| 1 | import * as cdk from '@aws-cdk/core';
|
| 2 | import { IOpenIdConnectProvider } from './oidc-provider';
|
| 3 | import { PolicyDocument } from './policy-document';
|
| 4 | import { Condition, Conditions, PolicyStatement } from './policy-statement';
|
| 5 | import { ISamlProvider } from './saml-provider';
|
| 6 | /**
|
| 7 | * Any object that has an associated principal that a permission can be granted to
|
| 8 | */
|
| 9 | export interface IGrantable {
|
| 10 | /**
|
| 11 | * The principal to grant permissions to
|
| 12 | */
|
| 13 | readonly grantPrincipal: IPrincipal;
|
| 14 | }
|
| 15 | /**
|
| 16 | * Represents a logical IAM principal.
|
| 17 | *
|
| 18 | * An IPrincipal describes a logical entity that can perform AWS API calls
|
| 19 | * against sets of resources, optionally under certain conditions.
|
| 20 | *
|
| 21 | * Examples of simple principals are IAM objects that you create, such
|
| 22 | * as Users or Roles.
|
| 23 | *
|
| 24 | * An example of a more complex principals is a `ServicePrincipal` (such as
|
| 25 | * `new ServicePrincipal("sns.amazonaws.com")`, which represents the Simple
|
| 26 | * Notifications Service).
|
| 27 | *
|
| 28 | * A single logical Principal may also map to a set of physical principals.
|
| 29 | * For example, `new OrganizationPrincipal('o-1234')` represents all
|
| 30 | * identities that are part of the given AWS Organization.
|
| 31 | */
|
| 32 | export interface IPrincipal extends IGrantable {
|
| 33 | /**
|
| 34 | * When this Principal is used in an AssumeRole policy, the action to use.
|
| 35 | */
|
| 36 | readonly assumeRoleAction: string;
|
| 37 | /**
|
| 38 | * Return the policy fragment that identifies this principal in a Policy.
|
| 39 | */
|
| 40 | readonly policyFragment: PrincipalPolicyFragment;
|
| 41 | /**
|
| 42 | * The AWS account ID of this principal.
|
| 43 | * Can be undefined when the account is not known
|
| 44 | * (for example, for service principals).
|
| 45 | * Can be a Token - in that case,
|
| 46 | * it's assumed to be AWS::AccountId.
|
| 47 | */
|
| 48 | readonly principalAccount?: string;
|
| 49 | /**
|
| 50 | * Add to the policy of this principal.
|
| 51 | *
|
| 52 | * @returns true if the statement was added, false if the principal in
|
| 53 | * question does not have a policy document to add the statement to.
|
| 54 | *
|
| 55 | * @deprecated Use `addToPrincipalPolicy` instead.
|
| 56 | */
|
| 57 | addToPolicy(statement: PolicyStatement): boolean;
|
| 58 | /**
|
| 59 | * Add to the policy of this principal.
|
| 60 | */
|
| 61 | addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult;
|
| 62 | }
|
| 63 | /**
|
| 64 | * Interface for principals that can be compared.
|
| 65 | *
|
| 66 | * This only needs to be implemented for principals that could potentially be value-equal.
|
| 67 | * Identity-equal principals will be handled correctly by default.
|
| 68 | */
|
| 69 | export interface IComparablePrincipal extends IPrincipal {
|
| 70 | /**
|
| 71 | * Return a string format of this principal which should be identical if the two
|
| 72 | * principals are the same.
|
| 73 | */
|
| 74 | dedupeString(): string | undefined;
|
| 75 | }
|
| 76 | /**
|
| 77 | * Helper class for working with `IComparablePrincipal`s
|
| 78 | */
|
| 79 | export declare class ComparablePrincipal {
|
| 80 | /**
|
| 81 | * Whether or not the given principal is a comparable principal
|
| 82 | */
|
| 83 | static isComparablePrincipal(x: IPrincipal): x is IComparablePrincipal;
|
| 84 | /**
|
| 85 | * Return the dedupeString of the given principal, if available
|
| 86 | */
|
| 87 | static dedupeStringFor(x: IPrincipal): string | undefined;
|
| 88 | }
|
| 89 | /**
|
| 90 | * A type of principal that has more control over its own representation in AssumeRolePolicyDocuments
|
| 91 | *
|
| 92 | * More complex types of identity providers need more control over Role's policy documents
|
| 93 | * than simply `{ Effect: 'Allow', Action: 'AssumeRole', Principal: <Whatever> }`.
