretStringValueBeta1.fromToken(accessKey.secretAccessKey.toString());\nnew secretsmanager.Secret(this, 'Secret', {\n secretStringBeta1: secretValue,\n});",
305 "stability": "stable",
306 "summary": "Properties for defining an IAM access key."
307 },
308 "fqn": "@aws-cdk/aws-iam.AccessKeyProps",
309 "kind": "interface",
310 "locationInModule": {
311 "filename": "lib/access-key.ts",
312 "line": 45
313 },
314 "name": "AccessKeyProps",
315 "properties": [
316 {
317 "abstract": true,
318 "docs": {
319 "remarks": "Changing this value will result in the access key being deleted and a new\naccess key (with a different ID and secret value) being assigned to the new\nuser.",
320 "stability": "stable",
321 "summary": "The IAM user this key will belong to."
322 },
323 "immutable": true,
324 "locationInModule": {
325 "filename": "lib/access-key.ts",
326 "line": 70
327 },
328 "name": "user",
329 "type": {
330 "fqn": "@aws-cdk/aws-iam.IUser"
331 }
332 },
333 {
334 "abstract": true,
335 "docs": {
336 "default": "- No serial value",
337 "remarks": "This value can only be incremented. Incrementing this\nvalue will cause CloudFormation to replace the Access Key resource.",
338 "stability": "stable",
339 "summary": "A CloudFormation-specific value that signifies the access key should be replaced/rotated."
340 },
341 "immutable": true,
342 "locationInModule": {
343 "filename": "lib/access-key.ts",
344 "line": 53
345 },
346 "name": "serial",
347 "optional": true,
348 "type": {
349 "primitive": "number"
350 }
351 },
352 {
353 "abstract": true,
354 "docs": {
355 "default": "- The access key is active",
356 "remarks": "An Active access key is allowed to be used\nto make API calls; An Inactive key cannot.",
357 "stability": "stable",
358 "summary": "The status of the access key."
359 },
360 "immutable": true,
361 "locationInModule": {
362 "filename": "lib/access-key.ts",
363 "line": 61
364 },
365 "name": "status",
366 "optional": true,
367 "type": {
368 "fqn": "@aws-cdk/aws-iam.AccessKeyStatus"
369 }
370 }
371 ],
372 "symbolId": "lib/access-key:AccessKeyProps"
373 },
374 "@aws-cdk/aws-iam.AccessKeyStatus": {
375 "assembly": "@aws-cdk/aws-iam",
376 "docs": {
377 "stability": "stable",
378 "summary": "Valid statuses for an IAM Access Key."
379 },
380 "fqn": "@aws-cdk/aws-iam.AccessKeyStatus",
381 "kind": "enum",
382 "locationInModule": {
383 "filename": "lib/access-key.ts",
384 "line": 9
385 },
386 "members": [
387 {
388 "docs": {
389 "remarks": "An active key can be used to make API calls.",
390 "stability": "stable",
391 "summary": "An active access key."
392 },
393 "name": "ACTIVE"
394 },
395 {
396 "docs": {
397 "remarks": "An inactive key cannot be used to make API calls.",
398 "stability": "stable",
399 "summary": "An inactive access key."
400 },
401 "name": "INACTIVE"
402 }
403 ],
404 "name": "AccessKeyStatus",
405 "symbolId": "lib/access-key:AccessKeyStatus"
406 },
407 "@aws-cdk/aws-iam.AccountPrincipal": {
408 "assembly": "@aws-cdk/aws-iam",
409 "base": "@aws-cdk/aws-iam.ArnPrincipal",
410 "docs": {
411 "custom": {
412 "exampleMetadata": "infused"
413 },
414 "example": "const cluster = new neptune.DatabaseCluster(this, 'Cluster', {\n vpc,\n instanceType: neptune.InstanceType.R5_LARGE,\n iamAuthentication: true, // Optional - will be automatically set if you call grantConnect().\n});\nconst role = new iam.Role(this, 'DBRole', { assumedBy: new iam.AccountPrincipal(this.account) });\ncluster.grantConnect(role); // Grant the role connection access to the DB.",
415 "stability": "stable",
416 "summary": "Specify AWS account ID as the principal entity in a policy to delegate authority to the account."
