Class: AWSCDK::IAM::Role

Inherits:
Resource
  • Object
show all
Includes:
IRole
Defined in:
iam/role.rb

Overview

IAM Role.

Defines an IAM role. The role is created with an assume policy document associated with the specified AWS service principal defined in service_assume_role.

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(scope, id, props) ⇒ Role

Returns a new instance of Role.

Parameters:



15
16
17
18
19
20
21
# File 'iam/role.rb', line 15

def initialize(scope, id, props)
  props = props.is_a?(Hash) ? ::AWSCDK::IAM::RoleProps.new(**props.transform_keys(&:to_sym)) : props
  Jsii::Type.check_type(scope, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJjb25zdHJ1Y3RzLkNvbnN0cnVjdCJ9")), "scope")
  Jsii::Type.check_type(id, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "id")
  Jsii::Type.check_type(props, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLlJvbGVQcm9wcyJ9")), "props")
  Jsii::Object.instance_method(:initialize).bind(self).call(scope, id, props)
end

Class Method Details

.customize_roles(scope, options = nil) ⇒ void

This method returns an undefined value.

Customize the creation of IAM roles within the given scope.

It is recommended that you do not use this method and instead allow CDK to manage role creation. This should only be used in environments where CDK applications are not allowed to created IAM roles.

This can be used to prevent the CDK application from creating roles within the given scope and instead replace the references to the roles with precreated role names. A report will be synthesized in the cloud assembly (i.e. cdk.out) that will contain the list of IAM roles that would have been created along with the IAM policy statements that the role should contain. This report can then be used to create the IAM roles outside of CDK and then the created role names can be provided in use_precreated_roles.

Examples:

app = nil # AWSCDK::App

AWSCDK::IAM::Role.customize_roles(app, {
    use_precreated_roles: {
        "ConstructPath/To/Role" => "my-precreated-role-name",
    },
})

Parameters:

  • scope (Constructs::Construct)

    construct scope to customize role creation.

  • options (AWSCDK::IAM::CustomizeRolesOptions, nil) (defaults to: nil)

    options for configuring role creation.



83
84
85
86
87
88
# File 'iam/role.rb', line 83

def self.customize_roles(scope, options = nil)
  Jsii::Type.check_type(scope, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJjb25zdHJ1Y3RzLkNvbnN0cnVjdCJ9")), "scope")
  options = options.is_a?(Hash) ? ::AWSCDK::IAM::CustomizeRolesOptions.new(**options.transform_keys(&:to_sym)) : options
  Jsii::Type.check_type(options, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLkN1c3RvbWl6ZVJvbGVzT3B0aW9ucyJ9")), "options") unless options.nil?
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_iam.Role", "customizeRoles", [scope, options])
end

.from_lookup(scope, id, options) ⇒ AWSCDK::IAM::IRole

Lookup an existing Role.

Parameters:

Returns:



96
97
98
99
100
101
102
# File 'iam/role.rb', line 96

def self.from_lookup(scope, id, options)
  Jsii::Type.check_type(scope, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJjb25zdHJ1Y3RzLkNvbnN0cnVjdCJ9")), "scope")
  Jsii::Type.check_type(id, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "id")
  options = options.is_a?(Hash) ? ::AWSCDK::IAM::RoleLookupOptions.new(**options.transform_keys(&:to_sym)) : options
  Jsii::Type.check_type(options, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLlJvbGVMb29rdXBPcHRpb25zIn0=")), "options")
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_iam.Role", "fromLookup", [scope, id, options])
end

.from_role_arn(scope, id, role_arn, options = nil) ⇒ AWSCDK::IAM::IRole

Import an external role by ARN.

If the imported Role ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) and the referenced role has a path (like arn:...:role/AdminRoles/Alice), the role_name property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the path in order to resolve the correct role resource.

Parameters:

  • scope (Constructs::Construct)

    construct scope.

  • id (String)

    construct id.

  • role_arn (String)

    the ARN of the role to import.

  • options (AWSCDK::IAM::FromRoleARNOptions, nil) (defaults to: nil)

    allow customizing the behavior of the returned role.

