import { AccessLevelList } from '../../shared/access-level'; import { PolicyStatement, Operator } from '../../shared'; import { aws_iam as iam } from "aws-cdk-lib"; /** * Statement provider for service [iam](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html). * * @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement */ export declare class Iam extends PolicyStatement { servicePrefix: string; /** * Grants permission to add a new client ID (audience) to the list of registered IDs for the specified IAM OpenID Connect (OIDC) provider resource * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddClientIDToOpenIDConnectProvider.html */ toAddClientIDToOpenIDConnectProvider(): this; /** * Grants permission to add an IAM role to the specified instance profile * * Access Level: Write * * Dependent actions: * - iam:PassRole * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddRoleToInstanceProfile.html */ toAddRoleToInstanceProfile(): this; /** * Grants permission to add an IAM user to the specified IAM group * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html */ toAddUserToGroup(): this; /** * Grants permission to attach a managed policy to the specified IAM group * * Access Level: Permissions management * * Possible conditions: * - .ifPolicyARN() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html */ toAttachGroupPolicy(): this; /** * Grants permission to attach a managed policy to the specified IAM role * * Access Level: Permissions management * * Possible conditions: * - .ifPolicyARN() * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html */ toAttachRolePolicy(): this; /** * Grants permission to attach a managed policy to the specified IAM user * * Access Level: Permissions management * * Possible conditions: * - .ifPolicyARN() * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html */ toAttachUserPolicy(): this; /** * Grants permission to an IAM user to change their own password * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html */ toChangePassword(): this; /** * Grants permission to create access key and secret access key for the specified IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html */ toCreateAccessKey(): this; /** * Grants permission to create an alias for your AWS account * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccountAlias.html */ toCreateAccountAlias(): this; /** * Grants permission to create a new group * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html */ toCreateGroup(): this; /** * Grants permission to create a new instance profile * * Access Level: Write * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateInstanceProfile.html */ toCreateInstanceProfile(): this; /** * Grants permission to create a password for the specified IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html */ toCreateLoginProfile(): this; /** * Grants permission to create an IAM resource that describes an identity provider (IdP) that supports OpenID Connect (OIDC) * * Access Level: Write * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html */ toCreateOpenIDConnectProvider(): this; /** * Grants permission to create a new managed policy * * Access Level: Permissions management * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html */ toCreatePolicy(): this; /** * Grants permission to create a new version of the specified managed policy * * Access Level: Permissions management * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html */ toCreatePolicyVersion(): this; /** * Grants permission to create a new role * * Access Level: Write * * Possible conditions: * - .ifPermissionsBoundary() * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html */ toCreateRole(): this; /** * Grants permission to create an IAM resource that describes an identity provider (IdP) that supports SAML 2.0 * * Access Level: Write * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateSAMLProvider.html */ toCreateSAMLProvider(): this; /** * Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf * * Access Level: Write * * Possible conditions: * - .ifAWSServiceName() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html */ toCreateServiceLinkedRole(): this; /** * Grants permission to create a new service-specific credential for an IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceSpecificCredential.html */ toCreateServiceSpecificCredential(): this; /** * Grants permission to create a new IAM user * * Access Level: Write * * Possible conditions: * - .ifPermissionsBoundary() * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html */ toCreateUser(): this; /** * Grants permission to create a new virtual MFA device * * Access Level: Write * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateVirtualMFADevice.html */ toCreateVirtualMFADevice(): this; /** * Grants permission to deactivate the specified MFA device and remove its association with the IAM user for which it was originally enabled * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html */ toDeactivateMFADevice(): this; /** * Grants permission to delete the access key pair that is associated with the specified IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccessKey.html */ toDeleteAccessKey(): this; /** * Grants permission to delete the specified AWS account alias * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccountAlias.html */ toDeleteAccountAlias(): this; /** * Grants permission to delete the password policy for the AWS account * * Access Level: Permissions management * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccountPasswordPolicy.html */ toDeleteAccountPasswordPolicy(): this; /** * Grants permission to delete an existing CloudFront public key * * Access Level: Write * * https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html */ toDeleteCloudFrontPublicKey(): this; /** * Grants permission to delete the specified IAM group * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html */ toDeleteGroup(): this; /** * Grants permission to delete the specified inline policy from its group * * Access Level: Permissions management * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html */ toDeleteGroupPolicy(): this; /** * Grants permission