Interface CfnApp.PermissionModelProperty
- All Superinterfaces:
software.amazon.jsii.JsiiSerializable
- All Known Implementing Classes:
CfnApp.PermissionModelProperty.Jsii$Proxy
- Enclosing class:
CfnApp
@Stability(Stable)
public static interface CfnApp.PermissionModelProperty
extends software.amazon.jsii.JsiiSerializable
Defines the roles and credentials that AWS Resilience Hub would use while creating the application, importing its resources, and running an assessment.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import java.util.List;
import software.amazon.awscdk.services.resiliencehub.*;

// PermissionModelProperty is nested in CfnApp, so it is referenced through the enclosing class.
CfnApp.PermissionModelProperty permissionModelProperty = CfnApp.PermissionModelProperty.builder()
        .type("type")
        // the properties below are optional
        .crossAccountRoleArns(List.of("crossAccountRoleArns"))
        .invokerRoleName("invokerRoleName")
        .build();
Nested Class Summary
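Nested Classes
Modifier and Type | Interface | Description
static final class | CfnApp.PermissionModelProperty.Builder | A builder for CfnApp.PermissionModelProperty
static final class | CfnApp.PermissionModelProperty.Jsii$Proxy | An implementation for CfnApp.PermissionModelProperty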
Method Summary
Modifier and Type | Method | Description
static CfnApp.PermissionModelProperty.Builder | builder() |
default List<String> | getCrossAccountRoleArns() | Defines a list of role Amazon Resource Names (ARNs) to be used in other accounts.
default String | getInvokerRoleName() | Existing AWS IAM role name in the primary AWS account that will be assumed by the AWS Resilience Hub service principal to obtain read-only access to your application resources while running an assessment.
String | getType() | Defines how AWS Resilience Hub scans your resources.
Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
Method Details
-
getType
Defines how AWS Resilience Hub scans your resources. It can scan for the resources by using a pre-existing role in your AWS account, or by using the credentials of the current IAM user.
getCrossAccountRoleArns
Defines a list of role Amazon Resource Names (ARNs) to be used in other accounts. These ARNs are used for querying purposes while importing resources and assessing your application.
- These ARNs are required only when your resources are in other accounts and you use a different role name in those accounts. Otherwise, the invoker role name will be used in the other accounts.
- These roles must have a trust policy with iam:AssumeRole permission to the invoker role in the primary account.
getInvokerRoleName
Existing AWS IAM role name in the primary AWS account that will be assumed by the AWS Resilience Hub service principal to obtain read-only access to your application resources while running an assessment.
If your IAM role includes a path, you must include the path in the invokerRoleName parameter. For example, if your IAM role's ARN is arn:aws:iam::123456789012:role/my-path/role-name, you should pass my-path/role-name.
- You must have iam:passRole permission for this role while creating or updating the application.
- Currently, invokerRoleName accepts only [A-Za-z0-9_+=,.@-] characters.
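The following is an added example, not code from the CDK project: it derives the path-qualified invokerRoleName from the primary account's role ARN and lists only the cross-account roles whose name differs from it, as the two method descriptions above require. The class name, helper names and account IDs are constructed for illustration, and the type value "RoleBased" is taken from the CloudFormation allowed values for this property, not from this page.

```java
import java.util.List;
import java.util.stream.Collectors;
import software.amazon.awscdk.services.resiliencehub.CfnApp.PermissionModelProperty;

// Hypothetical helper class; not part of the CDK.
public final class ResilienceHubPermissionModel {
    private static final String ROLE_MARKER = ":role/";

    /** Returns the role name with its path, e.g. "my-path/role-name". */
    static String roleNameWithPath(String roleArn) {
        int idx = roleArn.indexOf(ROLE_MARKER);
        String name = idx < 0 ? "" : roleArn.substring(idx + ROLE_MARKER.length());
        if (!roleArn.startsWith("arn:") || name.isEmpty() || name.endsWith("/")) {
            throw new IllegalArgumentException("Not an IAM role ARN: " + roleArn);
        }
        return name;
    }

    /** Builds a role-based permission model from full role ARNs. */
    static PermissionModelProperty roleBased(String invokerRoleArn,
                                             List<String> otherAccountRoleArns) {
        String invokerRoleName = roleNameWithPath(invokerRoleArn);
        // Roles that share the invoker role name need no explicit entry:
        // the invoker role name is used in those accounts by default.
        // (Comparing path-qualified names is this example's reading of that rule.)
        List<String> explicit = otherAccountRoleArns.stream()
                .filter(arn -> !roleNameWithPath(arn).equals(invokerRoleName))
                .collect(Collectors.toList());

        PermissionModelProperty.Builder builder = PermissionModelProperty.builder()
                .type("RoleBased")
                .invokerRoleName(invokerRoleName);
        if (!explicit.isEmpty()) {
            builder.crossAccountRoleArns(explicit);
        }
        return builder.build();
    }

    public static void main(String[] args) {
        // Constructed sample ARNs; the account IDs are placeholders.
        PermissionModelProperty model = roleBased(
                "arn:aws:iam::111111111111:role/my-path/role-name",
                List.of("arn:aws:iam::222222222222:role/my-path/role-name",
                        "arn:aws:iam::333333333333:role/resilience-readonly"));
        System.out.println("invokerRoleName: " + model.getInvokerRoleName());
        System.out.println("crossAccountRoleArns: " + model.getCrossAccountRoleArns());
    }
}
```

Passing the full ARN of the primary role and letting the helper strip the prefix avoids the common mistake of dropping the path segment from invokerRoleName.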
builder
-