chore(iam): make examples compile (#17195)

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
kaizencc authored Oct 29, 2021
1 parent 4c6cee5 commit 888e5a0
Showing 3 changed files with 40 additions and 39 deletions.
58 changes: 32 additions & 26 deletions packages/@aws-cdk/aws-iam/README.md
@@ -30,17 +30,17 @@ Managed policies can be attached using `xxx.addManagedPolicy(ManagedPolicy.fromA
Many of the AWS CDK resources have `grant*` methods that allow you to grant other resources access to that resource. As an example, the following code gives a Lambda function write permissions (Put, Update, Delete) to a DynamoDB table.

```ts
const fn = new lambda.Function(this, 'Function', functionProps);
const table = new dynamodb.Table(this, 'Table', tableProps);
declare const fn: lambda.Function;
declare const table: dynamodb.Table;

table.grantWriteData(fn);
```

The more generic `grant` method allows you to give specific permissions to a resource:

```ts
const fn = new lambda.Function(this, 'Function', functionProps);
const table = new dynamodb.Table(this, 'Table', tableProps);
declare const fn: lambda.Function;
declare const table: dynamodb.Table;

table.grant(fn, 'dynamodb:PutItem');
```
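Review bot: the `declare const fn: lambda.Function;` / `declare const table: dynamodb.Table;` stubs that replace the `new lambda.Function(this, 'Function', functionProps)` and `new dynamodb.Table(this, 'Table', tableProps)` constructions in both snippets mean `functionProps` and `tableProps` are no longer needed, and this same commit deletes their `declare const` lines from `rosetta/default.ts-fixture`; worth grepping the rest of this README for any remaining reference to either name, since a leftover use would now fail to compile. The stub form also reads better for these examples: the point being shown is the `table.grantWriteData(fn)` / `table.grant(fn, 'dynamodb:PutItem')` call, not how the table and function were constructed.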
@@ -186,7 +186,7 @@ const role = new iam.Role(this, 'MyRole', {
assumedBy: new iam.CompositePrincipal(
new iam.ServicePrincipal('ec2.amazonaws.com'),
new iam.AccountPrincipal('1818188181818187272')
)
),
});
```
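Review bot: the only change in this hunk is the trailing comma after the `CompositePrincipal(...)` argument, which is fine; while this block is being touched, consider replacing the 19-digit `'1818188181818187272'` passed to `new iam.AccountPrincipal(...)` with a 12-digit placeholder such as `'123456789012'`, the form already used by the user-import examples further down in this README. An AWS account ID is 12 digits, so a reader copying this value gets a trust policy principal that can never match a real account.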

@@ -212,7 +212,7 @@ Cognito, Amazon, Google or Facebook, for example:
const principal = new iam.WebIdentityPrincipal('cognito-identity.amazonaws.com')
.withConditions({
"StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-2:12345678-abcd-abcd-abcd-123456" },
"ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"}
"ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated" },
});
```
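Review bot: the trailing comma and spacing fix on the `"ForAnyValue:StringLike"` line is fine; two nits on the same block: the double-quoted keys (`"StringEquals"`, `"ForAnyValue:StringLike"`) are the only double quotes in this README's snippets, which otherwise use single quotes, and the example would be more useful to readers with a short comment saying what the two conditions do, namely pinning the trust policy to one identity pool via the `cognito-identity.amazonaws.com:aud` value and to the unauthenticated flow via `cognito-identity.amazonaws.com:amr`.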

@@ -256,11 +256,11 @@ const customPolicyDocument = iam.PolicyDocument.fromJson(policyDocument);

// You can pass this document as an initial document to a ManagedPolicy
// or inline Policy.
const newManagedPolicy = new ManagedPolicy(stack, 'MyNewManagedPolicy', {
document: customPolicyDocument
const newManagedPolicy = new iam.ManagedPolicy(this, 'MyNewManagedPolicy', {
document: customPolicyDocument,
});
const newPolicy = new Policy(stack, 'MyNewPolicy', {
document: customPolicyDocument
const newPolicy = new iam.Policy(this, 'MyNewPolicy', {
document: customPolicyDocument,
});
```
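Review bot: the `iam.` prefix and the `this` scope bring these two constructions in line with the fixture's `Fixture extends Stack`, good. One documentation nit on the unchanged structure: the same `customPolicyDocument` is handed to both `iam.ManagedPolicy` and `iam.Policy` in one snippet, which reads as if both should be created, while the comment above says "a ManagedPolicy or inline Policy". Consider "either ... or" wording in the comment, or two separate snippets, so readers do not copy both when they need one.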

@@ -296,15 +296,18 @@ const boundary2 = new iam.ManagedPolicy(this, 'Boundary2', {
});

// Directly apply the boundary to a Role you create
declare const role: iam.Role;
iam.PermissionsBoundary.of(role).apply(boundary);

// Apply the boundary to an Role that was implicitly created for you
iam.PermissionsBoundary.of(lambdaFunction).apply(boundary);
declare const fn: lambda.Function;
iam.PermissionsBoundary.of(fn).apply(boundary);

// Apply the boundary to all Roles in a stack
iam.PermissionsBoundary.of(stack).apply(boundary);
iam.PermissionsBoundary.of(this).apply(boundary);

// Remove a Permissions Boundary that is inherited, for example from the Stack level
declare const customResource: CustomResource;
iam.PermissionsBoundary.of(customResource).clear();
```
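Review bot: `declare const customResource: CustomResource;` references `CustomResource` with no namespace prefix, so it only compiles because this commit adds `import { CustomResource, Stack } from '@aws-cdk/core';` to the rosetta fixture; a reader pasting the snippet into their own stack needs that import, so either add it to the snippet or mention it in a comment. Two smaller points on the surrounding lines: "Apply the boundary to an Role" should read "a Role", and the `.clear()` example deserves one sentence noting that clearing an inherited boundary leaves the roles under that construct with no permissions boundary at all, which is exactly what the stack-level `iam.PermissionsBoundary.of(this).apply(boundary)` two lines above was put there to prevent.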

@@ -347,10 +350,13 @@ pool](https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html)
you can reference the provider's ARN as follows:

```ts
import * as cognito from '@aws-cdk/aws-cognito';

declare const myProvider: iam.OpenIdConnectProvider;
new cognito.CfnIdentityPool(this, 'IdentityPool', {
openIdConnectProviderArns: [myProvider.openIdConnectProviderArn],
// And the other properties for your identity pool
allowUnauthenticatedIdentities,
allowUnauthenticatedIdentities: false,
});
```
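Review bot: the explicit `import * as cognito from '@aws-cdk/aws-cognito';` at the top of this snippet duplicates the `cognito` import this same commit adds to `rosetta/default.ts-fixture`; if rosetta does not dedupe hoisted imports that is a duplicate `cognito` identifier in the compiled fixture, so please confirm this snippet actually compiles or drop one of the two. Replacing the bare `allowUnauthenticatedIdentities` shorthand with an explicit `allowUnauthenticatedIdentities: false` is the right call for a doc example: it shows the safer setting instead of deferring to an undeclared variable, and it is what lets the `declare const allowUnauthenticatedIdentities: boolean;` fixture line be removed.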

@@ -359,7 +365,7 @@ The `OpenIdConnectPrincipal` class can be used as a principal used with a `OpenI
```ts
const provider = new iam.OpenIdConnectProvider(this, 'MyProvider', {
url: 'https://openid/connect',
clientIds: [ 'myclient1', 'myclient2' ]
clientIds: [ 'myclient1', 'myclient2' ],
});
const principal = new iam.OpenIdConnectPrincipal(provider);
```
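Review bot: the trailing comma on `clientIds` is fine; for consistency with the other arrays in this README the literal would normally be written `['myclient1', 'myclient2']` without the inner spaces. Unrelated to this change, `url: 'https://openid/connect'` is obviously a placeholder, but a comment saying this must be the provider's issuer URL would save readers from copying it as-is.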
@@ -410,34 +416,34 @@ new iam.Role(this, 'Role', {
IAM manages users for your AWS account. To create a new user:

```ts
const user = new User(this, 'MyUser');
const user = new iam.User(this, 'MyUser');
```

To import an existing user by name [with path](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names):

```ts
const user = User.fromUserName(stack, 'MyImportedUserByName', 'johnsmith');
const user = iam.User.fromUserName(this, 'MyImportedUserByName', 'johnsmith');
```

To import an existing user by ARN:

```ts
const user = User.fromUserArn(this, 'MyImportedUserByArn', 'arn:aws:iam::123456789012:user/johnsmith');
const user = iam.User.fromUserArn(this, 'MyImportedUserByArn', 'arn:aws:iam::123456789012:user/johnsmith');
```

To import an existing user by attributes:

```ts
const user = User.fromUserAttributes(stack, 'MyImportedUserByAttributes', {
const user = iam.User.fromUserAttributes(this, 'MyImportedUserByAttributes', {
userArn: 'arn:aws:iam::123456789012:user/johnsmith',
});
```

To add a user to a group (both for a new and imported user/group):

```ts
const user = new User(this, 'MyUser'); // or User.fromUserName(stack, 'User', 'johnsmith');
const group = new Group(this, 'MyGroup'); // or Group.fromGroupArn(stack, 'Group', 'arn:aws:iam::account-id:group/group-name');
const user = new iam.User(this, 'MyUser'); // or User.fromUserName(stack, 'User', 'johnsmith');
const group = new iam.Group(this, 'MyGroup'); // or Group.fromGroupArn(stack, 'Group', 'arn:aws:iam::account-id:group/group-name');

user.addToGroup(group);
// or
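Review bot: the inline comments on the `user` and `group` lines of the last snippet were not updated along with the code: they still read `User.fromUserName(stack, 'User', 'johnsmith')` and `Group.fromGroupArn(stack, 'Group', ...)` without the `iam.` prefix and with `stack` rather than `this`, while the import-by-name snippet a few lines up now shows `iam.User.fromUserName(this, ...)`. Update them to `iam.User.fromUserName(this, ...)` and `iam.Group.fromGroupArn(this, ...)` so both halves of each line agree and a reader does not end up with the very compile errors this PR is fixing.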
@@ -447,9 +453,9 @@ group.addUser(user);

## Features

* Policy name uniqueness is enforced. If two policies by the same name are attached to the same
principal, the attachment will fail.
* Policy names are not required - the CDK logical ID will be used and ensured to be unique.
* Policies are validated during synthesis to ensure that they have actions, and that policies
attached to IAM principals specify relevant resources, while policies attached to resources
specify which IAM principals they apply to.
* Policy name uniqueness is enforced. If two policies by the same name are attached to the same
principal, the attachment will fail.
* Policy names are not required - the CDK logical ID will be used and ensured to be unique.
* Policies are validated during synthesis to ensure that they have actions, and that policies
attached to IAM principals specify relevant resources, while policies attached to resources
specify which IAM principals they apply to.
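Review bot: the six removed and six added lines of the Features list are textually identical as rendered here, so this is a whitespace or indentation-only change to the wrapped bullet continuations; fine to merge, but the commit title "make examples compile" does not hint at a formatting pass, so a one-line mention in the PR description would help whoever next runs `git blame` on this list.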
8 changes: 4 additions & 4 deletions packages/@aws-cdk/aws-iam/lib/permissions-boundary.ts
@@ -6,10 +6,10 @@ import { IManagedPolicy } from './managed-policy';
/**
* Modify the Permissions Boundaries of Users and Roles in a construct tree
*
* @example
*
* const policy = ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess');
* PermissionsBoundary.of(stack).apply(policy);
* ```ts
* const policy = iam.ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess');
* iam.PermissionsBoundary.of(this).apply(policy);
* ```
*/
export class PermissionsBoundary {
/**
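Review bot: the `@example` now references `iam.ManagedPolicy` and `iam.PermissionsBoundary`, but `permissions-boundary.ts` itself only imports `IManagedPolicy` from './managed-policy' (visible in the hunk context), so the `iam` namespace exists only in the rosetta fixture that compiles the snippet, not in this file; that is the established convention for rosetta-checked examples, and the new ```ts fence is what makes rosetta pick the block up, so the fence and the `iam.` prefix need to stay together. Likewise `PermissionsBoundary.of(this)` assumes the example runs inside a Stack, which matches the `Fixture extends Stack` change in the fixture.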
13 changes: 4 additions & 9 deletions packages/@aws-cdk/aws-iam/rosetta/default.ts-fixture
@@ -1,17 +1,12 @@
import { Construct } from '@aws-cdk/core';
import { Construct } from 'constructs';
import { CustomResource, Stack } from '@aws-cdk/core';
import * as codepipeline from '@aws-cdk/aws-codepipeline';
import * as cognito from '@aws-cdk/aws-cognito';
import * as dynamodb from '@aws-cdk/aws-dynamodb';
import * as lambda from '@aws-cdk/aws-lambda';
import * as iam from '@aws-cdk/aws-iam';

declare const allowUnauthenticatedIdentities: boolean;
declare const functionProps: lambda.FunctionProps;
declare const myProvider: iam.OpenIdConnectProvider;
declare const tableProps: dynamodb.TableProps;

class fixture$construct extends Construct {
public constructor(scope: Construct, id: string) {
class Fixture extends Stack {
constructor(scope: Construct, id: string) {
super(scope, id);

/// here
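Review bot: changing the fixture class from `fixture$construct extends Construct` to `Fixture extends Stack` changes the type of `this` in every README snippet from Construct to Stack; that is what lets `iam.PermissionsBoundary.of(this)` stand in for the old `of(stack)`, but it also means no snippet now exercises the plain-Construct scope case, which may be worth a second fixture later. Moving `declare const myProvider: iam.OpenIdConnectProvider;` out of the fixture and into the README snippet is an improvement, since the example is now self-describing. `codepipeline` remains imported although nothing in this diff uses it; presumably other README sections do, otherwise it can go too.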

0 comments on commit 888e5a0