@aws-cdk/aws-iam

@aws-cdk/aws-iam

Version 1.204.0
Published 9 months ago
2.37 MB
4 dependencies
Apache-2.0 license

Install

npm i @aws-cdk/aws-iam

yarn add @aws-cdk/aws-iam

pnpm add @aws-cdk/aws-iam

Overview

CDK routines for easily assigning correct and minimal IAM permissions

Index

Classes

class AccessKey

class AccessKey extends Resource implements IAccessKey {}

Define a new IAM Access Key.

constructor

constructor(scope: Construct, id: string, props: AccessKeyProps);

property accessKeyId

readonly accessKeyId: string;

property secretAccessKey

readonly secretAccessKey: SecretValue;

class AccountPrincipal

class AccountPrincipal extends ArnPrincipal {}

Specify AWS account ID as the principal entity in a policy to delegate authority to the account.

constructor

constructor(accountId: any);

Parameter accountId
AWS account ID (i.e. 123456789012)

property accountId

readonly accountId: any;

property principalAccount

readonly principalAccount: string;

method toString

toString: () => string;

class AccountRootPrincipal

class AccountRootPrincipal extends AccountPrincipal {}

Use the AWS account into which a stack is deployed as the principal entity in a policy

constructor

constructor();

method toString

toString: () => string;

class Anyone

class Anyone extends AnyPrincipal {}

A principal representing all identities in all accounts
Deprecated
use AnyPrincipal

class AnyPrincipal

class AnyPrincipal extends ArnPrincipal {}

A principal representing all AWS identities in all accounts
Some services behave differently when you specify Principal: '*' or Principal: { AWS: "*" } in their resource policy.
AnyPrincipal renders to Principal: { AWS: "*" }. This is correct most of the time, but in cases where you need the other principal, use StarPrincipal instead.

constructor

constructor();

method toString

toString: () => string;

class ArnPrincipal

class ArnPrincipal extends PrincipalBase {}

Specify a principal by the Amazon Resource Name (ARN). You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions. You cannot specify IAM groups or instance profiles as principals
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

constructor

constructor(arn: string);

Parameter arn
Amazon Resource Name (ARN) of the principal entity (i.e. arn:aws:iam::123456789012:user/user-name)

property arn

readonly arn: string;

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

method dedupeString

dedupeString: () => string | undefined;

method inOrganization

inOrganization: (organizationId: string) => PrincipalBase;

A convenience method for adding a condition that the principal is part of the specified AWS Organization.

method toString

toString: () => string;

class CanonicalUserPrincipal

class CanonicalUserPrincipal extends PrincipalBase {}

A policy principal for canonicalUserIds - useful for S3 bucket policies that use Origin Access identities.
See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html
and
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
for more details.

constructor

constructor(canonicalUserId: string);

Parameter canonicalUserId
unique identifier assigned by AWS for every account. root user and IAM users for an account all see the same ID. (i.e. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be)

property canonicalUserId

readonly canonicalUserId: string;

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

method dedupeString

dedupeString: () => string | undefined;

method toString

toString: () => string;

class CfnAccessKey

class CfnAccessKey extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::AccessKey
Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active .
For information about quotas on the number of keys you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
> To ensure the security of your AWS account , the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can rotate access keys by increasing the value of the serial property.
AWS::IAM::AccessKey external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html

constructor

constructor(scope: cdk.Construct, id: string, props: CfnAccessKeyProps);

Create a new AWS::IAM::AccessKey.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property attrSecretAccessKey

readonly attrSecretAccessKey: string;

Returns the secret access key for the specified AWS::IAM::AccessKey resource. For example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY. SecretAccessKey

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property serial

serial: number;

This value is specific to CloudFormation and can only be *incremented* . Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-serial

property status

status: string;

The status of the access key. Active means that the key is valid for API calls, while Inactive means it is not.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-status

property userName

userName: string;

The name of the IAM user that the new key will belong to.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-username

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnGroup

class CfnGroup extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::Group
Creates a new group.
For information about the number of groups you can create, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
AWS::IAM::Group external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html

constructor

constructor(scope: cdk.Construct, id: string, props?: CfnGroupProps);

Create a new AWS::IAM::Group.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property attrArn

readonly attrArn: string;

Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::Group resource. For example: arn:aws:iam::123456789012:group/mystack-mygroup-1DZETITOWEKVO . Arn

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property groupName

groupName: string;

The name of the group to create. Do not include the path in this value.
The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins". If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name.
> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-groupname

property managedPolicyArns

managedPolicyArns: string[];

The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-managepolicyarns

property path

path: string;

The path to the group. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-path

property policies

policies: any;

Adds or updates an inline policy document that is embedded in the specified IAM group. To view AWS::IAM::Group snippets, see [Declaring an IAM Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group) .
> The name of each inline policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.
For information about limits on the number of inline policies that you can embed in a group, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-policies

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnInstanceProfile

class CfnInstanceProfile extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::InstanceProfile
Creates a new instance profile. For information about instance profiles, see [Using instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) .
For information about the number of instance profiles you can create, see [IAM object quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
AWS::IAM::InstanceProfile external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html

constructor

constructor(scope: cdk.Construct, id: string, props: CfnInstanceProfileProps);

Create a new AWS::IAM::InstanceProfile.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property attrArn

readonly attrArn: string;

Returns the Amazon Resource Name (ARN) for the instance profile. For example:
{"Fn::GetAtt" : ["MyProfile", "Arn"] }
This returns a value such as arn:aws:iam::1234567890:instance-profile/MyProfile-ASDNSDLKJ . Arn

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property instanceProfileName

instanceProfileName: string;

The name of the instance profile to create.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-instanceprofilename

property path

path: string;

The path to the instance profile. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-path

property roles

roles: string[];

The name of the role to associate with the instance profile. Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-roles

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnManagedPolicy

class CfnManagedPolicy extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::ManagedPolicy
Creates a new managed policy for your AWS account .
This operation creates a policy version with a version identifier of v1 and sets v1 as the policy's default version. For more information about policy versions, see [Versioning for managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-versions.html) in the *IAM User Guide* .
As a best practice, you can validate your IAM policies. To learn more, see [Validating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html) in the *IAM User Guide* .
For more information about managed policies in general, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
AWS::IAM::ManagedPolicy external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html

constructor

constructor(scope: cdk.Construct, id: string, props: CfnManagedPolicyProps);

Create a new AWS::IAM::ManagedPolicy.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property description

description: string;

A friendly description of the policy.
Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables."
The policy description is immutable. After a value is assigned, it cannot be changed.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-description

property groups

groups: string[];

The name (friendly name, not ARN) of the group to attach the policy to.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-groups

property managedPolicyName

managedPolicyName: string;

The friendly name of the policy.
> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-managedpolicyname

property path

path: string;

The path for the policy.
For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
> You cannot use an asterisk (*) in the path name.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-ec2-dhcpoptions-path

property policyDocument

policyDocument: any;

The JSON policy document that you want to use as the content for the new policy.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see [IAM and AWS STS character quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length) .
To learn more about JSON policy grammar, see [Grammar of the IAM JSON policy language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) in the *IAM User Guide* .
The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:
- Any printable ASCII character ranging from the space character ( \ u0020 ) through the end of the ASCII character range - The printable characters in the Basic Latin and Latin-1 Supplement character set (through \ u00FF ) - The special characters tab ( \ u0009 ), line feed ( \ u000A ), and carriage return ( \ u000D )
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-policydocument

property roles

roles: string[];

The name (friendly name, not ARN) of the role to attach the policy to.
This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
> If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles

property users

users: string[];

The name (friendly name, not ARN) of the IAM user to attach the policy to.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-users

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnOIDCProvider

class CfnOIDCProvider extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::OIDCProvider
Creates or updates an IAM entity to describe an identity provider (IdP) that supports [OpenID Connect (OIDC)](https://docs.aws.amazon.com/http://openid.net/connect/) .
The OIDC provider that you create with this operation can be used as a principal in a role's trust policy. Such a policy establishes a trust relationship between AWS and the OIDC provider.
When you create the IAM OIDC provider, you specify the following:
- The URL of the OIDC identity provider (IdP) to trust - A list of client IDs (also known as audiences) that identify the application or applications that are allowed to authenticate using the OIDC provider - A list of tags that are attached to the specified IAM OIDC provider - A list of thumbprints of one or more server certificates that the IdP uses
You get all of this information from the OIDC IdP that you want to use to access AWS .
When you update the IAM OIDC provider, you specify the following:
- The URL of the OIDC identity provider (IdP) to trust - A list of client IDs (also known as audiences) that replaces the existing list of client IDs associated with the OIDC IdP - A list of tags that replaces the existing list of tags attached to the specified IAM OIDC provider - A list of thumbprints that replaces the existing list of server certificates thumbprints that the IdP uses
> The trust for the OIDC provider is derived from the IAM provider that this operation creates. Therefore, it is best to limit access to the [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) operation to highly privileged users.
AWS::IAM::OIDCProvider external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html

constructor

constructor(scope: cdk.Construct, id: string, props: CfnOIDCProviderProps);

Create a new AWS::IAM::OIDCProvider.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property attrArn

readonly attrArn: string;

Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::OIDCProvider resource. Arn

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property clientIdList

clientIdList: string[];

A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-clientidlist

property tags

readonly tags: cdk.TagManager;

A list of tags that are attached to the specified IAM OIDC provider. The returned list of tags is sorted by tag key. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-tags

property thumbprintList

thumbprintList: string[];

A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-thumbprintlist

property url

url: string;

The URL that the IAM OIDC provider resource object is associated with. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-url

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnPolicy

class CfnPolicy extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::Policy
Adds or updates an inline policy document that is embedded in the specified IAM user, group, or role.
An IAM user can also have a managed policy attached to it. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
The Groups, Roles, and Users properties are optional. However, you must specify at least one of these properties.
For information about policy documents see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide* .
For information about limits on the number of inline policies that you can embed in an identity, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
AWS::IAM::Policy external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html

constructor

constructor(scope: cdk.Construct, id: string, props: CfnPolicyProps);

Create a new AWS::IAM::Policy.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property groups

groups: string[];

The name of the group to associate the policy with.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-groups

property policyDocument

policyDocument: any;

The policy document.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:
- Any printable ASCII character ranging from the space character ( \ u0020 ) through the end of the ASCII character range - The printable characters in the Basic Latin and Latin-1 Supplement character set (through \ u00FF ) - The special characters tab ( \ u0009 ), line feed ( \ u000A ), and carriage return ( \ u000D )
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument

property policyName

policyName: string;

The name of the policy document.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policyname

property roles

roles: string[];

The name of the role to associate the policy with.
This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
> If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-roles

property users

users: string[];

The name of the user to associate the policy with.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-users

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnRole

class CfnRole extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::Role
Creates a new role for your AWS account . For more information about roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html) . For information about quotas for role names and the number of roles you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
AWS::IAM::Role external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

constructor

constructor(scope: cdk.Construct, id: string, props: CfnRoleProps);

Create a new AWS::IAM::Role.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property assumeRolePolicyDocument

assumeRolePolicyDocument: any;

The trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see [Template Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples) . For more information about the elements that you can use in an IAM policy, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument

property attrArn

readonly attrArn: string;

Returns the Amazon Resource Name (ARN) for the role. For example:
{"Fn::GetAtt" : ["MyRole", "Arn"] }
This will return a value such as arn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF . Arn

property attrRoleId

readonly attrRoleId: string;

Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q .
For more information about IDs, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) in the *IAM User Guide* . RoleId

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property description

description: string;

A description of the role that you provide.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-description

property managedPolicyArns

managedPolicyArns: string[];

A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role.
For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-managepolicyarns

property maxSessionDuration

maxSessionDuration: number;

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default value of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Anyone who assumes the role from the AWS CLI or API can use the DurationSeconds API parameter or the duration-seconds AWS CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter. If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* AWS CLI operations but does not apply when you use those operations to create a console URL. For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-maxsessionduration

property path

path: string;

The path to the role. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-path

property permissionsBoundary

permissionsBoundary: string;

The ARN of the policy used to set the permissions boundary for the role.
For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-permissionsboundary

property policies

policies: any;

Adds or updates an inline policy document that is embedded in the specified IAM role.
When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role. You can update a role's trust policy later. For more information about IAM roles, go to [Using Roles to Delegate Permissions and Federate Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) .
A role can also have an attached managed policy. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
For information about limits on the number of inline policies that you can embed with a role, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
> If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-policies

property roleName

roleName: string;

A name for the IAM role, up to 64 characters in length. For valid values, see the RoleName parameter for the [CreateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) action in the *IAM User Guide* .
This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role name must be unique within the account. Role names are not distinguished by case. For example, you cannot create roles named both "Role1" and "role1".
If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the role name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-rolename

property tags

readonly tags: cdk.TagManager;

A list of tags that are attached to the role. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-tags

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnSAMLProvider

class CfnSAMLProvider extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::SAMLProvider
Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.
The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS .
When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.
> This operation requires [Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) .
For more information, see [Enabling SAML 2.0 federated users to access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) and [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide* .
AWS::IAM::SAMLProvider external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html

constructor

constructor(scope: cdk.Construct, id: string, props: CfnSAMLProviderProps);

Create a new AWS::IAM::SAMLProvider.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property attrArn

readonly attrArn: string;

Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::SAMLProvider resource. Arn

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property name

name: string;

The name of the provider to create.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-name

property samlMetadataDocument

samlMetadataDocument: string;

An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.
For more information, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide*
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-samlmetadatadocument

property tags

readonly tags: cdk.TagManager;

A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-tags

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnServerCertificate

class CfnServerCertificate extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::ServerCertificate
Uploads a server certificate entity for the AWS account . The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.
We recommend that you use [AWS Certificate Manager](https://docs.aws.amazon.com/acm/) to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to AWS resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the [AWS Certificate Manager User Guide](https://docs.aws.amazon.com/acm/latest/userguide/) .
For more information about working with server certificates, see [Working with server certificates](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html) in the *IAM User Guide* . This topic includes a list of AWS services that can use the server certificates that you manage with IAM.
For information about the number of server certificates you can upload, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
> Because the body of the public key certificate, private key, and the certificate chain can be large, you should use POST rather than GET when calling UploadServerCertificate . For information about setting up signatures and authorization through the API, see [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) in the *AWS General Reference* . For general information about using the Query API with IAM, see [Calling the API by making HTTP query requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/programming.html) in the *IAM User Guide* .
AWS::IAM::ServerCertificate external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html

constructor

constructor(scope: cdk.Construct, id: string, props?: CfnServerCertificateProps);

Create a new AWS::IAM::ServerCertificate.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property attrArn

readonly attrArn: string;

Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::ServerCertificate resource. Arn

property certificateBody

certificateBody: string;

The contents of the public key certificate.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatebody

property certificateChain

certificateChain: string;

The contents of the public key certificate chain.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatechain

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property path

path: string;

The path for the server certificate. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
> If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the path parameter. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/ ).
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-path

property privateKey

privateKey: string;

The contents of the private key in PEM-encoded format.
The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:
- Any printable ASCII character ranging from the space character ( \ u0020 ) through the end of the ASCII character range - The printable characters in the Basic Latin and Latin-1 Supplement character set (through \ u00FF ) - The special characters tab ( \ u0009 ), line feed ( \ u000A ), and carriage return ( \ u000D )
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-privatekey

property serverCertificateName

serverCertificateName: string;

The name for the server certificate. Do not include the path in this value. The name of the certificate cannot contain any spaces.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-servercertificatename

property tags

readonly tags: cdk.TagManager;

A list of tags that are attached to the server certificate. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-tags

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnServiceLinkedRole

class CfnServiceLinkedRole extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::ServiceLinkedRole
Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state. Allowing the service to control the role helps improve service stability and proper cleanup when a service and its role are no longer needed. For more information, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the *IAM User Guide* .
To attach a policy to this service-linked role, you must make the request using the AWS service that depends on this role.
AWS::IAM::ServiceLinkedRole external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html

constructor

constructor(scope: cdk.Construct, id: string, props: CfnServiceLinkedRoleProps);

Create a new AWS::IAM::ServiceLinkedRole.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property awsServiceName

awsServiceName: string;

The service principal for the AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com .
Service principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* . Look for the services that have *Yes* in the *Service-Linked Role* column. Choose the *Yes* link to view the service-linked role documentation for that service.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-awsservicename

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property customSuffix

customSuffix: string;

A string that you provide, which is combined with the service-provided prefix to form the complete role name. If you make multiple requests for the same service, then you must supply a different CustomSuffix for each request. Otherwise the request fails with a duplicate role name error. For example, you could add -1 or -debug to the suffix.
Some services do not support the CustomSuffix parameter. If you provide an optional suffix and the operation fails, try the operation again without the suffix.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-customsuffix

property description

description: string;

The description of the role.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-description

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnUser

class CfnUser extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::User
Creates a new IAM user for your AWS account .
For information about quotas for the number of IAM users you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
AWS::IAM::User external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html

constructor

constructor(scope: cdk.Construct, id: string, props?: CfnUserProps);

Create a new AWS::IAM::User.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property attrArn

readonly attrArn: string;

Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::User resource. For example: arn:aws:iam::123456789012:user/mystack-myuser-1CCXAFG2H2U4D . Arn

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property groups

groups: string[];

A list of group names to which you want to add the user.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-groups

property loginProfile

loginProfile: any;

Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console .
You can use the AWS CLI , the AWS API, or the *Users* page in the IAM console to create a password for any IAM user. Use [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) to update your own existing password in the *My Security Credentials* page in the AWS Management Console .
For more information about managing passwords, see [Managing passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-loginprofile

property managedPolicyArns

managedPolicyArns: string[];

A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user.
For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-managepolicyarns

property path

path: string;

The path for the user name. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-path

property permissionsBoundary

permissionsBoundary: string;

The ARN of the managed policy that is used to set the permissions boundary for the user.
A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. To learn more, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide* .
For more information about policy types, see [Policy types](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-permissionsboundary

property policies

policies: any;

Adds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see [Declaring an IAM User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user) .
> The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.
For information about limits on the number of inline policies that you can embed in a user, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-policies

property tags

readonly tags: cdk.TagManager;

A list of tags that you want to attach to the new user. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-tags

property userName

userName: string;

The name of the user to create. Do not include the path in this value.
This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john".
If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-username

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnUserToGroupAddition

class CfnUserToGroupAddition extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::UserToGroupAddition
Adds the specified user to the specified group.
AWS::IAM::UserToGroupAddition external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html

constructor

constructor(
    scope: cdk.Construct,
    id: string,
    props: CfnUserToGroupAdditionProps
);

Create a new AWS::IAM::UserToGroupAddition.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property groupName

groupName: string;

The name of the group to update.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-groupname

property users

users: string[];

A list of the names of the users that you want to add to the group.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-users

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class CfnVirtualMFADevice

class CfnVirtualMFADevice extends cdk.CfnResource implements cdk.IInspectable {}

A CloudFormation AWS::IAM::VirtualMFADevice
Creates a new virtual MFA device for the AWS account . After creating the virtual MFA, use [EnableMFADevice](https://docs.aws.amazon.com/IAM/latest/APIReference/API_EnableMFADevice.html) to attach the MFA device to an IAM user. For more information about creating and working with virtual MFA devices, see [Using a virtual MFA device](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_VirtualMFA.html) in the *IAM User Guide* .
For information about the maximum number of MFA devices you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .
> The seed information contained in the QR code and the Base32 string should be treated like any other secret access information. In other words, protect the seed information as you would your AWS access keys or your passwords. After you provision your virtual device, you should ensure that the information is destroyed following secure procedures.
AWS::IAM::VirtualMFADevice external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html

constructor

constructor(scope: cdk.Construct, id: string, props: CfnVirtualMFADeviceProps);

Create a new AWS::IAM::VirtualMFADevice.
Parameter scope
scope in which this resource is defined
Parameter id
scoped id of the resource
Parameter props
resource properties

property attrSerialNumber

readonly attrSerialNumber: string;

Returns the serial number for the specified AWS::IAM::VirtualMFADevice resource. SerialNumber

property CFN_RESOURCE_TYPE_NAME

static readonly CFN_RESOURCE_TYPE_NAME: string;

The CloudFormation resource type name for this resource class.

property cfnProperties

readonly cfnProperties: { [key: string]: any };

property path

path: string;

The path for the virtual MFA device. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-path

property tags

readonly tags: cdk.TagManager;

A list of tags that you want to attach to the new IAM virtual MFA device. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-tags

property users

users: string[];

The IAM user associated with this virtual MFA device.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-users

property virtualMfaDeviceName

virtualMfaDeviceName: string;

The name of the virtual MFA device, which must be unique. Use with path to uniquely identify a virtual MFA device.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-virtualmfadevicename

method inspect

inspect: (inspector: cdk.TreeInspector) => void;

Examines the CloudFormation resource and discloses attributes.
Parameter inspector
tree inspector to collect and process attributes

method renderProperties

protected renderProperties: (props: { [key: string]: any }) => {
    [key: string]: any;
};

class ComparablePrincipal

class ComparablePrincipal {}

Helper class for working with IComparablePrincipals

method dedupeStringFor

static dedupeStringFor: (x: IPrincipal) => string | undefined;

Return the dedupeString of the given principal, if available

method isComparablePrincipal

static isComparablePrincipal: (x: IPrincipal) => x is IComparablePrincipal;

Whether or not the given principal is a comparable principal

class CompositeDependable

class CompositeDependable implements cdk.IDependable {}

Composite dependable
Not as simple as eagerly getting the dependency roots from the inner dependables, as they may be mutable so we need to defer the query.

constructor

constructor(...dependables: cdk.IDependable[]);

class CompositePrincipal

class CompositePrincipal extends PrincipalBase {}

Represents a principal that has multiple types of principals. A composite principal cannot have conditions. i.e. multiple ServicePrincipals that form a composite principal

constructor

constructor(...principals: IPrincipal[]);

property assumeRoleAction

readonly assumeRoleAction: string;

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

method addPrincipals

addPrincipals: (...principals: IPrincipal[]) => this;

Adds IAM principals to the composite principal. Composite principals cannot have conditions.
Parameter principals
IAM principals that will be added to the composite principal

method addToAssumeRolePolicy

addToAssumeRolePolicy: (doc: PolicyDocument) => void;

method dedupeString

dedupeString: () => string | undefined;

method toString

toString: () => string;

class FederatedPrincipal

class FederatedPrincipal extends PrincipalBase {}

Principal entity that represents a federated identity provider such as Amazon Cognito, that can be used to provide temporary security credentials to users who have been authenticated. Additional condition keys are available when the temporary security credentials are used to make a request. You can use these keys to write policies that limit the access of federated users.
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif

constructor

constructor(
    federated: string,
    conditions: Conditions,
    assumeRoleAction?: string
);

