Class LazyRoleProps

Namespace: Amazon.CDK.AWS.IAM
Assembly: Amazon.CDK.AWS.IAM.dll

Properties for defining a LazyRole.

public class LazyRoleProps : ILazyRoleProps, IRoleProps
Inheritance: LazyRoleProps
Implements: ILazyRoleProps, IRoleProps

Examples

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
using System.Collections.Generic; // needed for Dictionary<,>
using Amazon.CDK.AWS.IAM;
using Amazon.CDK;

// Placeholders: supply real instances created elsewhere in your stack.
ManagedPolicy managedPolicy;
PolicyDocument policyDocument;
IPrincipal principal;
var lazyRoleProps = new LazyRoleProps {
    AssumedBy = principal,

    // the properties below are optional
    Description = "description",
    ExternalId = "externalId",
    ExternalIds = new [] { "externalIds" },
    InlinePolicies = new Dictionary<string, PolicyDocument> {
        { "inlinePoliciesKey", policyDocument }
    },
    ManagedPolicies = new [] { managedPolicy },
    MaxSessionDuration = Duration.Minutes(30),
    Path = "path",
    PermissionsBoundary = managedPolicy,
    RoleName = "roleName"
};

Constructors

LazyRoleProps()

public LazyRoleProps()

Properties

AssumedBy

The IAM principal (e.g. new ServicePrincipal('sns.amazonaws.com')) which can assume this role.

public IPrincipal AssumedBy { get; set; }

Property Value

IPrincipal

Remarks

You can later modify the assume role policy document by accessing it via the assumeRolePolicy property.

Description

A description of the role.

public string? Description { get; set; }

Property Value

string

Remarks

It can be up to 1000 characters long.

Default: - No description.

ExternalId

(deprecated) ID that the role assumer needs to provide when assuming this role.

[Obsolete("see {@link externalIds}")]
public string? ExternalId { get; set; }

Property Value

string

Remarks

If the configured and provided external IDs do not match, the AssumeRole operation will fail.

Default: No external ID required

Stability: Deprecated

ExternalIds

List of IDs that the role assumer needs to provide one of when assuming this role.

public string[]? ExternalIds { get; set; }

Property Value

string[]

Remarks

If the external ID supplied in the AssumeRole request does not match one of the configured IDs, the AssumeRole operation will fail.

Default: No external ID required

InlinePolicies

A list of named policies to inline into this role.

public IDictionary<string, PolicyDocument>? InlinePolicies { get; set; }

Property Value

IDictionary<string, PolicyDocument>

Remarks

These policies will be created with the role, whereas those added by addToPolicy are added using a separate CloudFormation resource (allowing a way around circular dependencies that could otherwise be introduced).

Default: - No policy is inlined in the Role resource.

ManagedPolicies

A list of managed policies associated with this role.

public IManagedPolicy[]? ManagedPolicies { get; set; }

Property Value

IManagedPolicy[]

Remarks

You can add managed policies later using addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName)).

Default: - No managed policies.

MaxSessionDuration

The maximum session duration that you want to set for the specified role.

public Duration? MaxSessionDuration { get; set; }

Property Value

Duration

Remarks

This setting can have a value from 1 hour (3600 seconds) to 12 hours (43200 seconds).

Anyone who assumes the role from the AWS CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter.

If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL.

Default: Duration.hours(1)

Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html

Path

The path associated with this role.

public string? Path { get; set; }

Property Value

string

Remarks

For information about IAM paths, see Friendly Names and Paths in the IAM User Guide.

Default: /

PermissionsBoundary

AWS supports permissions boundaries for IAM entities (users or roles).

public IManagedPolicy? PermissionsBoundary { get; set; }

Property Value

IManagedPolicy

Remarks

A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

Default: - No permissions boundary.

Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
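The following is an added example (not code from this page or from the CDK project) that combines the ExternalIds and PermissionsBoundary properties described above: a role a partner account may assume only when it presents an external ID, capped by a boundary so that neither the inline policy nor anything attached later via addToPolicy or addManagedPolicy can exceed S3 read access. The account ID, external ID, bucket name and stack class are placeholders, and the code assumes the CDK v1 packaging this page documents (Construct comes from Amazon.CDK).

```csharp
using System.Collections.Generic;
using Amazon.CDK;
using Amazon.CDK.AWS.IAM; // CDK v1 packaging (Amazon.CDK.AWS.IAM.dll); on CDK v2 also add: using Constructs;

// Added example, not CDK project code. Account ID, external ID and bucket name are placeholders.
public class PartnerAccessStack : Stack
{
    public PartnerAccessStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        // Boundary: nothing attached to this role, now or later, can exceed read access to S3.
        var boundary = new ManagedPolicy(this, "ReadOnlyBoundary", new ManagedPolicyProps
        {
            Statements = new[]
            {
                new PolicyStatement(new PolicyStatementProps
                {
                    Effect = Effect.ALLOW,
                    Actions = new[] { "s3:GetObject", "s3:ListBucket" },
                    Resources = new[] { "*" }
                })
            }
        });
        var role = new LazyRole(this, "PartnerRole", new LazyRoleProps
        {
            // Only the partner account may assume the role ...
            AssumedBy = new AccountPrincipal("111122223333"),
            // ... and only when the AssumeRole call carries one of these external IDs
            // (the confused-deputy guard described under ExternalIds).
            ExternalIds = new[] { "partner-external-id-placeholder" },
            MaxSessionDuration = Duration.Hours(1),
            PermissionsBoundary = boundary,
            InlinePolicies = new Dictionary<string, PolicyDocument>
            {
                ["ReadReports"] = new PolicyDocument(new PolicyDocumentProps
                {
                    Statements = new[]
                    {
                        new PolicyStatement(new PolicyStatementProps
                        {
                            Effect = Effect.ALLOW,
                            Actions = new[] { "s3:GetObject" },
                            Resources = new[] { "arn:aws:s3:::example-reports-bucket/*" }
                        })
                    }
                })
            }
        });
    }
}
```

The effective permissions are the intersection of the inline policy and the boundary, so even a later addToPolicy granting s3:PutObject would be denied at evaluation time.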

RoleName

A name for the IAM role.

public string? RoleName { get; set; }

Property Value

string

Remarks

For valid values, see the RoleName parameter for the CreateRole action in the IAM API Reference.

IMPORTANT: If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.

Default: - AWS CloudFormation generates a unique physical ID and uses that ID for the role name.