Package software.amazon.awssdk.policybuilder.iam

Interface IamStatement.Builder

All Superinterfaces:

Buildable, CopyableBuilder<IamStatement.Builder,IamStatement>, SdkBuilder<IamStatement.Builder,IamStatement>

All Known Implementing Classes:

DefaultIamStatement.Builder

Enclosing interface:

IamStatement

public static interface IamStatement.Builder
extends CopyableBuilder<IamStatement.Builder,IamStatement>

See Also:

• IamStatement.builder()

Method Summary

Modifier and Type	Method	Description
IamStatement.Builder	actionIds(Collection<String> actions)	Configure the Action element of the statement, specifying the actions that are allowed or denied.
IamStatement.Builder	actions(Collection<IamAction> actions)	Configure the Action element of the statement, specifying the actions that are allowed or denied.
IamStatement.Builder	addAction(String action)	Append an Action element to this statement, specifying an action that is allowed or denied.
IamStatement.Builder	addAction(IamAction action)	Append an Action element to this statement, specifying an action that is allowed or denied.
IamStatement.Builder	addCondition(String operator, String key, String values)	Append a Condition to the statement, specifying a condition in which the statement is in effect.
IamStatement.Builder	addCondition(Consumer<IamCondition.Builder> condition)	Append a Condition to the statement, specifying a condition in which the statement is in effect.
IamStatement.Builder	addCondition(IamCondition condition)	Append a Condition to the statement, specifying a condition in which the statement is in effect.
IamStatement.Builder	addCondition(IamConditionOperator operator, String key, String value)	Append a Condition to the statement, specifying a condition in which the statement is in effect.
IamStatement.Builder	addCondition(IamConditionOperator operator, IamConditionKey key, String value)	Append a Condition to the statement, specifying a condition in which the statement is in effect.
IamStatement.Builder	addConditions(String operator, String key, Collection<String> values)	Append multiple Conditions to the statement, specifying conditions in which the statement is in effect.
IamStatement.Builder	addConditions(IamConditionOperator operator, String key, Collection<String> values)	Append multiple Conditions to the statement, specifying conditions in which the statement is in effect.
IamStatement.Builder	addConditions(IamConditionOperator operator, IamConditionKey key, Collection<String> values)	Append multiple Conditions to the statement, specifying conditions in which the statement is in effect.
IamStatement.Builder	addNotAction(String action)	Append a NotAction element to this statement, specifying an action that is denied or allowed.
IamStatement.Builder	addNotAction(IamAction action)	Append a NotAction element to this statement, specifying an action that is denied or allowed.
IamStatement.Builder	addNotPrincipal(String iamPrincipalType, String notPrincipal)	Append a NotPrincipal to this statement, specifying that all principals are affected by the policy except the ones listed.
IamStatement.Builder	addNotPrincipal(Consumer<IamPrincipal.Builder> notPrincipal)	Append a NotPrincipal to this statement, specifying that all principals are affected by the policy except the ones listed.
IamStatement.Builder	addNotPrincipal(IamPrincipal notPrincipal)	Append a NotPrincipal to this statement, specifying that all principals are affected by the policy except the ones listed.
IamStatement.Builder	addNotPrincipal(IamPrincipalType iamPrincipalType, String notPrincipal)	Append a NotPrincipal to this statement, specifying that all principals are affected by the policy except the ones listed.
IamStatement.Builder	addNotPrincipals(String iamPrincipalType, Collection<String> notPrincipals)	Append multiple NotPrincipals to this statement, specifying that all principals are affected by the policy except the ones listed.
