cdk-iam-floyd
AWS IAM policy statement generator with fluent interface for AWS CDK
import { AccessLevelList } from '../../shared/access-level';
import { PolicyStatement, Operator } from '../../shared';
import { aws_iam as iam } from "aws-cdk-lib";
/**
* Statement provider for service [sso](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycenter.html), the IAM action prefix of AWS IAM Identity Center.
*
* @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement
*/
export declare class Sso extends PolicyStatement {
servicePrefix: string;
/**
 * Grants permission to connect a directory to be used by AWS IAM Identity Center
 *
 * Access Level: Write
 *
 * Dependent actions:
 * - ds:AuthorizeApplication
 *
 * NOTE(review): the dependent action belongs to another service prefix (`ds`). Nothing in
 * this declaration shows it being added to the statement, so assume it has to be granted
 * separately - confirm against the implementation.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
 */
toAssociateDirectory(): this;
/**
* Grants permission to create an association between a directory user or group and a profile
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toAssociateProfile(): this;
/**
 * Grants permission to attach a customer managed policy reference to a permission set
 *
 * Access Level: Permissions management
 *
 * The action changes which policies a permission set carries. This method takes no
 * arguments; resources are added to the statement separately through the on*() methods
 * of this class. The resource types the action accepts are listed in the linked
 * reference, not in this file.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AttachCustomerManagedPolicyReferenceToPermissionSet.html
 */
toAttachCustomerManagedPolicyReferenceToPermissionSet(): this;
/**
 * Grants permission to attach an AWS managed policy to a permission set
 *
 * Access Level: Permissions management
 *
 * The action changes which policies a permission set carries. This method takes no
 * arguments; resources are added to the statement separately through the on*() methods
 * of this class. The resource types the action accepts are listed in the linked
 * reference, not in this file.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AttachManagedPolicyToPermissionSet.html
 */
toAttachManagedPolicyToPermissionSet(): this;
/**
 * Grants permission to assign access to a Principal for a specified AWS account using a specified permission set
 *
 * Access Level: Write
 *
 * NOTE(review): although listed as Write, the action described here gives a principal
 * access to an AWS account. Review grants of it as you would a permissions-management
 * action. This method takes no arguments; resources are added to the statement
 * separately through the on*() methods of this class. The resource types the action
 * accepts are listed in the linked reference, not in this file.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateAccountAssignment.html
 */
toCreateAccountAssignment(): this;
/**
* Grants permission to create an application
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateApplication.html
*/
toCreateApplication(): this;
/**
* Grants permission to create an application assignment
*
* Access Level: Write
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateApplicationAssignment.html
*/
toCreateApplicationAssignment(): this;
/**
* Grants permission to add an application instance to AWS IAM Identity Center
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toCreateApplicationInstance(): this;
/**
* Grants permission to add a new certificate for an application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toCreateApplicationInstanceCertificate(): this;
/**
 * Grants permission to create an identity center instance
 *
 * Access Level: Write
 *
 * Possible conditions:
 * - .ifAwsRequestTag()
 * - .ifAwsTagKeys()
 *
 * Dependent actions:
 * - iam:CreateServiceLinkedRole
 * - organizations:DescribeOrganization
 *
 * NOTE(review): the dependent actions belong to other service prefixes (`iam`,
 * `organizations`). Nothing in this declaration shows them being added to the statement,
 * so assume they have to be granted separately - confirm against the implementation.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateInstance.html
 */
toCreateInstance(): this;
/**
 * Grants permission to enable the instance for ABAC and specify the attributes
 *
 * Access Level: Write
 *
 * Dependent actions:
 * - iam:AttachRolePolicy
 * - iam:CreateRole
 * - iam:DeleteRole
 * - iam:DeleteRolePolicy
 * - iam:DetachRolePolicy
 * - iam:GetRole
 * - iam:ListAttachedRolePolicies
 * - iam:ListRolePolicies
 * - iam:PutRolePolicy
 * - iam:UpdateAssumeRolePolicy
 *
 * NOTE(review): the dependent list includes IAM actions that create roles and rewrite
 * role policies and trust policies. Nothing in this declaration shows them being added
 * to the statement, so assume they have to be granted separately - confirm against the
 * implementation. If they are granted, restrict that statement to the roles involved.
