Class AwsCustomResourcePolicy

java.lang.Object
software.amazon.jsii.JsiiObject
software.amazon.awscdk.customresources.AwsCustomResourcePolicy
All Implemented Interfaces:
software.amazon.jsii.JsiiSerializable

@Generated(value="jsii-pacmak/1.119.0 (build 1634eac)", date="2025-11-17T14:41:02.810Z") @Stability(Stable) public class AwsCustomResourcePolicy extends software.amazon.jsii.JsiiObject
The IAM Policy that will be applied to the different calls.

Example:

 String crossAccountRoleArn = "arn:aws:iam::OTHERACCOUNT:role/CrossAccountRoleName"; // arn of role deployed in separate account
 String callRegion = "us-west-1"; // sdk call to be made in specified region (optional)
 AwsCustomResource.Builder.create(this, "CrossAccount")
         .onCreate(AwsSdkCall.builder()
                 .assumedRoleArn(crossAccountRoleArn)
                 .region(callRegion) // optional
                 .service("sts")
                 .action("GetCallerIdentity")
                 .physicalResourceId(PhysicalResourceId.of("id"))
                 .build())
         .policy(AwsCustomResourcePolicy.fromStatements(List.of(PolicyStatement.fromJson(Map.of(
                 "Effect", "Allow",
                 "Action", "sts:AssumeRole",
                 "Resource", crossAccountRoleArn)))))
         .build();
 
  • Field Details

    • ANY_RESOURCE

      @Stability(Stable) public static final List<String> ANY_RESOURCE
      Use this constant to configure access to any resource.
  • Constructor Details

    • AwsCustomResourcePolicy

      protected AwsCustomResourcePolicy(software.amazon.jsii.JsiiObjectRef objRef)
    • AwsCustomResourcePolicy

      protected AwsCustomResourcePolicy(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
  • Method Details

    • fromSdkCalls

      @Stability(Stable) @NotNull public static AwsCustomResourcePolicy fromSdkCalls(@NotNull SdkCallsPolicyOptions options)
      Generate IAM Policy Statements from the configured SDK calls.

      Each SDK call will be translated to an IAM Policy Statement in the form of: call.service:call.action (e.g. s3:PutObject).

      This policy generator assumes the IAM action name is the same as the API call name. This is true in 99% of cases, but there are exceptions (for example, S3's PutBucketLifecycleConfiguration requires s3:PutLifecycleConfiguration permissions, Lambda's Invoke requires lambda:InvokeFunction permissions). Use fromStatements if you want to do a call that requires different IAM action names.

      Parameters:
      options - options for the policy generation. This parameter is required.
    • fromStatements

      @Stability(Stable) @NotNull public static AwsCustomResourcePolicy fromStatements(@NotNull List<? extends PolicyStatement> statements)
      Explicit IAM Policy Statements.

      Parameters:
      statements - the statements to propagate to the SDK calls. This parameter is required.
    • getStatements

      @Stability(Stable) @NotNull public List<PolicyStatement> getStatements()
      Statements for explicit policy.
    • getResources

      @Stability(Stable) @Nullable public List<String> getResources()
      Resources for policies auto-generated from SDK calls.
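
The action-name exception noted under fromSdkCalls, worked through for Lambda's Invoke with the grant scoped to one function instead of ANY_RESOURCE. This is an added example, not part of the CDK documentation; the stack class, construct ids and function ARN are placeholders assumed for illustration.

```java
import java.util.List;
import java.util.Map;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.customresources.AwsCustomResource;
import software.amazon.awscdk.customresources.AwsCustomResourcePolicy;
import software.amazon.awscdk.customresources.AwsSdkCall;
import software.amazon.awscdk.customresources.PhysicalResourceId;
import software.amazon.awscdk.services.iam.PolicyStatement;
import software.constructs.Construct;

// Hypothetical stack: invokes an existing Lambda function on create and update.
public class InvokeOnDeployStack extends Stack {
    public InvokeOnDeployStack(final Construct scope, final String id) {
        super(scope, id);

        // Placeholder ARN (assumption): substitute the function to invoke.
        String functionArn = "arn:aws:lambda:us-west-1:ACCOUNT:function:FUNCTIONNAME";

        AwsSdkCall invoke = AwsSdkCall.builder()
                .service("Lambda")
                .action("Invoke")
                .parameters(Map.of("FunctionName", functionArn))
                .physicalResourceId(PhysicalResourceId.of("InvokeOnDeploy"))
                .build();

        // fromSdkCalls builds the statement as call.service:call.action, which
        // for this call is not the lambda:InvokeFunction permission Lambda
        // requires. Granting by hand also lets the resource be a single ARN.
        AwsCustomResourcePolicy policy = AwsCustomResourcePolicy.fromStatements(List.of(
                PolicyStatement.Builder.create()
                        .actions(List.of("lambda:InvokeFunction"))
                        .resources(List.of(functionArn))
                        .build()));

        AwsCustomResource.Builder.create(this, "InvokeOnDeploy")
                .onCreate(invoke)
                .onUpdate(invoke)
                .policy(policy)
                .build();
    }
}
```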