1 | import * as cdk from '@aws-cdk/core';
|
2 | import { IOpenIdConnectProvider } from './oidc-provider';
|
3 | import { PolicyDocument } from './policy-document';
|
4 | import { Condition, Conditions, PolicyStatement } from './policy-statement';
|
5 | import { ISamlProvider } from './saml-provider';
|
6 | /**
|
7 | * Any object that has an associated principal that a permission can be granted to
|
8 | */
|
9 | export interface IGrantable {
|
10 | /**
|
11 | * The principal to grant permissions to
|
12 | */
|
13 | readonly grantPrincipal: IPrincipal;
|
14 | }
|
15 | /**
|
16 | * Represents a logical IAM principal.
|
17 | *
|
18 | * An IPrincipal describes a logical entity that can perform AWS API calls
|
19 | * against sets of resources, optionally under certain conditions.
|
20 | *
|
21 | * Examples of simple principals are IAM objects that you create, such
|
22 | * as Users or Roles.
|
23 | *
|
24 | * An example of a more complex principals is a `ServicePrincipal` (such as
|
25 | * `new ServicePrincipal("sns.amazonaws.com")`, which represents the Simple
|
26 | * Notifications Service).
|
27 | *
|
28 | * A single logical Principal may also map to a set of physical principals.
|
29 | * For example, `new OrganizationPrincipal('o-1234')` represents all
|
30 | * identities that are part of the given AWS Organization.
|
31 | */
|
32 | export interface IPrincipal extends IGrantable {
|
33 | /**
|
34 | * When this Principal is used in an AssumeRole policy, the action to use.
|
35 | */
|
36 | readonly assumeRoleAction: string;
|
37 | /**
|
38 | * Return the policy fragment that identifies this principal in a Policy.
|
39 | */
|
40 | readonly policyFragment: PrincipalPolicyFragment;
|
41 | /**
|
42 | * The AWS account ID of this principal.
|
43 | * Can be undefined when the account is not known
|
44 | * (for example, for service principals).
|
45 | * Can be a Token - in that case,
|
46 | * it's assumed to be AWS::AccountId.
|
47 | */
|
48 | readonly principalAccount?: string;
|
49 | /**
|
50 | * Add to the policy of this principal.
|
51 | *
|
52 | * @returns true if the statement was added, false if the principal in
|
53 | * question does not have a policy document to add the statement to.
|
54 | *
|
55 | * @deprecated Use `addToPrincipalPolicy` instead.
|
56 | */
|
57 | addToPolicy(statement: PolicyStatement): boolean;
|
58 | /**
|
59 | * Add to the policy of this principal.
|
60 | */
|
61 | addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult;
|
62 | }
|
63 | /**
|
64 | * A type of principal that has more control over its own representation in AssumeRolePolicyDocuments
|
65 | *
|
66 | * More complex types of identity providers need more control over Role's policy documents
|
67 | * than simply `{ Effect: 'Allow', Action: 'AssumeRole', Principal: <Whatever> }`.
|
68 | *
|
69 | * If that control is necessary, they can implement `IAssumeRolePrincipal` to get full
|
70 | * access to a Role's AssumeRolePolicyDocument.
|
71 | */
|
72 | export interface IAssumeRolePrincipal extends IPrincipal {
|
73 | /**
|
74 | * Add the princpial to the AssumeRolePolicyDocument
|
75 | *
|
76 | * Add the statements to the AssumeRolePolicyDocument necessary to give this principal
|
77 | * permissions to assume the given role.
|
78 | */
|
79 | addToAssumeRolePolicy(document: PolicyDocument): void;
|
80 | }
|
81 | /**
|
82 | * Result of calling `addToPrincipalPolicy`
|
83 | */
|
84 | export interface AddToPrincipalPolicyResult {
|
85 | /**
|
86 | * Whether the statement was added to the identity's policies.
