@aws-cdk/aws-iam

  • Version 1.156.1
  • Published
  • 2.34 MB
  • 4 dependencies
  • Apache-2.0 license

Install

npm i @aws-cdk/aws-iam
yarn add @aws-cdk/aws-iam
pnpm add @aws-cdk/aws-iam

Overview

CDK routines for easily assigning correct and minimal IAM permissions


Classes

class AccessKey

class AccessKey extends Resource implements IAccessKey {}
  • Define a new IAM access key. Access keys are long-lived static credentials; prefer IAM roles (temporary credentials) wherever the workload supports them. When a key is unavoidable, treat `secretAccessKey` as a secret: write it to a secrets store, never to a stack output, a log line, or plaintext configuration.

constructor

constructor(scope: Construct, id: string, props: AccessKeyProps);

    property accessKeyId

    readonly accessKeyId: string;

      property secretAccessKey

      readonly secretAccessKey: SecretValue;

        class AccountPrincipal

        class AccountPrincipal extends ArnPrincipal {}
        • Specify an AWS account ID as the principal entity in a policy to delegate authority to that account. Note that delegating to an account means any IAM identity in that account whose own identity-based policy allows the action can use the grant — it is not limited to the account's root user.

        constructor

        constructor(accountId: any);
        • Parameter accountId

          AWS account ID (e.g. 123456789012)

        property accountId

        readonly accountId: any;

          property principalAccount

          readonly principalAccount: string;

            method toString

            toString: () => string;

              class AccountRootPrincipal

              class AccountRootPrincipal extends AccountPrincipal {}
              • Use the AWS account into which a stack is deployed as the principal entity in a policy. Despite the name, this is an AccountPrincipal for the deployment account: it delegates to the account as a whole (subject to each identity's own IAM policies), not exclusively to the root user.

              constructor

              constructor();

                method toString

                toString: () => string;

                  class Anyone

                  class Anyone extends AnyPrincipal {}
                  • A principal representing all identities in all accounts

                    Deprecated

                    use AnyPrincipal

                  class AnyPrincipal

                  class AnyPrincipal extends ArnPrincipal {}
                  • A principal representing all AWS identities in all accounts

                    Some services behave differently when you specify Principal: '*' or Principal: { AWS: "*" } in their resource policy.

                    AnyPrincipal renders to `Principal: { AWS: "*" }`, which matches every AWS identity in every account. In a resource policy this makes the resource reachable from any AWS account unless a `Condition` narrows it (for example via `inOrganization`), so only use it together with such a restriction. Where a service requires the bare `Principal: "*"` form instead, use StarPrincipal.

                  constructor

                  constructor();

                    method toString

                    toString: () => string;

                      class ArnPrincipal

                      class ArnPrincipal extends PrincipalBase {}
                      • Specify a principal by the Amazon Resource Name (ARN). You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions. You cannot specify IAM groups or instance profiles as principals

                        See Also

                        • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

                      constructor

                      constructor(arn: string);
                      • Parameter arn

                        Amazon Resource Name (ARN) of the principal entity (e.g. arn:aws:iam::123456789012:user/user-name)

                      property arn

                      readonly arn: string;

                        property policyFragment

                        readonly policyFragment: PrincipalPolicyFragment;

                          method inOrganization

                          inOrganization: (organizationId: string) => PrincipalBase;
                          • A convenience method for adding a condition that restricts the principal to members of the specified AWS Organization. Commonly used to scope a broad principal (for example AnyPrincipal) to your own organization instead of every AWS account.

                          method toString

                          toString: () => string;

                            class CanonicalUserPrincipal

                            class CanonicalUserPrincipal extends PrincipalBase {}
                            • A policy principal for canonicalUserIds - useful for S3 bucket policies that use Origin Access identities.

                              See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html

                              and

                              https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

                              for more details.

                            constructor

                            constructor(canonicalUserId: string);
                            • Parameter canonicalUserId

                              Unique identifier assigned by AWS to every account. The root user and all IAM users of an account share the same canonical ID (e.g. 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be).

                            property canonicalUserId

                            readonly canonicalUserId: string;

                              property policyFragment

                              readonly policyFragment: PrincipalPolicyFragment;

                                method toString

                                toString: () => string;

                                  class CfnAccessKey

                                  class CfnAccessKey extends cdk.CfnResource implements cdk.IInspectable {}
                                  • A CloudFormation AWS::IAM::AccessKey

                                    Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active .

                                    If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials, even if the AWS account has no associated users. Avoid creating root user access keys: root permissions cannot be restricted with IAM policies, so a leaked root key compromises the entire account.

                                    For information about quotas on the number of keys you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .

                                    > To ensure the security of your AWS account, the secret access key is accessible only during key and user creation. You must save the key if you want to be able to access it again — store it in a secrets manager or another encrypted secret store, not in a plain text file or a CloudFormation stack output. If a secret key is lost, delete the access keys for the associated user and then create new keys.

                                    AWS::IAM::AccessKey external

                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html

                                  constructor

                                  constructor(scope: cdk.Construct, id: string, props: CfnAccessKeyProps);
                                  • Create a new AWS::IAM::AccessKey.

                                    Parameter scope

                                    scope in which this resource is defined

                                    Parameter id

                                    scoped id of the resource

                                    Parameter props

                                    resource properties

                                  property attrSecretAccessKey

                                  readonly attrSecretAccessKey: string;
                                  • Returns the secret access key for the specified AWS::IAM::AccessKey resource. For example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY. Anything you reference this attribute from (a stack output, an environment variable on another resource) exposes the secret in plaintext to whoever can read that resource or output; the higher-level AccessKey construct wraps it in a SecretValue for this reason. SecretAccessKey

                                  property CFN_RESOURCE_TYPE_NAME

                                  static readonly CFN_RESOURCE_TYPE_NAME: string;
                                  • The CloudFormation resource type name for this resource class.

                                  property cfnProperties

                                  readonly cfnProperties: { [key: string]: any };

                                    property serial

                                    serial: number;
                                    • This value is specific to CloudFormation and can only be *incremented*. Incrementing this value notifies CloudFormation that you want to rotate your access key: on the next stack update CloudFormation creates a new key and then deletes the existing one as part of the replacement. Anything still using the old key will start failing once the old key is removed, so distribute the new credentials before the rotation completes.

                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-serial

                                    property status

                                    status: string;
                                    • The status of the access key. Active means that the key is valid for API calls, while Inactive means it is not. Setting a key to Inactive disables it without deleting it, which is useful during rotation or when a key is suspected to be compromised.

                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-status

                                    property userName

                                    userName: string;
                                    • The name of the IAM user that the new key will belong to.

                                      This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-username

                                    method inspect

                                    inspect: (inspector: cdk.TreeInspector) => void;
                                    • Examines the CloudFormation resource and discloses attributes.

                                      Parameter inspector

                                      tree inspector to collect and process attributes

                                    method renderProperties

                                    protected renderProperties: (props: { [key: string]: any }) => {
                                    [key: string]: any;
                                    };

                                      class CfnGroup

                                      class CfnGroup extends cdk.CfnResource implements cdk.IInspectable {}
                                      • A CloudFormation AWS::IAM::Group

                                        Creates a new group.

                                        For information about the number of groups you can create, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .

                                        AWS::IAM::Group external

                                        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html

                                      constructor

                                      constructor(scope: cdk.Construct, id: string, props?: CfnGroupProps);
                                      • Create a new AWS::IAM::Group.

                                        Parameter scope

                                        scope in which this resource is defined

                                        Parameter id

                                        scoped id of the resource

                                        Parameter props

                                        resource properties

                                      property attrArn

                                      readonly attrArn: string;
                                      • Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::Group resource. For example: arn:aws:iam::123456789012:group/mystack-mygroup-1DZETITOWEKVO . Arn

                                      property CFN_RESOURCE_TYPE_NAME

                                      static readonly CFN_RESOURCE_TYPE_NAME: string;
                                      • The CloudFormation resource type name for this resource class.

                                      property cfnProperties

                                      readonly cfnProperties: { [key: string]: any };

                                        property groupName

                                        groupName: string;
                                        • The name of the group to create. Do not include the path in this value.

                                          The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins". If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name.

                                          > If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

                                          If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .

                                          > Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .

                                          http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-groupname

                                        property managedPolicyArns

                                        managedPolicyArns: string[];
                                        • The Amazon Resource Names (ARNs) of the managed IAM policies to attach to the group.

                                          For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .

                                          http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-managepolicyarns

                                        property path

                                        path: string;
                                        • The path to the group. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                          This parameter is optional. If it is not included, it defaults to a slash (/).

                                          This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercased letters.

                                          http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-path

                                        property policies

                                        policies: any;
                                        • Adds or updates an inline policy document that is embedded in the specified IAM group. To view AWS::IAM::Group snippets, see [Declaring an IAM Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group) .

                                          > The name of each inline policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.

                                          For information about limits on the number of inline policies that you can embed in a group, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .

                                          http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-policies

                                        method inspect

                                        inspect: (inspector: cdk.TreeInspector) => void;
                                        • Examines the CloudFormation resource and discloses attributes.

                                          Parameter inspector

                                          tree inspector to collect and process attributes

                                        method renderProperties

                                        protected renderProperties: (props: { [key: string]: any }) => {
                                        [key: string]: any;
                                        };

                                          class CfnInstanceProfile

                                          class CfnInstanceProfile extends cdk.CfnResource implements cdk.IInspectable {}
                                          • A CloudFormation AWS::IAM::InstanceProfile

                                            Creates a new instance profile. For information about instance profiles, see [Using instance profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) .

                                            For information about the number of instance profiles you can create, see [IAM object quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .

                                            AWS::IAM::InstanceProfile external

                                            http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html

                                          constructor

                                          constructor(scope: cdk.Construct, id: string, props: CfnInstanceProfileProps);
                                          • Create a new AWS::IAM::InstanceProfile.

                                            Parameter scope

                                            scope in which this resource is defined

                                            Parameter id

                                            scoped id of the resource

                                            Parameter props

                                            resource properties

                                          property attrArn

                                          readonly attrArn: string;
                                          • Returns the Amazon Resource Name (ARN) for the instance profile. For example:

                                            {"Fn::GetAtt" : ["MyProfile", "Arn"] }

                                            This returns a value such as arn:aws:iam::123456789012:instance-profile/MyProfile-ASDNSDLKJ . Arn

                                          property CFN_RESOURCE_TYPE_NAME

                                          static readonly CFN_RESOURCE_TYPE_NAME: string;
                                          • The CloudFormation resource type name for this resource class.

                                          property cfnProperties

                                          readonly cfnProperties: { [key: string]: any };

                                            property instanceProfileName

                                            instanceProfileName: string;
                                            • The name of the instance profile to create.

                                              This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-instanceprofilename

                                            property path

                                            path: string;
                                            • The path to the instance profile. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                              This parameter is optional. If it is not included, it defaults to a slash (/).

                                              This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercased letters.

                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-path

                                            property roles

                                            roles: string[];
                                            • The name of the role to associate with the instance profile. Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.

                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-roles

                                            method inspect

                                            inspect: (inspector: cdk.TreeInspector) => void;
                                            • Examines the CloudFormation resource and discloses attributes.

                                              Parameter inspector

                                              tree inspector to collect and process attributes

                                            method renderProperties

                                            protected renderProperties: (props: { [key: string]: any }) => {
                                            [key: string]: any;
                                            };

                                              class CfnManagedPolicy

                                              class CfnManagedPolicy extends cdk.CfnResource implements cdk.IInspectable {}
                                              • A CloudFormation AWS::IAM::ManagedPolicy

                                                Creates a new managed policy for your AWS account .

                                                This operation creates a policy version with a version identifier of v1 and sets v1 as the policy's default version. For more information about policy versions, see [Versioning for managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-versions.html) in the *IAM User Guide* .

                                                As a best practice, you can validate your IAM policies. To learn more, see [Validating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html) in the *IAM User Guide* .

                                                For more information about managed policies in general, see [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .

                                                AWS::IAM::ManagedPolicy external

                                                http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html

                                              constructor

                                              constructor(scope: cdk.Construct, id: string, props: CfnManagedPolicyProps);
                                              • Create a new AWS::IAM::ManagedPolicy.

                                                Parameter scope

                                                scope in which this resource is defined

                                                Parameter id

                                                scoped id of the resource

                                                Parameter props

                                                resource properties

                                              property CFN_RESOURCE_TYPE_NAME

                                              static readonly CFN_RESOURCE_TYPE_NAME: string;
                                              • The CloudFormation resource type name for this resource class.

                                              property cfnProperties

                                              readonly cfnProperties: { [key: string]: any };

                                                property description

                                                description: string;
                                                • A friendly description of the policy.

                                                  Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables."

                                                  The policy description is immutable. After a value is assigned, it cannot be changed.

                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-description

                                                property groups

                                                groups: string[];
                                                • The names (friendly names, not ARNs) of the groups to attach the policy to.

                                                  This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-groups

                                                property managedPolicyName

                                                managedPolicyName: string;
                                                • The friendly name of the policy.

                                                  > If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

                                                  If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .

                                                  > Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .

                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-managedpolicyname

                                                property path

                                                path: string;
                                                • The path for the policy.

                                                  For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                                  This parameter is optional. If it is not included, it defaults to a slash (/).

                                                  This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercased letters.

                                                  > You cannot use an asterisk (*) in the path name.

                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-path

                                                property policyDocument

                                                policyDocument: any;
                                                • The JSON policy document that you want to use as the content for the new policy.

                                                  You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.

                                                  The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see [IAM and AWS STS character quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length) .

                                                  To learn more about JSON policy grammar, see [Grammar of the IAM JSON policy language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) in the *IAM User Guide* .

                                                  The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:

                                                  - Any printable ASCII character ranging from the space character (\u0020) through the end of the ASCII character range - The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF) - The special characters tab (\u0009), line feed (\u000A), and carriage return (\u000D)

                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-policydocument

                                                property roles

                                                roles: string[];
                                                • The name (friendly name, not ARN) of the role to attach the policy to.

                                                  This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                  > If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.

                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles

                                                property users

                                                users: string[];
                                                • The name (friendly name, not ARN) of the IAM user to attach the policy to.

                                                  This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-users

                                                method inspect

                                                inspect: (inspector: cdk.TreeInspector) => void;
                                                • Examines the CloudFormation resource and discloses attributes.

                                                  Parameter inspector

                                                  tree inspector to collect and process attributes

                                                method renderProperties

                                                protected renderProperties: (props: { [key: string]: any }) => {
                                                [key: string]: any;
                                                };

                                                  class CfnOIDCProvider

                                                  class CfnOIDCProvider extends cdk.CfnResource implements cdk.IInspectable {}
                                                  • A CloudFormation AWS::IAM::OIDCProvider

                                                    Creates an IAM entity to describe an identity provider (IdP) that supports [OpenID Connect (OIDC)](http://openid.net/connect/) .

                                                    The OIDC provider that you create with this operation can be used as a principal in a role's trust policy. Such a policy establishes a trust relationship between AWS and the OIDC provider.

                                                    When you create the IAM OIDC provider, you specify the following:

                                                    - The URL of the OIDC identity provider (IdP) to trust
                                                    - A list of client IDs (also known as audiences) that identify the application or applications that are allowed to authenticate using the OIDC provider
                                                    - A list of thumbprints of one or more server certificates that the IdP uses

                                                    You get all of this information from the OIDC IdP that you want to use to access AWS .

