Class Group
An IAM Group (collection of IAM users) lets you specify permissions for multiple users, which can make it easier to manage permissions for those users.
public class Group : Resource, IGroup, IIdentity, IPrincipal, IGrantable, IResource, IConstruct, IConstruct, IDependable
- Inheritance
  Group
- Implements
  IResource, IConstruct, IConstruct, IDependable
Examples
var user = new User(this, "MyUser"); // or User.FromUserName(this, "User", "johnsmith");
var group = new Group(this, "MyGroup"); // or Group.FromGroupArn(this, "Group", "arn:aws:iam::account-id:group/group-name");
user.AddToGroup(group);
// or
group.AddUser(user);
Remarks
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html
Constructors
Group(Construct, string, IGroupProps?)
public Group(Construct scope, string id, IGroupProps? props = null)
Parameters
scope
Construct
id
string
props
IGroupProps
Properties
AssumeRoleAction
When this Principal is used in an AssumeRole policy, the action to use.
public virtual string AssumeRoleAction { get; }
Property Value
GrantPrincipal
The principal to grant permissions to.
public virtual IPrincipal GrantPrincipal { get; }
Property Value
GroupArn
Returns the IAM Group ARN.
public virtual string GroupArn { get; }
Property Value
GroupName
Returns the IAM Group Name.
public virtual string GroupName { get; }
Property Value
PolicyFragment
Return the policy fragment that identifies this principal in a Policy.
public virtual PrincipalPolicyFragment PolicyFragment { get; }
Property Value
PrincipalAccount
The AWS account ID of this principal.
public virtual string? PrincipalAccount { get; }
Property Value
Remarks
Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.
Methods
AddManagedPolicy(IManagedPolicy)
Attaches a managed policy to this group.
public virtual void AddManagedPolicy(IManagedPolicy policy)
Parameters
policy
IManagedPolicy: The managed policy to attach.
AddToPolicy(PolicyStatement)
Add to the policy of this principal.
public virtual bool AddToPolicy(PolicyStatement statement)
Parameters
statement
PolicyStatement
Returns
AddToPrincipalPolicy(PolicyStatement)
Adds an IAM statement to the default policy.
public virtual IAddToPrincipalPolicyResult AddToPrincipalPolicy(PolicyStatement statement)
Parameters
statement
PolicyStatement
Returns
AddUser(IUser)
Adds a user to this group.
public virtual void AddUser(IUser user)
Parameters
user
IUser
AttachInlinePolicy(Policy)
Attaches a policy to this group.
public virtual void AttachInlinePolicy(Policy policy)
Parameters
policy
Policy: The policy to attach.
FromGroupArn(Construct, string, string)
Import an external group by ARN.
public static IGroup FromGroupArn(Construct scope, string id, string groupArn)
Parameters
scope
Construct: construct scope.
id
string: construct id.
groupArn
string: the ARN of the group to import (e.g. arn:aws:iam::account-id:group/group-name).
Returns
Remarks
If the imported Group ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) and the referenced group has a path (like arn:...:group/AdminGroup/NetworkAdmin), the groupName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Group ARN should be supplied without the path in order to resolve the correct group resource.
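One way to enforce the "ARN without the path" advice above when the ARN arrives as a deploy-time parameter. This is an added example, not code from the CDK documentation; the stack name, construct ids, the AllowedPattern regex (which assumes the "aws" partition and a 12-digit account id) and the policy actions are assumptions chosen for illustration.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.IAM;
using Constructs;

// Hypothetical stack: imports an existing IAM group whose ARN is supplied at deploy time.
public class ImportedGroupStack : Stack
{
    public ImportedGroupStack(Construct scope, string id, IStackProps? props = null)
        : base(scope, id, props)
    {
        // The parameter value is a Token at synth time, so FromGroupArn cannot
        // inspect it for a path. Constrain the parameter instead: exactly one
        // segment after "group/", which rejects ARNs such as
        // arn:...:group/AdminGroup/NetworkAdmin before any resource is changed.
        var groupArn = new CfnParameter(this, "GroupArn", new CfnParameterProps
        {
            Type = "String",
            // Assumed pattern: "aws" partition, 12-digit account, group name characters only.
            AllowedPattern = "^arn:aws:iam::[0-9]{12}:group/[A-Za-z0-9+=,.@_-]+$",
            ConstraintDescription =
                "IAM group ARN without a path, e.g. arn:aws:iam::account-id:group/group-name"
        });

        var group = Group.FromGroupArn(this, "ImportedGroup", groupArn.ValueAsString);

        // The generated policy is attached to the group through GroupName, so a
        // name that resolved to a path component would point it at the wrong group.
        // The read-only actions below are illustrative.
        group.AddToPrincipalPolicy(new PolicyStatement(new PolicyStatementProps
        {
            Effect = Effect.ALLOW,
            Actions = new[] { "ec2:DescribeVpcs", "ec2:DescribeSubnets" },
            Resources = new[] { "*" }
        }));
    }
}
```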
FromGroupName(Construct, string, string)
Import an existing group by given name (with path).
public static IGroup FromGroupName(Construct scope, string id, string groupName)
Parameters
scope
Construct: construct scope.
id
string: construct id.
groupName
string: the groupName (path included) of the existing group to import.
Returns
Remarks
This method has the same caveats as FromGroupArn.