Hierarchy

  • PolicyStatement
    • GuGetDistributablePolicyStatement

Constructors

Accessors

  • get actions(): string[]
  • The Actions added to this statement

    Returns string[]

  • get conditions(): any
  • The conditions added to this statement

    Returns any

  • get effect(): Effect
  • Whether to allow or deny the actions in this statement

    Returns Effect

  • set effect(effect): void
  • Set effect for this statement

    Parameters

    • effect: Effect

    Returns void

  • get frozen(): boolean
  • Whether the PolicyStatement has been frozen

    The statement object is frozen when freeze() is called.

    Returns boolean

  • get hasPrincipal(): boolean
  • Indicates if this permission has a "Principal" section.

    Returns boolean

  • get hasResource(): boolean
  • Indicates if this permission has at least one resource associated with it.

    Returns boolean

  • get notActions(): string[]
  • The NotActions added to this statement

    Returns string[]

  • get notPrincipals(): IPrincipal[]
  • The NotPrincipals added to this statement

    Returns IPrincipal[]

  • get notResources(): string[]
  • The NotResources added to this statement

    Returns string[]

  • get principals(): IPrincipal[]
  • The Principals added to this statement

    Returns IPrincipal[]

  • get resources(): string[]
  • The Resources added to this statement

    Returns string[]

  • get sid(): undefined | string
  • Statement ID for this statement

    Returns undefined | string

  • set sid(sid): void
  • Set Statement ID for this statement

    Parameters

    • sid: undefined | string

    Returns void

Methods

  • Internal

    Estimate the size of this policy statement

    By necessity, this will not be accurate. We'll do our best to overestimate so we won't have nasty surprises.

    Parameters

    • options: EstimateSizeOptions

    Returns number

  • Add a StringEquals condition on sts:ExternalId that limits this statement to a given account.

    This method can only be called once: subsequent calls will overwrite earlier calls.

    Parameters

    • accountId: string

    Returns void

  • Adds an AWS account root user principal to this policy statement

    Returns void

  • Adds a "*" resource to this statement.

    Returns void

  • Adds all identities in all accounts ("*") to this policy statement

    Returns void

  • Specify a principal using the ARN identifier of the principal. You cannot specify IAM groups and instance profiles as principals.

    Parameters

    • arn: string

      ARN identifier of an AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name)

    Returns void

  • Add an AWS account ID as the principal entity in the "Principal" section of a policy statement.

    Parameters

    • accountId: string

    Returns void

  • Adds a canonical user ID principal to this policy document

    Parameters

    • canonicalUserId: string

      unique identifier assigned by AWS for every account

    Returns void

  • Add a condition to the Policy

    If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:

    declare const stmt: iam.PolicyStatement;

    stmt.addCondition('StringEquals', { 'aws:SomeField': '1' });
    stmt.addCondition('StringEquals', { 'aws:SomeField': '2' });

    Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.

    If you meant to add a condition to say that the field can be either 1 or 2, write this:

    declare const stmt: iam.PolicyStatement;

    stmt.addCondition('StringEquals', { 'aws:SomeField': ['1', '2'] });

    Parameters

    • key: string
    • value: unknown

    Returns void

  • Add multiple conditions to the Policy

    See the addCondition function for a caveat on calling this method multiple times.

    Parameters

    • conditions: Conditions

    Returns void
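
The overwrite caveat described for the two condition methods above, shown as an added example that is not part of the original documentation or the library's code: a stand-alone TypeScript model of the documented "last one wins" behaviour, plus a check that flags operator and field pairs whose earlier values were silently replaced. `ConditionCall`, `applyCalls` and `findOverwrites` are hypothetical names, and the input is constructed.

```typescript
// Added example (not CDK code); all names here are hypothetical.
type ConditionValue = string | string[];
type ConditionBlock = { [field: string]: ConditionValue };
interface ConditionCall { operator: string; fields: ConditionBlock }
interface Overwrite { operator: string; field: string; dropped: string[]; suggestion: string[] }
type Seen = { [operator: string]: { [field: string]: { effective: string[]; all: string[] } } };

const asList = (v: ConditionValue): string[] => (Array.isArray(v) ? v : [v]);
const union = (a: string[], b: string[]): string[] =>
  a.concat(b.filter((v) => a.indexOf(v) === -1));

// Conditions are keyed by operator, then field; a repeated operator+field
// pair replaces the earlier value ("only the last one wins").
function applyCalls(calls: ConditionCall[]): { [operator: string]: ConditionBlock } {
  const result: { [operator: string]: ConditionBlock } = {};
  for (const call of calls) {
    result[call.operator] = { ...(result[call.operator] || {}), ...call.fields };
  }
  return result;
}

// Flag each call that replaces values still in effect for the same
// operator+field, and suggest the array form that keeps every value.
function findOverwrites(calls: ConditionCall[]): Overwrite[] {
  const seen: Seen = {};
  const findings: Overwrite[] = [];
  for (const call of calls) {
    const perOperator = (seen[call.operator] = seen[call.operator] || {});
    for (const field of Object.keys(call.fields)) {
      const current = asList(call.fields[field]);
      const prev = perOperator[field] || { effective: [], all: [] };
      const all = union(prev.all, current);
      const dropped = prev.effective.filter((v) => current.indexOf(v) === -1);
      if (dropped.length > 0) {
        findings.push({ operator: call.operator, field, dropped, suggestion: all });
      }
      perOperator[field] = { effective: current, all };
    }
  }
  return findings;
}

// Constructed input: the two calls from the caveat, plus an unrelated field.
const sampleCalls: ConditionCall[] = [
  { operator: 'StringEquals', fields: { 'aws:SomeField': '1' } },
  { operator: 'StringEquals', fields: { 'aws:OtherField': 'x' } },
  { operator: 'StringEquals', fields: { 'aws:SomeField': '2' } },
];
console.log(JSON.stringify(applyCalls(sampleCalls)), JSON.stringify(findOverwrites(sampleCalls)));
```

A finding here means a constraint the author intended to keep is absent from the synthesized statement; the `suggestion` array is the value to pass in a single call.
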

  • Adds a federated identity provider such as Amazon Cognito to this policy statement.

    Parameters

    • federated: any

      federated identity provider (e.g. 'cognito-identity.amazonaws.com')

    • conditions: Conditions

      The conditions under which the policy is in effect. See the IAM documentation.

    Returns void

  • Explicitly allow all actions except the specified list of actions, which are added to the "NotAction" section of the policy document.

    Parameters

    • Rest ...notActions: string[]

      actions that will be denied. All other actions will be permitted.

    Returns void

  • Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement. All resources except the specified list will be matched.

    Parameters

    • Rest ...arns: string[]

      Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to

    Returns void

  • Specify resources that this policy statement applies to in the "Resource" section of this policy statement.

    Parameters

    • Rest ...arns: string[]

      Amazon Resource Names (ARNs) of the resources that this policy statement applies to

    Returns void

  • Adds a service principal to this policy statement.

    Parameters

    • service: string

      the service name for which a service principal is requested (e.g. s3.amazonaws.com).

    • Optional opts: ServicePrincipalOpts

      options for adding the service principal (such as specifying a principal in a different region)

    Returns void

  • Create a new PolicyStatement with exactly the same properties as this one, except for the overrides

    Parameters

    • Optional overrides: PolicyStatementProps

    Returns PolicyStatement

  • Make the PolicyStatement immutable

    After calling this, any of the addXxx() methods will throw an exception.

    Libraries that lazily generate statement bodies can override this method to fill the actual PolicyStatement fields. Be aware that this method may be called multiple times.

    Returns PolicyStatement

  • JSON-ify the statement

    Used when JSON.stringify() is called

    Returns any

  • JSON-ify the policy statement

    Used when JSON.stringify() is called

    Returns any

  • String representation of this policy statement

    Returns string

  • Validate that the policy statement satisfies base requirements for a policy.

    Returns string[]

    An array of validation error messages, or an empty array if the statement is valid.

  • Validate that the policy statement satisfies all requirements for an identity-based policy.

    Returns string[]

    An array of validation error messages, or an empty array if the statement is valid.

  • Validate that the policy statement satisfies all requirements for a resource-based policy.

    Returns string[]

    An array of validation error messages, or an empty array if the statement is valid.

  • Creates a new PolicyStatement based on the object provided. This will accept an object created from the .toJSON() call.

    Parameters

    • obj: any

      the PolicyStatement in object form.

    Returns PolicyStatement