|
87 | *
|
88 | */
|
89 | readonly statementAdded: boolean;
|
90 | /**
|
91 | * Dependable which allows depending on the policy change being applied
|
92 | *
|
93 | * @default - Required if `statementAdded` is true.
|
94 | */
|
95 | readonly policyDependable?: cdk.IDependable;
|
96 | }
|
97 | /**
|
98 | * Base class for policy principals
|
99 | */
|
100 | export declare abstract class PrincipalBase implements IAssumeRolePrincipal {
|
101 | readonly grantPrincipal: IPrincipal;
|
102 | readonly principalAccount: string | undefined;
|
103 | /**
|
104 | * Return the policy fragment that identifies this principal in a Policy.
|
105 | */
|
106 | abstract readonly policyFragment: PrincipalPolicyFragment;
|
107 | /**
|
108 | * When this Principal is used in an AssumeRole policy, the action to use.
|
109 | */
|
110 | readonly assumeRoleAction: string;
|
111 | addToPolicy(statement: PolicyStatement): boolean;
|
112 | addToPrincipalPolicy(_statement: PolicyStatement): AddToPrincipalPolicyResult;
|
113 | addToAssumeRolePolicy(document: PolicyDocument): void;
|
114 | toString(): string;
|
115 | /**
|
116 | * JSON-ify the principal
|
117 | *
|
118 | * Used when JSON.stringify() is called
|
119 | */
|
120 | toJSON(): {
|
121 | [key: string]: string[];
|
122 | };
|
123 | /**
|
124 | * Returns a new PrincipalWithConditions using this principal as the base, with the
|
125 | * passed conditions added.
|
126 | *
|
127 | * When there is a value for the same operator and key in both the principal and the
|
128 | * conditions parameter, the value from the conditions parameter will be used.
|
129 | *
|
130 | * @returns a new PrincipalWithConditions object.
|
131 | */
|
132 | withConditions(conditions: Conditions): PrincipalBase;
|
133 | /**
|
134 | * Returns a new principal using this principal as the base, with session tags enabled.
|
135 | *
|
136 | * @returns a new SessionTagsPrincipal object.
|
137 | */
|
138 | withSessionTags(): PrincipalBase;
|
139 | }
|
140 | /**
|
141 | * Base class for Principals that wrap other principals
|
142 | */
|
143 | declare class PrincipalAdapter extends PrincipalBase {
|
144 | protected readonly wrapped: IPrincipal;
|
145 | readonly assumeRoleAction: string;
|
146 | readonly principalAccount: string | undefined;
|
147 | constructor(wrapped: IPrincipal);
|
148 | get policyFragment(): PrincipalPolicyFragment;
|
149 | addToPolicy(statement: PolicyStatement): boolean;
|
150 | addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult;
|
151 | }
|
152 | /**
|
153 | * An IAM principal with additional conditions specifying when the policy is in effect.
|
154 | *
|
155 | * For more information about conditions, see:
|
156 | * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
|
157 | */
|
158 | export declare class PrincipalWithConditions extends PrincipalAdapter {
|
159 | private additionalConditions;
|
160 | constructor(principal: IPrincipal, conditions: Conditions);
|
161 | /**
|
162 | * Add a condition to the principal
|
163 | */
|
164 | addCondition(key: string, value: Condition): void;
|
165 | /**
|
166 | * Adds multiple conditions to the principal
|
167 | *
|
168 | * Values from the conditions parameter will overwrite existing values with the same operator
|
169 | * and key.
|
170 | */
|
171 | addConditions(conditions: Conditions): void;
|
172 | /**
|
173 | * The conditions under which the policy is in effect.
