From f1c08dfd5d1f262e4cd3599806fb6a1c361c5291 Mon Sep 17 00:00:00 2001 From: Sander Date: Fri, 7 Jun 2019 09:31:10 +0200 Subject: [PATCH 1/2] chore(docs): document grant* methods in IAM documentation --- packages/@aws-cdk/aws-iam/README.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/packages/@aws-cdk/aws-iam/README.md b/packages/@aws-cdk/aws-iam/README.md index 30ec76bd767dc..bae6843288ac8 100644 --- a/packages/@aws-cdk/aws-iam/README.md +++ b/packages/@aws-cdk/aws-iam/README.md @@ -26,6 +26,28 @@ Managed policies can be attached using `xxx.attachManagedPolicy(arn)`: [attaching managed policies](test/example.managedpolicy.lit.ts) +### Extending permissions for existing resources + +Many of the AWS CDK resources have `grant*` methods that allow you to grant other resources access to that resource. As an example, the following code gives a Lambda function write permissions (Put, Update, Delete) to a DynamoDB table. + +```typescript +const fn = new lambda.Function(...); +const table = new dynamodb.Table(...); + +table.grantWriteData(fn); +``` + +The more generic `grant` method allows you to give specific permissions to a resource: + +```typescript +const fn = new lambda.Function(...); +const table = new dynamodb.Table(...); + +table.grant(fn, 'dynamodb:PutItem'); +``` + +You can find which `grant*` methods exist for a resource in the [AWS CDK API Reference](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-construct-library.html). + ### Configuring an ExternalId If you need to create roles that will be assumed by 3rd parties, it is generally a good idea to [require an `ExternalId` From 1fe22ff3eacb2ccc34ca652ceee5792bc13d0f03 Mon Sep 17 00:00:00 2001 From: Sander Date: Fri, 7 Jun 2019 10:47:39 +0200 Subject: [PATCH 2/2] Add additional information --- packages/@aws-cdk/aws-iam/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/packages/@aws-cdk/aws-iam/README.md b/packages/@aws-cdk/aws-iam/README.md index bae6843288ac8..5fe8784735d38 100644 --- a/packages/@aws-cdk/aws-iam/README.md +++ b/packages/@aws-cdk/aws-iam/README.md @@ -26,7 +26,7 @@ Managed policies can be attached using `xxx.attachManagedPolicy(arn)`: [attaching managed policies](test/example.managedpolicy.lit.ts) -### Extending permissions for existing resources +### Granting permissions to resources Many of the AWS CDK resources have `grant*` methods that allow you to grant other resources access to that resource. As an example, the following code gives a Lambda function write permissions (Put, Update, Delete) to a DynamoDB table. @@ -46,6 +46,8 @@ const table = new dynamodb.Table(...); table.grant(fn, 'dynamodb:PutItem'); ``` +The `grant*` methods accept an `IGrantable` object. This interface is implemented by IAM principles resources (groups, users and roles) and resources that assume a role such as a Lambda function, EC2 instance or a Codebuild project. + You can find which `grant*` methods exist for a resource in the [AWS CDK API Reference](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-construct-library.html). ### Configuring an ExternalId
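Review bot: in the hunk at `@@ -26,6 +26,28 @@` (patch 1/2) the parenthetical "write permissions (Put, Update, Delete)" hard-codes an action list in prose; either verify it against the action set `grantWriteData` actually emits (it also covers batch writes) or drop the list and let the API reference be the source of truth, otherwise the README will drift from the code. The same hunk should also say what the calls do from a security standpoint, since that is why readers reach for them: `table.grantWriteData(fn)` and `table.grant(fn, 'dynamodb:PutItem')` add a policy statement to the grantee's own role scoped to that table, rather than attaching a broad managed policy, and the single-action `grant` form is the least-privilege option when a method like `grantWriteData` grants more than the caller needs. Finally, the snippets use `new lambda.Function(...)` / `new dynamodb.Table(...)`, which is not compilable TypeScript, while the rest of this README links literate examples such as `test/example.managedpolicy.lit.ts`; consider a `.lit.ts` example here too so the snippet is built and cannot rot.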
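Review bot: in the hunk at `@@ -46,6 +46,8 @@` (patch 2/2) "IAM principles resources" should be "IAM principals", and "Codebuild" should be "CodeBuild"; suggested wording: "The `grant*` methods accept an `IGrantable` object. This interface is implemented by IAM principals (groups, users and roles) and by resources that assume a role, such as a Lambda function, EC2 instance or CodeBuild project." It is also worth one sentence on the consequence of "resources that assume a role": the grant lands on the role the resource assumes, so if that role is shared by several functions or instances, every one of them receives the permission, not only the construct passed to `grant*`.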