Parameter federated
federated identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)
Parameter conditions
The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
Parameter sessionTags
Whether to enable session tagging (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)

property assumeRoleAction

readonly assumeRoleAction: string;

property conditions

readonly conditions: Conditions;

property federated

readonly federated: string;

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

method dedupeString

dedupeString: () => string | undefined;

method toString

toString: () => string;

class Grant

class Grant implements cdk.IDependable {}

Result of a grant() operation
This class is not instantiable by consumers on purpose, so that they will be required to call the Grant factory functions.

property principalStatement

readonly principalStatement?: PolicyStatement;

The statement that was added to the principal's policy
Can be accessed to (e.g.) add additional conditions to the statement.

property resourceStatement

readonly resourceStatement?: PolicyStatement;

The statement that was added to the resource policy
Can be accessed to (e.g.) add additional conditions to the statement.

property success

readonly success: boolean;

Whether the grant operation was successful

method addToPrincipal

static addToPrincipal: (options: GrantOnPrincipalOptions) => Grant;

Try to grant the given permissions to the given principal
Absence of a principal leads to a warning, but failing to add the permissions to a present principal is not an error.

method addToPrincipalAndResource

static addToPrincipalAndResource: (
    options: GrantOnPrincipalAndResourceOptions
) => Grant;

Add a grant both on the principal and on the resource
As long as any principal is given, granting on the principal may fail (in case of a non-identity principal), but granting on the resource will never fail.
Statement will be the resource statement.

method addToPrincipalOrResource

static addToPrincipalOrResource: (options: GrantWithResourceOptions) => Grant;

Grant the given permissions to the principal
The permissions will be added to the principal policy primarily, falling back to the resource policy if necessary. The permissions must be granted somewhere.
- Trying to grant permissions to a principal that does not admit adding to the principal policy while not providing a resource with a resource policy is an error. - Trying to grant permissions to an absent principal (possible in the case of imported resources) leads to a warning being added to the resource construct.

method applyBefore

applyBefore: (...constructs: cdk.IConstruct[]) => void;

Make sure this grant is applied before the given constructs are deployed
The same as construct.node.addDependency(grant), but slightly nicer to read.

method assertSuccess

assertSuccess: () => void;

Throw an error if this grant wasn't successful

method drop

static drop: (grantee: IGrantable, _intent: string) => Grant;

Returns a "no-op" Grant object which represents a "dropped grant".
This can be used for e.g. imported resources where you may not be able to modify the resource's policy or some underlying policy which you don't know about.
Parameter grantee
The intended grantee
Parameter _intent
The user's intent (will be ignored at the moment)

class Group

class Group extends GroupBase {}

An IAM Group (collection of IAM users) lets you specify permissions for multiple users, which can make it easier to manage permissions for those users.
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

constructor

constructor(scope: Construct, id: string, props?: GroupProps);

property groupArn

readonly groupArn: string;

property groupName

readonly groupName: string;

method addManagedPolicy

addManagedPolicy: (policy: IManagedPolicy) => void;

Attaches a managed policy to this group.
Parameter policy
The managed policy to attach.

method fromGroupArn

static fromGroupArn: (scope: Construct, id: string, groupArn: string) => IGroup;

Import an external group by ARN.
If the imported Group ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) *and* the referenced group has a path (like arn:...:group/AdminGroup/NetworkAdmin), the groupName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Group ARN should be supplied without the path in order to resolve the correct group resource.
Parameter scope
construct scope
Parameter id
construct id
Parameter groupArn
the ARN of the group to import (e.g. arn:aws:iam::account-id:group/group-name)

method fromGroupName

static fromGroupName: (
    scope: Construct,
    id: string,
    groupName: string
) => IGroup;

Import an existing group by given name (with path). This method has same caveats of fromGroupArn
Parameter scope
construct scope
Parameter id
construct id
Parameter groupName
the groupName (path included) of the existing group to import

class LazyRole

class LazyRole extends cdk.Resource implements IRole {}

An IAM role that only gets attached to the construct tree once it gets used, not before
This construct can be used to simplify logic in other constructs which need to create a role but only if certain configurations occur (such as when AutoScaling is configured). The role can be configured in one place, but if it never gets used it doesn't get instantiated and will not be synthesized or deployed.
AWS::IAM::Role

constructor

constructor(scope: Construct, id: string, props: LazyRoleProps);

property assumeRoleAction

readonly assumeRoleAction: string;

property grantPrincipal

readonly grantPrincipal: IPrincipal;

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

property principalAccount

readonly principalAccount: string;

property roleArn

readonly roleArn: string;

Returns the ARN of this role.

property roleId

readonly roleId: string;

Returns the stable and unique string identifying the role (i.e. AIDAJQABLZS4A3QDU576Q)

property roleName

readonly roleName: string;

method addManagedPolicy

addManagedPolicy: (policy: IManagedPolicy) => void;

Attaches a managed policy to this role.
Parameter policy
The managed policy to attach.

method addToPolicy

addToPolicy: (statement: PolicyStatement) => boolean;

method addToPrincipalPolicy

addToPrincipalPolicy: (statement: PolicyStatement) => AddToPrincipalPolicyResult;

Adds a permission to the role's default policy document. If there is no default policy attached to this role, it will be created.
Parameter statement
The permission statement to add to the policy document

method attachInlinePolicy

attachInlinePolicy: (policy: Policy) => void;

Attaches a policy to this role.
Parameter policy
The policy to attach

method grant

grant: (identity: IPrincipal, ...actions: string[]) => Grant;

Grant the actions defined in actions to the identity Principal on this resource.

method grantAssumeRole

grantAssumeRole: (identity: IPrincipal) => Grant;

Grant permissions to the given principal to assume this role.

method grantPassRole

grantPassRole: (identity: IPrincipal) => Grant;

Grant permissions to the given principal to pass this role.

class ManagedPolicy

class ManagedPolicy extends Resource implements IManagedPolicy {}

Managed policy

constructor

constructor(scope: Construct, id: string, props?: ManagedPolicyProps);

property description

readonly description: string;

The description of this policy.

property document

readonly document: PolicyDocument;

The policy document.

property managedPolicyArn

readonly managedPolicyArn: string;

Returns the ARN of this managed policy.

property managedPolicyName

readonly managedPolicyName: string;

The name of this policy.

property path

readonly path: string;

The path of this policy.

method addStatements

addStatements: (...statement: PolicyStatement[]) => void;

Adds a statement to the policy document.

method attachToGroup

attachToGroup: (group: IGroup) => void;

Attaches this policy to a group.

method attachToRole

attachToRole: (role: IRole) => void;

Attaches this policy to a role.

method attachToUser

attachToUser: (user: IUser) => void;

Attaches this policy to a user.

method fromAwsManagedPolicyName

static fromAwsManagedPolicyName: (managedPolicyName: string) => IManagedPolicy;

Import a managed policy from one of the policies that AWS manages.
For this managed policy, you only need to know the name to be able to use it.
Some managed policy names start with "service-role/", some start with "job-function/", and some don't start with anything. Include the prefix when constructing this object.

method fromManagedPolicyArn

static fromManagedPolicyArn: (
    scope: Construct,
    id: string,
    managedPolicyArn: string
) => IManagedPolicy;

Import an external managed policy by ARN.
For this managed policy, you only need to know the ARN to be able to use it. This can be useful if you got the ARN from a CloudFormation Export.
If the imported Managed Policy ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) *and* the referenced managed policy has a path (like arn:...:policy/AdminPolicy/AdminAllow), the managedPolicyName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Managed Policy ARN should be supplied without the path in order to resolve the correct managed policy resource.
Parameter scope
construct scope
Parameter id
construct id
Parameter managedPolicyArn
the ARN of the managed policy to import

method fromManagedPolicyName

static fromManagedPolicyName: (
    scope: Construct,
    id: string,
    managedPolicyName: string
) => IManagedPolicy;

Import a customer managed policy from the managedPolicyName.
For this managed policy, you only need to know the name to be able to use it.

method validate

protected validate: () => string[];

class OpenIdConnectPrincipal

class OpenIdConnectPrincipal extends WebIdentityPrincipal {}

A principal that represents a federated identity provider as from a OpenID Connect provider.

constructor

constructor(
    openIdConnectProvider: IOpenIdConnectProvider,
    conditions?: Conditions
);

Parameter openIdConnectProvider
OpenID Connect provider
Parameter conditions
The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

method toString

toString: () => string;

class OpenIdConnectProvider

class OpenIdConnectProvider extends Resource implements IOpenIdConnectProvider {}

IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce. You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities.
See Also
- http://openid.net/connect
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
  AWS::CloudFormation::CustomResource

constructor

constructor(scope: Construct, id: string, props: OpenIdConnectProviderProps);

Defines an OpenID Connect provider.
Parameter scope
The definition scope
Parameter id
Construct ID
Parameter props
Initialization properties

property openIdConnectProviderArn

readonly openIdConnectProviderArn: string;

The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.

property openIdConnectProviderIssuer

readonly openIdConnectProviderIssuer: string;

property openIdConnectProviderthumbprints

readonly openIdConnectProviderthumbprints: string;

The thumbprints configured for this provider.

method fromOpenIdConnectProviderArn

static fromOpenIdConnectProviderArn: (
    scope: Construct,
    id: string,
    openIdConnectProviderArn: string
) => IOpenIdConnectProvider;

Imports an Open ID connect provider from an ARN.
Parameter scope
The definition scope
Parameter id
ID of the construct
Parameter openIdConnectProviderArn
the ARN to import

class OrganizationPrincipal

class OrganizationPrincipal extends PrincipalBase {}

A principal that represents an AWS Organization

constructor

constructor(organizationId: string);

Parameter organizationId
The unique identifier (ID) of an organization (i.e. o-12345abcde)

property organizationId

readonly organizationId: string;

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

method dedupeString

dedupeString: () => string | undefined;

method toString

toString: () => string;

class PermissionsBoundary

class PermissionsBoundary {}

Modify the Permissions Boundaries of Users and Roles in a construct tree

const policy = iam.ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess');
iam.PermissionsBoundary.of(this).apply(policy);

method apply

apply: (boundaryPolicy: IManagedPolicy) => void;

Apply the given policy as Permissions Boundary to all Roles and Users in the scope.
Will override any Permissions Boundaries configured previously; in case a Permission Boundary is applied in multiple scopes, the Boundary applied closest to the Role wins.

method clear

clear: () => void;

Remove previously applied Permissions Boundaries

method of

static of: (scope: IConstruct) => PermissionsBoundary;

Access the Permissions Boundaries of a construct tree

class Policy

class Policy extends Resource implements IPolicy {}

The AWS::IAM::Policy resource associates an IAM policy with IAM users, roles, or groups. For more information about IAM policies, see [Overview of IAM Policies](http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html) in the IAM User Guide guide.

constructor

constructor(scope: Construct, id: string, props?: PolicyProps);

property document

readonly document: PolicyDocument;

The policy document.

property policyName

readonly policyName: string;

The name of this policy.

method addStatements

addStatements: (...statement: PolicyStatement[]) => void;

Adds a statement to the policy document.

method attachToGroup

attachToGroup: (group: IGroup) => void;

Attaches this policy to a group.

method attachToRole

attachToRole: (role: IRole) => void;

Attaches this policy to a role.

method attachToUser

attachToUser: (user: IUser) => void;

Attaches this policy to a user.

