Class: AWSCDK::IAM::PolicyStatement

Inherits:
Jsii::Object
  • Object
show all
Defined in:
iam/policy_statement.rb

Overview

Represents a statement in an IAM policy document.

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(props = nil) ⇒ PolicyStatement

Returns a new instance of PolicyStatement.

Parameters:



9
10
11
12
13
# File 'iam/policy_statement.rb', line 9

def initialize(props = nil)
  props = props.is_a?(Hash) ? ::AWSCDK::IAM::PolicyStatementProps.new(**props.transform_keys(&:to_sym)) : props
  Jsii::Type.check_type(props, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLlBvbGljeVN0YXRlbWVudFByb3BzIn0=")), "props") unless props.nil?
  Jsii::Object.instance_method(:initialize).bind(self).call(props)
end

Class Method Details

.from_json(obj) ⇒ AWSCDK::IAM::PolicyStatement

Creates a new PolicyStatement based on the object provided.

This will accept an object created from the .toJSON() call

Parameters:

  • obj (Object)

    the PolicyStatement in object form.

Returns:

  • (AWSCDK::IAM::PolicyStatement)


65
66
67
68
# File 'iam/policy_statement.rb', line 65

def self.from_json(obj)
  Jsii::Type.check_type(obj, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "obj")
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_iam.PolicyStatement", "fromJson", [obj])
end

.jsii_overridable_methodsObject



15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# File 'iam/policy_statement.rb', line 15

def self.jsii_overridable_methods
  {
    :actions => { kind: :property, name: "actions", is_optional: false },
    :conditions => { kind: :property, name: "conditions", is_optional: false },
    :frozen => { kind: :property, name: "frozen", is_optional: false },
    :has_principal => { kind: :property, name: "hasPrincipal", is_optional: false },
    :has_resource => { kind: :property, name: "hasResource", is_optional: false },
    :not_actions => { kind: :property, name: "notActions", is_optional: false },
    :not_principals => { kind: :property, name: "notPrincipals", is_optional: false },
    :not_resources => { kind: :property, name: "notResources", is_optional: false },
    :principals => { kind: :property, name: "principals", is_optional: false },
    :resources => { kind: :property, name: "resources", is_optional: false },
    :effect => { kind: :property, name: "effect", is_optional: false },
    :sid => { kind: :property, name: "sid", is_optional: true },
    :add_account_condition => { kind: :method, name: "addAccountCondition", is_optional: false },
    :add_account_root_principal => { kind: :method, name: "addAccountRootPrincipal", is_optional: false },
    :add_actions => { kind: :method, name: "addActions", is_optional: false },
    :add_all_resources => { kind: :method, name: "addAllResources", is_optional: false },
    :add_any_principal => { kind: :method, name: "addAnyPrincipal", is_optional: false },
    :add_arn_principal => { kind: :method, name: "addArnPrincipal", is_optional: false },
    :add_aws_account_principal => { kind: :method, name: "addAwsAccountPrincipal", is_optional: false },
    :add_canonical_user_principal => { kind: :method, name: "addCanonicalUserPrincipal", is_optional: false },
    :add_condition => { kind: :method, name: "addCondition", is_optional: false },
    :add_conditions => { kind: :method, name: "addConditions", is_optional: false },
    :add_federated_principal => { kind: :method, name: "addFederatedPrincipal", is_optional: false },
    :add_not_actions => { kind: :method, name: "addNotActions", is_optional: false },
    :add_not_principals => { kind: :method, name: "addNotPrincipals", is_optional: false },
    :add_not_resources => { kind: :method, name: "addNotResources", is_optional: false },
    :add_principals => { kind: :method, name: "addPrincipals", is_optional: false },
    :add_resources => { kind: :method, name: "addResources", is_optional: false },
    :add_service_principal => { kind: :method, name: "addServicePrincipal", is_optional: false },
    :add_source_account_condition => { kind: :method, name: "addSourceAccountCondition", is_optional: false },
    :add_source_arn_condition => { kind: :method, name: "addSourceArnCondition", is_optional: false },
    :copy => { kind: :method, name: "copy", is_optional: false },
    :freeze => { kind: :method, name: "freeze", is_optional: false },
    :to_json => { kind: :method, name: "toJSON", is_optional: false },
    :to_statement_json => { kind: :method, name: "toStatementJson", is_optional: false },
    :to_string => { kind: :method, name: "toString", is_optional: false },
    :validate_for_any_policy => { kind: :method, name: "validateForAnyPolicy", is_optional: false },
    :validate_for_identity_policy => { kind: :method, name: "validateForIdentityPolicy", is_optional: false },
    :validate_for_resource_policy => { kind: :method, name: "validateForResourcePolicy", is_optional: false },
  }
end

