aws-cdk-lib 2.195.0__py3-none-any.whl → 2.224.0__py3-none-any.whl

aws_cdk/aws_iam/__init__.py

@@ -720,6 +720,36 @@ The following examples defines an OpenID Connect provider. Two client IDs
 (audiences) are will be able to send authentication requests to
 [https://openid/connect](https://openid/connect).
 
+It is recommended to use the new `OidcProviderNative` which native CloudFormation resource `AWS::IAM::OIDCProvider` over the old `OpenIdConnectProvider` which uses a custom resource.
+
+```python
+native_provider = iam.OidcProviderNative(self, "MyProvider",
+    url="https://openid/connect",
+    client_ids=["myclient1", "myclient2"],
+    thumbprints=["aa00aa1122aa00aa1122aa00aa1122aa00aa1122"]
+)
+```
+
+For the new `OidcProviderNative`, you must provide at least one thumbprint when creating an IAM OIDC
+provider. For example, assume that the OIDC provider is server.example.com
+and the provider stores its keys at
+https://keys.server.example.com/openid-connect. In that case, the
+thumbprint string would be the hex-encoded SHA-1 hash value of the
+certificate used by https://keys.server.example.com.
+
+The server certificate thumbprint is the hex-encoded SHA-1 hash value of
+the X.509 certificate used by the domain where the OpenID Connect provider
+makes its keys available. It is always a 40-character string.
+
+Typically this list includes only one entry. However, IAM lets you have up
+to five thumbprints for an OIDC provider. This lets you maintain multiple
+thumbprints if the identity provider is rotating certificates.
+
+Obtain the thumbprint of the root certificate authority from the provider's
+server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
+
+The older `OpenIdConnectProvider` is still supported but it is recommended to use the new `OidcProviderNative` instead.
+
 ```python
 provider = iam.OpenIdConnectProvider(self, "MyProvider",
     url="https://openid/connect",
@@ -727,12 +757,12 @@ provider = iam.OpenIdConnectProvider(self, "MyProvider",
 )
 ```
 
-You can specify an optional list of `thumbprints`. If not specified, the
+For the older `OpenIdConnectProvider`, you can specify an optional list of `thumbprints`. If not specified, the
 thumbprint of the root certificate authority (CA) will automatically be obtained
 from the host as described
 [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html).
 
-Byy default, the custom resource enforces strict security practices by rejecting
+By default, the custom resource enforces strict security practices by rejecting
 any unauthorized connections when downloading CA thumbprints from the issuer URL.
 If you need to connect to an unauthorized OIDC identity provider and understand the
 implications, you can disable this behavior by setting the feature flag
@@ -999,6 +1029,41 @@ from .. import (
     TagManager as _TagManager_0a598cb3,
     TreeInspector as _TreeInspector_488e0dd5,
 )
+from ..interfaces import IEnvironmentAware as _IEnvironmentAware_f39049ee
+from ..interfaces.aws_iam import (
+    AccessKeyReference as _AccessKeyReference_2bdfd122,
+    GroupPolicyReference as _GroupPolicyReference_d179b98e,
+    GroupReference as _GroupReference_cd6b1d81,
+    IAccessKeyRef as _IAccessKeyRef_e97ef40a,
+    IGroupPolicyRef as _IGroupPolicyRef_35f73c8c,
+    IGroupRef as _IGroupRef_aeb1d9f6,
+    IInstanceProfileRef as _IInstanceProfileRef_d6832c90,
+    IManagedPolicyRef as _IManagedPolicyRef_a7a65687,
+    IOIDCProviderRef as _IOIDCProviderRef_a866c7c8,
+    IPolicyRef as _IPolicyRef_5e74a0ba,
+    IRolePolicyRef as _IRolePolicyRef_26b13525,
+    IRoleRef as _IRoleRef_8400221f,
+    ISAMLProviderRef as _ISAMLProviderRef_6e369856,
+    IServerCertificateRef as _IServerCertificateRef_005ddfcc,
+    IServiceLinkedRoleRef as _IServiceLinkedRoleRef_ba92e11b,
+    IUserPolicyRef as _IUserPolicyRef_e6abac3e,
+    IUserRef as _IUserRef_b0ccca76,
+    IUserToGroupAdditionRef as _IUserToGroupAdditionRef_e1276f9a,
+    IVirtualMFADeviceRef as _IVirtualMFADeviceRef_fec1f13e,
+    InstanceProfileReference as _InstanceProfileReference_5eee4bbb,
+    ManagedPolicyReference as _ManagedPolicyReference_078bf7cb,
+    OIDCProviderReference as _OIDCProviderReference_9a12fabd,
+    PolicyReference as _PolicyReference_b83371a5,
+    RolePolicyReference as _RolePolicyReference_0cf19357,
+    RoleReference as _RoleReference_447077bb,
+    SAMLProviderReference as _SAMLProviderReference_08e1fac1,
+    ServerCertificateReference as _ServerCertificateReference_0e96ef93,
+    ServiceLinkedRoleReference as _ServiceLinkedRoleReference_863fd3da,
+    UserPolicyReference as _UserPolicyReference_4aa6daa0,
+    UserReference as _UserReference_6bf884c6,
+    UserToGroupAdditionReference as _UserToGroupAdditionReference_94731a73,
+    VirtualMFADeviceReference as _VirtualMFADeviceReference_dd7d7c2b,
+)
 
 
 @jsii.data_type(
@@ -1106,6 +1171,8 @@ class AccessKeyStatus(enum.Enum):
 
     An inactive key cannot be used to make API calls.
     '''
+    EXPIRED = "EXPIRED"
+    '''An expired access key.'''
 
