This documentation is for the developer preview release of the AWS CDK. Do not use this version of the AWS CDK in production. Subsequent releases of the AWS CDK will likely include breaking changes.

@aws-cdk/aws-iam

AWS IAM Construct Library

Define a role and add permissions to it. This will automatically create and attach an IAM policy to the role:

const role = new Role(this, 'MyRole', {
  assumedBy: new ServicePrincipal('sns.amazonaws.com')
});

role.addToPolicy(new PolicyStatement()
    .addAllResources()
    .addAction('lambda:InvokeFunction'));

Define a policy and attach it to groups, users and roles. Note that it is possible to attach the policy either by calling xxx.attachInlinePolicy(policy) or policy.attachToXxx(xxx).

const user = new User(this, 'MyUser', { password: '1234' });
const group = new Group(this, 'MyGroup');

const policy = new Policy(this, 'MyPolicy');
policy.attachToUser(user);
group.attachInlinePolicy(policy);

Managed policies can be attached using xxx.attachManagedPolicy(arn):

const group = new Group(this, 'MyGroup');
group.attachManagedPolicy('arn:aws:iam::aws:policy/AdministratorAccess');

Configuring an ExternalId

If you need to create roles that will be assumed by third parties, it is generally a good idea to require an ExternalId to assume them (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html). Configuring an ExternalId works like this:

const role = new iam.Role(this, 'MyRole', {
  assumedBy: new iam.AccountPrincipal('123456789012'),
  externalId: 'SUPPLY-ME',
});

IAM Principals

When defining policy statements as part of an AssumeRole policy or as part of a resource policy, statements would usually refer to a specific IAM principal under Principal.

IAM principals are modeled as classes that derive from the iam.PolicyPrincipal abstract class. A principal object includes a principal type (string) and value (array of strings), an optional set of conditions, and the action that the principal requires when it is used in an assume-role policy document.

To add a principal to a policy statement you can either use the abstract statement.addPrincipal or one of the concrete addXxxPrincipal methods:

  • addAwsPrincipal, addArnPrincipal or new ArnPrincipal(arn) for { "AWS": arn }
  • addAwsAccountPrincipal or new AccountPrincipal(accountId) for { "AWS": account-arn }
  • addServicePrincipal or new ServicePrincipal(service) for { "Service": service }
  • addAccountRootPrincipal or new AccountRootPrincipal() for { "AWS": { "Ref": "AWS::AccountId" } }
  • addCanonicalUserPrincipal or new CanonicalUserPrincipal(id) for { "CanonicalUser": id }
  • addFederatedPrincipal or new FederatedPrincipal(federated, conditions, assumeAction) for { "Federated": arn } and a set of optional conditions and the assume role action to use.
  • addAnyPrincipal or new AnyPrincipal for { "AWS": "*" }

If multiple principals are added to the policy statement, they will be merged together:

const statement = new PolicyStatement();
statement.addServicePrincipal('cloudwatch.amazonaws.com');
statement.addServicePrincipal('ec2.amazonaws.com');
statement.addAwsPrincipal('arn:aws:boom:boom');

Will result in:

{
  "Principal": {
    "Service": [ "cloudwatch.amazonaws.com", "ec2.amazonaws.com" ],
    "AWS": "arn:aws:boom:boom"
  }
}

The CompositePrincipal class can also be used to define complex principals, for example:

const role = new iam.Role(this, 'MyRole', {
  assumedBy: new iam.CompositePrincipal(
    new iam.ServicePrincipal('ec2.amazonaws.com'),
    new iam.AccountPrincipal('1818188181818187272')
  )
});
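
A check a reviewer might run over a synthesized template, covering the ExternalId advice and the AnyPrincipal form ({ "AWS": "*" }) described above. This is an added example, not part of the AWS CDK; the template shape, logical IDs and rule names are assumptions constructed for illustration.

```javascript
// Added example: lint IAM role trust policies in a CloudFormation template.
// SAMPLE_TEMPLATE below is constructed for this example, not real CDK output.

// A policy element may be a single value or an array; normalise to an array.
const asArray = (v) => (v === undefined || v === null ? [] : Array.isArray(v) ? v : [v]);

// Principals are strings or CloudFormation intrinsics such as { "Fn::Join": ... }.
const render = (p) => (typeof p === 'string' ? p : JSON.stringify(p));

// True when the statement pins sts:ExternalId with StringEquals.
// IAM condition keys are case-insensitive, so compare in lower case.
function requiresExternalId(statement) {
  const equals = (statement.Condition || {}).StringEquals || {};
  return Object.keys(equals).some(
    (key) => key.toLowerCase() === 'sts:externalid' && asArray(equals[key]).length > 0
  );
}

// The stack's own account: { "Ref": "AWS::AccountId" } or a caller-supplied id.
function isOwnAccount(principalText, ownAccountId) {
  return principalText.includes('AWS::AccountId') ||
    (Boolean(ownAccountId) && principalText.includes(ownAccountId));
}

// Returns one finding per risky AWS principal in a role's trust policy.
function auditTrustPolicies(template, ownAccountId) {
  const findings = [];
  for (const [logicalId, resource] of Object.entries(template.Resources || {})) {
    if (resource.Type !== 'AWS::IAM::Role') continue;
    const doc = (resource.Properties || {}).AssumeRolePolicyDocument || {};
    for (const statement of asArray(doc.Statement)) {
      if (statement.Effect !== 'Allow') continue;
      const principal = statement.Principal;
      // "Principal": "*" is shorthand for every identity in every account.
      const awsPrincipals = principal === '*' ? ['*'] : asArray((principal || {}).AWS);
      for (const p of awsPrincipals) {
        const text = render(p);
        if (text === '*') {
          findings.push({ logicalId, rule: 'wildcard-principal', principal: text });
        } else if (!isOwnAccount(text, ownAccountId) && !requiresExternalId(statement)) {
          findings.push({ logicalId, rule: 'cross-account-without-external-id', principal: text });
        }
      }
    }
  }
  return findings;
}

// Constructed sample input (assumed shape of a synthesized template).
const accountRoot = (account) => ({
  'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::', account, ':root']],
});
const role = (statement) => ({
  Type: 'AWS::IAM::Role',
  Properties: {
    AssumeRolePolicyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'sts:AssumeRole', Effect: 'Allow', ...statement }],
    },
  },
});
const SAMPLE_TEMPLATE = {
  Resources: {
    // Third-party account with an ExternalId condition: passes.
    VendorRole: role({
      Principal: { AWS: accountRoot('123456789012') },
      Condition: { StringEquals: { 'sts:ExternalId': 'SUPPLY-ME' } },
    }),
    // Same account principal without the condition: flagged.
    PartnerRole: role({ Principal: { AWS: accountRoot('123456789012') } }),
    // AnyPrincipal: flagged regardless of conditions.
    OpenRole: role({ Principal: { AWS: '*' } }),
    // Service principals and the stack's own account are not cross-account.
    SnsRole: role({ Principal: { Service: 'sns.amazonaws.com' } }),
    SelfRole: role({ Principal: { AWS: accountRoot({ Ref: 'AWS::AccountId' }) } }),
  },
};

console.log(JSON.stringify(auditTrustPolicies(SAMPLE_TEMPLATE), null, 2));
```

Passing the deploying account's ID as the second argument suppresses findings for literal ARNs in that account.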

Features

  • Policy name uniqueness is enforced. If two policies by the same name are attached to the same principal, the attachment will fail.
  • Policy names are not required - the CDK logical ID will be used and ensured to be unique.

Reference

View in Nuget

csproj:

<PackageReference Include="Amazon.CDK.AWS.IAM" Version="0.25.3" />

dotnet:

dotnet add package Amazon.CDK.AWS.IAM --version 0.25.3

packages.config:

<package id="Amazon.CDK.AWS.IAM" version="0.25.3" />

View in Maven Central

Apache Buildr:

'software.amazon.awscdk:iam:jar:0.25.3'

Apache Ivy:

<dependency groupId="software.amazon.awscdk" name="iam" rev="0.25.3"/>

Apache Maven:

<dependency>
  <groupId>software.amazon.awscdk</groupId>
  <artifactId>iam</artifactId>
  <version>0.25.3</version>
</dependency>

Gradle / Grails:

compile 'software.amazon.awscdk:iam:0.25.3'

Groovy Grape:

@Grapes(
@Grab(group='software.amazon.awscdk', module='iam', version='0.25.3')
)

View in NPM

npm:

$ npm i @aws-cdk/aws-iam@0.25.3

package.json:

{
  "@aws-cdk/aws-iam": "^0.25.3"
}

yarn:

$ yarn add @aws-cdk/aws-iam@0.25.3

AccountPrincipal

class @aws-cdk/aws-iam.AccountPrincipal(accountId)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.AccountPrincipal;
const { AccountPrincipal } = require('@aws-cdk/aws-iam');
import { AccountPrincipal } from '@aws-cdk/aws-iam';
Extends:ArnPrincipal
Parameters:accountId (any) –
accountId
Type:any (readonly)
policyFragment() → @aws-cdk/aws-iam.PrincipalPolicyFragment

Inherited from @aws-cdk/aws-iam.ArnPrincipal

Return the policy fragment that identifies this principal in a Policy.

Return type:PrincipalPolicyFragment
arn

Inherited from @aws-cdk/aws-iam.ArnPrincipal

Type:string (readonly)
assumeRoleAction

Inherited from @aws-cdk/aws-iam.PolicyPrincipal

When this Principal is used in an AssumeRole policy, the action to use.

Type:string

AccountRootPrincipal

class @aws-cdk/aws-iam.AccountRootPrincipal

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.AccountRootPrincipal;
const { AccountRootPrincipal } = require('@aws-cdk/aws-iam');
import { AccountRootPrincipal } from '@aws-cdk/aws-iam';
Extends:AccountPrincipal
accountId

Inherited from @aws-cdk/aws-iam.AccountPrincipal

Type:any (readonly)
policyFragment() → @aws-cdk/aws-iam.PrincipalPolicyFragment

Inherited from @aws-cdk/aws-iam.ArnPrincipal

Return the policy fragment that identifies this principal in a Policy.

Return type:PrincipalPolicyFragment
arn

Inherited from @aws-cdk/aws-iam.ArnPrincipal

Type:string (readonly)
assumeRoleAction

Inherited from @aws-cdk/aws-iam.PolicyPrincipal

When this Principal is used in an AssumeRole policy, the action to use.

Type:string

AnyPrincipal

class @aws-cdk/aws-iam.AnyPrincipal

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.AnyPrincipal;
const { AnyPrincipal } = require('@aws-cdk/aws-iam');
import { AnyPrincipal } from '@aws-cdk/aws-iam';

A principal representing all identities in all accounts

Extends:ArnPrincipal
policyFragment() → @aws-cdk/aws-iam.PrincipalPolicyFragment

Inherited from @aws-cdk/aws-iam.ArnPrincipal

Return the policy fragment that identifies this principal in a Policy.

Return type:PrincipalPolicyFragment
arn

Inherited from @aws-cdk/aws-iam.ArnPrincipal

Type:string (readonly)
assumeRoleAction

Inherited from @aws-cdk/aws-iam.PolicyPrincipal

When this Principal is used in an AssumeRole policy, the action to use.

Type:string

Anyone

class @aws-cdk/aws-iam.Anyone

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.Anyone;
const { Anyone } = require('@aws-cdk/aws-iam');
import { Anyone } from '@aws-cdk/aws-iam';

A principal representing all identities in all accounts

Extends:AnyPrincipal
policyFragment() → @aws-cdk/aws-iam.PrincipalPolicyFragment

Inherited from @aws-cdk/aws-iam.ArnPrincipal

Return the policy fragment that identifies this principal in a Policy.

Return type:PrincipalPolicyFragment
arn

Inherited from @aws-cdk/aws-iam.ArnPrincipal

Type:string (readonly)
assumeRoleAction

Inherited from @aws-cdk/aws-iam.PolicyPrincipal

When this Principal is used in an AssumeRole policy, the action to use.

Type:string

ArnPrincipal

class @aws-cdk/aws-iam.ArnPrincipal(arn)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.ArnPrincipal;
const { ArnPrincipal } = require('@aws-cdk/aws-iam');
import { ArnPrincipal } from '@aws-cdk/aws-iam';
Extends:PolicyPrincipal
Parameters:arn (string) –
policyFragment() → @aws-cdk/aws-iam.PrincipalPolicyFragment

Implements @aws-cdk/aws-iam.PolicyPrincipal.policyFragment()

Return the policy fragment that identifies this principal in a Policy.

Return type:PrincipalPolicyFragment
arn
Type:string (readonly)
assumeRoleAction

Inherited from @aws-cdk/aws-iam.PolicyPrincipal

When this Principal is used in an AssumeRole policy, the action to use.

Type:string

AwsManagedPolicy

class @aws-cdk/aws-iam.AwsManagedPolicy(managedPolicyName, scope)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.AwsManagedPolicy;
const { AwsManagedPolicy } = require('@aws-cdk/aws-iam');
import { AwsManagedPolicy } from '@aws-cdk/aws-iam';

A policy managed by AWS

For this managed policy, you only need to know the name to be able to use it.

Some managed policy names start with “service-role/”, some start with “job-function/”, and some don’t start with anything. Do include the prefix when constructing this object.

Parameters:
managedPolicyName
Type:string (readonly)
policyArn

The Arn of this managed policy

Type:string (readonly)
scope
Type:@aws-cdk/cdk.IConstruct (readonly)

CanonicalUserPrincipal

class @aws-cdk/aws-iam.CanonicalUserPrincipal(canonicalUserId)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CanonicalUserPrincipal;
const { CanonicalUserPrincipal } = require('@aws-cdk/aws-iam');
import { CanonicalUserPrincipal } from '@aws-cdk/aws-iam';

A policy principal for canonicalUserIds - useful for S3 bucket policies that use Origin Access identities.

See https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html and https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html for more details.

Extends:PolicyPrincipal
Parameters:canonicalUserId (string) –
policyFragment() → @aws-cdk/aws-iam.PrincipalPolicyFragment

Implements @aws-cdk/aws-iam.PolicyPrincipal.policyFragment()

Return the policy fragment that identifies this principal in a Policy.

Return type:PrincipalPolicyFragment
canonicalUserId
Type:string (readonly)
assumeRoleAction

Inherited from @aws-cdk/aws-iam.PolicyPrincipal

When this Principal is used in an AssumeRole policy, the action to use.

Type:string

CfnAccessKey

class @aws-cdk/aws-iam.CfnAccessKey(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnAccessKey;
const { CfnAccessKey } = require('@aws-cdk/aws-iam');
import { CfnAccessKey } from '@aws-cdk/aws-iam';
Extends:

@aws-cdk/cdk.Resource

Parameters:
renderProperties(properties) → string => any

Overrides @aws-cdk/cdk.Resource.renderProperties()

Protected method

Parameters:properties (any) –
Return type:string => any
resourceTypeName

The CloudFormation resource type name for this resource class.

Type:string (readonly) (static)
accessKeyId
Type:string (readonly)
accessKeySecretAccessKey
Type:string (readonly)
propertyOverrides
Type:CfnAccessKeyProps (readonly)
toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)
ref

Inherited from @aws-cdk/cdk.Referenceable

Returns a token to a CloudFormation { Ref } that references this entity based on its logical ID.

Type:string (readonly)
addDeletionOverride(path)

Inherited from @aws-cdk/cdk.Resource

Syntactic sugar for addOverride(path, undefined).

Parameters:path (string) – The path of the value to delete
addDependsOn(resource)

Inherited from @aws-cdk/cdk.Resource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

Parameters:resource (@aws-cdk/cdk.Resource) –
addOverride(path, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to the synthesized CloudFormation resource. To add a property override, either use addPropertyOverride or prefix path with “Properties.” (e.g. Properties.TopicName).

Parameters:
  • path (string) – The path of the property; you can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  • value (any) – The value. Could be primitive or complex.
addPropertyDeletionOverride(propertyPath)

Inherited from @aws-cdk/cdk.Resource

Adds an override that deletes the value of a property from the resource definition.

Parameters:propertyPath (string) – The path to the property.
addPropertyOverride(propertyPath, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to a resource property.

Syntactic sugar for addOverride(“Properties.<…>”, value).

Parameters:
  • propertyPath (string) – The path of the property
  • value (any) – The value
getAtt(attributeName) → @aws-cdk/cdk.CfnReference

Inherited from @aws-cdk/cdk.Resource

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

Parameters:attributeName (string) – The name of the attribute.
Return type:@aws-cdk/cdk.CfnReference
toCloudFormation() → json

Inherited from @aws-cdk/cdk.Resource

Emits CloudFormation for this resource.

Return type:json
options

Inherited from @aws-cdk/cdk.Resource

Options for this resource, such as condition, update policy etc.

Type:@aws-cdk/cdk.ResourceOptions (readonly)
properties

Inherited from @aws-cdk/cdk.Resource

AWS resource properties.

This object is rendered via a call to “renderProperties(this.properties)”.

Protected property

Type:any (readonly)
resourceType

Inherited from @aws-cdk/cdk.Resource

AWS resource type.

Type:string (readonly)
untypedPropertyOverrides

Inherited from @aws-cdk/cdk.Resource

AWS resource property overrides.

During synthesis, the method “renderProperties(this.overrides)” is called with this object, and merged on top of the output of “renderProperties(this.properties)”.

Derived classes should expose a strongly-typed version of this object as a public property called propertyOverrides.

Protected property

Type:any (readonly)
overrideLogicalId(newLogicalId)

Inherited from @aws-cdk/cdk.StackElement

Overrides the auto-generated logical ID with a specific ID.

Parameters:newLogicalId (string) – The new logical ID to use for this stack element.
prepare()

Inherited from @aws-cdk/cdk.StackElement

Automatically detect references in this StackElement

Protected method

creationStackTrace

Inherited from @aws-cdk/cdk.StackElement

Type:string[] (readonly)
logicalId

Inherited from @aws-cdk/cdk.StackElement

The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

Type:string (readonly)
stackPath

Inherited from @aws-cdk/cdk.StackElement

Return the path with respect to the stack

Type:string (readonly)

CfnAccessKeyProps (interface)

class @aws-cdk/aws-iam.CfnAccessKeyProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnAccessKeyProps;
// CfnAccessKeyProps is an interface
import { CfnAccessKeyProps } from '@aws-cdk/aws-iam';
userName

AWS::IAM::AccessKey.UserName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-username

Type:string
serial

AWS::IAM::AccessKey.Serial

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-serial

Type:number or @aws-cdk/cdk.Token (optional)
status

AWS::IAM::AccessKey.Status

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html#cfn-iam-accesskey-status

Type:string (optional)

CfnGroup

class @aws-cdk/aws-iam.CfnGroup(scope, id[, props])

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnGroup;
const { CfnGroup } = require('@aws-cdk/aws-iam');
import { CfnGroup } from '@aws-cdk/aws-iam';
Extends:

@aws-cdk/cdk.Resource

Parameters:
  • scope (@aws-cdk/cdk.Construct) – scope in which this resource is defined
  • id (string) – scoped id of the resource
  • props (CfnGroupProps (optional)) – resource properties
renderProperties(properties) → string => any

Overrides @aws-cdk/cdk.Resource.renderProperties()

Protected method

Parameters:properties (any) –
Return type:string => any
resourceTypeName

The CloudFormation resource type name for this resource class.

Type:string (readonly) (static)
groupArn
Type:string (readonly)
groupName
Type:string (readonly)
propertyOverrides
Type:CfnGroupProps (readonly)
class PolicyProperty

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnGroup.PolicyProperty;
// CfnGroup.PolicyProperty is an interface
import { CfnGroup } from '@aws-cdk/aws-iam'; // refer to the type as CfnGroup.PolicyProperty
policyDocument

CfnGroup.PolicyProperty.PolicyDocument

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policydocument

Type:json or @aws-cdk/cdk.Token
policyName

CfnGroup.PolicyProperty.PolicyName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policyname

Type:string
toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)
ref

Inherited from @aws-cdk/cdk.Referenceable

Returns a token to a CloudFormation { Ref } that references this entity based on its logical ID.

Type:string (readonly)
addDeletionOverride(path)

Inherited from @aws-cdk/cdk.Resource

Syntactic sugar for addOverride(path, undefined).

Parameters:path (string) – The path of the value to delete
addDependsOn(resource)

Inherited from @aws-cdk/cdk.Resource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

Parameters:resource (@aws-cdk/cdk.Resource) –
addOverride(path, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to the synthesized CloudFormation resource. To add a property override, either use addPropertyOverride or prefix path with “Properties.” (e.g. Properties.TopicName).

Parameters:
  • path (string) – The path of the property; you can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  • value (any) – The value. Could be primitive or complex.
addPropertyDeletionOverride(propertyPath)

Inherited from @aws-cdk/cdk.Resource

Adds an override that deletes the value of a property from the resource definition.

Parameters:propertyPath (string) – The path to the property.
addPropertyOverride(propertyPath, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to a resource property.

Syntactic sugar for addOverride(“Properties.<…>”, value).

Parameters:
  • propertyPath (string) – The path of the property
  • value (any) – The value
getAtt(attributeName) → @aws-cdk/cdk.CfnReference

Inherited from @aws-cdk/cdk.Resource

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

Parameters:attributeName (string) – The name of the attribute.
Return type:@aws-cdk/cdk.CfnReference
toCloudFormation() → json

Inherited from @aws-cdk/cdk.Resource

Emits CloudFormation for this resource.

Return type:json
options

Inherited from @aws-cdk/cdk.Resource

Options for this resource, such as condition, update policy etc.

Type:@aws-cdk/cdk.ResourceOptions (readonly)
properties

Inherited from @aws-cdk/cdk.Resource

AWS resource properties.

This object is rendered via a call to “renderProperties(this.properties)”.

Protected property

Type:any (readonly)
resourceType

Inherited from @aws-cdk/cdk.Resource

AWS resource type.

Type:string (readonly)
untypedPropertyOverrides

Inherited from @aws-cdk/cdk.Resource

AWS resource property overrides.

During synthesis, the method “renderProperties(this.overrides)” is called with this object, and merged on top of the output of “renderProperties(this.properties)”.

Derived classes should expose a strongly-typed version of this object as a public property called propertyOverrides.

Protected property

Type:any (readonly)
overrideLogicalId(newLogicalId)

Inherited from @aws-cdk/cdk.StackElement

Overrides the auto-generated logical ID with a specific ID.

Parameters:newLogicalId (string) – The new logical ID to use for this stack element.
prepare()

Inherited from @aws-cdk/cdk.StackElement

Automatically detect references in this StackElement

Protected method

creationStackTrace

Inherited from @aws-cdk/cdk.StackElement

Type:string[] (readonly)
logicalId

Inherited from @aws-cdk/cdk.StackElement

The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

Type:string (readonly)
stackPath

Inherited from @aws-cdk/cdk.StackElement

Return the path with respect to the stack

Type:string (readonly)

CfnGroupProps (interface)

class @aws-cdk/aws-iam.CfnGroupProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnGroupProps;
// CfnGroupProps is an interface
import { CfnGroupProps } from '@aws-cdk/aws-iam';
groupName

AWS::IAM::Group.GroupName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-groupname

Type:string (optional)
managedPolicyArns

AWS::IAM::Group.ManagedPolicyArns

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-managepolicyarns

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[] (optional)
path

AWS::IAM::Group.Path

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-path

Type:string (optional)
policies

AWS::IAM::Group.Policies

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html#cfn-iam-group-policies

Type:@aws-cdk/cdk.Token or (@aws-cdk/cdk.Token or PolicyProperty)[] (optional)

CfnInstanceProfile

class @aws-cdk/aws-iam.CfnInstanceProfile(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnInstanceProfile;
const { CfnInstanceProfile } = require('@aws-cdk/aws-iam');
import { CfnInstanceProfile } from '@aws-cdk/aws-iam';
Extends:

@aws-cdk/cdk.Resource

Parameters:
renderProperties(properties) → string => any

Overrides @aws-cdk/cdk.Resource.renderProperties()

Protected method

Parameters:properties (any) –
Return type:string => any
resourceTypeName

The CloudFormation resource type name for this resource class.

Type:string (readonly) (static)
instanceProfileArn
Type:string (readonly)
instanceProfileName
Type:string (readonly)
propertyOverrides
Type:CfnInstanceProfileProps (readonly)
toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)
ref

Inherited from @aws-cdk/cdk.Referenceable

Returns a token to a CloudFormation { Ref } that references this entity based on its logical ID.

Type:string (readonly)
addDeletionOverride(path)

Inherited from @aws-cdk/cdk.Resource

Syntactic sugar for addOverride(path, undefined).

Parameters:path (string) – The path of the value to delete
addDependsOn(resource)

Inherited from @aws-cdk/cdk.Resource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

Parameters:resource (@aws-cdk/cdk.Resource) –
addOverride(path, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to the synthesized CloudFormation resource. To add a property override, either use addPropertyOverride or prefix path with “Properties.” (e.g. Properties.TopicName).

Parameters:
  • path (string) – The path of the property; you can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  • value (any) – The value. Could be primitive or complex.
addPropertyDeletionOverride(propertyPath)

Inherited from @aws-cdk/cdk.Resource

Adds an override that deletes the value of a property from the resource definition.

Parameters:propertyPath (string) – The path to the property.
addPropertyOverride(propertyPath, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to a resource property.

Syntactic sugar for addOverride(“Properties.<…>”, value).

Parameters:
  • propertyPath (string) – The path of the property
  • value (any) – The value
getAtt(attributeName) → @aws-cdk/cdk.CfnReference

Inherited from @aws-cdk/cdk.Resource

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

Parameters:attributeName (string) – The name of the attribute.
Return type:@aws-cdk/cdk.CfnReference
toCloudFormation() → json

Inherited from @aws-cdk/cdk.Resource

Emits CloudFormation for this resource.

Return type:json
options

Inherited from @aws-cdk/cdk.Resource

Options for this resource, such as condition, update policy etc.

Type:@aws-cdk/cdk.ResourceOptions (readonly)
properties

Inherited from @aws-cdk/cdk.Resource

AWS resource properties.

This object is rendered via a call to “renderProperties(this.properties)”.

Protected property

Type:any (readonly)
resourceType

Inherited from @aws-cdk/cdk.Resource

AWS resource type.

Type:string (readonly)
untypedPropertyOverrides

Inherited from @aws-cdk/cdk.Resource

AWS resource property overrides.

During synthesis, the method “renderProperties(this.overrides)” is called with this object, and merged on top of the output of “renderProperties(this.properties)”.

Derived classes should expose a strongly-typed version of this object as a public property called propertyOverrides.

Protected property

Type:any (readonly)
overrideLogicalId(newLogicalId)

Inherited from @aws-cdk/cdk.StackElement

Overrides the auto-generated logical ID with a specific ID.

Parameters:newLogicalId (string) – The new logical ID to use for this stack element.
prepare()

Inherited from @aws-cdk/cdk.StackElement

Automatically detect references in this StackElement

Protected method

creationStackTrace

Inherited from @aws-cdk/cdk.StackElement

Type:string[] (readonly)
logicalId

Inherited from @aws-cdk/cdk.StackElement

The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

Type:string (readonly)
stackPath

Inherited from @aws-cdk/cdk.StackElement

Return the path with respect to the stack

Type:string (readonly)

CfnInstanceProfileProps (interface)

class @aws-cdk/aws-iam.CfnInstanceProfileProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnInstanceProfileProps;
// CfnInstanceProfileProps is an interface
import { CfnInstanceProfileProps } from '@aws-cdk/aws-iam';
roles

AWS::IAM::InstanceProfile.Roles

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-roles

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[]
instanceProfileName

AWS::IAM::InstanceProfile.InstanceProfileName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-instanceprofilename

Type:string (optional)
path

AWS::IAM::InstanceProfile.Path

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html#cfn-iam-instanceprofile-path

Type:string (optional)

CfnManagedPolicy

class @aws-cdk/aws-iam.CfnManagedPolicy(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnManagedPolicy;
const { CfnManagedPolicy } = require('@aws-cdk/aws-iam');
import { CfnManagedPolicy } from '@aws-cdk/aws-iam';
Extends:

@aws-cdk/cdk.Resource

Parameters:
renderProperties(properties) → string => any

Overrides @aws-cdk/cdk.Resource.renderProperties()

Protected method

Parameters:properties (any) –
Return type:string => any
resourceTypeName

The CloudFormation resource type name for this resource class.

Type:string (readonly) (static)
managedPolicyArn
Type:string (readonly)
propertyOverrides
Type:CfnManagedPolicyProps (readonly)
toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)
ref

Inherited from @aws-cdk/cdk.Referenceable

Returns a token to a CloudFormation { Ref } that references this entity based on its logical ID.

Type:string (readonly)
addDeletionOverride(path)

Inherited from @aws-cdk/cdk.Resource

Syntactic sugar for addOverride(path, undefined).

Parameters:path (string) – The path of the value to delete
addDependsOn(resource)

Inherited from @aws-cdk/cdk.Resource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

Parameters:resource (@aws-cdk/cdk.Resource) –
addOverride(path, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to the synthesized CloudFormation resource. To add a property override, either use addPropertyOverride or prefix path with “Properties.” (e.g. Properties.TopicName).

Parameters:
  • path (string) – The path of the property. You can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  • value (any) – The value. Could be primitive or complex.
addPropertyDeletionOverride(propertyPath)

Inherited from @aws-cdk/cdk.Resource

Adds an override that deletes the value of a property from the resource definition.

Parameters:propertyPath (string) – The path to the property.
addPropertyOverride(propertyPath, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to a resource property.

Syntactic sugar for addOverride(“Properties.<…>”, value).

Parameters:
  • propertyPath (string) – The path of the property
  • value (any) – The value
getAtt(attributeName) → @aws-cdk/cdk.CfnReference

Inherited from @aws-cdk/cdk.Resource

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

Parameters:attributeName (string) – The name of the attribute.
Return type:@aws-cdk/cdk.CfnReference
toCloudFormation() → json

Inherited from @aws-cdk/cdk.Resource

Emits CloudFormation for this resource.

Return type:json
options

Inherited from @aws-cdk/cdk.Resource

Options for this resource, such as condition, update policy etc.

Type:@aws-cdk/cdk.ResourceOptions (readonly)
properties

Inherited from @aws-cdk/cdk.Resource

AWS resource properties.

This object is rendered via a call to “renderProperties(this.properties)”.

Protected property

Type:any (readonly)
resourceType

Inherited from @aws-cdk/cdk.Resource

AWS resource type.

Type:string (readonly)
untypedPropertyOverrides

Inherited from @aws-cdk/cdk.Resource

AWS resource property overrides.

During synthesis, the method “renderProperties(this.overrides)” is called with this object, and merged on top of the output of “renderProperties(this.properties)”.

Derived classes should expose a strongly-typed version of this object as a public property called propertyOverrides.

Protected property

Type:any (readonly)
overrideLogicalId(newLogicalId)

Inherited from @aws-cdk/cdk.StackElement

Overrides the auto-generated logical ID with a specific ID.

Parameters:newLogicalId (string) – The new logical ID to use for this stack element.
prepare()

Inherited from @aws-cdk/cdk.StackElement

Automatically detect references in this StackElement

Protected method

creationStackTrace

Inherited from @aws-cdk/cdk.StackElement

Type:string[] (readonly)
logicalId

Inherited from @aws-cdk/cdk.StackElement

The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

Type:string (readonly)
stackPath

Inherited from @aws-cdk/cdk.StackElement

Return the path with respect to the stack

Type:string (readonly)

CfnManagedPolicyProps (interface)

class @aws-cdk/aws-iam.CfnManagedPolicyProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnManagedPolicyProps;
// CfnManagedPolicyProps is an interface
import { CfnManagedPolicyProps } from '@aws-cdk/aws-iam';
policyDocument

AWS::IAM::ManagedPolicy.PolicyDocument

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-policydocument

Type:json or @aws-cdk/cdk.Token
description

AWS::IAM::ManagedPolicy.Description

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-description

Type:string (optional)
groups

AWS::IAM::ManagedPolicy.Groups

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-groups

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[] (optional)
managedPolicyName

AWS::IAM::ManagedPolicy.ManagedPolicyName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-managedpolicyname

Type:string (optional)
path

AWS::IAM::ManagedPolicy.Path

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-ec2-dhcpoptions-path

Type:string (optional)
roles

AWS::IAM::ManagedPolicy.Roles

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-roles

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[] (optional)
users

AWS::IAM::ManagedPolicy.Users

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-users

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[] (optional)

CfnPolicy

class @aws-cdk/aws-iam.CfnPolicy(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnPolicy;
const { CfnPolicy } = require('@aws-cdk/aws-iam');
import { CfnPolicy } from '@aws-cdk/aws-iam';
Extends:

@aws-cdk/cdk.Resource

Parameters:
renderProperties(properties) → string => any

Overrides @aws-cdk/cdk.Resource.renderProperties()

Protected method

Parameters:properties (any) –
Return type:string => any
resourceTypeName

The CloudFormation resource type name for this resource class.

Type:string (readonly) (static)
policyName
Type:string (readonly)
propertyOverrides
Type:CfnPolicyProps (readonly)
toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable.

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)
ref

Inherited from @aws-cdk/cdk.Referenceable

Returns a token to a CloudFormation { Ref } that references this entity based on its logical ID.

Type:string (readonly)
addDeletionOverride(path)

Inherited from @aws-cdk/cdk.Resource

Syntactic sugar for addOverride(path, undefined).

Parameters:path (string) – The path of the value to delete
addDependsOn(resource)

Inherited from @aws-cdk/cdk.Resource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

Parameters:resource (@aws-cdk/cdk.Resource) –
addOverride(path, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to the synthesized CloudFormation resource. To add a property override, either use addPropertyOverride or prefix path with “Properties.” (e.g. Properties.TopicName).

Parameters:
  • path (string) – The path of the property. You can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  • value (any) – The value. Could be primitive or complex.
addPropertyDeletionOverride(propertyPath)

Inherited from @aws-cdk/cdk.Resource

Adds an override that deletes the value of a property from the resource definition.

Parameters:propertyPath (string) – The path to the property.
addPropertyOverride(propertyPath, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to a resource property.

Syntactic sugar for addOverride(“Properties.<…>”, value).

Parameters:
  • propertyPath (string) – The path of the property
  • value (any) – The value
getAtt(attributeName) → @aws-cdk/cdk.CfnReference

Inherited from @aws-cdk/cdk.Resource

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

Parameters:attributeName (string) – The name of the attribute.
Return type:@aws-cdk/cdk.CfnReference
toCloudFormation() → json

Inherited from @aws-cdk/cdk.Resource

Emits CloudFormation for this resource.

Return type:json
options

Inherited from @aws-cdk/cdk.Resource

Options for this resource, such as condition, update policy etc.

Type:@aws-cdk/cdk.ResourceOptions (readonly)
properties

Inherited from @aws-cdk/cdk.Resource

AWS resource properties.

This object is rendered via a call to “renderProperties(this.properties)”.

Protected property

Type:any (readonly)
resourceType

Inherited from @aws-cdk/cdk.Resource

AWS resource type.

Type:string (readonly)
untypedPropertyOverrides

Inherited from @aws-cdk/cdk.Resource

AWS resource property overrides.

During synthesis, the method “renderProperties(this.overrides)” is called with this object, and merged on top of the output of “renderProperties(this.properties)”.

Derived classes should expose a strongly-typed version of this object as a public property called propertyOverrides.

Protected property

Type:any (readonly)
overrideLogicalId(newLogicalId)

Inherited from @aws-cdk/cdk.StackElement

Overrides the auto-generated logical ID with a specific ID.

Parameters:newLogicalId (string) – The new logical ID to use for this stack element.
prepare()

Inherited from @aws-cdk/cdk.StackElement

Automatically detect references in this StackElement

Protected method

creationStackTrace

Inherited from @aws-cdk/cdk.StackElement

Type:string[] (readonly)
logicalId

Inherited from @aws-cdk/cdk.StackElement

The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

Type:string (readonly)
stackPath

Inherited from @aws-cdk/cdk.StackElement

Return the path with respect to the stack

Type:string (readonly)

CfnPolicyProps (interface)

class @aws-cdk/aws-iam.CfnPolicyProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnPolicyProps;
// CfnPolicyProps is an interface
import { CfnPolicyProps } from '@aws-cdk/aws-iam';
policyDocument

AWS::IAM::Policy.PolicyDocument

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policydocument

Type:json or @aws-cdk/cdk.Token
policyName

AWS::IAM::Policy.PolicyName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-policyname

Type:string
groups

AWS::IAM::Policy.Groups

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-groups

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[] (optional)
roles

AWS::IAM::Policy.Roles

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-roles

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[] (optional)
users

AWS::IAM::Policy.Users

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-users

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[] (optional)

CfnRole

class @aws-cdk/aws-iam.CfnRole(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnRole;
const { CfnRole } = require('@aws-cdk/aws-iam');
import { CfnRole } from '@aws-cdk/aws-iam';
Extends:

@aws-cdk/cdk.Resource

Parameters:
renderProperties(properties) → string => any

Overrides @aws-cdk/cdk.Resource.renderProperties()

Protected method

Parameters:properties (any) –
Return type:string => any
resourceTypeName

The CloudFormation resource type name for this resource class.

Type:string (readonly) (static)
propertyOverrides
Type:CfnRoleProps (readonly)
roleArn
Type:string (readonly)
roleId
Type:string (readonly)
roleName
Type:string (readonly)
class PolicyProperty

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnRole.PolicyProperty;
// CfnRole.PolicyProperty is an interface
import { CfnRole } from '@aws-cdk/aws-iam'; // referenced as CfnRole.PolicyProperty
policyDocument

CfnRole.PolicyProperty.PolicyDocument

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policydocument

Type:json or @aws-cdk/cdk.Token
policyName

CfnRole.PolicyProperty.PolicyName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policyname

Type:string
toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable.

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)
ref

Inherited from @aws-cdk/cdk.Referenceable

Returns a token to a CloudFormation { Ref } that references this entity based on its logical ID.

Type:string (readonly)
addDeletionOverride(path)

Inherited from @aws-cdk/cdk.Resource

Syntactic sugar for addOverride(path, undefined).

Parameters:path (string) – The path of the value to delete
addDependsOn(resource)

Inherited from @aws-cdk/cdk.Resource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

Parameters:resource (@aws-cdk/cdk.Resource) –
addOverride(path, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to the synthesized CloudFormation resource. To add a property override, either use addPropertyOverride or prefix path with “Properties.” (e.g. Properties.TopicName).

Parameters:
  • path (string) – The path of the property. You can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  • value (any) – The value. Could be primitive or complex.
addPropertyDeletionOverride(propertyPath)

Inherited from @aws-cdk/cdk.Resource

Adds an override that deletes the value of a property from the resource definition.

Parameters:propertyPath (string) – The path to the property.
addPropertyOverride(propertyPath, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to a resource property.

Syntactic sugar for addOverride(“Properties.<…>”, value).

Parameters:
  • propertyPath (string) – The path of the property
  • value (any) – The value
getAtt(attributeName) → @aws-cdk/cdk.CfnReference

Inherited from @aws-cdk/cdk.Resource

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

Parameters:attributeName (string) – The name of the attribute.
Return type:@aws-cdk/cdk.CfnReference
toCloudFormation() → json

Inherited from @aws-cdk/cdk.Resource

Emits CloudFormation for this resource.

Return type:json
options

Inherited from @aws-cdk/cdk.Resource

Options for this resource, such as condition, update policy etc.

Type:@aws-cdk/cdk.ResourceOptions (readonly)
properties

Inherited from @aws-cdk/cdk.Resource

AWS resource properties.

This object is rendered via a call to “renderProperties(this.properties)”.

Protected property

Type:any (readonly)
resourceType

Inherited from @aws-cdk/cdk.Resource

AWS resource type.

Type:string (readonly)
untypedPropertyOverrides

Inherited from @aws-cdk/cdk.Resource

AWS resource property overrides.

During synthesis, the method “renderProperties(this.overrides)” is called with this object, and merged on top of the output of “renderProperties(this.properties)”.

Derived classes should expose a strongly-typed version of this object as a public property called propertyOverrides.

Protected property

Type:any (readonly)
overrideLogicalId(newLogicalId)

Inherited from @aws-cdk/cdk.StackElement

Overrides the auto-generated logical ID with a specific ID.

Parameters:newLogicalId (string) – The new logical ID to use for this stack element.
prepare()

Inherited from @aws-cdk/cdk.StackElement

Automatically detect references in this StackElement

Protected method

creationStackTrace

Inherited from @aws-cdk/cdk.StackElement

Type:string[] (readonly)
logicalId

Inherited from @aws-cdk/cdk.StackElement

The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

Type:string (readonly)
stackPath

Inherited from @aws-cdk/cdk.StackElement

Return the path with respect to the stack

Type:string (readonly)

CfnRoleProps (interface)

class @aws-cdk/aws-iam.CfnRoleProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnRoleProps;
// CfnRoleProps is an interface
import { CfnRoleProps } from '@aws-cdk/aws-iam';
assumeRolePolicyDocument

AWS::IAM::Role.AssumeRolePolicyDocument

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument

Type:json or @aws-cdk/cdk.Token
managedPolicyArns

AWS::IAM::Role.ManagedPolicyArns

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-managepolicyarns

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[] (optional)
maxSessionDuration

AWS::IAM::Role.MaxSessionDuration

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-maxsessionduration

Type:number or @aws-cdk/cdk.Token (optional)
path

AWS::IAM::Role.Path

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-path

Type:string (optional)
permissionsBoundary

AWS::IAM::Role.PermissionsBoundary

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-permissionsboundary

Type:string (optional)
policies

AWS::IAM::Role.Policies

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-policies

Type:@aws-cdk/cdk.Token or (@aws-cdk/cdk.Token or PolicyProperty)[] (optional)
roleName

AWS::IAM::Role.RoleName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-rolename

Type:string (optional)

CfnServiceLinkedRole

class @aws-cdk/aws-iam.CfnServiceLinkedRole(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnServiceLinkedRole;
const { CfnServiceLinkedRole } = require('@aws-cdk/aws-iam');
import { CfnServiceLinkedRole } from '@aws-cdk/aws-iam';
Extends:

@aws-cdk/cdk.Resource

Parameters:
renderProperties(properties) → string => any

Overrides @aws-cdk/cdk.Resource.renderProperties()

Protected method

Parameters:properties (any) –
Return type:string => any
resourceTypeName

The CloudFormation resource type name for this resource class.

Type:string (readonly) (static)
propertyOverrides
Type:CfnServiceLinkedRoleProps (readonly)
toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable.

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)
ref

Inherited from @aws-cdk/cdk.Referenceable

Returns a token to a CloudFormation { Ref } that references this entity based on its logical ID.

Type:string (readonly)
addDeletionOverride(path)

Inherited from @aws-cdk/cdk.Resource

Syntactic sugar for addOverride(path, undefined).

Parameters:path (string) – The path of the value to delete
addDependsOn(resource)

Inherited from @aws-cdk/cdk.Resource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

Parameters:resource (@aws-cdk/cdk.Resource) –
addOverride(path, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to the synthesized CloudFormation resource. To add a property override, either use addPropertyOverride or prefix path with “Properties.” (e.g. Properties.TopicName).

Parameters:
  • path (string) – The path of the property. You can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  • value (any) – The value. Could be primitive or complex.
addPropertyDeletionOverride(propertyPath)

Inherited from @aws-cdk/cdk.Resource

Adds an override that deletes the value of a property from the resource definition.

Parameters:propertyPath (string) – The path to the property.
addPropertyOverride(propertyPath, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to a resource property.

Syntactic sugar for addOverride(“Properties.<…>”, value).

Parameters:
  • propertyPath (string) – The path of the property
  • value (any) – The value
getAtt(attributeName) → @aws-cdk/cdk.CfnReference

Inherited from @aws-cdk/cdk.Resource

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

Parameters:attributeName (string) – The name of the attribute.
Return type:@aws-cdk/cdk.CfnReference
toCloudFormation() → json

Inherited from @aws-cdk/cdk.Resource

Emits CloudFormation for this resource.

Return type:json
options

Inherited from @aws-cdk/cdk.Resource

Options for this resource, such as condition, update policy etc.

Type:@aws-cdk/cdk.ResourceOptions (readonly)
properties

Inherited from @aws-cdk/cdk.Resource

AWS resource properties.

This object is rendered via a call to “renderProperties(this.properties)”.

Protected property

Type:any (readonly)
resourceType

Inherited from @aws-cdk/cdk.Resource

AWS resource type.

Type:string (readonly)
untypedPropertyOverrides

Inherited from @aws-cdk/cdk.Resource

AWS resource property overrides.

During synthesis, the method “renderProperties(this.overrides)” is called with this object, and merged on top of the output of “renderProperties(this.properties)”.

Derived classes should expose a strongly-typed version of this object as a public property called propertyOverrides.

Protected property

Type:any (readonly)
overrideLogicalId(newLogicalId)

Inherited from @aws-cdk/cdk.StackElement

Overrides the auto-generated logical ID with a specific ID.

Parameters:newLogicalId (string) – The new logical ID to use for this stack element.
prepare()

Inherited from @aws-cdk/cdk.StackElement

Automatically detect references in this StackElement

Protected method

creationStackTrace

Inherited from @aws-cdk/cdk.StackElement

Type:string[] (readonly)
logicalId

Inherited from @aws-cdk/cdk.StackElement

The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

Type:string (readonly)
stackPath

Inherited from @aws-cdk/cdk.StackElement

Return the path with respect to the stack

Type:string (readonly)

CfnServiceLinkedRoleProps (interface)

class @aws-cdk/aws-iam.CfnServiceLinkedRoleProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnServiceLinkedRoleProps;
// CfnServiceLinkedRoleProps is an interface
import { CfnServiceLinkedRoleProps } from '@aws-cdk/aws-iam';
awsServiceName

AWS::IAM::ServiceLinkedRole.AWSServiceName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-awsservicename

Type:string
customSuffix

AWS::IAM::ServiceLinkedRole.CustomSuffix

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-customsuffix

Type:string (optional)
description

AWS::IAM::ServiceLinkedRole.Description

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html#cfn-iam-servicelinkedrole-description

Type:string (optional)

CfnUser

class @aws-cdk/aws-iam.CfnUser(scope, id[, props])

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnUser;
const { CfnUser } = require('@aws-cdk/aws-iam');
import { CfnUser } from '@aws-cdk/aws-iam';
Extends:

@aws-cdk/cdk.Resource

Parameters:
  • scope (@aws-cdk/cdk.Construct) – scope in which this resource is defined
  • id (string) – scoped id of the resource
  • props (CfnUserProps (optional)) – resource properties
renderProperties(properties) → string => any

Overrides @aws-cdk/cdk.Resource.renderProperties()

Protected method

Parameters:properties (any) –
Return type:string => any
resourceTypeName

The CloudFormation resource type name for this resource class.

Type:string (readonly) (static)
propertyOverrides
Type:CfnUserProps (readonly)
userArn
Type:string (readonly)
userName
Type:string (readonly)
class LoginProfileProperty

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnUser.LoginProfileProperty;
// CfnUser.LoginProfileProperty is an interface
import { CfnUser } from '@aws-cdk/aws-iam'; // referenced as CfnUser.LoginProfileProperty
password

CfnUser.LoginProfileProperty.Password

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html#cfn-iam-user-loginprofile-password

Type:string
passwordResetRequired

CfnUser.LoginProfileProperty.PasswordResetRequired

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html#cfn-iam-user-loginprofile-passwordresetrequired

Type:boolean or @aws-cdk/cdk.Token (optional)
class PolicyProperty

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnUser.PolicyProperty;
// CfnUser.PolicyProperty is an interface
import { CfnUser } from '@aws-cdk/aws-iam'; // referenced as CfnUser.PolicyProperty
policyDocument

CfnUser.PolicyProperty.PolicyDocument

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policydocument

Type:json or @aws-cdk/cdk.Token
policyName

CfnUser.PolicyProperty.PolicyName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-policy.html#cfn-iam-policies-policyname

Type:string
toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable.

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)
ref

Inherited from @aws-cdk/cdk.Referenceable

Returns a token to a CloudFormation { Ref } that references this entity based on its logical ID.

Type:string (readonly)
addDeletionOverride(path)

Inherited from @aws-cdk/cdk.Resource

Syntactic sugar for addOverride(path, undefined).

Parameters:path (string) – The path of the value to delete
addDependsOn(resource)

Inherited from @aws-cdk/cdk.Resource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

Parameters:resource (@aws-cdk/cdk.Resource) –
addOverride(path, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to the synthesized CloudFormation resource. To add a property override, either use addPropertyOverride or prefix path with “Properties.” (e.g. Properties.TopicName).

Parameters:
  • path (string) – The path of the property. You can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  • value (any) – The value. Could be primitive or complex.
addPropertyDeletionOverride(propertyPath)

Inherited from @aws-cdk/cdk.Resource

Adds an override that deletes the value of a property from the resource definition.

Parameters:propertyPath (string) – The path to the property.
addPropertyOverride(propertyPath, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to a resource property.

Syntactic sugar for addOverride(“Properties.<…>”, value).

Parameters:
  • propertyPath (string) – The path of the property
  • value (any) – The value
getAtt(attributeName) → @aws-cdk/cdk.CfnReference

Inherited from @aws-cdk/cdk.Resource

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

Parameters:attributeName (string) – The name of the attribute.
Return type:@aws-cdk/cdk.CfnReference
toCloudFormation() → json

Inherited from @aws-cdk/cdk.Resource

Emits CloudFormation for this resource.

Return type:json
options

Inherited from @aws-cdk/cdk.Resource

Options for this resource, such as condition, update policy etc.

Type:@aws-cdk/cdk.ResourceOptions (readonly)
properties

Inherited from @aws-cdk/cdk.Resource

AWS resource properties.

This object is rendered via a call to “renderProperties(this.properties)”.

Protected property

Type:any (readonly)
resourceType

Inherited from @aws-cdk/cdk.Resource

AWS resource type.

Type:string (readonly)
untypedPropertyOverrides

Inherited from @aws-cdk/cdk.Resource

AWS resource property overrides.

During synthesis, the method “renderProperties(this.overrides)” is called with this object, and merged on top of the output of “renderProperties(this.properties)”.

Derived classes should expose a strongly-typed version of this object as a public property called propertyOverrides.

Protected property

Type:any (readonly)
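
The override behaviour described for addOverride, addPropertyOverride and the deletion variants above, and the merge described under untypedPropertyOverrides, modeled as an added stand-alone example (not the CDK's own code). The function bodies, the sample AWS::IAM::User resource and the boundary policy ARN are constructed for illustration, and the unsafe-key check is an addition of this example.

```javascript
// Added illustration: a stand-alone model of the override semantics.
// This is NOT the CDK implementation; it only mirrors the documented behaviour.

// Keys that must never be walked when building objects from a string path
// (assumption of this example: reject them to avoid prototype pollution).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Record an override: walk the dot-separated path, create intermediate
// objects as needed, and store the value under the final key.
function addOverride(overrides, path, value) {
  const parts = path.split('.');
  for (const part of parts) {
    if (part === '' || UNSAFE_KEYS.has(part)) {
      throw new Error(`Refusing override path segment "${part}" in "${path}"`);
    }
  }
  let curr = overrides;
  while (parts.length > 1) {
    const key = parts.shift();
    if (!isPlainObject(curr[key])) {
      curr[key] = {};
    }
    curr = curr[key];
  }
  curr[parts[0]] = value;
  return overrides;
}

// Syntactic sugar, as in the reference text.
function addDeletionOverride(overrides, path) {
  return addOverride(overrides, path, undefined);
}
function addPropertyOverride(overrides, propertyPath, value) {
  return addOverride(overrides, `Properties.${propertyPath}`, value);
}
function addPropertyDeletionOverride(overrides, propertyPath) {
  return addPropertyOverride(overrides, propertyPath, undefined);
}

// Merge the recorded overrides on top of the rendered resource.
// A key whose override value is undefined is removed from the output.
function mergeOverrides(target, overrides) {
  for (const key of Object.keys(overrides)) {
    const value = overrides[key];
    if (value === undefined) {
      delete target[key];
    } else if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeOverrides(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample: a rendered AWS::IAM::User that has a console login
// profile and no permissions boundary.
function synthesizeExample() {
  const rendered = {
    Type: 'AWS::IAM::User',
    Properties: {
      UserName: 'ci-deployer',
      LoginProfile: { Password: 'PLACEHOLDER' },
    },
  };
  const overrides = {};
  // Pin a permissions boundary on the user (constructed ARN).
  addPropertyOverride(overrides, 'PermissionsBoundary',
    'arn:aws:iam::123456789012:policy/ExampleBoundary');
  // Remove console access from the synthesized resource.
  addPropertyDeletionOverride(overrides, 'LoginProfile');
  // Path outside "Properties."; both intermediate keys are created.
  addOverride(overrides, 'Metadata.Review.Owner', 'security-team');
  return mergeOverrides(rendered, overrides);
}

console.log(JSON.stringify(synthesizeExample(), null, 2));
```

Because overrides are merged after the typed properties are rendered, they bypass the construct's own validation; review every override that touches IAM properties against the synthesized template.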
overrideLogicalId(newLogicalId)

Inherited from @aws-cdk/cdk.StackElement

Overrides the auto-generated logical ID with a specific ID.

Parameters:newLogicalId (string) – The new logical ID to use for this stack element.
prepare()

Inherited from @aws-cdk/cdk.StackElement

Automatically detect references in this StackElement

Protected method

creationStackTrace

Inherited from @aws-cdk/cdk.StackElement

Type:string[] (readonly)
logicalId

Inherited from @aws-cdk/cdk.StackElement

The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

Type:string (readonly)
stackPath

Inherited from @aws-cdk/cdk.StackElement

Return the path with respect to the stack

Type:string (readonly)

CfnUserProps (interface)

class @aws-cdk/aws-iam.CfnUserProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnUserProps;
// CfnUserProps is an interface
import { CfnUserProps } from '@aws-cdk/aws-iam';
groups

AWS::IAM::User.Groups

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-groups

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[] (optional)
loginProfile

AWS::IAM::User.LoginProfile

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-loginprofile

Type:@aws-cdk/cdk.Token or LoginProfileProperty (optional)
managedPolicyArns

AWS::IAM::User.ManagedPolicyArns

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-managepolicyarns

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[] (optional)
path

AWS::IAM::User.Path

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-path

Type:string (optional)
permissionsBoundary

AWS::IAM::User.PermissionsBoundary

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-permissionsboundary

Type:string (optional)
policies

AWS::IAM::User.Policies

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-policies

Type:@aws-cdk/cdk.Token or (@aws-cdk/cdk.Token or PolicyProperty)[] (optional)
userName

AWS::IAM::User.UserName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html#cfn-iam-user-username

Type:string (optional)

CfnUserToGroupAddition

class @aws-cdk/aws-iam.CfnUserToGroupAddition(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnUserToGroupAddition;
const { CfnUserToGroupAddition } = require('@aws-cdk/aws-iam');
import { CfnUserToGroupAddition } from '@aws-cdk/aws-iam';
Extends:

@aws-cdk/cdk.Resource

Parameters:
renderProperties(properties) → string => any

Overrides @aws-cdk/cdk.Resource.renderProperties()

Protected method

Parameters:properties (any) –
Return type:string => any
resourceTypeName

The CloudFormation resource type name for this resource class.

Type:string (readonly) (static)
propertyOverrides
Type:CfnUserToGroupAdditionProps (readonly)
toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable.

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)
ref

Inherited from @aws-cdk/cdk.Referenceable

Returns a token to a CloudFormation { Ref } that references this entity based on its logical ID.

Type:string (readonly)
addDeletionOverride(path)

Inherited from @aws-cdk/cdk.Resource

Syntactic sugar for addOverride(path, undefined).

Parameters:path (string) – The path of the value to delete
addDependsOn(resource)

Inherited from @aws-cdk/cdk.Resource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

Parameters:resource (@aws-cdk/cdk.Resource) –
addOverride(path, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to the synthesized CloudFormation resource. To add a property override, either use addPropertyOverride or prefix path with “Properties.” (e.g. Properties.TopicName).

Parameters:
  • path (string) – The path of the property. You can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  • value (any) – The value. Could be primitive or complex.
addPropertyDeletionOverride(propertyPath)

Inherited from @aws-cdk/cdk.Resource

Adds an override that deletes the value of a property from the resource definition.

Parameters:propertyPath (string) – The path to the property.
addPropertyOverride(propertyPath, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to a resource property.

Syntactic sugar for addOverride(“Properties.<…>”, value).

Parameters:
  • propertyPath (string) – The path of the property
  • value (any) – The value
getAtt(attributeName) → @aws-cdk/cdk.CfnReference

Inherited from @aws-cdk/cdk.Resource

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

Parameters:attributeName (string) – The name of the attribute.
Return type:@aws-cdk/cdk.CfnReference
toCloudFormation() → json

Inherited from @aws-cdk/cdk.Resource

Emits CloudFormation for this resource.

Return type:json
options

Inherited from @aws-cdk/cdk.Resource

Options for this resource, such as condition, update policy etc.

Type:@aws-cdk/cdk.ResourceOptions (readonly)
properties

Inherited from @aws-cdk/cdk.Resource

AWS resource properties.

This object is rendered via a call to “renderProperties(this.properties)”.

Protected property

Type:any (readonly)
resourceType

Inherited from @aws-cdk/cdk.Resource

AWS resource type.

Type:string (readonly)
untypedPropertyOverrides

Inherited from @aws-cdk/cdk.Resource

AWS resource property overrides.

During synthesis, the method “renderProperties(this.overrides)” is called with this object, and merged on top of the output of “renderProperties(this.properties)”.

Derived classes should expose a strongly-typed version of this object as a public property called propertyOverrides.

Protected property

Type:any (readonly)
overrideLogicalId(newLogicalId)

Inherited from @aws-cdk/cdk.StackElement

Overrides the auto-generated logical ID with a specific ID.

Parameters:newLogicalId (string) – The new logical ID to use for this stack element.
prepare()

Inherited from @aws-cdk/cdk.StackElement

Automatically detect references in this StackElement

Protected method

creationStackTrace

Inherited from @aws-cdk/cdk.StackElement

Type:string[] (readonly)
logicalId

Inherited from @aws-cdk/cdk.StackElement

The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

Type:string (readonly)
stackPath

Inherited from @aws-cdk/cdk.StackElement

Return the path with respect to the stack

Type:string (readonly)

CfnUserToGroupAdditionProps (interface)

class @aws-cdk/aws-iam.CfnUserToGroupAdditionProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CfnUserToGroupAdditionProps;
// CfnUserToGroupAdditionProps is an interface
import { CfnUserToGroupAdditionProps } from '@aws-cdk/aws-iam';
groupName

AWS::IAM::UserToGroupAddition.GroupName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-groupname

Type:string
users

AWS::IAM::UserToGroupAddition.Users

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-addusertogroup.html#cfn-iam-addusertogroup-users

Type:@aws-cdk/cdk.Token or (string or @aws-cdk/cdk.Token)[]

CompositePrincipal

class @aws-cdk/aws-iam.CompositePrincipal(principal, *additionalPrincipals)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.CompositePrincipal;
const { CompositePrincipal } = require('@aws-cdk/aws-iam');
import { CompositePrincipal } from '@aws-cdk/aws-iam';
Extends:

PolicyPrincipal

Parameters:
addPrincipals(*principals) → @aws-cdk/aws-iam.CompositePrincipal
Parameters:*principals (PolicyPrincipal) –
Return type:CompositePrincipal
policyFragment() → @aws-cdk/aws-iam.PrincipalPolicyFragment

Implements @aws-cdk/aws-iam.PolicyPrincipal.policyFragment()

Return the policy fragment that identifies this principal in a Policy.

Return type:PrincipalPolicyFragment
assumeRoleAction

Inherited from @aws-cdk/aws-iam.PolicyPrincipal

When this Principal is used in an AssumeRole policy, the action to use.

Type:string

FederatedPrincipal

class @aws-cdk/aws-iam.FederatedPrincipal(federated, conditions[, assumeRoleAction])

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.FederatedPrincipal;
const { FederatedPrincipal } = require('@aws-cdk/aws-iam');
import { FederatedPrincipal } from '@aws-cdk/aws-iam';
Extends:

PolicyPrincipal

Parameters:
  • federated (string) –
  • conditions (string => any) –
  • assumeRoleAction (string (optional)) –
policyFragment() → @aws-cdk/aws-iam.PrincipalPolicyFragment

Implements @aws-cdk/aws-iam.PolicyPrincipal.policyFragment()

Return the policy fragment that identifies this principal in a Policy.

Return type:PrincipalPolicyFragment
conditions
Type:string => any (readonly)
federated
Type:string (readonly)
assumeRoleAction

Overrides @aws-cdk/aws-iam.PolicyPrincipal.assumeRoleAction

Type:string

Group

class @aws-cdk/aws-iam.Group(scope, id[, props])

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.Group;
const { Group } = require('@aws-cdk/aws-iam');
import { Group } from '@aws-cdk/aws-iam';
Extends:

@aws-cdk/cdk.Construct

Implements:

IPrincipal

Parameters:
addToPolicy(statement)

Implements @aws-cdk/aws-iam.IPrincipal.addToPolicy()

Adds an IAM statement to the default policy.

Parameters:statement (PolicyStatement) –
addUser(user)

Adds a user to this group.

Parameters:user (User) –
attachInlinePolicy(policy)

Implements @aws-cdk/aws-iam.IPrincipal.attachInlinePolicy()

Attaches a policy to this group.

Parameters:policy (Policy) – The policy to attach.
attachManagedPolicy(arn)

Implements @aws-cdk/aws-iam.IPrincipal.attachManagedPolicy()

Attaches a managed policy to this group.

Parameters:arn (string) – The ARN of the managed policy to attach.
groupArn

The ARN of this group.

Type:string (readonly)
groupName

The runtime name of this group.

Type:string (readonly)
principal

Implements @aws-cdk/aws-iam.IPrincipal.principal()

An “AWS” policy principal that represents this group.

Type:PolicyPrincipal (readonly)
prepare()

Inherited from @aws-cdk/cdk.Construct

Perform final modifications before synthesis.

This method can be implemented by derived constructs in order to perform final changes before synthesis. prepare() will be called after child constructs have been prepared.

This is an advanced framework feature. Only use this if you understand the implications.

Protected method

toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable.

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)

GroupProps (interface)

class @aws-cdk/aws-iam.GroupProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.GroupProps;
// GroupProps is an interface
import { GroupProps } from '@aws-cdk/aws-iam';
groupName

A name for the IAM group. For valid values, see the GroupName parameter for the CreateGroup action in the IAM API Reference. If you don’t specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name.

If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template’s capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.

Type:string (optional)
Default:Generated by CloudFormation (recommended)
managedPolicyArns

A list of ARNs for managed policies associated with the group.

Type:any[] (optional)
Default:No managed policies.
path

The path to the group. For more information about paths, see [IAM Identifiers](http://docs.aws.amazon.com/IAM/latest/UserGuide/index.html?Using_Identifiers.html) in the IAM User Guide.

Type:string (optional)

IPrincipal (interface)

class @aws-cdk/aws-iam.IPrincipal

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.IPrincipal;
// IPrincipal is an interface
import { IPrincipal } from '@aws-cdk/aws-iam';

A construct that represents an IAM principal, such as a user, group or role.

principal

The IAM principal of this identity (i.e. AWS principal, service principal, etc).

Type:PolicyPrincipal (readonly)
addToPolicy(statement)

Adds an IAM statement to the default inline policy associated with this principal. If a policy doesn’t exist, it is created.

Parameters:statement (PolicyStatement) –
Abstract:Yes
attachInlinePolicy(policy)

Attaches an inline policy to this principal.

This is the same as calling policy.addToXxx(principal).

Parameters:policy (Policy) – The policy resource to attach to this principal.
Abstract:Yes
attachManagedPolicy(arn)

Attaches a managed policy to this principal.

Parameters:arn (string) – The ARN of the managed policy
Abstract:Yes

IRole (interface)

class @aws-cdk/aws-iam.IRole

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.IRole;
// IRole is an interface
import { IRole } from '@aws-cdk/aws-iam';

A Role object

Extends:@aws-cdk/cdk.IConstruct
Extends:IPrincipal
roleArn

Returns the ARN of this role.

Type:string (readonly)
roleId

Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q.

Type:string (readonly)
roleName

Returns the name of this role.

Type:string (readonly)
export() → @aws-cdk/aws-iam.RoleImportProps

Export this role to another stack.

Return type:RoleImportProps
Abstract:Yes
addToPolicy(statement)

Inherited from @aws-cdk/aws-iam.IPrincipal

Adds an IAM statement to the default inline policy associated with this principal. If a policy doesn’t exist, it is created.

Parameters:statement (PolicyStatement) –
Abstract:Yes
attachInlinePolicy(policy)

Inherited from @aws-cdk/aws-iam.IPrincipal

Attaches an inline policy to this principal.

This is the same as calling policy.addToXxx(principal).

Parameters:policy (Policy) – The policy resource to attach to this principal.
Abstract:Yes
attachManagedPolicy(arn)

Inherited from @aws-cdk/aws-iam.IPrincipal

Attaches a managed policy to this principal.

Parameters:arn (string) – The ARN of the managed policy
Abstract:Yes
principal

Inherited from @aws-cdk/aws-iam.IPrincipal

The IAM principal of this identity (i.e. AWS principal, service principal, etc).

Type:PolicyPrincipal (readonly)
node

Inherited from @aws-cdk/cdk.IConstruct

The construct node in the scope tree.

Type:@aws-cdk/cdk.ConstructNode (readonly)
dependencyRoots

Inherited from @aws-cdk/cdk.IDependable

The set of constructs that form the root of this dependable.

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)

LazyRole

class @aws-cdk/aws-iam.LazyRole(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.LazyRole;
const { LazyRole } = require('@aws-cdk/aws-iam');
import { LazyRole } from '@aws-cdk/aws-iam';

An IAM role that only gets attached to the construct tree once it gets used, not before.

This construct can be used to simplify logic in other constructs which need to create a role but only if certain configurations occur (such as when AutoScaling is configured). The role can be configured in one place, but if it never gets used it doesn’t get instantiated and will not be synthesized or deployed.

Extends:

@aws-cdk/cdk.Construct

Implements:

IRole

Parameters:
addToPolicy(statement)

Implements @aws-cdk/aws-iam.IPrincipal.addToPolicy()

Adds a permission to the role’s default policy document.

If there is no default policy attached to this role, it will be created.

Parameters:statement (PolicyStatement) –
attachInlinePolicy(policy)

Implements @aws-cdk/aws-iam.IPrincipal.attachInlinePolicy()

Attaches a policy to this role.

Parameters:policy (Policy) – The policy to attach
attachManagedPolicy(arn)

Implements @aws-cdk/aws-iam.IPrincipal.attachManagedPolicy()

Attaches a managed policy to this role.

Parameters:arn (string) – The ARN of the managed policy to attach.
export() → @aws-cdk/aws-iam.RoleImportProps

Implements @aws-cdk/aws-iam.IRole.export()

Export this role to another stack.

Return type:RoleImportProps
principal

Implements @aws-cdk/aws-iam.IPrincipal.principal()

Returns a Principal object representing the ARN of this role.

Type:PolicyPrincipal (readonly)
props
Type:RoleProps (readonly)
roleArn

Implements @aws-cdk/aws-iam.IRole.roleArn()

Returns the ARN of this role.

Type:string (readonly)
roleId

Implements @aws-cdk/aws-iam.IRole.roleId()

Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q.

Type:string (readonly)
roleName

Implements @aws-cdk/aws-iam.IRole.roleName()

Returns the name of this role.

Type:string (readonly)
prepare()

Inherited from @aws-cdk/cdk.Construct

Perform final modifications before synthesis.

This method can be implemented by derived constructs in order to perform final changes before synthesis. prepare() will be called after child constructs have been prepared.

This is an advanced framework feature. Only use this if you understand the implications.

Protected method

toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable.

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)

Policy

class @aws-cdk/aws-iam.Policy(scope, id[, props])

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.Policy;
const { Policy } = require('@aws-cdk/aws-iam');
import { Policy } from '@aws-cdk/aws-iam';

The AWS::IAM::Policy resource associates an IAM policy with IAM users, roles, or groups. For more information about IAM policies, see [Overview of IAM Policies](http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html) in the IAM User Guide.

Extends:

@aws-cdk/cdk.Construct

Parameters:
addStatement(statement)

Adds a statement to the policy document.

Parameters:statement (PolicyStatement) –
attachToGroup(group)

Attaches this policy to a group.

Parameters:group (Group) –
attachToRole(role)

Attaches this policy to a role.

Parameters:role (IRole) –
attachToUser(user)

Attaches this policy to a user.

Parameters:user (User) –
validate() → string[]

Overrides @aws-cdk/cdk.Construct.validate()

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Return type:string[]
document

The policy document.

Type:PolicyDocument (readonly)
policyName

The name of this policy.

Type:string (readonly)
prepare()

Inherited from @aws-cdk/cdk.Construct

Perform final modifications before synthesis.

This method can be implemented by derived constructs in order to perform final changes before synthesis. prepare() will be called after child constructs have been prepared.

This is an advanced framework feature. Only use this if you understand the implications.

Protected method

toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable.

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)

PolicyDocument

class @aws-cdk/aws-iam.PolicyDocument([baseDocument])

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.PolicyDocument;
const { PolicyDocument } = require('@aws-cdk/aws-iam');
import { PolicyDocument } from '@aws-cdk/aws-iam';
Extends:@aws-cdk/cdk.Token
Parameters:baseDocument (any (optional)) –
addStatement(statement) → @aws-cdk/aws-iam.PolicyDocument
Parameters:statement (PolicyStatement) –
Return type:PolicyDocument
resolve(_context) → any

Overrides @aws-cdk/cdk.Token.resolve()

Parameters:_context (@aws-cdk/cdk.ResolveContext) –
Return type:any
isEmpty
Type:boolean (readonly)
statementCount

The number of statements already added to this policy.

Can be used, for example, to generate unique “sid”s within the policy.

Type:number (readonly)
baseDocument
Type:any (optional) (readonly)
toJSON() → any

Inherited from @aws-cdk/cdk.Token

Turn this Token into JSON.

This gets called by JSON.stringify(). We want to prohibit this, because it’s not possible to do this properly, so we just throw an error here.

Return type:any
toList() → string[]

Inherited from @aws-cdk/cdk.Token

Return a string list representation of this token.

Call this if the Token intrinsically evaluates to a list of strings. If so, you can represent the Token in a similar way in the type system.

Note that even though the Token is represented as a list of strings, you still cannot do any operations on it such as concatenation, indexing, or taking its length. The only useful operation you can perform on such a list is constructing a FnJoin or a FnSelect on it.

Return type:string[]
toString() → string

Inherited from @aws-cdk/cdk.Token

Return a reversible string representation of this token.

If the Token is initialized with a literal, the stringified value of the literal is returned. Otherwise, a special quoted string representation of the Token is returned that can be embedded into other strings.

Strings with quoted Tokens in them can be restored back into complex values with the Tokens restored by calling resolve() on the string.

Return type:string
displayName

Inherited from @aws-cdk/cdk.Token

A human-readable display hint for this Token

Type:string (optional) (readonly)
isReference

Inherited from @aws-cdk/cdk.Token

Indicates whether this Token represents a “reference”.

The Construct tree can be queried for the Reference Tokens that are used in it.

Type:boolean (optional) (readonly)
valueOrFunction

Inherited from @aws-cdk/cdk.Token

What this token will evaluate to, literal or function.

Type:any (optional) (readonly)

PolicyPrincipal

class @aws-cdk/aws-iam.PolicyPrincipal

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.PolicyPrincipal;
const { PolicyPrincipal } = require('@aws-cdk/aws-iam');
import { PolicyPrincipal } from '@aws-cdk/aws-iam';

Represents an IAM principal.

Abstract:Yes
policyFragment() → @aws-cdk/aws-iam.PrincipalPolicyFragment

Return the policy fragment that identifies this principal in a Policy.

Return type:PrincipalPolicyFragment
Abstract:Yes
assumeRoleAction

When this Principal is used in an AssumeRole policy, the action to use.

Type:string

PolicyProps (interface)

class @aws-cdk/aws-iam.PolicyProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.PolicyProps;
// PolicyProps is an interface
import { PolicyProps } from '@aws-cdk/aws-iam';
groups

Groups to attach this policy to.

You can also use attachToGroup(group) to attach this policy to a group.

Type:Group[] (optional)
policyName

The name of the policy. If you specify multiple policies for an entity, specify unique names. For example, if you specify a list of policies for an IAM role, each policy must have a unique name.

Type:string (optional)
Default:Uses the logical ID of the policy resource, which is ensured to be unique within the stack.

roles

Roles to attach this policy to.

You can also use attachToRole(role) to attach this policy to a role.

Type:IRole[] (optional)
statements

Initial set of permissions to add to this policy document.

You can also use addPermission(statement) to add permissions later.

Type:PolicyStatement[] (optional)
users

Users to attach this policy to.

You can also use attachToUser(user) to attach this policy to a user.

Type:User[] (optional)

PolicyStatement

class @aws-cdk/aws-iam.PolicyStatement([effect])

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.PolicyStatement;
const { PolicyStatement } = require('@aws-cdk/aws-iam');
import { PolicyStatement } from '@aws-cdk/aws-iam';

Represents a statement in an IAM policy document.

Extends:@aws-cdk/cdk.Token
Parameters:effect (PolicyStatementEffect (optional)) –
addAccountRootPrincipal() → @aws-cdk/aws-iam.PolicyStatement
Return type:PolicyStatement
addAction(action) → @aws-cdk/aws-iam.PolicyStatement
Parameters:action (string) –
Return type:PolicyStatement
addActions(*actions) → @aws-cdk/aws-iam.PolicyStatement
Parameters:*actions (string) –
Return type:PolicyStatement
addAllResources() → @aws-cdk/aws-iam.PolicyStatement

Adds a "*" resource to this statement.

Return type:PolicyStatement
addAnyPrincipal() → @aws-cdk/aws-iam.PolicyStatement
Return type:PolicyStatement
addArnPrincipal(arn) → @aws-cdk/aws-iam.PolicyStatement
Parameters:arn (string) –
Return type:PolicyStatement
addAwsAccountPrincipal(accountId) → @aws-cdk/aws-iam.PolicyStatement
Parameters:accountId (string) –
Return type:PolicyStatement
addAwsPrincipal(arn) → @aws-cdk/aws-iam.PolicyStatement
Parameters:arn (string) –
Return type:PolicyStatement
addCanonicalUserPrincipal(canonicalUserId) → @aws-cdk/aws-iam.PolicyStatement
Parameters:canonicalUserId (string) –
Return type:PolicyStatement
addCondition(key, value) → @aws-cdk/aws-iam.PolicyStatement

Add a condition to the Policy

Parameters:
  • key (string) –
  • value (any) –
Return type:PolicyStatement
addConditions(conditions) → @aws-cdk/aws-iam.PolicyStatement

Add multiple conditions to the Policy

Parameters:conditions (string => any) –
Return type:PolicyStatement
addFederatedPrincipal(federated, conditions) → @aws-cdk/aws-iam.PolicyStatement
Parameters:
  • federated (any) –
  • conditions (string => any) –
Return type:PolicyStatement
addPrincipal(principal) → @aws-cdk/aws-iam.PolicyStatement
Parameters:principal (PolicyPrincipal) –
Return type:PolicyStatement
addResource(arn) → @aws-cdk/aws-iam.PolicyStatement
Parameters:arn (string) –
Return type:PolicyStatement
addResources(*arns) → @aws-cdk/aws-iam.PolicyStatement
Parameters:*arns (string) –
Return type:PolicyStatement
addServicePrincipal(service) → @aws-cdk/aws-iam.PolicyStatement
Parameters:service (string) –
Return type:PolicyStatement
allow() → @aws-cdk/aws-iam.PolicyStatement

Sets the permission effect to allow access to resources.

Return type:PolicyStatement
deny() → @aws-cdk/aws-iam.PolicyStatement

Sets the permission effect to deny access to resources.

Return type:PolicyStatement
describe(sid) → @aws-cdk/aws-iam.PolicyStatement
Parameters:sid (string) –
Return type:PolicyStatement
limitToAccount(accountId) → @aws-cdk/aws-iam.PolicyStatement
Parameters:accountId (string) –
Return type:PolicyStatement
resolve(_context) → any

Overrides @aws-cdk/cdk.Token.resolve()

Parameters:_context (@aws-cdk/cdk.ResolveContext) –
Return type:any
setCondition(key, value) → @aws-cdk/aws-iam.PolicyStatement

Add a condition to the Policy.

Parameters:
  • key (string) –
  • value (any) –
Return type:PolicyStatement
toJson() → any
Return type:any
hasPrincipal

Indicates if this permission has a “Principal” section.

Type:boolean (readonly)
hasResource

Indicates if this permission has at least one resource associated with it.

Type:boolean (readonly)
toJSON() → any

Inherited from @aws-cdk/cdk.Token

Turn this Token into JSON.

This gets called by JSON.stringify(). We want to prohibit this, because it’s not possible to do this properly, so we just throw an error here.

Return type:any
toList() → string[]

Inherited from @aws-cdk/cdk.Token

Return a string list representation of this token.

Call this if the Token intrinsically evaluates to a list of strings. If so, you can represent the Token in a similar way in the type system.

Note that even though the Token is represented as a list of strings, you still cannot do any operations on it such as concatenation, indexing, or taking its length. The only useful operation you can perform on such a list is constructing a FnJoin or a FnSelect on it.

Return type:string[]
toString() → string

Inherited from @aws-cdk/cdk.Token

Return a reversible string representation of this token.

If the Token is initialized with a literal, the stringified value of the literal is returned. Otherwise, a special quoted string representation of the Token is returned that can be embedded into other strings.

Strings with quoted Tokens in them can be restored back into complex values with the Tokens restored by calling resolve() on the string.

Return type:string
displayName

Inherited from @aws-cdk/cdk.Token

A human-readable display hint for this Token

Type:string (optional) (readonly)
isReference

Inherited from @aws-cdk/cdk.Token

Indicates whether this Token represents a “reference”

The Construct tree can be queried for the Reference Tokens that are used in it.

Type:boolean (optional) (readonly)
valueOrFunction

Inherited from @aws-cdk/cdk.Token

What this token will evaluate to, literal or function.

Type:any (optional) (readonly)

PolicyStatementEffect (enum)

class @aws-cdk/aws-iam.PolicyStatementEffect

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.PolicyStatementEffect;
const { PolicyStatementEffect } = require('@aws-cdk/aws-iam');
import { PolicyStatementEffect } from '@aws-cdk/aws-iam';
Allow
Deny

PrincipalPolicyFragment

class @aws-cdk/aws-iam.PrincipalPolicyFragment(principalJson[, conditions])

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.PrincipalPolicyFragment;
const { PrincipalPolicyFragment } = require('@aws-cdk/aws-iam');
import { PrincipalPolicyFragment } from '@aws-cdk/aws-iam';

A collection of the fields in a PolicyStatement that can be used to identify a principal.

This consists of the JSON used in the “Principal” field, and optionally a set of “Condition”s that need to be applied to the policy.

Parameters:
  • principalJson (string => string[]) –
  • conditions (string => any (optional)) –
conditions
Type:string => any (readonly)
principalJson
Type:string => string[] (readonly)

Role

class @aws-cdk/aws-iam.Role(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.Role;
const { Role } = require('@aws-cdk/aws-iam');
import { Role } from '@aws-cdk/aws-iam';

IAM Role

Defines an IAM role. The role is created with an assume policy document associated with the specified AWS service principal defined in serviceAssumeRole.

Extends:@aws-cdk/cdk.Construct
Implements:IRole

Parameters:
static import(scope, id, props) → @aws-cdk/aws-iam.IRole

Import a role that already exists

Parameters:
Return type:IRole

addToPolicy(statement)

Implements @aws-cdk/aws-iam.IPrincipal.addToPolicy()

Adds a permission to the role’s default policy document.

If there is no default policy attached to this role, it will be created.

Parameters:statement (PolicyStatement) –
attachInlinePolicy(policy)

Implements @aws-cdk/aws-iam.IPrincipal.attachInlinePolicy()

Attaches a policy to this role.

Parameters:policy (Policy) – The policy to attach
attachManagedPolicy(arn)

Implements @aws-cdk/aws-iam.IPrincipal.attachManagedPolicy()

Attaches a managed policy to this role.

Parameters:arn (string) – The ARN of the managed policy to attach.
export() → @aws-cdk/aws-iam.RoleImportProps

Implements @aws-cdk/aws-iam.IRole.export()

Export this role to another stack.

Return type:RoleImportProps
grant(identity, *actions)

Grant the actions defined in actions to the identity Principal on this resource.

Parameters:
  • identity (IPrincipal (optional)) –
  • *actions (string) –
grantPassRole([identity])

Grant permissions to the given principal to pass this role.

Parameters:identity (IPrincipal (optional)) –
principal

Implements @aws-cdk/aws-iam.IPrincipal.principal()

Returns the ARN of this role.

Type:PolicyPrincipal (readonly)
roleArn

Implements @aws-cdk/aws-iam.IRole.roleArn()

Returns the ARN of this role.

Type:string (readonly)
roleId

Implements @aws-cdk/aws-iam.IRole.roleId()

Returns the stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q.

Type:string (readonly)
roleName

Implements @aws-cdk/aws-iam.IRole.roleName()

Returns the name of the role.

Type:string (readonly)
assumeRolePolicy

The assume role policy document associated with this role.

Type:PolicyDocument (optional) (readonly)
prepare()

Inherited from @aws-cdk/cdk.Construct

Perform final modifications before synthesis

This method can be implemented by derived constructs in order to perform final changes before synthesis. prepare() will be called after child constructs have been prepared.

This is an advanced framework feature. Only use this if you understand the implications.

Protected method

toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)

RoleImportProps (interface)

class @aws-cdk/aws-iam.RoleImportProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.RoleImportProps;
// RoleImportProps is an interface
import { RoleImportProps } from '@aws-cdk/aws-iam';

Properties to import a Role

roleArn

The role’s ARN

Type:string
roleId

The stable and unique string identifying the role. For example, AIDAJQABLZS4A3QDU576Q.

Type:string (optional)
Default:If “roleId” is not specified for an imported role, then role.roleId will throw an exception. In most cases, role ID is not really needed.

RoleProps (interface)

class @aws-cdk/aws-iam.RoleProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.RoleProps;
// RoleProps is an interface
import { RoleProps } from '@aws-cdk/aws-iam';
assumedBy

The IAM principal (e.g. new ServicePrincipal('sns.amazonaws.com')) which can assume this role.

You can later modify the assume role policy document by accessing it via the assumeRolePolicy property.

Type:PolicyPrincipal
externalId

ID that the role assumer needs to provide when assuming this role

If the configured and provided external IDs do not match, the AssumeRole operation will fail.

Type:string (optional)
Default:No external ID required
inlinePolicies

A list of named policies to inline into this role. These policies will be created with the role, whereas those added by addToPolicy are added using a separate CloudFormation resource (allowing a way around circular dependencies that could otherwise be introduced).

Type:string => PolicyDocument (optional)
Default:No policy is inlined in the Role resource.
managedPolicyArns

A list of ARNs for managed policies associated with this role.

You can add managed policies later using attachManagedPolicy(arn).

Type:string[] (optional)
Default:No managed policies.
maxSessionDurationSec

The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour (3600 sec) to 12 hours (43200 sec).

Anyone who assumes the role from the AWS CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter.

If users don’t specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html

Type:number (optional)
path

The path associated with this role. For information about IAM paths, see Friendly Names and Paths in IAM User Guide.

Type:string (optional)
roleName

A name for the IAM role. For valid values, see the RoleName parameter for the CreateRole action in the IAM API Reference. If you don’t specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name.

IMPORTANT: If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template’s capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.

Type:string (optional)
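The externalId and maxSessionDurationSec properties above both constrain how a role can be assumed. The following added example (not part of the CDK or its documentation) checks a role definition, given as plain objects in standard IAM trust-policy form, for principals outside the owning account that are not held to an sts:ExternalId condition and for a session limit outside the documented range. The auditRole function, its input shape, the account ID 111122223333 and the sample policies are assumptions constructed for illustration.

```javascript
// Added example: audits a role's trust policy and session limit as plain objects.
// auditRole() and its input shape are hypothetical helpers, not part of @aws-cdk/aws-iam.
const MIN_SESSION_SEC = 3600;   // 1 hour
const MAX_SESSION_SEC = 43200;  // 12 hours
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Account ID of an AWS principal given as a bare 12-digit ID or an IAM/STS ARN, else null.
function accountOf(principal) {
  const m = /^(\d{12})$|^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):/.exec(principal);
  return m ? m[1] || m[2] : null;
}

// True if the statement demands an exact, non-empty sts:ExternalId (key names are case-insensitive).
function requiresExternalId(stmt) {
  const eq = (stmt.Condition || {}).StringEquals || {};
  return Object.keys(eq).some((k) => k.toLowerCase() === 'sts:externalid' &&
    asArray(eq[k]).length > 0 && asArray(eq[k]).every((v) => typeof v === 'string' && v !== ''));
}

function auditRole({ trustPolicy, maxSessionDurationSec, ownAccount }) {
  const findings = [];
  for (const stmt of asArray(trustPolicy.Statement)) {
    if (stmt.Effect !== 'Allow' || !asArray(stmt.Action).includes('sts:AssumeRole')) continue;
    const principals = stmt.Principal === '*' ? ['*'] : asArray((stmt.Principal || {}).AWS);
    for (const p of principals) {
      if (p === '*') findings.push('trust policy allows any AWS principal');
      else if (accountOf(p) !== ownAccount && !requiresExternalId(stmt))
        findings.push(`principal ${p} outside ${ownAccount} can assume the role without sts:ExternalId`);
    }
  }
  const d = maxSessionDurationSec;
  if (d !== undefined && (!Number.isInteger(d) || d < MIN_SESSION_SEC || d > MAX_SESSION_SEC))
    findings.push(`maxSessionDurationSec ${d} is outside ${MIN_SESSION_SEC}..${MAX_SESSION_SEC}`);
  return findings;
}

// Constructed sample: trust policy for account 123456789012, with and without an ExternalId.
const trustFor = (condition) => ({
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole',
    Principal: { AWS: 'arn:aws:iam::123456789012:root' }, ...condition }],
});
const withId = trustFor({ Condition: { StringEquals: { 'sts:ExternalId': 'SUPPLY-ME' } } });
const withoutId = trustFor({});

console.log(auditRole({ trustPolicy: withId, maxSessionDurationSec: 3600, ownAccount: '111122223333' }));
console.log(auditRole({ trustPolicy: withoutId, maxSessionDurationSec: 86400, ownAccount: '111122223333' }));
```
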

ServicePrincipal

class @aws-cdk/aws-iam.ServicePrincipal(service)

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.ServicePrincipal;
const { ServicePrincipal } = require('@aws-cdk/aws-iam');
import { ServicePrincipal } from '@aws-cdk/aws-iam';

An IAM principal that represents an AWS service (e.g. sqs.amazonaws.com).

Extends:PolicyPrincipal
Parameters:service (string) –
policyFragment() → @aws-cdk/aws-iam.PrincipalPolicyFragment

Implements @aws-cdk/aws-iam.PolicyPrincipal.policyFragment()

Return the policy fragment that identifies this principal in a Policy.

Return type:PrincipalPolicyFragment
service
Type:string (readonly)
assumeRoleAction

Inherited from @aws-cdk/aws-iam.PolicyPrincipal

When this Principal is used in an AssumeRole policy, the action to use.

Type:string

User

class @aws-cdk/aws-iam.User(scope, id[, props])

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.User;
const { User } = require('@aws-cdk/aws-iam');
import { User } from '@aws-cdk/aws-iam';
Extends:@aws-cdk/cdk.Construct
Implements:IPrincipal

Parameters:
addToGroup(group)

Adds this user to a group.

Parameters:group (Group) –
addToPolicy(statement)

Implements @aws-cdk/aws-iam.IPrincipal.addToPolicy()

Adds an IAM statement to the default policy.

Parameters:statement (PolicyStatement) –
attachInlinePolicy(policy)

Implements @aws-cdk/aws-iam.IPrincipal.attachInlinePolicy()

Attaches a policy to this user.

Parameters:policy (Policy) –
attachManagedPolicy(arn)

Implements @aws-cdk/aws-iam.IPrincipal.attachManagedPolicy()

Attaches a managed policy to the user.

Parameters:arn (string) – The ARN of the managed policy to attach.
principal

Implements @aws-cdk/aws-iam.IPrincipal.principal()

Returns the ARN of this user.

Type:PolicyPrincipal (readonly)
userArn

An attribute that represents the user’s ARN.

Type:string (readonly)
userName

An attribute that represents the user name.

Type:string (readonly)
prepare()

Inherited from @aws-cdk/cdk.Construct

Perform final modifications before synthesis

This method can be implemented by derived constructs in order to perform final changes before synthesis. prepare() will be called after child constructs have been prepared.

This is an advanced framework feature. Only use this if you understand the implications.

Protected method

toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)

UserProps (interface)

class @aws-cdk/aws-iam.UserProps

Language-specific names:

using Amazon.CDK.AWS.IAM;
import software.amazon.awscdk.services.iam.UserProps;
// UserProps is an interface
import { UserProps } from '@aws-cdk/aws-iam';
groups

Groups to add this user to. You can also use addToGroup to add this user to a group.

Type:Group[] (optional)
managedPolicyArns

A list of ARNs for managed policies attached to this user.

You can use addManagedPolicy(arn) to attach a managed policy to this user.

Type:any[] (optional)
Default:No managed policies.
password

The password for the user. This is required so the user can access the AWS Management Console.

Type:string (optional)
Default:User won’t be able to access the management console without a password.
passwordResetRequired

Specifies whether the user is required to set a new password the next time the user logs in to the AWS Management Console.

If this is set to ‘true’, you must also specify “initialPassword”.

Type:boolean (optional)
Default:false
path

The path for the user name. For more information about paths, see IAM Identifiers in the IAM User Guide.

Type:string (optional)
userName

A name for the IAM user. For valid values, see the UserName parameter for the CreateUser action in the IAM API Reference. If you don’t specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the user name.

If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.

If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template’s capabilities. For more information, see Acknowledging IAM Resources in AWS CloudFormation Templates.

Type:string (optional)
Default:Generated by CloudFormation (recommended)