|
174 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
175 | */
|
176 | get conditions(): Record<string, any>;
|
177 | get policyFragment(): PrincipalPolicyFragment;
|
178 | toString(): string;
|
179 | /**
|
180 | * JSON-ify the principal
|
181 | *
|
182 | * Used when JSON.stringify() is called
|
183 | */
|
184 | toJSON(): {
|
185 | [key: string]: string[];
|
186 | };
|
187 | private mergeConditions;
|
188 | }
|
189 | /**
|
190 | * Enables session tags on role assumptions from a principal
|
191 | *
|
192 | * For more information on session tags, see:
|
193 | * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
194 | */
|
195 | export declare class SessionTagsPrincipal extends PrincipalAdapter {
|
196 | constructor(principal: IPrincipal);
|
197 | addToAssumeRolePolicy(doc: PolicyDocument): void;
|
198 | }
|
199 | /**
|
200 | * A collection of the fields in a PolicyStatement that can be used to identify a principal.
|
201 | *
|
202 | * This consists of the JSON used in the "Principal" field, and optionally a
|
203 | * set of "Condition"s that need to be applied to the policy.
|
204 | *
|
205 | * Generally, a principal looks like:
|
206 | *
|
207 | * { '<TYPE>': ['ID', 'ID', ...] }
|
208 | *
|
209 | * And this is also the type of the field `principalJson`. However, there is a
|
210 | * special type of principal that is just the string '*', which is treated
|
211 | * differently by some services. To represent that principal, `principalJson`
|
212 | * should contain `{ 'LiteralString': ['*'] }`.
|
213 | */
|
214 | export declare class PrincipalPolicyFragment {
|
215 | readonly principalJson: {
|
216 | [key: string]: string[];
|
217 | };
|
218 | /**
|
219 | * The conditions under which the policy is in effect.
|
220 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
221 | */
|
222 | readonly conditions: Conditions;
|
223 | /**
|
224 | *
|
225 | * @param principalJson JSON of the "Principal" section in a policy statement
|
226 | * @param conditions conditions that need to be applied to this policy
|
227 | */
|
228 | constructor(principalJson: {
|
229 | [key: string]: string[];
|
230 | },
|
231 | /**
|
232 | * The conditions under which the policy is in effect.
|
233 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
234 | */
|
235 | conditions?: Conditions);
|
236 | }
|
237 | /**
|
238 | * Specify a principal by the Amazon Resource Name (ARN).
|
239 | * You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions.
|
240 | * You cannot specify IAM groups or instance profiles as principals
|
241 | *
|
242 | * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
|
243 | */
|
244 | export declare class ArnPrincipal extends PrincipalBase {
|
245 | readonly arn: string;
|
246 | /**
|
247 | *
|
248 | * @param arn Amazon Resource Name (ARN) of the principal entity (i.e. arn:aws:iam::123456789012:user/user-name)
|
249 | */
|
250 | constructor(arn: string);
|
251 | get policyFragment(): PrincipalPolicyFragment;
|
252 | toString(): string;
|
253 | /**
|
254 | * A convenience method for adding a condition that the principal is part of the specified
|
255 | * AWS Organization.
|
256 | */
|
257 | inOrganization(organizationId: string): PrincipalBase;
|
258 | }
|
259 | /**
|
260 | * Specify AWS account ID as the principal entity in a policy to delegate authority to the account.
|
261 | */
|
262 | export declare class AccountPrincipal extends ArnPrincipal {
|
263 | readonly accountId: any;
|
264 | readonly principalAccount: string | undefined;
|
265 | /**
|
266 | *
|
267 | * @param accountId AWS account ID (i.e. 123456789012)
|
268 | */
|
269 | constructor(accountId: any);
|
270 | toString(): string;
|
271 | }
|
272 | /**
|
273 | * Options for a service principal.
|
274 | */
|
275 | export interface ServicePrincipalOpts {
|
276 | /**
|
277 | * The region in which the service is operating.
|
278 | *
|
279 | * @default - the current Stack's region.
|
280 | * @deprecated You should not need to set this. The stack's region is always correct.
