@guardian/cdk
    Preparing search index...

    Class GuGithubActionsRole

    A construct to create an IAM role for GitHub Actions to assume via AssumeRoleWithWebIdentity.

    An Output will be added to the stack with the Role's ARN for use with https://github.com/aws-actions/configure-aws-credentials.

    See:

    Hierarchy (View Summary)

    Index

    Constructors

    constructor

    Properties

    assumeRoleAction assumeRolePolicy? env grantPrincipal node permissionsBoundary? physicalName policyFragment principalAccount roleArn roleName stack PROPERTY_INJECTION_ID

    Accessors

    roleId roleRef

    Methods

    _enableCrossEnvironment addManagedPolicy addToPolicy addToPrincipalPolicy applyRemovalPolicy attachInlinePolicy generatePhysicalName getResourceArnAttribute getResourceNameAttribute grant grantAssumeRole grantPassRole toString withoutPolicyUpdates customizeRoles fromLookup fromRoleArn fromRoleName isConstruct isOwnedResource isResource isRole

    Constructors

    Properties

    assumeRoleAction: string

    When this Principal is used in an AssumeRole policy, the action to use.

    assumeRolePolicy?: PolicyDocument

    The assume role policy document associated with this role.

    env: ResourceEnvironment

    The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

    grantPrincipal: IPrincipal

    The principal to grant permissions to

    node: Node

    The tree node.

    permissionsBoundary?: IManagedPolicy

    Returns the permissions boundary attached to this role

    physicalName: string

    Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.

    This value will resolve to one of the following:

    • a concrete value (e.g. "my-awesome-bucket")
    • undefined, when a name should be generated by CloudFormation
    • a concrete name generated automatically during synthesis, in cross-environment scenarios.
    policyFragment: PrincipalPolicyFragment

    Returns the role.

    principalAccount: undefined | string

    The AWS account ID of this principal. Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.

    roleArn: string

    Returns the ARN of this role.

    roleName: string

    Returns the name of the role.

    stack: Stack

    The stack in which this resource is defined.

    PROPERTY_INJECTION_ID: string

    Uniquely identifies this class.

    Accessors

    • get roleId(): string

      Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q.

      Returns string

    • get roleRef(): RoleReference

      A reference to a Role resource.

      Returns RoleReference

    Methods

    _enableCrossEnvironment

    • _enableCrossEnvironment(): void
      Internal

      Called when this resource is referenced across environments (account/region) to order to request that a physical name will be generated for this resource during synthesis, so the resource can be referenced through its absolute name/arn.

      Returns void

    • Attaches a managed policy to this role.

      Parameters

      • policy: IManagedPolicy

        The the managed policy to attach.

      Returns void

    • Parameters

      • statement: PolicyStatement

      Returns boolean

    • Adds a permission to the role's default policy document. If there is no default policy attached to this role, it will be created.

      Parameters

      • statement: PolicyStatement

        The permission statement to add to the policy document

      Returns AddToPrincipalPolicyResult

    • Skip applyRemovalPolicy if role synthesis is prevented by customizeRoles. Because in this case, this construct does not have a CfnResource in the tree.

      Parameters

      • policy: RemovalPolicy

        RemovalPolicy

      Returns void

    • Attaches a policy to this role.

      Parameters

      • policy: Policy

        The policy to attach

      Returns void

    • Returns string

    • Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. bucket.bucketArn).

      Normally, this token will resolve to arnAttr, but if the resource is referenced across environments, arnComponents will be used to synthesize a concrete ARN with the resource's physical name. Make sure to reference this.physicalName in arnComponents.

      Parameters

      • arnAttr: string

        The CFN attribute which resolves to the ARN of the resource. Commonly it will be called "Arn" (e.g. resource.attrArn), but sometimes it's the CFN resource's ref.

      • arnComponents: ArnComponents

        The format of the ARN of this resource. You must reference this.physicalName somewhere within the ARN in order for cross-environment references to work.

      Returns string

    • Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. bucket.bucketName).

      Normally, this token will resolve to nameAttr, but if the resource is referenced across environments, it will be resolved to this.physicalName, which will be a concrete name.

      Parameters

      • nameAttr: string

        The CFN attribute which resolves to the resource's name. Commonly this is the resource's ref.

      Returns string

    • Grant the actions defined in actions to the identity Principal on this resource.

      Parameters

      • grantee: IPrincipal
      • ...actions: string[]

      Returns Grant

    • Grant permissions to the given principal to assume this role.

      Parameters

      • identity: IPrincipal

      Returns Grant

    • Grant permissions to the given principal to pass this role.

      Parameters

      • identity: IPrincipal

      Returns Grant

    • Returns a string representation of this construct.

      Returns string

    • Return a copy of this Role object whose Policies will not be updated

      Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.

      If you do, you are responsible for adding the correct statements to the Role's policies yourself.

      Parameters

      • Optionaloptions: WithoutPolicyUpdatesOptions

      Returns IRole

    • Customize the creation of IAM roles within the given scope

      It is recommended that you do not use this method and instead allow CDK to manage role creation. This should only be used in environments where CDK applications are not allowed to created IAM roles.

      This can be used to prevent the CDK application from creating roles within the given scope and instead replace the references to the roles with precreated role names. A report will be synthesized in the cloud assembly (i.e. cdk.out) that will contain the list of IAM roles that would have been created along with the IAM policy statements that the role should contain. This report can then be used to create the IAM roles outside of CDK and then the created role names can be provided in usePrecreatedRoles.

      Parameters

      • scope: Construct

        construct scope to customize role creation

      • Optionaloptions: CustomizeRolesOptions

        options for configuring role creation

      Returns void

      declare const app: App;
      iam.Role.customizeRoles(app, {
        usePrecreatedRoles: {
          'ConstructPath/To/Role': 'my-precreated-role-name',
        },
      });

    • Lookup an existing Role.

      Parameters

      • scope: Construct
      • id: string
      • options: RoleLookupOptions

      Returns IRole

    • Import an external role by ARN.

      If the imported Role ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) and the referenced role has a path (like arn:...:role/AdminRoles/Alice), the roleName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the path in order to resolve the correct role resource.

      Parameters

      • scope: Construct

        construct scope

      • id: string

        construct id

      • roleArn: string

        the ARN of the role to import

      • Optionaloptions: FromRoleArnOptions

        allow customizing the behavior of the returned role

      Returns IRole

    • Import an external role by name.

      The imported role is assumed to exist in the same account as the account the scope's containing Stack is being deployed to.

      Parameters

      • scope: Construct

        construct scope

      • id: string

        construct id

      • roleName: string

        the name of the role to import

      • Optionaloptions: FromRoleNameOptions

        allow customizing the behavior of the returned role

      Returns IRole

    • Checks if x is a construct.

      Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

      Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

      Parameters

      • x: any

        Any object

      Returns x is Construct

      true if x is an object created from a class which extends Construct.

    • Returns true if the construct was created by CDK, and false otherwise

      Parameters

      • construct: IConstruct

      Returns boolean

    • Check whether the given construct is a Resource

      Parameters

      • construct: IConstruct

      Returns construct is Resource

    • Return whether the given object is a Role

      Parameters

      • x: any

      Returns x is Role

    Settings

    Member Visibility

    On This Page

    Constructors
    Properties
    Accessors
    Methods