Returns:



120
121
122
123
124
125
126
127
# File 'iam/role.rb', line 120

def self.from_role_arn(scope, id, role_arn, options = nil)
  Jsii::Type.check_type(scope, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJjb25zdHJ1Y3RzLkNvbnN0cnVjdCJ9")), "scope")
  Jsii::Type.check_type(id, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "id")
  Jsii::Type.check_type(role_arn, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "roleArn")
  options = options.is_a?(Hash) ? ::AWSCDK::IAM::FromRoleARNOptions.new(**options.transform_keys(&:to_sym)) : options
  Jsii::Type.check_type(options, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLkZyb21Sb2xlQXJuT3B0aW9ucyJ9")), "options") unless options.nil?
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_iam.Role", "fromRoleArn", [scope, id, role_arn, options])
end

.from_role_name(scope, id, role_name, options = nil) ⇒ AWSCDK::IAM::IRole

Import an external role by name.

The imported role is assumed to exist in the same account as the account the scope's containing Stack is being deployed to.

Parameters:

  • scope (Constructs::Construct)

    construct scope.

  • id (String)

    construct id.

  • role_name (String)

    the name of the role to import.

  • options (AWSCDK::IAM::FromRoleNameOptions, nil) (defaults to: nil)

    allow customizing the behavior of the returned role.

Returns:



139
140
141
142
143
144
145
146
# File 'iam/role.rb', line 139

def self.from_role_name(scope, id, role_name, options = nil)
  Jsii::Type.check_type(scope, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJjb25zdHJ1Y3RzLkNvbnN0cnVjdCJ9")), "scope")
  Jsii::Type.check_type(id, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "id")
  Jsii::Type.check_type(role_name, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "roleName")
  options = options.is_a?(Hash) ? ::AWSCDK::IAM::FromRoleNameOptions.new(**options.transform_keys(&:to_sym)) : options
  Jsii::Type.check_type(options, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLkZyb21Sb2xlTmFtZU9wdGlvbnMifQ==")), "options") unless options.nil?
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_iam.Role", "fromRoleName", [scope, id, role_name, options])
end

.is_role(x) ⇒ Boolean

Return whether the given object is a Role.

Parameters:

  • x (Object)

Returns:

  • (Boolean)


152
153
154
155
# File 'iam/role.rb', line 152

def self.is_role(x)
  Jsii::Type.check_type(x, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJhbnkifQ==")), "x")
  Jsii::Kernel.instance.call_static("aws-cdk-lib.aws_iam.Role", "isRole", [x])
end

.jsii_overridable_methodsObject



23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
# File 'iam/role.rb', line 23

def self.jsii_overridable_methods
  {
    :node => { kind: :property, name: "node", is_optional: false },
    :env => { kind: :property, name: "env", is_optional: false },
    :physical_name => { kind: :property, name: "physicalName", is_optional: false },
    :stack => { kind: :property, name: "stack", is_optional: false },
    :assume_role_action => { kind: :property, name: "assumeRoleAction", is_optional: false },
    :grant_principal => { kind: :property, name: "grantPrincipal", is_optional: false },
    :grants => { kind: :property, name: "grants", is_optional: false },
    :policy_fragment => { kind: :property, name: "policyFragment", is_optional: false },
    :role_arn => { kind: :property, name: "roleArn", is_optional: false },
    :role_id => { kind: :property, name: "roleId", is_optional: false },
    :role_name => { kind: :property, name: "roleName", is_optional: false },
    :role_ref => { kind: :property, name: "roleRef", is_optional: false },
    :assume_role_policy => { kind: :property, name: "assumeRolePolicy", is_optional: true },
    :permissions_boundary => { kind: :property, name: "permissionsBoundary", is_optional: true },
    :principal_account => { kind: :property, name: "principalAccount", is_optional: true },
    :to_string => { kind: :method, name: "toString", is_optional: false },
    :with => { kind: :method, name: "with", is_optional: false },
    :apply_cross_stack_reference_strength => { kind: :method, name: "applyCrossStackReferenceStrength", is_optional: false },
    :apply_removal_policy => { kind: :method, name: "applyRemovalPolicy", is_optional: false },
    :generate_physical_name => { kind: :method, name: "generatePhysicalName", is_optional: false },
    :get_resource_arn_attribute => { kind: :method, name: "getResourceArnAttribute", is_optional: false },
    :get_resource_name_attribute => { kind: :method, name: "getResourceNameAttribute", is_optional: false },
    :add_managed_policy => { kind: :method, name: "addManagedPolicy", is_optional: false },
    :add_to_policy => { kind: :method, name: "addToPolicy", is_optional: false },
    :add_to_principal_policy => { kind: :method, name: "addToPrincipalPolicy", is_optional: false },
    :attach_inline_policy => { kind: :method, name: "attachInlinePolicy", is_optional: false },
    :grant => { kind: :method, name: "grant", is_optional: false },
    :grant_assume_role => { kind: :method, name: "grantAssumeRole", is_optional: false },
    :grant_pass_role => { kind: :method, name: "grantPassRole", is_optional: false },
    :without_policy_updates => { kind: :method, name: "withoutPolicyUpdates", is_optional: false },
  }
end