                                                    > The trust for the OIDC provider is derived from the IAM provider that this operation creates. Therefore, it is best to limit access to the [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) operation to highly privileged users.

                                                    AWS::IAM::OIDCProvider external

                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html

                                                  constructor

                                                  constructor(scope: cdk.Construct, id: string, props: CfnOIDCProviderProps);
                                                  • Create a new AWS::IAM::OIDCProvider.

                                                    Parameter scope

                                                    scope in which this resource is defined

                                                    Parameter id

                                                    scoped id of the resource

                                                    Parameter props

                                                    resource properties

                                                  property attrArn

                                                  readonly attrArn: string;
                                                  • Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::OIDCProvider resource. Arn

                                                  property CFN_RESOURCE_TYPE_NAME

                                                  static readonly CFN_RESOURCE_TYPE_NAME: string;
                                                  • The CloudFormation resource type name for this resource class.

                                                  property cfnProperties

                                                  readonly cfnProperties: { [key: string]: any };

                                                    property clientIdList

                                                    clientIdList: string[];
                                                    • A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .

                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-clientidlist

                                                    property tags

                                                    readonly tags: cdk.TagManager;
                                                    • A list of tags that are attached to the specified IAM OIDC provider. The returned list of tags is sorted by tag key. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .

                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-tags

                                                    property thumbprintList

                                                    thumbprintList: string[];
                                                    • A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .

                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-thumbprintlist

                                                    property url

                                                    url: string;
                                                    • The URL that the IAM OIDC provider resource object is associated with. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .

                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-url

                                                    method inspect

                                                    inspect: (inspector: cdk.TreeInspector) => void;
                                                    • Examines the CloudFormation resource and discloses attributes.

                                                      Parameter inspector

                                                      tree inspector to collect and process attributes

                                                    method renderProperties

                                                    protected renderProperties: (props: { [key: string]: any }) => {
                                                    [key: string]: any;
                                                    };

                                                      class CfnPolicy

                                                      class CfnPolicy extends cdk.CfnResource implements cdk.IInspectable {}
                                                      • A CloudFormation AWS::IAM::Policy

                                                        Adds or updates an inline policy document that is embedded in the specified IAM user, group, or role.

                                                        An IAM user can also have a managed policy attached to it. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .

                                                        The Groups, Roles, and Users properties are optional. However, you must specify at least one of these properties.

                                                        For information about limits on the number of inline policies that you can embed in an identity, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .

                                                        AWS::IAM::Policy external

                                                        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html

                                                      constructor

                                                      constructor(scope: cdk.Construct, id: string, props: CfnPolicyProps);
                                                      • Create a new AWS::IAM::Policy.

                                                        Parameter scope

                                                        scope in which this resource is defined

                                                        Parameter id

                                                        scoped id of the resource

                                                        Parameter props

                                                        resource properties

                                                      property CFN_RESOURCE_TYPE_NAME

                                                      static readonly CFN_RESOURCE_TYPE_NAME: string;
                                                      • The CloudFormation resource type name for this resource class.

                                                      property cfnProperties

                                                      readonly cfnProperties: { [key: string]: any };

                                                        property groups

                                                        groups: string[];
                                                        • The name of the group to associate the policy with.

                                                          This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.

                                                          http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-groups

                                                        property policyDocument

                                                        policyDocument: any;
                                                        • The policy document.

                                                          You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.

                                                          The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:

                                                          - Any printable ASCII character ranging from the space character (`\u0020`) through the end of the ASCII character range
                                                          - The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\u00FF`)
                                                          - The special characters tab (`\u0009`), line feed (`\u000A`), and carriage return (`\u000D`)

                                                          http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument

                                                        property policyName

                                                        policyName: string;
                                                        • The name of the policy document.

                                                          This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                          http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policyname

                                                        property roles

                                                        roles: string[];
                                                        • The name of the role to associate the policy with.

                                                          This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                          > If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.

                                                          http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-roles

                                                        property users

                                                        users: string[];
                                                        • The name of the user to associate the policy with.

                                                          This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                          http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-users

                                                        method inspect

                                                        inspect: (inspector: cdk.TreeInspector) => void;
                                                        • Examines the CloudFormation resource and discloses attributes.

                                                          Parameter inspector

                                                          tree inspector to collect and process attributes

                                                        method renderProperties

                                                        protected renderProperties: (props: { [key: string]: any }) => {
                                                        [key: string]: any;
                                                        };

                                                          class CfnRole

                                                          class CfnRole extends cdk.CfnResource implements cdk.IInspectable {}
                                                          • A CloudFormation AWS::IAM::Role

                                                            Creates a new role for your AWS account . For more information about roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html) . For information about quotas for role names and the number of roles you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .

                                                            AWS::IAM::Role external

                                                            http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

                                                          constructor

                                                          constructor(scope: cdk.Construct, id: string, props: CfnRoleProps);
                                                          • Create a new AWS::IAM::Role.

                                                            Parameter scope

                                                            scope in which this resource is defined

                                                            Parameter id

                                                            scoped id of the resource

                                                            Parameter props

                                                            resource properties

                                                          property assumeRolePolicyDocument

                                                          assumeRolePolicyDocument: any;
                                                          • The trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see [Template Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples) . For more information about the elements that you can use in an IAM policy, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide* .

                                                            http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument

                                                          property attrArn

                                                          readonly attrArn: string;
                                                          • Returns the Amazon Resource Name (ARN) for the role. For example:

                                                            {"Fn::GetAtt" : ["MyRole", "Arn"] }

                                                            This will return a value such as arn:aws:iam::1234567890:role/MyRole-AJJHDSKSDF . Arn

                                                          property attrRoleId

                                                          readonly attrRoleId: string;
                                                          • Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q .

                                                            For more information about IDs, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) in the *IAM User Guide* . RoleId

                                                          property CFN_RESOURCE_TYPE_NAME

                                                          static readonly CFN_RESOURCE_TYPE_NAME: string;
                                                          • The CloudFormation resource type name for this resource class.

                                                          property cfnProperties

                                                          readonly cfnProperties: { [key: string]: any };

                                                            property description

                                                            description: string;
                                                            • A description of the role that you provide.

                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-description

                                                            property managedPolicyArns

                                                            managedPolicyArns: string[];
                                                            • A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role.

                                                              For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .

                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-managepolicyarns

                                                            property maxSessionDuration

                                                            maxSessionDuration: number;
                                                            • The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

                                                              Anyone who assumes the role from the AWS CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter. If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL. For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide* .

                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-maxsessionduration

                                                            property path

                                                            path: string;
                                                            • The path to the role. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                                              This parameter is optional. If it is not included, it defaults to a slash (/).

                                                              This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper and lowercased letters.

                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-path

                                                            property permissionsBoundary

                                                            permissionsBoundary: string;
                                                            • The ARN of the policy used to set the permissions boundary for the role.

                                                              For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide* .

                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-permissionsboundary

                                                            property policies

                                                            policies: any;
                                                            • Adds or updates an inline policy document that is embedded in the specified IAM role.

                                                              When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role. You can update a role's trust policy later. For more information about IAM roles, go to [Using Roles to Delegate Permissions and Federate Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) .

                                                              A role can also have an attached managed policy. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .

                                                              For information about limits on the number of inline policies that you can embed with a role, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .

                                                              > If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.

                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-policies

                                                            property roleName

                                                            roleName: string;
                                                            • A name for the IAM role, up to 64 characters in length. For valid values, see the RoleName parameter for the [CreateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) action in the *IAM User Guide* .

                                                              This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role name must be unique within the account. Role names are not distinguished by case. For example, you cannot create roles named both "Role1" and "role1".

                                                              If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the role name.

                                                              If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .

                                                              > Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .

                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-rolename

                                                            property tags

                                                            readonly tags: cdk.TagManager;
                                                            • A list of tags that are attached to the role. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .

                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-tags

                                                            method inspect

                                                            inspect: (inspector: cdk.TreeInspector) => void;
                                                            • Examines the CloudFormation resource and discloses attributes.

                                                              Parameter inspector

                                                              tree inspector to collect and process attributes

                                                            method renderProperties

                                                            protected renderProperties: (props: { [key: string]: any }) => {
                                                            [key: string]: any;
                                                            };

                                                              class CfnSAMLProvider

                                                              class CfnSAMLProvider extends cdk.CfnResource implements cdk.IInspectable {}
                                                              • A CloudFormation AWS::IAM::SAMLProvider

                                                                Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.

                                                                The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS.

                                                                When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.

                                                                > This operation requires [Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) .

                                                                For more information, see [Enabling SAML 2.0 federated users to access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) and [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide* .

                                                                CloudFormation resource type: AWS::IAM::SAMLProvider (stability: external)

                                                                http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html

                                                              constructor

                                                              constructor(scope: cdk.Construct, id: string, props: CfnSAMLProviderProps);
                                                              • Create a new AWS::IAM::SAMLProvider.

                                                                Parameter scope

                                                                scope in which this resource is defined

                                                                Parameter id

                                                                scoped id of the resource

                                                                Parameter props

                                                                resource properties

                                                              property attrArn

                                                              readonly attrArn: string;
                                                              • Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::SAMLProvider resource. (CloudFormation attribute: Arn)

                                                              property CFN_RESOURCE_TYPE_NAME

                                                              static readonly CFN_RESOURCE_TYPE_NAME: string;
                                                              • The CloudFormation resource type name for this resource class.

                                                              property cfnProperties

                                                              readonly cfnProperties: { [key: string]: any };

                                                                property name

                                                                name: string;
                                                                • The name of the provider to create.

                                                                  This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper- and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-name

                                                                property samlMetadataDocument

                                                                samlMetadataDocument: string;
                                                                • An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP.

                                                                  For more information, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide*

                                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-samlmetadatadocument

                                                                property tags

                                                                readonly tags: cdk.TagManager;
                                                                • A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .

                                                                  > If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

                                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-tags

                                                                method inspect

                                                                inspect: (inspector: cdk.TreeInspector) => void;
                                                                • Examines the CloudFormation resource and discloses attributes.

                                                                  Parameter inspector

                                                                  tree inspector to collect and process attributes

                                                                method renderProperties

                                                                protected renderProperties: (props: { [key: string]: any }) => {
                                                                [key: string]: any;
                                                                };

                                                                  class CfnServerCertificate

                                                                  class CfnServerCertificate extends cdk.CfnResource implements cdk.IInspectable {}
                                                                  • A CloudFormation AWS::IAM::ServerCertificate

                                                                    Uploads a server certificate entity for the AWS account. The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, all of which should be PEM-encoded.

                                                                    We recommend that you use [AWS Certificate Manager](https://docs.aws.amazon.com/acm/) to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to AWS resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the [AWS Certificate Manager User Guide](https://docs.aws.amazon.com/acm/latest/userguide/).

                                                                    For more information about working with server certificates, see [Working with server certificates](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html) in the *IAM User Guide* . This topic includes a list of AWS services that can use the server certificates that you manage with IAM.

                                                                    For information about the number of server certificates you can upload, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .

                                                                    > Because the body of the public key certificate, private key, and the certificate chain can be large, you should use POST rather than GET when calling UploadServerCertificate . For information about setting up signatures and authorization through the API, see [Signing AWS API requests](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) in the *AWS General Reference* . For general information about using the Query API with IAM, see [Calling the API by making HTTP query requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/programming.html) in the *IAM User Guide* .

                                                                    CloudFormation resource type: AWS::IAM::ServerCertificate (stability: external)

                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html

                                                                  constructor

                                                                  constructor(scope: cdk.Construct, id: string, props?: CfnServerCertificateProps);
                                                                  • Create a new AWS::IAM::ServerCertificate.

                                                                    Parameter scope

                                                                    scope in which this resource is defined

                                                                    Parameter id

                                                                    scoped id of the resource

                                                                    Parameter props

                                                                    resource properties

                                                                  property attrArn

                                                                  readonly attrArn: string;
                                                                  • Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::ServerCertificate resource. (CloudFormation attribute: Arn)

                                                                  property certificateBody

                                                                  certificateBody: string;
                                                                  • The contents of the public key certificate.

                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatebody

                                                                  property certificateChain

                                                                  certificateChain: string;
                                                                  • The contents of the public key certificate chain.

                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatechain

                                                                  property CFN_RESOURCE_TYPE_NAME

                                                                  static readonly CFN_RESOURCE_TYPE_NAME: string;
                                                                  • The CloudFormation resource type name for this resource class.

                                                                  property cfnProperties

                                                                  readonly cfnProperties: { [key: string]: any };

                                                                    property path

                                                                    path: string;
                                                                    • The path for the server certificate. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                                                      This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper- and lowercase letters.

                                                                      > If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the path parameter. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/ ).

                                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-path

                                                                    property privateKey

                                                                    privateKey: string;
                                                                    • The contents of the private key in PEM-encoded format. This is a plain string property of the CloudFormation resource, so the key material is carried in the template itself; where possible, prefer the ACM-managed certificates recommended in the class description.

                                                                      The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:

                                                                      - Any printable ASCII character ranging from the space character (\u0020) through the end of the ASCII character range
                                                                      - The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF)
                                                                      - The special characters tab (\u0009), line feed (\u000A), and carriage return (\u000D)

                                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-privatekey

                                                                    property serverCertificateName

                                                                    serverCertificateName: string;
                                                                    • The name for the server certificate. Do not include the path in this value. The name of the certificate cannot contain any spaces.

                                                                      This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper- and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-servercertificatename

                                                                    property tags

                                                                    readonly tags: cdk.TagManager;
                                                                    • A list of tags that are attached to the server certificate. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .

                                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-tags

                                                                    method inspect

                                                                    inspect: (inspector: cdk.TreeInspector) => void;
                                                                    • Examines the CloudFormation resource and discloses attributes.

                                                                      Parameter inspector

                                                                      tree inspector to collect and process attributes

                                                                    method renderProperties

                                                                    protected renderProperties: (props: { [key: string]: any }) => {
                                                                    [key: string]: any;
                                                                    };

                                                                      class CfnServiceLinkedRole

                                                                      class CfnServiceLinkedRole extends cdk.CfnResource implements cdk.IInspectable {}
                                                                      • A CloudFormation AWS::IAM::ServiceLinkedRole

                                                                        Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state. Allowing the service to control the role helps improve service stability and proper cleanup when a service and its role are no longer needed. For more information, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the *IAM User Guide* .

                                                                        To attach a policy to this service-linked role, you must make the request using the AWS service that depends on this role.

                                                                        CloudFormation resource type: AWS::IAM::ServiceLinkedRole (stability: external)

                                                                        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html

                                                                      constructor

                                                                      constructor(scope: cdk.Construct, id: string, props: CfnServiceLinkedRoleProps);
                                                                      • Create a new AWS::IAM::ServiceLinkedRole.

                                                                        Parameter scope

                                                                        scope in which this resource is defined

                                                                        Parameter id

                                                                        scoped id of the resource

                                                                        Parameter props

                                                                        resource properties

                                                                      property awsServiceName

                                                                      awsServiceName: string;
                                                                      • The service principal for the AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com .

                                                                        Service principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* . Look for the services that have *Yes* in the *Service-Linked Role* column. Choose the *Yes* link to view the service-linked role documentation for that service.

                                                                        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-awsservicename

                                                                      property CFN_RESOURCE_TYPE_NAME

                                                                      static readonly CFN_RESOURCE_TYPE_NAME: string;
                                                                      • The CloudFormation resource type name for this resource class.