.PROPERTY_INJECTION_IDString

Uniquely identifies this class.

Returns:

  • (String)


73
74
75
# File 'iam/policy_statement.rb', line 73

def self.PROPERTY_INJECTION_ID()
  Jsii::Kernel.instance.get_static("aws-cdk-lib.aws_iam.PolicyStatement", "PROPERTY_INJECTION_ID")
end

Instance Method Details

#actionsArray<String>

The Actions added to this statement.

Returns:

  • (Array<String>)


80
81
82
# File 'iam/policy_statement.rb', line 80

def actions()
  jsii_get_property("actions")
end

#add_account_condition(account_id) ⇒ void

This method returns an undefined value.

Add a StringEquals condition that limits to a given account from sts:ExternalId.

This method can only be called once: subsequent calls will overwrite earlier calls.



180
181
182
183
# File 'iam/policy_statement.rb', line 180

def ()
  Jsii::Type.check_type(, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "accountId")
  jsii_call_method("addAccountCondition", [])
end

#add_account_root_principalvoid

This method returns an undefined value.

Adds an AWS account root user principal to this policy statement.



188
189
190
# File 'iam/policy_statement.rb', line 188

def ()
  jsii_call_method("addAccountRootPrincipal", [])
end

#add_actions(*actions) ⇒ void

This method returns an undefined value.

Specify allowed actions into the "Action" section of the policy statement.

Parameters:

  • actions (Array<String>)

    actions that will be allowed.

See Also:



197
198
199
200
201
202
# File 'iam/policy_statement.rb', line 197

def add_actions(*actions)
  actions.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "actions[#{index}]")
  end
  jsii_call_method("addActions", [*actions])
end

#add_all_resourcesvoid

This method returns an undefined value.

Adds a "*" resource to this statement.



207
208
209
# File 'iam/policy_statement.rb', line 207

def add_all_resources()
  jsii_call_method("addAllResources", [])
end

#add_any_principalvoid

This method returns an undefined value.

Adds all identities in all accounts ("*") to this policy statement.



214
215
216
# File 'iam/policy_statement.rb', line 214

def add_any_principal()
  jsii_call_method("addAnyPrincipal", [])
end

#add_arn_principal(arn) ⇒ void

This method returns an undefined value.

Specify a principal using the ARN identifier of the principal.

You cannot specify IAM groups and instance profiles as principals.

Parameters:

  • arn (String)

    ARN identifier of AWS account, IAM user, or IAM role (i.e. arn:aws:iam::123456789012:user/user-name).



224
225
226
227
# File 'iam/policy_statement.rb', line 224

def add_arn_principal(arn)
  Jsii::Type.check_type(arn, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "arn")
  jsii_call_method("addArnPrincipal", [arn])
end

#add_aws_account_principal(account_id) ⇒ void

This method returns an undefined value.

Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.

Parameters:

  • account_id (String)


233
234
235
236
# File 'iam/policy_statement.rb', line 233

def ()
  Jsii::Type.check_type(, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "accountId")
  jsii_call_method("addAwsAccountPrincipal", [])
end

#add_canonical_user_principal(canonical_user_id) ⇒ void

This method returns an undefined value.

Adds a canonical user ID principal to this policy document.

Parameters:

  • canonical_user_id (String)

    unique identifier assigned by AWS for every account.



242
243
244
245
# File 'iam/policy_statement.rb', line 242

def add_canonical_user_principal(canonical_user_id)
  Jsii::Type.check_type(canonical_user_id, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "canonicalUserId")
  jsii_call_method("addCanonicalUserPrincipal", [canonical_user_id])
end

#add_condition(key, value) ⇒ void

This method returns an undefined value.