 * This file does not say which roles those are; see the linked reference.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateInstanceAccessControlAttributeConfiguration.html
 */
toCreateInstanceAccessControlAttributeConfiguration(): this;
/**
* Grants permission to add a managed application instance to AWS IAM Identity Center
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toCreateManagedApplicationInstance(): this;
/**
* Grants permission to create a permission set
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreatePermissionSet.html
*/
toCreatePermissionSet(): this;
/**
* Grants permission to create a profile for an application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toCreateProfile(): this;
/**
* Grants permission to create a federation trust in a target account
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toCreateTrust(): this;
/**
* Grants permission to create a trusted token issuer for an instance
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateTrustedTokenIssuer.html
*/
toCreateTrustedTokenIssuer(): this;
/**
* Grants permission to delete a Principal's access from a specified AWS account using a specified permission set
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteAccountAssignment.html
*/
toDeleteAccountAssignment(): this;
/**
* Grants permission to delete an application
*
* Access Level: Write
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplication.html
*/
toDeleteApplication(): this;
/**
* Grants permission to delete an access scope to an application
*
* Access Level: Write
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAccessScope.html
*/
toDeleteApplicationAccessScope(): this;
/**
* Grants permission to delete an application assignment
*
* Access Level: Write
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAssignment.html
*/
toDeleteApplicationAssignment(): this;
/**
* Grants permission to delete an authentication method to an application
*
* Access Level: Write
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationAuthenticationMethod.html
*/
toDeleteApplicationAuthenticationMethod(): this;
/**
* Grants permission to delete a grant from an application
*
* Access Level: Write
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteApplicationGrant.html
*/
toDeleteApplicationGrant(): this;
/**
* Grants permission to delete the application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toDeleteApplicationInstance(): this;
/**
* Grants permission to delete an inactive or expired certificate from the application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toDeleteApplicationInstanceCertificate(): this;
/**
 * Grants permission to delete the inline policy from a specified permission set
 *
 * Access Level: Write
 *
 * NOTE(review): listed as Write, while the attach/detach actions for managed policies on
 * a permission set (for example toDetachManagedPolicyFromPermissionSet()) are listed as
 * Permissions management. This action also changes the policy content of a permission
 * set, so it deserves the same level of review.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInlinePolicyFromPermissionSet.html
 */
toDeleteInlinePolicyFromPermissionSet(): this;
/**
* Grants permission to delete an identity center instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInstance.html
*/
toDeleteInstance(): this;
/**
* Grants permission to disable ABAC and remove the attributes list for the instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteInstanceAccessControlAttributeConfiguration.html
*/
toDeleteInstanceAccessControlAttributeConfiguration(): this;
/**
* Grants permission to delete the managed application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toDeleteManagedApplicationInstance(): this;
/**
* Grants permission to delete a permission set
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeletePermissionSet.html
*/
toDeletePermissionSet(): this;
/**
 * Grants permission to remove permissions boundary from a permission set
 *
 * Access Level: Permissions management
 *
 * NOTE(review): in IAM a permissions boundary caps the permissions an identity can have.