 
 @jsii.data_type(
@@ -1259,7 +1326,7 @@ class AddToResourcePolicyResult:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IAccessKeyRef_e97ef40a)
 class CfnAccessKey(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -1302,7 +1369,8 @@ class CfnAccessKey(
         serial: typing.Optional[jsii.Number] = None,
         status: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::AccessKey``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param user_name: The name of the IAM user that the new key will belong to. This parameter allows (through its `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
@@ -1347,6 +1415,12 @@ class CfnAccessKey(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
+    @builtins.property
+    @jsii.member(jsii_name="accessKeyRef")
+    def access_key_ref(self) -> _AccessKeyReference_2bdfd122:
+        '''A reference to a AccessKey resource.'''
+        return typing.cast(_AccessKeyReference_2bdfd122, jsii.get(self, "accessKeyRef"))
+
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
@@ -1507,7 +1581,7 @@ class CfnAccessKeyProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IGroupRef_aeb1d9f6)
 class CfnGroup(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -1550,7 +1624,8 @@ class CfnGroup(
         path: typing.Optional[builtins.str] = None,
         policies: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnGroup.PolicyProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::Group``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param group_name: The name of the group to create. Do not include the path in this value. The group name must be unique within the account. Group names are not distinguished by case. For example, you cannot create groups named both "ADMINS" and "admins". If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the group name. .. epigraph:: If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name. If you specify a name, you must specify the ``CAPABILITY_NAMED_IAM`` value to acknowledge your template's capabilities. For more information, see `Acknowledging IAM Resources in AWS CloudFormation Templates <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-capabilities>`_ . .. epigraph:: Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using ``Fn::Join`` and ``AWS::Region`` to create a Region-specific name, as in the following example: ``{"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}`` .
@@ -1617,6 +1692,12 @@ class CfnGroup(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="groupRef")
+    def group_ref(self) -> _GroupReference_cd6b1d81:
+        '''A reference to a Group resource.'''
+        return typing.cast(_GroupReference_cd6b1d81, jsii.get(self, "groupRef"))
+
     @builtins.property
     @jsii.member(jsii_name="groupName")
     def group_name(self) -> typing.Optional[builtins.str]:
@@ -1764,7 +1845,7 @@ class CfnGroup(
             )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IGroupPolicyRef_35f73c8c)
 class CfnGroupPolicy(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -1806,7 +1887,8 @@ class CfnGroupPolicy(
         policy_name: builtins.str,
         policy_document: typing.Any = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::GroupPolicy``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param group_name: The name of the group to associate the policy with. This parameter allows (through its `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-.
@@ -1860,6 +1942,12 @@ class CfnGroupPolicy(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="groupPolicyRef")
+    def group_policy_ref(self) -> _GroupPolicyReference_d179b98e:
+        '''A reference to a GroupPolicy resource.'''
+        return typing.cast(_GroupPolicyReference_d179b98e, jsii.get(self, "groupPolicyRef"))
+
     @builtins.property
     @jsii.member(jsii_name="groupName")
     def group_name(self) -> builtins.str:
@@ -2143,7 +2231,7 @@ class CfnGroupProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IInstanceProfileRef_d6832c90)
 class CfnInstanceProfile(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -2181,7 +2269,8 @@ class CfnInstanceProfile(
         instance_profile_name: typing.Optional[builtins.str] = None,
         path: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::InstanceProfile``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param roles: The name of the role to associate with the instance profile. Only one role can be assigned to an EC2 instance at a time, and all applications on the instance share the same role and permissions.
@@ -2246,6 +2335,12 @@ class CfnInstanceProfile(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="instanceProfileRef")
+    def instance_profile_ref(self) -> _InstanceProfileReference_5eee4bbb:
+        '''A reference to a InstanceProfile resource.'''
+        return typing.cast(_InstanceProfileReference_5eee4bbb, jsii.get(self, "instanceProfileRef"))
+
     @builtins.property
     @jsii.member(jsii_name="roles")
     def roles(self) -> typing.List[builtins.str]:
@@ -2389,7 +2484,7 @@ class CfnInstanceProfileProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IManagedPolicyRef_a7a65687)
 class CfnManagedPolicy(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -2441,7 +2536,8 @@ class CfnManagedPolicy(
         roles: typing.Optional[typing.Sequence[builtins.str]] = None,
         users: typing.Optional[typing.Sequence[builtins.str]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::ManagedPolicy``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param policy_document: The JSON policy document that you want to use as the content for the new policy. You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM. The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see `IAM and AWS STS character quotas <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length>`_ . To learn more about JSON policy grammar, see `Grammar of the IAM JSON policy language <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html>`_ in the *IAM User Guide* . The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ used to validate this parameter is a string of characters consisting of the following: - Any printable ASCII character ranging from the space character ( ``\\u0020`` ) through the end of the ASCII character range - The printable characters in the Basic Latin and Latin-1 Supplement character set (through ``\\u00FF`` ) - The special characters tab ( ``\\u0009`` ), line feed ( ``\\u000A`` ), and carriage return ( ``\\u000D`` )
@@ -2585,6 +2681,12 @@ class CfnManagedPolicy(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="managedPolicyRef")
+    def managed_policy_ref(self) -> _ManagedPolicyReference_078bf7cb:
+        '''A reference to a ManagedPolicy resource.'''
+        return typing.cast(_ManagedPolicyReference_078bf7cb, jsii.get(self, "managedPolicyRef"))
+
     @builtins.property
     @jsii.member(jsii_name="policyDocument")
     def policy_document(self) -> typing.Any:
@@ -2881,7 +2983,7 @@ class CfnManagedPolicyProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IOIDCProviderRef_a866c7c8, _ITaggable_36806126)
 class CfnOIDCProvider(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -2942,7 +3044,8 @@ class CfnOIDCProvider(
         thumbprint_list: typing.Optional[typing.Sequence[builtins.str]] = None,
         url: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::OIDCProvider``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param client_id_list: A list of client IDs (also known as audiences) that are associated with the specified IAM OIDC provider resource object. For more information, see `CreateOpenIDConnectProvider <https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateOpenIDConnectProvider.html>`_ .
@@ -3007,6 +3110,12 @@ class CfnOIDCProvider(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="oidcProviderRef")
+    def oidc_provider_ref(self) -> _OIDCProviderReference_9a12fabd:
+        '''A reference to a OIDCProvider resource.'''
+        return typing.cast(_OIDCProviderReference_9a12fabd, jsii.get(self, "oidcProviderRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -3188,7 +3297,7 @@ class CfnOIDCProviderProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IPolicyRef_5e74a0ba)
 class CfnPolicy(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3200,7 +3309,7 @@ class CfnPolicy(
 
     The Groups, Roles, and Users properties are optional. However, you must specify at least one of these properties.
 
-    For information about policy documents see `Creating IAM policies <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html>`_ in the *IAM User Guide* .
+    For information about policy documents, see `Creating IAM policies <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html>`_ in the *IAM User Guide* .
 
     For information about limits on the number of inline policies that you can embed in an identity, see `Limitations on IAM Entities <https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html>`_ in the *IAM User Guide* .
     .. epigraph::
@@ -3245,7 +3354,8 @@ class CfnPolicy(
         roles: typing.Optional[typing.Sequence[builtins.str]] = None,
         users: typing.Optional[typing.Sequence[builtins.str]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::Policy``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param policy_document: The policy document. You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM. The `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ used to validate this parameter is a string of characters consisting of the following: - Any printable ASCII character ranging from the space character ( ``\\u0020`` ) through the end of the ASCII character range - The printable characters in the Basic Latin and Latin-1 Supplement character set (through ``\\u00FF`` ) - The special characters tab ( ``\\u0009`` ), line feed ( ``\\u000A`` ), and carriage return ( ``\\u000D`` )
@@ -3314,6 +3424,12 @@ class CfnPolicy(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="policyRef")
+    def policy_ref(self) -> _PolicyReference_b83371a5:
+        '''A reference to a Policy resource.'''
+        return typing.cast(_PolicyReference_b83371a5, jsii.get(self, "policyRef"))
+
     @builtins.property
     @jsii.member(jsii_name="policyDocument")
     def policy_document(self) -> typing.Any:
@@ -3526,7 +3642,7 @@ class CfnPolicyProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IRoleRef_8400221f, _ITaggable_36806126)
 class CfnRole(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3585,7 +3701,8 @@ class CfnRole(
         role_name: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::Role``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param assume_role_policy_document: The trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role. For an example of a policy that can be used to assume a role, see `Template Examples <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role--examples>`_ . For more information about the elements that you can use in an IAM policy, see `IAM Policy Elements Reference <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html>`_ in the *IAM User Guide* .
@@ -3675,6 +3792,12 @@ class CfnRole(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="roleRef")
+    def role_ref(self) -> _RoleReference_447077bb:
+        '''A reference to a Role resource.'''
+        return typing.cast(_RoleReference_447077bb, jsii.get(self, "roleRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -3892,7 +4015,7 @@ class CfnRole(
             )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IRolePolicyRef_26b13525)
 class CfnRolePolicy(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -3936,7 +4059,8 @@ class CfnRolePolicy(
         role_name: builtins.str,
         policy_document: typing.Any = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::RolePolicy``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param policy_name: The name of the policy document. This parameter allows (through its `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
@@ -3990,6 +4114,12 @@ class CfnRolePolicy(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="rolePolicyRef")
+    def role_policy_ref(self) -> _RolePolicyReference_0cf19357:
+        '''A reference to a RolePolicy resource.'''
+        return typing.cast(_RolePolicyReference_0cf19357, jsii.get(self, "rolePolicyRef"))
+
     @builtins.property
     @jsii.member(jsii_name="policyName")
     def policy_name(self) -> builtins.str:
@@ -4375,7 +4505,7 @@ class CfnRoleProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _ISAMLProviderRef_6e369856, _ITaggable_36806126)
 class CfnSAMLProvider(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -4432,7 +4562,8 @@ class CfnSAMLProvider(
         saml_metadata_document: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::SAMLProvider``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param add_private_key: Specifies the new private key from your external identity provider. The private key must be a .pem file that uses AES-GCM or AES-CBC encryption algorithm to decrypt SAML assertions.
@@ -4512,6 +4643,12 @@ class CfnSAMLProvider(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="samlProviderRef")
+    def saml_provider_ref(self) -> _SAMLProviderReference_08e1fac1:
+        '''A reference to a SAMLProvider resource.'''
+        return typing.cast(_SAMLProviderReference_08e1fac1, jsii.get(self, "samlProviderRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -4856,7 +4993,7 @@ class CfnSAMLProviderProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IServerCertificateRef_005ddfcc, _ITaggable_36806126)
 class CfnServerCertificate(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -4866,7 +5003,7 @@ class CfnServerCertificate(
 
     The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.
 