.PROPERTY_INJECTION_IDString

Uniquely identifies this class.

Returns:

  • (String)


203
204
205
# File 'iam/role.rb', line 203

def self.PROPERTY_INJECTION_ID()
  Jsii::Kernel.instance.get_static("aws-cdk-lib.aws_iam.Role", "PROPERTY_INJECTION_ID")
end

Instance Method Details

#add_managed_policy(policy) ⇒ void

This method returns an undefined value.

Attaches a managed policy to this role.

Parameters:



380
381
382
383
# File 'iam/role.rb', line 380

def add_managed_policy(policy)
  Jsii::Type.check_type(policy, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklNYW5hZ2VkUG9saWN5In0=")), "policy")
  jsii_call_method("addManagedPolicy", [policy])
end

#add_to_policy(statement) ⇒ Boolean

Add to the policy of this principal.

Parameters:

Returns:

  • (Boolean)


389
390
391
392
# File 'iam/role.rb', line 389

def add_to_policy(statement)
  Jsii::Type.check_type(statement, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLlBvbGljeVN0YXRlbWVudCJ9")), "statement")
  jsii_call_method("addToPolicy", [statement])
end

#add_to_principal_policy(statement) ⇒ AWSCDK::IAM::AddToPrincipalPolicyResult

Adds a permission to the role's default policy document.

If there is no default policy attached to this role, it will be created.

Parameters:

Returns:



400
401
402
403
# File 'iam/role.rb', line 400

def add_to_principal_policy(statement)
  Jsii::Type.check_type(statement, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLlBvbGljeVN0YXRlbWVudCJ9")), "statement")
  jsii_call_method("addToPrincipalPolicy", [statement])
end

#apply_cross_stack_reference_strength(strength) ⇒ void

This method returns an undefined value.

Override the cross-stack reference strength for this resource.

When set, any cross-stack reference to this resource will use the specified mechanism instead of the global default determined by the @aws-cdk/core:defaultCrossStackReferences context key. This is useful for selectively weakening specific references to avoid the "deadly embrace" problem without changing the app-wide default.

Parameters:



325
326
327
328
# File 'iam/role.rb', line 325

def apply_cross_stack_reference_strength(strength)
  Jsii::Type.check_type(strength, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5SZWZlcmVuY2VTdHJlbmd0aCJ9")), "strength")
  jsii_call_method("applyCrossStackReferenceStrength", [strength])
end

#apply_removal_policy(policy) ⇒ void

This method returns an undefined value.

Skip applyRemovalPolicy if role synthesis is prevented by customizeRoles.

Because in this case, this construct does not have a CfnResource in the tree.

Parameters:



336
337
338
339
# File 'iam/role.rb', line 336

def apply_removal_policy(policy)
  Jsii::Type.check_type(policy, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5SZW1vdmFsUG9saWN5In0=")), "policy")
  jsii_call_method("applyRemovalPolicy", [policy])
end

#assume_role_actionString

When this Principal is used in an AssumeRole policy, the action to use.

Returns:

  • (String)


210
211
212
# File 'iam/role.rb', line 210

def assume_role_action()
  jsii_get_property("assumeRoleAction")
end

#assume_role_policyAWSCDK::IAM::PolicyDocument?

The assume role policy document associated with this role.

