Class PolicyStatement
Represents a statement in an IAM policy document.
public class PolicyStatement : DeputyBase
- Inheritance
-
PolicyStatement
Examples
// Add gateway endpoints when creating the VPC
var vpc = new Vpc(this, "MyVpc", new VpcProps {
GatewayEndpoints = new Dictionary<string, GatewayVpcEndpointOptions> {
{ "S3", new GatewayVpcEndpointOptions {
Service = GatewayVpcEndpointAwsService.S3
} }
}
});
// Alternatively gateway endpoints can be added on the VPC
var dynamoDbEndpoint = vpc.AddGatewayEndpoint("DynamoDbEndpoint", new GatewayVpcEndpointOptions {
Service = GatewayVpcEndpointAwsService.DYNAMODB
});
// This allows to customize the endpoint policy
dynamoDbEndpoint.AddToPolicy(
new PolicyStatement(new PolicyStatementProps { // Restrict to listing and describing tables
Principals = new [] { new AnyPrincipal() },
Actions = new [] { "dynamodb:DescribeTable", "dynamodb:ListTables" },
Resources = new [] { "*" } }));
// Add an interface endpoint
vpc.AddInterfaceEndpoint("EcrDockerEndpoint", new InterfaceVpcEndpointOptions {
Service = InterfaceVpcEndpointAwsService.ECR_DOCKER
});
Remarks
ExampleMetadata: lit=test/integ.vpc-endpoint.lit.ts infused
Constructors
PolicyStatement(IPolicyStatementProps?)
public PolicyStatement(IPolicyStatementProps? props = null)
Parameters
props
IPolicyStatementProps
Properties
Actions
The Actions added to this statement.
public virtual string[] Actions { get; }
Property Value
- string[]
Conditions
The conditions added to this statement.
public virtual object Conditions { get; }
Property Value
Effect
Whether to allow or deny the actions in this statement.
public virtual Effect Effect { get; set; }
Property Value
HasPrincipal
Indicates if this statement has a "Principal" section.
public virtual bool HasPrincipal { get; }
Property Value
HasResource
Indicates if this statement has at least one resource associated with it.
public virtual bool HasResource { get; }
Property Value
NotActions
The NotActions added to this statement.
public virtual string[] NotActions { get; }
Property Value
- string[]
NotPrincipals
The NotPrincipals added to this statement.
public virtual IPrincipal[] NotPrincipals { get; }
Property Value
NotResources
The NotResources added to this statement.
public virtual string[] NotResources { get; }
Property Value
- string[]
Principals
The Principals added to this statement.
public virtual IPrincipal[] Principals { get; }
Property Value
Resources
The Resources added to this statement.
public virtual string[] Resources { get; }
Property Value
- string[]
Sid
Statement ID for this statement.
public virtual string? Sid { get; set; }
Property Value
Methods
AddAccountCondition(string)
Add a condition that limits to a given account.
public virtual void AddAccountCondition(string accountId)
Parameters
accountId
string
Remarks
This method can only be called once: subsequent calls will overwrite earlier calls.
AddAccountRootPrincipal()
Adds an AWS account root user principal to this policy statement.
public virtual void AddAccountRootPrincipal()
AddActions(params string[])
Specify allowed actions into the "Action" section of the policy statement.
public virtual void AddActions(params string[] actions)
Parameters
actions
string[]
actions that will be allowed.
AddAllResources()
Adds a "*" resource to this statement.
public virtual void AddAllResources()
AddAnyPrincipal()
Adds all identities in all accounts ("*") to this policy statement.
public virtual void AddAnyPrincipal()
AddArnPrincipal(string)
Specify a principal using the ARN identifier of the principal.
public virtual void AddArnPrincipal(string arn)
Parameters
arn
string
ARN identifier of an AWS account, IAM user, or IAM role (e.g. arn:aws:iam::123456789012:user/user-name).
Remarks
You cannot specify IAM groups and instance profiles as principals.
AddAwsAccountPrincipal(string)
Specify an AWS account ID as the principal entity in the "Principal" section of a policy statement.
public virtual void AddAwsAccountPrincipal(string accountId)
Parameters
accountId
string
AddCanonicalUserPrincipal(string)
Adds a canonical user ID principal to this policy document.
public virtual void AddCanonicalUserPrincipal(string canonicalUserId)
Parameters
canonicalUserId
string
unique identifier assigned by AWS for every account.