to delete the specified instance profile * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteInstanceProfile.html */ toDeleteInstanceProfile(): this; /** * Grants permission to delete the password for the specified IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteLoginProfile.html */ toDeleteLoginProfile(): this; /** * Grants permission to delete an OpenID Connect identity provider (IdP) resource object in IAM * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteOpenIDConnectProvider.html */ toDeleteOpenIDConnectProvider(): this; /** * Grants permission to delete the specified managed policy and remove it from any IAM entities (users, groups, or roles) to which it is attached * * Access Level: Permissions management * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html */ toDeletePolicy(): this; /** * Grants permission to delete a version from the specified managed policy * * Access Level: Permissions management * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html */ toDeletePolicyVersion(): this; /** * Grants permission to delete the specified role * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRole.html */ toDeleteRole(): this; /** * Grants permission to remove the permissions boundary from a role * * Access Level: Permissions management * * Possible conditions: * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePermissionsBoundary.html */ toDeleteRolePermissionsBoundary(): this; /** * Grants permission to delete the specified inline policy from the specified role * * Access Level: Permissions management * * Possible conditions: * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html */ toDeleteRolePolicy(): this; /** * Grants permission to delete a SAML provider resource in IAM * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html */ toDeleteSAMLProvider(): this; /** * Grants permission to delete the specified SSH public key * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSSHPublicKey.html */ toDeleteSSHPublicKey(): this; /** * Grants permission to delete the specified server certificate * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteServerCertificate.html */ toDeleteServerCertificate(): this; /** * Grants permission to delete an IAM role that is linked to a specific AWS service, if the service is no longer using it * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteServiceLinkedRole.html */ toDeleteServiceLinkedRole(): this; /** * Grants permission to delete the specified service-specific credential for an IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteServiceSpecificCredential.html */ toDeleteServiceSpecificCredential(): this; /** * Grants permission to delete a signing certificate that is associated with the specified IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSigningCertificate.html */ toDeleteSigningCertificate(): this; /** * Grants permission to delete the specified IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUser.html */ toDeleteUser(): this; /** * Grants permission to remove the permissions boundary from the specified IAM user * * Access Level: Permissions management * * Possible conditions: * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPermissionsBoundary.html */ toDeleteUserPermissionsBoundary(): this; /** * Grants permission to delete the specified inline policy from an IAM user * * Access Level: Permissions management * * Possible conditions: * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html */ toDeleteUserPolicy(): this; /** * Grants permission to delete a virtual MFA device * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteVirtualMFADevice.html */ toDeleteVirtualMFADevice(): this; /** * Grants permission to detach a managed policy from the specified IAM group * * Access Level: Permissions management * * Possible conditions: * - .ifPolicyARN() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html */ toDetachGroupPolicy(): this; /** * Grants permission to detach a managed policy from the specified role * * Access Level: Permissions management * * Possible conditions: * - .ifPolicyARN() * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html */ toDetachRolePolicy(): this; /** * Grants permission to detach a managed policy from the specified IAM user * * Access Level: Permissions management * * Possible conditions: * - .ifPolicyARN() * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html */ toDetachUserPolicy(): this; /** * Grants permission to disable the management of member account root user credentials for an organization managed under the current account * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DisableOrganizationsRootCredentialsManagement.html */ toDisableOrganizationsRootCredentialsManagement(): this; /** * Grants permission to disable privileged root actions in member accounts for an organization managed under the current account * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_DisableOrganizationsRootSessions.html */ toDisableOrganizationsRootSessions(): this; /** * Grants permission to enable an MFA device and associate it with the specified IAM user * * Access Level: Write * * Possible conditions: * - .ifRegisterSecurityKey() * - .ifFIDOFIPS1402Certification() * - .ifFIDOFIPS1403Certification() * - .ifFIDOCertification() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_EnableMFADevice.html */ toEnableMFADevice(): this; /** * Grants permission to enable the management of member account root user credentials for an organization managed under the current account * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_EnableOrganizationsRootCredentialsManagement.html */ toEnableOrganizationsRootCredentialsManagement(): this; /** * Grants permission to enable privileged root actions in member accounts for an organization managed under the current account * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_EnableOrganizationsRootSessions.html */ toEnableOrganizationsRootSessions(): this; /** * Grants permission to generate a credential report for the AWS account * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateCredentialReport.html */ toGenerateCredentialReport(): this; /** * Grants permission to generate an access