Note
Use the online policy converter to migrate any JSON policy to Floyd code!
Depending on your scenario, you need to either install/import iam-floyd
or cdk-iam-floyd
:
bash JavaScript
# for use without AWS CDK use the iam-floyd package npm install iam-floyd
# for use with CDK use the cdk-iam-floyd package npm install cdk-iam-floyd
bash Python
# for use without AWS CDK use the iam-floyd package pip install iam-floyd
# for use with CDK use the cdk-iam-floyd package pip install cdk-iam-floyd
js
// for use without AWS CDK use the iam-floyd package var statement = require('iam-floyd');
// for use with CDK use the cdk-iam-floyd package var statement = require('cdk-iam-floyd');
ts
// for use without AWS CDK use the iam-floyd package import * as statement from 'iam-floyd';
// for use with CDK use the cdk-iam-floyd package import * as statement from 'cdk-iam-floyd';
py
# for use without AWS CDK use the iam-floyd package import iam_floyd as statement
# for use with CDK use the cdk-iam-floyd package import cdk_iam_floyd as statement
Both packages contain a statement provider for each AWS service, e.g. Ec2
. A statement provider is a class with methods for each and every available action, resource type and condition. Calling such method will add the action/resource/condition to the statement:
action-single
Every method returns the statement provider, so you can chain method calls:
action-chaining
The default effect of any statement is Allow
. To add some linguistic sugar you can explicitly call the allow()
method:
allow
Or deny()
:
deny
To set an SID you can pass it as argument in the statement provider:
sid
You can work with access levels. For every access level there are distinct methods available to add all related actions to the statement:
JavaScript
allListActions()
allReadActions()
allWriteActions()
allPermissionManagementActions()
allTaggingActions()
Python
all_list_actions()
all_read_actions()
all_write_actions()
all_permission_management_actions()
all_tagging_actions()
access-levels
To add actions based on regular expressions, use the method allMatchingActions()
.
Important
No matter in which language you use the package, the regular expressions need to be in Perl/JavaScript literal style and need to be passed as strings!
actions-matching
To add all actions (e.g. ec2:*
), call the allActions()
method:
actions-all
For every available condition key, there are if*()
methods available.
conditions
To add a condition not covered by the available methods, you can define just any condition yourself via if()
:
conditions-raw
The default operator for conditions of type String is StringLike.
Most of the if*()
methods allow an optional operator as last argument:
conditions-operator-string
Statements without principals, by default, apply to all resources. To limit to specific resources, add them via on*()
. For every resource type an on*()
method exists:
resource
If instead you have an ARN ready, use the on()
method:
resource-raw
To invert the policy you can use notAction()
, notResource()
and notPrincipal()
:
notAction
notResource
notPrincipal