Class: AWSCDK::Lambda::Permission

Inherits:
Jsii::Struct
  • Object
show all
Defined in:
lambda/permission.rb

Overview

Represents a permission statement that can be added to a Lambda function's resource policy via the addPermission() method.

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(principal:, action: nil, event_source_token: nil, function_url_auth_type: nil, invoked_via_function_url: nil, organization_id: nil, scope: nil, source_account: nil, source_arn: nil) ⇒ Permission

Returns a new instance of Permission.

Parameters:

  • principal (AWSCDK::IAM::IPrincipal)

    The entity for which you are granting permission to invoke the Lambda function.

  • action (String, nil) (defaults to: nil)

    The Lambda actions that you want to allow in this statement.

  • event_source_token (String, nil) (defaults to: nil)

    A unique token that must be supplied by the principal invoking the function.

  • function_url_auth_type (AWSCDK::Lambda::FunctionURLAuthType, nil) (defaults to: nil)

    The authType for the function URL that you are granting permissions for.

  • invoked_via_function_url (Boolean, nil) (defaults to: nil)

    The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only.

  • organization_id (String, nil) (defaults to: nil)

    The organization you want to grant permissions to.

  • scope (Constructs::Construct, nil) (defaults to: nil)

    The scope to which the permission constructs be attached.

  • source_account (String, nil) (defaults to: nil)

    The AWS account ID (without hyphens) of the source owner.

  • source_arn (String, nil) (defaults to: nil)

    The ARN of a resource that is invoking your function.



16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# File 'lambda/permission.rb', line 16

def initialize(principal:, action: nil, event_source_token: nil, function_url_auth_type: nil, invoked_via_function_url: nil, organization_id: nil, scope: nil, source_account: nil, source_arn: nil)
  @principal = principal
  Jsii::Type.check_type(@principal, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfaWFtLklQcmluY2lwYWwifQ==")), "principal")
  @action = action
  Jsii::Type.check_type(@action, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "action") unless @action.nil?
  @event_source_token = event_source_token
  Jsii::Type.check_type(@event_source_token, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "eventSourceToken") unless @event_source_token.nil?
  @function_url_auth_type = function_url_auth_type
  Jsii::Type.check_type(@function_url_auth_type, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJhd3MtY2RrLWxpYi5hd3NfbGFtYmRhLkZ1bmN0aW9uVXJsQXV0aFR5cGUifQ==")), "functionUrlAuthType") unless @function_url_auth_type.nil?
  @invoked_via_function_url = invoked_via_function_url
  Jsii::Type.check_type(@invoked_via_function_url, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJib29sZWFuIn0=")), "invokedViaFunctionUrl") unless @invoked_via_function_url.nil?
  @organization_id = organization_id
  Jsii::Type.check_type(@organization_id, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "organizationId") unless @organization_id.nil?
  @scope = scope
  Jsii::Type.check_type(@scope, JSON.parse(Base64.strict_decode64("eyJmcW4iOiJjb25zdHJ1Y3RzLkNvbnN0cnVjdCJ9")), "scope") unless @scope.nil?
  @source_account = 
  Jsii::Type.check_type(@source_account, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "sourceAccount") unless @source_account.nil?
  @source_arn = source_arn
  Jsii::Type.check_type(@source_arn, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "sourceArn") unless @source_arn.nil?
end

Instance Attribute Details

#actionString? (readonly)

Note:

Default: 'lambda:InvokeFunction'

The Lambda actions that you want to allow in this statement.

For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (lambda:*) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide.

Returns:

  • (String, nil)


62
63
64
# File 'lambda/permission.rb', line 62

def action
  @action
end

#event_source_tokenString? (readonly)

Note:

Default: - The caller would not need to present a token.

A unique token that must be supplied by the principal invoking the function.

Returns:

  • (String, nil)


67
68
69
# File 'lambda/permission.rb', line 67

def event_source_token
  @event_source_token
end

#function_url_auth_typeAWSCDK::Lambda::FunctionURLAuthType? (readonly)

Note:

Default: - No functionUrlAuthType

The authType for the function URL that you are granting permissions for.



72
73
74
# File 'lambda/permission.rb', line 72

def function_url_auth_type
  @function_url_auth_type
end

#invoked_via_function_urlBoolean? (readonly)

Note:

Default: - false

The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only.

When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs.

Returns:

  • (Boolean, nil)


79
80
81
# File 'lambda/permission.rb', line 79

def invoked_via_function_url
  @invoked_via_function_url
end

#organization_idString? (readonly)

Note:

Default: - No organizationId

The organization you want to grant permissions to.

Use this ONLY if you need to grant permissions to a subset of the organization. If you want to grant permissions to the entire organization, sending the organization principal through the principal property will suffice.

You can use this property to ensure that all source principals are owned by a specific organization.

Returns:

  • (String, nil)


92
93
94
# File 'lambda/permission.rb', line 92

def organization_id
  @organization_id
end

#principalAWSCDK::IAM::IPrincipal (readonly)

The entity for which you are granting permission to invoke the Lambda function.

This entity can be any of the following:

  • a valid AWS service principal, such as s3.amazonaws.com or sns.amazonaws.com
  • an AWS account ID for cross-account permissions. For example, you might want to allow a custom application in another AWS account to push events to Lambda by invoking your function.
  • an AWS organization principal to grant permissions to an entire organization.

The principal can be an AccountPrincipal, an ArnPrincipal, a ServicePrincipal, or an OrganizationPrincipal.



51
52
53
# File 'lambda/permission.rb', line 51

def principal
  @principal
end

#scopeConstructs::Construct? (readonly)

Note:

Default: - The instance of lambda.IFunction

The scope to which the permission constructs be attached.

The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller).

Returns:

  • (Constructs::Construct, nil)


102
103
104
# File 'lambda/permission.rb', line 102

def scope
  @scope
end

#source_accountString? (readonly)

The AWS account ID (without hyphens) of the source owner.

For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.

Returns:

  • (String, nil)


111
112
113
# File 'lambda/permission.rb', line 111

def 
  @source_account
end

#source_arnString? (readonly)

The ARN of a resource that is invoking your function.

When granting Amazon Simple Storage Service (Amazon S3) permission to invoke your function, specify this property with the bucket ARN as its value. This ensures that events generated only from the specified bucket, not just any bucket from any AWS account that creates a mapping to your function, can invoke the function.

Returns:

  • (String, nil)


122
123
124
# File 'lambda/permission.rb', line 122

def source_arn
  @source_arn
end

Class Method Details

.jsii_propertiesObject



124
125
126
127
128
129
130
131
132
133
134
135
136
# File 'lambda/permission.rb', line 124

def self.jsii_properties
  {
    :principal => "principal",
    :action => "action",
    :event_source_token => "eventSourceToken",
    :function_url_auth_type => "functionUrlAuthType",
    :invoked_via_function_url => "invokedViaFunctionUrl",
    :organization_id => "organizationId",
    :scope => "scope",
    :source_account => "sourceAccount",
    :source_arn => "sourceArn",
  }
end

Instance Method Details

#to_jsiiObject



138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# File 'lambda/permission.rb', line 138

def to_jsii
  result = {}
  result.merge!({
    "principal" => @principal,
    "action" => @action,
    "eventSourceToken" => @event_source_token,
    "functionUrlAuthType" => @function_url_auth_type,
    "invokedViaFunctionUrl" => @invoked_via_function_url,
    "organizationId" => @organization_id,
    "scope" => @scope,
    "sourceAccount" => @source_account,
    "sourceArn" => @source_arn,
  })
  result.compact
end