Returns:



269
270
271
# File 'iam/role.rb', line 269

def assume_role_policy()
  jsii_get_property("assumeRolePolicy")
end

#attach_inline_policy(policy) ⇒ void

This method returns an undefined value.

Attaches a policy to this role.

Parameters:



409
410
411
412
# File 'iam/role.rb', line 409

def attach_inline_policy(policy)
  Jsii::Type.check_type(policy, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLlBvbGljeSJ9")), "policy")
  jsii_call_method("attachInlinePolicy", [policy])
end

#envAWSCDK::Interfaces::ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed in a Stack (those created by creating new class instances like new Role(), new Bucket(), etc.), this is always the same as the environment of the stack they belong to.

For referenced resources (those obtained from referencing methods like Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be different than the stack they were imported into.



175
176
177
# File 'iam/role.rb', line 175

def env()
  jsii_get_property("env")
end

#generate_physical_nameString

Returns:

  • (String)


342
343
344
# File 'iam/role.rb', line 342

def generate_physical_name()
  jsii_call_method("generatePhysicalName", [])
end

#get_resource_arn_attribute(arn_attr, arn_components) ⇒ String

Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. bucket.bucketArn).

Normally, this token will resolve to arn_attr, but if the resource is referenced across environments, arn_components will be used to synthesize a concrete ARN with the resource's physical name. Make sure to reference this.physicalName in arn_components.

Parameters:

  • arn_attr (String)

    The CFN attribute which resolves to the ARN of the resource.

  • arn_components (AWSCDK::ARNComponents)

    The format of the ARN of this resource.

Returns:

  • (String)


356
357
358
359
360
361
# File 'iam/role.rb', line 356

def get_resource_arn_attribute(arn_attr, arn_components)
  Jsii::Type.check_type(arn_attr, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "arnAttr")
  arn_components = arn_components.is_a?(Hash) ? ::AWSCDK::ARNComponents.new(**arn_components.transform_keys(&:to_sym)) : arn_components
  Jsii::Type.check_type(arn_components, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5Bcm5Db21wb25lbnRzIn0=")), "arnComponents")
  jsii_call_method("getResourceArnAttribute", [arn_attr, arn_components])
end

#get_resource_name_attribute(name_attr) ⇒ String

Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. bucket.bucketName).

Normally, this token will resolve to name_attr, but if the resource is referenced across environments, it will be resolved to this.physicalName, which will be a concrete name.

Parameters:

  • name_attr (String)

    The CFN attribute which resolves to the resource's name.

Returns:

  • (String)


371
372
373
374
# File 'iam/role.rb', line 371

def get_resource_name_attribute(name_attr)
  Jsii::Type.check_type(name_attr, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "nameAttr")
  jsii_call_method("getResourceNameAttribute", [name_attr])
end

#grant(grantee, *actions) ⇒ AWSCDK::IAM::Grant

Grant the actions defined in actions to the identity Principal on this resource.

Parameters:

Returns:



419
420
421
422
423
424
425
# File 'iam/role.rb', line 419

def grant(grantee, *actions)
  Jsii::Type.check_type(grantee, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklQcmluY2lwYWwifQ==")), "grantee")
  actions.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "actions[#{index}]")
  end
  jsii_call_method("grant", [grantee, *actions])
end

#grant_assume_role(identity) ⇒ AWSCDK::IAM::Grant

Grant permissions to the given principal to assume this role.

Parameters:

Returns:



431
432
433
434
# File 'iam/role.rb', line 431

def grant_assume_role(identity)
  Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklQcmluY2lwYWwifQ==")), "identity")
  jsii_call_method("grantAssumeRole", [identity])
end

#grant_pass_role(identity) ⇒ AWSCDK::IAM::Grant

Grant permissions to the given principal to pass this role.

Parameters:

Returns:



440
441
442
443
# File 'iam/role.rb', line 440

def grant_pass_role(identity)
  Jsii::Type.check_type(identity, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklQcmluY2lwYWwifQ==")), "identity")
  jsii_call_method("grantPassRole", [identity])
end

#grant_principalAWSCDK::IAM::IPrincipal

The principal to grant permissions to.



217
218
219
# File 'iam/role.rb', line 217

def grant_principal()
  jsii_get_property("grantPrincipal")
end

#grantsAWSCDK::IAM::RoleGrants

Collection of grant methods for a Role.