Add a condition to the Policy.

If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:

stmt = nil # AWSCDK::IAM::PolicyStatement


stmt.add_condition("StringEquals", {"aws:SomeField" => "1"})
stmt.add_condition("StringEquals", {"aws:SomeField" => "2"})

Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.

If you meant to add a condition to say that the field can be either 1 or 2, write this:

stmt = nil # AWSCDK::IAM::PolicyStatement


stmt.add_condition("StringEquals", {"aws:SomeField" => ["1", "2"]})

Parameters:

  • key (String)
  • value (Object)


275
276
277
278
279
# File 'iam/policy_statement.rb', line 275

def add_condition(key, value)
  Jsii::Type.check_type(key, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "key")
  Jsii::Type.check_type(value, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "value")
  jsii_call_method("addCondition", [key, value])
end

#add_conditions(conditions) ⇒ void

This method returns an undefined value.

Add multiple conditions to the Policy.

See the add_condition function for a caveat on calling this method multiple times.

Parameters:

  • conditions (Hash{String => Object})


287
288
289
290
# File 'iam/policy_statement.rb', line 287

def add_conditions(conditions)
  Jsii::Type.check_type(conditions, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6ImFueSJ9LCJraW5kIjoibWFwIn19")), "conditions")
  jsii_call_method("addConditions", [conditions])
end

#add_federated_principal(federated, conditions) ⇒ void

This method returns an undefined value.

Adds a federated identity provider such as Amazon Cognito to this policy statement.

Parameters:

  • federated (Object)

    federated identity provider (i.e. 'cognito-identity.amazonaws.com').

  • conditions (Hash{String => Object})

    The conditions under which the policy is in effect.



297
298
299
300
301
# File 'iam/policy_statement.rb', line 297

def add_federated_principal(federated, conditions)
  Jsii::Type.check_type(federated, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "federated")
  Jsii::Type.check_type(conditions, JSON.parse(Base64.strict_decode64("eyJjb2xsZWN0aW9uIjp7ImVsZW1lbnR0eXBlIjp7InByaW1pdGl2ZSI6ImFueSJ9LCJraW5kIjoibWFwIn19")), "conditions")
  jsii_call_method("addFederatedPrincipal", [federated, conditions])
end

#add_not_actions(*not_actions) ⇒ void

This method returns an undefined value.

Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document.

Parameters:

  • not_actions (Array<String>)

    actions that will be denied.

See Also:



308
309
310
311
312
313
# File 'iam/policy_statement.rb', line 308

def add_not_actions(*not_actions)
  not_actions.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "notActions[#{index}]")
  end
  jsii_call_method("addNotActions", [*not_actions])
end

#add_not_principals(*not_principals) ⇒ void

This method returns an undefined value.

Specify principals that is not allowed or denied access to the "NotPrincipal" section of a policy statement.

Parameters:

See Also:



320
321
322
323
324
325
# File 'iam/policy_statement.rb', line 320

def add_not_principals(*not_principals)
  not_principals.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklQcmluY2lwYWwifQ==")), "notPrincipals[#{index}]")
  end
  jsii_call_method("addNotPrincipals", [*not_principals])
end

#add_not_resources(*arns) ⇒ void

This method returns an undefined value.

Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.

All resources except the specified list will be matched.

Parameters:

  • arns (Array<String>)

    Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.

See Also:



334
335
336
337
338
339
# File 'iam/policy_statement.rb', line 334

def add_not_resources(*arns)
  arns.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "arns[#{index}]")
  end
  jsii_call_method("addNotResources", [*arns])
end

#add_principals(*principals) ⇒ void

This method returns an undefined value.

Adds principals to the "Principal" section of a policy statement.

Parameters:

See Also:



346
347
348
349
350
351
# File 'iam/policy_statement.rb', line 346

def add_principals(*principals)
  principals.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklQcmluY2lwYWwifQ==")), "principals[#{index}]")
  end
  jsii_call_method("addPrincipals", [*principals])
end

#add_resources(*arns) ⇒ void

This method returns an undefined value.

