1 | import { IPrincipal, ServicePrincipalOpts } from './principals';
|
/**
 * Represents a statement in an IAM policy document.
 *
 * A statement is the unit IAM evaluates: an Effect plus actions (or NotActions),
 * optional principals (or NotPrincipals), resources (or NotResources) and
 * conditions. The `add*` methods below mutate this statement in place; the
 * `validateFor*Policy` methods report structural problems for a given policy type.
 *
 * Reviewer note: the wildcard helpers (`addAnyPrincipal`, `addAllResources`) and
 * the "Not*" helpers (`addNotActions`, `addNotPrincipals`, `addNotResources`) each
 * widen the scope of an `Effect.ALLOW` statement in ways that are easy to
 * under-estimate. See the per-method documentation before using them.
 */
export declare class PolicyStatement {
    /**
     * Creates a new PolicyStatement based on the object provided.
     * This will accept an object created from the `.toJSON()` call.
     *
     * `obj` is typed `any`, so nothing about its shape is checked at compile
     * time. If the object originates outside the build (a file, an API
     * response, user input), treat it as untrusted policy text: run the result
     * through `validateForAnyPolicy()` / `validateForResourcePolicy()` /
     * `validateForIdentityPolicy()` and review its effect, principals and
     * resources before deploying it.
     *
     * @param obj the PolicyStatement in object form.
     */
    static fromJson(obj: any): PolicyStatement;
    /**
     * Statement ID for this statement.
     *
     * Optional. In IAM the Sid must be unique within a policy document.
     */
    sid?: string;
    /**
     * Whether to allow or deny the actions in this statement.
     *
     * Defaults to `Effect.ALLOW` when the constructor props omit it (see
     * `PolicyStatementProps.effect`), so a statement built without an explicit
     * effect is a grant.
     */
    effect: Effect;
    // Backing collections for the policy elements. Their element types are not
    // visible in this declaration; they are populated by the add* methods below.
    private readonly action;
    private readonly notAction;
    private readonly principal;
    private readonly notPrincipal;
    private readonly resource;
    private readonly notResource;
    private readonly condition;
    // Serialized form of the conditions contributed by principals (see
    // addPrincipalConditions); presumably used to detect mismatching principals.
    private principalConditionsJson?;
    // Principal objects as added, before conversion to policy JSON; exposed via
    // the `principals` getter.
    private readonly _principals;
    /**
     * @param props initial elements of the statement; every field is optional and
     *   the effect defaults to `Effect.ALLOW`.
     */
    constructor(props?: PolicyStatementProps);
    /**
     * Specify allowed actions into the "Action" section of the policy statement.
     *
     * Prefer listing the specific actions a caller needs; action wildcards
     * (`service:*`, `*`) in an `Effect.ALLOW` statement grant far more than is
     * usually intended.
     *
     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html
     *
     * @param actions actions that will be allowed.
     */
    addActions(...actions: string[]): void;
    /**
     * Add actions to the "NotAction" section of the policy statement.
     *
     * NotAction matches every action EXCEPT the ones listed. With `Effect.ALLOW`
     * this therefore grants all other actions, including actions for services
     * added after the policy was written; with `Effect.DENY` it denies everything
     * except the listed actions. Treat an ALLOW + NotAction statement as a broad
     * grant and review it accordingly.
     *
     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html
     *
     * @param notActions actions excluded from the statement. All other actions are matched.
     */
    addNotActions(...notActions: string[]): void;
    /**
     * Indicates if this permission has a "Principal" section.
     */
    get hasPrincipal(): boolean;
    /**
     * Adds principals to the "Principal" section of a policy statement.
     *
     * Principals may carry their own conditions (see `addPrincipalConditions`).
     * When several principals are added to the same statement they must all have
     * the same conditions; otherwise use one statement per principal.
     *
     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
     *
     * @param principals IAM principals that will be added
     */
    addPrincipals(...principals: IPrincipal[]): void;
    /**
     * Expose principals to allow their ARNs to be replaced by account ID strings
     * in policy statements for resource policies that don't allow full account ARNs,
     * such as AWS::Logs::ResourcePolicy.
     */
    get principals(): IPrincipal[];
    /**
     * Add principals to the "NotPrincipal" section of a policy statement.
     *
     * NotPrincipal matches every principal EXCEPT the ones listed. Combined with
     * `Effect.ALLOW` this grants access to all other principals (in a resource
     * policy that includes anonymous callers), which is almost never intended;
     * AWS recommends NotPrincipal only together with `Effect.DENY`.
     *
     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html
     *
     * @param notPrincipals IAM principals excluded from this statement
     */
    addNotPrincipals(...notPrincipals: IPrincipal[]): void;
    // Internal consistency check on principal usage; details are not visible here.
    private validatePolicyPrincipal;
    /**
     * Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.
     *
     * This trusts the whole account: IAM delegates to that account's own
     * identity policies to decide which of its identities may use the grant.
     */
    addAwsAccountPrincipal(accountId: string): void;
    /**
     * Specify a principal using the ARN identifier of the principal.
     * You cannot specify IAM groups and instance profiles as principals.