-    We recommend that you use `AWS Certificate Manager <https://docs.aws.amazon.com/acm/>`_ to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to AWS resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the `AWS Certificate Manager User Guide <https://docs.aws.amazon.com/acm/latest/userguide/>`_ .
+    We recommend that you use `Certificate Manager <https://docs.aws.amazon.com/acm/>`_ to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to AWS resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the `Certificate Manager User Guide <https://docs.aws.amazon.com/acm/latest/userguide/>`_ .
 
     For more information about working with server certificates, see `Working with server certificates <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html>`_ in the *IAM User Guide* . This topic includes a list of AWS services that can use the server certificates that you manage with IAM.
 
@@ -4910,7 +5047,8 @@ class CfnServerCertificate(
         server_certificate_name: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::ServerCertificate``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param certificate_body: The contents of the public key certificate.
@@ -4979,6 +5117,12 @@ class CfnServerCertificate(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="serverCertificateRef")
+    def server_certificate_ref(self) -> _ServerCertificateReference_0e96ef93:
+        '''A reference to a ServerCertificate resource.'''
+        return typing.cast(_ServerCertificateReference_0e96ef93, jsii.get(self, "serverCertificateRef"))
+
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> _TagManager_0a598cb3:
@@ -5224,7 +5368,7 @@ class CfnServerCertificateProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IServiceLinkedRoleRef_ba92e11b)
 class CfnServiceLinkedRole(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -5256,7 +5400,8 @@ class CfnServiceLinkedRole(
         custom_suffix: typing.Optional[builtins.str] = None,
         description: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::ServiceLinkedRole``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param aws_service_name: The service principal for the AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: ``elasticbeanstalk.amazonaws.com`` . Service principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see `AWS services that work with IAM <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html>`_ in the *IAM User Guide* . Look for the services that have *Yes* in the *Service-Linked Role* column. Choose the *Yes* link to view the service-linked role documentation for that service.
@@ -5321,6 +5466,12 @@ class CfnServiceLinkedRole(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="serviceLinkedRoleRef")
+    def service_linked_role_ref(self) -> _ServiceLinkedRoleReference_863fd3da:
+        '''A reference to a ServiceLinkedRole resource.'''
+        return typing.cast(_ServiceLinkedRoleReference_863fd3da, jsii.get(self, "serviceLinkedRoleRef"))
+
     @builtins.property
     @jsii.member(jsii_name="awsServiceName")
     def aws_service_name(self) -> typing.Optional[builtins.str]:
@@ -5453,7 +5604,7 @@ class CfnServiceLinkedRoleProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IUserRef_b0ccca76, _ITaggable_36806126)
 class CfnUser(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -5512,7 +5663,8 @@ class CfnUser(
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         user_name: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::User``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param groups: A list of group names to which you want to add the user.
@@ -5593,6 +5745,12 @@ class CfnUser(
         '''Tag Manager which manages the tags for this resource.'''
         return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userRef")
+    def user_ref(self) -> _UserReference_6bf884c6:
+        '''A reference to a User resource.'''
+        return typing.cast(_UserReference_6bf884c6, jsii.get(self, "userRef"))
+
     @builtins.property
     @jsii.member(jsii_name="groups")
     def groups(self) -> typing.Optional[typing.List[builtins.str]]:
@@ -5876,7 +6034,7 @@ class CfnUser(
             )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IUserPolicyRef_e6abac3e)
 class CfnUserPolicy(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -5918,7 +6076,8 @@ class CfnUserPolicy(
         user_name: builtins.str,
         policy_document: typing.Any = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::UserPolicy``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param policy_name: The name of the policy document. This parameter allows (through its `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
@@ -5972,6 +6131,12 @@ class CfnUserPolicy(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userPolicyRef")
+    def user_policy_ref(self) -> _UserPolicyReference_4aa6daa0:
+        '''A reference to a UserPolicy resource.'''
+        return typing.cast(_UserPolicyReference_4aa6daa0, jsii.get(self, "userPolicyRef"))
+
     @builtins.property
     @jsii.member(jsii_name="policyName")
     def policy_name(self) -> builtins.str:
@@ -6345,7 +6510,7 @@ class CfnUserProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _IUserToGroupAdditionRef_e1276f9a)
 class CfnUserToGroupAddition(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -6377,7 +6542,8 @@ class CfnUserToGroupAddition(
         group_name: builtins.str,
         users: typing.Sequence[builtins.str],
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::UserToGroupAddition``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param group_name: The name of the group to update. This parameter allows (through its `regex pattern <https://docs.aws.amazon.com/http://wikipedia.org/wiki/regex>`_ ) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
@@ -6437,6 +6603,12 @@ class CfnUserToGroupAddition(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userToGroupAdditionRef")
+    def user_to_group_addition_ref(self) -> _UserToGroupAdditionReference_94731a73:
+        '''A reference to a UserToGroupAddition resource.'''
+        return typing.cast(_UserToGroupAdditionReference_94731a73, jsii.get(self, "userToGroupAdditionRef"))
+
     @builtins.property
     @jsii.member(jsii_name="groupName")
     def group_name(self) -> builtins.str:
@@ -6538,7 +6710,7 @@ class CfnUserToGroupAdditionProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556, _ITaggable_36806126)
+@jsii.implements(_IInspectable_c2943556, _IVirtualMFADeviceRef_fec1f13e, _ITaggable_36806126)
 class CfnVirtualMFADevice(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -6586,7 +6758,8 @@ class CfnVirtualMFADevice(
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         virtual_mfa_device_name: typing.Optional[builtins.str] = None,
     ) -> None:
-        '''
+        '''Create a new ``AWS::IAM::VirtualMFADevice``.
+
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param users: The IAM user associated with this virtual MFA device.
@@ -6657,6 +6830,12 @@ class CfnVirtualMFADevice(
         '''Tag Manager which manages the tags for this resource.'''
         return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
 
+    @builtins.property
+    @jsii.member(jsii_name="virtualMfaDeviceRef")
+    def virtual_mfa_device_ref(self) -> _VirtualMFADeviceReference_dd7d7c2b:
+        '''A reference to a VirtualMFADevice resource.'''
+        return typing.cast(_VirtualMFADeviceReference_dd7d7c2b, jsii.get(self, "virtualMfaDeviceRef"))
+
     @builtins.property
     @jsii.member(jsii_name="users")
     def users(self) -> typing.List[builtins.str]:
@@ -7392,7 +7571,7 @@ class Grant(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_iam.Grant"):
         cls,
         *,
         statement: "PolicyStatement",
-        resource: "IResourceWithPolicy",
+        resource: "IResourceWithPolicyV2",
         resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
         actions: typing.Sequence[builtins.str],
         grantee: "IGrantable",
@@ -7419,7 +7598,7 @@ class Grant(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_iam.Grant"):
         from the provided statement, depending on the resource's implementation of
         addToResourcePolicy.
 
-        :param statement: The policy statement to add to the resource's policy. This statement will be passed to the resource's addToResourcePolicy method. The actual handling of the statement depends on the specific IResourceWithPolicy implementation.
+        :param statement: The policy statement to add to the resource's policy. This statement will be passed to the resource's addToResourcePolicy method. The actual handling of the statement depends on the specific IResourceWithPolicyV2 implementation.
         :param resource: The resource with a resource policy. The statement will be added to the resource policy if it couldn't be added to the principal policy.
         :param resource_self_arns: When referring to the resource in a resource policy, use this as ARN. (Depending on the resource type, this needs to be '*' in a resource policy). Default: Same as regular resource ARNs
         :param actions: The actions to grant.
@@ -7483,7 +7662,7 @@ class Grant(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_iam.Grant"):
         Absence of a principal leads to a warning, but failing to add
         the permissions to a present principal is not an error.
 