report for an AWS Organizations entity * * Access Level: Read * * Possible conditions: * - .ifOrganizationsPolicyId() * * Dependent actions: * - organizations:DescribePolicy * - organizations:ListChildren * - organizations:ListParents * - organizations:ListPoliciesForTarget * - organizations:ListRoots * - organizations:ListTargetsForPolicy * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateOrganizationsAccessReport.html */ toGenerateOrganizationsAccessReport(): this; /** * Grants permission to generate a service last accessed data report for an IAM resource * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateServiceLastAccessedDetails.html */ toGenerateServiceLastAccessedDetails(): this; /** * Grants permission to retrieve information about when the specified access key was last used * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccessKeyLastUsed.html */ toGetAccessKeyLastUsed(): this; /** * Grants permission to retrieve information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html */ toGetAccountAuthorizationDetails(): this; /** * Grants permission to retrieve the email address that is associated with the account * * Access Level: Read * * https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html */ toGetAccountEmailAddress(): this; /** * Grants permission to retrieve the account name that is associated with the account * * Access Level: Read * * https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html */ toGetAccountName(): this; /** * Grants permission to retrieve the password policy for the AWS account * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html */ toGetAccountPasswordPolicy(): this; /** * Grants permission to retrieve information about IAM entity usage and IAM quotas in the AWS account * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html */ toGetAccountSummary(): this; /** * Grants permission to retrieve information about the specified CloudFront public key * * Access Level: Read * * https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html */ toGetCloudFrontPublicKey(): this; /** * Grants permission to retrieve a list of all of the context keys that are referenced in the specified policy * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForCustomPolicy.html */ toGetContextKeysForCustomPolicy(): this; /** * Grants permission to retrieve a list of all context keys that are referenced in all IAM policies that are attached to the specified IAM identity (user, group, or role) * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForPrincipalPolicy.html */ toGetContextKeysForPrincipalPolicy(): this; /** * Grants permission to retrieve a credential report for the AWS account * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetCredentialReport.html */ toGetCredentialReport(): this; /** * Grants permission to retrieve a list of IAM users in the specified IAM group * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetGroup.html */ toGetGroup(): this; /** * Grants permission to retrieve an inline policy document that is embedded in the specified IAM group * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetGroupPolicy.html */ toGetGroupPolicy(): this; /** * Grants permission to retrieve information about the specified instance profile, including the instance profile's path, GUID, ARN, and role * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetInstanceProfile.html */ toGetInstanceProfile(): this; /** * Grants permission to retrieve the user name and password creation date for the specified IAM user * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetLoginProfile.html */ toGetLoginProfile(): this; /** * Grants permission to retrieve information about an MFA device for the specified user * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetMFADevice.html */ toGetMFADevice(): this; /** * Grants permission to retrieve information about the specified OpenID Connect (OIDC) provider resource in IAM * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetOpenIDConnectProvider.html */ toGetOpenIDConnectProvider(): this; /** * Grants permission to retrieve an AWS Organizations access report * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetOrganizationsAccessReport.html */ toGetOrganizationsAccessReport(): this; /** * Grants permission to retrieve information about the specified managed policy, including the policy's default version and the total number of identities to which the policy is attached * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html */ toGetPolicy(): this; /** * Grants permission to retrieve information about a version of the specified managed policy, including the policy document * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicyVersion.html */ toGetPolicyVersion(): this; /** * Grants permission to retrieve information about the specified role, including the role's path, GUID, ARN, and the role's trust policy * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRole.html */ toGetRole(): this; /** * Grants permission to retrieve an inline policy document that is embedded with the specified IAM role * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRolePolicy.html */ toGetRolePolicy(): this; /** * Grants permission to retrieve the SAML provider metadocument that was uploaded when the IAM SAML provider resource was created or updated * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetSAMLProvider.html */ toGetSAMLProvider(): this; /** * Grants permission to retrieve the specified SSH public key, including metadata about the key * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetSSHPublicKey.html */ toGetSSHPublicKey(): this; /** * Grants permission to retrieve information about the specified server certificate stored in IAM * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServerCertificate.html */ toGetServerCertificate(): this; /** * Grants permission to retrieve information about the service last accessed data report * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServiceLastAccessedDetails.html */ toGetServiceLastAccessedDetails(): this; /** * Grants permission to retrieve information about the entities from the service last accessed data report * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServiceLastAccessedDetailsWithEntities.html */ toGetServiceLastAccessedDetailsWithEntities(): this; /** * Grants permission to retrieve an IAM service-linked role deletion status * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServiceLinkedRoleDeletionStatus.html */ toGetServiceLinkedRoleDeletionStatus(): this; /** * Grants permission to retrieve information about the specified IAM user, including the user's creation date, path, unique ID, and ARN * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUser.html */ toGetUser(): this; /** * Grants permission to retrieve an inline policy document that is embedded in the specified IAM user * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUserPolicy.html */ toGetUserPolicy(): this; /** * Grants permission to list information about the access key IDs that are associated with the specified IAM user * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html */ toListAccessKeys(): this; /** * Grants permission to list the account alias that is associated with the AWS account * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccountAliases.html */ toListAccountAliases(): this; /** * Grants permission to list all managed policies that are attached to the specified IAM group * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedGroupPolicies.html */ toListAttachedGroupPolicies(): this; /** * Grants permission to list all managed policies that are attached to the specified IAM role * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html */ toListAttachedRolePolicies(): this; /** * Grants permission to list all managed policies that are attached to the specified IAM user * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedUserPolicies.html */ toListAttachedUserPolicies(): this; /** * Grants permission to list all current CloudFront public keys for the account * * Access Level: List * * https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html */ toListCloudFrontPublicKeys(): this; /** * Grants permission to list all IAM identities to which the specified managed policy is attached * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListEntitiesForPolicy.html */ toListEntitiesForPolicy(): this; /** * Grants permission to list the names of the inline policies that are embedded in the specified IAM group * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroupPolicies.html */ toListGroupPolicies(): this; /** * Grants permission to list the IAM groups that have the specified path prefix * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroups.html */ toListGroups(): this; /** * Grants permission to list the IAM groups that the specified IAM user belongs to * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroupsForUser.html */ toListGroupsForUser(): this; /** * Grants permission to list the tags that are attached to the specified instance profile * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListInstanceProfileTags.html */ toListInstanceProfileTags(): this; /** * Grants permission to list the instance profiles that have the specified path prefix * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListInstanceProfiles.html */ toListInstanceProfiles(): this; /** * Grants permission to list the instance profiles that have the specified associated IAM role * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListInstanceProfilesForRole.html */ toListInstanceProfilesForRole(): this; /** * Grants permission to list the tags that are attached to the specified virtual mfa device * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListMFADeviceTags.html */ toListMFADeviceTags(): this; /** * Grants permission to list the MFA devices for an IAM user * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListMFADevices.html */ toListMFADevices(): this; /** * Grants permission to list the tags that are attached to the specified OpenID Connect provider * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListOpenIDConnectProviderTags.html */ toListOpenIDConnectProviderTags(): this; /** * Grants permission to list information about the IAM OpenID Connect (OIDC) provider resource objects that are defined in the AWS account * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListOpenIDConnectProviders.html */ toListOpenIDConnectProviders(): this; /** * Grants permission to list the centralized root access features enabled for your organization * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListOrganizationsFeatures.html */ toListOrganizationsFeatures(): this; /** * Grants permission to list all managed policies * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html */ toListPolicies(): this; /** * Grants permission to list information about the policies that grant an entity access to a specific service * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPoliciesGrantingServiceAccess.html */ toListPoliciesGrantingServiceAccess(): this; /** * Grants permission to list the tags that are attached to the specified managed policy * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicyTags.html */ toListPolicyTags(): this; /** * Grants permission to list information about the versions of the specified managed policy, including the version that is currently set as the policy's default version * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicyVersions.html */ toListPolicyVersions(): this; /** * Grants permission to list the names of the inline policies that are embedded in the specified IAM role * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html */ toListRolePolicies(): this; /** * Grants permission to list the tags that are attached to the specified IAM role * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRoleTags.html */ toListRoleTags(): this; /** * Grants permission to list the IAM roles that have the specified path prefix * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRoles.html */ toListRoles(): this; /** * Grants permission to list the tags that are attached to the specified SAML provider * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListSAMLProviderTags.html */ toListSAMLProviderTags(): this; /** * Grants permission to list