 * Removing it from a permission set presumably lifts that cap - confirm against the
 * linked reference before granting this without a resource restriction.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeletePermissionsBoundaryFromPermissionSet.html
 */
toDeletePermissionsBoundaryFromPermissionSet(): this;
/**
* Grants permission to delete the permission policy associated with a permission set
*
* Access Level: Permissions management
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toDeletePermissionsPolicy(): this;
/**
* Grants permission to delete the profile for an application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toDeleteProfile(): this;
/**
* Grants permission to delete a trusted token issuer for an instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DeleteTrustedTokenIssuer.html
*/
toDeleteTrustedTokenIssuer(): this;
/**
* Grants permission to describe the status of the assignment creation request
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeAccountAssignmentCreationStatus.html
*/
toDescribeAccountAssignmentCreationStatus(): this;
/**
* Grants permission to describe the status of an assignment deletion request
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeAccountAssignmentDeletionStatus.html
*/
toDescribeAccountAssignmentDeletionStatus(): this;
/**
* Grants permission to obtain information about an application
*
* Access Level: Read
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplication.html
*/
toDescribeApplication(): this;
/**
* Grants permission to retrieve an application assignment
*
* Access Level: Read
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplicationAssignment.html
*/
toDescribeApplicationAssignment(): this;
/**
* Grants permission to describe an application provider
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeApplicationProvider.html
*/
toDescribeApplicationProvider(): this;
/**
* Grants permission to obtain information about the directories for this account
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toDescribeDirectories(): this;
/**
* Grants permission to obtain information about an identity center instance
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeInstance.html
*/
toDescribeInstance(): this;
/**
* Grants permission to get the list of attributes used by the instance for ABAC
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeInstanceAccessControlAttributeConfiguration.html
*/
toDescribeInstanceAccessControlAttributeConfiguration(): this;
/**
* Grants permission to describe a permission set
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribePermissionSet.html
*/
toDescribePermissionSet(): this;
/**
* Grants permission to describe the status for the given Permission Set Provisioning request
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribePermissionSetProvisioningStatus.html
*/
toDescribePermissionSetProvisioningStatus(): this;
/**
* Grants permission to retrieve all the permissions policies associated with a permission set
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toDescribePermissionsPolicies(): this;
/**
* Grants permission to obtain the regions where your organization has enabled AWS IAM Identity Center
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toDescribeRegisteredRegions(): this;
/**
* Grants permission to describe a trusted token issuer for an instance
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeTrustedTokenIssuer.html
*/
toDescribeTrustedTokenIssuer(): this;
/**
* Grants permission to obtain information about the trust relationships for this account
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toDescribeTrusts(): this;
/**
* Grants permission to detach a customer managed policy reference from a permission set
*
* Access Level: Permissions management
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DetachCustomerManagedPolicyReferenceFromPermissionSet.html
*/
toDetachCustomerManagedPolicyReferenceFromPermissionSet(): this;
/**
* Grants permission to detach the attached AWS managed policy from the specified permission set
*
* Access Level: Permissions management
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DetachManagedPolicyFromPermissionSet.html
*/
toDetachManagedPolicyFromPermissionSet(): this;
/**
* Grants permission to disassociate a directory to be used by AWS IAM Identity Center
*
* Access Level: Write
*
* Dependent actions:
* - ds:UnauthorizeApplication
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toDisassociateDirectory(): this;
/**
* Grants permission to disassociate a directory user or group from a profile
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toDisassociateProfile(): this;
/**
* Grants permission to get an access scope to an application
*
* Access Level: Read
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAccessScope.html
*/
toGetApplicationAccessScope(): this;
/**
* Grants permission to read assignment configurations for an application
*
* Access Level: Read
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAssignmentConfiguration.html
*/
toGetApplicationAssignmentConfiguration(): this;
/**
* Grants permission to get an authentication method to an application
*
* Access Level: Read
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationAuthenticationMethod.html
*/
toGetApplicationAuthenticationMethod(): this;
/**
* Grants permission to obtain details about a grant belonging to an application
*
* Access Level: Read
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetApplicationGrant.html
*/
toGetApplicationGrant(): this;
/**
* Grants permission to retrieve details for an application instance
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toGetApplicationInstance(): this;
/**
* Grants permission to retrieve application template details
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toGetApplicationTemplate(): this;
/**
* Grants permission to obtain the inline policy assigned to the permission set
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetInlinePolicyForPermissionSet.html
*/
toGetInlinePolicyForPermissionSet(): this;
/**
 * Grants permission to retrieve details for an application instance
 *
 * NOTE(review): the sentence above is word-for-word the description of
 * toGetApplicationInstance(). Going by the method name, this action presumably concerns
 * a managed application instance - confirm against the linked user guide.