     *
     * @param arn ARN identifier of AWS account, IAM user, or IAM role (i.e. arn:aws:iam::123456789012:user/user-name)
     */
    addArnPrincipal(arn: string): void;
    /**
     * Adds a service principal to this policy statement.
     *
     * A service principal is shared by every customer of that service. In a
     * resource policy, scope the grant with `aws:SourceArn` / `aws:SourceAccount`
     * conditions so that only your own resources can make the service act on
     * this one (the confused-deputy problem). Some service principal objects add
     * such a condition themselves; see `addPrincipalConditions`.
     *
     * @param service the service name for which a service principal is requested (e.g: `s3.amazonaws.com`).
     * @param opts options for adding the service principal (such as specifying a principal in a different region)
     */
    addServicePrincipal(service: string, opts?: ServicePrincipalOpts): void;
    /**
     * Adds a federated identity provider such as Amazon Cognito to this policy statement.
     *
     * `conditions` is required because it is what narrows the trust to a specific
     * identity pool / audience; a provider principal with no restrictive
     * condition would match any identity that provider vouches for. `federated`
     * is typed `any` and is not validated at compile time.
     *
     * @param federated federated identity provider (i.e. 'cognito-identity.amazonaws.com')
     * @param conditions The conditions under which the policy is in effect.
     * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
     */
    addFederatedPrincipal(federated: any, conditions: Conditions): void;
    /**
     * Adds an AWS account root user principal to this policy statement.
     *
     * Like `addAwsAccountPrincipal`, this trusts the entire account (for the
     * account this statement is deployed in) rather than a single identity.
     */
    addAccountRootPrincipal(): void;
    /**
     * Adds a canonical user ID principal to this policy document
     *
     * @param canonicalUserId unique identifier assigned by AWS for every account
     */
    addCanonicalUserPrincipal(canonicalUserId: string): void;
    /**
     * Adds all identities in all accounts ("*") to this policy statement.
     *
     * In a resource policy with `Effect.ALLOW` this makes the resource public
     * (anonymous access included) unless a condition restricts it. Prefer a
     * specific principal, or at least pair this with a condition such as
     * `aws:PrincipalOrgID` or `aws:SourceAccount`.
     */
    addAnyPrincipal(): void;
    /**
     * Specify resources that this policy statement applies into the "Resource" section of
     * this policy statement.
     *
     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html
     *
     * @param arns Amazon Resource Names (ARNs) of the resources that this policy statement applies to
     */
    addResources(...arns: string[]): void;
    /**
     * Specify resources that this policy statement will not apply to in the "NotResource" section
     * of this policy statement. All resources except the specified list will be matched.
     *
     * With `Effect.ALLOW` this is a grant on every other resource, including ones
     * that do not exist yet; review such statements as you would a `*` resource.
     *
     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
     *
     * @param arns Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to
     */
    addNotResources(...arns: string[]): void;
    /**
     * Adds a ``"*"`` resource to this statement.
     *
     * Combined with broad actions this yields an over-privileged statement;
     * prefer `addResources` with the specific ARNs whenever the service
     * supports resource-level permissions.
     */
    addAllResources(): void;
    /**
     * Indicates if this permission has at least one resource associated with it.
     */
    get hasResource(): boolean;
    /**
     * Add a condition to the Policy
     *
     * If multiple calls are made to add a condition with the same operator and field, only
     * the last one wins. For example:
     *
     * ```ts
     * declare const stmt: iam.PolicyStatement;
     *
     * stmt.addCondition('StringEquals', { 'aws:SomeField': '1' });
     * stmt.addCondition('StringEquals', { 'aws:SomeField': '2' });
     * ```
     *
     * Will end up with the single condition `StringEquals: { 'aws:SomeField': '2' }`.
     *
     * Because the replacement is silent, a later call can drop a condition that
     * was meant to restrict access. If you meant to add a condition to say that
     * the field can be *either* `1` or `2`, write this:
     *
     * ```ts
     * declare const stmt: iam.PolicyStatement;
     *
     * stmt.addCondition('StringEquals', { 'aws:SomeField': ['1', '2'] });
     * ```
     *
     * @param key the condition operator (e.g. `StringEquals`)
     * @param value map of condition key to value(s); typed `any`, so not checked at compile time
     */
    addCondition(key: string, value: Condition): void;
    /**
     * Add multiple conditions to the Policy
     *
     * See the `addCondition` function for a caveat on calling this method multiple times.
     */
    addConditions(conditions: Conditions): void;
    /**
     * Add a condition that limits to a given account
     *
     * This method can only be called once: subsequent calls will overwrite earlier calls.
     * It is a condition, not a principal; on a statement with `addAnyPrincipal()`
     * it is what narrows the wildcard principal to the given account.