                                                                      property cfnProperties

                                                                      readonly cfnProperties: { [key: string]: any };

                                                                        property customSuffix

                                                                        customSuffix: string;
                                                                        • A string that you provide, which is combined with the service-provided prefix to form the complete role name. If you make multiple requests for the same service, then you must supply a different CustomSuffix for each request. Otherwise the request fails with a duplicate role name error. For example, you could add -1 or -debug to the suffix.

                                                                          Some services do not support the CustomSuffix parameter. If you provide an optional suffix and the operation fails, try the operation again without the suffix.

                                                                          http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-customsuffix

                                                                        property description

                                                                        description: string;
                                                                        • The description of the role.

                                                                          http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-description

                                                                        method inspect

                                                                        inspect: (inspector: cdk.TreeInspector) => void;
                                                                        • Examines the CloudFormation resource and discloses attributes.

                                                                          Parameter inspector

                                                                          tree inspector to collect and process attributes

                                                                        method renderProperties

                                                                        protected renderProperties: (props: { [key: string]: any }) => {
                                                                        [key: string]: any;
                                                                        };

                                                                          class CfnUser

                                                                          class CfnUser extends cdk.CfnResource implements cdk.IInspectable {}
                                                                          • A CloudFormation AWS::IAM::User

                                                                            Creates a new IAM user for your AWS account.

                                                                            For information about quotas for the number of IAM users you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .

                                                                            CloudFormation resource type: AWS::IAM::User (stability: external)

                                                                            http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html

                                                                          constructor

                                                                          constructor(scope: cdk.Construct, id: string, props?: CfnUserProps);
                                                                          • Create a new AWS::IAM::User.

                                                                            Parameter scope

                                                                            scope in which this resource is defined

                                                                            Parameter id

                                                                            scoped id of the resource

                                                                            Parameter props

                                                                            resource properties

                                                                          property attrArn

                                                                          readonly attrArn: string;
                                                                          • Returns the Amazon Resource Name (ARN) for the specified AWS::IAM::User resource. For example: arn:aws:iam::123456789012:user/mystack-myuser-1CCXAFG2H2U4D. (CloudFormation attribute: Arn)

                                                                          property CFN_RESOURCE_TYPE_NAME

                                                                          static readonly CFN_RESOURCE_TYPE_NAME: string;
                                                                          • The CloudFormation resource type name for this resource class.

                                                                          property cfnProperties

                                                                          readonly cfnProperties: { [key: string]: any };

                                                                            property groups

                                                                            groups: string[];
                                                                            • A list of group names to which you want to add the user.

                                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-groups

                                                                            property loginProfile

                                                                            loginProfile: any;
                                                                            • Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console .

                                                                              You can use the AWS CLI, the AWS API, or the *Users* page in the IAM console to create a password for any IAM user. Use [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) to update your own existing password in the *My Security Credentials* page in the AWS Management Console.

                                                                              For more information about managing passwords, see [Managing passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide* .

                                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-loginprofile

                                                                            property managedPolicyArns

                                                                            managedPolicyArns: string[];
                                                                            • A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user.

                                                                              For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .

                                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-managepolicyarns

                                                                            property path

                                                                            path: string;
                                                                            • The path for the user name. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                                                              This parameter is optional. If it is not included, it defaults to a slash (/).

                                                                              This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper- and lowercase letters.

                                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-path

                                                                            property permissionsBoundary

                                                                            permissionsBoundary: string;
                                                                            • The ARN of the policy that is used to set the permissions boundary for the user.

                                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-permissionsboundary

                                                                            property policies

                                                                            policies: any;
                                                                            • Adds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see [Declaring an IAM User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user) .

                                                                              > The name of each policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.

                                                                              For information about limits on the number of inline policies that you can embed in a user, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .

                                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-policies

                                                                            property tags

                                                                            readonly tags: cdk.TagManager;
                                                                            • A list of tags that you want to attach to the new user. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .

                                                                              > If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

                                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-tags

                                                                            property userName

                                                                            userName: string;
                                                                            • The name of the user to create. Do not include the path in this value.

                                                                              This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper- and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`. The user name must be unique within the account. User names are not distinguished by case. For example, you cannot create users named both "John" and "john".

                                                                              If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name.

                                                                              If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .

                                                                              > Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .

                                                                              http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-username

                                                                            method inspect

                                                                            inspect: (inspector: cdk.TreeInspector) => void;
                                                                            • Examines the CloudFormation resource and discloses attributes.

                                                                              Parameter inspector

                                                                              tree inspector to collect and process attributes

                                                                            method renderProperties

                                                                            protected renderProperties: (props: { [key: string]: any }) => {
                                                                            [key: string]: any;
                                                                            };

                                                                              class CfnUserToGroupAddition

                                                                              class CfnUserToGroupAddition extends cdk.CfnResource implements cdk.IInspectable {}
                                                                              • A CloudFormation AWS::IAM::UserToGroupAddition

                                                                                Adds the specified user to the specified group.

                                                                                AWS::IAM::UserToGroupAddition external

                                                                                http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html

                                                                              constructor

                                                                              constructor(
                                                                              scope: cdk.Construct,
                                                                              id: string,
                                                                              props: CfnUserToGroupAdditionProps
                                                                              );
                                                                              • Create a new AWS::IAM::UserToGroupAddition.

                                                                                Parameter scope

                                                                                scope in which this resource is defined

                                                                                Parameter id

                                                                                scoped id of the resource

                                                                                Parameter props

                                                                                resource properties

                                                                              property CFN_RESOURCE_TYPE_NAME

                                                                              static readonly CFN_RESOURCE_TYPE_NAME: string;
                                                                              • The CloudFormation resource type name for this resource class.

                                                                              property cfnProperties

                                                                              readonly cfnProperties: { [key: string]: any };

                                                                                property groupName

                                                                                groupName: string;
                                                                                • The name of the group to update.

                                                                                  This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper- and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`

                                                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-groupname

                                                                                property users

                                                                                users: string[];
                                                                                • A list of the names of the users that you want to add to the group.

                                                                                  http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-users

                                                                                method inspect

                                                                                inspect: (inspector: cdk.TreeInspector) => void;
                                                                                • Examines the CloudFormation resource and discloses attributes.

                                                                                  Parameter inspector

                                                                                  tree inspector to collect and process attributes

                                                                                method renderProperties

                                                                                protected renderProperties: (props: { [key: string]: any }) => {
                                                                                [key: string]: any;
                                                                                };

                                                                                  class CfnVirtualMFADevice

                                                                                  class CfnVirtualMFADevice extends cdk.CfnResource implements cdk.IInspectable {}
                                                                                  • A CloudFormation AWS::IAM::VirtualMFADevice

                                                                                    Creates a new virtual MFA device for the AWS account . After creating the virtual MFA, use [EnableMFADevice](https://docs.aws.amazon.com/IAM/latest/APIReference/API_EnableMFADevice.html) to attach the MFA device to an IAM user. For more information about creating and working with virtual MFA devices, see [Using a virtual MFA device](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_VirtualMFA.html) in the *IAM User Guide* .

                                                                                    For information about the maximum number of MFA devices you can create, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html) in the *IAM User Guide* .

                                                                                    > The seed information contained in the QR code and the Base32 string should be treated like any other secret access information. In other words, protect the seed information as you would your AWS access keys or your passwords. After you provision your virtual device, you should ensure that the information is destroyed following secure procedures.

                                                                                    AWS::IAM::VirtualMFADevice external

                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html

                                                                                  constructor

                                                                                  constructor(scope: cdk.Construct, id: string, props: CfnVirtualMFADeviceProps);
                                                                                  • Create a new AWS::IAM::VirtualMFADevice.

                                                                                    Parameter scope

                                                                                    scope in which this resource is defined

                                                                                    Parameter id

                                                                                    scoped id of the resource

                                                                                    Parameter props

                                                                                    resource properties

                                                                                  property attrSerialNumber

                                                                                  readonly attrSerialNumber: string;
                                                                                  • Returns the serial number for the specified AWS::IAM::VirtualMFADevice resource (the CloudFormation attribute `SerialNumber`).

                                                                                  property CFN_RESOURCE_TYPE_NAME

                                                                                  static readonly CFN_RESOURCE_TYPE_NAME: string;
                                                                                  • The CloudFormation resource type name for this resource class.

                                                                                  property cfnProperties

                                                                                  readonly cfnProperties: { [key: string]: any };

                                                                                    property path

                                                                                    path: string;
                                                                                    • The path for the virtual MFA device. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                                                                      This parameter is optional. If it is not included, it defaults to a slash (/).

                                                                                    This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper- and lowercase letters.

                                                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-path

                                                                                    property tags

                                                                                    readonly tags: cdk.TagManager;
                                                                                    • A list of tags that you want to attach to the new IAM virtual MFA device. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .

                                                                                      > If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

                                                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-tags

                                                                                    property users

                                                                                    users: string[];
                                                                                    • The IAM user associated with this virtual MFA device.

                                                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-users

                                                                                    property virtualMfaDeviceName

                                                                                    virtualMfaDeviceName: string;
                                                                                    • The name of the virtual MFA device. Use with path to uniquely identify a virtual MFA device.

                                                                                    This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper- and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: `_+=,.@-`

                                                                                      http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-virtualmfadevice.html#cfn-iam-virtualmfadevice-virtualmfadevicename

                                                                                    method inspect

                                                                                    inspect: (inspector: cdk.TreeInspector) => void;
                                                                                    • Examines the CloudFormation resource and discloses attributes.

                                                                                      Parameter inspector

                                                                                      tree inspector to collect and process attributes

                                                                                    method renderProperties

                                                                                    protected renderProperties: (props: { [key: string]: any }) => {
                                                                                    [key: string]: any;
                                                                                    };

                                                                                      class CompositeDependable

                                                                                      class CompositeDependable implements cdk.IDependable {}
                                                                                      • Composite dependable

                                                                                        This is not as simple as eagerly collecting the dependency roots from the inner dependables: those dependables may be mutable, so the query has to be deferred until the roots are actually needed.

                                                                                      constructor

                                                                                      constructor(...dependables: cdk.IDependable[]);

                                                                                        class CompositePrincipal

                                                                                        class CompositePrincipal extends PrincipalBase {}
                                                                                          • Represents a principal composed of multiple principals (e.g. several ServicePrincipals that together form one composite principal). A composite principal cannot have conditions.

                                                                                        constructor

                                                                                        constructor(...principals: IPrincipal[]);

                                                                                          property assumeRoleAction

                                                                                          readonly assumeRoleAction: string;

                                                                                            property policyFragment

                                                                                            readonly policyFragment: PrincipalPolicyFragment;

                                                                                              method addPrincipals

                                                                                              addPrincipals: (...principals: IPrincipal[]) => this;
                                                                                              • Adds IAM principals to the composite principal. Composite principals cannot have conditions.

                                                                                                Parameter principals

                                                                                                IAM principals that will be added to the composite principal

                                                                                              method addToAssumeRolePolicy

                                                                                              addToAssumeRolePolicy: (doc: PolicyDocument) => void;

                                                                                                method toString

                                                                                                toString: () => string;

                                                                                                  class FederatedPrincipal

                                                                                                  class FederatedPrincipal extends PrincipalBase {}
                                                                                                  • Principal entity that represents a federated identity provider such as Amazon Cognito, that can be used to provide temporary security credentials to users who have been authenticated. Additional condition keys are available when the temporary security credentials are used to make a request. You can use these keys to write policies that limit the access of federated users.

                                                                                                    See Also

                                                                                                    • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif

                                                                                                  constructor

                                                                                                  constructor(
                                                                                                  federated: string,
                                                                                                  conditions: Conditions,
                                                                                                  assumeRoleAction?: string
                                                                                                  );
                                                                                                  • Parameter federated

                                                                                                    federated identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)

                                                                                                    Parameter conditions

                                                                                                    The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

                                                                                                    Parameter sessionTags

                                                                                                    Whether to enable session tagging (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html). Note: no `sessionTags` parameter appears in the constructor signature above, which instead takes an optional `assumeRoleAction`; this entry appears to be stale and should be checked against the signature.

                                                                                                  property assumeRoleAction

                                                                                                  readonly assumeRoleAction: string;

                                                                                                    property conditions

                                                                                                    readonly conditions: Conditions;

                                                                                                      property federated

                                                                                                      readonly federated: string;

                                                                                                        property policyFragment

                                                                                                        readonly policyFragment: PrincipalPolicyFragment;

                                                                                                          method toString

                                                                                                          toString: () => string;

                                                                                                            class Grant

                                                                                                            class Grant implements cdk.IDependable {}
                                                                                                            • Result of a grant() operation

                                                                                                              This class is not instantiable by consumers on purpose, so that they will be required to call the Grant factory functions.

                                                                                                            property principalStatement

                                                                                                            readonly principalStatement?: PolicyStatement;
                                                                                                            • The statement that was added to the principal's policy

                                                                                                              Can be accessed to (e.g.) add additional conditions to the statement.

                                                                                                            property resourceStatement

                                                                                                            readonly resourceStatement?: PolicyStatement;
                                                                                                            • The statement that was added to the resource policy

                                                                                                              Can be accessed to (e.g.) add additional conditions to the statement.

                                                                                                            property success

                                                                                                            readonly success: boolean;
                                                                                                            • Whether the grant operation was successful

                                                                                                            method addToPrincipal

                                                                                                            static addToPrincipal: (options: GrantOnPrincipalOptions) => Grant;
                                                                                                            • Try to grant the given permissions to the given principal

                                                                                                              Absence of a principal leads to a warning, but failing to add the permissions to a present principal is not an error.

                                                                                                            method addToPrincipalAndResource

                                                                                                            static addToPrincipalAndResource: (
                                                                                                            options: GrantOnPrincipalAndResourceOptions
                                                                                                            ) => Grant;
                                                                                                            • Add a grant both on the principal and on the resource

                                                                                                              As long as any principal is given, granting on the principal may fail (in case of a non-identity principal), but granting on the resource will never fail.

                                                                                                              Statement will be the resource statement.

                                                                                                            method addToPrincipalOrResource

                                                                                                            static addToPrincipalOrResource: (options: GrantWithResourceOptions) => Grant;
                                                                                                            • Grant the given permissions to the principal

                                                                                                              The permissions will be added to the principal policy primarily, falling back to the resource policy if necessary. The permissions must be granted somewhere.

                                                                                                              - Trying to grant permissions to a principal that does not admit adding to the principal policy, while not providing a resource with a resource policy, is an error.
                                                                                                              - Trying to grant permissions to an absent principal (possible in the case of imported resources) leads to a warning being added to the resource construct.

                                                                                                            method applyBefore

                                                                                                            applyBefore: (...constructs: cdk.IConstruct[]) => void;
                                                                                                            • Make sure this grant is applied before the given constructs are deployed

                                                                                                              The same as construct.node.addDependency(grant), but slightly nicer to read.

                                                                                                            method assertSuccess

                                                                                                            assertSuccess: () => void;
                                                                                                            • Throw an error if this grant wasn't successful

                                                                                                            method drop

                                                                                                            static drop: (grantee: IGrantable, _intent: string) => Grant;
                                                                                                            • Returns a "no-op" Grant object which represents a "dropped grant".

                                                                                                              This can be used for e.g. imported resources where you may not be able to modify the resource's policy or some underlying policy which you don't know about.

                                                                                                              Parameter grantee

                                                                                                              The intended grantee

                                                                                                              Parameter _intent

                                                                                                              The user's intent (will be ignored at the moment)

                                                                                                            class Group

                                                                                                            class Group extends GroupBase {}
                                                                                                            • An IAM Group (collection of IAM users) lets you specify permissions for multiple users, which can make it easier to manage permissions for those users.