IamStatement.Builder	addNotPrincipals(IamPrincipalType iamPrincipalType, Collection<String> notPrincipals)	Append multiple NotPrincipals to this statement, specifying that all principals are affected by the policy except the ones listed.
IamStatement.Builder	addNotResource(String resource)	Append a NotResource element to the statement, specifying that the statement should apply to every resource except the ones listed.
IamStatement.Builder	addNotResource(IamResource resource)	Append a NotResource element to the statement, specifying that the statement should apply to every resource except the ones listed.
IamStatement.Builder	addPrincipal(String iamPrincipalType, String principal)	Append a Principal to this statement, specifying a principal that is allowed or denied access to a resource.
IamStatement.Builder	addPrincipal(Consumer<IamPrincipal.Builder> principal)	Append a Principal to this statement, specifying a principal that is allowed or denied access to a resource.
IamStatement.Builder	addPrincipal(IamPrincipal principal)	Append a Principal to this statement, specifying a principal that is allowed or denied access to a resource.
IamStatement.Builder	addPrincipal(IamPrincipalType iamPrincipalType, String principal)	Append a Principal to this statement, specifying a principal that is allowed or denied access to a resource.
IamStatement.Builder	addPrincipals(String iamPrincipalType, Collection<String> principals)	Append multiple Principals to this statement, specifying principals that are allowed or denied access to a resource.
IamStatement.Builder	addPrincipals(IamPrincipalType iamPrincipalType, Collection<String> principals)	Append multiple Principals to this statement, specifying principals that are allowed or denied access to a resource.
IamStatement.Builder	addResource(String resource)	Append a Resource element to the statement, specifying a resource that the statement covers.
IamStatement.Builder	addResource(IamResource resource)	Append a Resource element to the statement, specifying a resource that the statement covers.
IamStatement.Builder	conditions(Collection<IamCondition> conditions)	Configure the Condition element of the statement, specifying the conditions in which the statement is in effect.
IamStatement.Builder	effect(String effect)	Configure the Effect element of the policy, specifying whether the statement results in an allow or deny.
IamStatement.Builder	effect(IamEffect effect)	Configure the Effect element of the policy, specifying whether the statement results in an allow or deny.
IamStatement.Builder	notActionIds(Collection<String> actions)	Configure the NotAction element of the statement, specifying actions that are denied or allowed.
IamStatement.Builder	notActions(Collection<IamAction> actions)	Configure the NotAction element of the statement, specifying actions that are denied or allowed.
IamStatement.Builder	notPrincipals(Collection<IamPrincipal> notPrincipals)	Configure the NotPrincipal element of the statement, specifying that all principals are affected by the policy except the ones listed.
IamStatement.Builder	notResourceIds(Collection<String> resources)	Configure the NotResource element of the statement, specifying that the statement should apply to every resource except the ones listed.
IamStatement.Builder	notResources(Collection<IamResource> resources)	Configure the NotResource element of the statement, specifying that the statement should apply to every resource except the ones listed.
IamStatement.Builder	principals(Collection<IamPrincipal> principals)	Configure the Principal element of the statement, specifying the principals that are allowed or denied access to a resource.
IamStatement.Builder	resourceIds(Collection<String> resources)	Configure the Resource element of the statement, specifying the resource(s) that the statement covers.
IamStatement.Builder	resources(Collection<IamResource> resources)	Configure the Resource element of the statement, specifying the resource(s) that the statement covers.
IamStatement.Builder	sid(String sid)	Configure the Sid element of the policy, specifying an identifier for the statement.