|
| 94 | *
|
| 95 | * If that control is necessary, they can implement `IAssumeRolePrincipal` to get full
|
| 96 | * access to a Role's AssumeRolePolicyDocument.
|
| 97 | */
|
| 98 | export interface IAssumeRolePrincipal extends IPrincipal {
|
| 99 | /**
|
| 100 | * Add the princpial to the AssumeRolePolicyDocument
|
| 101 | *
|
| 102 | * Add the statements to the AssumeRolePolicyDocument necessary to give this principal
|
| 103 | * permissions to assume the given role.
|
| 104 | */
|
| 105 | addToAssumeRolePolicy(document: PolicyDocument): void;
|
| 106 | }
|
| 107 | /**
|
| 108 | * Result of calling `addToPrincipalPolicy`
|
| 109 | */
|
| 110 | export interface AddToPrincipalPolicyResult {
|
| 111 | /**
|
| 112 | * Whether the statement was added to the identity's policies.
|
| 113 | *
|
| 114 | */
|
| 115 | readonly statementAdded: boolean;
|
| 116 | /**
|
| 117 | * Dependable which allows depending on the policy change being applied
|
| 118 | *
|
| 119 | * @default - Required if `statementAdded` is true.
|
| 120 | */
|
| 121 | readonly policyDependable?: cdk.IDependable;
|
| 122 | }
|
| 123 | /**
|
| 124 | * Base class for policy principals
|
| 125 | */
|
| 126 | export declare abstract class PrincipalBase implements IAssumeRolePrincipal, IComparablePrincipal {
|
| 127 | readonly grantPrincipal: IPrincipal;
|
| 128 | readonly principalAccount: string | undefined;
|
| 129 | /**
|
| 130 | * Return the policy fragment that identifies this principal in a Policy.
|
| 131 | */
|
| 132 | abstract readonly policyFragment: PrincipalPolicyFragment;
|
| 133 | /**
|
| 134 | * When this Principal is used in an AssumeRole policy, the action to use.
|
| 135 | */
|
| 136 | readonly assumeRoleAction: string;
|
| 137 | addToPolicy(statement: PolicyStatement): boolean;
|
| 138 | addToPrincipalPolicy(_statement: PolicyStatement): AddToPrincipalPolicyResult;
|
| 139 | addToAssumeRolePolicy(document: PolicyDocument): void;
|
| 140 | toString(): string;
|
| 141 | /**
|
| 142 | * JSON-ify the principal
|
| 143 | *
|
| 144 | * Used when JSON.stringify() is called
|
| 145 | */
|
| 146 | toJSON(): {
|
| 147 | [key: string]: string[];
|
| 148 | };
|
| 149 | /**
|
| 150 | * Returns a new PrincipalWithConditions using this principal as the base, with the
|
| 151 | * passed conditions added.
|
| 152 | *
|
| 153 | * When there is a value for the same operator and key in both the principal and the
|
| 154 | * conditions parameter, the value from the conditions parameter will be used.
|
| 155 | *
|
| 156 | * @returns a new PrincipalWithConditions object.
|
| 157 | */
|
| 158 | withConditions(conditions: Conditions): PrincipalBase;
|
| 159 | /**
|
| 160 | * Returns a new principal using this principal as the base, with session tags enabled.
|
| 161 | *
|
| 162 | * @returns a new SessionTagsPrincipal object.