417 },
418 "fqn": "@aws-cdk/aws-iam.AccountPrincipal",
419 "initializer": {
420 "docs": {
421 "stability": "stable"
422 },
423 "locationInModule": {
424 "filename": "lib/principals.ts",
425 "line": 395
426 },
427 "parameters": [
428 {
429 "docs": {
430 "summary": "AWS account ID (i.e. 123456789012)."
431 },
432 "name": "accountId",
433 "type": {
434 "primitive": "any"
435 }
436 }
437 ]
438 },
439 "kind": "class",
440 "locationInModule": {
441 "filename": "lib/principals.ts",
442 "line": 388
443 },
444 "methods": [
445 {
446 "docs": {
447 "stability": "stable",
448 "summary": "Returns a string representation of an object."
449 },
450 "locationInModule": {
451 "filename": "lib/principals.ts",
452 "line": 400
453 },
454 "name": "toString",
455 "overrides": "@aws-cdk/aws-iam.ArnPrincipal",
456 "returns": {
457 "type": {
458 "primitive": "string"
459 }
460 }
461 }
462 ],
463 "name": "AccountPrincipal",
464 "properties": [
465 {
466 "docs": {
467 "stability": "stable",
468 "summary": "AWS account ID (i.e. 123456789012)."
469 },
470 "immutable": true,
471 "locationInModule": {
472 "filename": "lib/principals.ts",
473 "line": 395
474 },
475 "name": "accountId",
476 "type": {
477 "primitive": "any"
478 }
479 },
480 {
481 "docs": {
482 "remarks": "Can be undefined when the account is not known\n(for example, for service principals).\nCan be a Token - in that case,\nit's assumed to be AWS::AccountId.",
483 "stability": "stable",
484 "summary": "The AWS account ID of this principal."
485 },
486 "immutable": true,
487 "locationInModule": {
488 "filename": "lib/principals.ts",
489 "line": 389
490 },
491 "name": "principalAccount",
492 "optional": true,
493 "overrides": "@aws-cdk/aws-iam.PrincipalBase",
494 "type": {
495 "primitive": "string"
496 }
497 }
498 ],
499 "symbolId": "lib/principals:AccountPrincipal"
500 },
501 "@aws-cdk/aws-iam.AccountRootPrincipal": {
502 "assembly": "@aws-cdk/aws-iam",
503 "base": "@aws-cdk/aws-iam.AccountPrincipal",
504 "docs": {
505 "custom": {
506 "exampleMetadata": "infused"
507 },
508 "example": "const bucket = new s3.Bucket(this, 'MyBucket');\nconst result = bucket.addToResourcePolicy(new iam.PolicyStatement({\n actions: ['s3:GetObject'],\n resources: [bucket.arnForObjects('file.txt')],\n principals: [new iam.AccountRootPrincipal()],\n}));",
509 "stability": "stable",
510 "summary": "Use the AWS account into which a stack is deployed as the principal entity in a policy."
511 },
512 "fqn": "@aws-cdk/aws-iam.AccountRootPrincipal",
513 "initializer": {
514 "docs": {
515 "stability": "stable"
516 },
517 "locationInModule": {
518 "filename": "lib/principals.ts",
519 "line": 629
520 }
521 },
522 "kind": "class",
523 "locationInModule": {
524 "filename": "lib/principals.ts",
525 "line": 628
526 },
527 "methods": [
528 {
529 "docs": {
530 "stability": "stable",
531 "summary": "Returns a string representation of an object."