 *
 * Access Level: Read
 *
 * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
 */
toGetManagedApplicationInstance(): this;
/**
 * Grants permission to retrieve MFA device management settings for the directory
 *
 * Access Level: Read
 *
 * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
 */
toGetMfaDeviceManagementForDirectory(): this;
/**
* Grants permission to retrieve details of a permission set
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toGetPermissionSet(): this;
/**
* Grants permission to get permissions boundary for a permission set
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_GetPermissionsBoundaryForPermissionSet.html
*/
toGetPermissionsBoundaryForPermissionSet(): this;
/**
 * Grants permission to retrieve all permission policies associated with a permission set
 *
 * Access Level: Read
 *
 * Dependent actions:
 * - sso:DescribePermissionsPolicies
 *
 * The dependent action has its own method on this class, toDescribePermissionsPolicies().
 * NOTE(review): nothing in this declaration shows the dependent action being added to the
 * statement automatically - confirm against the implementation.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
 */
toGetPermissionsPolicy(): this;
/**
* Grants permission to retrieve a profile for an application instance
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toGetProfile(): this;
/**
* Grants permission to check if AWS IAM Identity Center is enabled
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toGetSSOStatus(): this;
/**
* Grants permission to retrieve shared configuration for the current SSO instance
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toGetSharedSsoConfiguration(): this;
/**
* Grants permission to retrieve configuration for the current SSO instance
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toGetSsoConfiguration(): this;
/**
* Grants permission to retrieve the federation trust in a target account
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toGetTrust(): this;
/**
* Grants permission to update the application instance by uploading an application SAML metadata file provided by the service provider
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toImportApplicationInstanceServiceProviderMetadata(): this;
/**
* Grants permission to list the status of the AWS account assignment creation requests for a specified SSO instance
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentCreationStatus.html
*/
toListAccountAssignmentCreationStatus(): this;
/**
* Grants permission to list the status of the AWS account assignment deletion requests for a specified SSO instance
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentDeletionStatus.html
*/
toListAccountAssignmentDeletionStatus(): this;
/**
* Grants permission to list the assignee of the specified AWS account with the specified permission set
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignments.html
*/
toListAccountAssignments(): this;
/**
* Grants permission to list accounts assigned to user or group
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountAssignmentsForPrincipal.html
*/
toListAccountAssignmentsForPrincipal(): this;
/**
* Grants permission to list all the AWS accounts where the specified permission set is provisioned
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListAccountsForProvisionedPermissionSet.html
*/
toListAccountsForProvisionedPermissionSet(): this;
/**
* Grants permission to list access scopes to an application
*
* Access Level: List
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAccessScopes.html
*/
toListApplicationAccessScopes(): this;
/**
* Grants permission to list application assignments
*
* Access Level: List
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAssignments.html
*/
toListApplicationAssignments(): this;
/**
* Grants permission to list applications assigned to user or group
*
* Access Level: List
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAssignmentsForPrincipal.html
*/
toListApplicationAssignmentsForPrincipal(): this;
/**
* Grants permission to list authentication methods to an application
*
* Access Level: List
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationAuthenticationMethods.html
*/
toListApplicationAuthenticationMethods(): this;
/**
* Grants permission to list grants from an application
*
* Access Level: List
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationGrants.html
*/
toListApplicationGrants(): this;
/**
* Grants permission to retrieve all of the certificates for a given application instance
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toListApplicationInstanceCertificates(): this;
/**
* Grants permission to retrieve all application instances
*
* Access Level: List
*
* Dependent actions:
* - sso:GetApplicationInstance
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toListApplicationInstances(): this;
/**
* Grants permission to list application providers
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplicationProviders.html
*/
toListApplicationProviders(): this;
/**
* Grants permission to retrieve all supported application templates
*
* Access Level: List
*
* Dependent actions:
* - sso:GetApplicationTemplate
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toListApplicationTemplates(): this;
/**
