import type { Construct } from 'constructs';
import type { IGroup } from './group';
import type { IUserRef, UserReference } from './iam.generated';
import type { IIdentity } from './identity-base';
import type { IManagedPolicy } from './managed-policy';
import { Policy } from './policy';
import type { PolicyStatement } from './policy-statement';
import type { AddToPrincipalPolicyResult, IPrincipal, PrincipalPolicyFragment } from './principals';
import type { SecretValue } from '../../core';
import { Resource } from '../../core';
/**
 * Represents an IAM user
 *
 * Implemented both by users defined in this stack (`User`) and by users
 * imported with `User.fromUserName`, `User.fromUserArn` or
 * `User.fromUserAttributes`.
 *
 * @see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html
 */
export interface IUser extends IIdentity, IUserRef {
  /**
   * The user's name
   * @attribute
   */
  readonly userName: string;
  /**
   * The user's ARN
   * @attribute
   */
  readonly userArn: string;
  /**
   * Adds this user to a group.
   *
   * Group membership is how a user inherits the group's policies; the
   * user's own attached policies are not affected.
   *
   * @param group the group to add this user to
   */
  addToGroup(group: IGroup): void;
}
/**
 * Properties for defining an IAM user
 *
 * All properties are optional; a `User` constructed with no props gets a
 * CloudFormation-generated name, no group memberships, no policies and no
 * console password.
 */
export interface UserProps {
  /**
   * Groups to add this user to. You can also use `addToGroup` to add this
   * user to a group.
   *
   * @default - No groups.
   */
  readonly groups?: IGroup[];
  /**
   * A list of managed policies associated with this user.
   *
   * You can add managed policies later using
   * `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
   *
   * @default - No managed policies.
   */
  readonly managedPolicies?: IManagedPolicy[];
  /**
   * The path for the user name. For more information about paths, see IAM
   * Identifiers in the IAM User Guide.
   *
   * @default /
   */
  readonly path?: string;
  /**
   * AWS supports permissions boundaries for IAM entities (users or roles).
   * A permissions boundary is an advanced feature for using a managed policy
   * to set the maximum permissions that an identity-based policy can grant to
   * an IAM entity. An entity's permissions boundary allows it to perform only
   * the actions that are allowed by both its identity-based policies and its
   * permissions boundaries.
   *
   * A boundary does not grant anything by itself; it only caps what the
   * user's identity-based policies (including ones added later through
   * `addToPrincipalPolicy` or `addManagedPolicy`) can grant.
   *
   * @link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-user.html#cfn-iam-user-permissionsboundary
   * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
   *
   * @default - No permissions boundary.
   */
  readonly permissionsBoundary?: IManagedPolicy;
  /**
   * A name for the IAM user. For valid values, see the UserName parameter for
   * the CreateUser action in the IAM API Reference. If you don't specify a
   * name, AWS CloudFormation generates a unique physical ID and uses that ID
   * for the user name.
   *
   * If you specify a name, you cannot perform updates that require
   * replacement of this resource. You can perform updates that require no or
   * some interruption. If you must replace the resource, specify a new name.
   *
   * If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
   * acknowledge your template's capabilities. For more information, see
   * Acknowledging IAM Resources in AWS CloudFormation Templates.
   *
   * @default - Generated by CloudFormation (recommended)
   */
  readonly userName?: string;
  /**
   * The password for the user. This is required so the user can access the
   * AWS Management Console.
   *
   * You can use `SecretValue.unsafePlainText` to specify a password in plain text or
   * use `secretsmanager.Secret.fromSecretAttributes` to reference a secret in
   * Secrets Manager.
   *
   * A value built with `SecretValue.unsafePlainText` is rendered into the
   * synthesized template as-is, so it ends up in source control, the asset
   * bucket and the CloudFormation console; prefer the Secrets Manager
   * reference, which keeps the password out of the template. Omit this
   * property entirely for users that only need programmatic (access key)
   * access.
   *
   * @default - User won't be able to access the management console without a password.
   */
  readonly password?: SecretValue;
  /**
   * Specifies whether the user is required to set a new password the next
   * time the user logs in to the AWS Management Console.
   *
   * If this is set to 'true', you must also specify `password`.
   *
   * Setting this to true shortens the lifetime of an initial password that
   * was distributed out-of-band.
   *
   * @default false
   */
  readonly passwordResetRequired?: boolean;
}
/**
 * Represents a user defined outside of this stack.
 *
 * Used with `User.fromUserAttributes` to reference an existing user
 * without creating a new `AWS::IAM::User` resource.
 */
export interface UserAttributes {
  /**
   * The ARN of the user.
   *
   * Format: arn:<partition>:iam::<account-id>:user/<user-name-with-path>
   *
   * The user name is derived from the ARN's resource segment, so an ARN
   * supplied as a Token cannot carry a path (see `User.fromUserArn`).