Specify resources that this policy statement applies into the "Resource" section of this policy statement.

Parameters:

  • arns (Array<String>)

    Amazon Resource Names (ARNs) of the resources that this policy statement applies to.

See Also:



358
359
360
361
362
363
# File 'iam/policy_statement.rb', line 358

def add_resources(*arns)
  arns.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "arns[#{index}]")
  end
  jsii_call_method("addResources", [*arns])
end

#add_service_principal(service, opts = nil) ⇒ void

This method returns an undefined value.

Adds a service principal to this policy statement.

Parameters:

  • service (String)

    the service name for which a service principal is requested (e.g: s3.amazonaws.com).

  • opts (AWSCDK::IAM::ServicePrincipalOpts, nil) (defaults to: nil)

    options for adding the service principal (such as specifying a principal in a different region).



370
371
372
373
374
375
# File 'iam/policy_statement.rb', line 370

def add_service_principal(service, opts = nil)
  Jsii::Type.check_type(service, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "service")
  opts = opts.is_a?(Hash) ? ::AWSCDK::IAM::ServicePrincipalOpts.new(**opts.transform_keys(&:to_sym)) : opts
  Jsii::Type.check_type(opts, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLlNlcnZpY2VQcmluY2lwYWxPcHRzIn0=")), "opts") unless opts.nil?
  jsii_call_method("addServicePrincipal", [service, opts])
end

#add_source_account_condition(account_id) ⇒ void

This method returns an undefined value.

Add an StringEquals condition that limits to a given account from aws:SourceAccount.

This method can only be called once: subsequent calls will overwrite earlier calls.



384
385
386
387
# File 'iam/policy_statement.rb', line 384

def ()
  Jsii::Type.check_type(, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "accountId")
  jsii_call_method("addSourceAccountCondition", [])
end

#add_source_arn_condition(arn) ⇒ void

This method returns an undefined value.

Add an ArnEquals condition that limits to a given resource arn from aws:SourceArn.

This method can only be called once: subsequent calls will overwrite earlier calls.



396
397
398
399
# File 'iam/policy_statement.rb', line 396

def add_source_arn_condition(arn)
  Jsii::Type.check_type(arn, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "arn")
  jsii_call_method("addSourceArnCondition", [arn])
end

#conditionsObject

The conditions added to this statement.

Returns:

  • (Object)


87
88
89
# File 'iam/policy_statement.rb', line 87

def conditions()
  jsii_get_property("conditions")
end

#copy(overrides = nil) ⇒ AWSCDK::IAM::PolicyStatement

Create a new PolicyStatement with the same exact properties as this one, except for the overrides.

Parameters:

Returns:

  • (AWSCDK::IAM::PolicyStatement)


405
406
407
408
409
# File 'iam/policy_statement.rb', line 405

def copy(overrides = nil)
  overrides = overrides.is_a?(Hash) ? ::AWSCDK::IAM::PolicyStatementProps.new(**overrides.transform_keys(&:to_sym)) : overrides
  Jsii::Type.check_type(overrides, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLlBvbGljeVN0YXRlbWVudFByb3BzIn0=")), "overrides") unless overrides.nil?
  jsii_call_method("copy", [overrides])
end

#effectAWSCDK::IAM::Effect

Whether to allow or deny the actions in this statement Set effect for this statement.

Returns:



152
153
154
# File 'iam/policy_statement.rb', line 152

def effect()
  jsii_get_property("effect")
end

#effect=(value) ⇒ Object



156
157
158
159
# File 'iam/policy_statement.rb', line 156

def effect=(value)
  Jsii::Type.check_type(value, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLkVmZmVjdCJ9")), "effect")
  jsii_set_property("effect", value)
end

#freezeAWSCDK::IAM::PolicyStatement

Make the PolicyStatement immutable.

After calling this, any of the add_xxx() methods will throw an exception.

Libraries that lazily generate statement bodies can override this method to fill the actual PolicyStatement fields. Be aware that this method may be called multiple times.

Returns:

  • (AWSCDK::IAM::PolicyStatement)


420
421
422
# File 'iam/policy_statement.rb', line 420

def freeze()
  jsii_call_method("freeze", [])
end

#frozenBoolean

Whether the PolicyStatement has been frozen.

