policy_statement

IAM policy statement constructors.

Provides factory functions and helper classes to create AWS IAM policy statements with correct structure and syntax. Simplifies the creation of common permission patterns while ensuring policy best practices.

cdkit.srv.iam.policy_statement.create_get_caller_identity_statement(policy_statement_kwargs: Dict[str, Any] | None = None) -> PolicyStatement

Allows the caller to get their identity.

cdkit.srv.iam.policy_statement.create_assume_role_statement(role_to_assume_arn_list: list[str], policy_statement_kwargs: Dict[str, Any] | None = None) -> PolicyStatement

Allows assuming specific roles.

Parameters:

role_to_assume_arn_list – List of ARNs of roles to assume.

cdkit.srv.iam.policy_statement.create_allow_all_services_except_identity_management_statement(policy_statement_kwargs: Dict[str, Any] | None = None) -> PolicyStatement

Allow access to all AWS services except identity management services (IAM, Organizations, Account).

The principal is denied actions related to IAM, Organizations, and Account, but allowed all other actions.

cdkit.srv.iam.policy_statement.create_account_and_org_and_iam_read_only_statement(policy_statement_kwargs: Dict[str, Any] | None = None) -> PolicyStatement

Allow read-only access to IAM, Organizations, and Account resources.

The principal can view configuration details of these resources, but cannot modify or create them.

cdkit.srv.iam.policy_statement.create_prefixed_iam_management_statement(prefix: str, policy_statement_kwargs: Dict[str, Any] | None = None) -> PolicyStatement

Allow full IAM management access for resources prefixed with the given string.

The principal can manage IAM instance profiles, policies, and roles whose names start with the specified prefix.

cdkit.srv.iam.policy_statement.create_require_permission_boundary_for_role_creation_statement(policy_name: str, policy_statement_kwargs: Dict[str, Any] | None = None) -> PolicyStatement

Allow creation of IAM roles only if a specific permissions boundary is attached.

The principal can create roles only when the specified permissions boundary policy is applied.
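The following is an added example, not cdkit's own code: it sketches in plain dicts the boundary-requiring statement this factory describes (and the kind of prefixed iam:* grant the previous factory describes), then runs a small lint that flags any Allow statement able to reach iam:CreateRole without an iam:PermissionsBoundary condition. The statement shapes, helper names, sample account ID and ARNs are assumptions, since the page does not show the generated JSON.

```python
import fnmatch
import json
from typing import Any

ROLE_CREATE_ACTION = "iam:CreateRole"

def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]

def require_permissions_boundary_statement(boundary_policy_arn: str) -> dict[str, Any]:
    # Assumed shape: allow role creation only when this boundary is attached.
    # iam:PermissionsBoundary is the real condition key carrying the boundary
    # ARN supplied on CreateRole / PutRolePermissionsBoundary requests.
    return {
        "Effect": "Allow",
        "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
        "Resource": "*",
        "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary_policy_arn}},
    }

def statement_grants_unbounded_role_creation(stmt: dict[str, Any]) -> bool:
    # True when an Allow statement can reach iam:CreateRole with no boundary condition.
    if stmt.get("Effect") != "Allow":
        return False
    if "Action" in stmt:
        reachable = any(_matches(p, ROLE_CREATE_ACTION) for p in _as_list(stmt["Action"]))
    else:  # NotAction grants everything that is *not* listed
        reachable = not any(_matches(p, ROLE_CREATE_ACTION) for p in _as_list(stmt.get("NotAction", [])))
    if not reachable:
        return False
    keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
    return "iam:permissionsboundary" not in keys

def unbounded_role_creation_statements(policy_json: str) -> list[int]:
    # Indexes of statements in a JSON policy document that need review.
    doc = json.loads(policy_json)
    return [i for i, s in enumerate(_as_list(doc["Statement"])) if statement_grants_unbounded_role_creation(s)]

# Constructed sample: the boundary-guarded statement beside a broad prefixed iam:* grant.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    require_permissions_boundary_statement("arn:aws:iam::123456789012:policy/example-boundary"),
    {"Effect": "Allow", "Action": "iam:*", "Resource": "arn:aws:iam::*:role/team-a-*"},
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"},
]})
```

Because IAM unions Allow statements, the lint reports the second statement: a prefixed iam:* grant reaches iam:CreateRole for matching role names without the boundary condition, so the boundary requirement needs a matching restriction on that grant as well.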

cdkit.srv.iam.policy_statement.create_restricted_read_only_statement(policy_statement_kwargs: Dict[str, Any] | None = None) -> PolicyStatement

Grant read-only access across a wide range of AWS services, excluding any write or management actions.