Class: AWSCDK::IAM::Grant

Inherits:
Jsii::Object
  • Object
show all
Includes:
Constructs::IDependable
Defined in:
iam/grant.rb

Overview

Result of a grant() operation.

This class is not instantiable by consumers on purpose, so that they will be required to call the Grant factory functions.

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(*args) ⇒ Grant

Returns a new instance of Grant.

Raises:

  • (NoMethodError)


12
13
14
# File 'iam/grant.rb', line 12

def initialize(*args)
  raise NoMethodError, "aws-cdk-lib.aws_iam.Grant does not have a visible constructor; use the provided factory methods"
end

Class Method Details

.add_statement_to_resource_policy(options) ⇒ AWSCDK::IAM::Grant

Add a pre-constructed policy statement to the resource's policy.

This method provides direct, low-level control over the initial policy statement being added. It is useful when you need to:

  • Add complex policy statements that can't be expressed through other grant methods
  • Specify the initial structure of the policy statement
  • Add statements with custom conditions or other advanced IAM features

Important differences from other grant methods:

  • Only modifies the resource policy, never modifies any principal's policy
  • Takes a complete PolicyStatement rather than constructing one from parameters
  • Always attempts to add the statement, regardless of principal type or account
  • Does not attempt any automatic principal/resource policy selection logic

Note: The final form of the policy statement in the resource's policy may differ from the provided statement, depending on the resource's implementation of addToResourcePolicy.

Examples:

grantee = nil # AWSCDK::IAM::IGrantable
actions = []
resource_arns = []
bucket = nil # AWSCDK::S3::Bucket

statement = AWSCDK::IAM::PolicyStatement.new({
    effect: AWSCDK::IAM::Effect::ALLOW,
    actions: actions,
    principals: [AWSCDK::IAM::ServicePrincipal.new("lambda.amazonaws.com")],
    conditions: {
        StringEquals: {
            "aws:SourceAccount" => AWSCDK::Stack.of(self).,
        },
    },
})
AWSCDK::IAM::Grant.add_statement_to_resource_policy({
    grantee: grantee,
    actions: actions,
    resource_arns: resource_arns,
    resource: bucket,
    statement: statement,
})

Parameters:

Returns:

  • (AWSCDK::IAM::Grant)

    A Grant object representing the result of the operation



75
76
77
78
79
# File 'iam/grant.rb', line 75

def self.add_statement_to_resource_policy(options)
  options = options.is_a?(Hash) ? ::AWSCDK::IAM::GrantPolicyWithResourceOptions.new(**options.transform_keys(&:to_sym)) : options
  Jsii::Type.check_type(options, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLkdyYW50UG9saWN5V2l0aFJlc291cmNlT3B0aW9ucyJ9")), "options")
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_iam.Grant", "addStatementToResourcePolicy", [options])
end

.add_to_principal(options) ⇒ AWSCDK::IAM::Grant

Try to grant the given permissions to the given principal.

Absence of a principal leads to a warning, but failing to add the permissions to a present principal is not an error.

Parameters:

Returns:

  • (AWSCDK::IAM::Grant)


88
89
90
91
92
# File 'iam/grant.rb', line 88

def self.add_to_principal(options)
  options = options.is_a?(Hash) ? ::AWSCDK::IAM::GrantOnPrincipalOptions.new(**options.transform_keys(&:to_sym)) : options
  Jsii::Type.check_type(options, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLkdyYW50T25QcmluY2lwYWxPcHRpb25zIn0=")), "options")
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_iam.Grant", "addToPrincipal", [options])
end

.add_to_principal_and_resource(options) ⇒ AWSCDK::IAM::Grant

Add a grant both on the principal and on the resource.

As long as any principal is given, granting on the principal may fail (in case of a non-identity principal), but granting on the resource will never fail.

Statement will be the resource statement.

Parameters:

Returns:

  • (AWSCDK::IAM::Grant)


104
105
106
107
108
# File 'iam/grant.rb', line 104

def self.add_to_principal_and_resource(options)
  options = options.is_a?(Hash) ? ::AWSCDK::IAM::GrantOnPrincipalAndResourceOptions.new(**options.transform_keys(&:to_sym)) : options
  Jsii::Type.check_type(options, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLkdyYW50T25QcmluY2lwYWxBbmRSZXNvdXJjZU9wdGlvbnMifQ==")), "options")
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_iam.Grant", "addToPrincipalAndResource", [options])
end

.add_to_principal_or_resource(options) ⇒ AWSCDK::IAM::Grant

Grant the given permissions to the principal.

The permissions will be added to the principal policy primarily, falling back to the resource policy if necessary. The permissions must be granted somewhere.

  • Trying to grant permissions to a principal that does not admit adding to the principal policy while not providing a resource with a resource policy is an error.
  • Trying to grant permissions to an absent principal (possible in the case of imported resources) leads to a warning being added to the resource construct.