method fromPolicyName

static fromPolicyName: (
    scope: Construct,
    id: string,
    policyName: string
) => IPolicy;

Import a policy in this app based on its name

method validate

protected validate: () => string[];

class PolicyDocument

class PolicyDocument implements cdk.IResolvable {}

A PolicyDocument is a collection of statements

constructor

constructor(props?: PolicyDocumentProps);

property creationStack

readonly creationStack: string[];

property isEmpty

readonly isEmpty: boolean;

Whether the policy document contains any statements.

property statementCount

readonly statementCount: number;

The number of statements already added to this policy. Can be used, for example, to generate unique "sid"s within the policy.

method addStatements

addStatements: (...statement: PolicyStatement[]) => void;

Adds a statement to the policy document.
Parameter statement
the statement to add.

method fromJson

static fromJson: (obj: any) => PolicyDocument;

Creates a new PolicyDocument based on the object provided. This will accept an object created from the .toJSON() call
Parameter obj
the PolicyDocument in object form.

method resolve

resolve: (context: cdk.IResolveContext) => any;

method toJSON

toJSON: () => any;

JSON-ify the document
Used when JSON.stringify() is called

method toString

toString: () => string;

Encode the policy document as a string

method validateForAnyPolicy

validateForAnyPolicy: () => string[];

Validate that all policy statements in the policy document satisfies the requirements for any policy.
Returns
An array of validation error messages, or an empty array if the document is valid.
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

method validateForIdentityPolicy

validateForIdentityPolicy: () => string[];

Validate that all policy statements in the policy document satisfies the requirements for an identity-based policy.
Returns
An array of validation error messages, or an empty array if the document is valid.
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

method validateForResourcePolicy

validateForResourcePolicy: () => string[];

Validate that all policy statements in the policy document satisfies the requirements for a resource-based policy.
Returns
An array of validation error messages, or an empty array if the document is valid.
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

class PolicyStatement

class PolicyStatement {}

Represents a statement in an IAM policy document.

constructor

constructor(props?: PolicyStatementProps);

property actions

readonly actions: string[];

The Actions added to this statement

property conditions

readonly conditions: any;

The conditions added to this statement

property effect

effect: Effect;

Whether to allow or deny the actions in this statement

property hasPrincipal

readonly hasPrincipal: boolean;

Indicates if this permission has a "Principal" section.

property hasResource

readonly hasResource: boolean;

Indicates if this permission has at least one resource associated with it.

property notActions

readonly notActions: string[];

The NotActions added to this statement

property notPrincipals

readonly notPrincipals: IPrincipal[];

The NotPrincipals added to this statement

property notResources

readonly notResources: string[];

The NotResources added to this statement

property principals

readonly principals: IPrincipal[];

The Principals added to this statement

property resources

readonly resources: string[];

The Resources added to this statement

property sid

sid?: string;

Statement ID for this statement

method addAccountCondition

addAccountCondition: (accountId: string) => void;

Add a condition that limits to a given account
This method can only be called once: subsequent calls will overwrite earlier calls.

method addAccountRootPrincipal

addAccountRootPrincipal: () => void;

Adds an AWS account root user principal to this policy statement

method addActions

addActions: (...actions: string[]) => void;

Specify allowed actions into the "Action" section of the policy statement.
Parameter actions
actions that will be allowed.
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html

method addAllResources

addAllResources: () => void;

Adds a ``"*"`` resource to this statement.

method addAnyPrincipal

addAnyPrincipal: () => void;

Adds all identities in all accounts ("*") to this policy statement

method addArnPrincipal

addArnPrincipal: (arn: string) => void;

Specify a principal using the ARN identifier of the principal. You cannot specify IAM groups and instance profiles as principals.
Parameter arn
ARN identifier of AWS account, IAM user, or IAM role (i.e. arn:aws:iam::123456789012:user/user-name)

method addAwsAccountPrincipal

addAwsAccountPrincipal: (accountId: string) => void;

Specify AWS account ID as the principal entity to the "Principal" section of a policy statement.

method addCanonicalUserPrincipal

addCanonicalUserPrincipal: (canonicalUserId: string) => void;

Adds a canonical user ID principal to this policy document
Parameter canonicalUserId
unique identifier assigned by AWS for every account

method addCondition

addCondition: (key: string, value: Condition) => void;

Add a condition to the Policy
If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:
declare const stmt: iam.PolicyStatement; stmt.addCondition('StringEquals', { 'aws:SomeField': '1' }); stmt.addCondition('StringEquals', { 'aws:SomeField': '2' });
Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.
If you meant to add a condition to say that the field can be *either* 1 or 2, write this:
declare const stmt: iam.PolicyStatement; stmt.addCondition('StringEquals', { 'aws:SomeField': ['1', '2'] });

method addConditions

addConditions: (conditions: Conditions) => void;

Add multiple conditions to the Policy
See the addCondition function for a caveat on calling this method multiple times.

method addFederatedPrincipal

addFederatedPrincipal: (federated: any, conditions: Conditions) => void;

Adds a federated identity provider such as Amazon Cognito to this policy statement.
Parameter federated
federated identity provider (i.e. 'cognito-identity.amazonaws.com')
Parameter conditions
The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

method addNotActions

addNotActions: (...notActions: string[]) => void;

Explicitly allow all actions except the specified list of actions into the "NotAction" section of the policy document.
Parameter notActions
actions that will be denied. All other actions will be permitted.
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html

method addNotPrincipals

addNotPrincipals: (...notPrincipals: IPrincipal[]) => void;

Specify principals that is not allowed or denied access to the "NotPrincipal" section of a policy statement.
Parameter notPrincipals
IAM principals that will be denied access
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

method addNotResources

addNotResources: (...arns: string[]) => void;

Specify resources that this policy statement will not apply to in the "NotResource" section of this policy statement. All resources except the specified list will be matched.
Parameter arns
Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html

method addPrincipals

addPrincipals: (...principals: IPrincipal[]) => void;

Adds principals to the "Principal" section of a policy statement.
Parameter principals
IAM principals that will be added
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

method addResources

addResources: (...arns: string[]) => void;

Specify resources that this policy statement applies into the "Resource" section of this policy statement.
Parameter arns
Amazon Resource Names (ARNs) of the resources that this policy statement applies to
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

method addServicePrincipal

addServicePrincipal: (service: string, opts?: ServicePrincipalOpts) => void;

Adds a service principal to this policy statement.
Parameter service
the service name for which a service principal is requested (e.g: s3.amazonaws.com).
Parameter opts
options for adding the service principal (such as specifying a principal in a different region)

method copy

copy: (overrides?: PolicyStatementProps) => PolicyStatement;

Create a new PolicyStatement with the same exact properties as this one, except for the overrides

method fromJson

static fromJson: (obj: any) => PolicyStatement;

Creates a new PolicyStatement based on the object provided. This will accept an object created from the .toJSON() call
Parameter obj
the PolicyStatement in object form.

method toJSON

toJSON: () => any;

JSON-ify the statement
Used when JSON.stringify() is called

method toStatementJson

toStatementJson: () => any;

JSON-ify the policy statement
Used when JSON.stringify() is called

method toString

toString: () => string;

String representation of this policy statement

method validateForAnyPolicy

validateForAnyPolicy: () => string[];

Validate that the policy statement satisfies base requirements for a policy.
Returns
An array of validation error messages, or an empty array if the statement is valid.

method validateForIdentityPolicy

validateForIdentityPolicy: () => string[];

Validate that the policy statement satisfies all requirements for an identity-based policy.
Returns
An array of validation error messages, or an empty array if the statement is valid.

method validateForResourcePolicy

validateForResourcePolicy: () => string[];

Validate that the policy statement satisfies all requirements for a resource-based policy.
Returns
An array of validation error messages, or an empty array if the statement is valid.

class PrincipalBase

abstract class PrincipalBase implements IAssumeRolePrincipal, IComparablePrincipal {}

Base class for policy principals

property assumeRoleAction

readonly assumeRoleAction: string;

When this Principal is used in an AssumeRole policy, the action to use.

property grantPrincipal

readonly grantPrincipal: IPrincipal;

property policyFragment

abstract readonly policyFragment: PrincipalPolicyFragment;

Return the policy fragment that identifies this principal in a Policy.

property principalAccount

readonly principalAccount: string;

method addToAssumeRolePolicy

addToAssumeRolePolicy: (document: PolicyDocument) => void;

method addToPolicy

addToPolicy: (statement: PolicyStatement) => boolean;

method addToPrincipalPolicy

addToPrincipalPolicy: (
    _statement: PolicyStatement
) => AddToPrincipalPolicyResult;

method dedupeString

abstract dedupeString: () => string | undefined;

Return whether or not this principal is equal to the given principal

method toJSON

toJSON: () => { [key: string]: string[] };

JSON-ify the principal
Used when JSON.stringify() is called

method toString

toString: () => string;

method withConditions

withConditions: (conditions: Conditions) => PrincipalBase;

Returns a new PrincipalWithConditions using this principal as the base, with the passed conditions added.
When there is a value for the same operator and key in both the principal and the conditions parameter, the value from the conditions parameter will be used.
Returns
a new PrincipalWithConditions object.

method withSessionTags

withSessionTags: () => PrincipalBase;

Returns a new principal using this principal as the base, with session tags enabled.
Returns
a new SessionTagsPrincipal object.

class PrincipalPolicyFragment

class PrincipalPolicyFragment {}

A collection of the fields in a PolicyStatement that can be used to identify a principal.
This consists of the JSON used in the "Principal" field, and optionally a set of "Condition"s that need to be applied to the policy.
Generally, a principal looks like:
{ '': ['ID', 'ID', ...] }
And this is also the type of the field principalJson. However, there is a special type of principal that is just the string '*', which is treated differently by some services. To represent that principal, principalJson should contain { 'LiteralString': ['*'] }.

constructor

constructor(principalJson: { [key: string]: string[] }, conditions?: Conditions);

Parameter principalJson
JSON of the "Principal" section in a policy statement
Parameter conditions
conditions that need to be applied to this policy

property conditions

readonly conditions: Conditions;

The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

property principalJson

readonly principalJson: { [key: string]: string[] };

class PrincipalWithConditions

class PrincipalWithConditions extends PrincipalAdapter {}

An IAM principal with additional conditions specifying when the policy is in effect.
For more information about conditions, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html

constructor

constructor(principal: IPrincipal, conditions: Conditions);

property conditions

readonly conditions: Record<string, any>;

The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

method addCondition

addCondition: (key: string, value: Condition) => void;

Add a condition to the principal

method addConditions

addConditions: (conditions: Conditions) => void;

Adds multiple conditions to the principal
Values from the conditions parameter will overwrite existing values with the same operator and key.

method dedupeString

dedupeString: () => string | undefined;

method toJSON

toJSON: () => { [key: string]: string[] };

JSON-ify the principal
Used when JSON.stringify() is called

method toString

toString: () => string;

class Role

class Role extends Resource implements IRole {}

IAM Role
Defines an IAM role. The role is created with an assume policy document associated with the specified AWS service principal defined in serviceAssumeRole.

constructor

constructor(scope: Construct, id: string, props: RoleProps);

property assumeRoleAction

readonly assumeRoleAction: string;

property assumeRolePolicy

readonly assumeRolePolicy?: PolicyDocument;

The assume role policy document associated with this role.

property grantPrincipal

readonly grantPrincipal: IPrincipal;

property permissionsBoundary

readonly permissionsBoundary?: IManagedPolicy;

Returns the permissions boundary attached to this role

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

Returns the role.