532 },
533 "locationInModule": {
534 "filename": "lib/principals.ts",
535 "line": 633
536 },
537 "name": "toString",
538 "overrides": "@aws-cdk/aws-iam.AccountPrincipal",
539 "returns": {
540 "type": {
541 "primitive": "string"
542 }
543 }
544 }
545 ],
546 "name": "AccountRootPrincipal",
547 "symbolId": "lib/principals:AccountRootPrincipal"
548 },
549 "@aws-cdk/aws-iam.AddToPrincipalPolicyResult": {
550 "assembly": "@aws-cdk/aws-iam",
551 "datatype": true,
552 "docs": {
553 "stability": "stable",
554 "summary": "Result of calling `addToPrincipalPolicy`.",
555 "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nimport * as cdk from '@aws-cdk/core';\n\ndeclare const dependable: cdk.IDependable;\nconst addToPrincipalPolicyResult: iam.AddToPrincipalPolicyResult = {\n statementAdded: false,\n\n // the properties below are optional\n policyDependable: dependable,\n};",
556 "custom": {
557 "exampleMetadata": "fixture=_generated"
558 }
559 },
560 "fqn": "@aws-cdk/aws-iam.AddToPrincipalPolicyResult",
561 "kind": "interface",
562 "locationInModule": {
563 "filename": "lib/principals.ts",
564 "line": 95
565 },
566 "name": "AddToPrincipalPolicyResult",
567 "properties": [
568 {
569 "abstract": true,
570 "docs": {
571 "stability": "stable",
572 "summary": "Whether the statement was added to the identity's policies."
573 },
574 "immutable": true,
575 "locationInModule": {
576 "filename": "lib/principals.ts",
577 "line": 100
578 },
579 "name": "statementAdded",
580 "type": {
581 "primitive": "boolean"
582 }
583 },
584 {
585 "abstract": true,
586 "docs": {
587 "default": "- Required if `statementAdded` is true.",
588 "stability": "stable",
589 "summary": "Dependable which allows depending on the policy change being applied."
590 },
591 "immutable": true,
592 "locationInModule": {
593 "filename": "lib/principals.ts",
594 "line": 107
595 },
596 "name": "policyDependable",
597 "optional": true,
598 "type": {
599 "fqn": "@aws-cdk/core.IDependable"
600 }
601 }
602 ],
603 "symbolId": "lib/principals:AddToPrincipalPolicyResult"
604 },
605 "@aws-cdk/aws-iam.AddToResourcePolicyResult": {
606 "assembly": "@aws-cdk/aws-iam",
607 "datatype": true,
608 "docs": {
609 "custom": {
610 "exampleMetadata": "infused"
611 },
612 "example": "const bucket = s3.Bucket.fromBucketName(this, 'existingBucket', 'bucket-name');\n\n// No policy statement will be added to the resource\nconst result = bucket.addToResourcePolicy(new iam.PolicyStatement({\n actions: ['s3:GetObject'],\n resources: [bucket.arnForObjects('file.txt')],\n principals: [new iam.AccountRootPrincipal()],\n}));",
613 "stability": "stable",
614 "summary": "Result of calling addToResourcePolicy."
615 },
616 "fqn": "@aws-cdk/aws-iam.AddToResourcePolicyResult",
617 "kind": "interface",
618 "locationInModule": {
619 "filename": "lib/grant.ts",
620 "line": 316
621 },
622 "name": "AddToResourcePolicyResult",
623 "properties": [
624 {
625 "abstract": true,
626 "docs": {
627 "stability": "stable",
628 "summary": "Whether the statement was added."
629 },
630 "immutable": true,
631 "locationInModule": {
632 "filename": "lib/grant.ts",
633 "line": 320
634 },
635 "name": "statementAdded",
636 "type": {
637 "primitive": "boolean"
638 }
639 },
640 {
641 "abstract": true,
642 "docs": {
643 "default": "- If `statementAdded` is true, the resource object itself.\nOtherwise, no dependable.",
644 "stability": "stable",
645 "summary": "Dependable which allows depending on the policy change being applied."
