aws-cdk-lib/aws-kms/lib/key-grants.js

Version 2 of the AWS Cloud Development Kit library

"use strict";var __createBinding=exports&&exports.__createBinding||(Object.create?(function(o,m,k,k2){k2===void 0&&(k2=k);var desc=Object.getOwnPropertyDescriptor(m,k);(!desc||("get"in desc?!m.__esModule:desc.writable||desc.configurable))&&(desc={enumerable:!0,get:function(){return m[k]}}),Object.defineProperty(o,k2,desc)}):(function(o,m,k,k2){k2===void 0&&(k2=k),o[k2]=m[k]})),__setModuleDefault=exports&&exports.__setModuleDefault||(Object.create?(function(o,v){Object.defineProperty(o,"default",{enumerable:!0,value:v})}):function(o,v){o.default=v}),__importStar=exports&&exports.__importStar||(function(){var ownKeys=function(o){return ownKeys=Object.getOwnPropertyNames||function(o2){var ar=[];for(var k in o2)Object.prototype.hasOwnProperty.call(o2,k)&&(ar[ar.length]=k);return ar},ownKeys(o)};return function(mod){if(mod&&mod.__esModule)return mod;var result={};if(mod!=null)for(var k=ownKeys(mod),i=0;i<k.length;i++)k[i]!=="default"&&__createBinding(result,mod,k[i]);return __setModuleDefault(result,mod),result}})();Object.defineProperty(exports,"__esModule",{value:!0}),exports.KeyGrants=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var kms_generated_1=()=>{var tmp=require("./kms.generated");return kms_generated_1=()=>tmp,tmp},perms=()=>{var tmp=__importStar(require("./private/perms"));return perms=()=>tmp,tmp},iam=()=>{var tmp=__importStar(require("../../aws-iam"));return iam=()=>tmp,tmp},core_1=()=>{var tmp=require("../../core");return core_1=()=>tmp,tmp},cxapi=()=>{var tmp=__importStar(require("../../cx-api"));return cxapi=()=>tmp,tmp};class KeyGrants{static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_kms.KeyGrants",version:"2.259.0"};static fromKey(resource,trustAccountIdentities){try{jsiiDeprecationWarnings().aws_cdk_lib_interfaces_aws_kms_IKeyRef(resource)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.fromKey),error}return new KeyGrants({resource,trustAccountIdentities})}resource;trustAccountIdentities;policyResource;constructor(props){this.resource=props.resource,this.trustAccountIdentities=props.trustAccountIdentities??core_1().FeatureFlags.of(this.resource).isEnabled(cxapi().KMS_DEFAULT_KEY_POLICIES),this.policyResource=iam().ResourceWithPolicies.of(this.resource)}actions(grantee,...actions){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.actions),error}const granteeStackDependsOnKeyStack=this.granteeStackDependsOnKeyStack(grantee),principal=granteeStackDependsOnKeyStack?new(iam()).AccountPrincipal(granteeStackDependsOnKeyStack):grantee.grantPrincipal,crossAccountAccess=this.isGranteeFromAnotherAccount(grantee),crossRegionAccess=this.isGranteeFromAnotherRegion(grantee),crossEnvironment=crossAccountAccess||crossRegionAccess;if(this.policyResource){const grantOptions={grantee,actions,resource:this.policyResource,resourceArns:[this.resource.keyRef.keyArn],resourceSelfArns:crossEnvironment?void 0:["*"]};return!kms_generated_1().CfnKey.isCfnKey(this.resource)&&this.trustAccountIdentities&&!crossEnvironment?iam().Grant.addToPrincipalOrResource(grantOptions):iam().Grant.addToPrincipalAndResource({...grantOptions,resourceArns:crossEnvironment?["*"]:[this.resource.keyRef.keyArn],resourcePolicyPrincipal:principal})}else return iam().Grant.addToPrincipal({actions,grantee,resourceArns:[this.resource.keyRef.keyArn]})}admin(grantee){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.admin),error}return this.actions(grantee,...perms().ADMIN_ACTIONS)}decrypt(grantee){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.decrypt),error}return this.actions(grantee,...perms().DECRYPT_ACTIONS)}encrypt(grantee){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.encrypt),error}return this.actions(grantee,...perms().ENCRYPT_ACTIONS)}encryptDecrypt(grantee){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.encryptDecrypt),error}return this.actions(grantee,...perms().DECRYPT_ACTIONS,...perms().ENCRYPT_ACTIONS)}sign(grantee){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.sign),error}return this.actions(grantee,...perms().SIGN_ACTIONS)}verify(grantee){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.verify),error}return this.actions(grantee,...perms().VERIFY_ACTIONS)}signVerify(grantee){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.signVerify),error}return this.actions(grantee,...perms().SIGN_ACTIONS,...perms().VERIFY_ACTIONS)}generateMac(grantee){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.generateMac),error}return this.actions(grantee,...perms().GENERATE_HMAC_ACTIONS)}verifyMac(grantee){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_iam_IGrantable(grantee)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.verifyMac),error}return this.actions(grantee,...perms().VERIFY_HMAC_ACTIONS)}granteeStackDependsOnKeyStack(grantee){const grantPrincipal=grantee.grantPrincipal;if(!iam().principalIsOwnedResource(grantPrincipal))return;const keyStack=core_1().Stack.of(this.resource),granteeStack=core_1().Stack.of(grantPrincipal);if(keyStack!==granteeStack)return granteeStack.dependencies.includes(keyStack)?granteeStack.account:void 0}isGranteeFromAnotherRegion(grantee){if(!iam().principalIsOwnedResource(grantee.grantPrincipal))return!1;const keyStack=core_1().Stack.of(this.resource),identityStack=core_1().Stack.of(grantee.grantPrincipal);return core_1().FeatureFlags.of(this.resource).isEnabled(cxapi().KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE)?keyStack.region!==identityStack.region&&this.resource.env.region!==identityStack.region:keyStack.region!==identityStack.region}isGranteeFromAnotherAccount(grantee){if(!iam().principalIsOwnedResource(grantee.grantPrincipal))return!1;const keyStack=core_1().Stack.of(this.resource),identityStack=core_1().Stack.of(grantee.grantPrincipal);return core_1().FeatureFlags.of(this.resource).isEnabled(cxapi().KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE)?keyStack.account!==identityStack.account&&this.resource.env.account!==identityStack.account:keyStack.account!==identityStack.account}}exports.KeyGrants=KeyGrants;