-        :param scope: Construct to report warnings on in case grant could not be registered. Default: - the construct in which this construct is defined
+        :param scope: (deprecated) Construct to report warnings on in case grant could not be registered. Default: - the construct in which this construct is defined
         :param actions: The actions to grant.
         :param grantee: The principal to grant to. Default: if principal is undefined, no work is done.
         :param resource_arns: The resource ARNs to grant to.
@@ -7504,7 +7683,7 @@ class Grant(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_iam.Grant"):
     def add_to_principal_and_resource(
         cls,
         *,
-        resource: "IResourceWithPolicy",
+        resource: "IResourceWithPolicyV2",
         resource_policy_principal: typing.Optional["IPrincipal"] = None,
         resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
         actions: typing.Sequence[builtins.str],
@@ -7545,7 +7724,7 @@ class Grant(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_iam.Grant"):
     def add_to_principal_or_resource(
         cls,
         *,
-        resource: "IResourceWithPolicy",
+        resource: "IResourceWithPolicyV2",
         resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
         actions: typing.Sequence[builtins.str],
         grantee: "IGrantable",
@@ -7691,7 +7870,7 @@ class GrantOnPrincipalAndResourceOptions(CommonGrantOptions):
         grantee: "IGrantable",
         resource_arns: typing.Sequence[builtins.str],
         conditions: typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]] = None,
-        resource: "IResourceWithPolicy",
+        resource: "IResourceWithPolicyV2",
         resource_policy_principal: typing.Optional["IPrincipal"] = None,
         resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
     ) -> None:
@@ -7716,12 +7895,12 @@ class GrantOnPrincipalAndResourceOptions(CommonGrantOptions):
             # conditions: Any
             # grantable: iam.IGrantable
             # principal: iam.IPrincipal
-            # resource_with_policy: iam.IResourceWithPolicy
+            # resource_with_policy_v2: iam.IResourceWithPolicyV2
             
             grant_on_principal_and_resource_options = iam.GrantOnPrincipalAndResourceOptions(
                 actions=["actions"],
                 grantee=grantable,
-                resource=resource_with_policy,
+                resource=resource_with_policy_v2,
                 resource_arns=["resourceArns"],
             
                 # the properties below are optional
@@ -7792,14 +7971,14 @@ class GrantOnPrincipalAndResourceOptions(CommonGrantOptions):
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]], result)
 
     @builtins.property
-    def resource(self) -> "IResourceWithPolicy":
+    def resource(self) -> "IResourceWithPolicyV2":
         '''The resource with a resource policy.
 
         The statement will always be added to the resource policy.
         '''
         result = self._values.get("resource")
         assert result is not None, "Required property 'resource' is missing"
-        return typing.cast("IResourceWithPolicy", result)
+        return typing.cast("IResourceWithPolicyV2", result)
 
     @builtins.property
     def resource_policy_principal(self) -> typing.Optional["IPrincipal"]:
@@ -7860,7 +8039,7 @@ class GrantOnPrincipalOptions(CommonGrantOptions):
         :param grantee: The principal to grant to. Default: if principal is undefined, no work is done.
         :param resource_arns: The resource ARNs to grant to.
         :param conditions: Any conditions to attach to the grant. Default: - No conditions
-        :param scope: Construct to report warnings on in case grant could not be registered. Default: - the construct in which this construct is defined
+        :param scope: (deprecated) Construct to report warnings on in case grant could not be registered. Default: - the construct in which this construct is defined
 
         :exampleMetadata: fixture=_generated
 
@@ -7943,9 +8122,13 @@ class GrantOnPrincipalOptions(CommonGrantOptions):
 
     @builtins.property
     def scope(self) -> typing.Optional[_constructs_77d1e7e8.IConstruct]:
-        '''Construct to report warnings on in case grant could not be registered.
+        '''(deprecated) Construct to report warnings on in case grant could not be registered.
 
         :default: - the construct in which this construct is defined
+
+        :deprecated: The scope argument is currently unused.
+
+        :stability: deprecated
         '''
         result = self._values.get("scope")
         return typing.cast(typing.Optional[_constructs_77d1e7e8.IConstruct], result)
@@ -7982,7 +8165,7 @@ class GrantWithResourceOptions(CommonGrantOptions):
         grantee: "IGrantable",
         resource_arns: typing.Sequence[builtins.str],
         conditions: typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]] = None,
-        resource: "IResourceWithPolicy",
+        resource: "IResourceWithPolicyV2",
         resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
     ) -> None:
         '''Options for a grant operation.
@@ -8004,12 +8187,12 @@ class GrantWithResourceOptions(CommonGrantOptions):
             
             # conditions: Any
             # grantable: iam.IGrantable
-            # resource_with_policy: iam.IResourceWithPolicy
+            # resource_with_policy_v2: iam.IResourceWithPolicyV2
             
             grant_with_resource_options = iam.GrantWithResourceOptions(
                 actions=["actions"],
                 grantee=grantable,
-                resource=resource_with_policy,
+                resource=resource_with_policy_v2,
                 resource_arns=["resourceArns"],
             
                 # the properties below are optional
@@ -8076,7 +8259,7 @@ class GrantWithResourceOptions(CommonGrantOptions):
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]], result)
 
     @builtins.property
-    def resource(self) -> "IResourceWithPolicy":
+    def resource(self) -> "IResourceWithPolicyV2":
         '''The resource with a resource policy.
 
         The statement will be added to the resource policy if it couldn't be
@@ -8084,7 +8267,7 @@ class GrantWithResourceOptions(CommonGrantOptions):
         '''
         result = self._values.get("resource")
         assert result is not None, "Required property 'resource' is missing"
-        return typing.cast("IResourceWithPolicy", result)
+        return typing.cast("IResourceWithPolicyV2", result)
 
     @builtins.property
     def resource_self_arns(self) -> typing.Optional[typing.List[builtins.str]]:
@@ -8217,7 +8400,11 @@ class GroupProps:
 
 
 @jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IAccessKey")
-class IAccessKey(_IResource_c80c4260, typing_extensions.Protocol):
+class IAccessKey(
+    _IResource_c80c4260,
+    _IAccessKeyRef_e97ef40a,
+    typing_extensions.Protocol,
+):
     '''Represents an IAM Access Key.
 
     :see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
@@ -8244,6 +8431,7 @@ class IAccessKey(_IResource_c80c4260, typing_extensions.Protocol):
 
 class _IAccessKeyProxy(
     jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+    jsii.proxy_for(_IAccessKeyRef_e97ef40a), # type: ignore[misc]
 ):
     '''Represents an IAM Access Key.
 
@@ -8301,7 +8489,11 @@ typing.cast(typing.Any, IGrantable).__jsii_proxy_class__ = lambda : _IGrantableP
 
 
 @jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IInstanceProfile")
-class IInstanceProfile(_IResource_c80c4260, typing_extensions.Protocol):
+class IInstanceProfile(
+    _IResource_c80c4260,
+    _IInstanceProfileRef_d6832c90,
+    typing_extensions.Protocol,
+):
     '''Represents an IAM Instance Profile.'''
 
     @builtins.property
@@ -8331,6 +8523,7 @@ class IInstanceProfile(_IResource_c80c4260, typing_extensions.Protocol):
 
 class _IInstanceProfileProxy(
     jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+    jsii.proxy_for(_IInstanceProfileRef_d6832c90), # type: ignore[misc]
 ):
     '''Represents an IAM Instance Profile.'''
 
@@ -8365,7 +8558,7 @@ typing.cast(typing.Any, IInstanceProfile).__jsii_proxy_class__ = lambda : _IInst
 
 
 @jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IManagedPolicy")
-class IManagedPolicy(typing_extensions.Protocol):
+class IManagedPolicy(_IManagedPolicyRef_a7a65687, typing_extensions.Protocol):
     '''A managed policy.'''
 
     @builtins.property
@@ -8378,7 +8571,9 @@ class IManagedPolicy(typing_extensions.Protocol):
         ...
 
 
-class _IManagedPolicyProxy:
+class _IManagedPolicyProxy(
+    jsii.proxy_for(_IManagedPolicyRef_a7a65687), # type: ignore[misc]
+):
     '''A managed policy.'''
 