AddCondition(string, object)
Add a condition to the Policy.
public virtual void AddCondition(string key, object value)
Parameters
Remarks
If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:
PolicyStatement stmt;
stmt.AddCondition("StringEquals", new Dictionary<string, string> { { "aws:SomeField", "1" } });
stmt.AddCondition("StringEquals", new Dictionary<string, string> { { "aws:SomeField", "2" } });
Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.
If you meant to add a condition to say that the field can be either 1 or 2, write this:
PolicyStatement stmt;
stmt.AddCondition("StringEquals", new Dictionary<string, string[]> { { "aws:SomeField", new [] { "1", "2" } } });
AddConditions(IDictionary<string, object>)
Add multiple conditions to the Policy.
public virtual void AddConditions(IDictionary<string, object> conditions)
Parameters
conditions
IDictionary<string, object>
Remarks
See the AddCondition method for a caveat on calling this method multiple times.
AddFederatedPrincipal(object, IDictionary<string, object>)
Adds a federated identity provider such as Amazon Cognito to this policy statement.
public virtual void AddFederatedPrincipal(object federated, IDictionary<string, object> conditions)
Parameters
federated
object
federated identity provider (e.g. 'cognito-identity.amazonaws.com').
conditions
IDictionary<string, object>
The conditions under which the policy is in effect.
AddNotActions(params string[])
Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document.
public virtual void AddNotActions(params string[] notActions)
Parameters
notActions
string[]
actions that will be denied.
Remarks
All actions except the specified list will be matched; whether the matched actions are allowed or denied depends on the statement's Effect.
AddNotPrincipals(params IPrincipal[])
Specify principals in the "NotPrincipal" section of a policy statement: the statement will not apply to the listed principals.
public virtual void AddNotPrincipals(params IPrincipal[] notPrincipals)
Parameters
notPrincipals
IPrincipal[]
IAM principals that will be denied access.
AddNotResources(params string[])
Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement.
public virtual void AddNotResources(params string[] arns)
Parameters
arns
string[]
Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to.
Remarks
All resources except the specified list will be matched.
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
AddPrincipals(params IPrincipal[])
Adds principals to the "Principal" section of a policy statement.
public virtual void AddPrincipals(params IPrincipal[] principals)
Parameters
principals
IPrincipal[]
IAM principals that will be added.
AddResources(params string[])
Specify resources that this policy statement applies into the "Resource" section of this policy statement.
public virtual void AddResources(params string[] arns)
Parameters
arns
string[]
Amazon Resource Names (ARNs) of the resources that this policy statement applies to.
AddServicePrincipal(string, IServicePrincipalOpts?)
Adds a service principal to this policy statement.
public virtual void AddServicePrincipal(string service, IServicePrincipalOpts? opts = null)
Parameters
service
string
the service name for which a service principal is requested (e.g. s3.amazonaws.com).
opts
IServicePrincipalOpts
options for adding the service principal (such as specifying a principal in a different region).
Copy(IPolicyStatementProps?)
Create a new PolicyStatement with the same exact properties as this one, except for the overrides.
public virtual PolicyStatement Copy(IPolicyStatementProps? overrides = null)
Parameters
overrides
IPolicyStatementProps
Returns
FromJson(object)
Creates a new PolicyStatement based on the object provided.
public static PolicyStatement FromJson(object obj)
Parameters
obj
object
the PolicyStatement in object form.
Returns
Remarks
This will accept an object created from the .toJSON() call.
ToJSON()
JSON-ify the statement.
public virtual object ToJSON()
Returns
Remarks
Used when JSON.stringify() is called
ToStatementJson()
JSON-ify the policy statement.
public virtual object ToStatementJson()
Returns
Remarks
Used when JSON.stringify() is called
ToString()
String representation of this policy statement.
public override string ToString()
Returns
ValidateForAnyPolicy()
Validate that the policy statement satisfies base requirements for a policy.
public virtual string[] ValidateForAnyPolicy()
Returns
- string[]
An array of validation error messages, or an empty array if the statement is valid.
ValidateForIdentityPolicy()
Validate that the policy statement satisfies all requirements for an identity-based policy.
public virtual string[] ValidateForIdentityPolicy()
Returns
- string[]
An array of validation error messages, or an empty array if the statement is valid.
ValidateForResourcePolicy()
Validate that the policy statement satisfies all requirements for a resource-based policy.
public virtual string[] ValidateForResourcePolicy()
Returns
- string[]
An array of validation error messages, or an empty array if the statement is valid.