import { AccessLevelList } from '../../shared/access-level'; import { PolicyStatement, Operator } from '../../shared'; import { aws_iam as iam } from "aws-cdk-lib"; /** * Statement provider for service [identitystore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html). * * @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement */ export declare class Identitystore extends PolicyStatement { servicePrefix: string; /** * Grants permission to add a region to an IdentityStore * * Access Level: Write * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample */ toAddRegion(): this; /** * Grants permission to create a group in the specified IdentityStore * * Access Level: Write * * Possible conditions: * - .ifPrimaryRegion() * - .ifGroupExternalIdIssuers() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroup.html */ toCreateGroup(): this; /** * Grants permission to create a member to a group in the specified IdentityStore * * Access Level: Write * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateGroupMembership.html */ toCreateGroupMembership(): this; /** * Grants permission to create a new IdentityStore in an AWS account * * Access Level: Write * * Dependent actions: * - kms:Decrypt * - kms:DescribeKey * - kms:Encrypt * - kms:GenerateDataKeyWithoutPlaintext * * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample */ toCreateIdentityStore(): this; /** * Grants permission to create a user in the specified IdentityStore * * Access Level: Write * * Possible conditions: * - .ifPrimaryRegion() * - .ifUserExternalIdIssuers() * - .ifReservedUserId() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html */ toCreateUser(): this; /** * Grants permission to delete a group in the specified IdentityStore * * Access Level: Write * * Possible conditions: * - .ifPrimaryRegion() * - .ifGroupExternalIdIssuers() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteGroup.html */ toDeleteGroup(): this; /** * Grants permission to remove a member that is part of a group in the specified IdentityStore * * Access Level: Write * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteGroupMembership.html */ toDeleteGroupMembership(): this; /** * Grants permission to delete an IdentityStore * * Access Level: Write * * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample */ toDeleteIdentityStore(): this; /** * Grants permission to delete a user in the specified IdentityStore * * Access Level: Write * * Possible conditions: * - .ifPrimaryRegion() * - .ifUserExternalIdIssuers() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DeleteUser.html */ toDeleteUser(): this; /** * Grants permission to retrieve information about a group in the specified IdentityStore * * Access Level: Read * * Possible conditions: * - .ifPrimaryRegion() * - .ifGroupExternalIdIssuers() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeGroup.html */ toDescribeGroup(): this; /** * Grants permission to retrieve information about a member that is part of a group in the specified IdentityStore * * Access Level: Read * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeGroupMembership.html */ toDescribeGroupMembership(): this; /** * Grants permission to retrieve configuration details for a specific IdentityStore region * * Access Level: Read * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample */ toDescribeRegion(): this; /** * Grants permission to retrieve information about user in the specified IdentityStore * * Access Level: Read * * Possible conditions: * - .ifPrimaryRegion() * - .ifUserExternalIdIssuers() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html */ toDescribeUser(): this; /** * Grants permission to retrieve ID information about group in the specified IdentityStore * * Access Level: Read * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetGroupId.html */ toGetGroupId(): this; /** * Grants permission to retrieve ID information of a member which is part of a group in the specified IdentityStore * * Access Level: Read * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetGroupMembershipId.html */ toGetGroupMembershipId(): this; /** * Grants permission to retrieves ID information about user in the specified IdentityStore * * Access Level: Read * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetUserId.html */ toGetUserId(): this; /** * Grants permission to check if a member is a part of groups in the specified IdentityStore * * Access Level: Read * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_IsMemberInGroups.html */ toIsMemberInGroups(): this; /** * Grants permission to retrieve all members that are part of a group in the specified IdentityStore * * Access Level: List * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMemberships.html */ toListGroupMemberships(): this; /** * Grants permission to list groups of the target member in the specified IdentityStore * * Access Level: List * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroupMembershipsForMember.html */ toListGroupMembershipsForMember(): this; /** * Grants permission to search for groups within the specified IdentityStore * * Access Level: List * * Possible conditions: * - .ifPrimaryRegion() * - .ifGroupExternalIdIssuers() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroups.html */ toListGroups(): this; /** * Grants permission to list all regions configured for an IdentityStore * * Access Level: List * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample */ toListRegions(): this; /** * Grants permission to search for users in the specified IdentityStore * * Access Level: List * * Possible conditions: * - .ifPrimaryRegion() * - .ifUserExternalIdIssuers() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.html */ toListUsers(): this; /** * Grants permission to remove a region from an IdentityStore * * Access Level: Write * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample */ toRemoveRegion(): this; /** * Grants permission to reserve a user by getting a userId * * Access