|
281 | */
|
282 | readonly region?: string;
|
283 | /**
|
284 | * Additional conditions to add to the Service Principal
|
285 | *
|
286 | * @default - No conditions
|
287 | */
|
288 | readonly conditions?: {
|
289 | [key: string]: any;
|
290 | };
|
291 | }
|
292 | /**
|
293 | * An IAM principal that represents an AWS service (i.e. sqs.amazonaws.com).
|
294 | */
|
295 | export declare class ServicePrincipal extends PrincipalBase {
|
296 | readonly service: string;
|
297 | private readonly opts;
|
298 | /**
|
299 | *
|
300 | * @param service AWS service (i.e. sqs.amazonaws.com)
|
301 | */
|
302 | constructor(service: string, opts?: ServicePrincipalOpts);
|
303 | get policyFragment(): PrincipalPolicyFragment;
|
304 | toString(): string;
|
305 | }
|
306 | /**
|
307 | * A principal that represents an AWS Organization
|
308 | */
|
309 | export declare class OrganizationPrincipal extends PrincipalBase {
|
310 | readonly organizationId: string;
|
311 | /**
|
312 | *
|
313 | * @param organizationId The unique identifier (ID) of an organization (i.e. o-12345abcde)
|
314 | */
|
315 | constructor(organizationId: string);
|
316 | get policyFragment(): PrincipalPolicyFragment;
|
317 | toString(): string;
|
318 | }
|
319 | /**
|
320 | * A policy principal for canonicalUserIds - useful for S3 bucket policies that use
|
321 | * Origin Access identities.
|
322 | *
|
323 | * See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
|
324 | *
|
325 | * and
|
326 | *
|
327 | * https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
|
328 | *
|
329 | * for more details.
|
330 | *
|
331 | */
|
332 | export declare class CanonicalUserPrincipal extends PrincipalBase {
|
333 | readonly canonicalUserId: string;
|
334 | /**
|
335 | *
|
336 | * @param canonicalUserId unique identifier assigned by AWS for every account.
|
337 | * root user and IAM users for an account all see the same ID.
|
338 | * (i.e. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be)
|
339 | */
|
340 | constructor(canonicalUserId: string);
|
341 | get policyFragment(): PrincipalPolicyFragment;
|
342 | toString(): string;
|
343 | }
|
344 | /**
|
345 | * Principal entity that represents a federated identity provider such as Amazon Cognito,
|
346 | * that can be used to provide temporary security credentials to users who have been authenticated.
|
347 | * Additional condition keys are available when the temporary security credentials are used to make a request.
|
348 | * You can use these keys to write policies that limit the access of federated users.
|
349 | *
|
350 | * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif
|
351 | */
|
352 | export declare class FederatedPrincipal extends PrincipalBase {
|
353 | readonly federated: string;
|
354 | readonly conditions: Conditions;
|
355 | readonly assumeRoleAction: string;
|
356 | /**
|
357 | *
|
358 | * @param federated federated identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)
|
359 | * @param conditions The conditions under which the policy is in effect.
|
360 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
361 | * @param sessionTags Whether to enable session tagging (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
|
362 | */
|
363 | constructor(federated: string, conditions: Conditions, assumeRoleAction?: string);
|
364 | get policyFragment(): PrincipalPolicyFragment;
|
365 | toString(): string;
|
366 | }
|
367 | /**
|
368 | * A principal that represents a federated identity provider as Web Identity such as Cognito, Amazon,
|
369 | * Facebook, Google, etc.
|
370 | */
|
371 | export declare class WebIdentityPrincipal extends FederatedPrincipal {
|
372 | /**
|
373 | *
|
374 | * @param identityProvider identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)
|
375 | * @param conditions The conditions under which the policy is in effect.
|
376 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
377 | * @param sessionTags Whether to enable session tagging (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
|
378 | */
|
379 | constructor(identityProvider: string, conditions?: Conditions);
|
380 | get policyFragment(): PrincipalPolicyFragment;
|
381 | toString(): string;
|
382 | }
|
383 | /**
|
384 | * A principal that represents a federated identity provider as from a OpenID Connect provider.