* Grants permission to retrieve all applications associated with the instance of IAM Identity Center
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListApplications.html
*/
toListApplications(): this;
/**
* Grants permission to list the customer managed policy references that are attached to a permission set
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListCustomerManagedPolicyReferencesInPermissionSet.html
*/
toListCustomerManagedPolicyReferencesInPermissionSet(): this;
/**
* Grants permission to retrieve details about the directory connected to AWS IAM Identity Center
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toListDirectoryAssociations(): this;
/**
* Grants permission to list the SSO Instances that the caller has access to
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListInstances.html
*/
toListInstances(): this;
/**
* Grants permission to list the AWS managed policies that are attached to a specified permission set
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListManagedPoliciesInPermissionSet.html
*/
toListManagedPoliciesInPermissionSet(): this;
/**
* Grants permission to list the status of the Permission Set Provisioning requests for a specified SSO instance
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSetProvisioningStatus.html
*/
toListPermissionSetProvisioningStatus(): this;
/**
* Grants permission to retrieve all permission sets
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSets.html
*/
toListPermissionSets(): this;
/**
* Grants permission to list all the permission sets that are provisioned to a specified AWS account
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListPermissionSetsProvisionedToAccount.html
*/
toListPermissionSetsProvisionedToAccount(): this;
/**
* Grants permission to retrieve the directory user or group associated with the profile
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toListProfileAssociations(): this;
/**
* Grants permission to retrieve all profiles for an application instance
*
* Access Level: List
*
* Dependent actions:
* - sso:GetProfile
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toListProfiles(): this;
/**
* Grants permission to list the tags that are attached to a specified resource
*
* Access Level: Read
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListTagsForResource.html
*/
toListTagsForResource(): this;
/**
* Grants permission to list trusted token issuers for an instance
*
* Access Level: List
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListTrustedTokenIssuers.html
*/
toListTrustedTokenIssuers(): this;
/**
 * Grants permission to provision a specified permission set to the specified target
 *
 * Access Level: Write
 *
 * NOTE(review): the description does not say what "the specified target" can be. Check
 * the linked API reference before granting this action without a resource restriction.
 * Resources are added to the statement through the on*() methods of this class.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ProvisionPermissionSet.html
 */
toProvisionPermissionSet(): this;
/**
* Grants permission to create/update an access scope to an application
*
* Access Level: Write
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAccessScope.html
*/
toPutApplicationAccessScope(): this;
/**
* Grants permission to add assignment configurations to an application
*
* Access Level: Write
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAssignmentConfiguration.html
*/
toPutApplicationAssignmentConfiguration(): this;
/**
* Grants permission to create/update an authentication method to an application
*
* Access Level: Write
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationAuthenticationMethod.html
*/
toPutApplicationAuthenticationMethod(): this;
/**
* Grants permission to create/update a grant to an application
*
* Access Level: Write
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutApplicationGrant.html
*/
toPutApplicationGrant(): this;
/**
 * Grants permission to attach an IAM inline policy to a permission set
 *
 * Access Level: Write
 *
 * NOTE(review): listed as Write, while attaching a managed policy to a permission set
 * (toAttachManagedPolicyToPermissionSet()) is listed as Permissions management. An inline
 * policy likewise decides what the permission set allows. Do not rely on the access
 * level alone to find this action when auditing who can change permissions.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutInlinePolicyToPermissionSet.html
 */
toPutInlinePolicyToPermissionSet(): this;
/**
 * Grants permission to put MFA device management settings for the directory
 *
 * Access Level: Write
 *
 * NOTE(review): the action changes MFA-related settings of the directory. This file does
 * not say which settings are covered; see the linked user guide. Treat grants of it as
 * security-relevant even though the level is Write.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
 */
toPutMfaDeviceManagementForDirectory(): this;
/**
 * Grants permission to add permissions boundary to a permission set
 *
 * Access Level: Permissions management
 *
 * NOTE(review): the description says "add", but a principal holding this action can
 * presumably also replace an existing boundary with a different one - confirm against
 * the linked reference. The removing counterpart is
 * toDeletePermissionsBoundaryFromPermissionSet().
