Readonly
assumeWhen this Principal is used in an AssumeRole policy, the action to use.
Optional
Readonly
assumeThe assume role policy document associated with this role.
Readonly
envThe environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
Readonly
grantThe principal to grant permissions to
Readonly
idThe ID of the construct with the App suffix.
This should be used in place of id
when trying to reference the construct.
Readonly
nodeThe tree node.
Optional
Readonly
permissionsReturns the permissions boundary attached to this role
Protected
Readonly
physicalReturns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
This value will resolve to one of the following:
"my-awesome-bucket"
)undefined
, when a name should be generated by CloudFormationReadonly
policyReturns the role.
Readonly
principalThe AWS account ID of this principal. Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.
Readonly
roleReturns the ARN of this role.
Readonly
roleReturns the name of the role.
Readonly
stackThe stack in which this resource is defined.
Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q.
Adds a permission to the role's default policy document. If there is no default policy attached to this role, it will be created.
The permission statement to add to the policy document
Protected
generateProtected
getReturns an environment-sensitive token that should be used for the
resource's "ARN" attribute (e.g. bucket.bucketArn
).
Normally, this token will resolve to arnAttr
, but if the resource is
referenced across environments, arnComponents
will be used to synthesize
a concrete ARN with the resource's physical name. Make sure to reference
this.physicalName
in arnComponents
.
The CFN attribute which resolves to the ARN of the resource.
Commonly it will be called "Arn" (e.g. resource.attrArn
), but sometimes
it's the CFN resource's ref
.
The format of the ARN of this resource. You must
reference this.physicalName
somewhere within the ARN in order for
cross-environment references to work.
Protected
getReturns an environment-sensitive token that should be used for the
resource's "name" attribute (e.g. bucket.bucketName
).
Normally, this token will resolve to nameAttr
, but if the resource is
referenced across environments, it will be resolved to this.physicalName
,
which will be a concrete name.
The CFN attribute which resolves to the resource's name.
Commonly this is the resource's ref
.
Return a copy of this Role object whose Policies will not be updated
Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.
If you do, you are responsible for adding the correct statements to the Role's policies yourself.
Optional
options: WithoutPolicyUpdatesOptionsStatic
customizeCustomize the creation of IAM roles within the given scope
It is recommended that you do not use this method and instead allow CDK to manage role creation. This should only be used in environments where CDK applications are not allowed to created IAM roles.
This can be used to prevent the CDK application from creating roles
within the given scope and instead replace the references to the roles with
precreated role names. A report will be synthesized in the cloud assembly (i.e. cdk.out)
that will contain the list of IAM roles that would have been created along with the
IAM policy statements that the role should contain. This report can then be used
to create the IAM roles outside of CDK and then the created role names can be provided
in usePrecreatedRoles
.
construct scope to customize role creation
Optional
options: CustomizeRolesOptionsoptions for configuring role creation
Static
fromImport an external role by ARN.
If the imported Role ARN is a Token (such as a
CfnParameter.valueAsString
or a Fn.importValue()
) and the referenced
role has a path
(like arn:...:role/AdminRoles/Alice
), the
roleName
property will not resolve to the correct value. Instead it
will resolve to the first path component. We unfortunately cannot express
the correct calculation of the full path name as a CloudFormation
expression. In this scenario the Role ARN should be supplied without the
path
in order to resolve the correct role resource.
construct scope
construct id
the ARN of the role to import
Optional
options: FromRoleArnOptionsallow customizing the behavior of the returned role
Static
fromImport an external role by name.
The imported role is assumed to exist in the same account as the account the scope's containing Stack is being deployed to.
construct scope
construct id
the name of the role to import
Optional
options: FromRoleNameOptionsallow customizing the behavior of the returned role
Static
isChecks if x
is a construct.
Use this method instead of instanceof
to properly detect Construct
instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the constructs
library on
disk are seen as independent, completely different libraries. As a
consequence, the class Construct
in each copy of the constructs
library
is seen as a different class, and an instance of one class will not test as
instanceof
the other class. npm install
will not create installations
like this, but users may manually symlink construct libraries together or
use a monorepo tool: in those cases, multiple copies of the constructs
library can be accidentally installed, and instanceof
will behave
unpredictably. It is safest to avoid using instanceof
, and using
this type-testing method instead.
Any object
true if x
is an object created from a class which extends Construct
.
Static
isStatic
isStatic
is
Creates an IAM role with common policies that are needed by most Guardian applications.
More specifically:
ssh
access to an EC2 instance via ssm-scala (instead of standardssh
).GuParameterStoreReadPolicy
]] for specific details.If additional IAM permissions are required, create custom policies and pass them in via the
additionalPolicies
prop.If log shipping is not required, opt out by setting the
withoutLogShipping
prop totrue
.