The statement object is frozen when freeze() is called.

Returns:

  • (Boolean)


96
97
98
# File 'iam/policy_statement.rb', line 96

def frozen()
  jsii_get_property("frozen")
end

#has_principalBoolean

Indicates if this permission has a "Principal" section.

Returns:

  • (Boolean)


103
104
105
# File 'iam/policy_statement.rb', line 103

def has_principal()
  jsii_get_property("hasPrincipal")
end

#has_resourceBoolean

Indicates if this permission has at least one resource associated with it.

Returns:

  • (Boolean)


110
111
112
# File 'iam/policy_statement.rb', line 110

def has_resource()
  jsii_get_property("hasResource")
end

#not_actionsArray<String>

The NotActions added to this statement.

Returns:

  • (Array<String>)


117
118
119
# File 'iam/policy_statement.rb', line 117

def not_actions()
  jsii_get_property("notActions")
end

#not_principalsArray<AWSCDK::IAM::IPrincipal>

The NotPrincipals added to this statement.

Returns:



124
125
126
# File 'iam/policy_statement.rb', line 124

def not_principals()
  jsii_get_property("notPrincipals")
end

#not_resourcesArray<String>

The NotResources added to this statement.

Returns:

  • (Array<String>)


131
132
133
# File 'iam/policy_statement.rb', line 131

def not_resources()
  jsii_get_property("notResources")
end

#principalsArray<AWSCDK::IAM::IPrincipal>

The Principals added to this statement.

Returns:



138
139
140
# File 'iam/policy_statement.rb', line 138

def principals()
  jsii_get_property("principals")
end

#resourcesArray<String>

The Resources added to this statement.

Returns:

  • (Array<String>)


145
146
147
# File 'iam/policy_statement.rb', line 145

def resources()
  jsii_get_property("resources")
end

#sidString?

Statement ID for this statement Set Statement ID for this statement.

Returns:

  • (String, nil)


164
165
166
# File 'iam/policy_statement.rb', line 164

def sid()
  jsii_get_property("sid")
end

#sid=(value) ⇒ Object



168
169
170
171
# File 'iam/policy_statement.rb', line 168

def sid=(value)
  Jsii::Type.check_type(value, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "sid") unless value.nil?
  jsii_set_property("sid", value)
end

#to_jsonObject

JSON-ify the statement.

Used when JSON.stringify() is called

Returns:

  • (Object)


429
430
431
# File 'iam/policy_statement.rb', line 429

def to_json()
  jsii_call_method("toJSON", [])
end

#to_statement_jsonObject

JSON-ify the policy statement.

Used when JSON.stringify() is called

Returns:

  • (Object)


438
439
440
# File 'iam/policy_statement.rb', line 438

def to_statement_json()
  jsii_call_method("toStatementJson", [])
end

#to_stringString

String representation of this policy statement.

Returns:

  • (String)


445
446
447
# File 'iam/policy_statement.rb', line 445

def to_string()
  jsii_call_method("toString", [])
end

#validate_for_any_policyArray<String>

Validate that the policy statement satisfies base requirements for a policy.

Returns:

  • (Array<String>)

    An array of validation error messages, or an empty array if the statement is valid.



452
453
454
# File 'iam/policy_statement.rb', line 452

def validate_for_any_policy()
  jsii_call_method("validateForAnyPolicy", [])
end

#validate_for_identity_policyArray<String>

Validate that the policy statement satisfies all requirements for an identity-based policy.

Returns:

  • (Array<String>)

    An array of validation error messages, or an empty array if the statement is valid.



459
460
461
# File 'iam/policy_statement.rb', line 459

def validate_for_identity_policy()
  jsii_call_method("validateForIdentityPolicy", [])
end

#validate_for_resource_policyArray<String>

Validate that the policy statement satisfies all requirements for a resource-based policy.

Returns:

  • (Array<String>)

    An array of validation error messages, or an empty array if the statement is valid.



466
467
468
# File 'iam/policy_statement.rb', line 466

def validate_for_resource_policy()
  jsii_call_method("validateForResourcePolicy", [])
end