property principalAccount

readonly principalAccount: string;

property roleArn

readonly roleArn: string;

Returns the ARN of this role.

property roleId

readonly roleId: string;

Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q.

property roleName

readonly roleName: string;

Returns the name of the role.

method addManagedPolicy

addManagedPolicy: (policy: IManagedPolicy) => void;

Attaches a managed policy to this role.
Parameter policy
The the managed policy to attach.

method addToPolicy

addToPolicy: (statement: PolicyStatement) => boolean;

method addToPrincipalPolicy

addToPrincipalPolicy: (statement: PolicyStatement) => AddToPrincipalPolicyResult;

Adds a permission to the role's default policy document. If there is no default policy attached to this role, it will be created.
Parameter statement
The permission statement to add to the policy document

method attachInlinePolicy

attachInlinePolicy: (policy: Policy) => void;

Attaches a policy to this role.
Parameter policy
The policy to attach

method fromRoleArn

static fromRoleArn: (
    scope: Construct,
    id: string,
    roleArn: string,
    options?: FromRoleArnOptions
) => IRole;

Import an external role by ARN.
If the imported Role ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) *and* the referenced role has a path (like arn:...:role/AdminRoles/Alice), the roleName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the path in order to resolve the correct role resource.
Parameter scope
construct scope
Parameter id
construct id
Parameter roleArn
the ARN of the role to import
Parameter options
allow customizing the behavior of the returned role

method fromRoleName

static fromRoleName: (scope: Construct, id: string, roleName: string) => IRole;

Import an external role by name.
The imported role is assumed to exist in the same account as the account the scope's containing Stack is being deployed to.

method grant

grant: (grantee: IPrincipal, ...actions: string[]) => Grant;

Grant the actions defined in actions to the identity Principal on this resource.

method grantAssumeRole

grantAssumeRole: (identity: IPrincipal) => Grant;

Grant permissions to the given principal to assume this role.

method grantPassRole

grantPassRole: (identity: IPrincipal) => Grant;

Grant permissions to the given principal to pass this role.

method validate

protected validate: () => string[];

method withoutPolicyUpdates

withoutPolicyUpdates: (options?: WithoutPolicyUpdatesOptions) => IRole;

Return a copy of this Role object whose Policies will not be updated
Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.
If you do, you are responsible for adding the correct statements to the Role's policies yourself.

class SamlConsolePrincipal

class SamlConsolePrincipal extends SamlPrincipal {}

Principal entity that represents a SAML federated identity provider for programmatic and AWS Management Console access.

constructor

constructor(samlProvider: ISamlProvider, conditions?: Conditions);

method toString

toString: () => string;

class SamlMetadataDocument

abstract class SamlMetadataDocument {}

A SAML metadata document

property xml

abstract readonly xml: string;

The XML content of the metadata document

method fromFile

static fromFile: (path: string) => SamlMetadataDocument;

Create a SAML metadata document from a XML file

method fromXml

static fromXml: (xml: string) => SamlMetadataDocument;

Create a SAML metadata document from a XML string

class SamlPrincipal

class SamlPrincipal extends FederatedPrincipal {}

Principal entity that represents a SAML federated identity provider

constructor

constructor(samlProvider: ISamlProvider, conditions: Conditions);

method toString

toString: () => string;

class SamlProvider

class SamlProvider extends Resource implements ISamlProvider {}

A SAML provider

constructor

constructor(scope: Construct, id: string, props: SamlProviderProps);

property samlProviderArn

readonly samlProviderArn: string;

method fromSamlProviderArn

static fromSamlProviderArn: (
    scope: Construct,
    id: string,
    samlProviderArn: string
) => ISamlProvider;

Import an existing provider

class ServicePrincipal

class ServicePrincipal extends PrincipalBase {}

An IAM principal that represents an AWS service (i.e. sqs.amazonaws.com).

constructor

constructor(service: string, opts?: ServicePrincipalOpts);

Parameter service
AWS service (i.e. sqs.amazonaws.com)

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

property service

readonly service: string;

method dedupeString

dedupeString: () => string | undefined;

method servicePrincipalName

static servicePrincipalName: (service: string) => string;

Translate the given service principal name based on the region it's used in.
For example, for Chinese regions this may (depending on whether that's necessary for the given service principal) append .cn to the name.
The region-info module is used to obtain this information.
Example 1
const principalName = iam.ServicePrincipal.servicePrincipalName('ec2.amazonaws.com');

method toString

toString: () => string;

class SessionTagsPrincipal

class SessionTagsPrincipal extends PrincipalAdapter {}

Enables session tags on role assumptions from a principal
For more information on session tags, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html

constructor

constructor(principal: IPrincipal);

method addToAssumeRolePolicy

addToAssumeRolePolicy: (doc: PolicyDocument) => void;

method dedupeString

dedupeString: () => string | undefined;

class StarPrincipal

class StarPrincipal extends PrincipalBase {}

A principal that uses a literal '*' in the IAM JSON language
Some services behave differently when you specify Principal: "*" or Principal: { AWS: "*" } in their resource policy.
StarPrincipal renders to Principal: *. Most of the time, you should use AnyPrincipal instead.

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

method dedupeString

dedupeString: () => string | undefined;

method toString

toString: () => string;

class UnknownPrincipal

class UnknownPrincipal implements IPrincipal {}

A principal for use in resources that need to have a role but it's unknown
Some resources have roles associated with them which they assume, such as Lambda Functions, CodeBuild projects, StepFunctions machines, etc.
When those resources are imported, their actual roles are not always imported with them. When that happens, we use an instance of this class instead, which will add user warnings when statements are attempted to be added to it.

constructor

constructor(props: UnknownPrincipalProps);

property assumeRoleAction

readonly assumeRoleAction: string;

property grantPrincipal

readonly grantPrincipal: IPrincipal;

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

method addToPolicy

addToPolicy: (statement: PolicyStatement) => boolean;

method addToPrincipalPolicy

addToPrincipalPolicy: (statement: PolicyStatement) => AddToPrincipalPolicyResult;

class User

class User extends Resource implements IIdentity, IUser {}

Define a new IAM user

constructor

constructor(scope: Construct, id: string, props?: UserProps);

property assumeRoleAction

readonly assumeRoleAction: string;

property grantPrincipal

readonly grantPrincipal: IPrincipal;

property permissionsBoundary

readonly permissionsBoundary?: IManagedPolicy;

Returns the permissions boundary attached to this user

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

property principalAccount

readonly principalAccount: string;

property userArn

readonly userArn: string;

An attribute that represents the user's ARN.

property userName

readonly userName: string;

An attribute that represents the user name.

method addManagedPolicy

addManagedPolicy: (policy: IManagedPolicy) => void;

Attaches a managed policy to the user.
Parameter policy
The managed policy to attach.

method addToGroup

addToGroup: (group: IGroup) => void;

Adds this user to a group.

method addToPolicy

addToPolicy: (statement: PolicyStatement) => boolean;

method addToPrincipalPolicy

addToPrincipalPolicy: (statement: PolicyStatement) => AddToPrincipalPolicyResult;

Adds an IAM statement to the default policy.
Returns
true

method attachInlinePolicy

attachInlinePolicy: (policy: Policy) => void;

Attaches a policy to this user.

method fromUserArn

static fromUserArn: (scope: Construct, id: string, userArn: string) => IUser;

Import an existing user given a user ARN.
If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail.
Parameter scope
construct scope
Parameter id
construct id
Parameter userArn
the ARN of an existing user to import

method fromUserAttributes

static fromUserAttributes: (
    scope: Construct,
    id: string,
    attrs: UserAttributes
) => IUser;

Import an existing user given user attributes.
If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail.
Parameter scope
construct scope
Parameter id
construct id
Parameter attrs
the attributes of the user to import

method fromUserName

static fromUserName: (scope: Construct, id: string, userName: string) => IUser;

Import an existing user given a username.
Parameter scope
construct scope
Parameter id
construct id
Parameter userName
the username of the existing user to import

class WebIdentityPrincipal

class WebIdentityPrincipal extends FederatedPrincipal {}

A principal that represents a federated identity provider as Web Identity such as Cognito, Amazon, Facebook, Google, etc.

constructor

constructor(identityProvider: string, conditions?: Conditions);

Parameter identityProvider
identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)
Parameter conditions
The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
Parameter sessionTags
Whether to enable session tagging (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

method toString

toString: () => string;

Interfaces

interface AccessKeyProps

interface AccessKeyProps {}

Properties for defining an IAM access key.

property serial

readonly serial?: number;

A CloudFormation-specific value that signifies the access key should be replaced/rotated. This value can only be incremented. Incrementing this value will cause CloudFormation to replace the Access Key resource.
- No serial value

property status

readonly status?: AccessKeyStatus;

The status of the access key. An Active access key is allowed to be used to make API calls; An Inactive key cannot.
- The access key is active

property user

readonly user: IUser;

The IAM user this key will belong to.
Changing this value will result in the access key being deleted and a new access key (with a different ID and secret value) being assigned to the new user.

interface AddToPrincipalPolicyResult

interface AddToPrincipalPolicyResult {}

Result of calling addToPrincipalPolicy

property policyDependable

readonly policyDependable?: cdk.IDependable;

Dependable which allows depending on the policy change being applied
- Required if statementAdded is true.

property statementAdded

readonly statementAdded: boolean;

Whether the statement was added to the identity's policies.

interface AddToResourcePolicyResult

interface AddToResourcePolicyResult {}

Result of calling addToResourcePolicy

property policyDependable

readonly policyDependable?: cdk.IDependable;

Dependable which allows depending on the policy change being applied
- If statementAdded is true, the resource object itself. Otherwise, no dependable.

property statementAdded

readonly statementAdded: boolean;

Whether the statement was added

interface CfnAccessKeyProps

interface CfnAccessKeyProps {}

Properties for defining a CfnAccessKey
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html

property serial

readonly serial?: number;

This value is specific to CloudFormation and can only be *incremented* . Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-serial

property status

readonly status?: string;

The status of the access key. Active means that the key is valid for API calls, while Inactive means it is not.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-status

property userName

readonly userName: string;

The name of the IAM user that the new key will belong to.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-username

interface CfnGroupProps

interface CfnGroupProps {}

Properties for defining a CfnGroup
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html

property groupName

readonly groupName?: string;

The name of the group to create. Do not include the path in this value.
The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins". If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name.
> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-groupname

property managedPolicyArns

readonly managedPolicyArns?: string[];

The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-managepolicyarns

property path

readonly path?: string;

The path to the group. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-path

property policies

readonly policies?:
    | Array<CfnGroup.PolicyProperty | cdk.IResolvable>
    | cdk.IResolvable;

Adds or updates an inline policy document that is embedded in the specified IAM group. To view AWS::IAM::Group snippets, see [Declaring an IAM Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group) .
> The name of each inline policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.
For information about limits on the number of inline policies that you can embed in a group, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-policies

interface CfnInstanceProfileProps

interface CfnInstanceProfileProps {}

Properties for defining a CfnInstanceProfile
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html

property instanceProfileName

readonly instanceProfileName?: string;

The name of the instance profile to create.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-instanceprofilename

property path

readonly path?: string;

The path to the instance profile. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-path

property roles

readonly roles: string[];

The name of the role to associate with the instance profile. Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-roles

interface CfnManagedPolicyProps

interface CfnManagedPolicyProps {}

Properties for defining a CfnManagedPolicy
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html

property description

readonly description?: string;