     __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_iam.IManagedPolicy"
@@ -8396,8 +8591,69 @@ class _IManagedPolicyProxy:
 typing.cast(typing.Any, IManagedPolicy).__jsii_proxy_class__ = lambda : _IManagedPolicyProxy
 
 
+@jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IOidcProvider")
+class IOidcProvider(
+    _IResource_c80c4260,
+    _IOIDCProviderRef_a866c7c8,
+    typing_extensions.Protocol,
+):
+    '''Represents an IAM OpenID Connect provider.'''
+
+    @builtins.property
+    @jsii.member(jsii_name="oidcProviderArn")
+    def oidc_provider_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.
+
+        :attribute: true
+        '''
+        ...
+
+    @builtins.property
+    @jsii.member(jsii_name="oidcProviderIssuer")
+    def oidc_provider_issuer(self) -> builtins.str:
+        '''The issuer for OIDC Provider.
+
+        :attribute: true
+        '''
+        ...
+
+
+class _IOidcProviderProxy(
+    jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+    jsii.proxy_for(_IOIDCProviderRef_a866c7c8), # type: ignore[misc]
+):
+    '''Represents an IAM OpenID Connect provider.'''
+
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_iam.IOidcProvider"
+
+    @builtins.property
+    @jsii.member(jsii_name="oidcProviderArn")
+    def oidc_provider_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "oidcProviderArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="oidcProviderIssuer")
+    def oidc_provider_issuer(self) -> builtins.str:
+        '''The issuer for OIDC Provider.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "oidcProviderIssuer"))
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IOidcProvider).__jsii_proxy_class__ = lambda : _IOidcProviderProxy
+
+
 @jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IOpenIdConnectProvider")
-class IOpenIdConnectProvider(_IResource_c80c4260, typing_extensions.Protocol):
+class IOpenIdConnectProvider(
+    _IResource_c80c4260,
+    _IOIDCProviderRef_a866c7c8,
+    typing_extensions.Protocol,
+):
     '''Represents an IAM OpenID Connect provider.'''
 
     @builtins.property
@@ -8415,6 +8671,7 @@ class IOpenIdConnectProvider(_IResource_c80c4260, typing_extensions.Protocol):
 
 class _IOpenIdConnectProviderProxy(
     jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+    jsii.proxy_for(_IOIDCProviderRef_a866c7c8), # type: ignore[misc]
 ):
     '''Represents an IAM OpenID Connect provider.'''
 
@@ -8437,7 +8694,7 @@ typing.cast(typing.Any, IOpenIdConnectProvider).__jsii_proxy_class__ = lambda :
 
 
 @jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IPolicy")
-class IPolicy(_IResource_c80c4260, typing_extensions.Protocol):
+class IPolicy(_IResource_c80c4260, _IPolicyRef_5e74a0ba, typing_extensions.Protocol):
     '''Represents an IAM Policy.
 
     :see: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html
@@ -8455,6 +8712,7 @@ class IPolicy(_IResource_c80c4260, typing_extensions.Protocol):
 
 class _IPolicyProxy(
     jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+    jsii.proxy_for(_IPolicyRef_5e74a0ba), # type: ignore[misc]
 ):
     '''Represents an IAM Policy.
 
@@ -8595,8 +8853,8 @@ class _IPrincipalProxy(
 typing.cast(typing.Any, IPrincipal).__jsii_proxy_class__ = lambda : _IPrincipalProxy
 
 
-@jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IResourceWithPolicy")
-class IResourceWithPolicy(_IResource_c80c4260, typing_extensions.Protocol):
+@jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IResourceWithPolicyV2")
+class IResourceWithPolicyV2(_IEnvironmentAware_f39049ee, typing_extensions.Protocol):
     '''A resource with a resource policy that can be added to.'''
 
     @jsii.member(jsii_name="addToResourcePolicy")
@@ -8611,12 +8869,12 @@ class IResourceWithPolicy(_IResource_c80c4260, typing_extensions.Protocol):
         ...
 
 
-class _IResourceWithPolicyProxy(
-    jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+class _IResourceWithPolicyV2Proxy(
+    jsii.proxy_for(_IEnvironmentAware_f39049ee), # type: ignore[misc]
 ):
     '''A resource with a resource policy that can be added to.'''
 
-    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_iam.IResourceWithPolicy"
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_iam.IResourceWithPolicyV2"
 
     @jsii.member(jsii_name="addToResourcePolicy")
     def add_to_resource_policy(
@@ -8628,16 +8886,20 @@ class _IResourceWithPolicyProxy(
         :param statement: -
         '''
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__dc0b619bfbc345bc9140fcc58d59f27472a211b09306f5c2e6b0147efcef6b18)
+            type_hints = typing.get_type_hints(_typecheckingstub__d0411047245e16030f540e191ce067fdd2216fb84afd5f47032486efe2dddfda)
             check_type(argname="argument statement", value=statement, expected_type=type_hints["statement"])
         return typing.cast(AddToResourcePolicyResult, jsii.invoke(self, "addToResourcePolicy", [statement]))
 
 # Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
-typing.cast(typing.Any, IResourceWithPolicy).__jsii_proxy_class__ = lambda : _IResourceWithPolicyProxy
+typing.cast(typing.Any, IResourceWithPolicyV2).__jsii_proxy_class__ = lambda : _IResourceWithPolicyV2Proxy
 
 
 @jsii.interface(jsii_type="aws-cdk-lib.aws_iam.ISamlProvider")
-class ISamlProvider(_IResource_c80c4260, typing_extensions.Protocol):
+class ISamlProvider(
+    _IResource_c80c4260,
+    _ISAMLProviderRef_6e369856,
+    typing_extensions.Protocol,
+):
     '''A SAML provider.'''
 
     @builtins.property
@@ -8652,6 +8914,7 @@ class ISamlProvider(_IResource_c80c4260, typing_extensions.Protocol):
 
 class _ISamlProviderProxy(
     jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+    jsii.proxy_for(_ISAMLProviderRef_6e369856), # type: ignore[misc]
 ):
     '''A SAML provider.'''
 
@@ -8682,14 +8945,25 @@ class InstanceProfile(
 
     Example::
 
+        # vpc: ec2.Vpc
+        
+        
         role = iam.Role(self, "Role",
             assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")
         )
-        
-        instance_profile = iam.InstanceProfile.from_instance_profile_attributes(self, "ImportedInstanceProfile",
-            instance_profile_arn="arn:aws:iam::account-id:instance-profile/MyInstanceProfile",
+        instance_profile = iam.InstanceProfile(self, "InstanceProfile",
             role=role
         )
+        
+        template = ec2.LaunchTemplate(self, "LaunchTemplate",
+            launch_template_name="MyTemplateV1",
+            version_description="This is my v1 template",
+            machine_image=ec2.MachineImage.latest_amazon_linux2023(),
+            security_group=ec2.SecurityGroup(self, "LaunchTemplateSG",
+                vpc=vpc
+            ),
+            instance_profile=instance_profile
+        )
     '''
 
     def __init__(
@@ -8793,6 +9067,12 @@ class InstanceProfile(
             check_type(argname="argument instance_profile_name", value=instance_profile_name, expected_type=type_hints["instance_profile_name"])
         return typing.cast(IInstanceProfile, jsii.sinvoke(cls, "fromInstanceProfileName", [scope, id, instance_profile_name]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="instanceProfileArn")
     def instance_profile_arn(self) -> builtins.str:
@@ -8805,6 +9085,12 @@ class InstanceProfile(
         '''Returns the name of this InstanceProfile.'''
         return typing.cast(builtins.str, jsii.get(self, "instanceProfileName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="instanceProfileRef")
+    def instance_profile_ref(self) -> _InstanceProfileReference_5eee4bbb:
+        '''A reference to a InstanceProfile resource.'''
+        return typing.cast(_InstanceProfileReference_5eee4bbb, jsii.get(self, "instanceProfileRef"))
+
     @builtins.property
     @jsii.member(jsii_name="role")
     def role(self) -> typing.Optional["IRole"]:
@@ -8910,14 +9196,24 @@ class InstanceProfileProps:
 
         Example::
 
+            # vpc: ec2.Vpc
+            
+            
             role = iam.Role(self, "Role",
                 assumed_by=iam.ServicePrincipal("ec2.amazonaws.com")
             )
-            
             instance_profile = iam.InstanceProfile(self, "InstanceProfile",
-                role=role,
-                instance_profile_name="MyInstanceProfile",
-                path="/sample/path/"
+                role=role
+            )
+            
+            template = ec2.LaunchTemplate(self, "LaunchTemplate",
+                launch_template_name="MyTemplateV1",
+                version_description="This is my v1 template",
+                machine_image=ec2.MachineImage.latest_amazon_linux2023(),
+                security_group=ec2.SecurityGroup(self, "LaunchTemplateSG",
+                    vpc=vpc
+                ),
+                instance_profile=instance_profile
             )
         '''
         if __debug__:
@@ -9022,7 +9318,7 @@ class ManagedPolicy(
         *,
         description: typing.Optional[builtins.str] = None,
         document: typing.Optional["PolicyDocument"] = None,
-        groups: typing.Optional[typing.Sequence["IGroup"]] = None,
+        groups: typing.Optional[typing.Sequence[_IGroupRef_aeb1d9f6]] = None,
         managed_policy_name: typing.Optional[builtins.str] = None,
         path: typing.Optional[builtins.str] = None,
         roles: typing.Optional[typing.Sequence["IRole"]] = None,
@@ -9147,7 +9443,7 @@ class ManagedPolicy(
         return typing.cast(None, jsii.invoke(self, "addStatements", [*statement]))
 
     @jsii.member(jsii_name="attachToGroup")
-    def attach_to_group(self, group: "IGroup") -> None:
+    def attach_to_group(self, group: _IGroupRef_aeb1d9f6) -> None:
         '''Attaches this policy to a group.
 