646 },
647 "immutable": true,
648 "locationInModule": {
649 "filename": "lib/grant.ts",
650 "line": 328
651 },
652 "name": "policyDependable",
653 "optional": true,
654 "type": {
655 "fqn": "@aws-cdk/core.IDependable"
656 }
657 }
658 ],
659 "symbolId": "lib/grant:AddToResourcePolicyResult"
660 },
661 "@aws-cdk/aws-iam.AnyPrincipal": {
662 "assembly": "@aws-cdk/aws-iam",
663 "base": "@aws-cdk/aws-iam.ArnPrincipal",
664 "docs": {
665 "custom": {
666 "exampleMetadata": "infused"
667 },
668 "example": "const topic = new sns.Topic(this, 'Topic');\nconst topicPolicy = new sns.TopicPolicy(this, 'TopicPolicy', {\n topics: [topic],\n});\n\ntopicPolicy.document.addStatements(new iam.PolicyStatement({\n actions: [\"sns:Subscribe\"],\n principals: [new iam.AnyPrincipal()],\n resources: [topic.topicArn],\n}));",
669 "remarks": "Some services behave differently when you specify `Principal: '*'`\nor `Principal: { AWS: \"*\" }` in their resource policy.\n\n`AnyPrincipal` renders to `Principal: { AWS: \"*\" }`. This is correct\nmost of the time, but in cases where you need the other principal,\nuse `StarPrincipal` instead.",
670 "stability": "stable",
671 "summary": "A principal representing all AWS identities in all accounts."
672 },
673 "fqn": "@aws-cdk/aws-iam.AnyPrincipal",
674 "initializer": {
675 "docs": {
676 "stability": "stable"
677 },
678 "locationInModule": {
679 "filename": "lib/principals.ts",
680 "line": 649
681 }
682 },
683 "kind": "class",
684 "locationInModule": {
685 "filename": "lib/principals.ts",
686 "line": 648
687 },
688 "methods": [
689 {
690 "docs": {
691 "stability": "stable",
692 "summary": "Returns a string representation of an object."
693 },
694 "locationInModule": {
695 "filename": "lib/principals.ts",
696 "line": 653
697 },
698 "name": "toString",
699 "overrides": "@aws-cdk/aws-iam.ArnPrincipal",
700 "returns": {
701 "type": {
702 "primitive": "string"
703 }
704 }
705 }
706 ],
707 "name": "AnyPrincipal",
708 "symbolId": "lib/principals:AnyPrincipal"
709 },
710 "@aws-cdk/aws-iam.Anyone": {
711 "assembly": "@aws-cdk/aws-iam",
712 "base": "@aws-cdk/aws-iam.AnyPrincipal",
713 "docs": {
714 "deprecated": "use `AnyPrincipal`",
715 "stability": "deprecated",
716 "summary": "A principal representing all identities in all accounts.",
717 "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst anyone = new iam.Anyone();",
718 "custom": {
719 "exampleMetadata": "fixture=_generated"
720 }
721 },
722 "fqn": "@aws-cdk/aws-iam.Anyone",
723 "initializer": {
724 "docs": {
725 "stability": "stable"
726 },
727 "locationInModule": {
728 "filename": "lib/principals.ts",
729 "line": 649
730 }
731 },
732 "kind": "class",
733 "locationInModule": {
734 "filename": "lib/principals.ts",
735 "line": 662
736 },
737 "name": "Anyone",
738 "symbolId": "lib/principals:Anyone"
739 },
740 "@aws-cdk/aws-iam.ArnPrincipal": {
741 "assembly": "@aws-cdk/aws-iam",
742 "base": "@aws-cdk/aws-iam.PrincipalBase",
743 "docs": {
744 "custom": {
745 "exampleMetadata": "infused"
746 },
747 "example": "declare const networkLoadBalancer1: elbv2.NetworkLoadBalancer;\ndeclare const networkLoadBalancer2: elbv2.NetworkLoadBalancer;\n\nnew ec2.VpcEndpointService(this, 'EndpointService', {\n vpcEndpointServiceLoadBalancers: [networkLoadBalancer1, networkLoadBalancer2],\n acceptanceRequired: true,\n allowedPrincipals: [new iam.ArnPrincipal('arn:aws:iam::123456789012:root')]\n});",
748 "remarks": "You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions.\nYou cannot specify IAM groups or instance profiles as principals",
749 "see": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html",
750 "stability": "stable",
751 "summary": "Specify a principal by the Amazon Resource Name (ARN)."
