Creates an AWS::IAM::Policy to grant s3:GetObject permission to the account's distribution bucket. The permission is tightly scoped to the path to the app (bucket/stack/stage/app/*) and will look something like:

Type: AWS::IAM::Policy
Properties:
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Action: s3:GetObject
        Effect: Allow
        Resource:
          Fn::Join:
            - ""
            - - 'arn:aws:s3:::'
              - Ref: DistributionBucketName
              - Ref: Stage
              - /APP/*
  PolicyName: GetDistributablePolicyTestingF9D43A3E

If necessary, an AWS::SSM::Parameter<String> parameter will be added to the template, with a default value of /account/services/artifact.bucket, which is the recommended Parameter Store location.
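The scoping described above can be verified on a synthesized template before deployment. The following is an added example, not code from this library: it resolves the Ref and Fn::Join intrinsics of a statement and reports any s3:GetObject grant that reaches outside the app prefix. The function names, parameter values and the STACK/APP literals are constructed for illustration.

```typescript
// Added example; every name here is hypothetical and none of it is the library's API.
type Intrinsic = string | { Ref: string } | { "Fn::Join": [string, Intrinsic[]] };
interface Statement { Action: string | string[]; Effect: string; Resource: Intrinsic | Intrinsic[]; }

// Resolve the two intrinsics the policy uses (Ref and Fn::Join) against parameter values.
function resolve(value: Intrinsic, params: Record<string, string>): string {
  if (typeof value === "string") return value;
  if ("Ref" in value) {
    const v = params[value.Ref];
    if (v === undefined) throw new Error(`unresolved Ref: ${value.Ref}`);
    return v;
  }
  const [sep, parts] = value["Fn::Join"];
  return parts.map((p) => resolve(p, params)).join(sep);
}

// IAM action patterns allow * and ? wildcards, so "s3:Get*" or "*" also grant s3:GetObject.
function grantsGetObject(pattern: string): boolean {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`, "i").test("s3:GetObject");
}

// Return every resolved ARN that allows s3:GetObject outside expectedPrefix.
function overbroadGetObject(statements: Statement[], params: Record<string, string>, expectedPrefix: string): string[] {
  const findings: string[] = [];
  for (const s of statements) {
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    if (s.Effect !== "Allow" || !actions.some(grantsGetObject)) continue;
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    for (const r of resources) {
      const arn = resolve(r, params);
      if (!arn.startsWith(expectedPrefix)) findings.push(arn);
    }
  }
  return findings;
}

// Constructed sample: one statement scoped to bucket/stack/stage/app/*, one bucket-wide.
const sampleParams = { DistributionBucketName: "example-dist-bucket", Stage: "PROD" };
const scoped: Statement = { Action: "s3:GetObject", Effect: "Allow",
  Resource: { "Fn::Join": ["", ["arn:aws:s3:::", { Ref: "DistributionBucketName" }, "/STACK/", { Ref: "Stage" }, "/APP/*"]] } };
const wide: Statement = { Action: "s3:Get*", Effect: "Allow",
  Resource: { "Fn::Join": ["", ["arn:aws:s3:::", { Ref: "DistributionBucketName" }, "/*"]] } };
const samplePrefix = "arn:aws:s3:::example-dist-bucket/STACK/PROD/APP/";
console.log(overbroadGetObject([scoped, wide], sampleParams, samplePrefix));
```

Only the bucket-wide statement is reported; a Ref with no supplied value raises an error rather than being skipped.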






document: PolicyDocument

The policy document.

env: ResourceEnvironment
grantPrincipal: IPrincipal
idWithApp: string

The ID of the construct with the App suffix. This should be used in place of id when trying to reference the construct.

node: Node

The tree node.

physicalName: string

Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.

This value will resolve to one of the following:

  • a concrete value (e.g. "my-awesome-bucket")
  • undefined, when a name should be generated by CloudFormation
  • a concrete name generated automatically during synthesis, in cross-environment scenarios.
stack: Stack


  • get isAttached(): any
  • Whether the policy resource has been attached to any identity

    Returns any

  • get policyName(): string
  • The name of this policy.

    Returns string



  • Internal

    Called when this resource is referenced across environments (account/region) in order to request that a physical name be generated for this resource during synthesis, so the resource can be referenced through its absolute name/ARN.

    Returns void

  • Adds a statement to the policy document.


    • Rest ...statement: PolicyStatement[]

    Returns void

  • Apply the given removal policy to this resource

    The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

    The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


    • policy: RemovalPolicy

    Returns void

  • Attaches this policy to a group.


    • group: IGroup

    Returns void

  • Attaches this policy to a role.


    • role: IRole

    Returns void

  • Attaches this policy to a user.


    • user: IUser

    Returns void

  • Returns string

  • Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. bucket.bucketArn).

    Normally, this token will resolve to arnAttr, but if the resource is referenced across environments, arnComponents will be used to synthesize a concrete ARN with the resource's physical name. Make sure to reference this.physicalName in arnComponents.


    • arnAttr: string

      The CFN attribute which resolves to the ARN of the resource. Commonly it will be called "Arn" (e.g. resource.attrArn), but sometimes it's the CFN resource's ref.

    • arnComponents: ArnComponents

      The format of the ARN of this resource. You must reference this.physicalName somewhere within the ARN in order for cross-environment references to work.

    Returns string

  • Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. bucket.bucketName).

    Normally, this token will resolve to nameAttr, but if the resource is referenced across environments, it will be resolved to this.physicalName, which will be a concrete name.


    • nameAttr: string

      The CFN attribute which resolves to the resource's name. Commonly this is the resource's ref.

    Returns string

  • Returns a string representation of an object.

    Returns string

  • Import a policy in this app based on its name


    • scope: Construct
    • id: string
    • policyName: string

    Returns IPolicy

  • Checks if x is a construct.

    Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

    Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid instanceof and use this type-testing method instead.


    • x: any

      Any object

    Returns x is Construct

    true if x is an object created from a class which extends Construct.

  • Returns true if the construct was created by CDK, and false otherwise


    • construct: IConstruct

    Returns boolean

  • Check whether the given construct is a Resource


    • construct: IConstruct

    Returns construct is Resource