|
| 163 | */
|
| 164 | withSessionTags(): PrincipalBase;
|
| 165 | /**
|
| 166 | * Return whether or not this principal is equal to the given principal
|
| 167 | */
|
| 168 | abstract dedupeString(): string | undefined;
|
| 169 | }
|
| 170 | /**
|
| 171 | * Base class for Principals that wrap other principals
|
| 172 | */
|
| 173 | declare abstract class PrincipalAdapter extends PrincipalBase {
|
| 174 | protected readonly wrapped: IPrincipal;
|
| 175 | readonly assumeRoleAction: string;
|
| 176 | readonly principalAccount: string | undefined;
|
| 177 | constructor(wrapped: IPrincipal);
|
| 178 | get policyFragment(): PrincipalPolicyFragment;
|
| 179 | addToPolicy(statement: PolicyStatement): boolean;
|
| 180 | addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult;
|
| 181 | /**
|
| 182 | * Append the given string to the wrapped principal's dedupe string (if available)
|
| 183 | */
|
| 184 | protected appendDedupe(append: string): string | undefined;
|
| 185 | }
|
| 186 | /**
|
| 187 | * An IAM principal with additional conditions specifying when the policy is in effect.
|
| 188 | *
|
| 189 | * For more information about conditions, see:
|
| 190 | * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
|
| 191 | */
|
| 192 | export declare class PrincipalWithConditions extends PrincipalAdapter {
|
| 193 | private additionalConditions;
|
| 194 | constructor(principal: IPrincipal, conditions: Conditions);
|
| 195 | /**
|
| 196 | * Add a condition to the principal
|
| 197 | */
|
| 198 | addCondition(key: string, value: Condition): void;
|
| 199 | /**
|
| 200 | * Adds multiple conditions to the principal
|
| 201 | *
|
| 202 | * Values from the conditions parameter will overwrite existing values with the same operator
|
| 203 | * and key.
|
| 204 | */
|
| 205 | addConditions(conditions: Conditions): void;
|
| 206 | /**
|
| 207 | * The conditions under which the policy is in effect.
|
| 208 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
| 209 | */
|
| 210 | get conditions(): Record<string, any>;
|
| 211 | get policyFragment(): PrincipalPolicyFragment;
|
| 212 | toString(): string;
|
| 213 | /**
|
| 214 | * JSON-ify the principal
|
| 215 | *
|
| 216 | * Used when JSON.stringify() is called
|
| 217 | */
|
| 218 | toJSON(): {
|
| 219 | [key: string]: string[];
|
| 220 | };
|
| 221 | dedupeString(): string | undefined;
|
| 222 | private mergeConditions;
|
| 223 | }
|
| 224 | /**
|
| 225 | * Enables session tags on role assumptions from a principal
|
| 226 | *
|
| 227 | * For more information on session tags, see:
|
| 228 | * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
| 229 | */
|
| 230 | export declare class SessionTagsPrincipal extends PrincipalAdapter {
|
| 231 | constructor(principal: IPrincipal);
|
| 232 | addToAssumeRolePolicy(doc: PolicyDocument): void;
|
| 233 | dedupeString(): string | undefined;
|
| 234 | }
|
| 235 | /**
|
| 236 | * A collection of the fields in a PolicyStatement that can be used to identify a principal.
|
| 237 | *
|
| 238 | * This consists of the JSON used in the "Principal" field, and optionally a
|
| 239 | * set of "Condition"s that need to be applied to the policy.
|
| 240 | *
|
| 241 | * Generally, a principal looks like:
|
| 242 | *
|
| 243 | * { '<TYPE>': ['ID', 'ID', ...] }
|
| 244 | *
|
| 245 | * And this is also the type of the field `principalJson`. However, there is a
|
| 246 | * special type of principal that is just the string '*', which is treated
|
| 247 | * differently by some services. To represent that principal, `principalJson`
|
| 248 | * should contain `{ 'LiteralString': ['*'] }`.
|
| 249 | */
|
| 250 | export declare class PrincipalPolicyFragment {
|
| 251 | readonly principalJson: {
|
| 252 | [key: string]: string[];
|
| 253 | };
|
| 254 | /**
|
| 255 | * The conditions under which the policy is in effect.
|
| 256 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
| 257 | */
|
| 258 | readonly conditions: Conditions;
|
| 259 | /**
|
| 260 | *
|
| 261 | * @param principalJson JSON of the "Principal" section in a policy statement
|
| 262 | * @param conditions conditions that need to be applied to this policy
|
| 263 | */
|
| 264 | constructor(principalJson: {
|
| 265 | [key: string]: string[];
|
| 266 | },
|
| 267 | /**
|
| 268 | * The conditions under which the policy is in effect.
