1 | import * as iam from '@aws-cdk/aws-iam';
|
2 | import { FunctionUrlAuthType } from './function-url';
|
3 | import { Construct } from '@aws-cdk/core';
|
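/**
 * Represents a permission statement that can be added to a Lambda function's
 * resource policy via the `addPermission()` method.
 *
 * Only `principal` is required. When the principal is a service principal
 * (for example s3.amazonaws.com), the statement should normally also be
 * scoped with `sourceArn` and/or `sourceAccount`; without them, any resource
 * of that service in any AWS account that is wired to this function can
 * invoke it.
 */
export interface Permission {
  /**
   * The Lambda actions that you want to allow in this statement. For example,
   * you can specify lambda:CreateFunction to specify a certain action, or use
   * a wildcard (``lambda:*``) to grant permission to all Lambda actions. For a
   * list of actions, see Actions and Condition Context Keys for AWS Lambda in
   * the IAM User Guide.
   *
   * Prefer the single action the caller actually needs over a wildcard.
   *
   * @default 'lambda:InvokeFunction'
   */
  readonly action?: string;

  /**
   * A unique token that must be supplied by the principal invoking the
   * function.
   *
   * @default The caller would not need to present a token.
   */
  readonly eventSourceToken?: string;

  /**
   * The entity for which you are granting permission to invoke the Lambda
   * function. This entity can be any valid AWS service principal, such as
   * s3.amazonaws.com or sns.amazonaws.com, or, if you are granting
   * cross-account permission, an AWS account ID. For example, you might want
   * to allow a custom application in another AWS account to push events to
   * Lambda by invoking your function.
   *
   * The principal can be either an AccountPrincipal or a ServicePrincipal.
   * For a ServicePrincipal, combine this with `sourceArn` and/or
   * `sourceAccount` so that the grant is limited to the intended resource
   * and owner rather than to every resource of that service.
   */
  readonly principal: iam.IPrincipal;

  /**
   * The scope to which the permission construct will be attached. The default
   * is the Lambda function construct itself, but this would need to be
   * different in cases such as cross-stack references where the Permissions
   * would need to sit closer to the consumer of this permission (i.e., the
   * caller).
   *
   * @default - The instance of lambda.IFunction
   */
  readonly scope?: Construct;

  /**
   * The AWS account ID (without hyphens) of the source owner. For example, if
   * you specify an S3 bucket in the SourceArn property, this value is the
   * bucket owner's account ID. You can use this property to ensure that all
   * source principals are owned by a specific account.
   *
   * @default - The source owner's account is not restricted.
   */
  readonly sourceAccount?: string;

  /**
   * The ARN of a resource that is invoking your function. When granting
   * Amazon Simple Storage Service (Amazon S3) permission to invoke your
   * function, specify this property with the bucket ARN as its value. This
   * ensures that events generated only from the specified bucket, not just
   * any bucket from any AWS account that creates a mapping to your function,
   * can invoke the function.
   *
   * @default - The invoking resource's ARN is not restricted.
   */
  readonly sourceArn?: string;

  /**
   * The authType for the function URL that you are granting permissions for.
   *
   * @default - No functionUrlAuthType
   */
  readonly functionUrlAuthType?: FunctionUrlAuthType;
}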
|