|
385 | */
|
386 | export declare class OpenIdConnectPrincipal extends WebIdentityPrincipal {
|
387 | /**
|
388 | *
|
389 | * @param openIdConnectProvider OpenID Connect provider
|
390 | * @param conditions The conditions under which the policy is in effect.
|
391 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
392 | */
|
393 | constructor(openIdConnectProvider: IOpenIdConnectProvider, conditions?: Conditions);
|
394 | get policyFragment(): PrincipalPolicyFragment;
|
395 | toString(): string;
|
396 | }
|
397 | /**
|
398 | * Principal entity that represents a SAML federated identity provider
|
399 | */
|
400 | export declare class SamlPrincipal extends FederatedPrincipal {
|
401 | constructor(samlProvider: ISamlProvider, conditions: Conditions);
|
402 | toString(): string;
|
403 | }
|
404 | /**
|
405 | * Principal entity that represents a SAML federated identity provider for
|
406 | * programmatic and AWS Management Console access.
|
407 | */
|
408 | export declare class SamlConsolePrincipal extends SamlPrincipal {
|
409 | constructor(samlProvider: ISamlProvider, conditions?: Conditions);
|
410 | toString(): string;
|
411 | }
|
412 | /**
|
413 | * Use the AWS account into which a stack is deployed as the principal entity in a policy
|
414 | */
|
415 | export declare class AccountRootPrincipal extends AccountPrincipal {
|
416 | constructor();
|
417 | toString(): string;
|
418 | }
|
419 | /**
|
420 | * A principal representing all AWS identities in all accounts
|
421 | *
|
422 | * Some services behave differently when you specify `Principal: '*'`
|
423 | * or `Principal: { AWS: "*" }` in their resource policy.
|
424 | *
|
425 | * `AnyPrincipal` renders to `Principal: { AWS: "*" }`. This is correct
|
426 | * most of the time, but in cases where you need the other principal,
|
427 | * use `StarPrincipal` instead.
|
428 | */
|
429 | export declare class AnyPrincipal extends ArnPrincipal {
|
430 | constructor();
|
431 | toString(): string;
|
432 | }
|
433 | /**
|
434 | * A principal representing all identities in all accounts
|
435 | * @deprecated use `AnyPrincipal`
|
436 | */
|
437 | export declare class Anyone extends AnyPrincipal {
|
438 | }
|
439 | /**
|
440 | * A principal that uses a literal '*' in the IAM JSON language
|
441 | *
|
442 | * Some services behave differently when you specify `Principal: "*"`
|
443 | * or `Principal: { AWS: "*" }` in their resource policy.
|
444 | *
|
445 | * `StarPrincipal` renders to `Principal: *`. Most of the time, you
|
446 | * should use `AnyPrincipal` instead.
|
447 | */
|
448 | export declare class StarPrincipal extends PrincipalBase {
|
449 | readonly policyFragment: PrincipalPolicyFragment;
|
450 | toString(): string;
|
451 | }
|
452 | /**
|
453 | * Represents a principal that has multiple types of principals. A composite principal cannot
|
454 | * have conditions. i.e. multiple ServicePrincipals that form a composite principal
|
455 | */
|
456 | export declare class CompositePrincipal extends PrincipalBase {
|
457 | readonly assumeRoleAction: string;
|
458 | private readonly principals;
|
459 | constructor(...principals: IPrincipal[]);
|
460 | /**
|
461 | * Adds IAM principals to the composite principal. Composite principals cannot have
|
462 | * conditions.
|
463 | *
|
464 | * @param principals IAM principals that will be added to the composite principal
|
465 | */
|
466 | addPrincipals(...principals: IPrincipal[]): this;
|
467 | addToAssumeRolePolicy(doc: PolicyDocument): void;
|
468 | get policyFragment(): PrincipalPolicyFragment;
|
469 | toString(): string;
|
470 | }
|
471 | export {};
|
472 |
|
\ | No newline at end of file |