752 },
753 "fqn": "@aws-cdk/aws-iam.ArnPrincipal",
754 "initializer": {
755 "docs": {
756 "stability": "stable"
757 },
758 "locationInModule": {
759 "filename": "lib/principals.ts",
760 "line": 360
761 },
762 "parameters": [
763 {
764 "docs": {
765 "summary": "Amazon Resource Name (ARN) of the principal entity (i.e. arn:aws:iam::123456789012:user/user-name)."
766 },
767 "name": "arn",
768 "type": {
769 "primitive": "string"
770 }
771 }
772 ]
773 },
774 "kind": "class",
775 "locationInModule": {
776 "filename": "lib/principals.ts",
777 "line": 355
778 },
779 "methods": [
780 {
781 "docs": {
782 "stability": "stable",
783 "summary": "A convenience method for adding a condition that the principal is part of the specified AWS Organization."
784 },
785 "locationInModule": {
786 "filename": "lib/principals.ts",
787 "line": 376
788 },
789 "name": "inOrganization",
790 "parameters": [
791 {
792 "name": "organizationId",
793 "type": {
794 "primitive": "string"
795 }
796 }
797 ],
798 "returns": {
799 "type": {
800 "fqn": "@aws-cdk/aws-iam.PrincipalBase"
801 }
802 }
803 },
804 {
805 "docs": {
806 "stability": "stable",
807 "summary": "Returns a string representation of an object."
808 },
809 "locationInModule": {
810 "filename": "lib/principals.ts",
811 "line": 368
812 },
813 "name": "toString",
814 "overrides": "@aws-cdk/aws-iam.PrincipalBase",
815 "returns": {
816 "type": {
817 "primitive": "string"
818 }
819 }
820 }
821 ],
822 "name": "ArnPrincipal",
823 "properties": [
824 {
825 "docs": {
826 "stability": "stable",
827 "summary": "Amazon Resource Name (ARN) of the principal entity (i.e. arn:aws:iam::123456789012:user/user-name)."
828 },
829 "immutable": true,
830 "locationInModule": {
831 "filename": "lib/principals.ts",
832 "line": 360
833 },
834 "name": "arn",
835 "type": {
836 "primitive": "string"
837 }
838 },
839 {
840 "docs": {
841 "stability": "stable",
842 "summary": "Return the policy fragment that identifies this principal in a Policy."
843 },
844 "immutable": true,
845 "locationInModule": {
846 "filename": "lib/principals.ts",
847 "line": 364
848 },
849 "name": "policyFragment",
850 "overrides": "@aws-cdk/aws-iam.PrincipalBase",
851 "type": {
852 "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment"
853 }
854 }
855 ],
856 "symbolId": "lib/principals:ArnPrincipal"
857 },
858 "@aws-cdk/aws-iam.CanonicalUserPrincipal": {
859 "assembly": "@aws-cdk/aws-iam",
860 "base": "@aws-cdk/aws-iam.PrincipalBase",
861 "docs": {
862 "remarks": "See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html\n\nand\n\nhttps://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html\n\nfor more details.",
863 "stability": "stable",
864 "summary": "A policy principal for canonicalUserIds - useful for S3 bucket policies that use Origin Access identities.",
865 "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst canonicalUserPrincipal = new iam.CanonicalUserPrincipal('canonicalUserId');",
866 "custom": {
867 "exampleMetadata": "fixture=_generated"
868 }
869 },
870 "fqn": "@aws-cdk/aws-iam.CanonicalUserPrincipal",
871 "initializer": {
872 "docs": {
873 "stability": "stable"
874 },
875 "locationInModule": {
876 "filename": "lib/principals.ts",
877 "line": 494
878 },
879 "parameters": [
880 {
881 "docs": {
882 "remarks": "root user and IAM users for an account all see the same ID.\n(i.e. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be)",
883 "summary": "unique identifier assigned by AWS for every account."