                                                                                                              See Also

                                                                                                              • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

                                                                                                            constructor

                                                                                                            constructor(scope: Construct, id: string, props?: GroupProps);

                                                                                                              property groupArn

                                                                                                              readonly groupArn: string;

                                                                                                                property groupName

                                                                                                                readonly groupName: string;

                                                                                                                  method addManagedPolicy

                                                                                                                  addManagedPolicy: (policy: IManagedPolicy) => void;
                                                                                                                  • Attaches a managed policy to this group.

                                                                                                                    Parameter policy

                                                                                                                    The managed policy to attach.

                                                                                                                  method fromGroupArn

                                                                                                                  static fromGroupArn: (scope: Construct, id: string, groupArn: string) => IGroup;
                                                                                                                  • Import an external group by ARN.

                                                                                                                    If the imported Group ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) *and* the referenced group has a path (like arn:...:group/AdminGroup/NetworkAdmin), the groupName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Group ARN should be supplied without the path in order to resolve the correct group resource.

                                                                                                                    Parameter scope

                                                                                                                    construct scope

                                                                                                                    Parameter id

                                                                                                                    construct id

                                                                                                                    Parameter groupArn

                                                                                                                    the ARN of the group to import (e.g. arn:aws:iam::account-id:group/group-name)

                                                                                                                  method fromGroupName

                                                                                                                  static fromGroupName: (
                                                                                                                  scope: Construct,
                                                                                                                  id: string,
                                                                                                                  groupName: string
                                                                                                                  ) => IGroup;
                                                                                                                  • Import an existing group by its name (including path). This method has the same caveats as fromGroupArn.

                                                                                                                    Parameter scope

                                                                                                                    construct scope

                                                                                                                    Parameter id

                                                                                                                    construct id

                                                                                                                    Parameter groupName

                                                                                                                    the groupName (path included) of the existing group to import

                                                                                                                  class LazyRole

                                                                                                                  class LazyRole extends cdk.Resource implements IRole {}
                                                                                                                  • An IAM role that only gets attached to the construct tree once it gets used, not before

                                                                                                                    This construct can be used to simplify logic in other constructs which need to create a role but only if certain configurations occur (such as when AutoScaling is configured). The role can be configured in one place, but if it never gets used it doesn't get instantiated and will not be synthesized or deployed.

                                                                                                                    AWS::IAM::Role

                                                                                                                  constructor

                                                                                                                  constructor(scope: Construct, id: string, props: LazyRoleProps);

                                                                                                                    property assumeRoleAction

                                                                                                                    readonly assumeRoleAction: string;

                                                                                                                      property grantPrincipal

                                                                                                                      readonly grantPrincipal: IPrincipal;

                                                                                                                        property policyFragment

                                                                                                                        readonly policyFragment: PrincipalPolicyFragment;

                                                                                                                          property principalAccount

                                                                                                                          readonly principalAccount: string;

                                                                                                                            property roleArn

                                                                                                                            readonly roleArn: string;
                                                                                                                            • Returns the ARN of this role.

                                                                                                                            property roleId

                                                                                                                            readonly roleId: string;
                                                                                                                            • Returns the stable and unique string identifying the role (e.g. AIDAJQABLZS4A3QDU576Q)

                                                                                                                            property roleName

                                                                                                                            readonly roleName: string;

                                                                                                                              method addManagedPolicy

                                                                                                                              addManagedPolicy: (policy: IManagedPolicy) => void;
                                                                                                                              • Attaches a managed policy to this role.

                                                                                                                                Parameter policy

                                                                                                                                The managed policy to attach.

                                                                                                                              method addToPolicy

                                                                                                                              addToPolicy: (statement: PolicyStatement) => boolean;

                                                                                                                                method addToPrincipalPolicy

                                                                                                                                addToPrincipalPolicy: (statement: PolicyStatement) => AddToPrincipalPolicyResult;
                                                                                                                                • Adds a permission to the role's default policy document. If there is no default policy attached to this role, it will be created.

                                                                                                                                  Parameter statement

                                                                                                                                  The permission statement to add to the policy document

                                                                                                                                method attachInlinePolicy

                                                                                                                                attachInlinePolicy: (policy: Policy) => void;
                                                                                                                                • Attaches a policy to this role.

                                                                                                                                  Parameter policy

                                                                                                                                  The policy to attach

                                                                                                                                method grant

                                                                                                                                grant: (identity: IPrincipal, ...actions: string[]) => Grant;
                                                                                                                                • Grant the given actions to the identity principal on this resource.

                                                                                                                                method grantPassRole

                                                                                                                                grantPassRole: (identity: IPrincipal) => Grant;
                                                                                                                                • Grant the given principal permission to pass this role (iam:PassRole). Passing a role lets the grantee hand this role's permissions to an AWS service, so this grant should be given only to principals that genuinely need it.

                                                                                                                                class ManagedPolicy

                                                                                                                                class ManagedPolicy extends Resource implements IManagedPolicy {}
                                                                                                                                • Managed policy

                                                                                                                                constructor

                                                                                                                                constructor(scope: Construct, id: string, props?: ManagedPolicyProps);

                                                                                                                                  property description

                                                                                                                                  readonly description: string;
                                                                                                                                  • The description of this policy.

                                                                                                                                  property document

                                                                                                                                  readonly document: PolicyDocument;
                                                                                                                                  • The policy document.

                                                                                                                                  property managedPolicyArn

                                                                                                                                  readonly managedPolicyArn: string;
                                                                                                                                  • Returns the ARN of this managed policy.

                                                                                                                                  property managedPolicyName

                                                                                                                                  readonly managedPolicyName: string;
                                                                                                                                  • The name of this policy.

                                                                                                                                  property path

                                                                                                                                  readonly path: string;
                                                                                                                                  • The path of this policy.

                                                                                                                                  method addStatements

                                                                                                                                  addStatements: (...statement: PolicyStatement[]) => void;
                                                                                                                                  • Adds one or more statements to the policy document.

                                                                                                                                  method attachToGroup

                                                                                                                                  attachToGroup: (group: IGroup) => void;
                                                                                                                                  • Attaches this policy to a group.

                                                                                                                                  method attachToRole

                                                                                                                                  attachToRole: (role: IRole) => void;
                                                                                                                                  • Attaches this policy to a role.

                                                                                                                                  method attachToUser

                                                                                                                                  attachToUser: (user: IUser) => void;
                                                                                                                                  • Attaches this policy to a user.

                                                                                                                                  method fromAwsManagedPolicyName

                                                                                                                                  static fromAwsManagedPolicyName: (managedPolicyName: string) => IManagedPolicy;
                                                                                                                                  • Import a managed policy from one of the policies that AWS manages.

                                                                                                                                    For this managed policy, you only need to know the name to be able to use it.

                                                                                                                                    Some managed policy names start with "service-role/", some start with "job-function/", and some don't start with anything. Include the prefix when constructing this object.

                                                                                                                                  method fromManagedPolicyArn

                                                                                                                                  static fromManagedPolicyArn: (
                                                                                                                                  scope: Construct,
                                                                                                                                  id: string,
                                                                                                                                  managedPolicyArn: string
                                                                                                                                  ) => IManagedPolicy;
                                                                                                                                  • Import an external managed policy by ARN.

                                                                                                                                    For this managed policy, you only need to know the ARN to be able to use it. This can be useful if you got the ARN from a CloudFormation Export.

                                                                                                                                    If the imported Managed Policy ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) *and* the referenced managed policy has a path (like arn:...:policy/AdminPolicy/AdminAllow), the managedPolicyName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Managed Policy ARN should be supplied without the path in order to resolve the correct managed policy resource.

                                                                                                                                    Parameter scope

                                                                                                                                    construct scope

                                                                                                                                    Parameter id

                                                                                                                                    construct id

                                                                                                                                    Parameter managedPolicyArn

                                                                                                                                    the ARN of the managed policy to import

                                                                                                                                  method fromManagedPolicyName

                                                                                                                                  static fromManagedPolicyName: (
                                                                                                                                  scope: Construct,
                                                                                                                                  id: string,
                                                                                                                                  managedPolicyName: string
                                                                                                                                  ) => IManagedPolicy;
                                                                                                                                  • Import a customer managed policy from the managedPolicyName.

                                                                                                                                    For this managed policy, you only need to know the name to be able to use it.

                                                                                                                                  method validate

                                                                                                                                  protected validate: () => string[];

                                                                                                                                    class OpenIdConnectPrincipal

                                                                                                                                    class OpenIdConnectPrincipal extends WebIdentityPrincipal {}
                                                                                                                                    • A principal that represents a federated identity from an OpenID Connect provider.

                                                                                                                                    constructor

                                                                                                                                    constructor(
                                                                                                                                    openIdConnectProvider: IOpenIdConnectProvider,
                                                                                                                                    conditions?: Conditions
                                                                                                                                    );
                                                                                                                                    • Parameter openIdConnectProvider

                                                                                                                                      OpenID Connect provider

                                                                                                                                      Parameter conditions

                                                                                                                                      The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

                                                                                                                                    property policyFragment

                                                                                                                                    readonly policyFragment: PrincipalPolicyFragment;

                                                                                                                                      method toString

                                                                                                                                      toString: () => string;

                                                                                                                                        class OpenIdConnectProvider

                                                                                                                                        class OpenIdConnectProvider extends Resource implements IOpenIdConnectProvider {}
                                                                                                                                        • IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce. You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account. This is useful when creating a mobile app or web application that requires access to AWS resources, but you don't want to create custom sign-in code or manage your own user identities.

                                                                                                                                          See Also

                                                                                                                                          • http://openid.net/connect

                                                                                                                                          • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

                                                                                                                                            AWS::CloudFormation::CustomResource

                                                                                                                                        constructor

                                                                                                                                        constructor(scope: Construct, id: string, props: OpenIdConnectProviderProps);
                                                                                                                                        • Defines an OpenID Connect provider.

                                                                                                                                          Parameter scope

                                                                                                                                          The definition scope

                                                                                                                                          Parameter id

                                                                                                                                          Construct ID

                                                                                                                                          Parameter props

                                                                                                                                          Initialization properties

                                                                                                                                        property openIdConnectProviderArn

                                                                                                                                        readonly openIdConnectProviderArn: string;
                                                                                                                                        • The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.

                                                                                                                                        property openIdConnectProviderIssuer

                                                                                                                                        readonly openIdConnectProviderIssuer: string;

                                                                                                                                          method fromOpenIdConnectProviderArn

                                                                                                                                          static fromOpenIdConnectProviderArn: (
                                                                                                                                          scope: Construct,
                                                                                                                                          id: string,
                                                                                                                                          openIdConnectProviderArn: string
                                                                                                                                          ) => IOpenIdConnectProvider;
                                                                                                                                          • Imports an OpenID Connect provider from an ARN.

                                                                                                                                            Parameter scope

                                                                                                                                            The definition scope

                                                                                                                                            Parameter id

                                                                                                                                            ID of the construct

                                                                                                                                            Parameter openIdConnectProviderArn

                                                                                                                                            the ARN to import

                                                                                                                                          class OrganizationPrincipal

                                                                                                                                          class OrganizationPrincipal extends PrincipalBase {}
                                                                                                                                          • A principal that represents an AWS Organization

                                                                                                                                          constructor

                                                                                                                                          constructor(organizationId: string);
                                                                                                                                          • Parameter organizationId

                                                                                                                                            The unique identifier (ID) of an organization (i.e. o-12345abcde)

                                                                                                                                          property organizationId

                                                                                                                                          readonly organizationId: string;

                                                                                                                                            property policyFragment

                                                                                                                                            readonly policyFragment: PrincipalPolicyFragment;

                                                                                                                                              method toString

                                                                                                                                              toString: () => string;

                                                                                                                                                class PermissionsBoundary

                                                                                                                                                class PermissionsBoundary {}
                                                                                                                                                • Modify the Permissions Boundaries of Users and Roles in a construct tree

                                                                                                                                                  const policy = iam.ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess');
                                                                                                                                                  iam.PermissionsBoundary.of(this).apply(policy);

                                                                                                                                                method apply

                                                                                                                                                apply: (boundaryPolicy: IManagedPolicy) => void;
                                                                                                                                                • Apply the given policy as Permissions Boundary to all Roles and Users in the scope.

                                                                                                                                                  Will override any Permissions Boundaries configured previously; if a Permissions Boundary is applied in multiple scopes, the Boundary applied closest to the Role wins.

                                                                                                                                                method clear

                                                                                                                                                clear: () => void;
                                                                                                                                                • Remove previously applied Permissions Boundaries

                                                                                                                                                method of

                                                                                                                                                static of: (scope: IConstruct) => PermissionsBoundary;
                                                                                                                                                • Access the Permissions Boundaries of a construct tree

                                                                                                                                                class Policy

                                                                                                                                                class Policy extends Resource implements IPolicy {}
                                                                                                                                                • The AWS::IAM::Policy resource associates an IAM policy with IAM users, roles, or groups. For more information about IAM policies, see [Overview of IAM Policies](http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html) in the IAM User Guide.

                                                                                                                                                constructor

                                                                                                                                                constructor(scope: Construct, id: string, props?: PolicyProps);

                                                                                                                                                  property document

                                                                                                                                                  readonly document: PolicyDocument;
                                                                                                                                                  • The policy document.

                                                                                                                                                  property policyName

                                                                                                                                                  readonly policyName: string;
                                                                                                                                                  • The name of this policy.

                                                                                                                                                  method addStatements

                                                                                                                                                  addStatements: (...statement: PolicyStatement[]) => void;
                                                                                                                                                  • Adds one or more statements to the policy document.

                                                                                                                                                  method attachToGroup

                                                                                                                                                  attachToGroup: (group: IGroup) => void;
                                                                                                                                                  • Attaches this policy to a group.

                                                                                                                                                  method attachToRole

                                                                                                                                                  attachToRole: (role: IRole) => void;
                                                                                                                                                  • Attaches this policy to a role.

                                                                                                                                                  method attachToUser

                                                                                                                                                  attachToUser: (user: IUser) => void;
                                                                                                                                                  • Attaches this policy to a user.

                                                                                                                                                  method fromPolicyName

                                                                                                                                                  static fromPolicyName: (
                                                                                                                                                  scope: Construct,
                                                                                                                                                  id: string,
                                                                                                                                                  policyName: string
                                                                                                                                                  ) => IPolicy;
                                                                                                                                                  • Import a policy in this app based on its name

                                                                                                                                                  method validate

                                                                                                                                                  protected validate: () => string[];

                                                                                                                                                    class PolicyDocument

                                                                                                                                                    class PolicyDocument implements cdk.IResolvable {}
                                                                                                                                                    • A PolicyDocument is a collection of statements

                                                                                                                                                    constructor

                                                                                                                                                    constructor(props?: PolicyDocumentProps);

                                                                                                                                                      property creationStack

                                                                                                                                                      readonly creationStack: string[];

                                                                                                                                                        property isEmpty

                                                                                                                                                        readonly isEmpty: boolean;
                                                                                                                                                        • Whether the policy document contains any statements.

                                                                                                                                                        property statementCount

                                                                                                                                                        readonly statementCount: number;
                                                                                                                                                        • The number of statements already added to this policy. Can be used, for example, to generate unique "sid"s within the policy.

                                                                                                                                                        method addStatements

                                                                                                                                                        addStatements: (...statement: PolicyStatement[]) => void;
                                                                                                                                                        • Adds one or more statements to the policy document.