Parameters:

Returns:

  • (AWSCDK::IAM::Grant)


125
126
127
128
129
# File 'iam/grant.rb', line 125

def self.add_to_principal_or_resource(options)
  options = options.is_a?(Hash) ? ::AWSCDK::IAM::GrantWithResourceOptions.new(**options.transform_keys(&:to_sym)) : options
  Jsii::Type.check_type(options, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLkdyYW50V2l0aFJlc291cmNlT3B0aW9ucyJ9")), "options")
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_iam.Grant", "addToPrincipalOrResource", [options])
end

.drop(grantee, _intent) ⇒ AWSCDK::IAM::Grant

Returns a "no-op" Grant object which represents a "dropped grant".

This can be used for e.g. imported resources where you may not be able to modify the resource's policy or some underlying policy which you don't know about.

Parameters:

  • grantee (AWSCDK::IAM::IGrantable)

    The intended grantee.

  • _intent (String)

    The user's intent (will be ignored at the moment).

Returns:

  • (AWSCDK::IAM::Grant)


139
140
141
142
143
# File 'iam/grant.rb', line 139

def self.drop(grantee, _intent)
  Jsii::Type.check_type(grantee, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklHcmFudGFibGUifQ==")), "grantee")
  Jsii::Type.check_type(_intent, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "_intent")
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_iam.Grant", "drop", [grantee, _intent])
end

.jsii_overridable_methodsObject



16
17
18
19
20
21
22
23
24
25
26
27
# File 'iam/grant.rb', line 16

def self.jsii_overridable_methods
  {
    :principal_statements => { kind: :property, name: "principalStatements", is_optional: false },
    :resource_statements => { kind: :property, name: "resourceStatements", is_optional: false },
    :success => { kind: :property, name: "success", is_optional: false },
    :principal_statement => { kind: :property, name: "principalStatement", is_optional: true },
    :resource_statement => { kind: :property, name: "resourceStatement", is_optional: true },
    :apply_before => { kind: :method, name: "applyBefore", is_optional: false },
    :assert_success => { kind: :method, name: "assertSuccess", is_optional: false },
    :combine => { kind: :method, name: "combine", is_optional: false },
  }
end

Instance Method Details

#apply_before(*constructs) ⇒ void

This method returns an undefined value.

Make sure this grant is applied before the given constructs are deployed.

The same as construct.node.addDependency(grant), but slightly nicer to read.

Parameters:

  • constructs (Array<Constructs::IConstruct>)


188
189
190
191
192
193
# File 'iam/grant.rb', line 188

def apply_before(*constructs)
  constructs.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJjb25zdHJ1Y3RzLklDb25zdHJ1Y3QifQ==")), "constructs[#{index}]")
  end
  jsii_call_method("applyBefore", [*constructs])
end

#assert_successvoid

This method returns an undefined value.

Throw an error if this grant wasn't successful.



198
199
200
# File 'iam/grant.rb', line 198

def assert_success()
  jsii_call_method("assertSuccess", [])
end

#combine(rhs) ⇒ AWSCDK::IAM::Grant

Combine two grants into a new one.

Parameters:

  • rhs (AWSCDK::IAM::Grant)

Returns:

  • (AWSCDK::IAM::Grant)


206
207
208
209
# File 'iam/grant.rb', line 206

def combine(rhs)
  Jsii::Type.check_type(rhs, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLkdyYW50In0=")), "rhs")
  jsii_call_method("combine", [rhs])
end

#principal_statementAWSCDK::IAM::PolicyStatement?

Deprecated.

Use principalStatements instead

The statement that was added to the principal's policy.



170
171
172
# File 'iam/grant.rb', line 170

def principal_statement()
  jsii_get_property("principalStatement")
end

#principal_statementsArray<AWSCDK::IAM::PolicyStatement>

The statements that were added to the principal's policy.

Returns:



148
149
150
# File 'iam/grant.rb', line 148

def principal_statements()
  jsii_get_property("principalStatements")
end

#resource_statementAWSCDK::IAM::PolicyStatement?

Deprecated.

Use resourceStatements instead

The statement that was added to the resource policy.



178
179
180
# File 'iam/grant.rb', line 178

def resource_statement()
  jsii_get_property("resourceStatement")
end

#resource_statementsArray<AWSCDK::IAM::PolicyStatement>

The statements that were added to the resource policy.

Returns:



155
156
157
# File 'iam/grant.rb', line 155

def resource_statements()
  jsii_get_property("resourceStatements")
end

#successBoolean

Whether the grant operation was successful.

Returns:

  • (Boolean)


162
163
164
# File 'iam/grant.rb', line 162

def success()
  jsii_get_property("success")
end