884 },
885 "name": "canonicalUserId",
886 "type": {
887 "primitive": "string"
888 }
889 }
890 ]
891 },
892 "kind": "class",
893 "locationInModule": {
894 "filename": "lib/principals.ts",
895 "line": 487
896 },
897 "methods": [
898 {
899 "docs": {
900 "stability": "stable",
901 "summary": "Returns a string representation of an object."
902 },
903 "locationInModule": {
904 "filename": "lib/principals.ts",
905 "line": 502
906 },
907 "name": "toString",
908 "overrides": "@aws-cdk/aws-iam.PrincipalBase",
909 "returns": {
910 "type": {
911 "primitive": "string"
912 }
913 }
914 }
915 ],
916 "name": "CanonicalUserPrincipal",
917 "properties": [
918 {
919 "docs": {
920 "remarks": "root user and IAM users for an account all see the same ID.\n(i.e. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be)",
921 "stability": "stable",
922 "summary": "unique identifier assigned by AWS for every account."
923 },
924 "immutable": true,
925 "locationInModule": {
926 "filename": "lib/principals.ts",
927 "line": 494
928 },
929 "name": "canonicalUserId",
930 "type": {
931 "primitive": "string"
932 }
933 },
934 {
935 "docs": {
936 "stability": "stable",
937 "summary": "Return the policy fragment that identifies this principal in a Policy."
938 },
939 "immutable": true,
940 "locationInModule": {
941 "filename": "lib/principals.ts",
942 "line": 498
943 },
944 "name": "policyFragment",
945 "overrides": "@aws-cdk/aws-iam.PrincipalBase",
946 "type": {
947 "fqn": "@aws-cdk/aws-iam.PrincipalPolicyFragment"
948 }
949 }
950 ],
951 "symbolId": "lib/principals:CanonicalUserPrincipal"
952 },
953 "@aws-cdk/aws-iam.CfnAccessKey": {
954 "assembly": "@aws-cdk/aws-iam",
955 "base": "@aws-cdk/core.CfnResource",
956 "docs": {
957 "custom": {
958 "cloudformationResource": "AWS::IAM::AccessKey",
959 "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html",
960 "exampleMetadata": "fixture=_generated"
961 },
962 "remarks": "Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is `Active` .\n\nIf you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. This operation works for access keys under the AWS account . Consequently, you can use this operation to manage AWS account root user credentials. This is true even if the AWS account has no associated users.\n\nFor information about quotas on the number of keys you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .\n\n> To ensure the security of your AWS account , the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can delete the access keys for the associated user and then create new keys.",
963 "stability": "external",
964 "summary": "A CloudFormation `AWS::IAM::AccessKey`.",
965 "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnAccessKey = new iam.CfnAccessKey(this, 'MyCfnAccessKey', {\n userName: 'userName',\n\n // the properties below are optional\n serial: 123,\n status: 'status',\n});"
966 },
967 "fqn": "@aws-cdk/aws-iam.CfnAccessKey",
968 "initializer": {
969 "docs": {
970 "stability": "external",
971 "summary": "Create a new `AWS::IAM::AccessKey`."
972 },
973 "locationInModule": {
974 "filename": "lib/iam.generated.ts",
975 "line": 174
976 },
977 "parameters": [
978 {
979 "docs": {
980 "summary": "- scope in which this resource is defined."
981 },
982 "name": "scope",
983 "type": {
984 "fqn": "@aws-cdk/core.Construct"
985 }
986 },
987 {
988 "docs": {
989 "summary": "- scoped id of the resource."
990 },
991 "name": "id",
992 "type": {
993 "primitive": "string"
994 }
995 },
996 {
997 "docs": {
998 "summary": "- resource properties."