Methods inherited from interface software.amazon.awssdk.utils.builder.CopyableBuilder

copy

Methods inherited from interface software.amazon.awssdk.utils.builder.SdkBuilder

applyMutation, build

Method Details

sid

IamStatement.Builder sid(String sid)

Configure the Sid element of the policy, specifying an identifier for the statement.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookMetadata") // An identifier for the statement
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• Sid user guide

effect

IamStatement.Builder effect(IamEffect effect)

Configure the Effect element of the policy, specifying whether the statement results in an allow or deny.

This value is required.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookMetadata")
                .effect(IamEffect.ALLOW) // The statement ALLOWS access
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• IamEffect
• Effect user guide

effect

IamStatement.Builder effect(String effect)

Configure the Effect element of the policy, specifying whether the statement results in an allow or deny.

This works the same as effect(IamEffect), except you do not need to IamEffect. This value is required.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookMetadata")
                .effect("Allow") // The statement ALLOWs access
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• IamEffect
• Effect user guide

principals

IamStatement.Builder principals(Collection<IamPrincipal> principals)

Configure the Principal element of the statement, specifying the principals that are allowed or denied access to a resource.

This will replace any other principals already added to the statement.

List<IamPrincipal> bookReaderRoles =
    IamPrincipal.createAll("AWS",
                           Arrays.asList("arn:aws:iam::123456789012:role/books-service",
                                         "arn:aws:iam::123456789012:role/books-operator"));

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.ALLOW)
                .principals(bookReaderRoles) // This statement allows access to the books service and operators
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• IamPrincipal
• Principal user guide

addPrincipal

IamStatement.Builder addPrincipal(IamPrincipal principal)

Append a Principal to this statement, specifying a principal that is allowed or denied access to a resource.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.ALLOW)
                 // This statement allows access to the books service:
                .addPrincipal(IamPrincipal.create("AWS", "arn:aws:iam::123456789012:role/books-service"))
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• Principal user guide

addPrincipal

IamStatement.Builder addPrincipal(Consumer<IamPrincipal.Builder> principal)

Append a Principal to this statement, specifying a principal that is allowed or denied access to a resource.

This works the same as addPrincipal(IamPrincipal), except you do not need to specify IamPrincipal .builder() or build().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.ALLOW)
                // This statement allows access to the books service:
                .addPrincipal(p -> p.type("AWS").id("arn:aws:iam::123456789012:role/books-service"))
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• Principal user guide

addPrincipal

IamStatement.Builder addPrincipal(IamPrincipalType iamPrincipalType,
 String principal)

Append a Principal to this statement, specifying a principal that is allowed or denied access to a resource.

This works the same as addPrincipal(IamPrincipal), except you do not need to specify IamPrincipal .create().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.ALLOW)
                // This statement allows access to the books service:
                .addPrincipal(IamPrincipalType.AWS, "arn:aws:iam::123456789012:role/books-service")
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• Principal user guide

addPrincipal

IamStatement.Builder addPrincipal(String iamPrincipalType,
 String principal)

Append a Principal to this statement, specifying a principal that is allowed or denied access to a resource.

This works the same as addPrincipal(IamPrincipalType, String), except you do not need to specify IamPrincipalType.create().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.ALLOW)
                // This statement allows access to the books service:
                .addPrincipal("AWS", "arn:aws:iam::123456789012:role/books-service")
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• Principal user guide

addPrincipals

IamStatement.Builder addPrincipals(IamPrincipalType iamPrincipalType,
 Collection<String> principals)

Append multiple Principals to this statement, specifying principals that are allowed or denied access to a resource.

This works the same as calling addPrincipal(IamPrincipalType, String) multiple times with the same IamPrincipalType.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.ALLOW)
                 // This statement allows access to the books service and operators:
                .addPrincipals(IamPrincipalType.AWS,
                               Arrays.asList("arn:aws:iam::123456789012:role/books-service",
                                            "arn:aws:iam::123456789012:role/books-operator"))
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• Principal user guide

addPrincipals

IamStatement.Builder addPrincipals(String iamPrincipalType,
 Collection<String> principals)

Append multiple Principals to this statement, specifying principals that are allowed or denied access to a resource.

This works the same as calling addPrincipal(String, String) multiple times with the same IamPrincipalType.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.ALLOW)
                 // This statement allows access to the books service and operators:
                .addPrincipals("AWS", Arrays.asList("arn:aws:iam::123456789012:role/books-service",
                                                    "arn:aws:iam::123456789012:role/books-operator"))
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• Principal user guide

notPrincipals

IamStatement.Builder notPrincipals(Collection<IamPrincipal> notPrincipals)

Configure the NotPrincipal element of the statement, specifying that all principals are affected by the policy except the ones listed.

Very few scenarios require the use of NotPrincipal. We recommend that you explore other authorization options before you decide to use NotPrincipal. NotPrincipal can only be used with IamEffect.DENY statements.

This will replace any other not-principals already added to the statement.

List<IamPrincipal> bookReaderRoles =
    IamPrincipal.createAll("AWS",
                           Arrays.asList("arn:aws:iam::123456789012:role/books-service",
                                         "arn:aws:iam::123456789012:role/books-operator"));

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.DENY)
                 // This statement denies access to everyone except the books service and operators:
                .notPrincipals(bookReaderRoles)
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• NotPrincipal user guide

addNotPrincipal

IamStatement.Builder addNotPrincipal(IamPrincipal notPrincipal)

Append a NotPrincipal to this statement, specifying that all principals are affected by the policy except the ones listed.

