import { GrantReplicationPermissionProps } from './bucket';
import { IBucketRef } from './s3.generated';
import { Grant, IGrantable } from '../../aws-iam';
import * as iam from '../../aws-iam/lib/grant';
/**
 * Collection of grant methods for a Bucket.
 *
 * Every method returns the resulting `Grant`, so callers can tighten it
 * further (for example by adding conditions) after it has been created.
 * This is a declaration file: the statements each method actually emits are
 * in the implementation, not shown here.
 *
 * Least-privilege note: all object-level methods default their key pattern to
 * `'*'`, i.e. every object in the bucket. Pass an explicit key pattern when a
 * principal only needs a prefix.
 */
export declare class BucketGrants {
    private readonly bucket;
    // NOTE(review): presumably the KMS key resource that receives the encrypt/decrypt grants
    // mentioned in the method docs below — confirm against the implementation
    private readonly encryptedResource?;
    // NOTE(review): presumably the bucket policy resource statements are attached to — confirm
    private readonly policyResource?;
    /**
     * Creates grants for an IBucketRef
     */
    static fromBucket(bucket: IBucketRef): BucketGrants;
    private constructor();
    /**
     * Grant read permissions for this bucket and its contents to an IAM
     * principal (Role/Group/User).
     *
     * If encryption is used, permission to use the key to decrypt the contents
     * of the bucket will also be granted to the same principal.
     *
     * @param identity The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
     */
    read(identity: IGrantable, objectsKeyPattern?: any): Grant;
    /**
     * Grant write permissions for this bucket and its contents to an IAM
     * principal (Role/Group/User).
     *
     * If encryption is used, permission to use the key to decrypt the contents
     * of the bucket will also be granted to the same principal.
     *
     * @param identity The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
     * @param allowedActionPatterns NOTE(review): undocumented in the original; presumably narrows the
     *   set of write actions granted to those matching the given patterns — verify against the implementation.
     */
    write(identity: IGrantable, objectsKeyPattern?: any, allowedActionPatterns?: string[]): Grant;
    /**
     * Grants s3:DeleteObject* permission to an IAM principal for objects
     * in this bucket.
     *
     * @param grantee The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
     */
    delete(grantee: IGrantable, objectsKeyPattern?: any): Grant;
    /**
     * Allows unrestricted access to objects from this bucket.
     *
     * IMPORTANT: This permission allows anyone to perform actions on S3 objects
     * in this bucket, which is useful for when you configure your bucket as a
     * website and want everyone to be able to read objects in the bucket without
     * needing to authenticate.
     *
     * Without arguments, this method will grant read ("s3:GetObject") access to
     * all objects ("*") in the bucket.
     *
     * The method returns the `iam.Grant` object, which can then be modified
     * as needed. For example, you can add a condition that will restrict access only
     * to an IPv4 range like this:
     *
     *     const grant = bucket.grantPublicAccess();
     *     grant.resourceStatement!.addCondition('IpAddress', { "aws:SourceIp": "54.240.143.0/24" });
     *
     * Because the grantee is unrestricted, keep `keyPrefix` as narrow as the
     * use case allows and keep `allowedActions` read-only unless anonymous
     * writes are genuinely intended. NOTE(review): the resulting bucket policy
     * is presumably still subject to the account's and bucket's S3 Block Public
     * Access settings — confirm for the target account.
     *
     * Note that if this `IBucket` refers to an existing bucket, possibly not
     * managed by CloudFormation, this method will have no effect, since it's
     * impossible to modify the policy of an existing bucket.
     *
     * @param keyPrefix the prefix of S3 object keys (e.g. `home/*`). Default is "*".
     * @param allowedActions the set of S3 actions to allow. Default is "s3:GetObject".
     */
    publicAccess(keyPrefix?: string, ...allowedActions: string[]): Grant;
    /**
     * Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
     *
     * If encryption is used, permission to use the key to encrypt the contents
     * of written files will also be granted to the same principal.
     * @param identity The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
     */
    put(identity: IGrantable, objectsKeyPattern?: any): Grant;
    /**
     * Grants s3:PutObjectAcl and s3:PutObjectVersionAcl permissions for this bucket to an IAM principal.
     *
     * If encryption is used, permission to use the key to encrypt the contents
     * of written files will also be granted to the same principal.
     * @param identity The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*').
     *   Unlike the other methods on this class, this parameter is declared as `string`.
     */
    putAcl(identity: IGrantable, objectsKeyPattern?: string): Grant;
    /**
     * Grant read and write permissions for this bucket and its contents to an IAM
     * principal (Role/Group/User).
     *
     * If encryption is used, permission to use the key to decrypt the contents
     * of the bucket will also be granted to the same principal.
     *
     * @param identity The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
     */
    readWrite(identity: IGrantable, objectsKeyPattern?: any): Grant;
    // NOTE(review): presumably the action lists behind `put` and `write`; bodies are not visible here
    private get putActions();
    private get writeActions();
    /**
     * Grant replication permission to a principal.
     * This method allows the principal to perform replication operations on this bucket.
     *
     * Note that when calling this function for source or destination buckets that support KMS encryption,
     * you need to specify the KMS key for encryption and the KMS key for decryption, respectively.
     *
     * @param identity The principal to grant replication permission to.
     * @param props The properties of the replication source and destination buckets.
     * @returns the grant; declared via the `iam` namespace import rather than the
     *   `Grant` import used by the other methods — presumably the same class.
     */
    replicationPermission(identity: IGrantable, props: GrantReplicationPermissionProps): iam.Grant;
    private grant;
    private arnForObjects;
}