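/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package software.amazon.awssdk.policybuilder.iam;

import java.util.Collection;
import java.util.List;
import java.util.function.Consumer;
import software.amazon.awssdk.annotations.SdkPublicApi;
import software.amazon.awssdk.annotations.ThreadSafe;
import software.amazon.awssdk.policybuilder.iam.internal.DefaultIamStatement;
import software.amazon.awssdk.utils.builder.CopyableBuilder;
import software.amazon.awssdk.utils.builder.ToCopyableBuilder;

/**
 * A statement is the formal description of a single permission and is always contained within a policy object.
 *
 * <p>A statement describes a rule for allowing or denying access to a specific AWS resource based on how the
 * resource is being accessed and who is attempting to access it. A statement may also carry a list of conditions
 * that restrict when the statement is honored.
 *
 * <p>Statements take the form: "A has permission to do B to C where D applies", i.e. a principal (A), an action (B),
 * a resource (C) and an optional condition (D). Many resources and conditions are available, and they can be combined
 * to form fine-grained custom access-control policies. For details, see the "Statement" section of the IAM User
 * Guide.
 *
 * <p>Statements are typically attached to an {@link IamPolicy}.
 *
 * <p>Every element except {@code Effect} is optional; the {@code Not*} variants ({@code NotPrincipal},
 * {@code NotAction}, {@code NotResource}) match everything <em>except</em> the listed values, including values
 * that do not exist yet. Prefer explicit allow-lists where possible so the grant does not silently widen as new
 * actions and resources are introduced.
 *
 * <h2>Usage Examples</h2>
 *
 * <p>Create an identity-based policy statement that allows a role to write items to an Amazon DynamoDB table:
 * {@snippet :
 * IamStatement statement =
 *     IamStatement.builder()
 *                 .sid("GrantWriteBookMetadata")
 *                 .effect(IamEffect.ALLOW)
 *                 .addAction("dynamodb:PutItem")
 *                 .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
 *                 .build();
 * }
 *
 * <p>Create a resource-based policy statement that denies access to all users:
 * {@snippet :
 * IamStatement statement =
 *     IamStatement.builder()
 *                 .effect(IamEffect.DENY)
 *                 .addPrincipal(IamPrincipal.ALL)
 *                 .build();
 * }
 *
 * @see IamPolicy
 */
@SdkPublicApi
@ThreadSafe
public interface IamStatement extends ToCopyableBuilder<IamStatement.Builder, IamStatement> {

    /**
     * Create a {@link Builder} for an {@code IamStatement}.
     *
     * @return a new, empty builder backed by the SDK's default implementation
     */
    static Builder builder() {
        return DefaultIamStatement.builder();
    }

    /**
     * Retrieve the statement identifier set by {@link Builder#sid(String)}.
     *
     * @return the {@code Sid}, or {@code null} if none was configured
     */
    String sid();

    /**
     * Retrieve the effect set by {@link Builder#effect(IamEffect)} or {@link Builder#effect(String)}.
     *
     * @return whether this statement allows or denies access
     */
    IamEffect effect();

    /**
     * Retrieve the principals set by {@link Builder#principals(Collection)} and the {@code addPrincipal*} methods.
     *
     * @return the {@code Principal} element, empty if none were configured
     */
    List<IamPrincipal> principals();

    /**
     * Retrieve the not-principals set by {@link Builder#notPrincipals(Collection)} and the {@code addNotPrincipal*}
     * methods.
     *
     * @return the {@code NotPrincipal} element, empty if none were configured
     */
    List<IamPrincipal> notPrincipals();

    /**
     * Retrieve the actions set by {@link Builder#actions(Collection)} and the {@code addAction} methods.
     *
     * @return the {@code Action} element, empty if none were configured
     */
    List<IamAction> actions();

    /**
     * Retrieve the not-actions set by {@link Builder#notActions(Collection)} and the {@code addNotAction} methods.
     *
     * @return the {@code NotAction} element, empty if none were configured
     */
    List<IamAction> notActions();

    /**
     * Retrieve the resources set by {@link Builder#resources(Collection)} and the {@code addResource} methods.
     *
     * @return the {@code Resource} element, empty if none were configured
     */
    List<IamResource> resources();

    /**
     * Retrieve the not-resources set by {@link Builder#notResources(Collection)} and the {@code addNotResource}
     * methods.
     *
     * @return the {@code NotResource} element, empty if none were configured
     */
    List<IamResource> notResources();

    /**
     * Retrieve the conditions set by {@link Builder#conditions(Collection)} and the {@code addCondition*} methods.
     *
     * @return the {@code Condition} element, empty if none were configured
     */
    List<IamCondition> conditions();

    /**
     * Builder for {@link IamStatement}. Methods whose name starts with a noun ({@code principals}, {@code actions},
     * ...) <em>replace</em> the corresponding element; methods starting with {@code add} <em>append</em> to it.
     *
     * @see #builder()
     */
    interface Builder extends CopyableBuilder<Builder, IamStatement> {

        /**
         * Configure the {@code Sid} element of the statement: an optional identifier for the statement.
         *
         * {@snippet :
         * IamStatement statement =
         *     IamStatement.builder()
         *                 .sid("GrantReadBookMetadata") // An identifier for the statement
         *                 .effect(IamEffect.ALLOW)
         *                 .addAction("dynamodb:GetItem")
         *                 .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
         *                 .build();
         * }
         *
         * @param sid the statement identifier
         * @return this builder
         */
        Builder sid(String sid);

        /**
         * Configure the {@code Effect} element of the statement, specifying whether the statement results in an
         * allow or a deny.
         *
         * <p>This value is required.
         *
         * {@snippet :
         * IamStatement statement =
         *     IamStatement.builder()
         *                 .sid("GrantReadBookMetadata")
         *                 .effect(IamEffect.ALLOW) // The statement ALLOWS access
         *                 .addAction("dynamodb:GetItem")
         *                 .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
         *                 .build();
         * }
         *
         * @param effect the effect of the statement
         * @return this builder
         * @see IamEffect
         */
        Builder effect(IamEffect effect);

        /**
         * Configure the {@code Effect} element of the statement from its string form (for example {@code "Allow"}).
         *
         * <p>This works the same as {@link #effect(IamEffect)}, except you do not need to reference
         * {@link IamEffect}. This value is required.
         *
         * @param effect the effect of the statement, as it appears in policy JSON
         * @return this builder
         * @see IamEffect
         */
        Builder effect(String effect);

        /**
         * Configure the {@code Principal} element of the statement, specifying the principals that are allowed or
         * denied access to a resource.
         *
         * <p>This replaces any principals already added to the statement.
         *
         * {@snippet :
         * List<IamPrincipal> bookReaderRoles =
         *     IamPrincipal.createAll("AWS",
         *                            Arrays.asList("arn:aws:iam::123456789012:role/books-service",
         *                                          "arn:aws:iam::123456789012:role/books-operator"));
         *
         * IamStatement statement =
         *     IamStatement.builder()
         *                 .sid("GrantReadBookContent")
         *                 .effect(IamEffect.ALLOW)
         *                 .principals(bookReaderRoles) // Allows the books service and operators
         *                 .addAction("s3:GetObject")
         *                 .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
         *                 .build();
         * }
         *
         * @param principals the principals that make up the {@code Principal} element
         * @return this builder
         * @see IamPrincipal
         */
        Builder principals(Collection<IamPrincipal> principals);

        /**
         * Append a {@code Principal} to this statement, specifying a principal that is allowed or denied access
         * to a resource.
         *
         * @param principal the principal to append
         * @return this builder
         */
        Builder addPrincipal(IamPrincipal principal);

        /**
         * Append a {@code Principal} to this statement, configured through its builder.
         *
         * <p>This works the same as {@link #addPrincipal(IamPrincipal)}, except you do not need to call
         * {@code IamPrincipal.builder()} or {@code build()}, e.g.
         * {@code .addPrincipal(p -> p.type("AWS").id("arn:aws:iam::123456789012:role/books-service"))}.
         *
         * @param principal a consumer that configures the principal's builder
         * @return this builder
         */
        Builder addPrincipal(Consumer<IamPrincipal.Builder> principal);

        /**
         * Append a {@code Principal} to this statement from a principal type and identifier.
         *
         * <p>This works the same as {@link #addPrincipal(IamPrincipal)}, except you do not need to call
         * {@code IamPrincipal.create()}.
         *
         * @param iamPrincipalType the type of the principal (for example {@code IamPrincipalType.AWS})
         * @param principal        the principal identifier, typically an ARN
         * @return this builder
         */
        Builder addPrincipal(IamPrincipalType iamPrincipalType, String principal);

        /**
         * Append a {@code Principal} to this statement from a principal type name and identifier.
         *
         * <p>This works the same as {@link #addPrincipal(IamPrincipalType, String)}, except you do not need to
         * call {@code IamPrincipalType.create()}.
         *
         * @param iamPrincipalType the principal type as it appears in policy JSON (for example {@code "AWS"})
         * @param principal        the principal identifier, typically an ARN
         * @return this builder
         */
        Builder addPrincipal(String iamPrincipalType, String principal);

        /**
         * Append multiple {@code Principal}s of the same type to this statement.
         *
         * <p>This works the same as calling {@link #addPrincipal(IamPrincipalType, String)} once per identifier
         * with the same {@link IamPrincipalType}.
         *
         * @param iamPrincipalType the type shared by all the principals
         * @param principals       the principal identifiers
         * @return this builder
         */
        Builder addPrincipals(IamPrincipalType iamPrincipalType, Collection<String> principals);

        /**
         * Append multiple {@code Principal}s of the same type name to this statement.
         *
         * <p>This works the same as calling {@link #addPrincipal(String, String)} once per identifier with the
         * same type name.
         *
         * @param iamPrincipalType the type shared by all the principals, as it appears in policy JSON
         * @param principals       the principal identifiers
         * @return this builder
         */
        Builder addPrincipals(String iamPrincipalType, Collection<String> principals);

        /**
         * Configure the {@code NotPrincipal} element of the statement, specifying that all principals are affected
         * by the statement <em>except</em> the ones listed.
         *
         * <p>Very few scenarios require {@code NotPrincipal}; explore other authorization options before using
         * it. {@code NotPrincipal} can only be used with {@link IamEffect#DENY} statements.
         *
         * <p>This replaces any not-principals already added to the statement.
         *
         * {@snippet :
         * List<IamPrincipal> bookReaderRoles =
         *     IamPrincipal.createAll("AWS",
         *                            Arrays.asList("arn:aws:iam::123456789012:role/books-service",
         *                                          "arn:aws:iam::123456789012:role/books-operator"));
         *
         * IamStatement statement =
         *     IamStatement.builder()
         *                 .sid("GrantReadBookContent")
         *                 .effect(IamEffect.DENY)
         *                 // Denies everyone except the books service and operators:
         *                 .notPrincipals(bookReaderRoles)
         *                 .addAction("s3:GetObject")
         *                 .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
         *                 .build();
         * }
         *
         * @param notPrincipals the principals that make up the {@code NotPrincipal} element
         * @return this builder
         */
        Builder notPrincipals(Collection<IamPrincipal> notPrincipals);

        /**
         * Append a {@code NotPrincipal} to this statement.
         *
         * <p>{@code NotPrincipal} can only be used with {@link IamEffect#DENY} statements; see
         * {@link #notPrincipals(Collection)} for the caveats that apply.
         *
         * @param notPrincipal the principal to exclude
         * @return this builder
         */
        Builder addNotPrincipal(IamPrincipal notPrincipal);

        /**
         * Append a {@code NotPrincipal} to this statement, configured through its builder.
         *
         * <p>This works the same as {@link #addNotPrincipal(IamPrincipal)}, except you do not need to call
         * {@code IamPrincipal.builder()} or {@code build()}.
         *
         * @param notPrincipal a consumer that configures the principal's builder
         * @return this builder
         */
        Builder addNotPrincipal(Consumer<IamPrincipal.Builder> notPrincipal);

        /**
         * Append a {@code NotPrincipal} to this statement from a principal type and identifier.
         *
         * <p>This works the same as {@link #addNotPrincipal(IamPrincipal)}, except you do not need to call
         * {@code IamPrincipal.create()}.
         *
         * @param iamPrincipalType the type of the principal
         * @param notPrincipal     the principal identifier, typically an ARN
         * @return this builder
         */
        Builder addNotPrincipal(IamPrincipalType iamPrincipalType, String notPrincipal);

        /**
         * Append a {@code NotPrincipal} to this statement from a principal type name and identifier.
         *
         * <p>This works the same as {@link #addNotPrincipal(IamPrincipalType, String)}, except you do not need to
         * call {@code IamPrincipalType.create()}.
         *
         * @param iamPrincipalType the principal type as it appears in policy JSON
         * @param notPrincipal     the principal identifier, typically an ARN
         * @return this builder
         */
        Builder addNotPrincipal(String iamPrincipalType, String notPrincipal);

        /**
         * Append multiple {@code NotPrincipal}s of the same type to this statement.
         *
         * <p>This works the same as calling {@link #addNotPrincipal(IamPrincipalType, String)} once per identifier
         * with the same {@link IamPrincipalType}.
         *
         * @param iamPrincipalType the type shared by all the principals
         * @param notPrincipals    the principal identifiers
         * @return this builder
         */
        Builder addNotPrincipals(IamPrincipalType iamPrincipalType, Collection<String> notPrincipals);

        /**
         * Append multiple {@code NotPrincipal}s of the same type name to this statement.
         *
         * <p>This works the same as calling {@link #addNotPrincipal(String, String)} once per identifier with the
         * same type name.
         *
         * @param iamPrincipalType the type shared by all the principals, as it appears in policy JSON
         * @param notPrincipals    the principal identifiers
         * @return this builder
         */
        Builder addNotPrincipals(String iamPrincipalType, Collection<String> notPrincipals);

        /**
         * Configure the {@code Action} element of the statement, specifying the actions that are allowed or denied.
         *
         * <p>This replaces any actions already added to the statement.
         *
         * {@snippet :
         * IamStatement statement =
         *     IamStatement.builder()
         *                 .sid("GrantReadWriteBookMetadata")
         *                 .effect(IamEffect.ALLOW)
         *                 // Grants read and write of items in Amazon DynamoDB:
         *                 .actions(Arrays.asList(IamAction.create("dynamodb:PutItem"),
         *                                        IamAction.create("dynamodb:GetItem")))
         *                 .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
         *                 .build();
         * }
         *
         * @param actions the actions that make up the {@code Action} element
         * @return this builder
         */
        Builder actions(Collection<IamAction> actions);

        /**
         * Configure the {@code Action} element of the statement from action identifiers such as
         * {@code "dynamodb:GetItem"}.
         *
         * <p>This works the same as {@link #actions(Collection)}, except you do not need to call
         * {@code IamAction.create()} on each action. This replaces any actions already added to the statement.
         *
         * @param actions the action identifiers
         * @return this builder
         */
        Builder actionIds(Collection<String> actions);

        /**
         * Append an action to the {@code Action} element of this statement.
         *
         * @param action the action to append
         * @return this builder
         */
        Builder addAction(IamAction action);

        /**
         * Append an action identifier to the {@code Action} element of this statement.
         *
         * <p>This works the same as {@link #addAction(IamAction)}, except you do not need to call
         * {@code IamAction.create()}.
         *
         * @param action the action identifier, for example {@code "dynamodb:GetItem"}
         * @return this builder
         */
        Builder addAction(String action);

        /**
         * Configure the {@code NotAction} element of the statement, specifying actions that are excluded from
         * the statement's effect.
         *
         * <p>With {@link IamEffect#ALLOW}, this grants <em>all current and future</em> actions on the matched
         * resources except the ones listed. This replaces any not-actions already added to the statement.
         *
         * {@snippet :
         * IamStatement statement =
         *     IamStatement.builder()
         *                 .sid("GrantAllButDeleteBookMetadataTable")
         *                 .effect(IamEffect.ALLOW)
         *                 // Grants ALL CURRENT AND FUTURE actions on the books table, except dynamodb:DeleteTable
         *                 .notActions(Arrays.asList(IamAction.create("dynamodb:DeleteTable")))
         *                 .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
         *                 .build();
         * }
         *
         * @param actions the actions that make up the {@code NotAction} element
         * @return this builder
         */
        Builder notActions(Collection<IamAction> actions);

        /**
         * Configure the {@code NotAction} element of the statement from action identifiers.
         *
         * <p>This works the same as {@link #notActions(Collection)}, except you do not need to call
         * {@code IamAction.create()} on each action. This replaces any not-actions already added to the statement.
         *
         * @param actions the action identifiers
         * @return this builder
         */
        Builder notActionIds(Collection<String> actions);

        /**
         * Append an action to the {@code NotAction} element of this statement.
         *
         * <p>See {@link #notActions(Collection)} for how {@code NotAction} widens an allow statement.
         *
         * @param action the action to exclude
         * @return this builder
         */
        Builder addNotAction(IamAction action);

        /**
         * Append an action identifier to the {@code NotAction} element of this statement.
         *
         * <p>This works the same as {@link #addNotAction(IamAction)}, except you do not need to call
         * {@code IamAction.create()}.
         *
         * @param action the action identifier to exclude
         * @return this builder
         */
        Builder addNotAction(String action);

        /**
         * Configure the {@code Resource} element of the statement, specifying the resource(s) that the statement
         * covers.
         *
         * <p>This replaces any resources already added to the statement.
         *
         * {@snippet :
         * List<IamResource> resources =
         *     Arrays.asList(IamResource.create("arn:aws:dynamodb:us-east-2:123456789012:table/books"),
         *                   IamResource.create("arn:aws:dynamodb:us-east-2:123456789012:table/customers"));
         *
         * IamStatement statement =
         *     IamStatement.builder()
         *                 .sid("GrantReadBookAndCustomersMetadata")
         *                 .effect(IamEffect.ALLOW)
         *                 .addAction("dynamodb:GetItem")
         *                 // Grants access to the books and customers tables:
         *                 .resources(resources)
         *                 .build();
         * }
         *
         * @param resources the resources that make up the {@code Resource} element
         * @return this builder
         */
        Builder resources(Collection<IamResource> resources);

        /**
         * Configure the {@code Resource} element of the statement from resource identifiers (ARNs).
         *
         * <p>This works the same as {@link #resources(Collection)}, except you do not need to call
         * {@code IamResource.create()} on each resource. This replaces any resources already added to the
         * statement.
         *
         * @param resources the resource identifiers
         * @return this builder
         */
        Builder resourceIds(Collection<String> resources);

        /**
         * Append a resource to the {@code Resource} element of this statement.
         *
         * @param resource the resource to append
         * @return this builder
         */
        Builder addResource(IamResource resource);

        /**
         * Append a resource identifier (ARN) to the {@code Resource} element of this statement.
         *
         * <p>This works the same as {@link #addResource(IamResource)}, except you do not need to call
         * {@code IamResource.create()}.
         *
         * @param resource the resource identifier
         * @return this builder
         */
        Builder addResource(String resource);

        /**
         * Configure the {@code NotResource} element of the statement, specifying that the statement applies to
         * every resource <em>except</em> the ones listed.
         *
         * <p>With {@link IamEffect#ALLOW}, this grants access to <em>every current and future</em> resource except
         * the ones listed. This replaces any not-resources already added to the statement.
         *
         * {@snippet :
         * List<IamResource> notResources =
         *     Arrays.asList(IamResource.create("arn:aws:dynamodb:us-east-2:123456789012:table/customers"));
         *
         * IamStatement statement =
         *     IamStatement.builder()
         *                 .sid("GrantReadNotCustomers")
         *                 .effect(IamEffect.ALLOW)
         *                 .addAction("dynamodb:GetItem")
         *                 // Grants access to EVERY CURRENT AND FUTURE RESOURCE except the customers table:
         *                 .notResources(notResources)
         *                 .build();
         * }
         *
         * @param resources the resources that make up the {@code NotResource} element
         * @return this builder
         */
        Builder notResources(Collection<IamResource> resources);

        /**
         * Configure the {@code NotResource} element of the statement from resource identifiers (ARNs).
         *
         * <p>This works the same as {@link #notResources(Collection)}, except you do not need to call
         * {@code IamResource.create()} on each resource. This replaces any not-resources already added to the
         * statement.
         *
         * @param resources the resource identifiers
         * @return this builder
         */
        Builder notResourceIds(Collection<String> resources);

        /**
         * Append a resource to the {@code NotResource} element of this statement.
         *
         * <p>See {@link #notResources(Collection)} for how {@code NotResource} widens an allow statement.
         *
         * @param resource the resource to exclude
         * @return this builder
         */
        Builder addNotResource(IamResource resource);

        /**
         * Append a resource identifier (ARN) to the {@code NotResource} element of this statement.
         *
         * <p>This works the same as {@link #addNotResource(IamResource)}, except you do not need to call
         * {@code IamResource.create()}.
         *
         * @param resource the resource identifier to exclude
         * @return this builder
         */
        Builder addNotResource(String resource);

        /**
         * Configure the {@code Condition} element of the statement, specifying the conditions under which the
         * statement is in effect.
         *
         * <p>This replaces any conditions already added to the statement.
         *
         * {@snippet :
         * IamCondition startTime = IamCondition.create(IamConditionOperator.DATE_GREATER_THAN,
         *                                              "aws:CurrentTime",
         *                                              "1988-05-21T00:00:00Z");
         * IamCondition endTime = IamCondition.create(IamConditionOperator.DATE_LESS_THAN,
         *                                            "aws:CurrentTime",
         *                                            "2065-09-01T00:00:00Z");
         *
         * IamStatement statement =
         *     IamStatement.builder()
         *                 .sid("GrantReadBooks")
         *                 .effect(IamEffect.ALLOW)
         *                 .addAction("dynamodb:GetItem")
         *                 .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
         *                 // Grants access between the specified start and end times:
         *                 .conditions(Arrays.asList(startTime, endTime))
         *                 .build();
         * }
         *
         * @param conditions the conditions that make up the {@code Condition} element
         * @return this builder
         */
        Builder conditions(Collection<IamCondition> conditions);

        /**
         * Append a {@code Condition} to this statement.
         *
         * @param condition the condition to append
         * @return this builder
         */
        Builder addCondition(IamCondition condition);

        /**
         * Append a {@code Condition} to this statement, configured through its builder.
         *
         * <p>This works the same as {@link #addCondition(IamCondition)}, except you do not need to call
         * {@code IamCondition.builder()} or {@code build()}, e.g.
         * {@code .addCondition(c -> c.operator(IamConditionOperator.DATE_GREATER_THAN).key("aws:CurrentTime").value("1988-05-21T00:00:00Z"))}.
         *
         * @param condition a consumer that configures the condition's builder
         * @return this builder
         */
        Builder addCondition(Consumer<IamCondition.Builder> condition);

        /**
         * Append a {@code Condition} to this statement from its operator, key and value.
         *
         * <p>This works the same as {@link #addCondition(IamCondition)}, except you do not need to call
         * {@code IamCondition.create()}.
         *
         * @param operator the condition operator
         * @param key      the condition key
         * @param value    the value compared against the key
         * @return this builder
         */
        Builder addCondition(IamConditionOperator operator, IamConditionKey key, String value);

        /**
         * Append a {@code Condition} to this statement from its operator, key name and value.
         *
         * <p>This works the same as {@link #addCondition(IamConditionOperator, IamConditionKey, String)}, except
         * you do not need to call {@code IamConditionKey.create()}.
         *
         * @param operator the condition operator
         * @param key      the condition key, for example {@code "aws:CurrentTime"}
         * @param value    the value compared against the key
         * @return this builder
         */
        Builder addCondition(IamConditionOperator operator, String key, String value);

        /**
         * Append a {@code Condition} to this statement from its operator name, key name and value.
         *
         * <p>This works the same as {@link #addCondition(IamConditionOperator, String, String)}, except the
         * operator is given as it appears in policy JSON, for example {@code "DateGreaterThan"}.
         *
         * @param operator the condition operator name
         * @param key      the condition key
         * @param values   the value compared against the key
         * @return this builder
         */
        Builder addCondition(String operator, String key, String values);

        /**
         * Append multiple {@code Condition}s sharing an operator and key but with different values.
         *
         * <p>This works the same as calling {@link #addCondition(IamConditionOperator, IamConditionKey, String)}
         * once per value.
         *
         * {@snippet :
         * IamStatement statement =
         *     IamStatement.builder()
         *                 .sid("GrantReadBooks")
         *                 .effect(IamEffect.ALLOW)
         *                 .addAction("dynamodb:GetItem")
         *                 .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
         *                 // Grants access only in the us-east-1 and us-west-2 regions:
         *                 .addConditions(IamConditionOperator.STRING_EQUALS,
         *                                IamConditionKey.create("aws:RequestedRegion"),
         *                                Arrays.asList("us-east-1", "us-west-2"))
         *                 .build();
         * }
         *
         * @param operator the condition operator
         * @param key      the condition key
         * @param values   the values compared against the key
         * @return this builder
         */
        Builder addConditions(IamConditionOperator operator, IamConditionKey key, Collection<String> values);

        /**
         * Append multiple {@code Condition}s sharing an operator and key name but with different values.
         *
         * <p>This works the same as calling {@link #addCondition(IamConditionOperator, String, String)} once per
         * value.
         *
         * @param operator the condition operator
         * @param key      the condition key, for example {@code "aws:RequestedRegion"}
         * @param values   the values compared against the key
         * @return this builder
         */
        Builder addConditions(IamConditionOperator operator, String key, Collection<String> values);

        /**
         * Append multiple {@code Condition}s sharing an operator name and key name but with different values.
         *
         * <p>This works the same as calling {@link #addCondition(String, String, String)} once per value.
         *
         * @param operator the condition operator name, for example {@code "StringEquals"}
         * @param key      the condition key
         * @param values   the values compared against the key
         * @return this builder
         */
        Builder addConditions(String operator, String key, Collection<String> values);
    }
}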