Very few scenarios require the use of NotPrincipal. We recommend that you explore other authorization options before you decide to use NotPrincipal. NotPrincipal can only be used with IamEffect.DENY statements.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.DENY)
                 // This statement denies access to everyone except the books service:
                .addNotPrincipal(IamPrincipal.create("AWS", "arn:aws:iam::123456789012:role/books-service"))
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• NotPrincipal user guide

addNotPrincipal

IamStatement.Builder addNotPrincipal(Consumer<IamPrincipal.Builder> notPrincipal)

Append a NotPrincipal to this statement, specifying that all principals are affected by the policy except the ones listed.

Very few scenarios require the use of NotPrincipal. We recommend that you explore other authorization options before you decide to use NotPrincipal. NotPrincipal can only be used with IamEffect.DENY statements.

This works the same as addNotPrincipal(IamPrincipal), except you do not need to specify IamPrincipal .builder() or build().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.DENY)
                 // This statement denies access to everyone except the books service:
                .addNotPrincipal(p -> p.type("AWS").id("arn:aws:iam::123456789012:role/books-service"))
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• NotPrincipal user guide

addNotPrincipal

IamStatement.Builder addNotPrincipal(IamPrincipalType iamPrincipalType,
 String notPrincipal)

Append a NotPrincipal to this statement, specifying that all principals are affected by the policy except the ones listed.

Very few scenarios require the use of NotPrincipal. We recommend that you explore other authorization options before you decide to use NotPrincipal. NotPrincipal can only be used with IamEffect.DENY statements.

This works the same as addNotPrincipal(IamPrincipal), except you do not need to specify IamPrincipal .create().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.DENY)
                 // This statement denies access to everyone except the books service:
                .addNotPrincipal(IamPrincipalType.AWS, "arn:aws:iam::123456789012:role/books-service")
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• NotPrincipal user guide

addNotPrincipal

IamStatement.Builder addNotPrincipal(String iamPrincipalType,
 String notPrincipal)

Append a NotPrincipal to this statement, specifying that all principals are affected by the policy except the ones listed.

Very few scenarios require the use of NotPrincipal. We recommend that you explore other authorization options before you decide to use NotPrincipal. NotPrincipal can only be used with IamEffect.DENY statements.

This works the same as addNotPrincipal(IamPrincipalType, String), except you do not need to specify IamPrincipalType.create().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.DENY)
                 // This statement denies access to everyone except the books service:
                .addNotPrincipal("AWS", "arn:aws:iam::123456789012:role/books-service")
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• NotPrincipal user guide

addNotPrincipals

IamStatement.Builder addNotPrincipals(IamPrincipalType iamPrincipalType,
 Collection<String> notPrincipals)

Append multiple NotPrincipals to this statement, specifying that all principals are affected by the policy except the ones listed.

Very few scenarios require the use of NotPrincipal. We recommend that you explore other authorization options before you decide to use NotPrincipal. NotPrincipal can only be used with IamEffect.DENY statements.

This works the same as calling addNotPrincipal(IamPrincipalType, String) multiple times with the same IamPrincipalType.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.DENY)
                 // This statement denies access to everyone except the books service and operators:
                .addNotPrincipals(IamPrincipalType.AWS,
                                  Arrays.asList("arn:aws:iam::123456789012:role/books-service",
                                               "arn:aws:iam::123456789012:role/books-operator"))
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• NotPrincipal user guide

addNotPrincipals

IamStatement.Builder addNotPrincipals(String iamPrincipalType,
 Collection<String> notPrincipals)

Append multiple NotPrincipals to this statement, specifying that all principals are affected by the policy except the ones listed.

Very few scenarios require the use of NotPrincipal. We recommend that you explore other authorization options before you decide to use NotPrincipal. NotPrincipal can only be used with IamEffect.DENY statements.

This works the same as calling addNotPrincipal(String, String) multiple times with the same IamPrincipalType.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookContent")
                .effect(IamEffect.DENY)
                 // This statement denies access to everyone except the books service and operators:
                .addNotPrincipals("AWS", Arrays.asList("arn:aws:iam::123456789012:role/books-service",
                                                       "arn:aws:iam::123456789012:role/books-operator"))
                .addAction("s3:GetObject")
                .addResource("arn:aws:s3:us-west-2:123456789012:accesspoint/book-content/object/*")
                .build();

See Also:

• NotPrincipal user guide

actions

IamStatement.Builder actions(Collection<IamAction> actions)

Configure the Action element of the statement, specifying the actions that are allowed or denied.