                                                                                                                                                          Parameter statement

                                                                                                                                                          the statement to add.

                                                                                                                                                        method fromJson

                                                                                                                                                        static fromJson: (obj: any) => PolicyDocument;
                                                                                                                                                        • Creates a new PolicyDocument based on the object provided. This will accept an object created from the .toJSON() call.

                                                                                                                                                          Parameter obj

                                                                                                                                                          the PolicyDocument in object form.

                                                                                                                                                        method resolve

                                                                                                                                                        resolve: (context: cdk.IResolveContext) => any;

                                                                                                                                                          method toJSON

                                                                                                                                                          toJSON: () => any;
                                                                                                                                                          • JSON-ify the document

                                                                                                                                                            Used when JSON.stringify() is called

                                                                                                                                                          method toString

                                                                                                                                                          toString: () => string;
                                                                                                                                                          • Encode the policy document as a string

                                                                                                                                                          method validateForAnyPolicy

                                                                                                                                                          validateForAnyPolicy: () => string[];
                                                                                                                                                          • Validate that all policy statements in the policy document satisfy the requirements for any policy.

                                                                                                                                                            See Also

                                                                                                                                                            • https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

                                                                                                                                                          method validateForIdentityPolicy

                                                                                                                                                          validateForIdentityPolicy: () => string[];
                                                                                                                                                          • Validate that all policy statements in the policy document satisfy the requirements for an identity-based policy.

                                                                                                                                                            See Also

                                                                                                                                                            • https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

                                                                                                                                                          method validateForResourcePolicy

                                                                                                                                                          validateForResourcePolicy: () => string[];
                                                                                                                                                          • Validate that all policy statements in the policy document satisfy the requirements for a resource-based policy.

                                                                                                                                                            See Also

                                                                                                                                                            • https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

                                                                                                                                                          class PolicyStatement

                                                                                                                                                          class PolicyStatement {}
                                                                                                                                                          • Represents a statement in an IAM policy document.

                                                                                                                                                          constructor

                                                                                                                                                          constructor(props?: PolicyStatementProps);

                                                                                                                                                            property effect

                                                                                                                                                            effect: Effect;
                                                                                                                                                            • Whether to allow or deny the actions in this statement

                                                                                                                                                            property hasPrincipal

                                                                                                                                                            readonly hasPrincipal: boolean;
                                                                                                                                                            • Indicates if this permission has a "Principal" section.

                                                                                                                                                            property hasResource

                                                                                                                                                            readonly hasResource: boolean;
                                                                                                                                                            • Indicates if this permission has at least one resource associated with it.

                                                                                                                                                            property principals

                                                                                                                                                            readonly principals: IPrincipal[];
                                                                                                                                                            • Expose principals to allow their ARNs to be replaced by account ID strings in policy statements for resource policies that don't allow full account ARNs, such as AWS::Logs::ResourcePolicy.

                                                                                                                                                            property sid

                                                                                                                                                            sid?: string;
                                                                                                                                                            • Statement ID for this statement

                                                                                                                                                            method addAccountCondition

                                                                                                                                                            addAccountCondition: (accountId: string) => void;
                                                                                                                                                            • Add a condition that limits to a given account

                                                                                                                                                              This method can only be called once: subsequent calls will overwrite earlier calls.

                                                                                                                                                            method addAccountRootPrincipal

                                                                                                                                                            addAccountRootPrincipal: () => void;
                                                                                                                                                            • Adds an AWS account root user principal to this policy statement

                                                                                                                                                            method addActions

                                                                                                                                                            addActions: (...actions: string[]) => void;
                                                                                                                                                            • Specify allowed actions in the "Action" section of the policy statement.

                                                                                                                                                              Parameter actions

                                                                                                                                                              actions that will be allowed.

                                                                                                                                                              See Also

                                                                                                                                                              • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html

                                                                                                                                                            method addAllResources

                                                                                                                                                            addAllResources: () => void;
                                                                                                                                                            • Adds a ``"*"`` resource to this statement.

                                                                                                                                                            method addAnyPrincipal

                                                                                                                                                            addAnyPrincipal: () => void;
                                                                                                                                                            • Adds all identities in all accounts ("*") to this policy statement

                                                                                                                                                            method addArnPrincipal

                                                                                                                                                            addArnPrincipal: (arn: string) => void;
                                                                                                                                                            • Specify a principal using the ARN identifier of the principal. You cannot specify IAM groups and instance profiles as principals.

                                                                                                                                                              Parameter arn

                                                                                                                                                              ARN identifier of AWS account, IAM user, or IAM role (i.e. arn:aws:iam::123456789012:user/user-name)

                                                                                                                                                            method addAwsAccountPrincipal

                                                                                                                                                            addAwsAccountPrincipal: (accountId: string) => void;
                                                                                                                                                            • Specify an AWS account ID as the principal entity in the "Principal" section of a policy statement.

                                                                                                                                                            method addCanonicalUserPrincipal

                                                                                                                                                            addCanonicalUserPrincipal: (canonicalUserId: string) => void;
                                                                                                                                                            • Adds a canonical user ID principal to this policy statement

                                                                                                                                                              Parameter canonicalUserId

                                                                                                                                                              unique identifier assigned by AWS for every account

                                                                                                                                                            method addCondition

                                                                                                                                                            addCondition: (key: string, value: Condition) => void;
                                                                                                                                                            • Add a condition to the Policy

                                                                                                                                                              If multiple calls are made to add a condition with the same operator and field, only the last one wins. For example:

                                                                                                                                                              declare const stmt: iam.PolicyStatement;
                                                                                                                                                              stmt.addCondition('StringEquals', { 'aws:SomeField': '1' });
                                                                                                                                                              stmt.addCondition('StringEquals', { 'aws:SomeField': '2' });

                                                                                                                                                              Will end up with the single condition StringEquals: { 'aws:SomeField': '2' }.

                                                                                                                                                              If you meant to add a condition to say that the field can be *either* 1 or 2, write this:

                                                                                                                                                              declare const stmt: iam.PolicyStatement;
                                                                                                                                                              stmt.addCondition('StringEquals', { 'aws:SomeField': ['1', '2'] });

                                                                                                                                                            method addConditions

                                                                                                                                                            addConditions: (conditions: Conditions) => void;
                                                                                                                                                            • Add multiple conditions to the Policy

                                                                                                                                                              See the addCondition function for a caveat on calling this method multiple times.

                                                                                                                                                            method addFederatedPrincipal

                                                                                                                                                            addFederatedPrincipal: (federated: any, conditions: Conditions) => void;
                                                                                                                                                            • Adds a federated identity provider such as Amazon Cognito to this policy statement.

                                                                                                                                                              Parameter federated

                                                                                                                                                              federated identity provider (i.e. 'cognito-identity.amazonaws.com')

                                                                                                                                                              Parameter conditions

                                                                                                                                                              The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

                                                                                                                                                            method addNotActions

                                                                                                                                                            addNotActions: (...notActions: string[]) => void;
                                                                                                                                                            • Explicitly allow all actions except the specified list of actions, by placing them in the "NotAction" section of this policy statement.

                                                                                                                                                              Parameter notActions

                                                                                                                                                              actions that are excluded from this statement (it does not grant them; it does not explicitly deny them either). All other actions will be permitted.

                                                                                                                                                              See Also

                                                                                                                                                              • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html

                                                                                                                                                            method addNotPrincipals

                                                                                                                                                            addNotPrincipals: (...notPrincipals: IPrincipal[]) => void;
                                                                                                                                                            • Specify principals that are not allowed or denied access, in the "NotPrincipal" section of a policy statement.

                                                                                                                                                              Parameter notPrincipals

                                                                                                                                                              IAM principals that will be denied access

                                                                                                                                                              See Also

                                                                                                                                                              • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html

                                                                                                                                                            method addNotResources

                                                                                                                                                            addNotResources: (...arns: string[]) => void;
                                                                                                                                                            • Specify, in the "NotResource" section of this policy statement, the resources that it does not apply to. All resources except the specified ones will be matched.

                                                                                                                                                              Parameter arns

                                                                                                                                                              Amazon Resource Names (ARNs) of the resources that this policy statement does not apply to

                                                                                                                                                              See Also

                                                                                                                                                              • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html

                                                                                                                                                            method addPrincipals

                                                                                                                                                            addPrincipals: (...principals: IPrincipal[]) => void;
                                                                                                                                                            • Adds principals to the "Principal" section of a policy statement.

                                                                                                                                                              Parameter principals

                                                                                                                                                              IAM principals that will be added

                                                                                                                                                              See Also

                                                                                                                                                              • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

                                                                                                                                                            method addResources

                                                                                                                                                            addResources: (...arns: string[]) => void;
                                                                                                                                                            • Specify, in the "Resource" section of this policy statement, the resources that it applies to.

                                                                                                                                                              Parameter arns

                                                                                                                                                              Amazon Resource Names (ARNs) of the resources that this policy statement applies to

                                                                                                                                                              See Also

                                                                                                                                                              • https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

                                                                                                                                                            method addServicePrincipal

                                                                                                                                                            addServicePrincipal: (service: string, opts?: ServicePrincipalOpts) => void;
                                                                                                                                                            • Adds a service principal to this policy statement.

                                                                                                                                                              Parameter service

                                                                                                                                                              the service name for which a service principal is requested (e.g: s3.amazonaws.com).

                                                                                                                                                              Parameter opts

                                                                                                                                                              options for adding the service principal (such as specifying a principal in a different region)

                                                                                                                                                            method copy

                                                                                                                                                            copy: (overrides?: PolicyStatementProps) => PolicyStatement;
                                                                                                                                                            • Create a new PolicyStatement with exactly the same properties as this one, except for the overrides

                                                                                                                                                            method fromJson

                                                                                                                                                            static fromJson: (obj: any) => PolicyStatement;
                                                                                                                                                            • Creates a new PolicyStatement from the object provided. This accepts an object created by the .toJSON() call

                                                                                                                                                              Parameter obj

                                                                                                                                                              the PolicyStatement in object form.

                                                                                                                                                            method toJSON

                                                                                                                                                            toJSON: () => any;
                                                                                                                                                            • JSON-ify the statement

                                                                                                                                                              Used when JSON.stringify() is called

                                                                                                                                                            method toStatementJson

                                                                                                                                                            toStatementJson: () => any;
                                                                                                                                                            • JSON-ify the policy statement

                                                                                                                                                              Used when JSON.stringify() is called

                                                                                                                                                            method toString

                                                                                                                                                            toString: () => string;
                                                                                                                                                            • String representation of this policy statement

                                                                                                                                                            method validateForAnyPolicy

                                                                                                                                                            validateForAnyPolicy: () => string[];
                                                                                                                                                            • Validate that the policy statement satisfies base requirements for a policy.

                                                                                                                                                            method validateForIdentityPolicy

                                                                                                                                                            validateForIdentityPolicy: () => string[];
                                                                                                                                                            • Validate that the policy statement satisfies all requirements for an identity-based policy.

                                                                                                                                                            method validateForResourcePolicy

                                                                                                                                                            validateForResourcePolicy: () => string[];
                                                                                                                                                            • Validate that the policy statement satisfies all requirements for a resource-based policy.

                                                                                                                                                            class PrincipalBase

                                                                                                                                                            abstract class PrincipalBase implements IAssumeRolePrincipal {}
                                                                                                                                                            • Base class for policy principals

                                                                                                                                                            property assumeRoleAction

                                                                                                                                                            readonly assumeRoleAction: string;
                                                                                                                                                            • When this Principal is used in an AssumeRole policy, the action to use.

                                                                                                                                                            property grantPrincipal

                                                                                                                                                            readonly grantPrincipal: IPrincipal;

                                                                                                                                                              property policyFragment

                                                                                                                                                              abstract readonly policyFragment: PrincipalPolicyFragment;
                                                                                                                                                              • Return the policy fragment that identifies this principal in a Policy.

                                                                                                                                                              property principalAccount

                                                                                                                                                              readonly principalAccount: string;

                                                                                                                                                                method addToAssumeRolePolicy

                                                                                                                                                                addToAssumeRolePolicy: (document: PolicyDocument) => void;

                                                                                                                                                                  method addToPolicy

                                                                                                                                                                  addToPolicy: (statement: PolicyStatement) => boolean;

                                                                                                                                                                    method addToPrincipalPolicy

                                                                                                                                                                    addToPrincipalPolicy: (
                                                                                                                                                                    _statement: PolicyStatement
                                                                                                                                                                    ) => AddToPrincipalPolicyResult;

                                                                                                                                                                      method toJSON

                                                                                                                                                                      toJSON: () => { [key: string]: string[] };
                                                                                                                                                                      • JSON-ify the principal

                                                                                                                                                                        Used when JSON.stringify() is called

                                                                                                                                                                      method toString

                                                                                                                                                                      toString: () => string;

                                                                                                                                                                        method withConditions

                                                                                                                                                                        withConditions: (conditions: Conditions) => PrincipalBase;
                                                                                                                                                                        • Returns a new PrincipalWithConditions using this principal as the base, with the passed conditions added.

                                                                                                                                                                          When there is a value for the same operator and key in both the principal and the conditions parameter, the value from the conditions parameter will be used.

                                                                                                                                                                          Returns

                                                                                                                                                                          a new PrincipalWithConditions object.

                                                                                                                                                                        method withSessionTags

                                                                                                                                                                        withSessionTags: () => PrincipalBase;
                                                                                                                                                                        • Returns a new principal using this principal as the base, with session tags enabled.

                                                                                                                                                                          Returns

                                                                                                                                                                          a new SessionTagsPrincipal object.

                                                                                                                                                                        class PrincipalPolicyFragment

                                                                                                                                                                        class PrincipalPolicyFragment {}
                                                                                                                                                                        • A collection of the fields in a PolicyStatement that can be used to identify a principal.

                                                                                                                                                                          This consists of the JSON used in the "Principal" field, and optionally a set of "Condition"s that need to be applied to the policy.

                                                                                                                                                                          Generally, a principal looks like:

                                                                                                                                                                          { '<TYPE>': ['ID', 'ID', ...] }

                                                                                                                                                                          And this is also the type of the field principalJson. However, there is a special type of principal that is just the string '*', which is treated differently by some services. To represent that principal, principalJson should contain { 'LiteralString': ['*'] }.

                                                                                                                                                                        constructor

                                                                                                                                                                        constructor(principalJson: { [key: string]: string[] }, conditions?: Conditions);
                                                                                                                                                                        • Parameter principalJson

                                                                                                                                                                          JSON of the "Principal" section in a policy statement

                                                                                                                                                                          Parameter conditions

                                                                                                                                                                          conditions that need to be applied to this policy

                                                                                                                                                                        property conditions

                                                                                                                                                                        readonly conditions: Conditions;
                                                                                                                                                                        • The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

                                                                                                                                                                        property principalJson

                                                                                                                                                                        readonly principalJson: { [key: string]: string[] };

                                                                                                                                                                          class PrincipalWithConditions

                                                                                                                                                                          class PrincipalWithConditions extends PrincipalAdapter {}
                                                                                                                                                                          • An IAM principal with additional conditions specifying when the policy is in effect.

                                                                                                                                                                            For more information about conditions, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html

                                                                                                                                                                          constructor

                                                                                                                                                                          constructor(principal: IPrincipal, conditions: Conditions);

                                                                                                                                                                            property conditions

                                                                                                                                                                            readonly conditions: Record<string, any>;
                                                                                                                                                                            • The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).

