import { ITableRef } from './dynamodb.generated';
import * as iam from '../../aws-iam';

/**
 * Construction properties for TableGrants.
 *
 * This is a declaration file: only signatures are visible here, so the
 * behaviour described in these comments is the documented contract, not
 * something verifiable from an implementation on this page.
 */
export interface TableGrantsProps {
  /**
   * The table to grant permissions on
   */
  readonly table: ITableRef;
  /**
   * Additional regions other than the main one that this table is replicated to
   *
   * NOTE(review): presumably the granted resource set is widened to the
   * replica ARNs in these regions as well — confirm against the
   * implementation. Only list regions whose replicas the grantee actually
   * needs, since each one enlarges the resource scope of every grant.
   *
   * @default - No regions
   */
  readonly regions?: string[];
  /**
   * Whether this table has indexes
   *
   * If so, permissions are granted on all table indexes as well.
   * This widens the resource scope of every grant to include the index
   * ARNs; set it only when the grantee needs index access.
   *
   * @default false
   */
  readonly hasIndex?: boolean;
  /**
   * The encrypted resource on which actions will be allowed
   *
   * When present, grants made through this class are also expected to
   * add the matching permissions on the customer-managed KMS key. When
   * absent, the grantee receives no key permissions from this class.
   *
   * @default - No permission is added to the KMS key, even if it exists
   */
  readonly encryptedResource?: iam.IEncryptedResource;
  /**
   * The resource with policy on which actions will be allowed
   *
   * When present, a grant may be expressed as a resource-based policy on
   * the table rather than (or in addition to) an identity policy.
   *
   * @default - No resource policy is created
   */
  readonly policyResource?: iam.IResourceWithPolicyV2;
}

/**
 * A set of permissions to grant on a Table
 *
 * The convenience methods (`readData`, `writeData`, `readWriteData`) grant
 * fixed action sets; `actions` grants an arbitrary list and `fullAccess`
 * grants `dynamodb:*`. Prefer the narrowest method that covers the
 * grantee's needs.
 */
export declare class TableGrants {
  // Member types are elided in this declaration file (private members
  // carry no type in a .d.ts); they mirror the corresponding TableGrantsProps.
  private readonly table;
  // Resource ARNs the grants apply to; presumably derived from `table`,
  // `regions` and `hasIndex` — the derivation is not visible here.
  private readonly arns;
  private readonly encryptedResource?;
  private readonly policyResource?;
  constructor(props: TableGrantsProps);
  /**
   * Adds an IAM policy statement associated with this table to an IAM
   * principal's policy.
   *
   * If `encryptionKey` is present, appropriate grants to the key need to be added
   * separately using the `table.encryptionKey.grant*` methods.
   *
   * No validation of the action names is visible in this declaration;
   * callers are responsible for passing well-formed, minimal `dynamodb:*`
   * action strings.
   *
   * @param grantee The principal (no-op if undefined)
   * @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...)
   * @returns The resulting grant
   */
  actions(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
  /**
   * Permits an IAM principal all data read operations from this table:
   * BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan, DescribeTable.
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The resulting grant
   */
  readData(grantee: iam.IGrantable): iam.Grant;
  /**
   * Permits an IAM principal all data write operations to this table:
   * BatchWriteItem, PutItem, UpdateItem, DeleteItem, DescribeTable.
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The resulting grant
   */
  writeData(grantee: iam.IGrantable): iam.Grant;
  /**
   * Permits an IAM principal to all data read/write operations to this table.
   * BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan,
   * BatchWriteItem, PutItem, UpdateItem, DeleteItem, DescribeTable
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The resulting grant
   */
  readWriteData(grantee: iam.IGrantable): iam.Grant;
  /**
   * Permits all DynamoDB operations ("dynamodb:*") to an IAM principal.
   *
   * This is broader than any data-plane need: `dynamodb:*` also covers
   * control-plane actions such as deleting or reconfiguring the table.
   * Use `readData`, `writeData`, `readWriteData` or `actions` with an
   * explicit list unless the grantee genuinely administers the table.
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The resulting grant
   */
  fullAccess(grantee: iam.IGrantable): iam.Grant;
}