999 },
1000 "name": "props",
1001 "type": {
1002 "fqn": "@aws-cdk/aws-iam.CfnAccessKeyProps"
1003 }
1004 }
1005 ]
1006 },
1007 "interfaces": [
1008 "@aws-cdk/core.IInspectable"
1009 ],
1010 "kind": "class",
1011 "locationInModule": {
1012 "filename": "lib/iam.generated.ts",
1013 "line": 113
1014 },
1015 "methods": [
1016 {
1017 "docs": {
1018 "stability": "external",
1019 "summary": "Examines the CloudFormation resource and discloses attributes."
1020 },
1021 "locationInModule": {
1022 "filename": "lib/iam.generated.ts",
1023 "line": 190
1024 },
1025 "name": "inspect",
1026 "overrides": "@aws-cdk/core.IInspectable",
1027 "parameters": [
1028 {
1029 "docs": {
1030 "summary": "- tree inspector to collect and process attributes."
1031 },
1032 "name": "inspector",
1033 "type": {
1034 "fqn": "@aws-cdk/core.TreeInspector"
1035 }
1036 }
1037 ]
1038 },
1039 {
1040 "docs": {
1041 "stability": "external"
1042 },
1043 "locationInModule": {
1044 "filename": "lib/iam.generated.ts",
1045 "line": 203
1046 },
1047 "name": "renderProperties",
1048 "overrides": "@aws-cdk/core.CfnResource",
1049 "parameters": [
1050 {
1051 "name": "props",
1052 "type": {
1053 "collection": {
1054 "elementtype": {
1055 "primitive": "any"
1056 },
1057 "kind": "map"
1058 }
1059 }
1060 }
1061 ],
1062 "protected": true,
1063 "returns": {
1064 "type": {
1065 "collection": {
1066 "elementtype": {
1067 "primitive": "any"
1068 },
1069 "kind": "map"
1070 }
1071 }
1072 }
1073 }
1074 ],
1075 "name": "CfnAccessKey",
1076 "properties": [
1077 {
1078 "const": true,
1079 "docs": {
1080 "stability": "external",
1081 "summary": "The CloudFormation resource type name for this resource class."
1082 },
1083 "immutable": true,
1084 "locationInModule": {
1085 "filename": "lib/iam.generated.ts",
1086 "line": 117
1087 },
1088 "name": "CFN_RESOURCE_TYPE_NAME",
1089 "static": true,
1090 "type": {
1091 "primitive": "string"
1092 }
1093 },
1094 {
1095 "docs": {
1096 "custom": {
1097 "cloudformationAttribute": "SecretAccessKey"
1098 },
1099 "remarks": "For example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY.",
1100 "stability": "external",
1101 "summary": "Returns the secret access key for the specified AWS::IAM::AccessKey resource."
1102 },
1103 "immutable": true,
1104 "locationInModule": {
1105 "filename": "lib/iam.generated.ts",
1106 "line": 142
1107 },
1108 "name": "attrSecretAccessKey",
1109 "type": {
1110 "primitive": "string"
1111 }
1112 },
1113 {
1114 "docs": {
1115 "stability": "external"
1116 },
1117 "immutable": true,
1118 "locationInModule": {
1119 "filename": "lib/iam.generated.ts",
1120 "line": 195
1121 },
1122 "name": "cfnProperties",
1123 "overrides": "@aws-cdk/core.CfnResource",
1124 "protected": true,
1125 "type": {
1126 "collection": {
1127 "elementtype": {
1128 "primitive": "any"
1129 },
1130 "kind": "map"
1131 }
1132 }
1133 },
1134 {
1135 "docs": {
1136 "custom": {
1137 "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-username"
1138 },
1139 "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-",
1140 "stability": "external",
1141 "summary": "The name of the IAM user that the new key will belong to."
1142 },
1143 "locationInModule": {
1144 "filename": "lib/iam.generated.ts",
1145 "line": 151
1146 },
1147 "name": "userName",
1148 "type": {
1149 "primitive": "string"
1150 }
1151 },
1152 {
1153 "docs": {
1154 "custom": {
1155 "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-serial"
1156 },
1157 "remarks": "Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.",
1158 "stability": "external",
1159 "summary": "This value is specific to CloudFormation and can only be *incremented* ."