This will replace any other actions already added to the statement.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadWriteBookMetadata")
                .effect(IamEffect.ALLOW)
                // This statement grants access to read and write items in Amazon DynamoDB:
                .actions(Arrays.asList(IamAction.create("dynamodb:PutItem"),
                                       IamAction.create("dynamodb:GetItem")))
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• Action user guide

actionIds

IamStatement.Builder actionIds(Collection<String> actions)

Configure the Action element of the statement, specifying the actions that are allowed or denied.

This works the same as actions(Collection), except you do not need to call IamAction.create() on each action. This will replace any other actions already added to the statement.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadWriteBookMetadata")
                .effect(IamEffect.ALLOW)
                // This statement grants access to read and write items in Amazon DynamoDB:
                .actionIds(Arrays.asList("dynamodb:PutItem", "dynamodb:GetItem"))
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• Action user guide

addAction

IamStatement.Builder addAction(IamAction action)

Append an Action element to this statement, specifying an action that is allowed or denied.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookMetadata")
                .effect(IamEffect.ALLOW)
                // This statement grants access to read items in Amazon DynamoDB:
                .addAction(IamAction.create("dynamodb:GetItem"))
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• Action user guide

addAction

IamStatement.Builder addAction(String action)

Append an Action element to this statement, specifying an action that is allowed or denied.

This works the same as addAction(IamAction), except you do not need to call IamAction.create().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookMetadata")
                .effect(IamEffect.ALLOW)
                // This statement grants access to read items in Amazon DynamoDB:
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• Action user guide

notActions

IamStatement.Builder notActions(Collection<IamAction> actions)

Configure the NotAction element of the statement, specifying actions that are denied or allowed.

This will replace any other not-actions already added to the statement.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantAllButDeleteBookMetadataTable")
                .effect(IamEffect.ALLOW)
                // This statement grants access to do ALL CURRENT AND FUTURE actions against the books table, except
                // dynamodb:DeleteTable
                .notActions(Arrays.asList(IamAction.create("dynamodb:DeleteTable")))
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• NotAction user guide

notActionIds

IamStatement.Builder notActionIds(Collection<String> actions)

Configure the NotAction element of the statement, specifying actions that are denied or allowed.

This works the same as notActions(Collection), except you do not need to call IamAction.create() on each action. This will replace any other not-actions already added to the statement.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantAllButDeleteBookMetadataTable")
                .effect(IamEffect.ALLOW)
                // This statement grants access to do ALL CURRENT AND FUTURE actions against the books table, except
                // dynamodb:DeleteTable
                .notActionIds(Arrays.asList("dynamodb:DeleteTable"))
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• NotAction user guide

addNotAction

IamStatement.Builder addNotAction(IamAction action)

Append a NotAction element to this statement, specifying an action that is denied or allowed.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantAllButDeleteBookMetadataTable")
                .effect(IamEffect.ALLOW)
                // This statement grants access to do ALL CURRENT AND FUTURE actions against the books table, except
                // dynamodb:DeleteTable
                .addNotAction(IamAction.create("dynamodb:DeleteTable"))
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• NotAction user guide

addNotAction

IamStatement.Builder addNotAction(String action)

Append a NotAction element to this statement, specifying an action that is denied or allowed.

This works the same as addNotAction(IamAction), except you do not need to call IamAction.create().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantAllButDeleteBookMetadataTable")
                .effect(IamEffect.ALLOW)
                // This statement grants access to do ALL CURRENT AND FUTURE actions against the books table, except
                // dynamodb:DeleteTable
                .addNotAction("dynamodb:DeleteTable")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• NotAction user guide

resources

IamStatement.Builder resources(Collection<IamResource> resources)

Configure the Resource element of the statement, specifying the resource(s) that the statement covers.

This will replace any other resources already added to the statement.