A friendly description of the policy.
Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables."
The policy description is immutable. After a value is assigned, it cannot be changed.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-description

property groups

readonly groups?: string[];

The name (friendly name, not ARN) of the group to attach the policy to.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-groups

property managedPolicyName

readonly managedPolicyName?: string;

The friendly name of the policy.
> If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-managedpolicyname

property path

readonly path?: string;

The path for the policy.
For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
> You cannot use an asterisk (*) in the path name.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-ec2-dhcpoptions-path

property policyDocument

readonly policyDocument: any | cdk.IResolvable;

The JSON policy document that you want to use as the content for the new policy.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see [IAM and AWS STS character quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length) .
To learn more about JSON policy grammar, see [Grammar of the IAM JSON policy language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) in the *IAM User Guide* .
The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:
- Any printable ASCII character ranging from the space character ( \ u0020 ) through the end of the ASCII character range - The printable characters in the Basic Latin and Latin-1 Supplement character set (through \ u00FF ) - The special characters tab ( \ u0009 ), line feed ( \ u000A ), and carriage return ( \ u000D )
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-policydocument

property roles

readonly roles?: string[];

The name (friendly name, not ARN) of the role to attach the policy to.
This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
> If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles

property users

readonly users?: string[];

The name (friendly name, not ARN) of the IAM user to attach the policy to.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-users

interface CfnOIDCProviderProps

interface CfnOIDCProviderProps {}

Properties for defining a CfnOIDCProvider
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html

property clientIdList

readonly clientIdList?: string[];

A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-clientidlist

property tags

readonly tags?: cdk.CfnTag[];

A list of tags that are attached to the specified IAM OIDC provider. The returned list of tags is sorted by tag key. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-tags

property thumbprintList

readonly thumbprintList: string[];

A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-thumbprintlist

property url

readonly url?: string;

The URL that the IAM OIDC provider resource object is associated with. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-url

interface CfnPolicyProps

interface CfnPolicyProps {}

Properties for defining a CfnPolicy
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html

property groups

readonly groups?: string[];

The name of the group to associate the policy with.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-groups

property policyDocument

readonly policyDocument: any | cdk.IResolvable;

The policy document.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:
- Any printable ASCII character ranging from the space character ( \ u0020 ) through the end of the ASCII character range - The printable characters in the Basic Latin and Latin-1 Supplement character set (through \ u00FF ) - The special characters tab ( \ u0009 ), line feed ( \ u000A ), and carriage return ( \ u000D )
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument

property policyName

readonly policyName: string;

The name of the policy document.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policyname

property roles

readonly roles?: string[];

The name of the role to associate the policy with.
This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
> If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-roles

property users

readonly users?: string[];

The name of the user to associate the policy with.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-users

interface CfnRoleProps

interface CfnRoleProps {}

Properties for defining a CfnRole
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

property assumeRolePolicyDocument

readonly assumeRolePolicyDocument: any | cdk.IResolvable;

The trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see [Template Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples) . For more information about the elements that you can use in an IAM policy, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument

property description

readonly description?: string;

A description of the role that you provide.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-description

property managedPolicyArns

readonly managedPolicyArns?: string[];

A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role.
For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-managepolicyarns

property maxSessionDuration

readonly maxSessionDuration?: number;

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default value of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Anyone who assumes the role from the AWS CLI or API can use the DurationSeconds API parameter or the duration-seconds AWS CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter. If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* AWS CLI operations but does not apply when you use those operations to create a console URL. For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-maxsessionduration

property path

readonly path?: string;

The path to the role. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-path

property permissionsBoundary

readonly permissionsBoundary?: string;

The ARN of the policy used to set the permissions boundary for the role.
For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-permissionsboundary

property policies

readonly policies?:
    | Array<CfnRole.PolicyProperty | cdk.IResolvable>
    | cdk.IResolvable;

Adds or updates an inline policy document that is embedded in the specified IAM role.
When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role. You can update a role's trust policy later. For more information about IAM roles, go to [Using Roles to Delegate Permissions and Federate Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) .
A role can also have an attached managed policy. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
For information about limits on the number of inline policies that you can embed with a role, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
> If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-policies

property roleName

readonly roleName?: string;

A name for the IAM role, up to 64 characters in length. For valid values, see the RoleName parameter for the [CreateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) action in the *IAM User Guide* .
This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role name must be unique within the account. Role names are not distinguished by case. For example, you cannot create roles named both "Role1" and "role1".
If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the role name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-rolename

property tags

readonly tags?: cdk.CfnTag[];

A list of tags that are attached to the role. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-tags

interface CfnSAMLProviderProps

interface CfnSAMLProviderProps {}

Properties for defining a CfnSAMLProvider
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html

property name

readonly name?: string;

The name of the provider to create.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-name

property samlMetadataDocument

readonly samlMetadataDocument: string;

An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.
For more information, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide*
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-samlmetadatadocument

property tags

readonly tags?: cdk.CfnTag[];

A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-tags

interface CfnServerCertificateProps

interface CfnServerCertificateProps {}

Properties for defining a CfnServerCertificate
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html

property certificateBody

readonly certificateBody?: string;

The contents of the public key certificate.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatebody

property certificateChain

readonly certificateChain?: string;

The contents of the public key certificate chain.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatechain

property path

readonly path?: string;

The path for the server certificate. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
> If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the path parameter. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/ ).
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-path

property privateKey

readonly privateKey?: string;

The contents of the private key in PEM-encoded format.
The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:
- Any printable ASCII character ranging from the space character ( \ u0020 ) through the end of the ASCII character range - The printable characters in the Basic Latin and Latin-1 Supplement character set (through \ u00FF ) - The special characters tab ( \ u0009 ), line feed ( \ u000A ), and carriage return ( \ u000D )
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-privatekey

property serverCertificateName

readonly serverCertificateName?: string;

The name for the server certificate. Do not include the path in this value. The name of the certificate cannot contain any spaces.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-servercertificatename

property tags

readonly tags?: cdk.CfnTag[];

A list of tags that are attached to the server certificate. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-tags

interface CfnServiceLinkedRoleProps

interface CfnServiceLinkedRoleProps {}

Properties for defining a CfnServiceLinkedRole
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html

property awsServiceName

readonly awsServiceName: string;

The service principal for the AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com .
Service principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* . Look for the services that have *Yes* in the *Service-Linked Role* column. Choose the *Yes* link to view the service-linked role documentation for that service.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-awsservicename

property customSuffix

readonly customSuffix?: string;

A string that you provide, which is combined with the service-provided prefix to form the complete role name. If you make multiple requests for the same service, then you must supply a different CustomSuffix for each request. Otherwise the request fails with a duplicate role name error. For example, you could add -1 or -debug to the suffix.
Some services do not support the CustomSuffix parameter. If you provide an optional suffix and the operation fails, try the operation again without the suffix.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-customsuffix

property description

readonly description?: string;

The description of the role.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-description

interface CfnUserProps

interface CfnUserProps {}

Properties for defining a CfnUser
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html

property groups

readonly groups?: string[];

A list of group names to which you want to add the user.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-groups

property loginProfile

readonly loginProfile?: CfnUser.LoginProfileProperty | cdk.IResolvable;

Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console .
You can use the AWS CLI , the AWS API, or the *Users* page in the IAM console to create a password for any IAM user. Use [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) to update your own existing password in the *My Security Credentials* page in the AWS Management Console .
For more information about managing passwords, see [Managing passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-loginprofile

property managedPolicyArns

readonly managedPolicyArns?: string[];

A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user.
For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-managepolicyarns

property path

readonly path?: string;

The path for the user name. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-path

property permissionsBoundary

readonly permissionsBoundary?: string;

The ARN of the managed policy that is used to set the permissions boundary for the user.
A permissions boundary policy defines the maximum permissions that identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity. To learn more, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide* .
For more information about policy types, see [Policy types](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-permissionsboundary

property policies

readonly policies?:
    | Array<CfnUser.PolicyProperty | cdk.IResolvable>
    | cdk.IResolvable;

Adds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see [Declaring an IAM User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user) .
> The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.
For information about limits on the number of inline policies that you can embed in a user, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-policies

property tags

readonly tags?: cdk.CfnTag[];

A list of tags that you want to attach to the new user. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-tags

property userName

readonly userName?: string;

The name of the user to create. Do not include the path in this value.
This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john".
If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .
> Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-username

interface CfnUserToGroupAdditionProps

interface CfnUserToGroupAdditionProps {}

Properties for defining a CfnUserToGroupAddition
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html

property groupName

readonly groupName: string;

The name of the group to update.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-groupname

property users

readonly users: string[];

A list of the names of the users that you want to add to the group.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-users

interface CfnVirtualMFADeviceProps

interface CfnVirtualMFADeviceProps {}

Properties for defining a CfnVirtualMFADevice
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html

property path

readonly path?: string;

The path for the virtual MFA device. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .
This parameter is optional. If it is not included, it defaults to a slash (/).
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \ u0021 ) through the DEL character ( \ u007F ), including most punctuation characters, digits, and upper and lowercased letters.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-path

property tags

readonly tags?: cdk.CfnTag[];

A list of tags that you want to attach to the new IAM virtual MFA device. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .
> If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-tags

property users

readonly users: string[];

The IAM user associated with this virtual MFA device.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-users

property virtualMfaDeviceName

readonly virtualMfaDeviceName?: string;

The name of the virtual MFA device, which must be unique. Use with path to uniquely identify a virtual MFA device.
This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-virtualmfadevicename

interface CommonGrantOptions

interface CommonGrantOptions {}

Basic options for a grant operation

property actions

readonly actions: string[];

The actions to grant

property grantee

readonly grantee: IGrantable;

The principal to grant to
if principal is undefined, no work is done.

property resourceArns

readonly resourceArns: string[];

The resource ARNs to grant to

interface FromRoleArnOptions

interface FromRoleArnOptions {}

Options allowing customizing the behavior of Role.fromRoleArn.

property addGrantsToResources

readonly addGrantsToResources?: boolean;

For immutable roles: add grants to resources instead of dropping them
If this is false or not specified, grant permissions added to this role are ignored. It is your own responsibility to make sure the role has the required permissions.
If this is true, any grant permissions will be added to the resource instead.
false

property mutable

readonly mutable?: boolean;

Whether the imported role can be modified by attaching policy resources to it.
true

interface GrantOnPrincipalAndResourceOptions

interface GrantOnPrincipalAndResourceOptions extends CommonGrantOptions {}

Options for a grant operation to both identity and resource

property resource

readonly resource: IResourceWithPolicy;

The resource with a resource policy
The statement will always be added to the resource policy.

property resourcePolicyPrincipal

readonly resourcePolicyPrincipal?: IPrincipal;

The principal to use in the statement for the resource policy.
- the principal of the grantee will be used

property resourceSelfArns

readonly resourceSelfArns?: string[];

When referring to the resource in a resource policy, use this as ARN.
(Depending on the resource type, this needs to be '*' in a resource policy).
Same as regular resource ARNs

interface GrantOnPrincipalOptions

interface GrantOnPrincipalOptions extends CommonGrantOptions {}

Options for a grant operation that only applies to principals

property scope

readonly scope?: cdk.IConstruct;

Construct to report warnings on in case grant could not be registered
- the construct in which this construct is defined

interface GrantWithResourceOptions

interface GrantWithResourceOptions extends CommonGrantOptions {}

Options for a grant operation

property resource

readonly resource: IResourceWithPolicy;

The resource with a resource policy
The statement will be added to the resource policy if it couldn't be added to the principal policy.

