IAM Floyd provides a fluent interface and enables you to define policy statements as a human-readable, easy-to-understand phrase.
The methods allow() and deny() control the Effect of the statement. The default effect of any statement is Allow, so it's not mandatory to add either of these methods to the method chain, though it is recommended to improve readability.
Every available IAM action is represented by a distinct method. These methods start with the prefix to: you allow/deny to do something.
In case of missing actions, you can just add any action key yourself via to().
While methods starting with to add a single action to a statement, methods starting with all add multiple actions.
This method adds all actions of the related service to the statement, e.g. ec2:*.
Adds all actions matching regular expressions to the statement.
Attention
The list of actions is compiled at run time. The generated statement object contains the exact list of actions that matched when you built it. If AWS later adds/removes actions that would match the regular expression, you need to re-generate the statements.
The regular expressions need to be in Perl/JavaScript literal style and need to be passed as strings.
To add all actions of a certain access level to the statement, use the methods below.
Attention
The list of actions is compiled at run time. The generated statement object contains the exact list of actions that matched when you built it. If AWS later adds/removes actions or changes the access level of an action, you need to re-generate the statements.
Note
When working with access levels, the policy size limits may be exceeded quickly, simply because there are so many actions available for some services like EC2.
In these cases you should use the compact method to compile the action list down to a list of wildcard patterns.
Adds all actions with access level list to the statement.
Adds all actions with access level read to the statement.
Adds all actions with access level write to the statement.
Adds all actions with access level permission management to the statement.
Adds all actions with access level tagging to the statement.
Every available IAM condition key is represented by a distinct method. These methods start with the prefix if: you allow/deny something if a condition is met.
Every statement provider (e.g. Ec2) brings its own unique conditions. Global condition context keys start with ifAws.
Note
Multiple conditions on a statement all have to be true (AND).
When you have multiple values on a single condition, one of them has to be true (OR).
Other than that, IAM has no concept of OR. You need to define a separate statement for each OR branch.
Every if method has a default operator. For instance, conditions which operate on strings usually have StringLike as the default. Most methods allow you to pass an operator as the last argument.
Note
Operators can be passed as a string, though it is recommended to use the Operators provided by the package.
In case of missing conditions, you can define any condition yourself via if().
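As an added example (not code from iam-floyd), the evaluator below shows the AND/OR rules from the note above together with StringLike wildcard matching: a Condition block in the shape a generated statement carries is checked against a constructed request context. The keys aws:RequestTag/env and aws:SourceVpc are real global condition keys; the values are made up.

```javascript
// Added example, not iam-floyd code: evaluate the Condition block of a statement
// against a request context. Every condition key must match (AND); the values
// listed under one key are alternatives (OR). Only StringEquals and StringLike are
// implemented here.

// Turn an IAM StringLike pattern (* and ? wildcards) into an anchored RegExp.
function stringLikeToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*')                 // * matches any run of characters
    .replace(/\?/g, '.');                 // ? matches exactly one character
  return new RegExp('^' + escaped + '$');
}

const OPERATORS = {
  StringEquals: (value, expected) => value === expected,
  StringLike: (value, expected) => stringLikeToRegExp(expected).test(value),
};

// condition: { Operator: { key: value | [values] } } as emitted into a statement.
// context:   { key: value } describing the request being evaluated.
function conditionMatches(condition, context) {
  return Object.entries(condition).every(([operator, keys]) => {
    const compare = OPERATORS[operator];
    if (!compare) throw new Error(`unsupported operator ${operator}`);
    return Object.entries(keys).every(([key, expected]) => { // AND across keys
      if (!(key in context)) return false;                  // absent key: not met
      const values = Array.isArray(expected) ? expected : [expected];
      return values.some((v) => compare(context[key], v));  // OR within one key
    });
  });
}

// Constructed sample Condition block (values made up for this example): the tag
// must look like prod* or equal staging, AND the request must come from vpc-0000.
const SAMPLE_CONDITION = {
  StringLike: { 'aws:RequestTag/env': ['prod*', 'staging'] },
  StringEquals: { 'aws:SourceVpc': 'vpc-0000' },
};

console.log(conditionMatches(SAMPLE_CONDITION,
  { 'aws:RequestTag/env': 'prod-eu', 'aws:SourceVpc': 'vpc-0000' })); // true
console.log(conditionMatches(SAMPLE_CONDITION,
  { 'aws:RequestTag/env': 'staging', 'aws:SourceVpc': 'vpc-1111' })); // false
```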
Every available IAM resource key is represented by a distinct method. These methods start with the prefix on: you allow/deny something on a specific resource (or pattern).
In case of missing resources, or if you already have an ARN ready, use the on() method.
Non-global resource ARNs contain the region and/or account. Generally all ARNs contain the partition. In cdk-iam-floyd the account, region and partition default to the values provided by the stack. In iam-floyd the partition defaults to aws and the account and region default to *.
The on*() methods take optional parameters to override the default values.
If you want to override the defaults for the whole statement, see the in*() methods (ARN defaults).
The on*() methods generate ARNs which contain the partition and potentially the region and account. The in*() methods can be used to override the defaults for all consecutively added resources: you allow/deny something on resources in a specific account, region and partition.
Note
The in*() methods do not by themselves modify the statement. They only set the defaults for the resources subsequently added to the statement. Therefore make sure to call the in*() methods before adding resources via on*().
There is also a shorthand function to set all defaults at once.
Since these methods set defaults for subsequently added resources, you can also override the defaults for additional resources within the same statement.
Note
If you use the CDK variant of the package, don't attempt to create an assume policy with this package. Assume policies have to be of type IPrincipal and can easily be created with the iam package.
Every possible principal is represented by a distinct method. These methods start with the prefix for: you allow/deny something for a specific principal.
Some of the for* methods accept multiple values at once.
The CDK variant of the package has an additional method forCdkPrincipal, which takes any number of iam.IPrincipal objects.
Warning
Make sure you fully understand the concepts of notAction, notResource and notPrincipal. This is where things quickly go wrong, especially when they are used in combination.
Switches the policy provider to use NotAction.
Switches the policy provider to use NotResource.
Switches the policy provider to use NotPrincipal.
This method can be used to compact a list of actions down to a list of wildcard patterns. This can be handy to reduce the policy size, especially when you work with access levels.
Attention
When AWS later adds new actions, the patterns might match those additional actions as well.
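As an added example (not iam-floyd's own compact() implementation), the code below performs a simple prefix-wildcard compaction of an action list and then checks the caveat stated above: actions that did not exist at compaction time may be matched by the generated patterns. The EC2 action lists are constructed and deliberately small; the algorithm is an assumption, not the library's.

```javascript
// Added example, not iam-floyd code: compact an explicit action list into
// "service:Prefix*" patterns relative to the actions known at compaction time,
// then report which later-added actions the patterns would also match.

// IAM wildcard pattern -> anchored RegExp (* any run of characters, ? one character).
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$');
}

// Shortest "service:Prefix*" pattern for `action` that, within the known action
// list `universe`, matches only actions in `allowed`; falls back to the literal action.
function shortestSafePrefix(action, allowed, universe) {
  const [service, name] = action.split(':');
  for (let len = 1; len < name.length; len++) {
    const pattern = `${service}:${name.slice(0, len)}*`;
    const re = globToRegExp(pattern);
    if (universe.every((a) => !re.test(a) || allowed.has(a))) return pattern;
  }
  return action;
}

// Compile an explicit action list into a (usually shorter) list of patterns.
function compact(actions, universe) {
  const allowed = new Set(actions);
  return [...new Set(actions.map((a) => shortestSafePrefix(a, allowed, universe)))];
}

// Actions in `candidates` that `patterns` match although `original` never listed them.
function extraMatches(patterns, original, candidates) {
  const listed = new Set(original);
  const res = patterns.map(globToRegExp);
  return candidates.filter((a) => !listed.has(a) && res.some((r) => r.test(a)));
}

// Constructed stand-in for the EC2 action list as it looked at compaction time.
const KNOWN_EC2_ACTIONS = [
  'ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:DescribeTags',
  'ec2:StartInstances', 'ec2:StopInstances', 'ec2:TerminateInstances',
  'ec2:RunInstances', 'ec2:CreateTags', 'ec2:DeleteTags',
];
const READ_ONLY = ['ec2:DescribeInstances', 'ec2:DescribeVolumes', 'ec2:DescribeTags'];
// Constructed: actions that did not exist when the list was compacted.
const ADDED_LATER = ['ec2:DescribeFleets', 'ec2:SendDiagnosticInterrupt'];

const patterns = compact(READ_ONLY, KNOWN_EC2_ACTIONS);                  // ['ec2:Des*']
console.log(patterns, extraMatches(patterns, READ_ONLY, ADDED_LATER)); // ['ec2:DescribeFleets']
```

The over-match check is what a policy review would run after a dependency update: re-generate, compact, and diff the matched set against the previous one.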