List<IamResource> resources =
    Arrays.asList(IamResource.create("arn:aws:dynamodb:us-east-2:123456789012:table/books"),
                  IamResource.create("arn:aws:dynamodb:us-east-2:123456789012:table/customers"));

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookAndCustomersMetadata")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                // This statement grants access to the books and customers tables:
                .resources(resources)
                .build();

See Also:

• Resource user guide

resourceIds

IamStatement.Builder resourceIds(Collection<String> resources)

Configure the Resource element of the statement, specifying the resource(s) that the statement covers.

This works the same as resources(Collection), except you do not need to call IamResource.create() on each resource. This will replace any other resources already added to the statement.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookAndCustomersMetadata")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                // This statement grants access to the books and customers tables:
                .resourceIds(Arrays.asList("arn:aws:dynamodb:us-east-2:123456789012:table/books",
                                           "arn:aws:dynamodb:us-east-2:123456789012:table/customers"))
                .build();

See Also:

• Resource user guide

addResource

IamStatement.Builder addResource(IamResource resource)

Append a Resource element to the statement, specifying a resource that the statement covers.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookMetadata")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                // This statement grants access to the books table:
                .addResource(IamResource.create("arn:aws:dynamodb:us-east-2:123456789012:table/books"))
                .build();

See Also:

• Resource user guide

addResource

IamStatement.Builder addResource(String resource)

Append a Resource element to the statement, specifying a resource that the statement covers.

This works the same as addResource(IamResource), except you do not need to call IamResource.create().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBookMetadata")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                // This statement grants access to the books table:
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                .build();

See Also:

• Resource user guide

notResources

IamStatement.Builder notResources(Collection<IamResource> resources)

Configure the NotResource element of the statement, specifying that the statement should apply to every resource except the ones listed.

This will replace any other not-resources already added to the statement.

List<IamResource> notResources =
    Arrays.asList(IamResource.create("arn:aws:dynamodb:us-east-2:123456789012:table/customers"));

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadNotCustomers")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                // This statement grants access to EVERY CURRENT AND FUTURE RESOURCE except the customers table:
                .notResources(notResources)
                .build();

See Also:

• NotResource user guide

notResourceIds

IamStatement.Builder notResourceIds(Collection<String> resources)

Configure the NotResource element of the statement, specifying that the statement should apply to every resource except the ones listed.

This works the same as notResources(Collection), except you do not need to call IamResource.create() on each resource. This will replace any other not-resources already added to the statement.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadNotCustomers")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                // This statement grants access to EVERY CURRENT AND FUTURE RESOURCE except the customers table:
                .notResourceIds(Arrays.asList("arn:aws:dynamodb:us-east-2:123456789012:table/customers"))
                .build();

See Also:

• NotResource user guide

addNotResource

IamStatement.Builder addNotResource(IamResource resource)

Append a NotResource element to the statement, specifying that the statement should apply to every resource except the ones listed.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadNotCustomers")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                // This statement grants access to EVERY CURRENT AND FUTURE RESOURCE except the customers table:
                .addNotResource(IamResource.create("arn:aws:dynamodb:us-east-2:123456789012:table/customers"))
                .build();

See Also:

• NotResource user guide

addNotResource

IamStatement.Builder addNotResource(String resource)

Append a NotResource element to the statement, specifying that the statement should apply to every resource except the ones listed.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadNotCustomers")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                // This statement grants access to EVERY CURRENT AND FUTURE RESOURCE except the customers table:
                .addNotResource("arn:aws:dynamodb:us-east-2:123456789012:table/customers")
                .build();

See Also:

• NotResource user guide

conditions

IamStatement.Builder conditions(Collection<IamCondition> conditions)

Configure the Condition element of the statement, specifying the conditions in which the statement is in effect.

This will replace any other conditions already added to the statement.

IamCondition startTime = IamCondition.create(IamConditionOperator.DATE_GREATER_THAN,
                                             "aws:CurrentTime",
                                             "1988-05-21T00:00:00Z");
IamCondition endTime = IamCondition.create(IamConditionOperator.DATE_LESS_THAN,
                                           "aws:CurrentTime",
                                           "2065-09-01T00:00:00Z");

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBooks")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                // This statement grants access between the specified start and end times:
                .conditions(Arrays.asList(startTime, endTime))
                .build();

See Also:

• Condition user guide

addCondition

IamStatement.Builder addCondition(IamCondition condition)

Append a Condition to the statement, specifying a condition in which the statement is in effect.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBooks")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                // This statement grants access after a specified start time:
                .addCondition(IamCondition.create(IamConditionOperator.DATE_GREATER_THAN,
                                                  "aws:CurrentTime",
                                                  "1988-05-21T00:00:00Z"))
                .build();

See Also:

• Condition user guide

addCondition

IamStatement.Builder addCondition(Consumer<IamCondition.Builder> condition)

Append a Condition to the statement, specifying a condition in which the statement is in effect.

