The Actions added to this statement
The conditions added to this statement
Whether to allow or deny the actions in this statement
Set effect for this statement
Whether the PolicyStatement has been frozen
The statement object is frozen when freeze() is called.
Indicates if this permission has a "Principal" section.
Indicates if this permission has at least one resource associated with it.
The NotActions added to this statement
The NotPrincipals added to this statement
The NotResources added to this statement
The Principals added to this statement
The Resources added to this statement
Statement ID for this statement
Set Statement ID for this statement
Internal. Estimate the size of this policy statement.
By necessity this will not be accurate; the estimate deliberately errs on the high side so that there are no nasty surprises when the real size limit is enforced.
Add a StringEquals condition that limits to a given account from sts:ExternalId.
This method can only be called once: subsequent calls will overwrite earlier calls, silently, because the condition uses the same operator and field each time.
Adds an AWS account root user principal to this policy statement
Specify actions for the "Action" section of the policy statement.
actions that this statement matches (allowed, or denied if the statement's effect is Deny).
Adds a "*" resource to this statement.
Adds all identities in all accounts ("*") to this policy statement. In a resource-based policy this includes anonymous, unauthenticated callers, so combine it with a Deny effect or a restrictive condition unless the resource is meant to be public.
Specify a principal using the ARN identifier of the principal. You cannot specify IAM groups and instance profiles as principals.
ARN identifier of AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name)
Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.
Adds a canonical user ID principal to this policy document
unique identifier assigned by AWS for every account
Add a condition to the Policy
If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:
declare const stmt: iam.PolicyStatement;
stmt.addCondition('StringEquals', { 'aws:SomeField': '1' });
stmt.addCondition('StringEquals', { 'aws:SomeField': '2' });
Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.
If you meant to add a condition to say that the field can be either 1 or 2, write this:
declare const stmt: iam.PolicyStatement;
stmt.addCondition('StringEquals', { 'aws:SomeField': ['1', '2'] });
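The overwrite described above is easy to miss in review, because the second call does not fail. The following added example is not code from aws-cdk-lib: ConditionMap, addCondition and addConditionStrict are this example's own stand-ins that model the documented merge rule (same operator and field, last call wins; different fields under one operator coexist), and the account ID and external ID values are constructed. It shows the lost restriction, the array form that expresses "either value", and a strict variant that turns the silent overwrite into an error.

```typescript
// Added example for this page; it is not code from aws-cdk-lib. The types and
// functions below (ConditionMap, addCondition, addConditionStrict) are this
// example's own stand-ins that model the documented merge rule of
// PolicyStatement.addCondition: same operator and field => last call wins.

type ConditionValue = string | string[];
type ConditionFields = Record<string, ConditionValue>;
type ConditionMap = Record<string, ConditionFields>;

// Documented rule: fields for one operator are merged, and a field that is
// already present is replaced by the newer value. Returns a new map.
function addCondition(cond: ConditionMap, operator: string, fields: ConditionFields): ConditionMap {
  const existing: ConditionFields = cond[operator] ?? {};
  return { ...cond, [operator]: { ...existing, ...fields } };
}

// Hardened stand-in: a repeated (operator, field) pair silently weakens the
// statement, so refuse it and point at the array form instead.
function addConditionStrict(cond: ConditionMap, operator: string, fields: ConditionFields): ConditionMap {
  const existing = cond[operator];
  for (const field of Object.keys(fields)) {
    if (existing !== undefined && field in existing) {
      throw new Error(
        `${operator}/${field} is already set to ${JSON.stringify(existing[field])}; ` +
        `pass an array of values to allow several, or change the operator`,
      );
    }
  }
  return addCondition(cond, operator, fields);
}

// The two-call sequence from the docs: the first restriction is lost.
function lostRestriction(): ConditionMap {
  let c: ConditionMap = {};
  c = addCondition(c, 'StringEquals', { 'aws:SomeField': '1' });
  c = addCondition(c, 'StringEquals', { 'aws:SomeField': '2' });
  return c; // { StringEquals: { 'aws:SomeField': '2' } }
}

// What was probably meant: either value satisfies the condition.
function eitherValue(): ConditionMap {
  return addCondition({}, 'StringEquals', { 'aws:SomeField': ['1', '2'] });
}

// Different fields under the same operator do not collide; both survive.
// (Account ID and external ID are constructed values for the example.)
function mergedFields(): ConditionMap {
  let c = addCondition({}, 'StringEquals', { 'aws:SourceAccount': '111122223333' });
  c = addCondition(c, 'StringEquals', { 'sts:ExternalId': 'example-external-id' });
  return c;
}

// The strict variant turns the silent overwrite into a hard failure.
function strictRejectsOverwrite(): boolean {
  const c = addConditionStrict({}, 'StringEquals', { 'aws:SomeField': '1' });
  try {
    addConditionStrict(c, 'StringEquals', { 'aws:SomeField': '2' });
    return false;
  } catch {
    return true;
  }
}
```

The same rule explains why addAccountCondition, addSourceAccountCondition and addSourceArnCondition can only be called once: each targets a fixed operator and field, so a second call replaces the first value rather than adding to it.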
Add multiple conditions to the Policy
See the addCondition function for a caveat on calling this method multiple times.
Adds a federated identity provider such as Amazon Cognito to this policy statement.
federated identity provider (e.g. 'cognito-identity.amazonaws.com')
The conditions under which the policy is in effect. See the IAM documentation.
Specify actions that this statement explicitly excludes, in the "NotAction" section of the policy statement. With an Allow effect this permits every action except the listed ones; with a Deny effect it denies every action except the listed ones.
actions excluded from this statement. All other actions will be matched.
Specify principals that this statement does not apply to, in the "NotPrincipal" section of the policy statement. The statement matches every principal except the listed ones, so with an Allow effect it grants access to everyone else (including anonymous callers in a resource-based policy).
IAM principals excluded from this statement
Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement. All resources except the specified list will be matched.
Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to
Adds principals to the "Principal" section of a policy statement.
IAM principals that will be added
Specify resources that this policy statement applies to, in the "Resource" section of this policy statement.
Amazon Resource Names (ARNs) of the resources that this policy statement applies to
Adds a service principal to this policy statement.
the service name for which a service principal is requested (e.g. s3.amazonaws.com).
Optional opts: ServicePrincipalOpts: options for adding the service principal (such as specifying a principal in a different region).
When a service principal is granted access in a resource-based policy, scope the grant with addSourceAccountCondition or addSourceArnCondition; without such a condition, the service may act on behalf of any account that uses it (the confused-deputy problem).
Add a StringEquals condition that limits to a given account from aws:SourceAccount.
This method can only be called once: subsequent calls will overwrite earlier calls.
Add an ArnEquals condition that limits to a given resource ARN from aws:SourceArn.
This method can only be called once: subsequent calls will overwrite earlier calls.
Create a new PolicyStatement with the same exact properties as this one, except for the overrides.
Optional overrides: PolicyStatementProps
Make the PolicyStatement immutable
After calling this, any of the addXxx() methods will throw an exception.
Libraries that lazily generate statement bodies can override this method to fill the actual PolicyStatement fields. Be aware that this method may be called multiple times.
JSON-ify the statement
Used when JSON.stringify() is called
JSON-ify the policy statement
Used when JSON.stringify() is called
String representation of this policy statement
Validate that the policy statement satisfies base requirements for a policy.
An array of validation error messages, or an empty array if the statement is valid.
Validate that the policy statement satisfies all requirements for an identity-based policy.
An array of validation error messages, or an empty array if the statement is valid.
Validate that the policy statement satisfies all requirements for a resource-based policy.
An array of validation error messages, or an empty array if the statement is valid.
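The three validate methods above encode the structural rules that distinguish identity-based from resource-based policies. The following added example is not code from aws-cdk-lib: it lints plain statement objects of the shape that toStatementJson() emits, applying those rules and adding one security check a reviewer would want, namely an Allow for a service principal with no aws:SourceAccount or aws:SourceArn condition. The function names (validateForAnyPolicy, validateForIdentityPolicy, validateForResourcePolicy, confusedDeputyWarnings), the error wording and the sample SNS-to-SQS statements are this example's own constructions.

```typescript
// Added example; not code from aws-cdk-lib. It lints plain statement objects
// of the shape that toStatementJson() emits, applying the identity/resource
// policy rules described on this page plus one extra security check (a service
// principal allowed without aws:SourceAccount / aws:SourceArn).
// All function names and the sample statements below are this example's own.

type StrList = string | string[];
type Conditions = Record<string, Record<string, StrList>>;
interface PrincipalObj { AWS?: StrList; Service?: StrList; Federated?: StrList; CanonicalUser?: StrList }
interface StatementJson {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Action?: StrList;
  NotAction?: StrList;
  Resource?: StrList;
  NotResource?: StrList;
  Principal?: '*' | PrincipalObj;
  NotPrincipal?: '*' | PrincipalObj;
  Condition?: Conditions;
}

const toList = (v?: StrList): string[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
const hasPrincipal = (s: StatementJson): boolean => s.Principal !== undefined || s.NotPrincipal !== undefined;
const hasResource = (s: StatementJson): boolean => toList(s.Resource).length + toList(s.NotResource).length > 0;

// Base requirement shared by both policy kinds: an Action or NotAction list.
function validateForAnyPolicy(s: StatementJson): string[] {
  const errors: string[] = [];
  if (toList(s.Action).length + toList(s.NotAction).length === 0) {
    errors.push('A PolicyStatement must specify at least one action or notAction');
  }
  return errors;
}

// Identity-based policy (attached to a user, group or role): the principal is
// implied by the attachment, so Principal/NotPrincipal are forbidden and a
// Resource/NotResource is required.
function validateForIdentityPolicy(s: StatementJson): string[] {
  const errors = validateForAnyPolicy(s);
  if (hasPrincipal(s)) errors.push('Identity-based policies cannot specify Principal or NotPrincipal');
  if (!hasResource(s)) errors.push('Identity-based policies must specify at least one resource or notResource');
  return errors;
}

// Resource-based policy (bucket, queue, topic, key policy): it must say who is
// granted, so Principal or NotPrincipal is required.
function validateForResourcePolicy(s: StatementJson): string[] {
  const errors = validateForAnyPolicy(s);
  if (!hasPrincipal(s)) errors.push('Resource-based policies must specify at least one principal or notPrincipal');
  return errors;
}

// Every condition field name regardless of operator, e.g. "aws:SourceArn".
function conditionFields(s: StatementJson): string[] {
  const out: string[] = [];
  const cond: Conditions = s.Condition ?? {};
  for (const op of Object.keys(cond)) {
    for (const field of Object.keys(cond[op])) out.push(field);
  }
  return out;
}

// Confused-deputy check: an Allow for an AWS service principal should be
// scoped with aws:SourceAccount or aws:SourceArn; otherwise any customer's
// use of that service can be routed at this resource.
function confusedDeputyWarnings(s: StatementJson): string[] {
  const p = s.Principal;
  if (s.Effect !== 'Allow' || p === undefined || p === '*') return [];
  const services = toList(p.Service);
  if (services.length === 0) return [];
  const fields = conditionFields(s);
  if (fields.indexOf('aws:SourceAccount') >= 0 || fields.indexOf('aws:SourceArn') >= 0) return [];
  return [`service principal(s) ${services.join(', ')} allowed without aws:SourceAccount or aws:SourceArn condition`];
}

// Constructed sample: a queue policy letting SNS deliver, first unscoped, then
// scoped to one topic ARN (account ID and names are made up for the example).
const unscopedSnsToSqs: StatementJson = {
  Effect: 'Allow',
  Principal: { Service: 'sns.amazonaws.com' },
  Action: 'sqs:SendMessage',
  Resource: 'arn:aws:sqs:us-east-1:111122223333:orders',
};
const scopedSnsToSqs: StatementJson = {
  ...unscopedSnsToSqs,
  Condition: { ArnEquals: { 'aws:SourceArn': 'arn:aws:sns:us-east-1:111122223333:order-events' } },
};
```

Run confusedDeputyWarnings over every statement of a resource policy after the structural validation passes; the scoped sample is what addSourceArnCondition produces, and the unscoped one is the shape that the check is meant to catch.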
Static from: Creates a new PolicyStatement based on the object provided.
This will accept an object created from the .toJSON() call.
the PolicyStatement in object form.
This is helpful for reading all private configuration for a given app. For example, the simple-configuration library requires these permissions.