IAM Floyd provides a fluent interface that lets you define policy statements as human-readable, easy-to-understand phrases.
The methods allow() and deny() control the Effect of the statement. The default effect of any statement is Allow, so it is not mandatory to add either of these methods to the method chain, though doing so is recommended for readability:
allow-and-deny
Every available IAM action is represented by a distinct method. These methods start with to: you allow/deny to do something (for example, toStartInstances() adds ec2:StartInstances).
allow
If an action is missing, you can add any action key yourself via to():
actions-raw
While methods starting with to add a single action to a statement, methods starting with all add multiple actions.
allActions() adds all actions of the related service to the statement, e.g. ec2:* for the Ec2 provider.
actions-all
allMatchingActions() adds all actions matching the given regular expressions to the statement.
Attention
The list of actions is compiled at run time: the generated statement object contains the exact list of actions that matched when you built it. If AWS later adds or removes actions that would match the regular expression, you need to re-generate the statements.
The regular expressions need to be in Perl/JavaScript literal style (such as '/vpn/i') and need to be passed as strings:
actions-matching
To add all actions of a certain access level to the statement, use the methods below.
Attention
The list of actions is compiled at run time: the generated statement object contains the exact list of actions that matched when you built it. If AWS later adds or removes actions, or changes the access level of an action, you need to re-generate the statements.
Note
When working with access levels, the policy size limits may be exceeded quickly, simply because some services such as EC2 have so many actions.
In these cases use the compact() method to compile the action list down to a list of wildcard patterns.
allListActions() adds all actions with access level List to the statement.
access-levels-list
allReadActions() adds all actions with access level Read to the statement.
access-levels-read
allWriteActions() adds all actions with access level Write to the statement.
access-levels-write
allPermissionManagementActions() adds all actions with access level Permissions management to the statement.
access-levels-permission-management
allTaggingActions() adds all actions with access level Tagging to the statement.
access-levels-tagging
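As an added illustration (not iam-floyd code), the following JavaScript models what both allMatchingActions() and the access-level methods above do at build time: the selector is resolved against an action catalog when the statement is built, and only literal action names survive in the output, which is why a statement built before a catalog change does not pick up later additions. The catalog, its "version 2" and the action ec2:DescribeWidgets are constructed for this example and are not the real EC2 action list; parseLiteralRegex, buildStatement and the other function names are this example's own.

```javascript
// Added illustration, not iam-floyd code: regex- and access-level selectors are resolved against an
// action catalog when the statement is built, so the output holds a fixed list of literal names.
// The catalog is a constructed excerpt, not the real EC2 action list.
const EC2_CATALOG_V1 = {
  'ec2:DescribeInstances': 'List',
  'ec2:DescribeVolumes': 'List',
  'ec2:GetConsoleOutput': 'Read',
  'ec2:StartInstances': 'Write',
  'ec2:StopInstances': 'Write',
  'ec2:TerminateInstances': 'Write',
  'ec2:CreateTags': 'Tagging',
  'ec2:ModifySnapshotAttribute': 'Permissions management',
};
// Hypothetical action that "AWS added later": absent from V1, present in V2.
const EC2_CATALOG_V2 = { ...EC2_CATALOG_V1, 'ec2:DescribeWidgets': 'List' };

// Parse a JavaScript-literal-style pattern passed as a string, e.g. '/^ec2:describe/i'.
function parseLiteralRegex(literal) {
  const m = /^\/(.*)\/([a-z]*)$/.exec(literal);
  if (!m) throw new Error(`not a /pattern/flags literal: ${literal}`);
  return new RegExp(m[1], m[2]);
}

function actionsMatching(catalog, literal) {
  const re = parseLiteralRegex(literal);
  return Object.keys(catalog).filter((a) => re.test(a)).sort();
}

function actionsOfLevel(catalog, level) {
  return Object.keys(catalog).filter((a) => catalog[a] === level).sort();
}

// Resolve the selector now and freeze the result: the statement keeps neither the regex nor the level.
function buildStatement(catalog, selector) {
  const actions = selector.regex !== undefined
    ? actionsMatching(catalog, selector.regex)
    : actionsOfLevel(catalog, selector.level);
  return { Effect: 'Allow', Action: actions, Resource: '*' };
}

// Build against both catalog versions to show why statements must be re-generated when AWS changes actions.
function demo() {
  const describeV1 = buildStatement(EC2_CATALOG_V1, { regex: '/^ec2:describe/i' });
  const describeV2 = buildStatement(EC2_CATALOG_V2, { regex: '/^ec2:describe/i' });
  const writeV1 = buildStatement(EC2_CATALOG_V1, { level: 'Write' });
  return {
    describeV1,
    describeV2,
    writeV1,
    staleStatementMissesNewAction: !describeV1.Action.includes('ec2:DescribeWidgets'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of building twice is the one the Attention boxes make: describeV1 and describeV2 come from the same regex string, yet only the statement built against the newer catalog contains ec2:DescribeWidgets. Nothing in the emitted JSON records that a regex or an access level was ever involved.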
Every available IAM condition key is represented by a distinct method. These methods start with if: you allow/deny something if a condition is met.
Every statement provider (e.g. Ec2) brings its own service-specific condition keys. Global condition context keys start with ifAws (for example ifAwsRequestTag for aws:RequestTag).
Note
Multiple conditions on a statement must all be true (a logical AND).
When a single condition key has multiple values, it is enough for one of them to be true (a logical OR).
Other than that, IAM has no concept of OR. You need to define a separate statement for each OR branch.
conditions
Every if method has a default operator. For instance, conditions which operate on strings usually have StringLike as their default. Most methods allow you to pass an operator as the last argument. Keep in mind that StringLike treats * and ? as wildcards, so pass StringEquals when a value has to match exactly:
conditions-operator-string
If a condition key is missing, you can define any condition yourself via if():
conditions-raw
Condition operators can be passed as plain strings, or you can use the statement.Operator() class, which also covers the ForAllValues/ForAnyValue set operators and the IfExists variant:
conditions-operator-all-values
conditions-operator-any-value
conditions-operator-if-exists
Every available IAM resource type is represented by a distinct method. These methods start with on: you allow/deny something on a specific resource (or resource pattern).
resource
If a resource type is missing, or if you already have an ARN ready, use the on() method:
resource-raw
If a statement has neither resources nor principals, it defaults to all resources (*). For an Allow statement this means every resource in scope, so add an on*() call whenever the actions support resource-level permissions.
Note
If you use the CDK variant of the package, do not attempt to create an assume (trust) policy with this package. Assume policies have to be of type IPrincipal and can easily be created with the iam package.
Every possible principal is represented by a distinct method. These methods start with for: you allow/deny something for a specific principal.
principal
Some of the for* methods accept multiple values at once:
principal-multiple
The CDK variant of the package has an additional method forCdkPrincipal, which takes any number of iam.IPrincipal objects:
principal.cdk
Warning
Make sure you understand the concepts of NotAction, NotResource and NotPrincipal well. This is where things quickly go wrong, especially when they are used in combination. A Deny with NotAction, for example, denies every action that is not listed, in every service, not only the service of the provider; and AWS strongly advises against using NotPrincipal in an Allow statement, because it grants access to every principal except the listed ones.
notAction() switches the statement from Action to NotAction.
notAction
notResource() switches the statement from Resource to NotResource.
notResource
notPrincipal() switches the statement from Principal to NotPrincipal.
notPrincipal
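To make the rules in this section concrete (conditions are ANDed, values within one key are ORed, OR branches need separate statements; the ForAllValues/ForAnyValue set operators and IfExists; and what the Not* elements do to a statement), here is a small JavaScript evaluator added for this page. It is not iam-floyd code and not the AWS policy engine, only a model of the parts of the policy language discussed here; the statements, ARNs, account ID, principal and request contexts it evaluates are constructed, and all function and scenario names are this example's own.

```javascript
// Added illustration, not iam-floyd code: a minimal evaluator for the rules discussed above.
const asList = (v) => (Array.isArray(v) ? v : [v]);

// IAM wildcard matching: '*' matches any run of characters, '?' exactly one.
function globToRegExp(pattern) {
  const esc = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${esc}$`);
}
const matchesAny = (patterns, value) => asList(patterns).some((p) => globToRegExp(p).test(value));

// Single-valued condition operators (a subset of what IAM offers).
const OPERATORS = {
  StringEquals: (have, want) => have === want,
  StringLike: (have, want) => globToRegExp(want).test(have),
  Bool: (have, want) => String(have) === String(want),
};

// One Condition block: every operator/key pair must hold (AND); any one of a key's values may match (OR).
function conditionMatches(block, context) {
  for (const [rawOp, keys] of Object.entries(block)) {
    let op = rawOp;
    let setOp = null;
    if (op.startsWith('ForAllValues:')) { setOp = 'all'; op = op.slice('ForAllValues:'.length); }
    else if (op.startsWith('ForAnyValue:')) { setOp = 'any'; op = op.slice('ForAnyValue:'.length); }
    const ifExists = op.endsWith('IfExists');
    if (ifExists) op = op.slice(0, -'IfExists'.length);
    const test = OPERATORS[op];
    if (!test) throw new Error(`operator not modelled: ${rawOp}`);
    for (const [key, wanted] of Object.entries(keys)) {
      if (context[key] === undefined) {
        if (ifExists || setOp === 'all') continue; // a missing key passes only for IfExists and ForAllValues
        return false;
      }
      const have = asList(context[key]);
      const hit = (h) => asList(wanted).some((w) => test(h, w));
      const ok = setOp === 'all' ? have.every(hit) : setOp === 'any' ? have.some(hit) : hit(have[0]);
      if (!ok) return false;
    }
  }
  return true;
}

// A statement applies when action, resource, principal and condition all match.
// The Not* elements invert the element match: "everything except the listed ones".
function statementApplies(s, req) {
  const principalsOf = (p) => asList(p.AWS !== undefined ? p.AWS : p); // only AWS principals and '*' modelled
  const actionOk = s.Action !== undefined ? matchesAny(s.Action, req.action) : !matchesAny(s.NotAction, req.action);
  const resourceOk = s.Resource !== undefined ? matchesAny(s.Resource, req.resource) : !matchesAny(s.NotResource, req.resource);
  const principalOk = s.Principal !== undefined ? matchesAny(principalsOf(s.Principal), req.principal)
    : s.NotPrincipal !== undefined ? !matchesAny(principalsOf(s.NotPrincipal), req.principal) : true;
  const conditionOk = s.Condition === undefined || conditionMatches(s.Condition, req.context || {});
  return actionOk && resourceOk && principalOk && conditionOk;
}

// Explicit Deny beats Allow; no applicable statement is an implicit deny.
function evaluate(statements, req) {
  let allowed = false;
  for (const s of asList(statements)) {
    if (!statementApplies(s, req)) continue;
    if (s.Effect === 'Deny') return 'Deny';
    allowed = true;
  }
  return allowed ? 'Allow' : 'ImplicitDeny';
}

// 1: two condition keys (AND), one of them with two values (OR). Constructed statement.
const taggedStart = {
  Effect: 'Allow', Action: 'ec2:StartInstances', Resource: 'arn:aws:ec2:eu-west-1:123456789012:instance/*',
  Condition: { StringEquals: { 'aws:ResourceTag/team': ['blue', 'green'] }, Bool: { 'aws:MultiFactorAuthPresent': 'true' } },
};
// 2: "team is blue OR MFA present" needs one statement per OR branch.
const orBranches = [
  { Effect: 'Allow', Action: 'ec2:StopInstances', Resource: '*', Condition: { StringEquals: { 'aws:ResourceTag/team': 'blue' } } },
  { Effect: 'Allow', Action: 'ec2:StopInstances', Resource: '*', Condition: { Bool: { 'aws:MultiFactorAuthPresent': 'true' } } },
];
// 3: Deny + NotAction denies every action not listed, in every service, not just S3.
const denyAllButS3Read = { Effect: 'Deny', NotAction: ['s3:GetObject', 's3:ListBucket'], Resource: '*' };
// 4: set operator on the multi-valued key aws:TagKeys, and IfExists on a key that may be absent.
const tagKeyGuard = { Effect: 'Allow', Action: 'ec2:CreateTags', Resource: '*',
  Condition: { 'ForAllValues:StringEquals': { 'aws:TagKeys': ['team', 'env'] } } };
const regionIfExists = { Effect: 'Allow', Action: 's3:GetObject', Resource: '*',
  Condition: { StringEqualsIfExists: { 'aws:RequestedRegion': 'eu-west-1' } } };

function runScenarios() {
  const base = { principal: 'arn:aws:iam::123456789012:user/alice', resource: 'arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc' };
  const mfa = { 'aws:MultiFactorAuthPresent': true };
  return {
    bothConditionsHold: evaluate(taggedStart, { ...base, action: 'ec2:StartInstances', context: { 'aws:ResourceTag/team': 'green', ...mfa } }),
    oneConditionFails: evaluate(taggedStart, { ...base, action: 'ec2:StartInstances', context: { 'aws:ResourceTag/team': 'green' } }),
    orViaTwoStatements: evaluate(orBranches, { ...base, action: 'ec2:StopInstances', context: { 'aws:ResourceTag/team': 'red', ...mfa } }),
    notActionDeniesOtherService: evaluate([denyAllButS3Read, { Effect: 'Allow', Action: 'sts:AssumeRole', Resource: '*' }], { ...base, action: 'sts:AssumeRole' }),
    notActionSparesListed: evaluate([denyAllButS3Read, { Effect: 'Allow', Action: 's3:GetObject', Resource: '*' }], { ...base, action: 's3:GetObject' }),
    forAllValuesExtraKey: evaluate(tagKeyGuard, { ...base, action: 'ec2:CreateTags', context: { 'aws:TagKeys': ['team', 'owner'] } }),
    forAllValuesSubset: evaluate(tagKeyGuard, { ...base, action: 'ec2:CreateTags', context: { 'aws:TagKeys': ['team'] } }),
    ifExistsMissingKey: evaluate(regionIfExists, { ...base, action: 's3:GetObject', context: {} }),
  };
}
console.log(runScenarios());
```

The notActionDeniesOtherService scenario is the pitfall the warning above refers to: a Deny that lists two S3 actions under NotAction blocks sts:AssumeRole as well, because the statement applies to every action that is not in its list. The two forAllValues scenarios show why that operator is the right one for tag-key guards (an extra, unlisted key makes the whole request fail), and ifExistsMissingKey shows that IfExists turns an absent key into a pass rather than a failure.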
compact() collapses a list of actions down to a list of wildcard patterns. This can be handy to reduce the policy size, especially when you work with access levels.
Attention
When AWS later adds new actions, the patterns might match those additional actions as well, so a compacted policy can grow in scope without ever being re-generated.
compact
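The following JavaScript is an added example of one way to do what compact() describes; it is not iam-floyd's own implementation. It collapses an explicit action list into the shortest camel-case prefix wildcards that match nothing else in the current catalog, reports the size saved, and then shows the Attention above in action: once a hypothetical ec2:GetAdminOverride is added to the catalog, the pattern ec2:Get* grants it while the original exact list does not. The catalog, the later-added action and the function names are constructed for this example.

```javascript
// Added illustration, not iam-floyd's compact(): collapse an action list to prefix wildcards that are
// exact against the current catalog, then show how a later catalog change widens what they grant.
const CATALOG_NOW = [
  'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:DescribeTags',
  'ec2:GetConsoleOutput', 'ec2:GetPasswordData',
  'ec2:StartInstances', 'ec2:StopInstances', 'ec2:TerminateInstances',
  'ec2:CreateTags', 'ec2:DeleteTags',
]; // constructed excerpt, not the real EC2 action list
// Hypothetical action AWS adds later; note it is not read-only even though its name starts with "Get".
const CATALOG_LATER = [...CATALOG_NOW, 'ec2:GetAdminOverride'];

const matches = (pattern, action) =>
  pattern.endsWith('*') ? action.startsWith(pattern.slice(0, -1)) : action === pattern;

// For each selected action, try prefixes cut at the service separator and at every camel-case boundary,
// shortest first, and keep the first one whose wildcard matches only selected actions in the catalog.
function compact(selected, catalog) {
  const chosen = new Set(selected);
  const patterns = new Set();
  for (const action of selected) {
    const colon = action.indexOf(':');
    let pattern = action; // fall back to the exact name if no safe prefix exists
    for (let i = colon + 1; i < action.length; i++) {
      if (i !== colon + 1 && !/[A-Z]/.test(action[i])) continue;
      const candidate = action.slice(0, i) + '*';
      if (catalog.every((a) => !matches(candidate, a) || chosen.has(a))) { pattern = candidate; break; }
    }
    patterns.add(pattern);
  }
  return [...patterns].sort();
}

// What a pattern list actually grants under a given catalog.
const expand = (patterns, catalog) => catalog.filter((a) => patterns.some((p) => matches(p, a))).sort();

function demo() {
  // Roughly what allListActions() plus allReadActions() would have selected from this catalog.
  const readOnly = CATALOG_NOW.filter((a) => /^ec2:(Describe|Get)/.test(a));
  const patterns = compact(readOnly, CATALOG_NOW);
  return {
    patterns,
    bytesSaved: JSON.stringify(readOnly).length - JSON.stringify(patterns).length,
    // Today the wildcards grant exactly the selection...
    sameGrantToday: JSON.stringify(expand(patterns, CATALOG_NOW)) === JSON.stringify([...readOnly].sort()),
    // ...but after AWS adds ec2:GetAdminOverride the pattern ec2:Get* quietly picks it up.
    grantedLater: expand(patterns, CATALOG_LATER),
    exactListLater: expand(readOnly, CATALOG_LATER),
  };
}

console.log(demo());
```

Cutting only at camel-case boundaries keeps the patterns readable (ec2:Describe* rather than ec2:Des*), and checking each candidate against the whole catalog is what makes the compacted list exact at build time. The grantedLater result is the trade-off: the patterns are smaller than the exact list, but they are no longer a snapshot, so a compacted policy should be reviewed whenever the service gains actions.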