Class: AWSCDK::PermissionsBoundary

Inherits:
Jsii::Object
  • Object
show all
Defined in:
permissions_boundary.rb

Overview

Apply a permissions boundary to all IAM Roles and Users within a specific scope.

A permissions boundary is typically applied at the Stage scope. This allows setting different permissions boundaries per Stage. For example, you may not apply a boundary to the Dev stage which deploys to a personal dev account, but you do apply the default boundary to the Prod stage.

It is possible to apply different permissions boundaries to different scopes within your app. In this case the most specifically applied one wins

Examples:

# no permissions boundary for dev stage
AWSCDK::Stage.new(app, "DevStage")

# default boundary for prod stage
prod_stage = AWSCDK::Stage.new(app, "ProdStage", {
    permissions_boundary: AWSCDK::PermissionsBoundary.from_name("prod-pb"),
})

# overriding the pb applied for this stack
AWSCDK::Stack.new(prod_stage, "ProdStack1", {
    permissions_boundary: AWSCDK::PermissionsBoundary.from_name("stack-pb"),
})

# will inherit the permissions boundary from the stage
AWSCDK::Stack.new(prod_stage, "ProdStack2")

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(*args) ⇒ PermissionsBoundary

Returns a new instance of PermissionsBoundary.

Raises:

  • (NoMethodError)


34
35
36
# File 'permissions_boundary.rb', line 34

def initialize(*args)
  raise NoMethodError, "aws-cdk-lib.PermissionsBoundary does not have a visible constructor; use the provided factory methods"
end

Class Method Details

.from_arn(arn) ⇒ AWSCDK::PermissionsBoundary

Apply a permissions boundary with the given ARN to all IAM Roles and Users created within a scope.

The arn can include placeholders for the partition, region, qualifier, and account These placeholders will be replaced with the actual values if available. This requires that the Stack has the environment specified, it does not work with environment agnostic stacks.

  • '$AWS::Partition'
  • '$AWS::Region'
  • '$AWS::AccountId'
  • '$Qualifier'

Examples:

AWSCDK::Stage.new(app, "ProdStage", {
    permissions_boundary: AWSCDK::PermissionsBoundary.from_arn("arn:aws:iam::${AWS::AccountId}:policy/my-custom-permissions-boundary"),
})

Parameters:

  • arn (String)

    the ARN of the permissions boundary policy.

Returns:

  • (AWSCDK::PermissionsBoundary)


61
62
63
64
# File 'permissions_boundary.rb', line 61

def self.from_arn(arn)
  Jsii::Type.check_type(arn, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "arn")
  Jsii::Kernel.instance.call_static("aws-cdk-lib.PermissionsBoundary", "fromArn", [arn])
end

.from_name(name) ⇒ AWSCDK::PermissionsBoundary

Apply a permissions boundary with the given name to all IAM Roles and Users created within a scope.

The name can include placeholders for the partition, region, qualifier, and account These placeholders will be replaced with the actual values if available. This requires that the Stack has the environment specified, it does not work with environment agnostic stacks.

  • '$AWS::Partition'
  • '$AWS::Region'
  • '$AWS::AccountId'
  • '$Qualifier'

Examples:

AWSCDK::Stage.new(app, "ProdStage", {
    permissions_boundary: AWSCDK::PermissionsBoundary.from_name("my-custom-permissions-boundary"),
})

Parameters:

  • name (String)

    the name of the permissions boundary policy.

Returns:

  • (AWSCDK::PermissionsBoundary)


84
85
86
87
# File 'permissions_boundary.rb', line 84

def self.from_name(name)
  Jsii::Type.check_type(name, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "name")
  Jsii::Kernel.instance.call_static("aws-cdk-lib.PermissionsBoundary", "fromName", [name])
end

.jsii_overridable_methodsObject



38
39
40
41
# File 'permissions_boundary.rb', line 38

def self.jsii_overridable_methods
  {
  }
end