|
| 269 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
| 270 | */
|
| 271 | conditions?: Conditions);
|
| 272 | }
|
| 273 | /**
|
| 274 | * Specify a principal by the Amazon Resource Name (ARN).
|
| 275 | * You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions.
|
| 276 | * You cannot specify IAM groups or instance profiles as principals
|
| 277 | *
|
| 278 | * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
|
| 279 | */
|
| 280 | export declare class ArnPrincipal extends PrincipalBase {
|
| 281 | readonly arn: string;
|
| 282 | /**
|
| 283 | *
|
| 284 | * @param arn Amazon Resource Name (ARN) of the principal entity (i.e. arn:aws:iam::123456789012:user/user-name)
|
| 285 | */
|
| 286 | constructor(arn: string);
|
| 287 | get policyFragment(): PrincipalPolicyFragment;
|
| 288 | toString(): string;
|
| 289 | /**
|
| 290 | * A convenience method for adding a condition that the principal is part of the specified
|
| 291 | * AWS Organization.
|
| 292 | */
|
| 293 | inOrganization(organizationId: string): PrincipalBase;
|
| 294 | dedupeString(): string | undefined;
|
| 295 | }
|
| 296 | /**
|
| 297 | * Specify AWS account ID as the principal entity in a policy to delegate authority to the account.
|
| 298 | */
|
| 299 | export declare class AccountPrincipal extends ArnPrincipal {
|
| 300 | readonly accountId: any;
|
| 301 | readonly principalAccount: string | undefined;
|
| 302 | /**
|
| 303 | *
|
| 304 | * @param accountId AWS account ID (i.e. 123456789012)
|
| 305 | */
|
| 306 | constructor(accountId: any);
|
| 307 | toString(): string;
|
| 308 | }
|
| 309 | /**
|
| 310 | * Options for a service principal.
|
| 311 | */
|
| 312 | export interface ServicePrincipalOpts {
|
| 313 | /**
|
| 314 | * The region in which the service is operating.
|
| 315 | *
|
| 316 | * @default - the current Stack's region.
|
| 317 | * @deprecated You should not need to set this. The stack's region is always correct.
|
| 318 | */
|
| 319 | readonly region?: string;
|
| 320 | /**
|
| 321 | * Additional conditions to add to the Service Principal
|
| 322 | *
|
| 323 | * @default - No conditions
|
| 324 | */
|
| 325 | readonly conditions?: {
|
| 326 | [key: string]: any;
|
| 327 | };
|
| 328 | }
|
| 329 | /**
|
| 330 | * An IAM principal that represents an AWS service (i.e. sqs.amazonaws.com).
|
| 331 | */
|
| 332 | export declare class ServicePrincipal extends PrincipalBase {
|
| 333 | readonly service: string;
|
| 334 | private readonly opts;
|
| 335 | /**
|
| 336 | * Translate the given service principal name based on the region it's used in.
|
| 337 | *
|
| 338 | * For example, for Chinese regions this may (depending on whether that's necessary
|
| 339 | * for the given service principal) append `.cn` to the name.
|
| 340 | *
|
| 341 | * The `region-info` module is used to obtain this information.