1160 },
1161 "locationInModule": {
1162 "filename": "lib/iam.generated.ts",
1163 "line": 158
1164 },
1165 "name": "serial",
1166 "optional": true,
1167 "type": {
1168 "primitive": "number"
1169 }
1170 },
1171 {
1172 "docs": {
1173 "custom": {
1174 "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-status"
1175 },
1176 "remarks": "`Active` means that the key is valid for API calls, while `Inactive` means it is not.",
1177 "stability": "external",
1178 "summary": "The status of the access key."
1179 },
1180 "locationInModule": {
1181 "filename": "lib/iam.generated.ts",
1182 "line": 165
1183 },
1184 "name": "status",
1185 "optional": true,
1186 "type": {
1187 "primitive": "string"
1188 }
1189 }
1190 ],
1191 "symbolId": "lib/iam.generated:CfnAccessKey"
1192 },
1193 "@aws-cdk/aws-iam.CfnAccessKeyProps": {
1194 "assembly": "@aws-cdk/aws-iam",
1195 "datatype": true,
1196 "docs": {
1197 "custom": {
1198 "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html",
1199 "exampleMetadata": "fixture=_generated"
1200 },
1201 "stability": "external",
1202 "summary": "Properties for defining a `CfnAccessKey`.",
1203 "example": "// The code below shows an example of how to instantiate this type.\n// The values are placeholders you should change.\nimport * as iam from '@aws-cdk/aws-iam';\nconst cfnAccessKeyProps: iam.CfnAccessKeyProps = {\n userName: 'userName',\n\n // the properties below are optional\n serial: 123,\n status: 'status',\n};"
1204 },
1205 "fqn": "@aws-cdk/aws-iam.CfnAccessKeyProps",
1206 "kind": "interface",
1207 "locationInModule": {
1208 "filename": "lib/iam.generated.ts",
1209 "line": 19
1210 },
1211 "name": "CfnAccessKeyProps",
1212 "properties": [
1213 {
1214 "abstract": true,
1215 "docs": {
1216 "custom": {
1217 "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-username"
1218 },
1219 "remarks": "This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-",
1220 "stability": "external",
1221 "summary": "The name of the IAM user that the new key will belong to."
1222 },
1223 "immutable": true,
1224 "locationInModule": {
1225 "filename": "lib/iam.generated.ts",
1226 "line": 28
1227 },
1228 "name": "userName",
1229 "type": {
1230 "primitive": "string"
1231 }
1232 },
1233 {
1234 "abstract": true,
1235 "docs": {
1236 "custom": {
1237 "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-serial"
1238 },
1239 "remarks": "Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.",
1240 "stability": "external",
1241 "summary": "This value is specific to CloudFormation and can only be *incremented* ."
1242 },
1243 "immutable": true,
1244 "locationInModule": {
1245 "filename": "lib/iam.generated.ts",
1246 "line": 35
1247 },
1248 "name": "serial",
1249 "optional": true,
1250 "type": {
1251 "primitive": "number"
1252 }
1253 },
1254 {
1255 "abstract": true,
1256 "docs": {
1257 "custom": {
1258 "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-status"
1259 },
1260 "remarks": "`Active` means that the key is valid for API calls, while `Inactive` means it is not.",
1261 "stability": "external",
1262 "summary": "The status of the access key."
1263 },
1264 "immutable": true,
1265 "locationInModule": {
1266 "filename": "lib/iam.generated.ts",
1267 "line": 42
1268 },
1269 "name": "status",
1270 "optional": true,
1271 "type": {
1272 "primitive": "string"
1273 }
1274 }
1275 ],
1276 "symbolId": "lib/iam.generated:CfnAccessKeyProps"
1277 },
1278 "@aws-cdk/aws-iam.CfnGroup": {
1279 "assembly": "@aws-cdk/aws-iam",
1280 "base": "@aws-cdk/core.CfnResource",
1281 "docs": {
1282 "custom": {
1283 "cloudformationResource": "AWS::IAM::Group",
1284 "link": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html",
1285 "exampleMetadata": "fixture=_generated"
1286