         :param group: -
@@ -9169,7 +9465,7 @@ class ManagedPolicy(
         return typing.cast(None, jsii.invoke(self, "attachToRole", [role]))
 
     @jsii.member(jsii_name="attachToUser")
-    def attach_to_user(self, user: "IUser") -> None:
+    def attach_to_user(self, user: _IUserRef_b0ccca76) -> None:
         '''Attaches this policy to a user.
 
         :param user: -
@@ -9179,6 +9475,12 @@ class ManagedPolicy(
             check_type(argname="argument user", value=user, expected_type=type_hints["user"])
         return typing.cast(None, jsii.invoke(self, "attachToUser", [user]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="description")
     def description(self) -> builtins.str:
@@ -9218,6 +9520,12 @@ class ManagedPolicy(
         '''
         return typing.cast(builtins.str, jsii.get(self, "managedPolicyName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="managedPolicyRef")
+    def managed_policy_ref(self) -> _ManagedPolicyReference_078bf7cb:
+        '''A reference to a ManagedPolicy resource.'''
+        return typing.cast(_ManagedPolicyReference_078bf7cb, jsii.get(self, "managedPolicyRef"))
+
     @builtins.property
     @jsii.member(jsii_name="path")
     def path(self) -> builtins.str:
@@ -9248,7 +9556,7 @@ class ManagedPolicyProps:
         *,
         description: typing.Optional[builtins.str] = None,
         document: typing.Optional["PolicyDocument"] = None,
-        groups: typing.Optional[typing.Sequence["IGroup"]] = None,
+        groups: typing.Optional[typing.Sequence[_IGroupRef_aeb1d9f6]] = None,
         managed_policy_name: typing.Optional[builtins.str] = None,
         path: typing.Optional[builtins.str] = None,
         roles: typing.Optional[typing.Sequence["IRole"]] = None,
@@ -9360,7 +9668,7 @@ class ManagedPolicyProps:
         return typing.cast(typing.Optional["PolicyDocument"], result)
 
     @builtins.property
-    def groups(self) -> typing.Optional[typing.List["IGroup"]]:
+    def groups(self) -> typing.Optional[typing.List[_IGroupRef_aeb1d9f6]]:
         '''Groups to attach this policy to.
 
         You can also use ``attachToGroup(group)`` to attach this policy to a group.
@@ -9368,7 +9676,7 @@ class ManagedPolicyProps:
         :default: - No groups.
         '''
         result = self._values.get("groups")
-        return typing.cast(typing.Optional[typing.List["IGroup"]], result)
+        return typing.cast(typing.Optional[typing.List[_IGroupRef_aeb1d9f6]], result)
 
     @builtins.property
     def managed_policy_name(self) -> typing.Optional[builtins.str]:
@@ -9444,6 +9752,271 @@ class ManagedPolicyProps:
         )
 
