UNPKG

@aws-cdk/aws-lambda/lib/permission.d.ts

Version:

2.97 kBTypeScriptView Raw

1import * as iam from '@aws-cdk/aws-iam';
2import { FunctionUrlAuthType } from './function-url';
3import { Construct } from '@aws-cdk/core';
4/**
* Represents a permission statement that can be added to a Lambda function's
* resource policy via the `addPermission()` method.
*/
8export interface Permission {
  /**
   * The Lambda actions that you want to allow in this statement. For example,
   * you can specify lambda:CreateFunction to specify a certain action, or use
   * a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a
   * list of actions, see Actions and Condition Context Keys for AWS Lambda in
   * the IAM User Guide.
   *
   * @default 'lambda:InvokeFunction'
   */
  readonly action?: string;
  /**
   * A unique token that must be supplied by the principal invoking the
   * function.
   *
   * @default The caller would not need to present a token.
   */
  readonly eventSourceToken?: string;
  /**
   * The entity for which you are granting permission to invoke the Lambda
   * function. This entity can be any valid AWS service principal, such as
   * s3.amazonaws.com or sns.amazonaws.com, or, if you are granting
   * cross-account permission, an AWS account ID. For example, you might want
   * to allow a custom application in another AWS account to push events to
   * Lambda by invoking your function.
   *
   * The principal can be either an AccountPrincipal or a ServicePrincipal.
   */
  readonly principal: iam.IPrincipal;
  /**
   * The scope to which the permission constructs be attached. The default is
   * the Lambda function construct itself, but this would need to be different
   * in cases such as cross-stack references where the Permissions would need
   * to sit closer to the consumer of this permission (i.e., the caller).
   *
   * @default - The instance of lambda.IFunction
   */
  readonly scope?: Construct;
  /**
   * The AWS account ID (without hyphens) of the source owner. For example, if
   * you specify an S3 bucket in the SourceArn property, this value is the
   * bucket owner's account ID. You can use this property to ensure that all
   * source principals are owned by a specific account.
   */
  readonly sourceAccount?: string;
  /**
   * The ARN of a resource that is invoking your function. When granting
   * Amazon Simple Storage Service (Amazon S3) permission to invoke your
   * function, specify this property with the bucket ARN as its value. This
   * ensures that events generated only from the specified bucket, not just
   * any bucket from any AWS account that creates a mapping to your function,
   * can invoke the function.
   */
  readonly sourceArn?: string;
  /**
   * The authType for the function URL that you are granting permissions for.
   *
   * @default - No functionUrlAuthType
   */
  readonly functionUrlAuthType?: FunctionUrlAuthType;
68}

1	`import * as iam from '@aws-cdk/aws-iam';`
2	`import { FunctionUrlAuthType } from './function-url';`
3	`import { Construct } from '@aws-cdk/core';`
4	`/**`
5	`* Represents a permission statement that can be added to a Lambda function's`
6	* resource policy via the `addPermission()` method.
7	`*/`
8	`export interface Permission {`
9	`/**`
10	`* The Lambda actions that you want to allow in this statement. For example,`
11	`* you can specify lambda:CreateFunction to specify a certain action, or use`
12	* a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a
13	`* list of actions, see Actions and Condition Context Keys for AWS Lambda in`
14	`* the IAM User Guide.`
15	`*`
16	`* @default 'lambda:InvokeFunction'`
17	`*/`
18	`readonly action?: string;`
19	`/**`
20	`* A unique token that must be supplied by the principal invoking the`
21	`* function.`
22	`*`
23	`* @default The caller would not need to present a token.`
24	`*/`
25	`readonly eventSourceToken?: string;`
26	`/**`
27	`* The entity for which you are granting permission to invoke the Lambda`
28	`* function. This entity can be any valid AWS service principal, such as`
29	`* s3.amazonaws.com or sns.amazonaws.com, or, if you are granting`
30	`* cross-account permission, an AWS account ID. For example, you might want`
31	`* to allow a custom application in another AWS account to push events to`
32	`* Lambda by invoking your function.`
33	`*`
34	`* The principal can be either an AccountPrincipal or a ServicePrincipal.`
35	`*/`
36	`readonly principal: iam.IPrincipal;`
37	`/**`
38	`* The scope to which the permission constructs be attached. The default is`
39	`* the Lambda function construct itself, but this would need to be different`
40	`* in cases such as cross-stack references where the Permissions would need`
41	`* to sit closer to the consumer of this permission (i.e., the caller).`
42	`*`
43	`* @default - The instance of lambda.IFunction`
44	`*/`
45	`readonly scope?: Construct;`
46	`/**`
47	`* The AWS account ID (without hyphens) of the source owner. For example, if`
48	`* you specify an S3 bucket in the SourceArn property, this value is the`
49	`* bucket owner's account ID. You can use this property to ensure that all`
50	`* source principals are owned by a specific account.`
51	`*/`
52	`readonly sourceAccount?: string;`
53	`/**`
54	`* The ARN of a resource that is invoking your function. When granting`
55	`* Amazon Simple Storage Service (Amazon S3) permission to invoke your`
56	`* function, specify this property with the bucket ARN as its value. This`
57	`* ensures that events generated only from the specified bucket, not just`
58	`* any bucket from any AWS account that creates a mapping to your function,`
59	`* can invoke the function.`
60	`*/`
61	`readonly sourceArn?: string;`
62	`/**`
63	`* The authType for the function URL that you are granting permissions for.`
64	`*`
65	`* @default - No functionUrlAuthType`
66	`*/`
67	`readonly functionUrlAuthType?: FunctionUrlAuthType;`
68	`}`