Class Role
IAM Role.
public class Role : Resource, IRole, IIdentity, IPrincipal, IGrantable, IResource, IConstruct, IConstruct, IDependable
Inheritance
- Role
Implements
- IResource
- IConstruct
- IConstruct
- IDependable
Examples
var lambdaRole = new Role(this, "Role", new RoleProps {
    AssumedBy = new ServicePrincipal("lambda.amazonaws.com"),
    Description = "Example role..."
});
var stream = new Stream(this, "MyEncryptedStream", new StreamProps {
    Encryption = StreamEncryption.KMS
});
// Give the Lambda role permission to read the stream
stream.GrantRead(lambdaRole);
Remarks
Defines an IAM role. The role is created with an assume policy document associated with
the specified AWS service principal defined in serviceAssumeRole.
Constructors
Role(Construct, string, IRoleProps)
public Role(Construct scope, string id, IRoleProps props)
Parameters
scope
Construct
id
string
props
IRoleProps
Properties
AssumeRoleAction
When this Principal is used in an AssumeRole policy, the action to use.
public virtual string AssumeRoleAction { get; }
Property Value
AssumeRolePolicy
The assume role policy document associated with this role.
public virtual PolicyDocument? AssumeRolePolicy { get; }
Property Value
GrantPrincipal
The principal to grant permissions to.
public virtual IPrincipal GrantPrincipal { get; }
Property Value
PermissionsBoundary
Returns the permissions boundary attached to this role.
public virtual IManagedPolicy? PermissionsBoundary { get; }
Property Value
PolicyFragment
Returns the role.
public virtual PrincipalPolicyFragment PolicyFragment { get; }
Property Value
PrincipalAccount
The AWS account ID of this principal.
public virtual string? PrincipalAccount { get; }
Property Value
Remarks
Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.
RoleArn
Returns the ARN of this role.
public virtual string RoleArn { get; }
Property Value
RoleId
Returns the stable and unique string identifying the role.
public virtual string RoleId { get; }
Property Value
Remarks
For example, AIDAJQABLZS4A3QDU576Q.
Attribute: true
RoleName
Returns the name of the role.
public virtual string RoleName { get; }
Property Value
Methods
AddManagedPolicy(IManagedPolicy)
Attaches a managed policy to this role.
public virtual void AddManagedPolicy(IManagedPolicy policy)
Parameters
policy
IManagedPolicy
The managed policy to attach.
AddToPolicy(PolicyStatement)
Add to the policy of this principal.
public virtual bool AddToPolicy(PolicyStatement statement)
Parameters
statement
PolicyStatement
Returns
AddToPrincipalPolicy(PolicyStatement)
Adds a permission to the role's default policy document.
public virtual IAddToPrincipalPolicyResult AddToPrincipalPolicy(PolicyStatement statement)
Parameters
statement
PolicyStatement
The permission statement to add to the policy document.
Returns
Remarks
If there is no default policy attached to this role, it will be created.
AttachInlinePolicy(Policy)
Attaches a policy to this role.
public virtual void AttachInlinePolicy(Policy policy)
Parameters
policy
Policy
The policy to attach.
FromRoleArn(Construct, string, string, IFromRoleArnOptions?)
Import an external role by ARN.
public static IRole FromRoleArn(Construct scope, string id, string roleArn, IFromRoleArnOptions? options = null)
Parameters
scope
Construct
construct scope.
id
string
construct id.
roleArn
string
the ARN of the role to import.
options
IFromRoleArnOptions
allow customizing the behavior of the returned role.
Returns
Remarks
If the imported Role ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) and the referenced role has a path (like arn:...:role/AdminRoles/Alice), the roleName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the path in order to resolve the correct role resource.
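The mismatch described in these remarks, as an added model in plain C# (not CDK code and not part of the original reference). The class name, method names and sample ARNs are constructed, and the fixed-index split is an assumed model of a deploy-time expression that can split a string and select one element by position but cannot ask for the last element.

```csharp
using System;

public static class RoleArnModel
{
    // Resource part of an IAM role ARN, e.g. "role/AdminRoles/Alice".
    static string ResourcePart(string arn) => arn.Split(new[] { ':' }, 6)[5];

    // Synth-time view: the ARN is a plain string, so the role name is
    // simply the last "/"-separated segment, however long the path is.
    public static string NameFromConcreteArn(string arn)
    {
        var segments = ResourcePart(arn).Split('/');
        return segments[segments.Length - 1];
    }

    // Deploy-time view (assumed model): split on "/" and select a fixed
    // index. Index 1 is the name only when the role has no path.
    public static string NameFromTokenArn(string arn) =>
        ResourcePart(arn).Split('/')[1];

    // True when both views agree, i.e. the ARN is safe to pass as a Token.
    public static bool TokenViewIsCorrect(string arn) =>
        NameFromConcreteArn(arn) == NameFromTokenArn(arn);

    public static void Main()
    {
        // Constructed sample ARNs; the account ID is a placeholder.
        var samples = new[]
        {
            "arn:aws:iam::111122223333:role/Alice",
            "arn:aws:iam::111122223333:role/AdminRoles/Alice",
        };

        foreach (var arn in samples)
        {
            Console.WriteLine(arn);
            Console.WriteLine("  concrete ARN name : " + NameFromConcreteArn(arn));
            Console.WriteLine("  token ARN name    : " + NameFromTokenArn(arn));
            Console.WriteLine("  views agree       : " + TokenViewIsCorrect(arn));
        }
    }
}
```

Anything keyed on roleName for a pathed role imported through a Token (a policy resource, an audit lookup) would refer to the path component rather than the role, which is why the remarks ask for the ARN without the path.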
FromRoleName(Construct, string, string)
Import an external role by name.
public static IRole FromRoleName(Construct scope, string id, string roleName)
Parameters
Returns
Remarks
The imported role is assumed to exist in the same account as the account the scope's containing Stack is being deployed to.
Grant(IPrincipal, params string[])
Grant the actions defined in actions to the identity Principal on this resource.
public virtual Grant Grant(IPrincipal grantee, params string[] actions)
Parameters
grantee
IPrincipal
actions
string[]
Returns
GrantAssumeRole(IPrincipal)
Grant permissions to the given principal to assume this role.
public virtual Grant GrantAssumeRole(IPrincipal identity)
Parameters
identity
IPrincipal
Returns
GrantPassRole(IPrincipal)
Grant permissions to the given principal to pass this role.
public virtual Grant GrantPassRole(IPrincipal identity)
Parameters
identity
IPrincipal
Returns
Validate()
Validate the current construct.
protected override string[] Validate()
Returns
- string[]
Remarks
This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.
WithoutPolicyUpdates(IWithoutPolicyUpdatesOptions?)
Return a copy of this Role object whose Policies will not be updated.
public virtual IRole WithoutPolicyUpdates(IWithoutPolicyUpdatesOptions? options = null)
Parameters
options
IWithoutPolicyUpdatesOptions
Returns
Remarks
Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.
If you do, you are responsible for adding the correct statements to the Role's policies yourself.
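An added example of this pattern, not taken from the original reference: the role's permissions are written out explicitly, and constructs are then given the copy returned by WithoutPolicyUpdates so their grant calls cannot widen the role. The stack name, construct IDs, the bucket and the "reports/*" prefix are assumptions for illustration.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.IAM;
using Amazon.CDK.AWS.S3;
using Constructs;

// Hypothetical stack; all names below are illustrative.
public class FrozenRoleStack : Stack
{
    public FrozenRoleStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        var bucket = new Bucket(this, "Reports");

        var role = new Role(this, "WorkerRole", new RoleProps {
            AssumedBy = new ServicePrincipal("lambda.amazonaws.com"),
            Description = "Reads report objects only"
        });

        // The reviewed, explicit permission. AddToPrincipalPolicy puts it in
        // the role's default policy, creating that policy if it is missing.
        role.AddToPrincipalPolicy(new PolicyStatement(new PolicyStatementProps {
            Actions = new[] { "s3:GetObject" },
            Resources = new[] { bucket.ArnForObjects("reports/*") }
        }));

        // Copy of the role whose policies will not be updated by whatever
        // construct receives it.
        IRole frozen = role.WithoutPolicyUpdates();

        // Against the original role this grant would add read/write
        // statements to the role's policy. Through the frozen copy the
        // role's policies stay exactly as written above, so any permission
        // the workload needs must be added explicitly on `role`.
        bucket.GrantReadWrite(frozen);
    }
}
```

Comparing the synthesized template with and without the WithoutPolicyUpdates call shows which statements a grant would have added to the role.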