 
+@jsii.implements(IOidcProvider)
+class OidcProviderNative(
+    _Resource_45bc6135,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_iam.OidcProviderNative",
+):
+    '''IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce.
+
+    You use an IAM OIDC identity provider
+    when you want to establish trust between an OIDC-compatible IdP and your AWS
+    account. This is useful when creating a mobile app or web application that
+    requires access to AWS resources, but you don't want to create custom sign-in
+    code or manage your own user identities.
+
+    :see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
+    :resource: AWS::IAM::OIDCProvider
+    :exampleMetadata: infused
+
+    Example::
+
+        native_provider = iam.OidcProviderNative(self, "MyProvider",
+            url="https://openid/connect",
+            client_ids=["myclient1", "myclient2"],
+            thumbprints=["aa00aa1122aa00aa1122aa00aa1122aa00aa1122"]
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        url: builtins.str,
+        client_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+        oidc_provider_name: typing.Optional[builtins.str] = None,
+        thumbprints: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> None:
+        '''Defines a Native OpenID Connect provider.
+
+        :param scope: The definition scope.
+        :param id: Construct ID.
+        :param url: The URL of the identity provider. The URL must begin with https:// and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com. You cannot register the same provider multiple times in a single AWS account. If you try to submit a URL that has already been used for an OpenID Connect provider in the AWS account, you will get an error. Warning: This URL cannot contain any port numbers
+        :param client_ids: A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.) You can register multiple client IDs with the same provider. For example, you might have multiple applications that use the same OIDC provider. You cannot register more than 100 client IDs with a single IAM OIDC provider. Client IDs are up to 255 characters long. Default: - no clients are allowed
+        :param oidc_provider_name: The name of the Native OIDC Provider. Default: - A name is automatically generated.
+        :param thumbprints: A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates. Typically this list includes only 1 entry or empty. However, IAM lets you have up to 5 thumbprints for an OIDC provider. This lets you maintain multiple thumbprints if the identity provider is rotating certificates. The server certificate thumbprint is the hex-encoded SHA-1 hash value of the X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string. For example, assume that the OIDC provider is server.example.com and the provider stores its keys at https://keys.server.example.com/openid-connect. In that case, the thumbprint string would be the hex-encoded SHA-1 hash value of the certificate used by https://keys.server.example.com. This property is optional. If it is not included, IAM will retrieve and use the top intermediate certificate authority (CA) thumbprint of the OpenID Connect identity provider server certificate. Obtain the thumbprint of the root certificate authority from the provider's server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html Default: - no thumbprints are allowed. IAM will retrieve and use thumbprint of idenity provider server cerctificate
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__680e816817bfe60e999b472326e5b4b238c62d88192645c5b0bfcd07a0a2a70a)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = OidcProviderNativeProps(
+            url=url,
+            client_ids=client_ids,
+            oidc_provider_name=oidc_provider_name,
+            thumbprints=thumbprints,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="fromOidcProviderArn")
+    @builtins.classmethod
+    def from_oidc_provider_arn(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        oidc_provider_arn: builtins.str,
+    ) -> IOidcProvider:
+        '''Imports an Open ID connect provider from an ARN.
+
+        :param scope: The definition scope.
+        :param id: ID of the construct.
+        :param oidc_provider_arn: the ARN to import.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__2bbbb35dca97e313a334486d4f1f9ad4d587da8ed7cab00044df51dcffea77cc)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument oidc_provider_arn", value=oidc_provider_arn, expected_type=type_hints["oidc_provider_arn"])
+        return typing.cast(IOidcProvider, jsii.sinvoke(cls, "fromOidcProviderArn", [scope, id, oidc_provider_arn]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
+    @builtins.property
+    @jsii.member(jsii_name="oidcProviderArn")
+    def oidc_provider_arn(self) -> builtins.str:
+        '''The Amazon Resource Name (ARN) of the Native IAM OpenID Connect provider.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "oidcProviderArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="oidcProviderIssuer")
+    def oidc_provider_issuer(self) -> builtins.str:
+        '''The issuer for the Native OIDC Provider.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "oidcProviderIssuer"))
+
+    @builtins.property
+    @jsii.member(jsii_name="oidcProviderRef")
+    def oidc_provider_ref(self) -> _OIDCProviderReference_9a12fabd:
+        '''A reference to a OIDCProvider resource.'''
+        return typing.cast(_OIDCProviderReference_9a12fabd, jsii.get(self, "oidcProviderRef"))
+
+    @builtins.property
+    @jsii.member(jsii_name="oidcProviderThumbprints")
+    def oidc_provider_thumbprints(self) -> builtins.str:
+        '''The thumbprints configured for this provider.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "oidcProviderThumbprints"))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_iam.OidcProviderNativeProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "url": "url",
+        "client_ids": "clientIds",
+        "oidc_provider_name": "oidcProviderName",
+        "thumbprints": "thumbprints",
+    },
+)
+class OidcProviderNativeProps:
+    def __init__(
+        self,
+        *,
+        url: builtins.str,
+        client_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+        oidc_provider_name: typing.Optional[builtins.str] = None,
+        thumbprints: typing.Optional[typing.Sequence[builtins.str]] = None,
+    ) -> None:
+        '''Initialization properties for ``OIDCProviderNative``.
+
+        :param url: The URL of the identity provider. The URL must begin with https:// and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com. You cannot register the same provider multiple times in a single AWS account. If you try to submit a URL that has already been used for an OpenID Connect provider in the AWS account, you will get an error. Warning: This URL cannot contain any port numbers
+        :param client_ids: A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.) You can register multiple client IDs with the same provider. For example, you might have multiple applications that use the same OIDC provider. You cannot register more than 100 client IDs with a single IAM OIDC provider. Client IDs are up to 255 characters long. Default: - no clients are allowed
+        :param oidc_provider_name: The name of the Native OIDC Provider. Default: - A name is automatically generated.
+        :param thumbprints: A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates. Typically this list includes only 1 entry or empty. However, IAM lets you have up to 5 thumbprints for an OIDC provider. This lets you maintain multiple thumbprints if the identity provider is rotating certificates. The server certificate thumbprint is the hex-encoded SHA-1 hash value of the X.509 certificate used by the domain where the OpenID Connect provider makes its keys available. It is always a 40-character string. For example, assume that the OIDC provider is server.example.com and the provider stores its keys at https://keys.server.example.com/openid-connect. In that case, the thumbprint string would be the hex-encoded SHA-1 hash value of the certificate used by https://keys.server.example.com. This property is optional. If it is not included, IAM will retrieve and use the top intermediate certificate authority (CA) thumbprint of the OpenID Connect identity provider server certificate. Obtain the thumbprint of the root certificate authority from the provider's server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html Default: - no thumbprints are allowed. IAM will retrieve and use thumbprint of idenity provider server cerctificate
+
+        :exampleMetadata: infused
+
+        Example::
+
+            native_provider = iam.OidcProviderNative(self, "MyProvider",
+                url="https://openid/connect",
+                client_ids=["myclient1", "myclient2"],
+                thumbprints=["aa00aa1122aa00aa1122aa00aa1122aa00aa1122"]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__6981defdaab974b803e9671371e547d5d70ee03239eed02c8d458e1a2e5aa307)
+            check_type(argname="argument url", value=url, expected_type=type_hints["url"])
+            check_type(argname="argument client_ids", value=client_ids, expected_type=type_hints["client_ids"])
+            check_type(argname="argument oidc_provider_name", value=oidc_provider_name, expected_type=type_hints["oidc_provider_name"])
+            check_type(argname="argument thumbprints", value=thumbprints, expected_type=type_hints["thumbprints"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "url": url,
+        }
+        if client_ids is not None:
+            self._values["client_ids"] = client_ids
+        if oidc_provider_name is not None:
+            self._values["oidc_provider_name"] = oidc_provider_name
+        if thumbprints is not None:
+            self._values["thumbprints"] = thumbprints
+
+    @builtins.property
+    def url(self) -> builtins.str:
+        '''The URL of the identity provider.
+
+        The URL must begin with https:// and
+        should correspond to the iss claim in the provider's OpenID Connect ID
+        tokens. Per the OIDC standard, path components are allowed but query
+        parameters are not. Typically the URL consists of only a hostname, like
+        https://server.example.org or https://example.com.
+
+        You cannot register the same provider multiple times in a single AWS
+        account. If you try to submit a URL that has already been used for an
+        OpenID Connect provider in the AWS account, you will get an error.
+
+        Warning: This URL cannot contain any port numbers
+        '''
+        result = self._values.get("url")
+        assert result is not None, "Required property 'url' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def client_ids(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''A list of client IDs (also known as audiences).
+
+        When a mobile or web app
+        registers with an OpenID Connect provider, they establish a value that
+        identifies the application. (This is the value that's sent as the client_id
+        parameter on OAuth requests.)
+
+        You can register multiple client IDs with the same provider. For example,
+        you might have multiple applications that use the same OIDC provider. You
+        cannot register more than 100 client IDs with a single IAM OIDC provider.
+
+        Client IDs are up to 255 characters long.
+
+        :default: - no clients are allowed
+        '''
+        result = self._values.get("client_ids")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    @builtins.property
+    def oidc_provider_name(self) -> typing.Optional[builtins.str]:
+        '''The name of the Native OIDC Provider.
+
+        :default: - A name is automatically generated.
+        '''
+        result = self._values.get("oidc_provider_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def thumbprints(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificates.
+
+        Typically this list includes only 1 entry or empty. However, IAM lets
+        you have up to 5 thumbprints for an OIDC provider. This lets you maintain
+        multiple thumbprints if the identity provider is rotating certificates.
+
+        The server certificate thumbprint is the hex-encoded SHA-1 hash value of
+        the X.509 certificate used by the domain where the OpenID Connect provider
+        makes its keys available. It is always a 40-character string.
+
+        For example, assume that the OIDC provider is server.example.com and the
+        provider stores its keys at https://keys.server.example.com/openid-connect.
+        In that case, the thumbprint string would be the hex-encoded SHA-1 hash
+        value of the certificate used by https://keys.server.example.com.
+
+        This property is optional. If it is not included, IAM will retrieve and use
+        the top intermediate certificate authority (CA) thumbprint of the OpenID
+        Connect identity provider server certificate.
+
+        Obtain the thumbprint of the root certificate authority from the provider's
+        server as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
+
+        :default:
+
+        - no thumbprints are allowed. IAM will retrieve and use thumbprint
+        of idenity provider server cerctificate
+        '''
+        result = self._values.get("thumbprints")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "OidcProviderNativeProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.implements(IOpenIdConnectProvider)
 class OpenIdConnectProvider(
     _Resource_45bc6135,
@@ -9458,6 +10031,24 @@ class OpenIdConnectProvider(
     requires access to AWS resources, but you don't want to create custom sign-in
     code or manage your own user identities.
 
+    ⚠️ **IMPORTANT NOTICE FOR CONTRIBUTORS** ⚠️
+
+    **DO NOT ADD NEW FEATURES TO THIS CONSTRUCT**
+
+    This construct uses a custom resource with Lambda functions and is maintained
+    for backward compatibility only. We cannot deprecate it due to its usage in
+    existing services like EKS (see https://github.com/aws/aws-cdk/pull/28634#discussion_r1842962697).
+
+    For new functionality, developers should use ``OidcProviderNative`` instead, which
+    utilizes the native CloudFormation resource ``AWS::IAM::OIDCProvider`` and provides
+    the same functionality with less complexity.
+
+    If you are considering adding features to this construct, please:
+
+    1. Consider implementing the feature in ``OidcProviderNative`` instead
+    2. Discuss with the CDK team before proceeding
+    3. Ensure any changes maintain strict backward compatibility
+
     :see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
     :resource: AWS::CloudFormation::CustomResource
     :exampleMetadata: infused
@@ -9518,6 +10109,18 @@ class OpenIdConnectProvider(
             check_type(argname="argument open_id_connect_provider_arn", value=open_id_connect_provider_arn, expected_type=type_hints["open_id_connect_provider_arn"])
         return typing.cast(IOpenIdConnectProvider, jsii.sinvoke(cls, "fromOpenIdConnectProviderArn", [scope, id, open_id_connect_provider_arn]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
+    @builtins.property
+    @jsii.member(jsii_name="oidcProviderRef")
+    def oidc_provider_ref(self) -> _OIDCProviderReference_9a12fabd:
+        '''A reference to a OIDCProvider resource.'''
+        return typing.cast(_OIDCProviderReference_9a12fabd, jsii.get(self, "oidcProviderRef"))
+
     @builtins.property
     @jsii.member(jsii_name="openIdConnectProviderArn")
     def open_id_connect_provider_arn(self) -> builtins.str:
@@ -9848,6 +10451,12 @@ class Policy(
             check_type(argname="argument user", value=user, expected_type=type_hints["user"])
         return typing.cast(None, jsii.invoke(self, "attachToUser", [user]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="document")
     def document(self) -> "PolicyDocument":
@@ -9869,6 +10478,12 @@ class Policy(
         '''
         return typing.cast(builtins.str, jsii.get(self, "policyName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="policyRef")
+    def policy_ref(self) -> _PolicyReference_b83371a5:
+        '''A reference to a Policy resource.'''
+        return typing.cast(_PolicyReference_b83371a5, jsii.get(self, "policyRef"))
+
 
 @jsii.implements(_IResolvable_da3f097b)
 class PolicyDocument(
@@ -10762,6 +11377,12 @@ class PolicyStatement(
         '''
         return typing.cast(typing.List[builtins.str], jsii.invoke(self, "validateForResourcePolicy", []))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="actions")
     def actions(self) -> typing.List[builtins.str]:
@@ -11470,18 +12091,18 @@ class SamlMetadataDocument(
 ):
     '''A SAML metadata document.
 
