
aws-cdk-github-oidc


CDK constructs to use OpenID Connect for authenticating your GitHub Actions workflows with AWS IAM

import { Duration } from 'aws-cdk-lib';
import { IManagedPolicy, PolicyDocument } from 'aws-cdk-lib/aws-iam';
/**
 * Properties for defining an IAM Role.
 * These are copied from @aws-cdk/aws-iam, but since JSII does not support
 * TypeScript <Partial<iam.RoleProps>> (or Omit), the fields are duplicated
 * here by hand.
 *
 * Basically exactly the same as source, but with assumedBy removed: the
 * construct that consumes these props supplies the trust policy itself
 * (OIDC / web-identity federation, per the package description).
 *
 * NOTE(review): every field is optional, so `{}` is a valid value and yields
 * a role with no policies attached. What the resulting role is allowed to do
 * is decided entirely by the policy fields the caller passes below, so keep
 * them scoped to what the workflow actually needs.
 *
 * @stability stable
 */
export interface RoleProps {
    /**
     * List of IDs that the role assumer needs to provide one of when assuming this role.
     *
     * If the configured and provided external IDs do not match, the
     * AssumeRole operation will fail.
     *
     * NOTE(review): the external-ID check is a feature of sts:AssumeRole.
     * A role assumed through web-identity federation (which is what the
     * package description implies for this construct) is assumed with
     * sts:AssumeRoleWithWebIdentity, which has no ExternalId parameter --
     * confirm whether setting this has any effect before relying on it as
     * a control. The trust policy itself is not part of these props.
     *
     * @default No external ID required
     * @stability stable
     */
    readonly externalIds?: string[];
    /**
     * A list of managed policies associated with this role.
     *
     * You can add managed policies later using
     * `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
     *
     * NOTE(review): broad AWS-managed policies (e.g. *FullAccess) hand the
     * whole policy's scope to anything that can obtain a token for this role;
     * prefer a customer-managed or inline policy scoped to the workflow.
     *
     * @default - No managed policies.
     * @stability stable
     */
    readonly managedPolicies?: IManagedPolicy[];
    /**
     * A list of named policies to inline into this role.
     *
     * These policies will be
     * created with the role, whereas those added by ``addToPolicy`` are added
     * using a separate CloudFormation resource (allowing a way around circular
     * dependencies that could otherwise be introduced).
     *
     * The map key is the inline policy name as it will appear on the role.
     *
     * @default - No policy is inlined in the Role resource.
     * @stability stable
     */
    readonly inlinePolicies?: { [name: string]: PolicyDocument; };
    /**
     * The path associated with this role.
     *
     * For information about IAM paths, see
     * Friendly Names and Paths in IAM User Guide.
     *
     * @default /
     * @stability stable
     */
    readonly path?: string;
    /**
     * AWS supports permissions boundaries for IAM entities (users or roles).
     *
     * A permissions boundary is an advanced feature for using a managed policy
     * to set the maximum permissions that an identity-based policy can grant to
     * an IAM entity.
     * An entity's permissions boundary allows it to perform only
     * the actions that are allowed by both its identity-based policies and its
     * permissions boundaries.
     *
     * NOTE(review): worth setting on a role that is assumed by externally
     * hosted CI -- it caps what any policy on this role, including ones
     * attached later via `addManagedPolicy`/`addToPolicy`, can grant.
     *
     * @default - No permissions boundary.
     * @stability stable
     * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
     */
    readonly permissionsBoundary?: IManagedPolicy;
    /**
     * A name for the IAM role.
     *
     * For valid values, see the RoleName parameter for
     * the CreateRole action in the IAM API Reference.
     *
     * IMPORTANT: If you specify a name, you cannot perform updates that require
     * replacement of this resource. You can perform updates that require no or
     * some interruption. If you must replace the resource, specify a new name.
     *
     * If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
     * acknowledge your template's capabilities. For more information, see
     * Acknowledging IAM Resources in AWS CloudFormation Templates.
     *
     * @default - AWS CloudFormation generates a unique physical ID and uses that ID
     * for the role name.
     * @stability stable
     */
    readonly roleName?: string;
    /**
     * The maximum session duration that you want to set for the specified role.
     *
     * This setting can have a value from 1 hour (3600 sec) to 12 hours
     * (43200 sec).
     *
     * Anyone who assumes the role from the AWS CLI or API can use the
     * DurationSeconds API parameter or the duration-seconds CLI parameter to
     * request a longer session. The MaxSessionDuration setting determines the
     * maximum duration that can be requested using the DurationSeconds
     * parameter.
     *
     * If users don't specify a value for the DurationSeconds parameter, their
     * security credentials are valid for one hour by default. This applies when
     * you use the AssumeRole* API operations or the assume-role* CLI operations
     * but does not apply when you use those operations to create a console URL.
     *
     * NOTE(review): this is an upper bound on how long credentials issued to
     * a workflow stay valid after the job ends (or after they leak). For CI
     * roles, keep it at the default unless a job genuinely runs longer.
     *
     * @default Duration.hours(1)
     * @stability stable
     * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
     */
    readonly maxSessionDuration?: Duration;
    /**
     * A description of the role.
     *
     * It can be up to 1000 characters long.
     *
     * @default - No description.
     * @stability stable
     */
    readonly description?: string;
}