aws-cdk-lib/aws-bedrockagentcore/lib/identity/grant-helpers.js

Version 2 of the AWS Cloud Development Kit library

"use strict";var __createBinding=exports&&exports.__createBinding||(Object.create?(function(o,m,k,k2){k2===void 0&&(k2=k);var desc=Object.getOwnPropertyDescriptor(m,k);(!desc||("get"in desc?!m.__esModule:desc.writable||desc.configurable))&&(desc={enumerable:!0,get:function(){return m[k]}}),Object.defineProperty(o,k2,desc)}):(function(o,m,k,k2){k2===void 0&&(k2=k),o[k2]=m[k]})),__setModuleDefault=exports&&exports.__setModuleDefault||(Object.create?(function(o,v){Object.defineProperty(o,"default",{enumerable:!0,value:v})}):function(o,v){o.default=v}),__importStar=exports&&exports.__importStar||(function(){var ownKeys=function(o){return ownKeys=Object.getOwnPropertyNames||function(o2){var ar=[];for(var k in o2)Object.prototype.hasOwnProperty.call(o2,k)&&(ar[ar.length]=k);return ar},ownKeys(o)};return function(mod){if(mod&&mod.__esModule)return mod;var result={};if(mod!=null)for(var k=ownKeys(mod),i=0;i<k.length;i++)k[i]!=="default"&&__createBinding(result,mod,k[i]);return __setModuleDefault(result,mod),result}})();Object.defineProperty(exports,"__esModule",{value:!0}),exports.WORKLOAD_IDENTITY_USE_RESOURCES=exports.WORKLOAD_IDENTITY_PARENT_RESOURCES=exports.TOKEN_VAULT_OAUTH2_PARENT_RESOURCES=exports.TOKEN_VAULT_API_KEY_PARENT_RESOURCES=void 0,exports.buildIdentityResourceArns=buildIdentityResourceArns,exports.grantReadWithList=grantReadWithList,exports.grantCredentialSecret=grantCredentialSecret;var iam=()=>{var tmp=__importStar(require("../../../aws-iam"));return iam=()=>tmp,tmp},core_1=()=>{var tmp=require("../../../core");return core_1=()=>tmp,tmp};exports.TOKEN_VAULT_API_KEY_PARENT_RESOURCES=["token-vault/default","token-vault/default/apikeycredentialprovider"],exports.TOKEN_VAULT_OAUTH2_PARENT_RESOURCES=["token-vault/default","token-vault/default/oauth2credentialprovider"],exports.WORKLOAD_IDENTITY_PARENT_RESOURCES=["workload-identity-directory/default","workload-identity-directory/default/workload-identity"],exports.WORKLOAD_IDENTITY_USE_RESOURCES=["workload-identity-directory/default","workload-identity-directory/default/workload-identity/*"];function buildIdentityResourceArns(scope,instanceArn,parentResources){const stack=core_1().Stack.of(scope),parentArns=parentResources.map(resource=>stack.formatArn({service:"bedrock-agentcore",resource,arnFormat:core_1().ArnFormat.NO_RESOURCE_NAME}));return[instanceArn,...parentArns]}function grantReadWithList(scope,grantee,resourceArn,resourceReadActions,listActions,parentResources){return iam().Grant.addToPrincipal({grantee,actions:[...resourceReadActions,...listActions],resourceArns:buildIdentityResourceArns(scope,resourceArn,parentResources)})}function grantCredentialSecret(scope,grantee,secretArn,secretActions){if(secretArn==null||secretArn==="")return;let secretResourceArns;return core_1().Token.isUnresolved(secretArn)?(core_1().Annotations.of(scope).addWarningV2("aws-cdk-lib.aws-bedrockagentcore:wildcardSecretArnGrant","The secret ARN is an unresolved token. Granting access using a wildcard prefix (bedrock-agentcore-identity!*). To scope the grant to a specific secret, import the credential provider with an explicit secretArn."),secretResourceArns=[core_1().Stack.of(scope).formatArn({service:"secretsmanager",resource:"secret",resourceName:"bedrock-agentcore-identity!*",arnFormat:core_1().ArnFormat.COLON_RESOURCE_NAME})]):secretResourceArns=[secretArn],iam().Grant.addToPrincipal({grantee,actions:secretActions,resourceArns:secretResourceArns})}