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PutPermissionsBoundaryToPermissionSet.html
 */
toPutPermissionsBoundaryToPermissionSet(): this;
/**
* Grants permission to add a policy to a permission set
*
* Access Level: Permissions management
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toPutPermissionsPolicy(): this;
/**
* Grants permission to search for groups within the associated directory
*
* Access Level: Read
*
* Dependent actions:
* - ds:DescribeDirectories
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toSearchGroups(): this;
/**
* Grants permission to search for users within the associated directory
*
* Access Level: Read
*
* Dependent actions:
* - ds:DescribeDirectories
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toSearchUsers(): this;
/**
 * Grants permission to initialize AWS IAM Identity Center
 *
 * Access Level: Write
 *
 * Dependent actions:
 * - organizations:DescribeOrganization
 * - organizations:EnableAWSServiceAccess
 *
 * NOTE(review): the dependent actions belong to the `organizations` prefix, and one of
 * them enables service access at the organization level. Nothing in this declaration
 * shows them being added to the statement, so assume they have to be granted
 * separately - confirm against the implementation.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
 */
toStartSSO(): this;
/**
 * Grants permission to associate a set of tags with a specified resource
 *
 * Access Level: Tagging
 *
 * Possible conditions:
 * - .ifAwsRequestTag()
 * - .ifAwsTagKeys()
 *
 * onPermissionSet() and onInstance() list .ifAwsResourceTag() as a possible condition, so
 * other statements may decide access by resource tag. A principal allowed to tag those
 * resources can then change which statements match. The two conditions above can limit
 * which tag keys and values may be set.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_TagResource.html
 */
toTagResource(): this;
/**
 * Grants permission to disassociate a set of tags from a specified resource
 *
 * Access Level: Tagging
 *
 * Possible conditions:
 * - .ifAwsTagKeys()
 *
 * onPermissionSet() and onInstance() list .ifAwsResourceTag() as a possible condition, so
 * other statements may decide access by resource tag. Removing a tag can change which of
 * those statements match. The condition above can limit which tag keys may be removed.
 *
 * https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UntagResource.html
 */
toUntagResource(): this;
/**
* Grants permission to update an application
*
* Access Level: Write
*
* Possible conditions:
* - .ifApplicationAccount()
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateApplication.html
*/
toUpdateApplication(): this;
/**
* Grants permission to set a certificate as the active one for this application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateApplicationInstanceActiveCertificate(): this;
/**
* Grants permission to update display data of an application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateApplicationInstanceDisplayData(): this;
/**
* Grants permission to update federation response configuration for the application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateApplicationInstanceResponseConfiguration(): this;
/**
* Grants permission to update federation response schema configuration for the application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateApplicationInstanceResponseSchemaConfiguration(): this;
/**
* Grants permission to update security details for the application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateApplicationInstanceSecurityConfiguration(): this;
/**
* Grants permission to update service provider related configuration for the application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateApplicationInstanceServiceProviderConfiguration(): this;
/**
* Grants permission to update the status of an application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateApplicationInstanceStatus(): this;
/**
* Grants permission to update the user attribute mappings for your connected directory
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateDirectoryAssociation(): this;
/**
* Grants permission to update an identity center instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateInstance.html
*/
toUpdateInstance(): this;
/**
* Grants permission to update the attributes to use with the instance for ABAC
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateInstanceAccessControlAttributeConfiguration.html
*/
toUpdateInstanceAccessControlAttributeConfiguration(): this;
/**
* Grants permission to update the status of a managed application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateManagedApplicationInstanceStatus(): this;
/**
* Grants permission to update the permission set
*
* Access Level: Permissions management
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdatePermissionSet.html
*/
toUpdatePermissionSet(): this;
/**
* Grants permission to update the profile for an application instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateProfile(): this;
/**
* Grants permission to update the configuration for the current SSO instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateSSOConfiguration(): this;
/**
* Grants permission to update the federation trust in a target account
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-using-id-policies.html#policyexample
*/
toUpdateTrust(): this;
/**
* Grants permission to update a trusted token issuer for an instance
*
* Access Level: Write
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_UpdateTrustedTokenIssuer.html
*/
toUpdateTrustedTokenIssuer(): this;
/**
* Access-level data for this statement provider, typed as `AccessLevelList`.