the SAML provider resources in IAM * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListSAMLProviders.html */ toListSAMLProviders(): this; /** * Grants permission to list information about the SSH public keys that are associated with the specified IAM user * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListSSHPublicKeys.html */ toListSSHPublicKeys(): this; /** * Grants permission to list the status of all active STS regional endpoints * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html */ toListSTSRegionalEndpointsStatus(): this; /** * Grants permission to list the tags that are attached to the specified server certificate * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListServerCertificateTags.html */ toListServerCertificateTags(): this; /** * Grants permission to list the server certificates that have the specified path prefix * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListServerCertificates.html */ toListServerCertificates(): this; /** * Grants permission to list the service-specific credentials that are associated with the specified IAM user * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListServiceSpecificCredentials.html */ toListServiceSpecificCredentials(): this; /** * Grants permission to list information about the signing certificates that are associated with the specified IAM user * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListSigningCertificates.html */ toListSigningCertificates(): this; /** * Grants permission to list the names of the inline policies that are embedded in the specified IAM user * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html */ toListUserPolicies(): this; /** * Grants permission to list the tags that are attached to the specified IAM user * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserTags.html */ toListUserTags(): this; /** * Grants permission to list the IAM users that have the specified path prefix * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUsers.html */ toListUsers(): this; /** * Grants permission to list virtual MFA devices by assignment status * * Access Level: List * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListVirtualMFADevices.html */ toListVirtualMFADevices(): this; /** * Grants permission to pass a role to a service * * Access Level: Write * * Possible conditions: * - .ifAssociatedResourceArn() * - .ifPassedToService() * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html */ toPassRole(): this; /** * Grants permission to create or update an inline policy document that is embedded in the specified IAM group * * Access Level: Permissions management * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html */ toPutGroupPolicy(): this; /** * Grants permission to set a managed policy as a permissions boundary for a role * * Access Level: Permissions management * * Possible conditions: * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePermissionsBoundary.html */ toPutRolePermissionsBoundary(): this; /** * Grants permission to create or update an inline policy document that is embedded in the specified IAM role * * Access Level: Permissions management * * Possible conditions: * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html */ toPutRolePolicy(): this; /** * Grants permission to set a managed policy as a permissions boundary for an IAM user * * Access Level: Permissions management * * Possible conditions: * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPermissionsBoundary.html */ toPutUserPermissionsBoundary(): this; /** * Grants permission to create or update an inline policy document that is embedded in the specified IAM user * * Access Level: Permissions management * * Possible conditions: * - .ifPermissionsBoundary() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html */ toPutUserPolicy(): this; /** * Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_RemoveClientIDFromOpenIDConnectProvider.html */ toRemoveClientIDFromOpenIDConnectProvider(): this; /** * Grants permission to remove an IAM role from the specified EC2 instance profile * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_RemoveRoleFromInstanceProfile.html */ toRemoveRoleFromInstanceProfile(): this; /** * Grants permission to remove an IAM user from the specified group * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_RemoveUserFromGroup.html */ toRemoveUserFromGroup(): this; /** * Grants permission to reset the password for an existing service-specific credential for an IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ResetServiceSpecificCredential.html */ toResetServiceSpecificCredential(): this; /** * Grants permission to synchronize the specified MFA device with its IAM entity (user or role) * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_ResyncMFADevice.html */ toResyncMFADevice(): this; /** * Grants permission to set the version of the specified policy as the policy's default version * * Access Level: Permissions management * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html */ toSetDefaultPolicyVersion(): this; /** * Grants permission to activate or deactivate an STS regional endpoint * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html */ toSetSTSRegionalEndpointStatus(): this; /** * Grants permission to set the STS global endpoint token version * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetSecurityTokenServicePreferences.html */ toSetSecurityTokenServicePreferences(): this; /** * Grants permission to simulate whether an identity-based policy or resource-based policy provides permissions for specific API operations and resources * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulateCustomPolicy.html */ toSimulateCustomPolicy(): this; /** * Grants permission to simulate whether an identity-based policy that is attached to a specified IAM entity (user or role) provides permissions for specific API operations and resources * * Access Level: Read * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulatePrincipalPolicy.html */ toSimulatePrincipalPolicy(): this; /** * Grants permission to add tags to an instance profile * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html */ toTagInstanceProfile(): this; /** * Grants