224
225
226
# File 'iam/role.rb', line 224

def grants()
  jsii_get_property("grants")
end

#nodeConstructs::Node

The tree node.

Returns:

  • (Constructs::Node)


160
161
162
# File 'iam/role.rb', line 160

def node()
  jsii_get_property("node")
end

#permissions_boundaryAWSCDK::IAM::IManagedPolicy?

Returns the permissions boundary attached to this role.

Returns:



276
277
278
# File 'iam/role.rb', line 276

def permissions_boundary()
  jsii_get_property("permissionsBoundary")
end

#physical_nameString

Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.

This value will resolve to one of the following:

  • a concrete value (e.g. "my-awesome-bucket")
  • undefined, when a name should be generated by CloudFormation
  • a concrete name generated automatically during synthesis, in cross-environment scenarios.

Returns:

  • (String)


189
190
191
# File 'iam/role.rb', line 189

def physical_name()
  jsii_get_property("physicalName")
end

#policy_fragmentAWSCDK::IAM::PrincipalPolicyFragment

Returns the role.



231
232
233
# File 'iam/role.rb', line 231

def policy_fragment()
  jsii_get_property("policyFragment")
end

#principal_accountString?

The AWS account ID of this principal.

Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.

Returns:

  • (String, nil)


288
289
290
# File 'iam/role.rb', line 288

def ()
  jsii_get_property("principalAccount")
end

#role_arnString

Returns the ARN of this role.

Returns:

  • (String)


238
239
240
# File 'iam/role.rb', line 238

def role_arn()
  jsii_get_property("roleArn")
end

#role_idString

Returns the stable and unique string identifying the role.

For example, AIDAJQABLZS4A3QDU576Q.

Returns:

  • (String)


248
249
250
# File 'iam/role.rb', line 248

def role_id()
  jsii_get_property("roleId")
end

#role_nameString

Returns the name of the role.

Returns:

  • (String)


255
256
257
# File 'iam/role.rb', line 255

def role_name()
  jsii_get_property("roleName")
end

#role_refAWSCDK::Interfaces::AWSIAM::RoleReference

A reference to a Role resource.



262
263
264
# File 'iam/role.rb', line 262

def role_ref()
  jsii_get_property("roleRef")
end

#stackAWSCDK::Stack

The stack in which this resource is defined.

Returns:



196
197
198
# File 'iam/role.rb', line 196

def stack()
  jsii_get_property("stack")
end

#to_stringString

Returns a string representation of this construct.

Returns:

  • (String)


295
296
297
# File 'iam/role.rb', line 295

def to_string()
  jsii_call_method("toString", [])
end

#with(*mixins) ⇒ Constructs::IConstruct

Applies one or more mixins to this construct.

Mixins are applied in order. The list of constructs is captured at the start of the call, so constructs added by a mixin will not be visited. Use multiple with() calls if subsequent mixins should apply to added constructs.

Parameters:

  • mixins (Array<Constructs::IMixin>)

Returns:

  • (Constructs::IConstruct)


308
309
310
311
312
313
# File 'iam/role.rb', line 308

def with(*mixins)
  mixins.each_with_index do |item, index|
    Jsii::Type.check_type(item, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJjb25zdHJ1Y3RzLklNaXhpbiJ9")), "mixins[#{index}]")
  end
  jsii_call_method("with", [*mixins])
end

#without_policy_updates(options = nil) ⇒ AWSCDK::IAM::IRole

Return a copy of this Role object whose Policies will not be updated.

Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.

If you do, you are responsible for adding the correct statements to the Role's policies yourself.

Parameters:

Returns:



455
456
457
458
459
# File 'iam/role.rb', line 455

def without_policy_updates(options = nil)
  options = options.is_a?(Hash) ? ::AWSCDK::IAM::WithoutPolicyUpdatesOptions.new(**options.transform_keys(&:to_sym)) : options
  Jsii::Type.check_type(options, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLldpdGhvdXRQb2xpY3lVcGRhdGVzT3B0aW9ucyJ9")), "options") unless options.nil?
  jsii_call_method("withoutPolicyUpdates", [options])
end