aws-cdk-lib

Version 2 of the AWS Cloud Development Kit library

"use strict";

Object.defineProperty(exports, "__esModule", { value: true });
exports.KeyGrants = void 0;

// Lazy module loaders: each one requires its module on first call and then
// replaces itself with a function returning the cached module object.
let jsiiDeprecationWarnings = () => {
  const loaded = require("../../.warnings.jsii.js");
  jsiiDeprecationWarnings = () => loaded;
  return loaded;
};

const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");

let kms_generated_1 = () => {
  const loaded = require("./kms.generated");
  kms_generated_1 = () => loaded;
  return loaded;
};

let perms = () => {
  const loaded = require("./private/perms");
  perms = () => loaded;
  return loaded;
};

let iam = () => {
  const loaded = require("../../aws-iam");
  iam = () => loaded;
  return loaded;
};

let core_1 = () => {
  const loaded = require("../../core");
  core_1 = () => loaded;
  return loaded;
};

let cxapi = () => {
  const loaded = require("../../cx-api");
  cxapi = () => loaded;
  return loaded;
};

/**
 * Grants KMS permissions on a key to IAM grantables.
 *
 * Every named helper (admin, decrypt, encrypt, ...) funnels into `actions()`,
 * which decides whether the permission lands in the grantee's identity
 * policy, in the key's resource policy, or in both.
 *
 * Review points that follow directly from the code below:
 *  - For a cross-account or cross-region grantee, the identity-policy
 *    statement is written against resource "*" instead of the key ARN.
 *  - When the grantee's stack depends on the key's stack, the key policy
 *    names the grantee's whole account rather than the specific principal.
 *  - When the key exposes no policy resource, only the identity policy is
 *    modified; the key policy is left untouched.
 */
class KeyGrants {
  static [JSII_RTTI_SYMBOL_1] = {
    fqn: "aws-cdk-lib.aws_kms.KeyGrants",
    version: "2.248.0",
  };

  /**
   * Builds a KeyGrants instance for a key reference.
   *
   * @param resource the key to grant on
   * @param trustAccountIdentities optional override; when nullish the
   *   constructor derives the value from a feature flag
   * @returns a new KeyGrants
   */
  static fromKey(resource, trustAccountIdentities) {
    try {
      // Generated jsii check on the argument type (presumably emits
      // deprecation warnings — defined in .warnings.jsii.js, not shown here).
      jsiiDeprecationWarnings().aws_cdk_lib_interfaces_aws_kms_IKeyRef(resource);
    } catch (err) {
      // Unless JSII_DEBUG=1, re-anchor the DeprecationError stack at this method.
      if (process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError") {
        Error.captureStackTrace(err, this.fromKey);
      }
      throw err;
    }
    return new KeyGrants({ resource, trustAccountIdentities });
  }

  resource;
  trustAccountIdentities;
  policyResource;

  /**
   * @param props object carrying `resource` and an optional
   *   `trustAccountIdentities`
   */
  constructor(props) {
    this.resource = props.resource;
    // An explicit value wins (including `false`); only null/undefined fall
    // back to the KMS_DEFAULT_KEY_POLICIES feature flag of the key's scope.
    this.trustAccountIdentities =
      props.trustAccountIdentities ??
      core_1().FeatureFlags.of(this.resource).isEnabled(cxapi().KMS_DEFAULT_KEY_POLICIES);
    // Falsy when the key has no attachable resource policy; see actions().
    this.policyResource = iam().ResourceWithPolicies.of(this.resource);
  }

  /**
   * Grants the listed KMS actions on this key to the grantee.
   *
   * @param grantee the IAM grantable receiving the permissions
   * @param actions KMS action names to allow
   * @returns the iam Grant produced by the selected strategy
   */
  actions(grantee, ...actions) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (err) {
      if (process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError") {
        Error.captureStackTrace(err, this.actions);
      }
      throw err;
    }

    // Account id of the grantee's stack when that stack depends on the key's
    // stack, otherwise undefined.
    const dependentAccount = this.granteeStackDependsOnKeyStack(grantee);
    // In the dependent-stack case the key policy trusts the whole account,
    // not the individual principal. NOTE(review): presumably this avoids a
    // circular stack dependency — confirm upstream. Effective access is then
    // bounded only by identity policies inside that account.
    const resourcePolicyPrincipal = dependentAccount
      ? new (iam().AccountPrincipal)(dependentAccount)
      : grantee.grantPrincipal;

    const isCrossAccount = this.isGranteeFromAnotherAccount(grantee);
    const isCrossRegion = this.isGranteeFromAnotherRegion(grantee);
    const isCrossEnvironment = isCrossAccount || isCrossRegion;

    if (!this.policyResource) {
      // No key policy to edit: only the grantee's identity policy is changed.
      // The key policy must already permit this principal for the grant to
      // take effect — verify at the call site.
      return iam().Grant.addToPrincipal({
        actions,
        grantee,
        resourceArns: [this.resource.keyRef.keyArn],
      });
    }

    const grantOptions = {
      grantee,
      actions,
      resource: this.policyResource,
      resourceArns: [this.resource.keyRef.keyArn],
      resourceSelfArns: isCrossEnvironment ? undefined : ["*"],
    };

    // The "principal OR resource" strategy is used only when all three hold:
    // the key is not a CfnKey, account identities are trusted, and the
    // grantee lives in the same account and region.
    const canUseEitherPolicy =
      !kms_generated_1().CfnKey.isCfnKey(this.resource) &&
      this.trustAccountIdentities &&
      !isCrossEnvironment;
    if (canUseEitherPolicy) {
      return iam().Grant.addToPrincipalOrResource(grantOptions);
    }

