UNPKG

@aws-cdk/aws-iam

Version:

CDK routines for easily assigning correct and minimal IAM permissions

github.com/aws/aws-cdk

aws/aws-cdk

129 lines (128 loc) 4.84 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
import * as cdk from '@aws-cdk/core'; import { IConstruct } from '@aws-cdk/core'; import { PolicyStatement } from './policy-statement'; /** * Properties for a new PolicyDocument */ export interface PolicyDocumentProps { /** * Automatically assign Statement Ids to all statements * * @default false */ readonly assignSids?: boolean; /** * Initial statements to add to the policy document * * @default - No statements */ readonly statements?: PolicyStatement[]; /** * Try to minimize the policy by merging statements * * To avoid overrunning the maximum policy size, combine statements if they produce * the same result. Merging happens according to the following rules: * * - The Effect of both statements is the same * - Neither of the statements have a 'Sid' * - Combine Principals if the rest of the statement is exactly the same. * - Combine Resources if the rest of the statement is exactly the same. * - Combine Actions if the rest of the statement is exactly the same. * - We will never combine NotPrincipals, NotResources or NotActions, because doing * so would change the meaning of the policy document. * * @default - false, unless the feature flag `@aws-cdk/aws-iam:minimizePolicies` is set */ readonly minimize?: boolean; } /** * A PolicyDocument is a collection of statements */ export declare class PolicyDocument implements cdk.IResolvable { /** * Creates a new PolicyDocument based on the object provided. * This will accept an object created from the `.toJSON()` call * @param obj the PolicyDocument in object form. */ static fromJson(obj: any): PolicyDocument; readonly creationStack: string[]; private readonly statements; private readonly autoAssignSids; private readonly minimize?; constructor(props?: PolicyDocumentProps); resolve(context: cdk.IResolveContext): any; /** * Whether the policy document contains any statements. */ get isEmpty(): boolean; /** * The number of statements already added to this policy. * Can be used, for example, to generate unique "sid"s within the policy. */ get statementCount(): number; /** * Adds a statement to the policy document. * * @param statement the statement to add. */ addStatements(...statement: PolicyStatement[]): void; /** * Encode the policy document as a string */ toString(): string; /** * JSON-ify the document * * Used when JSON.stringify() is called */ toJSON(): any; /** * Validate that all policy statements in the policy document satisfies the * requirements for any policy. * * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json * * @returns An array of validation error messages, or an empty array if the document is valid. */ validateForAnyPolicy(): string[]; /** * Validate that all policy statements in the policy document satisfies the * requirements for a resource-based policy. * * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json * * @returns An array of validation error messages, or an empty array if the document is valid. */ validateForResourcePolicy(): string[]; /** * Validate that all policy statements in the policy document satisfies the * requirements for an identity-based policy. * * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json * * @returns An array of validation error messages, or an empty array if the document is valid. */ validateForIdentityPolicy(): string[]; /** * Perform statement merging (if enabled and not done yet) * * @internal */ _maybeMergeStatements(scope: cdk.IConstruct): void; /** * Split the statements of the PolicyDocument into multiple groups, limited by their size * * We do a round of size-limited merging first (making sure to not produce statements too * large to fit into standalone policies), so that we can most accurately estimate total * policy size. Another final round of minimization will be done just before rendering to * end up with minimal policies that look nice to humans. * * Return a map of the final set of policy documents, mapped to the ORIGINAL (pre-merge) * PolicyStatements that ended up in the given PolicyDocument. * * @internal */ _splitDocument(scope: IConstruct, selfMaximumSize: number, splitMaximumSize: number): Map<PolicyDocument, PolicyStatement[]>; private render; private shouldMerge; }