                                                                                                                                                                            property policyFragment

                                                                                                                                                                            readonly policyFragment: PrincipalPolicyFragment;

                                                                                                                                                                              method addCondition

                                                                                                                                                                              addCondition: (key: string, value: Condition) => void;
                                                                                                                                                                              • Add a condition to the principal

                                                                                                                                                                              method addConditions

                                                                                                                                                                              addConditions: (conditions: Conditions) => void;
                                                                                                                                                                              • Adds multiple conditions to the principal

                                                                                                                                                                                Values from the conditions parameter will overwrite existing values with the same operator and key.

                                                                                                                                                                              method toJSON

                                                                                                                                                                              toJSON: () => { [key: string]: string[] };
                                                                                                                                                                              • JSON-ify the principal

                                                                                                                                                                                Used when JSON.stringify() is called

                                                                                                                                                                              method toString

                                                                                                                                                                              toString: () => string;

                                                                                                                                                                                class Role

                                                                                                                                                                                class Role extends Resource implements IRole {}
                                                                                                                                                                                • IAM Role

                                                                                                                                                                                  Defines an IAM role. The role is created with an assume policy document associated with the specified AWS service principal defined in serviceAssumeRole.

                                                                                                                                                                                constructor

                                                                                                                                                                                constructor(scope: Construct, id: string, props: RoleProps);

                                                                                                                                                                                  property assumeRoleAction

                                                                                                                                                                                  readonly assumeRoleAction: string;

                                                                                                                                                                                    property assumeRolePolicy

                                                                                                                                                                                    readonly assumeRolePolicy?: PolicyDocument;
                                                                                                                                                                                    • The assume role policy document associated with this role.

                                                                                                                                                                                    property grantPrincipal

                                                                                                                                                                                    readonly grantPrincipal: IPrincipal;

                                                                                                                                                                                      property permissionsBoundary

                                                                                                                                                                                      readonly permissionsBoundary?: IManagedPolicy;
                                                                                                                                                                                      • Returns the permissions boundary attached to this role

                                                                                                                                                                                      property policyFragment

                                                                                                                                                                                      readonly policyFragment: PrincipalPolicyFragment;
                                                                                                                                                                                      • Returns the role.

                                                                                                                                                                                      property principalAccount

                                                                                                                                                                                      readonly principalAccount: string;

                                                                                                                                                                                        property roleArn

                                                                                                                                                                                        readonly roleArn: string;
                                                                                                                                                                                        • Returns the ARN of this role.

                                                                                                                                                                                        property roleId

                                                                                                                                                                                        readonly roleId: string;
                                                                                                                                                                                        • Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q.

                                                                                                                                                                                        property roleName

                                                                                                                                                                                        readonly roleName: string;
                                                                                                                                                                                        • Returns the name of the role.

                                                                                                                                                                                        method addManagedPolicy

                                                                                                                                                                                        addManagedPolicy: (policy: IManagedPolicy) => void;
                                                                                                                                                                                        • Attaches a managed policy to this role.

                                                                                                                                                                                          Parameter policy

                                                                                                                                                                                          The managed policy to attach.

                                                                                                                                                                                        method addToPolicy

                                                                                                                                                                                        addToPolicy: (statement: PolicyStatement) => boolean;

                                                                                                                                                                                          method addToPrincipalPolicy

                                                                                                                                                                                          addToPrincipalPolicy: (statement: PolicyStatement) => AddToPrincipalPolicyResult;
                                                                                                                                                                                          • Adds a permission to the role's default policy document. If there is no default policy attached to this role, it will be created.

                                                                                                                                                                                            Parameter statement

                                                                                                                                                                                            The permission statement to add to the policy document

                                                                                                                                                                                          method attachInlinePolicy

                                                                                                                                                                                          attachInlinePolicy: (policy: Policy) => void;
                                                                                                                                                                                          • Attaches a policy to this role.

                                                                                                                                                                                            Parameter policy

                                                                                                                                                                                            The policy to attach

                                                                                                                                                                                          method fromRoleArn

                                                                                                                                                                                          static fromRoleArn: (
                                                                                                                                                                                          scope: Construct,
                                                                                                                                                                                          id: string,
                                                                                                                                                                                          roleArn: string,
                                                                                                                                                                                          options?: FromRoleArnOptions
                                                                                                                                                                                          ) => IRole;
                                                                                                                                                                                          • Import an external role by ARN.

                                                                                                                                                                                            If the imported Role ARN is a Token (such as a CfnParameter.valueAsString or a Fn.importValue()) *and* the referenced role has a path (like arn:...:role/AdminRoles/Alice), the roleName property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the path in order to resolve the correct role resource.

                                                                                                                                                                                            Parameter scope

                                                                                                                                                                                            construct scope

                                                                                                                                                                                            Parameter id

                                                                                                                                                                                            construct id

                                                                                                                                                                                            Parameter roleArn

                                                                                                                                                                                            the ARN of the role to import

                                                                                                                                                                                            Parameter options

                                                                                                                                                                                            allow customizing the behavior of the returned role

                                                                                                                                                                                          method fromRoleName

                                                                                                                                                                                          static fromRoleName: (scope: Construct, id: string, roleName: string) => IRole;
                                                                                                                                                                                          • Import an external role by name.

                                                                                                                                                                                            The imported role is assumed to exist in the same account as the one the scope's containing Stack is being deployed to.

                                                                                                                                                                                          method grant

                                                                                                                                                                                          grant: (grantee: IPrincipal, ...actions: string[]) => Grant;
                                                                                                                                                                                          • Grant the actions defined in actions to the identity Principal on this resource.

                                                                                                                                                                                          method grantPassRole

                                                                                                                                                                                          grantPassRole: (identity: IPrincipal) => Grant;
                                                                                                                                                                                          • Grant permissions to the given principal to pass this role.

                                                                                                                                                                                          method validate

                                                                                                                                                                                          protected validate: () => string[];

                                                                                                                                                                                            method withoutPolicyUpdates

                                                                                                                                                                                            withoutPolicyUpdates: (options?: WithoutPolicyUpdatesOptions) => IRole;
                                                                                                                                                                                            • Return a copy of this Role object whose Policies will not be updated

                                                                                                                                                                                              Use the object returned by this method if you want this Role to be used by a construct without it automatically updating the Role's Policies.

                                                                                                                                                                                              If you do, you are responsible for adding the correct statements to the Role's policies yourself.

                                                                                                                                                                                            class SamlConsolePrincipal

                                                                                                                                                                                            class SamlConsolePrincipal extends SamlPrincipal {}
                                                                                                                                                                                            • Principal entity that represents a SAML federated identity provider for programmatic and AWS Management Console access.

                                                                                                                                                                                            constructor

                                                                                                                                                                                            constructor(samlProvider: ISamlProvider, conditions?: Conditions);

                                                                                                                                                                                              method toString

                                                                                                                                                                                              toString: () => string;

                                                                                                                                                                                                class SamlMetadataDocument

                                                                                                                                                                                                abstract class SamlMetadataDocument {}
                                                                                                                                                                                                • A SAML metadata document

                                                                                                                                                                                                property xml

                                                                                                                                                                                                abstract readonly xml: string;
                                                                                                                                                                                                • The XML content of the metadata document

                                                                                                                                                                                                method fromFile

                                                                                                                                                                                                static fromFile: (path: string) => SamlMetadataDocument;
                                                                                                                                                                                                • Create a SAML metadata document from an XML file

                                                                                                                                                                                                method fromXml

                                                                                                                                                                                                static fromXml: (xml: string) => SamlMetadataDocument;
                                                                                                                                                                                                • Create a SAML metadata document from an XML string

                                                                                                                                                                                                class SamlPrincipal

                                                                                                                                                                                                class SamlPrincipal extends FederatedPrincipal {}
                                                                                                                                                                                                • Principal entity that represents a SAML federated identity provider

                                                                                                                                                                                                constructor

                                                                                                                                                                                                constructor(samlProvider: ISamlProvider, conditions: Conditions);

                                                                                                                                                                                                  method toString

                                                                                                                                                                                                  toString: () => string;

                                                                                                                                                                                                    class SamlProvider

                                                                                                                                                                                                    class SamlProvider extends Resource implements ISamlProvider {}
                                                                                                                                                                                                    • A SAML provider

                                                                                                                                                                                                    constructor

                                                                                                                                                                                                    constructor(scope: Construct, id: string, props: SamlProviderProps);

                                                                                                                                                                                                      property samlProviderArn

                                                                                                                                                                                                      readonly samlProviderArn: string;

                                                                                                                                                                                                        method fromSamlProviderArn

                                                                                                                                                                                                        static fromSamlProviderArn: (
                                                                                                                                                                                                        scope: Construct,
                                                                                                                                                                                                        id: string,
                                                                                                                                                                                                        samlProviderArn: string
                                                                                                                                                                                                        ) => ISamlProvider;
                                                                                                                                                                                                        • Import an existing provider

                                                                                                                                                                                                        class ServicePrincipal

                                                                                                                                                                                                        class ServicePrincipal extends PrincipalBase {}
• An IAM principal that represents an AWS service (e.g. sqs.amazonaws.com).

                                                                                                                                                                                                        constructor

                                                                                                                                                                                                        constructor(service: string, opts?: ServicePrincipalOpts);
                                                                                                                                                                                                        • Parameter service

AWS service (e.g. sqs.amazonaws.com)

                                                                                                                                                                                                        property policyFragment

                                                                                                                                                                                                        readonly policyFragment: PrincipalPolicyFragment;

                                                                                                                                                                                                          property service

                                                                                                                                                                                                          readonly service: string;

                                                                                                                                                                                                            method toString

                                                                                                                                                                                                            toString: () => string;

                                                                                                                                                                                                              class SessionTagsPrincipal

                                                                                                                                                                                                              class SessionTagsPrincipal extends PrincipalAdapter {}
                                                                                                                                                                                                              • Enables session tags on role assumptions from a principal

                                                                                                                                                                                                                For more information on session tags, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html

                                                                                                                                                                                                              constructor

                                                                                                                                                                                                              constructor(principal: IPrincipal);

                                                                                                                                                                                                                method addToAssumeRolePolicy

                                                                                                                                                                                                                addToAssumeRolePolicy: (doc: PolicyDocument) => void;

                                                                                                                                                                                                                  class StarPrincipal

                                                                                                                                                                                                                  class StarPrincipal extends PrincipalBase {}
                                                                                                                                                                                                                  • A principal that uses a literal '*' in the IAM JSON language

                                                                                                                                                                                                                    Some services behave differently when you specify Principal: "*" or Principal: { AWS: "*" } in their resource policy.

                                                                                                                                                                                                                    StarPrincipal renders to Principal: *. Most of the time, you should use AnyPrincipal instead.

                                                                                                                                                                                                                  property policyFragment

                                                                                                                                                                                                                  readonly policyFragment: PrincipalPolicyFragment;

                                                                                                                                                                                                                    method toString

                                                                                                                                                                                                                    toString: () => string;

                                                                                                                                                                                                                      class UnknownPrincipal

                                                                                                                                                                                                                      class UnknownPrincipal implements IPrincipal {}
• A principal for use in resources that need a role but whose role is unknown

                                                                                                                                                                                                                        Some resources have roles associated with them which they assume, such as Lambda Functions, CodeBuild projects, StepFunctions machines, etc.

When those resources are imported, their actual roles are not always imported with them. When that happens, an instance of this class is used instead; it emits user warnings whenever an attempt is made to add statements to it.

                                                                                                                                                                                                                      constructor

                                                                                                                                                                                                                      constructor(props: UnknownPrincipalProps);

                                                                                                                                                                                                                        property assumeRoleAction

                                                                                                                                                                                                                        readonly assumeRoleAction: string;

                                                                                                                                                                                                                          property grantPrincipal

                                                                                                                                                                                                                          readonly grantPrincipal: IPrincipal;

                                                                                                                                                                                                                            property policyFragment

                                                                                                                                                                                                                            readonly policyFragment: PrincipalPolicyFragment;

                                                                                                                                                                                                                              method addToPolicy

                                                                                                                                                                                                                              addToPolicy: (statement: PolicyStatement) => boolean;

                                                                                                                                                                                                                                method addToPrincipalPolicy

                                                                                                                                                                                                                                addToPrincipalPolicy: (statement: PolicyStatement) => AddToPrincipalPolicyResult;

                                                                                                                                                                                                                                  class User

                                                                                                                                                                                                                                  class User extends Resource implements IIdentity, IUser {}
                                                                                                                                                                                                                                  • Define a new IAM user

                                                                                                                                                                                                                                  constructor

                                                                                                                                                                                                                                  constructor(scope: Construct, id: string, props?: UserProps);

                                                                                                                                                                                                                                    property assumeRoleAction

                                                                                                                                                                                                                                    readonly assumeRoleAction: string;

                                                                                                                                                                                                                                      property grantPrincipal

                                                                                                                                                                                                                                      readonly grantPrincipal: IPrincipal;

                                                                                                                                                                                                                                        property permissionsBoundary

                                                                                                                                                                                                                                        readonly permissionsBoundary?: IManagedPolicy;
                                                                                                                                                                                                                                        • Returns the permissions boundary attached to this user

                                                                                                                                                                                                                                        property policyFragment

                                                                                                                                                                                                                                        readonly policyFragment: PrincipalPolicyFragment;

                                                                                                                                                                                                                                          property principalAccount

                                                                                                                                                                                                                                          readonly principalAccount: string;

                                                                                                                                                                                                                                            property userArn

                                                                                                                                                                                                                                            readonly userArn: string;
                                                                                                                                                                                                                                            • An attribute that represents the user's ARN.

                                                                                                                                                                                                                                            property userName

                                                                                                                                                                                                                                            readonly userName: string;
                                                                                                                                                                                                                                            • An attribute that represents the user name.

                                                                                                                                                                                                                                            method addManagedPolicy

                                                                                                                                                                                                                                            addManagedPolicy: (policy: IManagedPolicy) => void;
                                                                                                                                                                                                                                            • Attaches a managed policy to the user.

                                                                                                                                                                                                                                              Parameter policy

                                                                                                                                                                                                                                              The managed policy to attach.

                                                                                                                                                                                                                                            method addToGroup

                                                                                                                                                                                                                                            addToGroup: (group: IGroup) => void;
                                                                                                                                                                                                                                            • Adds this user to a group.

                                                                                                                                                                                                                                            method addToPolicy

                                                                                                                                                                                                                                            addToPolicy: (statement: PolicyStatement) => boolean;

                                                                                                                                                                                                                                              method addToPrincipalPolicy

                                                                                                                                                                                                                                              addToPrincipalPolicy: (statement: PolicyStatement) => AddToPrincipalPolicyResult;
                                                                                                                                                                                                                                              • Adds an IAM statement to the default policy.

                                                                                                                                                                                                                                                Returns

                                                                                                                                                                                                                                                true

                                                                                                                                                                                                                                              method attachInlinePolicy

                                                                                                                                                                                                                                              attachInlinePolicy: (policy: Policy) => void;
                                                                                                                                                                                                                                              • Attaches a policy to this user.

                                                                                                                                                                                                                                              method fromUserArn

                                                                                                                                                                                                                                              static fromUserArn: (scope: Construct, id: string, userArn: string) => IUser;
                                                                                                                                                                                                                                              • Import an existing user given a user ARN.

If the ARN comes from a Token, the User cannot have a path; if it does, any attempt to reference its user name will fail.