*
* NOTE(review): only the type is visible in this declaration. Presumably it maps each access level (for example Write or Permissions management) to the action names at that level; confirm in the implementation.
*/
protected accessLevelList: AccessLevelList;
/**
* Adds a resource of type PermissionSet to the statement
*
* Both identifiers are required. Pass concrete values rather than wildcard patterns so the statement covers only the intended permission set.
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html
*
* @param instanceId - Identifier for the instanceId.
* @param permissionSetId - Identifier for the permissionSetId.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
* @returns This statement, so further actions, resources and conditions can be chained.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onPermissionSet(instanceId: string, permissionSetId: string, partition?: string): this;
/**
* Adds a resource of type Account to the statement
*
* Outside the CDK an omitted `accountId` becomes `*`, so the resource matches every account. Pass an explicit account ID when the statement should apply to a single account.
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-accounts.html
*
* @param accountId - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
* @returns This statement, so further actions, resources and conditions can be chained.
*/
onAccount(accountId?: string, partition?: string): this;
/**
* Adds a resource of type Instance to the statement
*
* `instanceId` is required. Pass a concrete identifier rather than a wildcard pattern so the statement covers only the intended instance.
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_InstanceMetadata.html
*
* @param instanceId - Identifier for the instanceId.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
* @returns This statement, so further actions, resources and conditions can be chained.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onInstance(instanceId: string, partition?: string): this;
/**
* Adds a resource of type Application to the statement
*
* Outside the CDK an omitted `accountId` becomes `*`, so the resource matches applications in every account. Pass an explicit account ID, or add `.ifApplicationAccount()`, when the statement should be limited to one account's applications.
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_Application.html
*
* @param instanceId - Identifier for the instanceId.
* @param applicationId - Identifier for the applicationId.
* @param accountId - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
* @returns This statement, so further actions, resources and conditions can be chained.
*
* Possible conditions:
* - .ifAwsResourceTag()
* - .ifApplicationAccount()
*/
onApplication(instanceId: string, applicationId: string, accountId?: string, partition?: string): this;
/**
* Adds a resource of type TrustedTokenIssuer to the statement
*
* Outside the CDK an omitted `accountId` becomes `*`, so the resource matches trusted token issuers in every account. Pass an explicit account ID when the statement should be limited to one account.
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_TrustedTokenIssuerMetadata.html
*
* @param instanceId - Identifier for the instanceId.
* @param trustedTokenIssuerId - Identifier for the trustedTokenIssuerId.
* @param accountId - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
* @returns This statement, so further actions, resources and conditions can be chained.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onTrustedTokenIssuer(instanceId: string, trustedTokenIssuerId: string, accountId?: string, partition?: string): this;
/**
* Adds a resource of type ApplicationProvider to the statement
*
* No conditions are listed for this resource type, so the statement cannot be narrowed further by resource tags here. Scoping depends on passing a concrete `applicationProviderId`.
*
* https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ApplicationProvider.html
*
* @param applicationProviderId - Identifier for the applicationProviderId.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
* @returns This statement, so further actions, resources and conditions can be chained.
*/
onApplicationProvider(applicationProviderId: string, partition?: string): this;
/**
* Filters access by the tags that are passed in the request
*
* Adds a condition on the global key `aws:RequestTag/<tagKey>`.
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html
*
* Applies to actions:
* - .toCreateApplication()
* - .toCreateInstance()
* - .toCreatePermissionSet()
* - .toCreateTrustedTokenIssuer()
* - .toTagResource()
*
* For actions not listed above the key is absent from the request. With a non-negated operator the condition is then false and the statement does not match, so a Deny statement built on this condition does not cover those actions.
*
* The default operator `StringLike` treats `*` and `?` in `value` as wildcards. Pass `StringEquals` when an exact tag value is intended.
*
* @param tagKey The tag key to check
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
* @returns This statement, so further actions, resources and conditions can be chained.