Level: Write * * Possible conditions: * - .ifPrimaryRegion() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample */ toReserveUser(): this; /** * Grants permission to update information about a group in the specified IdentityStore * * Access Level: Write * * Possible conditions: * - .ifPrimaryRegion() * - .ifGroupExternalIdIssuers() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateGroup.html */ toUpdateGroup(): this; /** * Grants permission to update the configuration of an IdentityStore * * Access Level: Write * * Dependent actions: * - kms:Decrypt * - kms:DescribeKey * - kms:Encrypt * - kms:GenerateDataKeyWithoutPlaintext * * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample */ toUpdateIdentityStore(): this; /** * Grants permission to update user information in the specified IdentityStore * * Access Level: Write * * Possible conditions: * - .ifPrimaryRegion() * - .ifUserExternalIdIssuers() * * Dependent actions: * - kms:Decrypt * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateUser.html */ toUpdateUser(): this; protected accessLevelList: AccessLevelList; /** * Adds a resource of type Identitystore to the statement * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/ * * @param identityStoreId - Identifier for the identityStoreId. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onIdentitystore(identityStoreId: string, account?: string, partition?: string): this; /** * Adds a resource of type User to the statement * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_User.html * * @param userId - Identifier for the userId. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onUser(userId: string, partition?: string): this; /** * Adds a resource of type Group to the statement * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_Group.html * * @param groupId - Identifier for the groupId. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onGroup(groupId: string, partition?: string): this; /** * Adds a resource of type GroupMembership to the statement * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GroupMembership.html * * @param membershipId - Identifier for the membershipId. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onGroupMembership(membershipId: string, partition?: string): this; /** * Adds a resource of type AllUsers to the statement * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_User.html * * @param resourceName - Identifier for the resourceName. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onAllUsers(resourceName: string, partition?: string): this; /** * Adds a resource of type AllGroups to the statement * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_Group.html * * @param resourceName - Identifier for the resourceName. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onAllGroups(resourceName: string, partition?: string): this; /** * Adds a resource of type AllGroupMemberships to the statement * * https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GroupMembership.html * * @param resourceName - Identifier for the resourceName. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onAllGroupMemberships(resourceName: string, partition?: string): this; /** * Filters access by Issuer present in ExternalIds for Group resources * * Applies to actions: * - .toCreateGroup() * - .toDeleteGroup() * - .toDescribeGroup() * - .toListGroups() * - .toUpdateGroup() * * @param value The value(s) to check * @param operator Works with [arn operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN). **Default:** `ArnLike` */ ifGroupExternalIdIssuers(value: string | string[], operator?: Operator | string): this; /** * Filters access by Identity Store ARN * * https://docs.aws.amazon.com/singlesignon/latest/userguide/condition-context-keys-sts-idc.html#condition-keys-identity-store-arn * * @param value The value(s) to check * @param operator Works with [arn operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN). **Default:** `ArnLike` */ ifIdentityStoreArn(value: string | string[], operator?: Operator | string): this; /** * Filters access by Primary Region of Identity Store * * Applies to actions: * - .toCreateGroup() * - .toCreateGroupMembership() * - .toCreateUser() * - .toDeleteGroup() * - .toDeleteGroupMembership() * - .toDeleteUser() * - .toDescribeGroup() * - .toDescribeGroupMembership() * - .toDescribeRegion() * - .toDescribeUser() * - .toGetGroupId() * - .toGetGroupMembershipId() * - .toGetUserId() * - .toIsMemberInGroups() * - .toListGroupMemberships() * - .toListGroupMembershipsForMember() * - .toListGroups() * - .toListRegions() * - .toListUsers() * - .toReserveUser() * - .toUpdateGroup() * - .toUpdateUser() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifPrimaryRegion(value: string | string[], operator?: Operator | string): this; /** * Filters access by a previously reserved User ID for CreateUser operation * * Applies to actions: * - .toCreateUser() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifReservedUserId(value: string | string[], operator?: Operator | string): this; /** * Filters access by Issuer present in ExternalIds for User resources * * Applies to actions: * - .toCreateUser() * - .toDeleteUser() * - .toDescribeUser() * - .toListUsers() * - .toUpdateUser() * * @param value The value(s) to check * @param operator Works with [arn operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN). **Default:** `ArnLike` */ ifUserExternalIdIssuers(value: string | string[], operator?: Operator | string): this; /** * Filters access by Identity Store User ID * * https://docs.aws.amazon.com/singlesignon/latest/userguide/condition-context-keys-sts-idc.html#condition-keys-identity-store-user-id * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifUserId(value: string | string[], operator?: Operator | string): this; /** * Statement provider for service [identitystore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html). * */ constructor(props?: iam.PolicyStatementProps); }