|
| 342 | *
|
| 343 | * @example
|
| 344 | * const principalName = iam.ServicePrincipal.servicePrincipalName('ec2.amazonaws.com');
|
| 345 | */
|
| 346 | static servicePrincipalName(service: string): string;
|
| 347 | /**
|
| 348 | *
|
| 349 | * @param service AWS service (i.e. sqs.amazonaws.com)
|
| 350 | */
|
| 351 | constructor(service: string, opts?: ServicePrincipalOpts);
|
| 352 | get policyFragment(): PrincipalPolicyFragment;
|
| 353 | toString(): string;
|
| 354 | dedupeString(): string | undefined;
|
| 355 | }
|
| 356 | /**
|
| 357 | * A principal that represents an AWS Organization
|
| 358 | */
|
| 359 | export declare class OrganizationPrincipal extends PrincipalBase {
|
| 360 | readonly organizationId: string;
|
| 361 | /**
|
| 362 | *
|
| 363 | * @param organizationId The unique identifier (ID) of an organization (i.e. o-12345abcde)
|
| 364 | */
|
| 365 | constructor(organizationId: string);
|
| 366 | get policyFragment(): PrincipalPolicyFragment;
|
| 367 | toString(): string;
|
| 368 | dedupeString(): string | undefined;
|
| 369 | }
|
| 370 | /**
|
| 371 | * A policy principal for canonicalUserIds - useful for S3 bucket policies that use
|
| 372 | * Origin Access identities.
|
| 373 | *
|
| 374 | * See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
|
| 375 | *
|
| 376 | * and
|
| 377 | *
|
| 378 | * https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
|
| 379 | *
|
| 380 | * for more details.
|
| 381 | *
|
| 382 | */
|
| 383 | export declare class CanonicalUserPrincipal extends PrincipalBase {
|
| 384 | readonly canonicalUserId: string;
|
| 385 | /**
|
| 386 | *
|
| 387 | * @param canonicalUserId unique identifier assigned by AWS for every account.
|
| 388 | * root user and IAM users for an account all see the same ID.
|
| 389 | * (i.e. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be)
|
| 390 | */
|
| 391 | constructor(canonicalUserId: string);
|
| 392 | get policyFragment(): PrincipalPolicyFragment;
|
| 393 | toString(): string;
|
| 394 | dedupeString(): string | undefined;
|
| 395 | }
|
| 396 | /**
|
| 397 | * Principal entity that represents a federated identity provider such as Amazon Cognito,
|
| 398 | * that can be used to provide temporary security credentials to users who have been authenticated.
|
| 399 | * Additional condition keys are available when the temporary security credentials are used to make a request.
|
| 400 | * You can use these keys to write policies that limit the access of federated users.
|
| 401 | *
|
| 402 | * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif
|
| 403 | */
|
| 404 | export declare class FederatedPrincipal extends PrincipalBase {
|
| 405 | readonly federated: string;
|
| 406 | readonly conditions: Conditions;
|
| 407 | readonly assumeRoleAction: string;
|
| 408 | /**
|
| 409 | *
|
| 410 | * @param federated federated identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)
|
| 411 | * @param conditions The conditions under which the policy is in effect.
|
| 412 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
| 413 | * @param sessionTags Whether to enable session tagging (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
|
| 414 | */
|
| 415 | constructor(federated: string, conditions: Conditions, assumeRoleAction?: string);
|
| 416 | get policyFragment(): PrincipalPolicyFragment;
|
| 417 | toString(): string;
|
| 418 | dedupeString(): string | undefined;
|
| 419 | }
|
| 420 | /**
|
| 421 | * A principal that represents a federated identity provider as Web Identity such as Cognito, Amazon,
|
| 422 | * Facebook, Google, etc.
|
| 423 | */
|
| 424 | export declare class WebIdentityPrincipal extends FederatedPrincipal {
|
| 425 | /**
|
| 426 | *
|
| 427 | * @param identityProvider identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)
|
| 428 | * @param conditions The conditions under which the policy is in effect.
|
| 429 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
| 430 | * @param sessionTags Whether to enable session tagging (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
|
| 431 | */
|
| 432 | constructor(identityProvider: string, conditions?: Conditions);
|
| 433 | get policyFragment(): PrincipalPolicyFragment;
|
| 434 | toString(): string;
|
| 435 | }
|
| 436 | /**
|
| 437 | * A principal that represents a federated identity provider as from a OpenID Connect provider.
|
| 438 | */
|
| 439 | export declare class OpenIdConnectPrincipal extends WebIdentityPrincipal {
|
| 440 | /**
|
| 441 | *
|
| 442 | * @param openIdConnectProvider OpenID Connect provider
|
| 443 | * @param conditions The conditions under which the policy is in effect.