*/
ifAwsRequestTag(tagKey: string, value: string | string[], operator?: Operator | string): this;
/**
* Filters access by the tags associated with the resource
*
* Adds a condition on the global key `aws:ResourceTag/<tagKey>`.
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html
*
* Applies to resource types:
* - PermissionSet
* - Instance
* - Application
* - TrustedTokenIssuer
*
* Account and ApplicationProvider resources are not listed, so tag-based scoping does not extend to them. Tag-based access control is also only as strong as the control over who may tag or untag these resources (see `.toTagResource()` and `.toUntagResource()`).
*
* The default operator `StringLike` treats `*` and `?` in `value` as wildcards. Pass `StringEquals` when an exact tag value is intended.
*
* @param tagKey The tag key to check
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
* @returns This statement, so further actions, resources and conditions can be chained.
*/
ifAwsResourceTag(tagKey: string, value: string | string[], operator?: Operator | string): this;
/**
* Filters access by the tag keys that are passed in the request
*
* Adds a condition on the global key `aws:TagKeys`.
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html
*
* Applies to actions:
* - .toCreateApplication()
* - .toCreateInstance()
* - .toCreatePermissionSet()
* - .toCreateTrustedTokenIssuer()
* - .toTagResource()
* - .toUntagResource()
*
* `aws:TagKeys` is a multivalued key, so IAM expects a `ForAllValues:` or `ForAnyValue:` set operator with it. `ForAllValues` also matches a request that carries no tag keys at all, so an Allow statement that must require tags needs an additional check that the key is present.
*
* The default operator `StringLike` treats `*` and `?` in `value` as wildcards.
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
* @returns This statement, so further actions, resources and conditions can be chained.
*/
ifAwsTagKeys(value: string | string[], operator?: Operator | string): this;
/**
* Filters access by the account which creates the application. This condition key is not supported for customer managed SAML applications
*
* Because the key is unsupported for customer managed SAML applications, a statement that relies on this condition alone does not constrain access to those applications. Scope them with an explicit resource instead.
*
* https://docs.aws.amazon.com/singlesignon/latest/userguide/API_Application.html
*
* NOTE(review): the link above uses the `userguide` path, while the Application resource elsewhere in this class links to `APIReference/API_Application.html`. The URL may be stale; verify it.
*
* Applies to actions:
* - .toCreateApplicationAssignment()
* - .toDeleteApplication()
* - .toDeleteApplicationAccessScope()
* - .toDeleteApplicationAssignment()
* - .toDeleteApplicationAuthenticationMethod()
* - .toDeleteApplicationGrant()
* - .toDescribeApplication()
* - .toDescribeApplicationAssignment()
* - .toGetApplicationAccessScope()
* - .toGetApplicationAssignmentConfiguration()
* - .toGetApplicationAuthenticationMethod()
* - .toGetApplicationGrant()
* - .toListApplicationAccessScopes()
* - .toListApplicationAssignments()
* - .toListApplicationAssignmentsForPrincipal()
* - .toListApplicationAuthenticationMethods()
* - .toListApplicationGrants()
* - .toPutApplicationAccessScope()
* - .toPutApplicationAssignmentConfiguration()
* - .toPutApplicationAuthenticationMethod()
* - .toPutApplicationGrant()
* - .toUpdateApplication()
*
* Applies to resource types:
* - Application
*
* The default operator `StringLike` treats `*` and `?` in `value` as wildcards. Pass `StringEquals` when matching exact account values.
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
* @returns This statement, so further actions, resources and conditions can be chained.
*/
ifApplicationAccount(value: string | string[], operator?: Operator | string): this;
/**
* Statement provider for service [sso](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycenter.html).
*
* @param props - Optional CDK `iam.PolicyStatementProps` for the statement. NOTE(review): how these props combine with actions, resources and conditions added later through the fluent `to*()`, `on*()` and `if*()` methods is not visible in this declaration; confirm in `PolicyStatement`.
*/
constructor(props?: iam.PolicyStatementProps);
}