iam-floyd 0.722.0 → 0.723.0

package/README.md

@@ -17,9 +17,9 @@
 Support for:
 
 - 428 Services
-- 19256 Actions
+- 19257 Actions
 - 2057 Resource Types
-- 2148 Condition keys
+- 2155 Condition keys
 <!-- /stats -->
 
 ![EXPERIMENTAL](https://img.shields.io/badge/stability-experimantal-orange?style=for-the-badge)**<br>This is an early version of the package. The API will change while I implement new features. Therefore make sure you use an exact version in your `package.json` before it reaches 1.0.0.**

package/lib/generated/policy-statements/bedrockagentcore.d.ts

@@ -51,6 +51,22 @@ export declare class BedrockAgentcore extends PolicyStatement {
      * https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/API_BatchUpdateMemoryRecords.html
      */
     toBatchUpdateMemoryRecords(): this;
+    /**
+     * Grants permission to retrieve access token with OAuth2 for 3LO flow to access external resource
+     *
+     * Access Level: Read
+     *
+     * Possible conditions:
+     * - .ifInboundJwtClaimIss()
+     * - .ifInboundJwtClaimSub()
+     * - .ifInboundJwtClaimAud()
+     * - .ifInboundJwtClaimScope()
+     * - .ifInboundJwtClaimClientId()
+     * - .ifUserid()
+     *
+     * https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/API_CompleteResourceTokenAuth.html
+     */
+    toCompleteResourceTokenAuth(): this;
     /**
      * Grants permission to connect to a browser automation stream
      *
@@ -99,6 +115,10 @@ export declare class BedrockAgentcore extends PolicyStatement {
      *
      * Access Level: Write
      *
+     * Possible conditions:
+     * - .ifAwsRequestTag()
+     * - .ifAwsTagKeys()
+     *
      * https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateApiKeyCredentialProvider.html
      */
     toCreateApiKeyCredentialProvider(): this;
@@ -181,6 +201,10 @@ export declare class BedrockAgentcore extends PolicyStatement {
      *
      * Access Level: Write
      *
+     * Possible conditions:
+     * - .ifAwsRequestTag()
+     * - .ifAwsTagKeys()
+     *
      * https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateOauth2CredentialProvider.html
      */
     toCreateOauth2CredentialProvider(): this;
@@ -189,6 +213,10 @@ export declare class BedrockAgentcore extends PolicyStatement {
      *
      * Access Level: Write
      *
+     * Possible conditions:
+     * - .ifAwsRequestTag()
+     * - .ifAwsTagKeys()
+     *
      * https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateWorkloadIdentity.html
      */
     toCreateWorkloadIdentity(): this;
@@ -445,6 +473,13 @@ export declare class BedrockAgentcore extends PolicyStatement {
      *
      * Access Level: Write
      *
+     * Possible conditions:
+     * - .ifInboundJwtClaimIss()
+     * - .ifInboundJwtClaimSub()
+     * - .ifInboundJwtClaimAud()
+     * - .ifInboundJwtClaimScope()
+     * - .ifInboundJwtClaimClientId()
+     *
      * https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/API_GetWorkloadAccessTokenForJWT.html
      */
     toGetWorkloadAccessTokenForJWT(): this;
@@ -453,6 +488,9 @@ export declare class BedrockAgentcore extends PolicyStatement {
      *
      * Access Level: Write
      *
+     * Possible conditions:
+     * - .ifUserid()
+     *
      * https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/API_GetWorkloadAccessTokenForUserId.html
      */
     toGetWorkloadAccessTokenForUserId(): this;
@@ -862,6 +900,9 @@ export declare class BedrockAgentcore extends PolicyStatement {
      * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
      * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
      * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+     *
+     * Possible conditions:
+     * - .ifAwsResourceTag()
      */
     onWorkloadIdentity(directoryId: string, workloadIdentityName: string, account?: string, region?: string, partition?: string): this;
     /**
@@ -874,6 +915,9 @@ export declare class BedrockAgentcore extends PolicyStatement {
      * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
      * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
      * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+     *
+     * Possible conditions:
+     * - .ifAwsResourceTag()
      */
     onOauth2credentialprovider(tokenVaultId: string, name: string, account?: string, region?: string, partition?: string): this;
     /**
@@ -886,6 +930,9 @@ export declare class BedrockAgentcore extends PolicyStatement {
      * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
      * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
      * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+     *
+     * Possible conditions:
+     * - .ifAwsResourceTag()
      */
     onApikeycredentialprovider(tokenVaultId: string, name: string, account?: string, region?: string, partition?: string): this;
     /**
@@ -974,6 +1021,9 @@ export declare class BedrockAgentcore extends PolicyStatement {
      * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
      * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
      * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+     *
+     * Possible conditions:
+     * - .ifAwsResourceTag()
      */
     onWorkloadIdentityDirectory(directoryId: string, account?: string, region?: string, partition?: string): this;
     /**
@@ -985,6 +1035,9 @@ export declare class BedrockAgentcore extends PolicyStatement {
      * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
      * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
      * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
+     *
+     * Possible conditions:
+     * - .ifAwsResourceTag()
      */
     onTokenVault(tokenVaultId: string, account?: string, region?: string, partition?: string): this;
     /**
@@ -995,10 +1048,13 @@ export declare class BedrockAgentcore extends PolicyStatement {
      * Applies to actions:
      * - .toCreateAgentRuntime()
      * - .toCreateAgentRuntimeEndpoint()
+     * - .toCreateApiKeyCredentialProvider()
      * - .toCreateBrowser()
      * - .toCreateCodeInterpreter()
      * - .toCreateGateway()
      * - .toCreateMemory()
+     * - .toCreateOauth2CredentialProvider()
+     * - .toCreateWorkloadIdentity()
      * - .toTagResource()
      *
      * @param tagKey The tag key to check
@@ -1014,10 +1070,15 @@ export declare class BedrockAgentcore extends PolicyStatement {
      * Applies to resource types:
      * - memory
      * - gateway
+     * - workload-identity
+     * - oauth2credentialprovider
+     * - apikeycredentialprovider
      * - runtime
      * - runtime-endpoint
      * - code-interpreter-custom
      * - browser-custom
+     * - workload-identity-directory
+     * - token-vault
      *
      * @param tagKey The tag key to check
      * @param value The value(s) to check
@@ -1032,10 +1093,13 @@ export declare class BedrockAgentcore extends PolicyStatement {
      * Applies to actions:
      * - .toCreateAgentRuntime()
      * - .toCreateAgentRuntimeEndpoint()
+     * - .toCreateApiKeyCredentialProvider()
      * - .toCreateBrowser()
      * - .toCreateCodeInterpreter()
      * - .toCreateGateway()
      * - .toCreateMemory()
+     * - .toCreateOauth2CredentialProvider()
+     * - .toCreateWorkloadIdentity()
      * - .toTagResource()
      * - .toUntagResource()
      *
@@ -1052,6 +1116,71 @@ export declare class BedrockAgentcore extends PolicyStatement {
      * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
      */
     ifGatewayAuthorizerType(value: string | string[], operator?: Operator | string): this;
+    /**
+     * Filters access by the audience claim (aud) in the JWT passed in the request
+     *
+     * https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-aud
+     *
+     * Applies to actions:
+     * - .toCompleteResourceTokenAuth()
+     * - .toGetWorkloadAccessTokenForJWT()
+     *
+     * @param value The value(s) to check
+     * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
+     */
+    ifInboundJwtClaimAud(value: string | string[], operator?: Operator | string): this;
+    /**
+     * Filters access by the client_id claim in the JWT passed in the request
+     *
+     * https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-client_id
+     *
+     * Applies to actions:
+     * - .toCompleteResourceTokenAuth()
+     * - .toGetWorkloadAccessTokenForJWT()
+     *
+     * @param value The value(s) to check
+     * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
+     */
+    ifInboundJwtClaimClientId(value: string | string[], operator?: Operator | string): this;
+    /**
+     * Filters access by the issuer (iss) claim present in the JWT passed in the request
+     *
+     * https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-iss
+     *
+     * Applies to actions:
+     * - .toCompleteResourceTokenAuth()
+     * - .toGetWorkloadAccessTokenForJWT()
+     *
+     * @param value The value(s) to check
+     * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
+     */
+    ifInboundJwtClaimIss(value: string | string[], operator?: Operator | string): this;
+    /**
+     * Filters access by the scope claim in the JWT passed in the request
+     *
+     * https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-scope
+     *
+     * Applies to actions:
+     * - .toCompleteResourceTokenAuth()
+     * - .toGetWorkloadAccessTokenForJWT()
+     *
+     * @param value The value(s) to check
+     * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
+     */
+    ifInboundJwtClaimScope(value: string | string[], operator?: Operator | string): this;
+    /**
+     * Filters access by the subject claim (sub) in the JWT passed in the request
+     *
+     * https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-sub
+     *
+     * Applies to actions:
+     * - .toCompleteResourceTokenAuth()
+     * - .toGetWorkloadAccessTokenForJWT()
+     *
+     * @param value The value(s) to check
+     * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
+     */
+    ifInboundJwtClaimSub(value: string | string[], operator?: Operator | string): this;
     /**
      * Filters access by Actor Id
      *
@@ -1111,4 +1240,17 @@ export declare class BedrockAgentcore extends PolicyStatement {
      * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
      */
     ifStrategyId(value: string | string[], operator?: Operator | string): this;
+    /**
+     * Filters access by the static user ID value passed in the request
+     *
+     * https://docs.aws.amazon.com/bedrock-agentcore/latest/APIReference/#condition-keys-userid
+     *
+     * Applies to actions:
+     * - .toCompleteResourceTokenAuth()
+     * - .toGetWorkloadAccessTokenForUserId()
+     *
+     * @param value The value(s) to check
+     * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
+     */
+    ifUserid(value: string | string[], operator?: Operator | string): this;
 }