permission to add tags to a virtual mfa device * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagMFADevice.html */ toTagMFADevice(): this; /** * Grants permission to add tags to an OpenID Connect provider * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagOpenIDConnectProvider.html */ toTagOpenIDConnectProvider(): this; /** * Grants permission to add tags to a managed policy * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagPolicy.html */ toTagPolicy(): this; /** * Grants permission to add tags to an IAM role * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagRole.html */ toTagRole(): this; /** * Grants permission to add tags to a SAML Provider * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagSAMLProvider.html */ toTagSAMLProvider(): this; /** * Grants permission to add tags to a server certificate * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagServerCertificate.html */ toTagServerCertificate(): this; /** * Grants permission to add tags to an IAM user * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagUser.html */ toTagUser(): this; /** * Grants permission to remove the specified tags from the instance profile * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UntagInstanceProfile.html */ toUntagInstanceProfile(): this; /** * Grants permission to remove the specified tags from the virtual mfa device * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UntagMFADevice.html */ toUntagMFADevice(): this; /** * Grants permission to remove the specified tags from the OpenID Connect provider * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UntagOpenIDConnectProvider.html */ toUntagOpenIDConnectProvider(): this; /** * Grants permission to remove the specified tags from the managed policy * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UntagPolicy.html */ toUntagPolicy(): this; /** * Grants permission to remove the specified tags from the role * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UntagRole.html */ toUntagRole(): this; /** * Grants permission to remove the specified tags from the SAML Provider * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UntagSAMLProvider.html */ toUntagSAMLProvider(): this; /** * Grants permission to remove the specified tags from the server certificate * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UntagServerCertificate.html */ toUntagServerCertificate(): this; /** * Grants permission to remove the specified tags from the user * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UntagUser.html */ toUntagUser(): this; /** * Grants permission to update the status of the specified access key as Active or Inactive * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html */ toUpdateAccessKey(): this; /** * Grants permission to update the email address that is associated with the account * * Access Level: Write * * https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html */ toUpdateAccountEmailAddress(): this; /** * Grants permission to update the account name that is associated with the account * * Access Level: Write * * https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-root-user.html */ toUpdateAccountName(): this; /** * Grants permission to update the password policy settings for the AWS account * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccountPasswordPolicy.html */ toUpdateAccountPasswordPolicy(): this; /** * Grants permission to update the policy that grants an IAM entity permission to assume a role * * Access Level: Permissions management * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAssumeRolePolicy.html */ toUpdateAssumeRolePolicy(): this; /** * Grants permission to update an existing CloudFront public key * * Access Level: Write * * https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html */ toUpdateCloudFrontPublicKey(): this; /** * Grants permission to update the name or path of the specified IAM group * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateGroup.html */ toUpdateGroup(): this; /** * Grants permission to change the password for the specified IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateLoginProfile.html */ toUpdateLoginProfile(): this; /** * Grants permission to update the entire list of server certificate thumbprints that are associated with an OpenID Connect (OIDC) provider resource * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateOpenIDConnectProviderThumbprint.html */ toUpdateOpenIDConnectProviderThumbprint(): this; /** * Grants permission to update the description or maximum session duration setting of a role * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateRole.html */ toUpdateRole(): this; /** * Grants permission to update only the description of a role * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateRoleDescription.html */ toUpdateRoleDescription(): this; /** * Grants permission to update the metadata document for an existing SAML provider resource * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html */ toUpdateSAMLProvider(): this; /** * Grants permission to update the status of an IAM user's SSH public key to active or inactive * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSSHPublicKey.html */ toUpdateSSHPublicKey(): this; /** * Grants permission to update the name or the path of the specified server certificate stored in IAM * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateServerCertificate.html */ toUpdateServerCertificate(): this; /** * Grants permission to update the status of a service-specific credential to active or inactive for an IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateServiceSpecificCredential.html */ toUpdateServiceSpecificCredential(): this; /** * Grants permission to update the status of the specified user signing certificate to active or disabled * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSigningCertificate.html */ toUpdateSigningCertificate(): this; /** * Grants permission to update the name or the path of the specified IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateUser.html */ toUpdateUser(): this; /** * Grants permission to upload a CloudFront public key * * Access Level: Write * * https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html */ toUploadCloudFrontPublicKey(): this; /** * Grants permission to upload an SSH public key and associate it with the specified IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UploadSSHPublicKey.html */ toUploadSSHPublicKey(): this; /** * Grants permission to upload a server certificate entity for the AWS account * * Access Level: Write * * Possible conditions: * - .ifAwsTagKeys() * - .ifAwsRequestTag() * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UploadServerCertificate.html */ toUploadServerCertificate(): this; /** * Grants permission to upload an X.509 signing certificate and associate it with the specified IAM user * * Access Level: Write * * https://docs.aws.amazon.com/IAM/latest/APIReference/API_UploadSigningCertificate.html */ toUploadSigningCertificate(): this; protected accessLevelList: AccessLevelList; /** * Adds a resource of type access-report to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data-orgs.html * * @param entityPath - Identifier for the entityPath. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onAccessReport(entityPath: string, account?: string, partition?: string): this; /** * Adds a resource of type assumed-role to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html * * @param roleName - Identifier for the roleName. * @param roleSessionName - Identifier for the roleSessionName. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onAssumedRole(roleName: string, roleSessionName: string, account?: string, partition?: string): this; /** * Adds a resource of type federated-user to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html * * @param userName - Identifier for the userName. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onFederatedUser(userName: string, account?: string, partition?: string): this; /** * Adds a resource of type group to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html * * @param groupNameWithPath - Identifier for the groupNameWithPath. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onGroup(groupNameWithPath: string, account?: string, partition?: string): this; /** * Adds a resource of type instance-profile to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html * * @param instanceProfileNameWithPath - Identifier for the instanceProfileNameWithPath. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. * * Possible conditions: * - .ifAwsResourceTag() */ onInstanceProfile(instanceProfileNameWithPath: string, account?: string, partition?: string): this; /** * Adds a resource of type mfa to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html * * @param mfaTokenIdWithPath - Identifier for the mfaTokenIdWithPath. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. * * Possible conditions: * - .ifAwsResourceTag() */ onMfa(mfaTokenIdWithPath: string, account?: string, partition?: string): this; /** * Adds a resource of type oidc-provider to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html * * @param oidcProviderName - Identifier for the oidcProviderName. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. * * Possible conditions: * - .ifAwsResourceTag() */ onOidcProvider(oidcProviderName: string, account?: string, partition?: string): this; /** * Adds a resource of type policy to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html * * @param policyNameWithPath - Identifier for the policyNameWithPath. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. * * Possible conditions: * - .ifAwsResourceTag() */ onPolicy(policyNameWithPath: string, account?: string, partition?: string): this; /** * Adds a resource of type role to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html * * @param roleNameWithPath - Identifier for the roleNameWithPath. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. * * Possible conditions: * - .ifAwsResourceTag() * - .ifResourceTag() */ onRole(roleNameWithPath: string, account?: string, partition?: string): this; /** * Adds a resource of type saml-provider to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html * * @param samlProviderName - Identifier for the samlProviderName. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. * * Possible conditions: * - .ifAwsResourceTag() */ onSamlProvider(samlProviderName: string, account?: string, partition?: string): this; /** * Adds a resource of type server-certificate to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html * * @param certificateNameWithPath - Identifier for the certificateNameWithPath. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. * * Possible conditions: * - .ifAwsResourceTag() */ onServerCertificate(certificateNameWithPath: string, account?: string, partition?: string): this; /** * Adds a resource of type sms-mfa to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html * * @param mfaTokenIdWithPath - Identifier for the mfaTokenIdWithPath. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onSmsMfa(mfaTokenIdWithPath: string, account?: string, partition?: string): this; /** * Adds a resource of type user to the statement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html * * @param userNameWithPath - Identifier for the userNameWithPath. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. * * Possible conditions: * - .ifAwsResourceTag() * - .ifResourceTag() */ onUser(userNameWithPath: string, account?: string, partition?: string): this; /** * Filters access based on the tags that are passed in the request * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag * * Applies to actions: * - .toCreateInstanceProfile() * - .toCreateOpenIDConnectProvider() * - .toCreatePolicy() * - .toCreateRole() * - .toCreateSAMLProvider() * - .toCreateUser() * - .toCreateVirtualMFADevice() * - .toTagInstanceProfile() * - .toTagMFADevice() * - .toTagOpenIDConnectProvider() * - .toTagPolicy() * - .toTagRole() * - .toTagSAMLProvider() * - .toTagServerCertificate() * - .toTagUser() * - .toUploadServerCertificate() * * @param tagKey The tag key to check * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifAwsRequestTag(tagKey: string, value: string | string[], operator?: Operator | string): this; /** * Filters access based