property resourceSelfArns

readonly resourceSelfArns?: string[];

When referring to the resource in a resource policy, use this as ARN.
(Depending on the resource type, this needs to be '*' in a resource policy).
Same as regular resource ARNs

interface GroupProps

interface GroupProps {}

Properties for defining an IAM group

property groupName

readonly groupName?: string;

A name for the IAM group. For valid values, see the GroupName parameter for the CreateGroup action in the IAM API Reference. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.
Generated by CloudFormation (recommended)

property managedPolicies

readonly managedPolicies?: IManagedPolicy[];

A list of managed policies associated with this role.
You can add managed policies later using addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName)).
- No managed policies.

property path

readonly path?: string;

The path to the group. For more information about paths, see [IAM Identifiers](http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?Using_Identifiers.html) in the IAM User Guide.
/

interface IAccessKey

interface IAccessKey extends IResource {}

Represents an IAM Access Key.
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

property accessKeyId

readonly accessKeyId: string;

The Access Key ID.

property secretAccessKey

readonly secretAccessKey: SecretValue;

The Secret Access Key.

interface IAssumeRolePrincipal

interface IAssumeRolePrincipal extends IPrincipal {}

A type of principal that has more control over its own representation in AssumeRolePolicyDocuments
More complex types of identity providers need more control over Role's policy documents than simply { Effect: 'Allow', Action: 'AssumeRole', Principal: <Whatever> }.
If that control is necessary, they can implement IAssumeRolePrincipal to get full access to a Role's AssumeRolePolicyDocument.

method addToAssumeRolePolicy

addToAssumeRolePolicy: (document: PolicyDocument) => void;

Add the princpial to the AssumeRolePolicyDocument
Add the statements to the AssumeRolePolicyDocument necessary to give this principal permissions to assume the given role.

interface IComparablePrincipal

interface IComparablePrincipal extends IPrincipal {}

Interface for principals that can be compared.
This only needs to be implemented for principals that could potentially be value-equal. Identity-equal principals will be handled correctly by default.

method dedupeString

dedupeString: () => string | undefined;

Return a string format of this principal which should be identical if the two principals are the same.

interface IGrantable

interface IGrantable {}

Any object that has an associated principal that a permission can be granted to

property grantPrincipal

readonly grantPrincipal: IPrincipal;

The principal to grant permissions to

interface IGroup

interface IGroup extends IIdentity {}

Represents an IAM Group.
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

property groupArn

readonly groupArn: string;

Returns the IAM Group ARN

property groupName

readonly groupName: string;

Returns the IAM Group Name

interface IIdentity

interface IIdentity extends IPrincipal, IResource {}

A construct that represents an IAM principal, such as a user, group or role.

method addManagedPolicy

addManagedPolicy: (policy: IManagedPolicy) => void;

Attaches a managed policy to this principal.
Parameter policy
The managed policy

method attachInlinePolicy

attachInlinePolicy: (policy: Policy) => void;

Attaches an inline policy to this principal. This is the same as calling policy.addToXxx(principal).
Parameter policy
The policy resource to attach to this principal [disable-awslint:ref-via-interface]

interface IManagedPolicy

interface IManagedPolicy {}

A managed policy

property managedPolicyArn

readonly managedPolicyArn: string;

The ARN of the managed policy

interface IOpenIdConnectProvider

interface IOpenIdConnectProvider extends IResource {}

Represents an IAM OpenID Connect provider.

property openIdConnectProviderArn

readonly openIdConnectProviderArn: string;

The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.

property openIdConnectProviderIssuer

readonly openIdConnectProviderIssuer: string;

The issuer for OIDC Provider

interface IPolicy

interface IPolicy extends IResource {}

Represents an IAM Policy
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html

property policyName

readonly policyName: string;

The name of this policy.

interface IPrincipal

interface IPrincipal extends IGrantable {}

Represents a logical IAM principal.
An IPrincipal describes a logical entity that can perform AWS API calls against sets of resources, optionally under certain conditions.
Examples of simple principals are IAM objects that you create, such as Users or Roles.
An example of a more complex principals is a ServicePrincipal (such as new ServicePrincipal("sns.amazonaws.com"), which represents the Simple Notifications Service).
A single logical Principal may also map to a set of physical principals. For example, new OrganizationPrincipal('o-1234') represents all identities that are part of the given AWS Organization.

property assumeRoleAction

readonly assumeRoleAction: string;

When this Principal is used in an AssumeRole policy, the action to use.

property policyFragment

readonly policyFragment: PrincipalPolicyFragment;

Return the policy fragment that identifies this principal in a Policy.

property principalAccount

readonly principalAccount?: string;

The AWS account ID of this principal. Can be undefined when the account is not known (for example, for service principals). Can be a Token - in that case, it's assumed to be AWS::AccountId.

method addToPolicy

addToPolicy: (statement: PolicyStatement) => boolean;

Add to the policy of this principal.
Returns
true if the statement was added, false if the principal in question does not have a policy document to add the statement to.
Deprecated
Use addToPrincipalPolicy instead.

method addToPrincipalPolicy

addToPrincipalPolicy: (statement: PolicyStatement) => AddToPrincipalPolicyResult;

Add to the policy of this principal.

interface IResourceWithPolicy

interface IResourceWithPolicy extends cdk.IResource {}

A resource with a resource policy that can be added to

method addToResourcePolicy

addToResourcePolicy: (statement: PolicyStatement) => AddToResourcePolicyResult;

Add a statement to the resource's resource policy

interface IRole

interface IRole extends IIdentity {}

A Role object

property roleArn

readonly roleArn: string;

Returns the ARN of this role.

property roleName

readonly roleName: string;

Returns the name of this role.

method grant

grant: (grantee: IPrincipal, ...actions: string[]) => Grant;

Grant the actions defined in actions to the identity Principal on this resource.

method grantAssumeRole

grantAssumeRole: (grantee: IPrincipal) => Grant;

Grant permissions to the given principal to assume this role.

method grantPassRole

grantPassRole: (grantee: IPrincipal) => Grant;

Grant permissions to the given principal to pass this role.

interface ISamlProvider

interface ISamlProvider extends IResource {}

A SAML provider

property samlProviderArn

readonly samlProviderArn: string;

The Amazon Resource Name (ARN) of the provider

interface IUser

interface IUser extends IIdentity {}

Represents an IAM user
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html

property userArn

readonly userArn: string;

The user's ARN

property userName

readonly userName: string;

The user's name

method addToGroup

addToGroup: (group: IGroup) => void;

Adds this user to a group.

interface LazyRoleProps

interface LazyRoleProps extends RoleProps {}

Properties for defining a LazyRole

interface ManagedPolicyProps

interface ManagedPolicyProps {}

Properties for defining an IAM managed policy

property description

readonly description?: string;

A description of the managed policy. Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables." The policy description is immutable. After a value is assigned, it cannot be changed.
- empty

property document

readonly document?: PolicyDocument;

Initial PolicyDocument to use for this ManagedPolicy. If omited, any PolicyStatement provided in the statements property will be applied against the empty default PolicyDocument.
- An empty policy.

property groups

readonly groups?: IGroup[];

Groups to attach this policy to. You can also use attachToGroup(group) to attach this policy to a group.
- No groups.

property managedPolicyName

readonly managedPolicyName?: string;

The name of the managed policy. If you specify multiple policies for an entity, specify unique names. For example, if you specify a list of policies for an IAM role, each policy must have a unique name.
- A name is automatically generated.

property path

readonly path?: string;

The path for the policy. This parameter allows (through its regex pattern) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercased letters.
For more information about paths, see IAM Identifiers in the IAM User Guide.
- "/"

property roles

readonly roles?: IRole[];

Roles to attach this policy to. You can also use attachToRole(role) to attach this policy to a role.
- No roles.

property statements

readonly statements?: PolicyStatement[];

Initial set of permissions to add to this policy document. You can also use addPermission(statement) to add permissions later.
- No statements.

property users

readonly users?: IUser[];

Users to attach this policy to. You can also use attachToUser(user) to attach this policy to a user.
- No users.

interface OpenIdConnectProviderProps

interface OpenIdConnectProviderProps {}

Initialization properties for OpenIdConnectProvider.

property clientIds

readonly clientIds?: string[];

A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)
You can register multiple client IDs with the same provider. For example, you might have multiple applications that use the same OIDC provider. You cannot register more than 100 client IDs with a single IAM OIDC provider.
Client IDs are up to 255 characters long.
- no clients are allowed

property thumbprints

readonly thumbprints?: string[];

A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates.
Typically this list includes only one entry. However, IAM lets you have up to five thumbprints for an OIDC provider. This lets you maintain multiple thumbprints if the identity provider is rotating certificates.
The server certificate thumbprint is the hex-encoded SHA-1 hash value of the X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string.
You must provide at least one thumbprint when creating an IAM OIDC provider. For example, assume that the OIDC provider is server.example.com and the provider stores its keys at https://keys.server.example.com/openid-connect. In that case, the thumbprint string would be the hex-encoded SHA-1 hash value of the certificate used by https://keys.server.example.com.
- If no thumbprints are specified (an empty array or undefined), the thumbprint of the root certificate authority will be obtained from the provider's server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

property url

readonly url: string;

The URL of the identity provider. The URL must begin with https:// and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com.
You cannot register the same provider multiple times in a single AWS account. If you try to submit a URL that has already been used for an OpenID Connect provider in the AWS account, you will get an error.

interface PolicyDocumentProps

interface PolicyDocumentProps {}

Properties for a new PolicyDocument

property assignSids

readonly assignSids?: boolean;

Automatically assign Statement Ids to all statements
false

property minimize

readonly minimize?: boolean;

Try to minimize the policy by merging statements
To avoid overrunning the maximum policy size, combine statements if they produce the same result. Merging happens according to the following rules:
- The Effect of both statements is the same - Neither of the statements have a 'Sid' - Combine Principals if the rest of the statement is exactly the same. - Combine Resources if the rest of the statement is exactly the same. - Combine Actions if the rest of the statement is exactly the same. - We will never combine NotPrincipals, NotResources or NotActions, because doing so would change the meaning of the policy document.
- false, unless the feature flag @aws-cdk/aws-iam:minimizePolicies is set

property statements

readonly statements?: PolicyStatement[];

Initial statements to add to the policy document
- No statements

interface PolicyProps

interface PolicyProps {}

Properties for defining an IAM inline policy document

property document

readonly document?: PolicyDocument;

Initial PolicyDocument to use for this Policy. If omited, any PolicyStatement provided in the statements property will be applied against the empty default PolicyDocument.
- An empty policy.

property force

readonly force?: boolean;

Force creation of an AWS::IAM::Policy
Unless set to true, this Policy construct will not materialize to an AWS::IAM::Policy CloudFormation resource in case it would have no effect (for example, if it remains unattached to an IAM identity or if it has no statements). This is generally desired behavior, since it prevents creating invalid--and hence undeployable--CloudFormation templates.
In cases where you know the policy must be created and it is actually an error if no statements have been added to it, you can set this to true.
false

property groups

readonly groups?: IGroup[];

Groups to attach this policy to. You can also use attachToGroup(group) to attach this policy to a group.
- No groups.

property policyName

readonly policyName?: string;

The name of the policy. If you specify multiple policies for an entity, specify unique names. For example, if you specify a list of policies for an IAM role, each policy must have a unique name.
- Uses the logical ID of the policy resource, which is ensured to be unique within the stack.

property roles

readonly roles?: IRole[];

