Object.defineProperty(exports, "__esModule", { value: true });
// Declare the export keys up front (same insertion order as the compiled
// original) so `Object.keys(exports)` is stable before the values are set.
exports.TOKEN_VAULT_API_KEY_PARENT_RESOURCES = undefined;
exports.TOKEN_VAULT_OAUTH2_PARENT_RESOURCES = undefined;
exports.WORKLOAD_IDENTITY_PARENT_RESOURCES = undefined;
exports.WORKLOAD_IDENTITY_USE_RESOURCES = undefined;
exports.buildIdentityResourceArns = buildIdentityResourceArns;
exports.grantReadWithList = grantReadWithList;
exports.grantCredentialSecret = grantCredentialSecret;

// Lazily loaded, memoised peer modules: `require` runs on the first call
// only, so loading this file does not pull in aws-iam / core eagerly.
let iamModule;
const iam = () => {
  if (iamModule === undefined) {
    iamModule = require("../../../aws-iam");
  }
  return iamModule;
};
let coreModule;
const core_1 = () => {
  if (coreModule === undefined) {
    coreModule = require("../../../core");
  }
  return coreModule;
};

// Parent resources that must accompany a grant on an API-key credential
// provider. Note that `token-vault/default` is the whole default vault, not a
// single provider — any grant built from this list spans the vault.
exports.TOKEN_VAULT_API_KEY_PARENT_RESOURCES = [
  "token-vault/default",
  "token-vault/default/apikeycredentialprovider",
];
// Parent resources that must accompany a grant on an OAuth2 credential
// provider (same vault-wide caveat as above).
exports.TOKEN_VAULT_OAUTH2_PARENT_RESOURCES = [
  "token-vault/default",
  "token-vault/default/oauth2credentialprovider",
];
// Parent resources for managing workload identities in the default directory.
exports.WORKLOAD_IDENTITY_PARENT_RESOURCES = [
  "workload-identity-directory/default",
  "workload-identity-directory/default/workload-identity",
];
// Resources for *using* workload identities. The trailing `/*` covers every
// workload identity in the default directory, so a grant built from this
// list is not scoped to one identity — reviewers should expect that breadth.
exports.WORKLOAD_IDENTITY_USE_RESOURCES = [
  "workload-identity-directory/default",
  "workload-identity-directory/default/workload-identity/*",
];

/**
 * Build the resource ARN list for an identity grant: the instance ARN itself
 * followed by one ARN per parent resource, formatted for the
 * `bedrock-agentcore` service in the account/region of `scope`'s stack.
 *
 * @param {import('constructs').IConstruct} scope - Construct used to locate the stack (via `Stack.of`).
 * @param {string} instanceArn - ARN of the specific resource; emitted first, unchanged.
 * @param {string[]} parentResources - Resource strings (see the exported
 *   `*_PARENT_RESOURCES` / `*_USE_RESOURCES` constants) turned into ARNs with
 *   `ArnFormat.NO_RESOURCE_NAME`.
 * @returns {string[]} `[instanceArn, ...parentArns]`.
 */
function buildIdentityResourceArns(scope, instanceArn, parentResources) {
  const stack = core_1().Stack.of(scope);
  const toParentArn = (resource) =>
    stack.formatArn({
      service: "bedrock-agentcore",
      resource,
      arnFormat: core_1().ArnFormat.NO_RESOURCE_NAME,
    });
  const parentArns = parentResources.map(toParentArn);
  return [instanceArn, ...parentArns];
}

/**
 * Grant `grantee` the read actions plus the list actions on the resource and
 * its parent resources (see `buildIdentityResourceArns`). Because the list
 * actions and the parent ARNs are both included, the resulting statement is
 * wider than the single `resourceArn` — it covers the parent container(s).
 *
 * @param {import('constructs').IConstruct} scope - Construct used to locate the stack.
 * @param {import('../../../aws-iam').IGrantable} grantee - Principal receiving the permissions.
 * @param {string} resourceArn - ARN of the specific resource.
 * @param {string[]} resourceReadActions - Actions on the resource itself.
 * @param {string[]} listActions - List actions, which need the parent resources.
 * @param {string[]} parentResources - Parent resource strings for the ARN list.
 * @returns {import('../../../aws-iam').Grant} The grant added to the principal.
 */
function grantReadWithList(scope, grantee, resourceArn, resourceReadActions, listActions, parentResources) {
  // Resolve the iam module first so the lazy-require order matches the original.
  const { Grant } = iam();
  const actions = [...resourceReadActions, ...listActions];
  const resourceArns = buildIdentityResourceArns(scope, resourceArn, parentResources);
  return Grant.addToPrincipal({ grantee, actions, resourceArns });
}

/**
 * Grant `secretActions` on the Secrets Manager secret backing a credential
 * provider.
 *
 * - If `secretArn` is null/undefined/empty, nothing is granted and
 *   `undefined` is returned.
 * - If `secretArn` is a concrete string it is used as the resource ARN as-is
 *   (it is not validated here).
 * - If `secretArn` is an unresolved token, the exact ARN is not known at
 *   synth time, so the grant falls back to a wildcard resource covering every
 *   secret in the stack's account/region whose name starts with
 *   `bedrock-agentcore-identity!`. This is broader than least privilege; a
 *   warning annotation is attached to `scope` so it shows up at synth, and
 *   the recommended fix is to import the provider with an explicit secretArn.
 *
 * @param {import('constructs').IConstruct} scope - Construct used for the stack and the warning.
 * @param {import('../../../aws-iam').IGrantable} grantee - Principal receiving the permissions.
 * @param {string | undefined} secretArn - Secret ARN, possibly an unresolved token or absent.
 * @param {string[]} secretActions - Secrets Manager actions to grant.
 * @returns {import('../../../aws-iam').Grant | undefined} The grant, or `undefined` when no secret ARN was given.
 */
function grantCredentialSecret(scope, grantee, secretArn, secretActions) {
  if (secretArn == null || secretArn === "") {
    return undefined;
  }
  const core = core_1();
  let secretResourceArns;
  if (core.Token.isUnresolved(secretArn)) {
    core.Annotations.of(scope).addWarningV2(
      "aws-cdk-lib.aws-bedrockagentcore:wildcardSecretArnGrant",
      `The secret ARN is an unresolved token. Granting access using a wildcard prefix (bedrock-agentcore-identity!*). 
To scope the grant to a specific secret, import the credential provider with an explicit secretArn.`,
    );
    // Wildcard fallback: matches every secret named `bedrock-agentcore-identity!…`
    // in this stack's account/region.
    secretResourceArns = [
      core.Stack.of(scope).formatArn({
        service: "secretsmanager",
        resource: "secret",
        resourceName: "bedrock-agentcore-identity!*",
        arnFormat: core.ArnFormat.COLON_RESOURCE_NAME,
      }),
    ];
  } else {
    secretResourceArns = [secretArn];
  }
  return iam().Grant.addToPrincipal({
    grantee,
    actions: secretActions,
    resourceArns: secretResourceArns,
  });
}