AwsCustomResourcePolicy

class aws_cdk.custom_resources.AwsCustomResourcePolicy(*args: Any, **kwargs)

Bases: object

The IAM Policy that will be applied to the different calls.

Example:

from aws_cdk import aws_iam as iam
from aws_cdk import custom_resources as cr

# Inside a Stack or Construct; `self` is the scope of the custom resource.
cross_account_role_arn = "arn:aws:iam::OTHERACCOUNT:role/CrossAccountRoleName"  # ARN of role deployed in separate account

call_region = "us-west-1"  # SDK call to be made in specified region (optional)

cr.AwsCustomResource(self, "CrossAccount",
    on_create=cr.AwsSdkCall(
        assumed_role_arn=cross_account_role_arn,
        region=call_region,  # optional
        service="sts",
        action="GetCallerIdentity",
        physical_resource_id=cr.PhysicalResourceId.of("id")
    ),
    # The Lambda behind the custom resource only needs permission to assume the
    # cross-account role; the GetCallerIdentity call runs under that role.
    policy=cr.AwsCustomResourcePolicy.from_statements([iam.PolicyStatement.from_json({
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": cross_account_role_arn
    })])
)

Attributes

ANY_RESOURCE = ['*']
resources

Resources used by the policy auto-generated from SDK calls.

statements

Statements for an explicit policy.

Static Methods

classmethod from_sdk_calls(*, resources)

Generate IAM Policy Statements from the configured SDK calls.

Each SDK call will be translated to an IAM Policy Statement in the form of call.service:call.action (e.g. s3:PutObject).

This policy generator assumes the IAM action name is the same as the API call name. This is true in 99% of cases, but there are exceptions (for example, S3’s PutBucketLifecycleConfiguration requires s3:PutLifecycleConfiguration permissions, and Lambda’s Invoke requires lambda:InvokeFunction permissions). Use from_statements if you want to make a call that requires different IAM action names.

Parameters:

resources (Sequence[str]) – The resources that the calls will have access to. It is best to use specific resource ARNs when possible. However, you can also use AwsCustomResourcePolicy.ANY_RESOURCE to allow access to all resources, for example when onCreate is used to create a resource whose physical name you don’t know in advance. Note that this resource list will apply to ALL SDK calls.

Return type:

AwsCustomResourcePolicy

classmethod from_statements(statements)

Explicit IAM Policy Statements.

Parameters:

statements (Sequence[PolicyStatement]) – the statements to propagate to the SDK calls.

Return type:

AwsCustomResourcePolicy
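The following added example is not the CDK's own code; it reproduces in plain Python the mapping rule that from_sdk_calls is documented to use (call.service:call.action, with one shared resource list for every call) so that a reviewer can see what policy a set of SDK calls would produce, flag the two mismatches the documentation names (where from_statements is needed instead), and flag use of ANY_RESOURCE. The function names, the ACTION_EXCEPTIONS table and the sample calls are all constructed for this illustration; the exception table is not a complete list.

```python
"""Model of AwsCustomResourcePolicy.from_sdk_calls (added illustration, not CDK code).

Given a list of SDK calls and a resource list, build the statements the
generator would emit, then review them for the pitfalls the CDK docs describe:
IAM action names that differ from the API call name, and wildcard resources.
"""
from typing import Dict, List, Sequence

# ANY_RESOURCE as exposed by AwsCustomResourcePolicy.
ANY_RESOURCE: List[str] = ["*"]

# Constructed table (hypothetical, incomplete): generated action -> real IAM action.
# The two entries are exactly the exceptions the documentation mentions.
ACTION_EXCEPTIONS: Dict[str, str] = {
    "s3:PutBucketLifecycleConfiguration": "s3:PutLifecycleConfiguration",
    "lambda:Invoke": "lambda:InvokeFunction",
}

Statement = Dict[str, object]


def sdk_call_to_action(service: str, action: str) -> str:
    """The documented rule: '<service>:<action>', e.g. ('s3', 'PutObject') -> 's3:PutObject'."""
    return f"{service}:{action}"


def policy_from_sdk_calls(calls: Sequence[Dict[str, str]], resources: Sequence[str]) -> List[Statement]:
    """Mirror from_sdk_calls(resources=...): one Allow statement per call.

    Every statement gets the same resource list, which is why the docs warn that
    the resources argument applies to ALL SDK calls.
    """
    return [
        {
            "Effect": "Allow",
            "Action": sdk_call_to_action(call["service"], call["action"]),
            "Resource": list(resources),
        }
        for call in calls
    ]


def find_action_mismatches(statements: Sequence[Statement]) -> List[str]:
    """Generated actions that are known not to be real IAM action names."""
    return [str(s["Action"]) for s in statements if s["Action"] in ACTION_EXCEPTIONS]


def uses_any_resource(statements: Sequence[Statement]) -> bool:
    """True if any statement grants access to every resource ('*')."""
    return any("*" in list(s["Resource"]) for s in statements)  # type: ignore[arg-type]


def explicit_statements(statements: Sequence[Statement]) -> List[Statement]:
    """What you would hand to from_statements: the same statements with the
    known mismatches replaced by their real IAM action names."""
    fixed: List[Statement] = []
    for s in statements:
        corrected = dict(s)
        corrected["Action"] = ACTION_EXCEPTIONS.get(str(s["Action"]), s["Action"])
        fixed.append(corrected)
    return fixed


if __name__ == "__main__":
    # Constructed sample: one well-behaved call and one whose IAM action name differs.
    sample_calls = [
        {"service": "s3", "action": "PutObject"},
        {"service": "lambda", "action": "Invoke"},
    ]
    generated = policy_from_sdk_calls(sample_calls, ANY_RESOURCE)
    print("generated:", generated)
    print("mismatched actions:", find_action_mismatches(generated))
    print("grants '*':", uses_any_resource(generated))
    print("use with from_statements:", explicit_statements(generated))
```

Running the module prints the generated statements, reports lambda:Invoke as an action the generator cannot express correctly, and shows that passing ANY_RESOURCE widens every call rather than just the one that needs it; scoping the resources argument to specific ARNs, or splitting the resource into separate statements via from_statements, keeps the custom resource's Lambda role at least privilege.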