Roles to attach this policy to. You can also use attachToRole(role) to attach this policy to a role.
- No roles.

property statements

readonly statements?: PolicyStatement[];

Initial set of permissions to add to this policy document. You can also use addStatements(...statement) to add permissions later.
- No statements.

property users

readonly users?: IUser[];

Users to attach this policy to. You can also use attachToUser(user) to attach this policy to a user.
- No users.

interface PolicyStatementProps

interface PolicyStatementProps {}

Interface for creating a policy statement

property actions

readonly actions?: string[];

List of actions to add to the statement
- no actions

property conditions

readonly conditions?: {
    [key: string]: any;
};

Conditions to add to the statement
- no condition

property effect

readonly effect?: Effect;

Whether to allow or deny the actions in this statement
Effect.ALLOW

property notActions

readonly notActions?: string[];

List of not actions to add to the statement
- no not-actions

property notPrincipals

readonly notPrincipals?: IPrincipal[];

List of not principals to add to the statement
- no not principals

property notResources

readonly notResources?: string[];

NotResource ARNs to add to the statement
- no not-resources

property principals

readonly principals?: IPrincipal[];

List of principals to add to the statement
- no principals

property resources

readonly resources?: string[];

Resource ARNs to add to the statement
- no resources

property sid

readonly sid?: string;

The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an ID element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document's ID. In IAM, the Sid value must be unique within a JSON policy.
- no sid

interface RoleProps

interface RoleProps {}

Properties for defining an IAM Role

property assumedBy

readonly assumedBy: IPrincipal;

The IAM principal (i.e. new ServicePrincipal('sns.amazonaws.com')) which can assume this role.
You can later modify the assume role policy document by accessing it via the assumeRolePolicy property.

property description

readonly description?: string;

A description of the role. It can be up to 1000 characters long.
- No description.

property externalId

readonly externalId?: string;

ID that the role assumer needs to provide when assuming this role
If the configured and provided external IDs do not match, the AssumeRole operation will fail.
Deprecated
see externalIds
No external ID required

property externalIds

readonly externalIds?: string[];

List of IDs that the role assumer needs to provide one of when assuming this role
If the configured and provided external IDs do not match, the AssumeRole operation will fail.
No external ID required

property inlinePolicies

readonly inlinePolicies?: {
    [name: string]: PolicyDocument;
};

A list of named policies to inline into this role. These policies will be created with the role, whereas those added by ``addToPolicy`` are added using a separate CloudFormation resource (allowing a way around circular dependencies that could otherwise be introduced).
- No policy is inlined in the Role resource.

property managedPolicies

readonly managedPolicies?: IManagedPolicy[];

A list of managed policies associated with this role.
You can add managed policies later using addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName)).
- No managed policies.

property maxSessionDuration

readonly maxSessionDuration?: Duration;

The maximum session duration that you want to set for the specified role. This setting can have a value from 1 hour (3600sec) to 12 (43200sec) hours.
Anyone who assumes the role from the AWS CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter.
If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
Duration.hours(1)

property path

readonly path?: string;

The path associated with this role. For information about IAM paths, see Friendly Names and Paths in IAM User Guide.
/

property permissionsBoundary

readonly permissionsBoundary?: IManagedPolicy;

AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-permissionsboundary https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
- No permissions boundary.

property roleName

readonly roleName?: string;

A name for the IAM role. For valid values, see the RoleName parameter for the CreateRole action in the IAM API Reference.
IMPORTANT: If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.
- AWS CloudFormation generates a unique physical ID and uses that ID for the role name.

interface SamlProviderProps

interface SamlProviderProps {}

Properties for a SAML provider

property metadataDocument

readonly metadataDocument: SamlMetadataDocument;

An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.

property name

readonly name?: string;

The name of the provider to create.
This parameter allows a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
Length must be between 1 and 128 characters.
- a CloudFormation generated name

interface ServicePrincipalOpts

interface ServicePrincipalOpts {}

Options for a service principal.

property conditions

readonly conditions?: {
    [key: string]: any;
};

Additional conditions to add to the Service Principal
- No conditions

property region

readonly region?: string;

The region in which the service is operating.
- the current Stack's region.
Deprecated
You should not need to set this. The stack's region is always correct.

interface UnknownPrincipalProps

interface UnknownPrincipalProps {}

Properties for an UnknownPrincipal

property resource

readonly resource: IConstruct;

The resource the role proxy is for

interface UserAttributes

interface UserAttributes {}

Represents a user defined outside of this stack.

property userArn

readonly userArn: string;

The ARN of the user.
Format: arn::iam:::user/

interface UserProps

interface UserProps {}

Properties for defining an IAM user

property groups

readonly groups?: IGroup[];

Groups to add this user to. You can also use addToGroup to add this user to a group.
- No groups.

property managedPolicies

readonly managedPolicies?: IManagedPolicy[];

A list of managed policies associated with this role.
You can add managed policies later using addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName)).
- No managed policies.

property password

readonly password?: SecretValue;

The password for the user. This is required so the user can access the AWS Management Console.
You can use SecretValue.unsafePlainText to specify a password in plain text or use secretsmanager.Secret.fromSecretAttributes to reference a secret in Secrets Manager.
- User won't be able to access the management console without a password.

property passwordResetRequired

readonly passwordResetRequired?: boolean;

Specifies whether the user is required to set a new password the next time the user logs in to the AWS Management Console.
If this is set to 'true', you must also specify "initialPassword".
false

property path

readonly path?: string;

The path for the user name. For more information about paths, see IAM Identifiers in the IAM User Guide.
/

property permissionsBoundary

readonly permissionsBoundary?: IManagedPolicy;

AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-permissionsboundary https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
- No permissions boundary.

property userName

readonly userName?: string;

A name for the IAM user. For valid values, see the UserName parameter for the CreateUser action in the IAM API Reference. If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name.
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.
- Generated by CloudFormation (recommended)

interface WithoutPolicyUpdatesOptions

interface WithoutPolicyUpdatesOptions {}

Options for the withoutPolicyUpdates() modifier of a Role

property addGrantsToResources

readonly addGrantsToResources?: boolean;

Add grants to resources instead of dropping them
If this is false or not specified, grant permissions added to this role are ignored. It is your own responsibility to make sure the role has the required permissions.
If this is true, any grant permissions will be added to the resource instead.
false

Enums

enum AccessKeyStatus

enum AccessKeyStatus {
    ACTIVE = 'Active',
    INACTIVE = 'Inactive',
}

Valid statuses for an IAM Access Key.

member ACTIVE

ACTIVE = 'Active'

An active access key. An active key can be used to make API calls.

member INACTIVE

INACTIVE = 'Inactive'

An inactive access key. An inactive key cannot be used to make API calls.

enum Effect

enum Effect {
    ALLOW = 'Allow',
    DENY = 'Deny',
}

The Effect element of an IAM policy
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html

member ALLOW

ALLOW = 'Allow'

Allows access to a resource in an IAM policy statement. By default, access to resources are denied.

member DENY

DENY = 'Deny'

Explicitly deny access to a resource. By default, all requests are denied implicitly.
See Also
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Type Aliases

type Condition

type Condition = any;

Condition for when an IAM policy is in effect. Maps from the keys in a request's context to a string value or array of string values. See the Conditions interface for more details.

type Conditions

type Conditions = Record<string, Condition>;

Conditions for when an IAM Policy is in effect, specified in the following structure:
{ "Operator": { "keyInRequestContext": "value" } }
The value can be either a single string value or an array of string values.
For more information, including which operators are supported, see [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

Namespaces

namespace CfnGroup

namespace CfnGroup {}

interface PolicyProperty

interface PolicyProperty {}

Contains information about an attached policy.
An attached policy is a managed policy that has been attached to a user, group, or role.
For more information about managed policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html

property policyDocument

readonly policyDocument: any | cdk.IResolvable;

The policy document.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policydocument

property policyName

readonly policyName: string;

The friendly name (not ARN) identifying the policy.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policyname

namespace CfnRole

namespace CfnRole {}

interface PolicyProperty

interface PolicyProperty {}

Contains information about an attached policy.
An attached policy is a managed policy that has been attached to a user, group, or role.
For more information about managed policies, refer to [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html

property policyDocument

readonly policyDocument: any | cdk.IResolvable;

The entire contents of the policy that defines permissions. For more information, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policydocument

property policyName

readonly policyName: string;

The friendly name (not ARN) identifying the policy.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policyname

namespace CfnUser

namespace CfnUser {}

interface LoginProfileProperty

interface LoginProfileProperty {}

Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console . For more information about managing passwords, see [Managing Passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide* .
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html

property password

readonly password: string;

The user's password.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html#cfn-iam-user-loginprofile-password

property passwordResetRequired

readonly passwordResetRequired?: boolean | cdk.IResolvable;

Specifies whether the user is required to set a new password on next sign-in.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html#cfn-iam-user-loginprofile-passwordresetrequired

interface PolicyProperty

interface PolicyProperty {}

Contains information about an attached policy.
An attached policy is a managed policy that has been attached to a user, group, or role.
For more information about managed policies, refer to [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .
external
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html

property policyDocument

readonly policyDocument: any | cdk.IResolvable;

The entire contents of the policy that defines permissions. For more information, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) .
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policydocument

property policyName

readonly policyName: string;

The friendly name (not ARN) identifying the policy.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policyname

Package Files (18)

Dependencies (4)

Dev Dependencies (10)

Peer Dependencies (3)

Badge

To add a badge like this oneto your package's README, use the codes available below.

You may also use Shields.io to create a custom badge linking to https://www.jsdocs.io/package/@aws-cdk/aws-iam.

Markdown

[![jsDocs.io](https://img.shields.io/badge/jsDocs.io-reference-blue)](https://www.jsdocs.io/package/@aws-cdk/aws-iam)

HTML

<a href="https://www.jsdocs.io/package/@aws-cdk/aws-iam"><img src="https://img.shields.io/badge/jsDocs.io-reference-blue" alt="jsDocs.io"></a>

Updated 9 months ago.
Package analyzed in 5018 ms.
Missing or incorrect documentation? Open an issue for this package.

@aws-cdk/aws-iam

Install

Overview

Index

Classes

Interfaces

Enums

Type Aliases

Namespaces

Classes

class AccessKey

property accessKeyId

property secretAccessKey

class AccountPrincipal

Parameter accountId

property accountId

property principalAccount

method toString

class AccountRootPrincipal

method toString

class Anyone

Deprecated

class AnyPrincipal

method toString

class ArnPrincipal

See Also

Parameter arn

property arn

property policyFragment

method dedupeString

method inOrganization

method toString

class CanonicalUserPrincipal

Parameter canonicalUserId

property canonicalUserId

property policyFragment

method dedupeString

method toString

class CfnAccessKey

Parameter scope

Parameter id

Parameter props

property attrSecretAccessKey

property CFN_RESOURCE_TYPE_NAME

property cfnProperties

property serial

property status

property userName

method inspect

Parameter inspector

method renderProperties

class CfnGroup

Parameter scope

Parameter id

Parameter props

property attrArn

property CFN_RESOURCE_TYPE_NAME

property cfnProperties

property groupName

property managedPolicyArns

property path

property policies

method inspect

Parameter inspector

method renderProperties

class CfnInstanceProfile

Parameter scope

Parameter id

Parameter props

property attrArn

property CFN_RESOURCE_TYPE_NAME

property cfnProperties

property instanceProfileName

property path

property roles

method inspect

Parameter inspector

method renderProperties

class CfnManagedPolicy

Parameter scope