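/**
 * Give `grantee` permission to perform `actions` on this log group.
 *
 * Only the grantee's identity policy is modified (`addToPrincipal`); no
 * resource policy is attached to the log group itself.
 *
 * @param grantee the identity (role, user, service principal, ...) receiving the permissions
 * @param actions the IAM actions to allow
 * @returns the Grant, so callers can inspect or extend the added statement
 */
public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
  return iam.Grant.addToPrincipal({
    grantee,
    actions,
    // A LogGroup ARN out of CloudFormation already includes a ':*' at the end to include the log streams under the group.
    // See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html#w2ab1c21c10c63c43c11
    resourceArns: [this.logGroupArn],
    scope: this,
  });
}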
}
/**
 * Grant `actions` on this key to `grantee`, updating both the grantee's identity
 * policy and this key's resource (key) policy.
 *
 * @param grantee identity receiving the permissions
 * @param actions the KMS actions to allow
 * @returns the resulting Grant
 */
public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
  // KMS validates that every principal named in a key policy exists. When the
  // grantee's stack depends on this key's stack, the grantee is not created yet
  // at the time the key policy is applied, so the key policy names the whole
  // account (a deliberately broader principal) instead of the specific identity.
  const dependentAccount = this.granteeStackDependsOnKeyStack(grantee);
  let keyPolicyPrincipal = grantee.grantPrincipal;
  if (dependentAccount) {
    keyPolicyPrincipal = new iam.AccountPrincipal(dependentAccount);
  }

  // Both checks are always evaluated, exactly as before.
  const otherAccount = this.isGranteeFromAnotherAccount(grantee);
  const otherRegion = this.isGranteeFromAnotherRegion(grantee);
  const sameEnvironment = !(otherAccount || otherRegion);

  return iam.Grant.addToPrincipalAndResource({
    grantee,
    actions,
    resource: this,
    resourcePolicyPrincipal: keyPolicyPrincipal,
    // Across accounts or regions the key has no physical name, so its ARN is not
    // available and the identity-side statement falls back to '*'. That statement
    // then names every key; the key policy on the resource side still has to allow
    // the principal. ToDo we need to make this better... somehow
    resourceArns: sameEnvironment ? [this.keyArn] : ['*'],
    resourceSelfArns: sameEnvironment ? ['*'] : undefined,
  });
}
public grantRead(grantee: iam.IGrantable, versionStages?: string[]): iam.Grant {
// @see https://docs.aws.amazon.com/fr_fr/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html
const result = iam.Grant.addToPrincipal({
grantee,
actions: ['secretsmanager:GetSecretValue'],
resourceArns: [this.secretArn],
scope: this
});
if (versionStages != null && result.principalStatement) {
result.principalStatement.addCondition('ForAnyValue:StringEquals', {
'secretsmanager:VersionStage': versionStages
});
}
if (this.encryptionKey) {
// @see https://docs.aws.amazon.com/fr_fr/kms/latest/developerguide/services-secrets-manager.html
this.encryptionKey.grantDecrypt(
new kms.ViaServicePrincipal(`secretsmanager.${Stack.of(this).region}.amazonaws.com`, grantee.grantPrincipal)
);
public grantInvoke(grantee: iam.IGrantable): iam.Grant {
return iam.Grant.addToPrincipalOrResource({
grantee,
actions: ['lambda:InvokeFunction'],
resourceArns: [this.functionArn],
// Fake resource-like object on which to call addToResourcePolicy(), which actually
// calls addPermission()
resource: {
addToResourcePolicy: (_statement) => {
// Couldn't add permissions to the principal, so add them locally.
const identifier = `Invoke${grantee.grantPrincipal}`; // calls the .toString() of the princpal
this.addPermission(identifier, {
principal: grantee.grantPrincipal!,
action: 'lambda:InvokeFunction',
});
},
node: this.node,
/**
 * Add `actions` on this stream to `grantee`'s identity policy.
 *
 * @param grantee identity receiving the permissions
 * @param actions the IAM actions to allow on the stream
 * @returns the Grant returned by `iam.Grant.addToPrincipal`
 */
private grant(grantee: iam.IGrantable, ...actions: string[]) {
  // Scoped to this stream's ARN only; `scope` ties the statement to this construct.
  const request = {
    grantee,
    actions,
    resourceArns: [this.streamArn],
    scope: this,
  };
  return iam.Grant.addToPrincipal(request);
}
}
/**
 * Grant `grantee` permission to publish metrics to CloudWatch
 * (`cloudwatch:PutMetricData`).
 *
 * @param grantee identity that will call PutMetricData
 * @returns the added Grant
 */
public static grantPutMetricData(grantee: iam.IGrantable): iam.Grant {
  // PutMetricData is not a resource-scoped action (there is no metric ARN to
  // name), so '*' is the only resource that works here. If a narrower grant is
  // wanted, it has to be expressed as a condition (e.g. `cloudwatch:namespace`)
  // on the resulting statement.
  const allResources = ['*'];
  return iam.Grant.addToPrincipal({
    grantee,
    actions: ['cloudwatch:PutMetricData'],
    resourceArns: allResources,
  });
}
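/**
 * Grant `actions` on this queue to `grantee`.
 *
 * Uses `addToPrincipalOrResource`: the statement goes into the grantee's identity
 * policy when that can be modified, and otherwise (presumably imported or
 * cross-account principals — confirm against `iam.Grant`) into this queue's
 * resource policy.
 *
 * @param grantee identity receiving the permissions
 * @param actions the SQS actions to allow
 * @returns the resulting Grant
 */
public grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant {
  return iam.Grant.addToPrincipalOrResource({
    grantee,
    actions,
    resourceArns: [this.queueArn],
    resource: this,
  });
}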
}
/**
 * Allow `grantee` to report lifecycle event hook results for this deployment group
 * (`codedeploy:PutLifecycleEventHookExecutionStatus`).
 *
 * @param grantee identity (typically the hook's execution role) receiving the permission
 * @returns the added Grant
 */
public grantPutLifecycleEventHookExecutionStatus(grantee: iam.IGrantable): iam.Grant {
  // Scoped to this deployment group's ARN only.
  const hookStatusAction = 'codedeploy:PutLifecycleEventHookExecutionStatus';
  return iam.Grant.addToPrincipal({
    grantee,
    actions: [hookStatusAction],
    resourceArns: [this.deploymentGroupArn],
  });
}
}
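/**
 * Grant `grantee` permission to publish messages to this topic (`sns:Publish`).
 *
 * Uses `addToPrincipalOrResource`, so the permission lands in the grantee's
 * identity policy when possible and otherwise in this topic's resource policy.
 *
 * @param grantee identity receiving the permission
 * @returns the resulting Grant
 */
public grantPublish(grantee: iam.IGrantable): iam.Grant {
  return iam.Grant.addToPrincipalOrResource({
    grantee,
    actions: ['sns:Publish'],
    resourceArns: [this.topicArn],
    resource: this,
  });
}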
/**
 * Add `actions` on this table to `grantee`'s identity policy.
 *
 * @param grantee identity receiving the permissions
 * @param actions the DynamoDB actions to allow (passed as an array, not a rest parameter)
 * @returns the Grant returned by `iam.Grant.addToPrincipal`
 */
private grant(grantee: iam.IGrantable, actions: string[]) {
  // Scoped to this table's ARN only; no `scope` is passed, matching the original.
  const request = {
    grantee,
    actions,
    resourceArns: [this.tableArn],
  };
  return iam.Grant.addToPrincipal(request);
}
}