   */
  readonly userArn: string;
}
/**
 * Define a new IAM user
 *
 * Creates a `CfnUser` (`AWS::IAM::User`) and exposes it as an `IPrincipal`
 * that can be granted permissions, added to groups and have managed or
 * inline policies attached.
 */
export declare class User extends Resource implements IIdentity, IUser {
  /**
   * Uniquely identifies this class.
   */
  static readonly PROPERTY_INJECTION_ID: string;
  /**
   * Import an existing user given a username.
   *
   * The returned object references the user by name; no resource is created.
   *
   * @param scope construct scope
   * @param id construct id
   * @param userName the username of the existing user to import
   */
  static fromUserName(scope: Construct, id: string, userName: string): IUser;
  /**
   * Import an existing user given a user ARN.
   *
   * If the ARN comes from a Token, the User cannot have a path; if so, any attempt
   * to reference its username will fail.
   *
   * @param scope construct scope
   * @param id construct id
   * @param userArn the ARN of an existing user to import
   */
  static fromUserArn(scope: Construct, id: string, userArn: string): IUser;
  /**
   * Import an existing user given user attributes.
   *
   * If the ARN comes from a Token, the User cannot have a path; if so, any attempt
   * to reference its username will fail.
   *
   * @param scope construct scope
   * @param id construct id
   * @param attrs the attributes of the user to import
   */
  static fromUserAttributes(scope: Construct, id: string, attrs: UserAttributes): IUser;
  /**
   * The principal that receives permissions when this user is the target of
   * a `grant*` call (this user itself).
   */
  readonly grantPrincipal: IPrincipal;
  /**
   * The AWS account this principal lives in, or `undefined` when it cannot
   * be determined (for example, in an environment-agnostic stack).
   */
  readonly principalAccount: string | undefined;
  /**
   * The STS action used when this principal assumes a role.
   * NOTE(review): the value is set in the implementation, not visible here —
   * presumably `sts:AssumeRole`; confirm before relying on it.
   */
  readonly assumeRoleAction: string;
  /**
   * The CfnUser resource
   */
  private readonly _resource;
  /**
   * An attribute that represents the user name.
   * @attribute
   */
  get userName(): string;
  /**
   * An attribute that represents the user's ARN.
   * @attribute
   */
  get userArn(): string;
  /**
   * Returns the permissions boundary attached to this user
   *
   * `undefined` when no boundary was passed in `UserProps`.
   */
  readonly permissionsBoundary?: IManagedPolicy;
  /**
   * The policy fragment (principal JSON) that identifies this user in a
   * resource or trust policy.
   */
  readonly policyFragment: PrincipalPolicyFragment;
  /**
   * Groups this user has been added to, via `UserProps.groups` or
   * `addToGroup`.
   */
  private readonly groups;
  /**
   * Managed policies attached to this user, via `UserProps.managedPolicies`
   * or `addManagedPolicy`.
   */
  private readonly _managedPolicies;
  /**
   * Inline policies attached through `attachInlinePolicy`.
   */
  private readonly attachedPolicies;
  /**
   * The policy that collects statements added via `addToPrincipalPolicy`.
   * Optional because it is presumably created on first use — TODO confirm.
   */
  private defaultPolicy?;
  /**
   * The user path from `UserProps.path`, when one was given.
   */
  private readonly _path?;
  /**
   * @param scope construct scope
   * @param id construct id
   * @param props user configuration; see `UserProps` for defaults
   */
  constructor(scope: Construct, id: string, props?: UserProps);
  /**
   * A reference to this user for use by other constructs that need its
   * identifying attributes.
   */
  get userRef(): UserReference;
  /**
   * Adds this user to a group.
   *
   * @param group the group to add this user to
   */
  addToGroup(group: IGroup): void;
  /**
   * Attaches a managed policy to the user.
   * @param policy The managed policy to attach.
   */
  addManagedPolicy(policy: IManagedPolicy): void;
  /**
   * Attaches a policy to this user.
   *
   * @param policy the inline policy to attach
   */
  attachInlinePolicy(policy: Policy): void;
  /**
   * Adds an IAM statement to the default policy.
   *
   * The statement is always accepted (a user can carry its own identity-based
   * policy), so the result reports it as added.
   *
   * @param statement the statement to add
   * @returns an `AddToPrincipalPolicyResult` reporting that the statement was added
   */
  addToPrincipalPolicy(statement: PolicyStatement): AddToPrincipalPolicyResult;
  /**
   * Adds an IAM statement to the default policy.
   *
   * Prefer `addToPrincipalPolicy`, which returns the richer result type.
   *
   * @param statement the statement to add
   * @returns whether the statement was added (expected to always be true here)
   */
  addToPolicy(statement: PolicyStatement): boolean;
  /**
   * Builds the login-profile configuration for the `CfnUser` from
   * `UserProps.password` and `UserProps.passwordResetRequired`.
   * NOTE(review): inferred from the name and the props it relates to; confirm
   * against the implementation.
   */
  private parseLoginProfile;
}