on the tags associated with the resource * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag * * Applies to resource types: * - instance-profile * - mfa * - oidc-provider * - policy * - role * - saml-provider * - server-certificate * - user * * @param tagKey The tag key to check * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifAwsResourceTag(tagKey: string, value: string | string[], operator?: Operator | string): this; /** * Filters access based on the tag keys that are passed in the request * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys * * Applies to actions: * - .toCreateInstanceProfile() * - .toCreateOpenIDConnectProvider() * - .toCreatePolicy() * - .toCreateRole() * - .toCreateSAMLProvider() * - .toCreateUser() * - .toCreateVirtualMFADevice() * - .toTagInstanceProfile() * - .toTagMFADevice() * - .toTagOpenIDConnectProvider() * - .toTagPolicy() * - .toTagRole() * - .toTagSAMLProvider() * - .toTagServerCertificate() * - .toTagUser() * - .toUntagInstanceProfile() * - .toUntagMFADevice() * - .toUntagOpenIDConnectProvider() * - .toUntagPolicy() * - .toUntagRole() * - .toUntagSAMLProvider() * - .toUntagServerCertificate() * - .toUntagUser() * - .toUploadServerCertificate() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifAwsTagKeys(value: string | string[], operator?: Operator | string): this; /** * Filters access by the AWS service to which this role is attached * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_AWSServiceName * * Applies to actions: * - .toCreateServiceLinkedRole() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifAWSServiceName(value: string | string[], operator?: Operator | string): this; /** * Filters access by the resource that the role will be used on behalf of * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_AssociatedResourceArn * * Applies to actions: * - .toPassRole() * * @param value The value(s) to check * @param operator Works with [arn operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN). **Default:** `ArnLike` */ ifAssociatedResourceArn(value: string | string[], operator?: Operator | string): this; /** * Filters access by the MFA device FIPS-140-2 validation certification level at the time of registration of a FIDO security key * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_FIDO-FIPS-140-2-certification * * Applies to actions: * - .toEnableMFADevice() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifFIDOFIPS1402Certification(value: string | string[], operator?: Operator | string): this; /** * Filters access by the MFA device FIPS-140-3 validation certification level at the time of registration of a FIDO security key * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_FIDO-FIPS-140-3-certification * * Applies to actions: * - .toEnableMFADevice() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifFIDOFIPS1403Certification(value: string | string[], operator?: Operator | string): this; /** * Filters access by the MFA device FIDO certification level at the time of registration of a FIDO security key * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_FIDO-certification * * Applies to actions: * - .toEnableMFADevice() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifFIDOCertification(value: string | string[], operator?: Operator | string): this; /** * Filters access by the ID of an AWS Organizations policy * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_OrganizationsPolicyId * * Applies to actions: * - .toGenerateOrganizationsAccessReport() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifOrganizationsPolicyId(value: string | string[], operator?: Operator | string): this; /** * Filters access by the AWS service to which this role is passed * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_PassedToService * * Applies to actions: * - .toPassRole() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifPassedToService(value: string | string[], operator?: Operator | string): this; /** * Filters access if the specified policy is set as the permissions boundary on the IAM entity (user or role) * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_PermissionsBoundary * * Applies to actions: * - .toAttachRolePolicy() * - .toAttachUserPolicy() * - .toCreateRole() * - .toCreateUser() * - .toDeleteRolePermissionsBoundary() * - .toDeleteRolePolicy() * - .toDeleteUserPermissionsBoundary() * - .toDeleteUserPolicy() * - .toDetachRolePolicy() * - .toDetachUserPolicy() * - .toPutRolePermissionsBoundary() * - .toPutRolePolicy() * - .toPutUserPermissionsBoundary() * - .toPutUserPolicy() * * @param value The value(s) to check * @param operator Works with [arn operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN). **Default:** `ArnLike` */ ifPermissionsBoundary(value: string | string[], operator?: Operator | string): this; /** * Filters access by the ARN of an IAM policy * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_PolicyARN * * Applies to actions: * - .toAttachGroupPolicy() * - .toAttachRolePolicy() * - .toAttachUserPolicy() * - .toDetachGroupPolicy() * - .toDetachRolePolicy() * - .toDetachUserPolicy() * * @param value The value(s) to check * @param operator Works with [arn operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN). **Default:** `ArnLike` */ ifPolicyARN(value: string | string[], operator?: Operator | string): this; /** * Filters access by the current state of MFA device enablement * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_RegisterSecurityKey * * Applies to actions: * - .toEnableMFADevice() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifRegisterSecurityKey(value: string | string[], operator?: Operator | string): this; /** * Filters access by the tags attached to an IAM entity (user or role) * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_ResourceTag * * Applies to resource types: * - role * - user * * @param tagKey The tag key to check * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifResourceTag(tagKey: string, value: string | string[], operator?: Operator | string): this; /** * Statement provider for service [iam](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html). * */ constructor(props?: iam.PolicyStatementProps); }