import type { ITableRef } from './dynamodb.generated';
import * as iam from '../../aws-iam';

/**
 * Construction properties for TableGrants
 *
 * Usually not built by hand: `TableGrants.fromTable()` covers the common case.
 */
export interface TableGrantsProps {
  /**
   * The table to grant permissions on
   */
  readonly table: ITableRef;

  /**
   * Additional regions other than the main one that this table is replicated to
   *
   * NOTE(review): presumably these regions are used to build the replica table ARNs that
   * every grant made through this object is scoped to — confirm against the implementation.
   * Only list regions the table is actually replicated to, so grants stay scoped to
   * resources that exist.
   *
   * @default - No regions
   */
  readonly regions?: string[];

  /**
   * Whether this table has indexes
   *
   * If so, permissions are granted on all table indexes as well. This widens the
   * resource set of every grant, so set it only when the table really has indexes.
   *
   * @default false
   */
  readonly hasIndex?: boolean;

  /**
   * The encrypted resource on which actions will be allowed
   *
   * @deprecated - Leave this field undefined. If the table is encrypted with a customer-managed KMS key, appropriate
   * grants to the key will be automatically added.
   *
   * @default - A best-effort attempt will be made to discover an associated KMS key and grant permissions to it.
   */
  readonly encryptedResource?: iam.IEncryptedResource;

  /**
   * The resource with policy on which actions will be allowed
   *
   * @deprecated - Leave this field undefined. A best-effort attempt will be made to discover a resource policy and add
   * permissions to it.
   *
   * @default - A best-effort attempt will be made to discover a resource policy and add permissions to it.
   */
  readonly policyResource?: iam.IResourceWithPolicyV2;
}

/**
 * A set of permissions to grant on a Table
 *
 * Each `*Data` method returns the `iam.Grant` it produced, so callers can inspect the
 * statement that was added. Prefer the narrowest method that fits the principal's job
 * (`readData` / `writeData` / `readWriteData`) over `fullAccess`.
 */
export declare class TableGrants {
  /**
   * Creates a TableGrants object for a given table.
   *
   * @param table The table to grant permissions on
   * @param regions Additional replica regions (see `TableGrantsProps.regions`)
   * @param hasIndex Whether grants should also cover the table's indexes
   */
  static fromTable(table: ITableRef, regions?: string[], hasIndex?: boolean): TableGrants;

  // The table the grants are scoped to.
  private readonly table;
  // Resource ARNs the grant statements are built against (the table plus, presumably,
  // its replicas and indexes — not visible from this declaration; confirm in the source).
  private readonly arns;
  // Optional KMS-backed resource that also receives grants (see the deprecated prop).
  private readonly encryptedResource?;
  // Optional resource policy that also receives grants (see the deprecated prop).
  private readonly policyResource?;

  constructor(props: TableGrantsProps);

  /**
   * Adds an IAM policy statement associated with this table to an IAM
   * principal's policy.
   *
   * If `encryptionKey` is present, appropriate grants to the key needs to be added
   * separately using the `table.encryptionKey.grant*` methods.
   *
   * NOTE(review): unlike `readData`/`writeData` below, this contract does not promise
   * automatic KMS key grants — confirm against the implementation before relying on it.
   * The `actions` list is passed through as-is; keep it to the specific DynamoDB actions
   * the principal needs rather than wildcards.
   *
   * @param grantee The principal (no-op if undefined)
   * @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...)
   */
  actions(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;

  /**
   * Permits an IAM principal all data read operations from this table:
   * BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan, DescribeTable.
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The grant that was added
   */
  readData(grantee: iam.IGrantable): iam.Grant;

  /**
   * Permits an IAM principal all data write operations to this table:
   * BatchWriteItem, PutItem, UpdateItem, DeleteItem, DescribeTable.
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The grant that was added
   */
  writeData(grantee: iam.IGrantable): iam.Grant;

  /**
   * Permits an IAM principal to all data read/write operations to this table.
   * BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan,
   * BatchWriteItem, PutItem, UpdateItem, DeleteItem, DescribeTable
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The grant that was added
   */
  readWriteData(grantee: iam.IGrantable): iam.Grant;

  /**
   * Permits all DynamoDB operations ("dynamodb:*") to an IAM principal.
   *
   * This is the broadest grant available here: it covers control-plane actions
   * (table deletion, settings changes) in addition to data access. Prefer
   * `readData`, `writeData` or `readWriteData` unless the principal genuinely
   * administers the table.
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The grant that was added
   */
  fullAccess(grantee: iam.IGrantable): iam.Grant;

  /**
   * Grants permissions for this table to act as a source for multi-account global table replication.
   *
   * Unlike the `*Data` methods this returns nothing, so the resulting statement cannot be
   * inspected or extended through a returned `Grant`. The ARN names a resource in another
   * account; make sure it is the intended replica, since it establishes a cross-account
   * replication relationship.
   *
   * @param destinationReplicaArn The ARN of the destination replica table in the other account
   */
  multiAccountReplicationTo(destinationReplicaArn: string): void;

  /**
   * Grants permissions for this table to act as a destination for multi-account global table replication.
   *
   * Same caveats as `multiAccountReplicationTo`: no `Grant` is returned, and the ARN
   * identifies the cross-account source that is being trusted to replicate into this table.
   *
   * @param sourceReplicaArn The ARN of the source replica table in the other account
   */
  multiAccountReplicationFrom(sourceReplicaArn: string): void;
}