     */
    addAccountCondition(accountId: string): void;
    /**
     * Create a new `PolicyStatement` with the same exact properties
     * as this one, except for the overrides
     *
     * @param overrides props that replace the corresponding elements of this statement
     */
    copy(overrides?: PolicyStatementProps): PolicyStatement;
    /**
     * JSON-ify the policy statement
     *
     * Used when JSON.stringify() is called
     */
    toStatementJson(): any;
    /**
     * String representation of this policy statement
     */
    toString(): string;
    /**
     * JSON-ify the statement
     *
     * Used when JSON.stringify() is called
     */
    toJSON(): any;
    /**
     * Add a principal's conditions
     *
     * For convenience, principals have been modeled as both a principal
     * and a set of conditions. This makes it possible to have a single
     * object represent e.g. an "SNS Topic" (SNS service principal + aws:SourceArn
     * condition) or an Organization member (* + aws:OrgId condition).
     *
     * However, when using multiple principals in the same policy statement,
     * they must all have the same conditions or the OR semantics
     * implied by a list of principals cannot be guaranteed (user needs to
     * add multiple statements in that case).
     */
    private addPrincipalConditions;
    /**
     * Validate that the policy statement satisfies base requirements for a policy.
     *
     * @returns presumably a list of problem descriptions; an empty array means
     *   no problem was found
     */
    validateForAnyPolicy(): string[];
    /**
     * Validate that the policy statement satisfies all requirements for a resource-based policy.
     *
     * @returns presumably a list of problem descriptions; an empty array means
     *   no problem was found
     */
    validateForResourcePolicy(): string[];
    /**
     * Validate that the policy statement satisfies all requirements for an identity-based policy.
     *
     * @returns presumably a list of problem descriptions; an empty array means
     *   no problem was found
     */
    validateForIdentityPolicy(): string[];
}
|
/**
 * The Effect element of an IAM policy
 *
 * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html
 */
export declare enum Effect {
    /**
     * Allows access to a resource in an IAM policy statement. By default, access to resources is denied,
     * so an Allow is what actually grants permissions.
     */
    ALLOW = "Allow",
    /**
     * Explicitly deny access to a resource. By default, all requests are denied implicitly;
     * an explicit Deny additionally overrides any Allow that matches the same request,
     * which is what makes Deny statements useful as guardrails.
     *
     * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
     */
    DENY = "Deny"
}
|
/**
 * Condition for when an IAM policy is in effect. Maps from the keys in a request's context to
 * a string value or array of string values. See the Conditions interface for more details.
 *
 * Declared as `any`, so condition keys and values are not checked at compile time;
 * a misspelled key (e.g. `aws:SourcArn`) will deploy and simply never match.
 */
export declare type Condition = any;
|
/**
 * Conditions for when an IAM Policy is in effect, specified in the following structure:
 *
 * `{ "Operator": { "keyInRequestContext": "value" } }`
 *
 * The value can be either a single string value or an array of string values.
 *
 * The operator names are only `string` here, so they are not validated at
 * compile time either.
 *
 * For more information, including which operators are supported, see [the IAM
 * documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
 */
export declare type Conditions = Record<string, Condition>;
|
/**
 * Interface for creating a policy statement
 *
 * Every field is optional; each maps onto the corresponding `add*` method of
 * `PolicyStatement`, whose documentation describes the scope implications of
 * the "Not*" elements and of wildcard values.
 */
export interface PolicyStatementProps {
    /**
     * The Sid (statement ID) is an optional identifier that you provide for the
     * policy statement. You can assign a Sid value to each statement in a
     * statement array. In services that let you specify an ID element, such as
     * SQS and SNS, the Sid value is just a sub-ID of the policy document's ID. In
     * IAM, the Sid value must be unique within a JSON policy.
     *
     * @default - no sid
     */
    readonly sid?: string;
    /**
     * List of actions to add to the statement
     *
     * @default - no actions
     */
    readonly actions?: string[];
    /**
     * List of not actions to add to the statement
     *
     * Matches every action except these; with the default `Effect.ALLOW` that is
     * a very broad grant. See `PolicyStatement.addNotActions`.
     *
     * @default - no not-actions
     */
    readonly notActions?: string[];
    /**
     * List of principals to add to the statement
     *
     * @default - no principals
     */
    readonly principals?: IPrincipal[];
    /**
     * List of not principals to add to the statement
     *
     * Matches every principal except these; intended for `Effect.DENY`
     * statements. See `PolicyStatement.addNotPrincipals`.
     *
     * @default - no not principals
     */
    readonly notPrincipals?: IPrincipal[];
    /**
     * Resource ARNs to add to the statement
     *
     * @default - no resources
     */
    readonly resources?: string[];
    /**
     * NotResource ARNs to add to the statement
     *
     * Matches every resource except these. See `PolicyStatement.addNotResources`.
     *
     * @default - no not-resources
     */
    readonly notResources?: string[];
    /**
     * Conditions to add to the statement
     *
     * Same structure as `Conditions`; values are `any` and are not checked at
     * compile time.
     *
     * @default - no condition
     */
    readonly conditions?: {
        [key: string]: any;
    };
    /**
     * Whether to allow or deny the actions in this statement
     *
     * Note that the default is a grant: a statement constructed without an
     * explicit effect allows the listed actions.
     *
     * @default Effect.ALLOW
     */
    readonly effect?: Effect;
}
|