    // Otherwise write to both policies. For a cross-environment grantee the
    // identity-policy statement targets "*" rather than the key ARN, so the
    // key's own resource policy is what scopes the access.
    return iam().Grant.addToPrincipalAndResource({
      ...grantOptions,
      resourceArns: isCrossEnvironment ? ["*"] : [this.resource.keyRef.keyArn],
      resourcePolicyPrincipal,
    });
  }

  /**
   * Grants the actions listed in perms().ADMIN_ACTIONS (defined in
   * ./private/perms, not shown here).
   */
  admin(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (err) {
      if (process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError") {
        Error.captureStackTrace(err, this.admin);
      }
      throw err;
    }
    return this.actions(grantee, ...perms().ADMIN_ACTIONS);
  }

  /** Grants perms().DECRYPT_ACTIONS. */
  decrypt(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (err) {
      if (process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError") {
        Error.captureStackTrace(err, this.decrypt);
      }
      throw err;
    }
    return this.actions(grantee, ...perms().DECRYPT_ACTIONS);
  }

  /** Grants perms().ENCRYPT_ACTIONS. */
  encrypt(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (err) {
      if (process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError") {
        Error.captureStackTrace(err, this.encrypt);
      }
      throw err;
    }
    return this.actions(grantee, ...perms().ENCRYPT_ACTIONS);
  }

  /** Grants perms().DECRYPT_ACTIONS followed by perms().ENCRYPT_ACTIONS. */
  encryptDecrypt(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (err) {
      if (process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError") {
        Error.captureStackTrace(err, this.encryptDecrypt);
      }
      throw err;
    }
    return this.actions(grantee, ...perms().DECRYPT_ACTIONS, ...perms().ENCRYPT_ACTIONS);
  }

  /** Grants perms().SIGN_ACTIONS. */
  sign(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (err) {
      if (process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError") {
        Error.captureStackTrace(err, this.sign);
      }
      throw err;
    }
    return this.actions(grantee, ...perms().SIGN_ACTIONS);
  }

  /** Grants perms().VERIFY_ACTIONS. */
  verify(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (err) {
      if (process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError") {
        Error.captureStackTrace(err, this.verify);
      }
      throw err;
    }
    return this.actions(grantee, ...perms().VERIFY_ACTIONS);
  }

  /** Grants perms().SIGN_ACTIONS followed by perms().VERIFY_ACTIONS. */
  signVerify(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (err) {
      if (process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError") {
        Error.captureStackTrace(err, this.signVerify);
      }
      throw err;
    }
    return this.actions(grantee, ...perms().SIGN_ACTIONS, ...perms().VERIFY_ACTIONS);
  }

  /** Grants perms().GENERATE_HMAC_ACTIONS. */
  generateMac(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (err) {
      if (process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError") {
        Error.captureStackTrace(err, this.generateMac);
      }
      throw err;
    }
    return this.actions(grantee, ...perms().GENERATE_HMAC_ACTIONS);
  }

  /** Grants perms().VERIFY_HMAC_ACTIONS. */
  verifyMac(grantee) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee);
    } catch (err) {
      if (process.env.JSII_DEBUG !== "1" && err.name === "DeprecationError") {
        Error.captureStackTrace(err, this.verifyMac);
      }
      throw err;
    }
    return this.actions(grantee, ...perms().VERIFY_HMAC_ACTIONS);
  }

  /**
   * Reports whether the grantee's stack depends on the key's stack.
   *
   * @returns the grantee stack's account when the principal is an owned
   *   resource in a different stack that lists the key's stack among its
   *   dependencies; undefined in every other case
   */
  granteeStackDependsOnKeyStack(grantee) {
    const principal = grantee.grantPrincipal;
    if (!iam().principalIsOwnedResource(principal)) {
      return undefined;
    }
    const keyStack = core_1().Stack.of(this.resource);
    const granteeStack = core_1().Stack.of(principal);
    if (keyStack === granteeStack) {
      return undefined;
    }
    return granteeStack.dependencies.includes(keyStack) ? granteeStack.account : undefined;
  }

  /**
   * Reports whether the grantee lives in a different region than the key.
   *
   * Principals that are not owned resources are always treated as same-region.
   * With KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE enabled, the key's own
   * `env.region` must differ from the grantee's stack as well.
   */
  isGranteeFromAnotherRegion(grantee) {
    if (!iam().principalIsOwnedResource(grantee.grantPrincipal)) {
      return false;
    }
    const keyStack = core_1().Stack.of(this.resource);
    const identityStack = core_1().Stack.of(grantee.grantPrincipal);
    const reducedScope = core_1()
      .FeatureFlags.of(this.resource)
      .isEnabled(cxapi().KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE);
    if (reducedScope) {
      return (
        keyStack.region !== identityStack.region &&
        this.resource.env.region !== identityStack.region
      );
    }
    return keyStack.region !== identityStack.region;
  }

  /**
   * Reports whether the grantee lives in a different account than the key.
   *
   * Principals that are not owned resources are always treated as
   * same-account here, so the cross-environment handling in actions() is not
   * applied to them. With KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE
   * enabled, the key's own `env.account` must differ from the grantee's
   * stack as well.
   */
  isGranteeFromAnotherAccount(grantee) {
    if (!iam().principalIsOwnedResource(grantee.grantPrincipal)) {
      return false;
    }
    const keyStack = core_1().Stack.of(this.resource);
    const identityStack = core_1().Stack.of(grantee.grantPrincipal);
    const reducedScope = core_1()
      .FeatureFlags.of(this.resource)
      .isEnabled(cxapi().KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE);
    if (reducedScope) {
      return (
        keyStack.account !== identityStack.account &&
        this.resource.env.account !== identityStack.account
      );
    }
    return keyStack.account !== identityStack.account;
  }
}

exports.KeyGrants = KeyGrants;