|
| 444 | * See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
|
| 445 | */
|
| 446 | constructor(openIdConnectProvider: IOpenIdConnectProvider, conditions?: Conditions);
|
| 447 | get policyFragment(): PrincipalPolicyFragment;
|
| 448 | toString(): string;
|
| 449 | }
|
| 450 | /**
|
| 451 | * Principal entity that represents a SAML federated identity provider
|
| 452 | */
|
| 453 | export declare class SamlPrincipal extends FederatedPrincipal {
|
| 454 | constructor(samlProvider: ISamlProvider, conditions: Conditions);
|
| 455 | toString(): string;
|
| 456 | }
|
| 457 | /**
|
| 458 | * Principal entity that represents a SAML federated identity provider for
|
| 459 | * programmatic and AWS Management Console access.
|
| 460 | */
|
| 461 | export declare class SamlConsolePrincipal extends SamlPrincipal {
|
| 462 | constructor(samlProvider: ISamlProvider, conditions?: Conditions);
|
| 463 | toString(): string;
|
| 464 | }
|
| 465 | /**
|
| 466 | * Use the AWS account into which a stack is deployed as the principal entity in a policy
|
| 467 | */
|
| 468 | export declare class AccountRootPrincipal extends AccountPrincipal {
|
| 469 | constructor();
|
| 470 | toString(): string;
|
| 471 | }
|
| 472 | /**
|
| 473 | * A principal representing all AWS identities in all accounts
|
| 474 | *
|
| 475 | * Some services behave differently when you specify `Principal: '*'`
|
| 476 | * or `Principal: { AWS: "*" }` in their resource policy.
|
| 477 | *
|
| 478 | * `AnyPrincipal` renders to `Principal: { AWS: "*" }`. This is correct
|
| 479 | * most of the time, but in cases where you need the other principal,
|
| 480 | * use `StarPrincipal` instead.
|
| 481 | */
|
| 482 | export declare class AnyPrincipal extends ArnPrincipal {
|
| 483 | constructor();
|
| 484 | toString(): string;
|
| 485 | }
|
| 486 | /**
|
| 487 | * A principal representing all identities in all accounts
|
| 488 | * @deprecated use `AnyPrincipal`
|
| 489 | */
|
| 490 | export declare class Anyone extends AnyPrincipal {
|
| 491 | }
|
| 492 | /**
|
| 493 | * A principal that uses a literal '*' in the IAM JSON language
|
| 494 | *
|
| 495 | * Some services behave differently when you specify `Principal: "*"`
|
| 496 | * or `Principal: { AWS: "*" }` in their resource policy.
|
| 497 | *
|
| 498 | * `StarPrincipal` renders to `Principal: *`. Most of the time, you
|
| 499 | * should use `AnyPrincipal` instead.
|
| 500 | */
|
| 501 | export declare class StarPrincipal extends PrincipalBase {
|
| 502 | readonly policyFragment: PrincipalPolicyFragment;
|
| 503 | toString(): string;
|
| 504 | dedupeString(): string | undefined;
|
| 505 | }
|
| 506 | /**
|
| 507 | * Represents a principal that has multiple types of principals. A composite principal cannot
|
| 508 | * have conditions. i.e. multiple ServicePrincipals that form a composite principal
|
| 509 | */
|
| 510 | export declare class CompositePrincipal extends PrincipalBase {
|
| 511 | readonly assumeRoleAction: string;
|
| 512 | private readonly principals;
|
| 513 | constructor(...principals: IPrincipal[]);
|
| 514 | /**
|
| 515 | * Adds IAM principals to the composite principal. Composite principals cannot have
|
| 516 | * conditions.
|
| 517 | *
|
| 518 | * @param principals IAM principals that will be added to the composite principal
|
| 519 | */
|
| 520 | addPrincipals(...principals: IPrincipal[]): this;
|
| 521 | addToAssumeRolePolicy(doc: PolicyDocument): void;
|
| 522 | get policyFragment(): PrincipalPolicyFragment;
|
| 523 | toString(): string;
|
| 524 | dedupeString(): string | undefined;
|
| 525 | }
|
| 526 | export {};
|
| 527 | |
| \ | No newline at end of file |