import type { ITableRef } from './dynamodb.generated';
import * as iam from '../../aws-iam';
/**
 * Construction properties for TableGrants.
 *
 * Identifies the table whose resources a `TableGrants` instance will scope
 * its IAM statements to, plus the optional replica regions and index
 * coverage that widen that scope.
 */
export interface TableGrantsProps {
  /**
   * The table to grant permissions on.
   */
  readonly table: ITableRef;

  /**
   * Additional regions other than the main one that this table is replicated to.
   *
   * Presumably used so that the granted statements also cover the replica
   * tables in those regions; the ARN construction itself is not visible in
   * this declaration file.
   *
   * @default - No regions
   */
  readonly regions?: string[];

  /**
   * Whether this table has indexes.
   *
   * If so, permissions are granted on all table indexes as well. Leave this
   * unset when the principal does not need index access, so the resulting
   * statement stays as narrow as possible.
   *
   * @default false
   */
  readonly hasIndex?: boolean;

  /**
   * The encrypted resource on which actions will be allowed.
   *
   * @deprecated - Leave this field undefined. If the table is encrypted with a customer-managed KMS key, appropriate
   * grants to the key will be automatically added.
   *
   * @default - A best-effort attempt will be made to discover an associated KMS key and grant permissions to it.
   */
  readonly encryptedResource?: iam.IEncryptedResource;

  /**
   * The resource with policy on which actions will be allowed.
   *
   * @deprecated - Leave this field undefined. A best-effort attempt will be made to discover a resource policy and add
   * permissions to it.
   *
   * @default - A best-effort attempt will be made to discover a resource policy and add permissions to it.
   */
  readonly policyResource?: iam.IResourceWithPolicyV2;
}
/**
 * A set of permissions to grant on a Table.
 *
 * Each `*Data` / `fullAccess` method returns an `iam.Grant`, so callers can
 * attach further conditions or inspect the statements that were added. The
 * two `multiAccountReplication*` methods return `void` instead, so their
 * effect cannot be inspected through a `Grant` (see their own docs).
 */
export declare class TableGrants {
  /**
   * Creates a TableGrants object for a given table.
   *
   * Convenience alternative to the constructor: `regions` and `hasIndex` map
   * onto the same-named `TableGrantsProps` fields.
   *
   * @param table The table to grant permissions on
   * @param regions Additional replica regions (see `TableGrantsProps.regions`)
   * @param hasIndex Whether index resources are included (see `TableGrantsProps.hasIndex`)
   */
  static fromTable(table: ITableRef, regions?: string[], hasIndex?: boolean): TableGrants;
  // The table the grants apply to.
  private readonly table;
  // Resource ARNs the statements are scoped to (type is not exposed in this declaration).
  private readonly arns;
  // Optional KMS-backed resource; see the deprecated `TableGrantsProps.encryptedResource`.
  private readonly encryptedResource?;
  // Optional resource-policy target; see the deprecated `TableGrantsProps.policyResource`.
  private readonly policyResource?;
  /**
   * Creates a TableGrants object from construction properties.
   *
   * @param props Table, optional replica regions and index coverage
   */
  constructor(props: TableGrantsProps);
  /**
   * Adds an IAM policy statement associated with this table to an IAM
   * principal's policy.
   *
   * If `encryptionKey` is present, appropriate grants to the key need to be added
   * separately using the `table.encryptionKey.grant*` methods.
   *
   * NOTE(review): this contradicts `TableGrantsProps.encryptedResource`, which
   * states key grants are added automatically; the implementation is not
   * visible here, so confirm which statement is current before relying on it.
   *
   * @param grantee The principal (no-op if undefined)
   * @param actions The set of actions to allow (i.e. "dynamodb:PutItem", "dynamodb:GetItem", ...)
   * @returns The grant that was added, for further inspection or conditioning
   */
  actions(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
  /**
   * Permits an IAM principal all data read operations from this table:
   * BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan, DescribeTable.
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The grant that was added
   */
  readData(grantee: iam.IGrantable): iam.Grant;
  /**
   * Permits an IAM principal all data write operations to this table:
   * BatchWriteItem, PutItem, UpdateItem, DeleteItem, DescribeTable.
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The grant that was added
   */
  writeData(grantee: iam.IGrantable): iam.Grant;
  /**
   * Permits an IAM principal all data read/write operations to this table:
   * BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan,
   * BatchWriteItem, PutItem, UpdateItem, DeleteItem, DescribeTable.
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The grant that was added
   */
  readWriteData(grantee: iam.IGrantable): iam.Grant;
  /**
   * Permits all DynamoDB operations ("dynamodb:*") to an IAM principal.
   *
   * This is the broadest grant the class offers (it also covers table
   * management actions, not just data access); prefer `readData`,
   * `writeData` or `readWriteData` when one of them is sufficient.
   *
   * Appropriate grants will also be added to the customer-managed KMS key
   * if one was configured.
   *
   * @param grantee The principal to grant access to
   * @returns The grant that was added
   */
  fullAccess(grantee: iam.IGrantable): iam.Grant;
  /**
   * Grants permissions for this table to act as a source for multi-account global table replication.
   *
   * Unlike the data-access methods this returns `void`, so the added
   * statements cannot be inspected through a returned `Grant`. The ARN is
   * not validated here as far as this declaration shows.
   *
   * @param destinationReplicaArn The ARN of the destination replica table in the other account
   */
  multiAccountReplicationTo(destinationReplicaArn: string): void;
  /**
   * Grants permissions for this table to act as a destination for multi-account global table replication.
   *
   * Unlike the data-access methods this returns `void`, so the added
   * statements cannot be inspected through a returned `Grant`. The ARN is
   * not validated here as far as this declaration shows.
   *
   * @param sourceReplicaArn The ARN of the source replica table in the other account
   */
  multiAccountReplicationFrom(sourceReplicaArn: string): void;
}