This works the same as addCondition(IamCondition), except you do not need to specify IamCondition .builder() or build().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBooks")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                // This statement grants access after a specified start time:
                .addCondition(c -> c.operator(IamConditionOperator.DATE_GREATER_THAN)
                                    .key("aws:CurrentTime")
                                    .value("1988-05-21T00:00:00Z"))
                .build();

See Also:

• Condition user guide

addCondition

IamStatement.Builder addCondition(IamConditionOperator operator,
 IamConditionKey key,
 String value)

Append a Condition to the statement, specifying a condition in which the statement is in effect.

This works the same as addCondition(IamCondition), except you do not need to specify IamCondition .create().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBooks")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                // This statement grants access after a specified start time:
                .addCondition(IamConditionOperator.DATE_GREATER_THAN,
                              IamConditionKey.create("aws:CurrentTime"),
                              "1988-05-21T00:00:00Z")
                .build();

See Also:

• Condition user guide

addCondition

IamStatement.Builder addCondition(IamConditionOperator operator,
 String key,
 String value)

Append a Condition to the statement, specifying a condition in which the statement is in effect.

This works the same as addCondition(IamCondition), except you do not need to specify IamCondition .create().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBooks")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                // This statement grants access after a specified start time:
                .addCondition(IamConditionOperator.DATE_GREATER_THAN, "aws:CurrentTime", "1988-05-21T00:00:00Z")
                .build();

See Also:

• Condition user guide

addCondition

IamStatement.Builder addCondition(String operator,
 String key,
 String values)

Append a Condition to the statement, specifying a condition in which the statement is in effect.

This works the same as addCondition(IamCondition), except you do not need to specify IamCondition .create().

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBooks")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                // This statement grants access after a specified start time:
                .addCondition("DateGreaterThan", "aws:CurrentTime", "1988-05-21T00:00:00Z")
                .build();

See Also:

• Condition user guide

addConditions

IamStatement.Builder addConditions(IamConditionOperator operator,
 IamConditionKey key,
 Collection<String> values)

Append multiple Conditions to the statement, specifying conditions in which the statement is in effect.

This works the same as addCondition(IamConditionOperator, IamConditionKey, String) multiple times with the same operator and key, but different values.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBooks")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                // This statement grants access only in the us-east-1 and us-west-2 regions:
                .addConditions(IamConditionOperator.STRING_EQUALS,
                               IamConditionKey.create("aws:RequestedRegion"),
                               Arrays.asList("us-east-1", "us-west-2"))
                .build();

See Also:

• Condition user guide

addConditions

IamStatement.Builder addConditions(IamConditionOperator operator,
 String key,
 Collection<String> values)

Append multiple Conditions to the statement, specifying conditions in which the statement is in effect.

This works the same as addCondition(IamConditionOperator, String, String) multiple times with the same operator and key, but different values.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBooks")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                // This statement grants access only in the us-east-1 and us-west-2 regions:
                .addConditions(IamConditionOperator.STRING_EQUALS,
                               "aws:RequestedRegion",
                               Arrays.asList("us-east-1", "us-west-2"))
                .build();

See Also:

• Condition user guide

addConditions

IamStatement.Builder addConditions(String operator,
 String key,
 Collection<String> values)

Append multiple Conditions to the statement, specifying conditions in which the statement is in effect.

This works the same as addCondition(String, String, String) multiple times with the same operator and key, but different values.

IamStatement statement =
    IamStatement.builder()
                .sid("GrantReadBooks")
                .effect(IamEffect.ALLOW)
                .addAction("dynamodb:GetItem")
                .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                // This statement grants access only in the us-east-1 and us-west-2 regions:
                .addConditions("StringEquals", "aws:RequestedRegion", Arrays.asList("us-east-1", "us-west-2"))
                .build();

See Also:

• Condition user guide