                                                                                                                                                                                                                                                Parameter scope

                                                                                                                                                                                                                                                construct scope

                                                                                                                                                                                                                                                Parameter id

                                                                                                                                                                                                                                                construct id

                                                                                                                                                                                                                                                Parameter userArn

                                                                                                                                                                                                                                                the ARN of an existing user to import

                                                                                                                                                                                                                                              method fromUserAttributes

                                                                                                                                                                                                                                              static fromUserAttributes: (
                                                                                                                                                                                                                                              scope: Construct,
                                                                                                                                                                                                                                              id: string,
                                                                                                                                                                                                                                              attrs: UserAttributes
                                                                                                                                                                                                                                              ) => IUser;
                                                                                                                                                                                                                                              • Import an existing user given user attributes.

                                                                                                                                                                                                                                                If the ARN comes from a Token, the User cannot have a path; if so, any attempt to reference its username will fail.

                                                                                                                                                                                                                                                Parameter scope

                                                                                                                                                                                                                                                construct scope

                                                                                                                                                                                                                                                Parameter id

                                                                                                                                                                                                                                                construct id

                                                                                                                                                                                                                                                Parameter attrs

                                                                                                                                                                                                                                                the attributes of the user to import

                                                                                                                                                                                                                                              method fromUserName

                                                                                                                                                                                                                                              static fromUserName: (scope: Construct, id: string, userName: string) => IUser;
                                                                                                                                                                                                                                              • Import an existing user given a username.

                                                                                                                                                                                                                                                Parameter scope

                                                                                                                                                                                                                                                construct scope

                                                                                                                                                                                                                                                Parameter id

                                                                                                                                                                                                                                                construct id

                                                                                                                                                                                                                                                Parameter userName

                                                                                                                                                                                                                                                the username of the existing user to import

                                                                                                                                                                                                                                              class WebIdentityPrincipal

                                                                                                                                                                                                                                              class WebIdentityPrincipal extends FederatedPrincipal {}
• A principal that represents a web identity federation provider (such as Amazon Cognito, Login with Amazon, Facebook or Google) as the trusted entity in an assume-role policy.

                                                                                                                                                                                                                                              constructor

                                                                                                                                                                                                                                              constructor(identityProvider: string, conditions?: Conditions);
                                                                                                                                                                                                                                              • Parameter identityProvider

identity provider (e.g. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)

                                                                                                                                                                                                                                                Parameter conditions

The conditions under which the policy is in effect. See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html). For web identity federation this argument is what scopes the trust: a trust statement for a provider with no conditions lets any identity that provider issues a token for — including identities belonging to other applications using the same provider — assume the role. In practice you should always pin the provider's audience/subject claims (for example a `StringEquals` condition on `cognito-identity.amazonaws.com:aud` set to your identity pool ID, plus `ForAnyValue:StringLike` on `cognito-identity.amazonaws.com:amr` to separate authenticated from unauthenticated users).

Parameter sessionTags

Whether to enable session tagging (see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html). Note that the constructor signature shown above takes only `identityProvider` and `conditions`; there is no `sessionTags` argument in this version, so this description appears to be left over from a different signature and should not be relied on.

                                                                                                                                                                                                                                              property policyFragment

                                                                                                                                                                                                                                              readonly policyFragment: PrincipalPolicyFragment;

                                                                                                                                                                                                                                                method toString

                                                                                                                                                                                                                                                toString: () => string;

                                                                                                                                                                                                                                                  Interfaces

                                                                                                                                                                                                                                                  interface AccessKeyProps

                                                                                                                                                                                                                                                  interface AccessKeyProps {}
                                                                                                                                                                                                                                                  • Properties for defining an IAM access key.

                                                                                                                                                                                                                                                  property serial

                                                                                                                                                                                                                                                  readonly serial?: number;
• A CloudFormation-specific value that signifies the access key should be replaced/rotated. This value can only be incremented. Incrementing this value will cause CloudFormation to replace the Access Key resource, i.e. a new key ID and secret are generated and the previous key is removed once the update completes. There is no long-lived overlap of the old and new key, so anything that consumes the old `secretAccessKey` must be re-pointed at the new one as part of the same rollout.

  Default: no serial value (the key is never rotated by CloudFormation).

                                                                                                                                                                                                                                                  property status

                                                                                                                                                                                                                                                  readonly status?: AccessKeyStatus;
• The status of the access key. An Active access key can be used to make API calls; an Inactive key cannot. Setting a key to Inactive is the safe first step when retiring it, since the key can be reactivated if something still depends on it.

  Default: the access key is active.

                                                                                                                                                                                                                                                  property user

                                                                                                                                                                                                                                                  readonly user: IUser;
                                                                                                                                                                                                                                                  • The IAM user this key will belong to.

                                                                                                                                                                                                                                                    Changing this value will result in the access key being deleted and a new access key (with a different ID and secret value) being assigned to the new user.

                                                                                                                                                                                                                                                  interface AddToPrincipalPolicyResult

                                                                                                                                                                                                                                                  interface AddToPrincipalPolicyResult {}
                                                                                                                                                                                                                                                  • Result of calling addToPrincipalPolicy

                                                                                                                                                                                                                                                  property policyDependable

                                                                                                                                                                                                                                                  readonly policyDependable?: cdk.IDependable;
• Dependable which allows depending on the policy change being applied.

  Default: none — must be provided when `statementAdded` is true.

                                                                                                                                                                                                                                                  property statementAdded

                                                                                                                                                                                                                                                  readonly statementAdded: boolean;
                                                                                                                                                                                                                                                  • Whether the statement was added to the identity's policies.

                                                                                                                                                                                                                                                  interface AddToResourcePolicyResult

                                                                                                                                                                                                                                                  interface AddToResourcePolicyResult {}
                                                                                                                                                                                                                                                  • Result of calling addToResourcePolicy

                                                                                                                                                                                                                                                  property policyDependable

                                                                                                                                                                                                                                                  readonly policyDependable?: cdk.IDependable;
• Dependable which allows depending on the policy change being applied.

  Default: if `statementAdded` is true, the resource object itself; otherwise no dependable.

                                                                                                                                                                                                                                                  property statementAdded

                                                                                                                                                                                                                                                  readonly statementAdded: boolean;
                                                                                                                                                                                                                                                  • Whether the statement was added

                                                                                                                                                                                                                                                  interface CfnAccessKeyProps

                                                                                                                                                                                                                                                  interface CfnAccessKeyProps {}
                                                                                                                                                                                                                                                  • Properties for defining a CfnAccessKey

                                                                                                                                                                                                                                                    external

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html

                                                                                                                                                                                                                                                  property serial

                                                                                                                                                                                                                                                  readonly serial?: number;
• This value is specific to CloudFormation and can only be *incremented*. Incrementing this value notifies CloudFormation that you want to rotate your access key. When you update your stack, CloudFormation will replace the existing access key with a new key (new key ID and new secret).

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-serial

                                                                                                                                                                                                                                                  property status

                                                                                                                                                                                                                                                  readonly status?: string;
                                                                                                                                                                                                                                                  • The status of the access key. Active means that the key is valid for API calls, while Inactive means it is not.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-status

                                                                                                                                                                                                                                                  property userName

                                                                                                                                                                                                                                                  readonly userName: string;
                                                                                                                                                                                                                                                  • The name of the IAM user that the new key will belong to.

This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex)) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-username

                                                                                                                                                                                                                                                  interface CfnGroupProps

                                                                                                                                                                                                                                                  interface CfnGroupProps {}
                                                                                                                                                                                                                                                  • Properties for defining a CfnGroup

                                                                                                                                                                                                                                                    external

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html

                                                                                                                                                                                                                                                  property groupName

                                                                                                                                                                                                                                                  readonly groupName?: string;
                                                                                                                                                                                                                                                  • The name of the group to create. Do not include the path in this value.

                                                                                                                                                                                                                                                    The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins". If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name.

                                                                                                                                                                                                                                                    > If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

                                                                                                                                                                                                                                                    If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .

                                                                                                                                                                                                                                                    > Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-groupname

                                                                                                                                                                                                                                                  property managedPolicyArns

                                                                                                                                                                                                                                                  readonly managedPolicyArns?: string[];
• The Amazon Resource Names (ARNs) of the managed IAM policies you want to attach to the group. Every member of the group inherits all of these policies, so prefer narrowly scoped policies over broad AWS-managed ones here.

                                                                                                                                                                                                                                                    For more information about ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-managepolicyarns

                                                                                                                                                                                                                                                  property path

                                                                                                                                                                                                                                                  readonly path?: string;
                                                                                                                                                                                                                                                  • The path to the group. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    This parameter is optional. If it is not included, it defaults to a slash (/).

                                                                                                                                                                                                                                                     This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \u0021 ) through the DEL character ( \u007F ), including most punctuation characters, digits, and upper and lowercase letters.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-path

                                                                                                                                                                                                                                                  property policies

                                                                                                                                                                                                                                                  readonly policies?:
                                                                                                                                                                                                                                                  | Array<CfnGroup.PolicyProperty | cdk.IResolvable>
                                                                                                                                                                                                                                                  | cdk.IResolvable;
                                                                                                                                                                                                                                                  • Adds or updates an inline policy document that is embedded in the specified IAM group. To view AWS::IAM::Group snippets, see [Declaring an IAM Group Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-group) .

                                                                                                                                                                                                                                                    > The name of each inline policy for a role, user, or group must be unique. If you don't choose unique names, updates to the IAM identity will fail.

                                                                                                                                                                                                                                                    For information about limits on the number of inline policies that you can embed in a group, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-policies

                                                                                                                                                                                                                                                  interface CfnInstanceProfileProps

                                                                                                                                                                                                                                                  interface CfnInstanceProfileProps {}
                                                                                                                                                                                                                                                  • Properties for defining a CfnInstanceProfile

                                                                                                                                                                                                                                                    external

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html

                                                                                                                                                                                                                                                  property instanceProfileName

                                                                                                                                                                                                                                                  readonly instanceProfileName?: string;
                                                                                                                                                                                                                                                  • The name of the instance profile to create.

                                                                                                                                                                                                                                                     This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-instanceprofilename

                                                                                                                                                                                                                                                  property path

                                                                                                                                                                                                                                                  readonly path?: string;
                                                                                                                                                                                                                                                  • The path to the instance profile. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    This parameter is optional. If it is not included, it defaults to a slash (/).

                                                                                                                                                                                                                                                     This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \u0021 ) through the DEL character ( \u007F ), including most punctuation characters, digits, and upper and lowercase letters.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-path

                                                                                                                                                                                                                                                  property roles

                                                                                                                                                                                                                                                  readonly roles: string[];
                                                                                                                                                                                                                                                   • The name of the role to associate with the instance profile. Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions — so scope the role to the least privilege that every workload on that instance needs, since any process running there can act with the full set of permissions the role grants.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-roles

                                                                                                                                                                                                                                                  interface CfnManagedPolicyProps

                                                                                                                                                                                                                                                  interface CfnManagedPolicyProps {}
                                                                                                                                                                                                                                                  • Properties for defining a CfnManagedPolicy

                                                                                                                                                                                                                                                    external

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html

                                                                                                                                                                                                                                                  property description

                                                                                                                                                                                                                                                  readonly description?: string;
                                                                                                                                                                                                                                                  • A friendly description of the policy.

                                                                                                                                                                                                                                                    Typically used to store information about the permissions defined in the policy. For example, "Grants access to production DynamoDB tables."

                                                                                                                                                                                                                                                    The policy description is immutable. After a value is assigned, it cannot be changed.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-description

                                                                                                                                                                                                                                                  property groups

                                                                                                                                                                                                                                                  readonly groups?: string[];
                                                                                                                                                                                                                                                  • The name (friendly name, not ARN) of the group to attach the policy to.

                                                                                                                                                                                                                                                     This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-groups

                                                                                                                                                                                                                                                  property managedPolicyName

                                                                                                                                                                                                                                                  readonly managedPolicyName?: string;
                                                                                                                                                                                                                                                  • The friendly name of the policy.

                                                                                                                                                                                                                                                    > If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

                                                                                                                                                                                                                                                    If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .

                                                                                                                                                                                                                                                    > Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-managedpolicyname

                                                                                                                                                                                                                                                  property path

                                                                                                                                                                                                                                                  readonly path?: string;
                                                                                                                                                                                                                                                  • The path for the policy.

                                                                                                                                                                                                                                                    For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    This parameter is optional. If it is not included, it defaults to a slash (/).

                                                                                                                                                                                                                                                     This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! ( \u0021 ) through the DEL character ( \u007F ), including most punctuation characters, digits, and upper and lowercase letters.

                                                                                                                                                                                                                                                    > You cannot use an asterisk (*) in the path name.

                                                                                                                                                                                                                                                     http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-path

                                                                                                                                                                                                                                                  property policyDocument

                                                                                                                                                                                                                                                  readonly policyDocument: any | cdk.IResolvable;
                                                                                                                                                                                                                                                  • The JSON policy document that you want to use as the content for the new policy.

                                                                                                                                                                                                                                                    You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.

                                                                                                                                                                                                                                                     The maximum length of the policy document that you can pass in this operation, including whitespace, is given in the CloudFormation reference linked below. To view the maximum character counts of a managed policy with no whitespaces, see [IAM and AWS STS character quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length) .

                                                                                                                                                                                                                                                    To learn more about JSON policy grammar, see [Grammar of the IAM JSON policy language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                     The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:

                                                                                                                                                                                                                                                     - Any printable ASCII character ranging from the space character ( \u0020 ) through the end of the ASCII character range
                                                                                                                                                                                                                                                     - The printable characters in the Basic Latin and Latin-1 Supplement character set (through \u00FF )
                                                                                                                                                                                                                                                     - The special characters tab ( \u0009 ), line feed ( \u000A ), and carriage return ( \u000D )

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-policydocument

                                                                                                                                                                                                                                                  property roles

                                                                                                                                                                                                                                                  readonly roles?: string[];
                                                                                                                                                                                                                                                  • The name (friendly name, not ARN) of the role to attach the policy to.

                                                                                                                                                                                                                                                     This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                                                                                                                                                                                                    > If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles

                                                                                                                                                                                                                                                  property users

                                                                                                                                                                                                                                                  readonly users?: string[];
                                                                                                                                                                                                                                                  • The name (friendly name, not ARN) of the IAM user to attach the policy to.

                                                                                                                                                                                                                                                     This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-users

                                                                                                                                                                                                                                                  interface CfnOIDCProviderProps

                                                                                                                                                                                                                                                  interface CfnOIDCProviderProps {}
                                                                                                                                                                                                                                                  • Properties for defining a CfnOIDCProvider

                                                                                                                                                                                                                                                    external

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html

                                                                                                                                                                                                                                                  property clientIdList

                                                                                                                                                                                                                                                  readonly clientIdList?: string[];
                                                                                                                                                                                                                                                   • A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object. Keep this list to the audiences your workloads actually present: together with the role trust policy's conditions, it limits which tokens issued by the provider can be used to assume roles that trust it. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-clientidlist

                                                                                                                                                                                                                                                  property tags

                                                                                                                                                                                                                                                  readonly tags?: cdk.CfnTag[];
                                                                                                                                                                                                                                                  • A list of tags that are attached to the specified IAM OIDC provider. The returned list of tags is sorted by tag key. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-tags

                                                                                                                                                                                                                                                  property thumbprintList

                                                                                                                                                                                                                                                  readonly thumbprintList: string[];
                                                                                                                                                                                                                                                  • A list of certificate thumbprints that are associated with the specified IAM OIDC provider resource object. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-thumbprintlist

                                                                                                                                                                                                                                                  property url

                                                                                                                                                                                                                                                  readonly url?: string;
                                                                                                                                                                                                                                                  • The URL that the IAM OIDC provider resource object is associated with. For more information, see [CreateOpenIDConnectProvider](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html) .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-oidcprovider.html#cfn-iam-oidcprovider-url

                                                                                                                                                                                                                                                  interface CfnPolicyProps

                                                                                                                                                                                                                                                  interface CfnPolicyProps {}
                                                                                                                                                                                                                                                  • Properties for defining a CfnPolicy

                                                                                                                                                                                                                                                    external

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html

                                                                                                                                                                                                                                                  property groups

                                                                                                                                                                                                                                                  readonly groups?: string[];
                                                                                                                                                                                                                                                  • The names of the groups to associate the policy with.

