Vocabulary
Attention
This is an early version of the package. The API might change when new features are implemented. Therefore make sure you use an exact version in your package.json/requirements.txt before it reaches 1.0.0.
IAM Floyd provides a fluent interface and enables you to define policy statements in a human-readable and easy to understand phrase.
allow | deny (Effect)
The methods allow() and deny() control the Effect of the statement.
The default effect of any statement is Allow, so it is not mandatory to add either of these methods to the method chain. It is still recommended, because it improves readability:
new statement.Ec2() //
.allow()
.toStartInstances();
new statement.Ec2() //
.deny()
.toStopInstances();
s1 = statement.Ec2() \
.allow() \
.to_start_instances()
s2 = statement.Ec2() \
.deny() \
.to_stop_instances()
{
"Action": [
"ec2:StartInstances"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
{
"Action": [
"ec2:StopInstances"
],
"Effect": "Deny",
"Resource": [
"*"
]
}
to (Action)
Every available IAM action is represented by a distinct method. These methods start with to. You allow/deny to do something:
new statement.Ec2() //
.allow()
.toStartInstances()
.toStopInstances();
statement.Ec2() \
.allow() \
.to_start_instances() \
.to_stop_instances()
{
"Action": [
"ec2:StartInstances",
"ec2:StopInstances"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
In case of missing actions, you can just add any action key yourself via to():
new statement.Ec2() //
.allow()
.to('missingAction');
statement.Ec2() \
.allow() \
.to('missingAction')
{
"Action": [
"ec2:missingAction"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
all (Action)
While methods starting with to add a single action to a statement, methods starting with all add multiple actions.
allActions
This method adds all actions of the related service to the statement (e.g. ec2:*):
new statement.Ec2() //
.allow()
.allActions();
statement.Ec2() \
.allow() \
.all_actions()
{
"Action": [
"ec2:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
allMatchingActions
Adds all actions matching regular expressions to the statement.
Attention
The list of actions is compiled at run time. The generated statement object contains an exact list of actions that matched when you build it. If AWS later adds/removes actions that would match the regular expression, you need to re-generate the statements.
The regular expressions need to be in Perl/JavaScript literal style and need to be passed as strings:
new statement.Ec2() //
.deny()
.allMatchingActions('/vpn/i');
statement.Ec2() \
.deny() \
.all_matching_actions('/vpn/i')
{
"Action": [
"ec2:ApplySecurityGroupsToClientVpnTargetNetwork",
"ec2:AssociateClientVpnTargetNetwork",
"ec2:AttachVpnGateway",
"ec2:AuthorizeClientVpnIngress",
"ec2:CreateClientVpnEndpoint",
"ec2:CreateClientVpnRoute",
"ec2:CreateVpnConnection",
"ec2:CreateVpnConnectionRoute",
"ec2:CreateVpnGateway",
"ec2:DeleteClientVpnEndpoint",
"ec2:DeleteClientVpnRoute",
"ec2:DeleteVpnConnection",
"ec2:DeleteVpnConnectionRoute",
"ec2:DeleteVpnGateway",
"ec2:DetachVpnGateway",
"ec2:DisassociateClientVpnTargetNetwork",
"ec2:ImportClientVpnClientCertificateRevocationList",
"ec2:ModifyClientVpnEndpoint",
"ec2:ModifyVpnConnection",
"ec2:ModifyVpnTunnelCertificate",
"ec2:ModifyVpnTunnelOptions",
"ec2:RevokeClientVpnIngress",
"ec2:TerminateClientVpnConnections",
"ec2:DescribeClientVpnAuthorizationRules",
"ec2:DescribeClientVpnConnections",
"ec2:DescribeClientVpnEndpoints",
"ec2:DescribeClientVpnRoutes",
"ec2:DescribeClientVpnTargetNetworks",
"ec2:DescribeVpnGateways",
"ec2:ExportClientVpnClientCertificateRevocationList",
"ec2:ExportClientVpnClientConfiguration",
"ec2:DescribeVpnConnections"
],
"Effect": "Deny",
"Resource": [
"*"
]
}
Access levels
To add all actions of a certain access level to the statement use the below methods.
Attention
The list of actions is compiled at run time. The generated statement object contains an exact list of actions that matched when you build it. If AWS later adds/removes actions or changes the level, you need to re-generate the statements.
allListActions
Adds all actions with access level list to the statement.
new statement.Ec2() //
.allow()
.allListActions();
statement.Ec2() \
.allow() \
.all_list_actions()
{
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAggregateIdFormat",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeBundleTasks",
"ec2:DescribeByoipCidrs",
"ec2:DescribeCapacityReservations",
"ec2:DescribeCarrierGateways",
"ec2:DescribeClassicLinkInstances",
"ec2:DescribeClientVpnAuthorizationRules",
"ec2:DescribeClientVpnConnections",
"ec2:DescribeClientVpnEndpoints",
"ec2:DescribeClientVpnRoutes",
"ec2:DescribeClientVpnTargetNetworks",
"ec2:DescribeCoipPools",
"ec2:DescribeConversionTasks",
"ec2:DescribeCustomerGateways",
"ec2:DescribeDhcpOptions",
"ec2:DescribeEgressOnlyInternetGateways",
"ec2:DescribeExportImageTasks",
"ec2:DescribeExportTasks",
"ec2:DescribeFleetHistory",
"ec2:DescribeFleetInstances",
"ec2:DescribeFleets",
"ec2:DescribeFlowLogs",
"ec2:DescribeFpgaImageAttribute",
"ec2:DescribeFpgaImages",
"ec2:DescribeHostReservationOfferings",
"ec2:DescribeHostReservations",
"ec2:DescribeHosts",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DescribeIdFormat",
"ec2:DescribeIdentityIdFormat",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeImportImageTasks",
"ec2:DescribeImportSnapshotTasks",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeInstanceEventNotificationAttributes",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
"ec2:DescribeLocalGatewayRouteTableVpcAssociations",
"ec2:DescribeLocalGatewayRouteTables",
"ec2:DescribeLocalGatewayVirtualInterfaceGroups",
"ec2:DescribeLocalGatewayVirtualInterfaces",
"ec2:DescribeLocalGateways",
"ec2:DescribeManagedPrefixLists",
"ec2:DescribeMovingAddresses",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfacePermissions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribePrefixLists",
"ec2:DescribePrincipalIdFormat",
"ec2:DescribePublicIpv4Pools",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeReservedInstancesListings",
"ec2:DescribeReservedInstancesModifications",
"ec2:DescribeReservedInstancesOfferings",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSpotDatafeedSubscription",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeSpotFleetRequestHistory",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeStaleSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTrafficMirrorFilters",
"ec2:DescribeTrafficMirrorSessions",
"ec2:DescribeTrafficMirrorTargets",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGatewayMulticastDomains",
"ec2:DescribeTransitGatewayPeeringAttachments",
"ec2:DescribeTransitGatewayRouteTables",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeTransitGateways",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcEndpointConnectionNotifications",
"ec2:DescribeVpcEndpointConnections",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcEndpointServices",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnGateways",
"ec2:ExportClientVpnClientCertificateRevocationList",
"ec2:ExportClientVpnClientConfiguration",
"ec2:GetTransitGatewayAttachmentPropagations",
"ec2:GetTransitGatewayMulticastDomainAssociations",
"ec2:GetTransitGatewayPrefixListReferences",
"ec2:GetTransitGatewayRouteTableAssociations",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:SearchLocalGatewayRoutes",
"ec2:SearchTransitGatewayMulticastGroups",
"ec2:SearchTransitGatewayRoutes"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
allReadActions
Adds all actions with access level read to the statement.
new statement.Ec2() //
.allow()
.allReadActions();
statement.Ec2() \
.allow() \
.all_read_actions()
{
"Action": [
"ec2:DescribeElasticGpus",
"ec2:DescribeFastSnapshotRestores",
"ec2:DescribeScheduledInstanceAvailability",
"ec2:DescribeScheduledInstances",
"ec2:DescribeTags",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpnConnections",
"ec2:GetAssociatedEnclaveCertificateIamRoles",
"ec2:GetCapacityReservationUsage",
"ec2:GetCoipPoolUsage",
"ec2:GetConsoleOutput",
"ec2:GetConsoleScreenshot",
"ec2:GetDefaultCreditSpecification",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetHostReservationPurchasePreview",
"ec2:GetLaunchTemplateData",
"ec2:GetManagedPrefixListAssociations",
"ec2:GetManagedPrefixListEntries",
"ec2:GetPasswordData",
"ec2:GetReservedInstancesExchangeQuote"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
allWriteActions
Adds all actions with access level write to the statement.
new statement.Ec2() //
.allow()
.allWriteActions();
statement.Ec2() \
.allow() \
.all_write_actions()
{
"Action": [
"ec2:AcceptReservedInstancesExchangeQuote",
"ec2:AcceptTransitGatewayPeeringAttachment",
"ec2:AcceptTransitGatewayVpcAttachment",
"ec2:AcceptVpcEndpointConnections",
"ec2:AcceptVpcPeeringConnection",
"ec2:AdvertiseByoipCidr",
"ec2:AllocateAddress",
"ec2:AllocateHosts",
"ec2:ApplySecurityGroupsToClientVpnTargetNetwork",
"ec2:AssignIpv6Addresses",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AssociateClientVpnTargetNetwork",
"ec2:AssociateDhcpOptions",
"ec2:AssociateEnclaveCertificateIamRole",
"ec2:AssociateIamInstanceProfile",
"ec2:AssociateRouteTable",
"ec2:AssociateSubnetCidrBlock",
"ec2:AssociateTransitGatewayMulticastDomain",
"ec2:AssociateTransitGatewayRouteTable",
"ec2:AssociateVpcCidrBlock",
"ec2:AttachClassicLinkVpc",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:AttachVpnGateway",
"ec2:AuthorizeClientVpnIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:BundleInstance",
"ec2:CancelBundleTask",
"ec2:CancelCapacityReservation",
"ec2:CancelConversionTask",
"ec2:CancelExportTask",
"ec2:CancelImportTask",
"ec2:CancelReservedInstancesListing",
"ec2:CancelSpotFleetRequests",
"ec2:CancelSpotInstanceRequests",
"ec2:ConfirmProductInstance",
"ec2:CopyFpgaImage",
"ec2:CopyImage",
"ec2:CopySnapshot",
"ec2:CreateCapacityReservation",
"ec2:CreateCarrierGateway",
"ec2:CreateClientVpnEndpoint",
"ec2:CreateClientVpnRoute",
"ec2:CreateCustomerGateway",
"ec2:CreateDefaultSubnet",
"ec2:CreateDefaultVpc",
"ec2:CreateDhcpOptions",
"ec2:CreateEgressOnlyInternetGateway",
"ec2:CreateFleet",
"ec2:CreateFlowLogs",
"ec2:CreateFpgaImage",
"ec2:CreateImage",
"ec2:CreateInstanceExportTask",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateLocalGatewayRoute",
"ec2:CreateLocalGatewayRouteTableVpcAssociation",
"ec2:CreateManagedPrefixList",
"ec2:CreateNatGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkAclEntry",
"ec2:CreateNetworkInterface",
"ec2:CreatePlacementGroup",
"ec2:CreateReservedInstancesListing",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots",
"ec2:CreateSpotDatafeedSubscription",
"ec2:CreateSubnet",
"ec2:CreateTrafficMirrorFilter",
"ec2:CreateTrafficMirrorFilterRule",
"ec2:CreateTrafficMirrorSession",
"ec2:CreateTrafficMirrorTarget",
"ec2:CreateTransitGateway",
"ec2:CreateTransitGatewayMulticastDomain",
"ec2:CreateTransitGatewayPeeringAttachment",
"ec2:CreateTransitGatewayPrefixListReference",
"ec2:CreateTransitGatewayRoute",
"ec2:CreateTransitGatewayRouteTable",
"ec2:CreateTransitGatewayVpcAttachment",
"ec2:CreateVolume",
"ec2:CreateVpc",
"ec2:CreateVpcEndpoint",
"ec2:CreateVpcEndpointConnectionNotification",
"ec2:CreateVpcEndpointServiceConfiguration",
"ec2:CreateVpcPeeringConnection",
"ec2:CreateVpnConnection",
"ec2:CreateVpnConnectionRoute",
"ec2:CreateVpnGateway",
"ec2:DeleteCarrierGateway",
"ec2:DeleteClientVpnEndpoint",
"ec2:DeleteClientVpnRoute",
"ec2:DeleteCustomerGateway",
"ec2:DeleteDhcpOptions",
"ec2:DeleteEgressOnlyInternetGateway",
"ec2:DeleteFleets",
"ec2:DeleteFlowLogs",
"ec2:DeleteFpgaImage",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteLaunchTemplateVersions",
"ec2:DeleteLocalGatewayRoute",
"ec2:DeleteLocalGatewayRouteTableVpcAssociation",
"ec2:DeleteManagedPrefixList",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteNetworkInterface",
"ec2:DeletePlacementGroup",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteSpotDatafeedSubscription",
"ec2:DeleteSubnet",
"ec2:DeleteTrafficMirrorFilter",
"ec2:DeleteTrafficMirrorFilterRule",
"ec2:DeleteTrafficMirrorSession",
"ec2:DeleteTrafficMirrorTarget",
"ec2:DeleteTransitGateway",
"ec2:DeleteTransitGatewayMulticastDomain",
"ec2:DeleteTransitGatewayPeeringAttachment",
"ec2:DeleteTransitGatewayPrefixListReference",
"ec2:DeleteTransitGatewayRoute",
"ec2:DeleteTransitGatewayRouteTable",
"ec2:DeleteTransitGatewayVpcAttachment",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpointConnectionNotifications",
"ec2:DeleteVpcEndpointServiceConfigurations",
"ec2:DeleteVpcEndpoints",
"ec2:DeleteVpcPeeringConnection",
"ec2:DeleteVpnConnection",
"ec2:DeleteVpnConnectionRoute",
"ec2:DeleteVpnGateway",
"ec2:DeprovisionByoipCidr",
"ec2:DeregisterImage",
"ec2:DeregisterInstanceEventNotificationAttributes",
"ec2:DeregisterTransitGatewayMulticastGroupMembers",
"ec2:DeregisterTransitGatewayMulticastGroupSources",
"ec2:DetachClassicLinkVpc",
"ec2:DetachInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DetachVolume",
"ec2:DetachVpnGateway",
"ec2:DisableEbsEncryptionByDefault",
"ec2:DisableFastSnapshotRestores",
"ec2:DisableTransitGatewayRouteTablePropagation",
"ec2:DisableVgwRoutePropagation",
"ec2:DisableVpcClassicLink",
"ec2:DisableVpcClassicLinkDnsSupport",
"ec2:DisassociateAddress",
"ec2:DisassociateClientVpnTargetNetwork",
"ec2:DisassociateEnclaveCertificateIamRole",
"ec2:DisassociateIamInstanceProfile",
"ec2:DisassociateRouteTable",
"ec2:DisassociateSubnetCidrBlock",
"ec2:DisassociateTransitGatewayMulticastDomain",
"ec2:DisassociateTransitGatewayRouteTable",
"ec2:DisassociateVpcCidrBlock",
"ec2:EnableEbsEncryptionByDefault",
"ec2:EnableFastSnapshotRestores",
"ec2:EnableTransitGatewayRouteTablePropagation",
"ec2:EnableVgwRoutePropagation",
"ec2:EnableVolumeIO",
"ec2:EnableVpcClassicLink",
"ec2:EnableVpcClassicLinkDnsSupport",
"ec2:ExportImage",
"ec2:ExportTransitGatewayRoutes",
"ec2:ImportClientVpnClientCertificateRevocationList",
"ec2:ImportImage",
"ec2:ImportInstance",
"ec2:ImportKeyPair",
"ec2:ImportSnapshot",
"ec2:ImportVolume",
"ec2:ModifyCapacityReservation",
"ec2:ModifyClientVpnEndpoint",
"ec2:ModifyDefaultCreditSpecification",
"ec2:ModifyEbsDefaultKmsKeyId",
"ec2:ModifyFleet",
"ec2:ModifyFpgaImageAttribute",
"ec2:ModifyHosts",
"ec2:ModifyIdFormat",
"ec2:ModifyIdentityIdFormat",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyInstanceCapacityReservationAttributes",
"ec2:ModifyInstanceCreditSpecification",
"ec2:ModifyInstanceEventStartTime",
"ec2:ModifyInstanceMetadataOptions",
"ec2:ModifyInstancePlacement",
"ec2:ModifyLaunchTemplate",
"ec2:ModifyManagedPrefixList",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyReservedInstances",
"ec2:ModifySpotFleetRequest",
"ec2:ModifySubnetAttribute",
"ec2:ModifyTrafficMirrorFilterNetworkServices",
"ec2:ModifyTrafficMirrorFilterRule",
"ec2:ModifyTrafficMirrorSession",
"ec2:ModifyTransitGateway",
"ec2:ModifyTransitGatewayPrefixListReference",
"ec2:ModifyTransitGatewayVpcAttachment",
"ec2:ModifyVolume",
"ec2:ModifyVolumeAttribute",
"ec2:ModifyVpcAttribute",
"ec2:ModifyVpcEndpoint",
"ec2:ModifyVpcEndpointConnectionNotification",
"ec2:ModifyVpcEndpointServiceConfiguration",
"ec2:ModifyVpcPeeringConnectionOptions",
"ec2:ModifyVpcTenancy",
"ec2:ModifyVpnConnection",
"ec2:ModifyVpnTunnelCertificate",
"ec2:ModifyVpnTunnelOptions",
"ec2:MonitorInstances",
"ec2:MoveAddressToVpc",
"ec2:ProvisionByoipCidr",
"ec2:PurchaseHostReservation",
"ec2:PurchaseReservedInstancesOffering",
"ec2:PurchaseScheduledInstances",
"ec2:RebootInstances",
"ec2:RegisterImage",
"ec2:RegisterInstanceEventNotificationAttributes",
"ec2:RegisterTransitGatewayMulticastGroupMembers",
"ec2:RegisterTransitGatewayMulticastGroupSources",
"ec2:RejectTransitGatewayPeeringAttachment",
"ec2:RejectTransitGatewayVpcAttachment",
"ec2:RejectVpcEndpointConnections",
"ec2:RejectVpcPeeringConnection",
"ec2:ReleaseAddress",
"ec2:ReleaseHosts",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:ReplaceNetworkAclAssociation",
"ec2:ReplaceNetworkAclEntry",
"ec2:ReplaceRoute",
"ec2:ReplaceRouteTableAssociation",
"ec2:ReplaceTransitGatewayRoute",
"ec2:ReportInstanceStatus",
"ec2:RequestSpotFleet",
"ec2:RequestSpotInstances",
"ec2:ResetEbsDefaultKmsKeyId",
"ec2:ResetFpgaImageAttribute",
"ec2:ResetImageAttribute",
"ec2:ResetInstanceAttribute",
"ec2:ResetNetworkInterfaceAttribute",
"ec2:RestoreAddressToClassic",
"ec2:RestoreManagedPrefixListVersion",
"ec2:RevokeClientVpnIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:RunScheduledInstances",
"ec2:SendDiagnosticInterrupt",
"ec2:StartInstances",
"ec2:StartVpcEndpointServicePrivateDnsVerification",
"ec2:StopInstances",
"ec2:TerminateClientVpnConnections",
"ec2:TerminateInstances",
"ec2:UnassignIpv6Addresses",
"ec2:UnassignPrivateIpAddresses",
"ec2:UnmonitorInstances",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:WithdrawByoipCidr"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
allPermissionManagementActions
Adds all actions with access level permission management to the statement.
new statement.Ec2() //
.allow()
.allPermissionManagementActions();
statement.Ec2() \
.allow() \
.all_permission_management_actions()
{
"Action": [
"ec2:CreateNetworkInterfacePermission",
"ec2:DeleteNetworkInterfacePermission",
"ec2:ModifySnapshotAttribute",
"ec2:ModifyVpcEndpointServicePermissions",
"ec2:ResetSnapshotAttribute"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
allTaggingActions
Adds all actions with access level tagging to the statement.
new statement.Ec2() //
.allow()
.allTaggingActions();
statement.Ec2() \
.allow() \
.all_tagging_actions()
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
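Both Attention notes above (for allMatchingActions and for the access-level methods) say the action list is frozen at build time. The following added Python example, which is not part of IAM Floyd, parses a Perl/JavaScript-style regex literal the way the page describes, applies it to a constructed sample of ec2 action names, and reports drift between a previously generated statement and what the expression matches today. It assumes the expression is matched against the action name without the service prefix.

```python
from __future__ import annotations
import re
from typing import Iterable

# Constructed sample standing in for the full ec2 action list the library
# compiles at build time (not the library's own data).
CURRENT_EC2_ACTIONS = [
    "ec2:AttachVpnGateway",
    "ec2:CreateVpnConnection",
    "ec2:DeleteVpnGateway",
    "ec2:DescribeVpnConnections",
    "ec2:StartInstances",
    "ec2:StopInstances",
]

_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL}


def parse_js_regex(literal: str) -> re.Pattern:
    """Compile a Perl/JavaScript-style literal such as '/vpn/i' into a Python
    pattern. Only the i, m and s flags are mapped; any other flag is rejected
    instead of being silently dropped, since a dropped flag would change
    which actions the statement ends up covering."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", literal, re.DOTALL)
    if not m:
        raise ValueError(f"not a /pattern/flags literal: {literal!r}")
    pattern, flags = m.group(1), m.group(2)
    value = 0
    for f in flags:
        if f not in _FLAGS:
            raise ValueError(f"unsupported regex flag {f!r} in {literal!r}")
        value |= _FLAGS[f]
    return re.compile(pattern, value)


def matching_actions(literal: str, actions: Iterable[str]) -> list[str]:
    """What allMatchingActions would freeze into the statement: every action
    whose name matches the expression. Assumption: the expression is applied
    to the name after the 'service:' prefix."""
    rx = parse_js_regex(literal)
    return sorted(a for a in actions if rx.search(a.split(":", 1)[1]))


def action_drift(statement: dict, actions: Iterable[str], literal: str) -> dict:
    """Compare the action list frozen in an earlier generated statement with
    what the same expression matches against the current action list.
    'missing' lists actions the expression now matches but the deployed
    statement does not name (a Deny statement silently stops covering them);
    'stale' lists named actions that no longer exist."""
    frozen = set(statement["Action"])
    fresh = set(matching_actions(literal, actions))
    return {"missing": sorted(fresh - frozen), "stale": sorted(frozen - fresh)}


# Constructed: a statement generated before ec2:DeleteVpnGateway appeared in
# the sample list, naming one made-up action that has since been removed.
PREVIOUSLY_GENERATED = {
    "Action": [
        "ec2:AttachVpnGateway",
        "ec2:CreateVpnConnection",
        "ec2:DescribeVpnConnections",
        "ec2:ExampleRemovedVpnAction",  # placeholder, not a real ec2 action
    ],
    "Effect": "Deny",
    "Resource": ["*"],
}

if __name__ == "__main__":
    print(action_drift(PREVIOUSLY_GENERATED, CURRENT_EC2_ACTIONS, "/vpn/i"))
    # {'missing': ['ec2:DeleteVpnGateway'], 'stale': ['ec2:ExampleRemovedVpnAction']}
```

Run the drift check in CI against the statements you deployed: any non-empty result means the generated policy needs to be rebuilt and redeployed.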
if (Condition)
Every available IAM condition key is represented by a distinct method. These methods start with if. You allow/deny something if a condition is met.
Every statement provider (e.g. Ec2) brings its unique conditions. Global condition context keys start with ifAws.
Note
Multiple conditions on a statement all have to be true.
When you have multiple values on a single condition, one of them has to be true.
Other than that, IAM has no concept of OR. You need to define a separate statement for each OR branch.
new statement.Ec2()
.allow()
.toStartInstances()
.ifEncrypted()
.ifInstanceType(['t3.micro', 't3.nano'])
.ifAssociatePublicIpAddress(false)
.ifAwsRequestTag('Owner', 'John');
statement.Ec2() \
.allow() \
.to_start_instances() \
.if_encrypted() \
.if_instance_type(['t3.micro', 't3.nano']) \
.if_associate_public_ip_address(False) \
.if_aws_request_tag('Owner', 'John')
{
"Action": [
"ec2:StartInstances"
],
"Condition": {
"Bool": {
"ec2:AssociatePublicIpAddress": false,
"ec2:Encrypted": true
},
"StringLike": {
"aws:RequestTag/Owner": "John",
"ec2:InstanceType": [
"t3.micro",
"t3.nano"
]
}
},
"Effect": "Allow",
"Resource": [
"*"
]
}
Every if method has a default operator. For instance, conditions which operate on strings usually have StringLike as default. Most methods allow you to pass an operator as the last argument.
new statement.Ec2()
.allow()
.toStartInstances()
.ifAwsRequestTag('TagWithSpecialChars', '*John*', 'StringEquals');
statement.Ec2() \
.allow() \
.to_start_instances() \
.if_aws_request_tag('TagWithSpecialChars', '*John*', 'StringEquals')
{
"Action": [
"ec2:StartInstances"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/TagWithSpecialChars": "*John*"
}
},
"Effect": "Allow",
"Resource": [
"*"
]
}
In case of missing conditions, you can define any condition yourself via if():
new statement.Ec2()
.allow()
.toStartInstances()
.if('ec2:missingCondition', 'some-value');
statement.Ec2() \
.allow() \
.to_start_instances() \
.if_('ec2:missingCondition', 'some-value')
{
"Action": [
"ec2:StartInstances"
],
"Condition": {
"StringLike": {
"ec2:missingCondition": "some-value"
}
},
"Effect": "Allow",
"Resource": [
"*"
]
}
Operators
Condition operators can just be passed as strings. Or you can use the class statement.Operator():
new statement.Dynamodb()
.allow()
.toGetItem()
.onTable('Thread')
.ifAttributes(
['ID', 'Message', 'Tags'],
new statement.Operator().stringEquals().forAllValues()
);
statement.Dynamodb() \
.allow() \
.to_get_item() \
.on_table('Thread') \
.if_attributes(['ID', 'Message', 'Tags'],
statement.Operator().string_equals().for_all_values())
{
"Action": [
"dynamodb:GetItem"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:Attributes": [
"ID",
"Message",
"Tags"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:*:*:table/Thread"
]
}
new statement.Dynamodb()
.deny()
.toPutItem()
.onTable('Thread')
.ifAttributes(
['ID', 'PostDateTime'],
new statement.Operator().stringEquals().forAnyValue()
);
statement.Dynamodb() \
.deny() \
.to_put_item() \
.on_table('Thread') \
.if_attributes(['ID', 'PostDateTime'],
statement.Operator().string_equals().for_any_value())
{
"Action": [
"dynamodb:PutItem"
],
"Condition": {
"ForAnyValue:StringEquals": {
"dynamodb:Attributes": [
"ID",
"PostDateTime"
]
}
},
"Effect": "Deny",
"Resource": [
"arn:aws:dynamodb:*:*:table/Thread"
]
}
new statement.Ec2()
.allow()
.toStartInstances()
.ifAwsRequestTag(
'Environment',
['Production', 'Staging', 'Dev'],
new statement.Operator().stringEquals().ifExists()
);
statement.Ec2() \
.allow() \
.to_start_instances() \
.if_aws_request_tag('Environment',
['Production', 'Staging', 'Dev'],
statement.Operator().string_equals().if_exists())
{
"Action": [
"ec2:StartInstances"
],
"Condition": {
"StringEqualsIfExists": {
"aws:RequestTag/Environment": [
"Production",
"Staging",
"Dev"
]
}
},
"Effect": "Allow",
"Resource": [
"*"
]
}
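To make the rules in the Note above concrete (all conditions AND, multiple values on one key OR, plus the ForAllValues, ForAnyValue and IfExists operators from this section), here is an added Python evaluator, not part of IAM Floyd, that applies a generated Condition block to a constructed request context. It implements only the operators the page's output uses (StringEquals, StringLike, Bool) and treats a single-valued operator applied to a multi-valued key as no match, which is a simplification of IAM's full evaluation.

```python
from __future__ import annotations
import fnmatch
from typing import Any


def _matches(op: str, policy_value: Any, actual: Any) -> bool:
    """One base operator applied to one policy value and one context value."""
    if op == "StringEquals":
        return str(actual) == str(policy_value)
    if op == "StringLike":
        # IAM wildcards are * and ?; escape [ so fnmatch does not read a class
        return fnmatch.fnmatchcase(str(actual), str(policy_value).replace("[", "[[]"))
    if op == "Bool":
        return str(actual).lower() == str(policy_value).lower()
    raise ValueError(f"operator {op!r} not implemented in this example")


def _as_list(v: Any) -> list:
    return list(v) if isinstance(v, (list, tuple, set)) else [v]


def condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a statement's Condition block against a request context, where
    context maps condition key -> value (or list of values for multi-valued
    keys). Every operator/key pair must hold (AND). Within one key the policy
    values are alternatives (OR). ForAllValues requires every context value
    to be among them, ForAnyValue at least one. A missing key fails unless the
    operator carries IfExists or is ForAllValues (an empty set passes)."""
    for full_op, keys in condition.items():
        set_op, _, base = full_op.rpartition(":")  # e.g. ForAllValues:StringEquals
        if_exists = base.endswith("IfExists")
        if if_exists:
            base = base[: -len("IfExists")]
        for key, policy_values in keys.items():
            allowed = _as_list(policy_values)
            if key not in context:
                if if_exists or set_op == "ForAllValues":
                    continue
                return False
            actual = _as_list(context[key])

            def hit(a: Any) -> bool:
                return any(_matches(base, p, a) for p in allowed)

            if set_op == "ForAllValues":
                ok = all(hit(a) for a in actual)
            elif set_op == "ForAnyValue":
                ok = any(hit(a) for a in actual)
            elif set_op == "":
                ok = len(actual) == 1 and hit(actual[0])  # single-valued operator
            else:
                raise ValueError(f"unknown set operator {set_op!r}")
            if not ok:
                return False
    return True


# Condition blocks exactly as generated on this page.
START_INSTANCES = {
    "Bool": {"ec2:AssociatePublicIpAddress": False, "ec2:Encrypted": True},
    "StringLike": {"aws:RequestTag/Owner": "John",
                   "ec2:InstanceType": ["t3.micro", "t3.nano"]},
}
GET_ITEM_ALL = {"ForAllValues:StringEquals": {"dynamodb:Attributes": ["ID", "Message", "Tags"]}}
PUT_ITEM_ANY = {"ForAnyValue:StringEquals": {"dynamodb:Attributes": ["ID", "PostDateTime"]}}
ENV_IF_EXISTS = {"StringEqualsIfExists": {"aws:RequestTag/Environment": ["Production", "Staging", "Dev"]}}

# Constructed request context (IAM delivers context values as strings).
OK_REQUEST = {"ec2:AssociatePublicIpAddress": "false", "ec2:Encrypted": "true",
              "aws:RequestTag/Owner": "John", "ec2:InstanceType": "t3.nano"}

if __name__ == "__main__":
    print(condition_holds(START_INSTANCES, OK_REQUEST))                                       # True
    print(condition_holds(START_INSTANCES, {**OK_REQUEST, "ec2:InstanceType": "t3.small"}))  # False
    print(condition_holds(GET_ITEM_ALL, {"dynamodb:Attributes": ["ID", "Tags"]}))            # True
    print(condition_holds(PUT_ITEM_ANY, {"dynamodb:Attributes": ["Message"]}))               # False
    print(condition_holds(ENV_IF_EXISTS, {}))                                                # True
```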
on (Resource)
Every available IAM resource key is represented by a distinct method. These methods start with on. You allow/deny something on a specific resource (or pattern).
new statement.S3()
.allow()
.allActions()
.onBucket('example-bucket')
.onObject('example-bucket', 'some/path/*');
statement.S3() \
.allow() \
.all_actions() \
.on_bucket('example-bucket') \
.on_object('example-bucket', 'some/path/*')
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::example-bucket",
"arn:aws:s3:::example-bucket/some/path/*"
]
}
In case of missing resources or if you already have an ARN ready, use the on() method:
new statement.S3() //
.allow()
.allActions()
.on(
'arn:aws:s3:::example-bucket', //
'arn:aws:s3:::another-bucket'
);
statement.S3() \
.allow() \
.all_actions() \
.on('arn:aws:s3:::example-bucket',
'arn:aws:s3:::another-bucket')
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::example-bucket",
"arn:aws:s3:::another-bucket"
]
}
If a statement has no principal and no resource is applied to it, the resource defaults to all resources (*).
for (Principal)
Note
If you use the CDK variant of the package, don't attempt to create an assume policy with this package. Assume policies have to be of type IPrincipal and can easily be created with the iam package.
Every possible principal is represented by a distinct method. These methods start with for. You allow/deny something for a specific principal.
new statement.Sts() //
.allow()
.toAssumeRole()
.forAccount('1234567890');
new statement.Sts()
.allow()
.toAssumeRoleWithSAML()
.forService('lambda.amazonaws.com');
new statement.Sts() //
.allow()
.toAssumeRole()
.forUser('1234567890', 'Bob');
new statement.Sts() //
.allow()
.toAssumeRole()
.forRole('1234567890', 'role-name');
new statement.Sts() //
.allow()
.toAssumeRoleWithSAML()
.forFederatedCognito();
new statement.Sts() //
.allow()
.toAssumeRoleWithSAML()
.forFederatedAmazon();
new statement.Sts() //
.allow()
.toAssumeRoleWithSAML()
.forFederatedGoogle();
new statement.Sts() //
.allow()
.toAssumeRoleWithSAML()
.forFederatedFacebook();
new statement.Sts()
.allow()
.toAssumeRoleWithSAML()
.forSaml('1234567890', 'saml-provider');
new statement.Sts() //
.allow()
.toAssumeRole()
.forPublic();
new statement.Sts()
.allow()
.toAssumeRole()
.forAssumedRoleSession('123456789', 'role-name', 'session-name');
new statement.Sts() //
.allow()
.toAssumeRole()
.forCanonicalUser('userID');
new statement.Sts() //
.allow()
.toAssumeRole()
.for('arn:foo:bar');
s1 = statement.Sts() \
.allow() \
.to_assume_role() \
.for_account('1234567890')
s2 = statement.Sts() \
.allow() \
.to_assume_role_with_saml() \
.for_service('lambda.amazonaws.com')
s3 = statement.Sts() \
.allow() \
.to_assume_role() \
.for_user('1234567890', 'Bob')
s4 = statement.Sts() \
.allow() \
.to_assume_role() \
.for_role('1234567890', 'role-name')
s5 = statement.Sts() \
.allow() \
.to_assume_role_with_saml() \
.for_federated_cognito()
s6 = statement.Sts() \
.allow() \
.to_assume_role_with_saml() \
.for_federated_amazon()
s7 = statement.Sts() \
.allow() \
.to_assume_role_with_saml() \
.for_federated_google()
s8 = statement.Sts() \
.allow() \
.to_assume_role_with_saml() \
.for_federated_facebook()
s9 = statement.Sts() \
.allow() \
.to_assume_role_with_saml() \
.for_saml('1234567890', 'saml-provider')
s10 = statement.Sts() \
.allow() \
.to_assume_role() \
.for_public()
s11 = statement.Sts() \
.allow() \
.to_assume_role() \
.for_assumed_role_session('123456789', 'role-name', 'session-name')
s12 = statement.Sts() \
.allow() \
.to_assume_role() \
.for_canonical_user('userID')
s13 = statement.Sts() \
.allow() \
.to_assume_role() \
.for_('arn:foo:bar')
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:root"
]
}
}
{
"Action": [
"sts:AssumeRoleWithSAML"
],
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
}
}
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/Bob"
]
}
}
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:role/role-name"
]
}
}
{
"Action": [
"sts:AssumeRoleWithSAML"
],
"Effect": "Allow",
"Principal": {
"Federated": [
"cognito-identity.amazonaws.com"
]
}
}
{
"Action": [
"sts:AssumeRoleWithSAML"
],
"Effect": "Allow",
"Principal": {
"Federated": [
"www.amazon.com"
]
}
}
{
"Action": [
"sts:AssumeRoleWithSAML"
],
"Effect": "Allow",
"Principal": {
"Federated": [
"accounts.google.com"
]
}
}
{
"Action": [
"sts:AssumeRoleWithSAML"
],
"Effect": "Allow",
"Principal": {
"Federated": [
"graph.facebook.com"
]
}
}
{
"Action": [
"sts:AssumeRoleWithSAML"
],
"Effect": "Allow",
"Principal": {
"Federated": [
"arn:aws:iam::1234567890:saml-provider/saml-provider"
]
}
}
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
}
}
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:sts::123456789:assumed-role/role-name/session-name"
]
}
}
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"CanonicalUser": [
"userID"
]
}
}
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:foo:bar"
]
}
}
The CDK variant of the package has an additional method forCdkPrincipal, which takes any number of iam.IPrincipal objects:
new statement.Sts()
.allow()
.toAssumeRole()
.forCdkPrincipal(
new iam.ServicePrincipal('sns.amazonaws.com'),
new iam.ServicePrincipal('lambda.amazonaws.com')
);
statement.Sts() \
.allow() \
.to_assume_role() \
.for_cdk_principal(iam.ServicePrincipal('sns.amazonaws.com'),
iam.ServicePrincipal('lambda.amazonaws.com'))
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"${Token[sns.amazonaws.com.9]}",
"${Token[lambda.amazonaws.com.10]}"
]
}
}
not (notAction, notResource and notPrincipal)
Warning
Make sure you understand the concepts of NotAction, NotResource and NotPrincipal well. This is where things quickly go wrong, especially when they are used in combination.
notActions
Switches the policy provider to use NotAction.
new statement.S3()
.allow()
.notActions()
.toDeleteBucket()
.onBucket('example-bucket');
statement.S3() \
.allow() \
.not_actions() \
.to_delete_bucket() \
.on_bucket('example-bucket')
{
"Effect": "Allow",
"NotAction": [
"s3:DeleteBucket"
],
"Resource": [
"arn:aws:s3:::example-bucket"
]
}
notResources
Switches the policy provider to use NotResource.
new statement.S3()
.allow()
.notResources()
.toDeleteBucket()
.onBucket('example-bucket');
statement.S3() \
.allow() \
.not_resources() \
.to_delete_bucket() \
.on_bucket('example-bucket')
{
"Action": [
"s3:DeleteBucket"
],
"Effect": "Allow",
"NotResource": [
"arn:aws:s3:::example-bucket"
]
}
notPrincipals
Switches the policy provider to use NotPrincipal.
new statement.S3()
.allow()
.allActions()
.notPrincipals()
.forUser('1234567890', 'Bob')
.onObject('example-bucket', '*');
statement.S3() \
.allow() \
.all_actions() \
.not_principals() \
.for_user('1234567890', 'Bob') \
.on_object('example-bucket', '*')
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::1234567890:user/Bob"
]
},
"Resource": [
"arn:aws:s3:::example-bucket/*"
]
}
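The Warning above says the Not* elements are where policies go wrong. As an added Python example (not IAM Floyd code), here is a minimal matcher for the Action/NotAction, Resource/NotResource and Principal/NotPrincipal elements, run over the three statements generated in this section, plus a lint that flags an Allow statement carrying any Not* element as open-ended by construction. It assumes principals are compared by their flattened identifiers and that * matches everything.

```python
from __future__ import annotations
import fnmatch
from typing import Any


def _wild(pattern: str, value: str) -> bool:
    """IAM-style * and ? wildcard match for action names and ARNs."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _any_match(patterns: Any, value: str) -> bool:
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(_wild(p, value) for p in pats)


def _principal_ids(principal: Any) -> list[str]:
    """Flatten {"AWS": [...], "Service": [...], ...} (or "*") to identifiers."""
    if principal == "*":
        return ["*"]
    ids: list[str] = []
    for values in principal.values():
        ids.extend(values if isinstance(values, list) else [values])
    return ids


def statement_applies(stmt: dict, action: str, resource: str, principal: str | None = None) -> bool:
    """Whether the statement's matching elements cover this request. Each
    Not* element inverts its positive counterpart: NotAction covers every
    action except those listed, and so on. An absent Resource element is
    treated as *, as the page describes for statements without principals."""
    if "Action" in stmt and not _any_match(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _any_match(stmt["NotAction"], action):
        return False
    if "Resource" in stmt and not _any_match(stmt["Resource"], resource):
        return False
    if "NotResource" in stmt and _any_match(stmt["NotResource"], resource):
        return False
    if principal is not None:
        if "Principal" in stmt and not _any_match(_principal_ids(stmt["Principal"]), principal):
            return False
        if "NotPrincipal" in stmt and _any_match(_principal_ids(stmt["NotPrincipal"]), principal):
            return False
    return True


def broad_allow_elements(stmt: dict) -> list[str]:
    """Lint: the Not* elements present in an Allow statement. Each one turns
    the grant into 'everything except the exclusion', so such statements
    deserve a review before deployment."""
    if stmt.get("Effect") != "Allow":
        return []
    return [e for e in ("NotAction", "NotResource", "NotPrincipal") if e in stmt]


# The three statements generated in this section.
NOT_ACTIONS = {"Effect": "Allow", "NotAction": ["s3:DeleteBucket"],
               "Resource": ["arn:aws:s3:::example-bucket"]}
NOT_RESOURCES = {"Action": ["s3:DeleteBucket"], "Effect": "Allow",
                 "NotResource": ["arn:aws:s3:::example-bucket"]}
NOT_PRINCIPALS = {"Action": ["s3:*"], "Effect": "Allow",
                  "NotPrincipal": {"AWS": ["arn:aws:iam::1234567890:user/Bob"]},
                  "Resource": ["arn:aws:s3:::example-bucket/*"]}

if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket"
    # The NotAction grant covers every other s3 action on the bucket, not only harmless ones.
    print(statement_applies(NOT_ACTIONS, "s3:PutBucketPolicy", bucket))  # True
    print(statement_applies(NOT_ACTIONS, "s3:DeleteBucket", bucket))     # False
    # The NotResource grant allows deleting every bucket except example-bucket.
    print(statement_applies(NOT_RESOURCES, "s3:DeleteBucket", "arn:aws:s3:::another-bucket"))  # True
    print(broad_allow_elements(NOT_PRINCIPALS))  # ['NotPrincipal']
```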