                                                                                                                                                                                                                                                    This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-groups

                                                                                                                                                                                                                                                  property policyDocument

                                                                                                                                                                                                                                                  readonly policyDocument: any | cdk.IResolvable;
                                                                                                                                                                                                                                                  • The policy document.

                                                                                                                                                                                                                                                    You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.

                                                                                                                                                                                                                                                    The [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:

                                                                                                                                                                                                                                                    - Any printable ASCII character ranging from the space character (`\u0020`) through the end of the ASCII character range
                                                                                                                                                                                                                                                    - The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\u00FF`)
                                                                                                                                                                                                                                                    - The special characters tab (`\u0009`), line feed (`\u000A`), and carriage return (`\u000D`)

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument

                                                                                                                                                                                                                                                  property policyName

                                                                                                                                                                                                                                                  readonly policyName: string;
                                                                                                                                                                                                                                                  • The name of the policy document.

                                                                                                                                                                                                                                                    This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policyname

                                                                                                                                                                                                                                                  property roles

                                                                                                                                                                                                                                                  readonly roles?: string[];
                                                                                                                                                                                                                                                  • The names of the roles to associate the policy with.

                                                                                                                                                                                                                                                    This parameter allows (per its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                                                                                                                                                                                                    > If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-roles

                                                                                                                                                                                                                                                  property users

                                                                                                                                                                                                                                                  readonly users?: string[];
                                                                                                                                                                                                                                                  • The names of the users to associate the policy with.

                                                                                                                                                                                                                                                    This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-users

                                                                                                                                                                                                                                                  interface CfnRoleProps

                                                                                                                                                                                                                                                  interface CfnRoleProps {}
                                                                                                                                                                                                                                                  • Properties for defining a CfnRole

                                                                                                                                                                                                                                                    external

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

                                                                                                                                                                                                                                                  property assumeRolePolicyDocument

                                                                                                                                                                                                                                                  readonly assumeRolePolicyDocument: any | cdk.IResolvable;
                                                                                                                                                                                                                                                  • The trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see [Template Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples) . For more information about the elements that you can use in an IAM policy, see [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument

                                                                                                                                                                                                                                                  property description

                                                                                                                                                                                                                                                  readonly description?: string;
                                                                                                                                                                                                                                                  • A description of the role that you provide.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-description

                                                                                                                                                                                                                                                  property managedPolicyArns

                                                                                                                                                                                                                                                  readonly managedPolicyArns?: string[];
                                                                                                                                                                                                                                                  • A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the role.

                                                                                                                                                                                                                                                    For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference* .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-managepolicyarns

                                                                                                                                                                                                                                                  property maxSessionDuration

                                                                                                                                                                                                                                                  readonly maxSessionDuration?: number;
                                                                                                                                                                                                                                                  • The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.

                                                                                                                                                                                                                                                    Anyone who assumes the role from the AWS CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter. If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL. For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the *IAM User Guide*.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-maxsessionduration

                                                                                                                                                                                                                                                  property path

                                                                                                                                                                                                                                                  readonly path?: string;
                                                                                                                                                                                                                                                  • The path to the role. For more information about paths, see [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    This parameter is optional. If it is not included, it defaults to a slash (/).

                                                                                                                                                                                                                                                    This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper- and lowercase letters.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-path

                                                                                                                                                                                                                                                  property permissionsBoundary

                                                                                                                                                                                                                                                  readonly permissionsBoundary?: string;
                                                                                                                                                                                                                                                  • The ARN of the policy used to set the permissions boundary for the role.

                                                                                                                                                                                                                                                    For more information about permissions boundaries, see [Permissions boundaries for IAM identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-permissionsboundary

                                                                                                                                                                                                                                                  property policies

                                                                                                                                                                                                                                                  readonly policies?:
                                                                                                                                                                                                                                                  | Array<CfnRole.PolicyProperty | cdk.IResolvable>
                                                                                                                                                                                                                                                  | cdk.IResolvable;
                                                                                                                                                                                                                                                  • Adds or updates an inline policy document that is embedded in the specified IAM role.

                                                                                                                                                                                                                                                    When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role. You can update a role's trust policy later. For more information about IAM roles, go to [Using Roles to Delegate Permissions and Federate Identities](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) .

                                                                                                                                                                                                                                                    A role can also have an attached managed policy. For information about policies, see [Managed Policies and Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-managed-vs-inline.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    For information about limits on the number of inline policies that you can embed with a role, see [Limitations on IAM Entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    > If an external policy (such as AWS::IAM::Policy or AWS::IAM::ManagedPolicy ) has a Ref to a role and if a resource (such as AWS::ECS::Service ) also has a Ref to the same role, add a DependsOn attribute to the resource to make the resource depend on the external policy. This dependency ensures that the role's policy is available throughout the resource's lifecycle. For example, when you delete a stack with an AWS::ECS::Service resource, the DependsOn attribute ensures that AWS CloudFormation deletes the AWS::ECS::Service resource before deleting its role's policy.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-policies

                                                                                                                                                                                                                                                  property roleName

                                                                                                                                                                                                                                                  readonly roleName?: string;
                                                                                                                                                                                                                                                   • A name for the IAM role, up to 64 characters in length. For valid values, see the RoleName parameter for the [CreateRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) action in the *IAM API Reference* .

                                                                                                                                                                                                                                                     This parameter allows (per its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-. The role name must be unique within the account. Role names are not distinguished by case. For example, you cannot create roles named both "Role1" and "role1".

                                                                                                                                                                                                                                                    If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the role name.

                                                                                                                                                                                                                                                    If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities. For more information, see [Acknowledging IAM Resources in AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities) .

                                                                                                                                                                                                                                                    > Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]} .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-rolename

                                                                                                                                                                                                                                                  property tags

                                                                                                                                                                                                                                                  readonly tags?: cdk.CfnTag[];
                                                                                                                                                                                                                                                  • A list of tags that are attached to the role. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-tags

                                                                                                                                                                                                                                                  interface CfnSAMLProviderProps

                                                                                                                                                                                                                                                  interface CfnSAMLProviderProps {}
                                                                                                                                                                                                                                                  • Properties for defining a CfnSAMLProvider

                                                                                                                                                                                                                                                    external

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html

                                                                                                                                                                                                                                                  property name

                                                                                                                                                                                                                                                  readonly name?: string;
                                                                                                                                                                                                                                                  • The name of the provider to create.

                                                                                                                                                                                                                                                     This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-name

                                                                                                                                                                                                                                                  property samlMetadataDocument

                                                                                                                                                                                                                                                  readonly samlMetadataDocument: string;
                                                                                                                                                                                                                                                   • An XML document generated by an identity provider (IdP) that supports SAML 2.0. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP. Because IAM relies on the keys in this document to validate assertion signatures, the document must be kept current: when the IdP rotates its signing certificate or the metadata expires, update this property, otherwise assertions signed with the new key cannot be validated.

                                                                                                                                                                                                                                                    For more information, see [About SAML 2.0-based federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) in the *IAM User Guide*

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-samlmetadatadocument

                                                                                                                                                                                                                                                  property tags

                                                                                                                                                                                                                                                  readonly tags?: cdk.CfnTag[];
                                                                                                                                                                                                                                                  • A list of tags that you want to attach to the new IAM SAML provider. Each tag consists of a key name and an associated value. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    > If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-samlprovider.html#cfn-iam-samlprovider-tags

                                                                                                                                                                                                                                                  interface CfnServerCertificateProps

                                                                                                                                                                                                                                                  interface CfnServerCertificateProps {}
                                                                                                                                                                                                                                                  • Properties for defining a CfnServerCertificate

                                                                                                                                                                                                                                                    external

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html

                                                                                                                                                                                                                                                  property certificateBody

                                                                                                                                                                                                                                                  readonly certificateBody?: string;
                                                                                                                                                                                                                                                  • The contents of the public key certificate.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatebody

                                                                                                                                                                                                                                                  property certificateChain

                                                                                                                                                                                                                                                  readonly certificateChain?: string;
                                                                                                                                                                                                                                                  • The contents of the public key certificate chain.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-certificatechain

                                                                                                                                                                                                                                                  property path

                                                                                                                                                                                                                                                  readonly path?: string;
                                                                                                                                                                                                                                                  • The path for the server certificate. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                     This parameter is optional. If it is not included, it defaults to a slash (/). This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (`\u0021`) through the DEL character (`\u007F`), including most punctuation characters, digits, and upper and lowercased letters.

                                                                                                                                                                                                                                                    > If you are uploading a server certificate specifically for use with Amazon CloudFront distributions, you must specify a path using the path parameter. The path must begin with /cloudfront and must include a trailing slash (for example, /cloudfront/test/ ).

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-path

                                                                                                                                                                                                                                                  property privateKey

                                                                                                                                                                                                                                                  readonly privateKey?: string;
                                                                                                                                                                                                                                                   • The contents of the private key in PEM-encoded format. Note that this is a plain `string` property: the key material is embedded as plaintext in the CloudFormation template (and in the synthesized CDK output), where it is readable by anyone who can retrieve the stack's template. Avoid committing or hard-coding long-lived key material here; where possible, resolve the value from a secrets store at deploy time and restrict who can read the template.

                                                                                                                                                                                                                                                     The [regex pattern](http://wikipedia.org/wiki/regex) used to validate this parameter is a string of characters consisting of the following:

                                                                                                                                                                                                                                                     - Any printable ASCII character ranging from the space character (`\u0020`) through the end of the ASCII character range
                                                                                                                                                                                                                                                     - The printable characters in the Basic Latin and Latin-1 Supplement character set (through `\u00FF`)
                                                                                                                                                                                                                                                     - The special characters tab (`\u0009`), line feed (`\u000A`), and carriage return (`\u000D`)

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-privatekey

                                                                                                                                                                                                                                                  property serverCertificateName

                                                                                                                                                                                                                                                  readonly serverCertificateName?: string;
                                                                                                                                                                                                                                                  • The name for the server certificate. Do not include the path in this value. The name of the certificate cannot contain any spaces.

                                                                                                                                                                                                                                                     This parameter allows (through its [regex pattern](http://wikipedia.org/wiki/regex) ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-servercertificatename

                                                                                                                                                                                                                                                  property tags

                                                                                                                                                                                                                                                  readonly tags?: cdk.CfnTag[];
                                                                                                                                                                                                                                                  • A list of tags that are attached to the server certificate. For more information about tagging, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide* .

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servercertificate.html#cfn-iam-servercertificate-tags

                                                                                                                                                                                                                                                  interface CfnServiceLinkedRoleProps

                                                                                                                                                                                                                                                  interface CfnServiceLinkedRoleProps {}
                                                                                                                                                                                                                                                  • Properties for defining a CfnServiceLinkedRole

                                                                                                                                                                                                                                                    external

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html

                                                                                                                                                                                                                                                  property awsServiceName

                                                                                                                                                                                                                                                  readonly awsServiceName: string;
                                                                                                                                                                                                                                                  • The service principal for the AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com .

                                                                                                                                                                                                                                                    Service principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* . Look for the services that have *Yes* in the *Service-Linked Role* column. Choose the *Yes* link to view the service-linked role documentation for that service.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-awsservicename

                                                                                                                                                                                                                                                  property customSuffix

                                                                                                                                                                                                                                                  readonly customSuffix?: string;
                                                                                                                                                                                                                                                  • A string that you provide, which is combined with the service-provided prefix to form the complete role name. If you make multiple requests for the same service, then you must supply a different CustomSuffix for each request. Otherwise the request fails with a duplicate role name error. For example, you could add -1 or -debug to the suffix.

                                                                                                                                                                                                                                                    Some services do not support the CustomSuffix parameter. If you provide an optional suffix and the operation fails, try the operation again without the suffix.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-customsuffix

                                                                                                                                                                                                                                                  property description

                                                                                                                                                                                                                                                  readonly description?: string;
                                                                                                                                                                                                                                                  • The description of the role.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-description

                                                                                                                                                                                                                                                  interface CfnUserProps

                                                                                                                                                                                                                                                  interface CfnUserProps {}
                                                                                                                                                                                                                                                  • Properties for defining a CfnUser

                                                                                                                                                                                                                                                    external

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html

                                                                                                                                                                                                                                                  property groups

                                                                                                                                                                                                                                                  readonly groups?: string[];
                                                                                                                                                                                                                                                  • A list of group names to which you want to add the user.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-groups

                                                                                                                                                                                                                                                  property loginProfile

                                                                                                                                                                                                                                                  readonly loginProfile?: CfnUser.LoginProfileProperty | cdk.IResolvable;
                                                                                                                                                                                                                                                   • Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.

                                                                                                                                                                                                                                                     You can use the AWS CLI, the AWS API, or the *Users* page in the IAM console to create a password for any IAM user. Use [ChangePassword](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ChangePassword.html) to update your own existing password on the *My Security Credentials* page in the AWS Management Console.

                                                                                                                                                                                                                                                     For more information about managing passwords, see [Managing passwords](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingLogins.html) in the *IAM User Guide*.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-loginprofile

                                                                                                                                                                                                                                                  property managedPolicyArns

                                                                                                                                                                                                                                                  readonly managedPolicyArns?: string[];
                                                                                                                                                                                                                                                  • A list of Amazon Resource Names (ARNs) of the IAM managed policies that you want to attach to the user.

                                                                                                                                                                                                                                                     For more information about ARNs, see [Amazon Resource Names (ARNs) and AWS Service Namespaces](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference*.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-managepolicyarns

                                                                                                                                                                                                                                                  property path

                                                                                                                                                                                                                                                  readonly path?: string;
                                                                                                                                                                                                                                                   • The path for the user name. For more information about paths, see [IAM identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) in the *IAM User Guide*.

                                                                                                                                                                                                                                                    This parameter is optional. If it is not included, it defaults to a slash (/).

                                                                                                                                                                                                                                                     This parameter allows (through its [regex pattern](https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex)) a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. In addition, it can contain any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and uppercase and lowercase letters.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-path

                                                                                                                                                                                                                                                  property permissionsBoundary

                                                                                                                                                                                                                                                  readonly permissionsBoundary?: string;
                                                                                                                                                                                                                                                  • The ARN of the policy that is used to set the permissions boundary for the user.

                                                                                                                                                                                                                                                    http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-permissionsboundary

                                                                                                                                                                                                                                                  property policies

                                                                                                                                                                                                                                                  readonly policies?:
                                                                                                                                                                                                                                                  | Array<CfnUser.PolicyProperty | cdk.IResolvable>
                                                                                                                                                                                                                                                  | cdk.IResolvable;
                                                                                                                                                                                                                                                   • Adds or updates an inline policy document that is embedded in the specified IAM user. To view AWS::IAM::User snippets, see [Declaring an IAM User Resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user).

                                                                                                                                                                                                                                                    > The name of each policy for a role, user, or group must be unique. If