-    :exampleMetadata: infused
+    :exampleMetadata: fixture=client-vpn infused
 
     Example::
 
-        provider = iam.SamlProvider(self, "Provider",
-            metadata_document=iam.SamlMetadataDocument.from_file("/path/to/saml-metadata-document.xml")
+        vpc.add_client_vpn_endpoint("Endpoint",
+            cidr="10.100.0.0/16",
+            server_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id",
+            # Mutual authentication
+            client_certificate_arn="arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id",
+            # User-based authentication
+            user_based_authentication=ec2.ClientVpnUserBasedAuthentication.federated(saml_provider)
         )
-        principal = iam.SamlPrincipal(provider, {
-            "StringEquals": {
-                "SAML:iss": "issuer"
-            }
-        })
     '''
 
     def __init__(self) -> None:
@@ -11593,12 +12214,24 @@ class SamlProvider(
             check_type(argname="argument saml_provider_arn", value=saml_provider_arn, expected_type=type_hints["saml_provider_arn"])
         return typing.cast(ISamlProvider, jsii.sinvoke(cls, "fromSamlProviderArn", [scope, id, saml_provider_arn]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="samlProviderArn")
     def saml_provider_arn(self) -> builtins.str:
         '''The Amazon Resource Name (ARN) of the provider.'''
         return typing.cast(builtins.str, jsii.get(self, "samlProviderArn"))
 
+    @builtins.property
+    @jsii.member(jsii_name="samlProviderRef")
+    def saml_provider_ref(self) -> _SAMLProviderReference_08e1fac1:
+        '''A reference to a SAMLProvider resource.'''
+        return typing.cast(_SAMLProviderReference_08e1fac1, jsii.get(self, "samlProviderRef"))
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_iam.SamlProviderProps",
@@ -12232,12 +12865,24 @@ class AccessKey(
 
         jsii.create(self.__class__, self, [scope, id, props])
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="accessKeyId")
     def access_key_id(self) -> builtins.str:
         '''The Access Key ID.'''
         return typing.cast(builtins.str, jsii.get(self, "accessKeyId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="accessKeyRef")
+    def access_key_ref(self) -> _AccessKeyReference_2bdfd122:
+        '''A reference to a AccessKey resource.'''
+        return typing.cast(_AccessKeyReference_2bdfd122, jsii.get(self, "accessKeyRef"))
+
     @builtins.property
     @jsii.member(jsii_name="secretAccessKey")
     def secret_access_key(self) -> _SecretValue_3dd0ddae:
@@ -12266,7 +12911,7 @@ class GrantPolicyWithResourceOptions(GrantWithResourceOptions):
         grantee: IGrantable,
         resource_arns: typing.Sequence[builtins.str],
         conditions: typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]] = None,
-        resource: IResourceWithPolicy,
+        resource: IResourceWithPolicyV2,
         resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
         statement: PolicyStatement,
     ) -> None:
@@ -12282,7 +12927,7 @@ class GrantPolicyWithResourceOptions(GrantWithResourceOptions):
         :param conditions: Any conditions to attach to the grant. Default: - No conditions
         :param resource: The resource with a resource policy. The statement will be added to the resource policy if it couldn't be added to the principal policy.
         :param resource_self_arns: When referring to the resource in a resource policy, use this as ARN. (Depending on the resource type, this needs to be '*' in a resource policy). Default: Same as regular resource ARNs
-        :param statement: The policy statement to add to the resource's policy. This statement will be passed to the resource's addToResourcePolicy method. The actual handling of the statement depends on the specific IResourceWithPolicy implementation.
+        :param statement: The policy statement to add to the resource's policy. This statement will be passed to the resource's addToResourcePolicy method. The actual handling of the statement depends on the specific IResourceWithPolicyV2 implementation.
 
         :exampleMetadata: infused
 
@@ -12369,7 +13014,7 @@ class GrantPolicyWithResourceOptions(GrantWithResourceOptions):
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]], result)
 
     @builtins.property
-    def resource(self) -> IResourceWithPolicy:
+    def resource(self) -> IResourceWithPolicyV2:
         '''The resource with a resource policy.
 
         The statement will be added to the resource policy if it couldn't be
@@ -12377,7 +13022,7 @@ class GrantPolicyWithResourceOptions(GrantWithResourceOptions):
         '''
         result = self._values.get("resource")
         assert result is not None, "Required property 'resource' is missing"
-        return typing.cast(IResourceWithPolicy, result)
+        return typing.cast(IResourceWithPolicyV2, result)
 
     @builtins.property
     def resource_self_arns(self) -> typing.Optional[typing.List[builtins.str]]:
@@ -12395,7 +13040,7 @@ class GrantPolicyWithResourceOptions(GrantWithResourceOptions):
         '''The policy statement to add to the resource's policy.
 
         This statement will be passed to the resource's addToResourcePolicy method.
-        The actual handling of the statement depends on the specific IResourceWithPolicy
+        The actual handling of the statement depends on the specific IResourceWithPolicyV2
         implementation.
         '''
         result = self._values.get("statement")
@@ -12562,8 +13207,48 @@ class _IIdentityProxy(
 typing.cast(typing.Any, IIdentity).__jsii_proxy_class__ = lambda : _IIdentityProxy
 
 
+@jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IResourceWithPolicy")
+class IResourceWithPolicy(
+    IResourceWithPolicyV2,
+    _IResource_c80c4260,
+    typing_extensions.Protocol,
+):
+    '''(deprecated) A resource with a resource policy that can be added to.
+
+    This interface is maintained for backwards compatibility, but should
+    not be used in new code. Prefer ``IResourceWithPolicyV2`` instead.
+
+    :deprecated: Implement ``IResourceWithPolicyV2`` instead.
+
+    :stability: deprecated
+    '''
+
+    pass
+
+
+class _IResourceWithPolicyProxy(
+    jsii.proxy_for(IResourceWithPolicyV2), # type: ignore[misc]
+    jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+):
+    '''(deprecated) A resource with a resource policy that can be added to.
+
+    This interface is maintained for backwards compatibility, but should
+    not be used in new code. Prefer ``IResourceWithPolicyV2`` instead.
+
+    :deprecated: Implement ``IResourceWithPolicyV2`` instead.
+
+    :stability: deprecated
+    '''
+
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_iam.IResourceWithPolicy"
+    pass
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, IResourceWithPolicy).__jsii_proxy_class__ = lambda : _IResourceWithPolicyProxy
+
+
 @jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IRole")
-class IRole(IIdentity, typing_extensions.Protocol):
+class IRole(IIdentity, _IRoleRef_8400221f, typing_extensions.Protocol):
     '''A Role object.'''
 
     @builtins.property
@@ -12612,6 +13297,7 @@ class IRole(IIdentity, typing_extensions.Protocol):
 
 class _IRoleProxy(
     jsii.proxy_for(IIdentity), # type: ignore[misc]
+    jsii.proxy_for(_IRoleRef_8400221f), # type: ignore[misc]
 ):
     '''A Role object.'''
 
@@ -12675,7 +13361,7 @@ typing.cast(typing.Any, IRole).__jsii_proxy_class__ = lambda : _IRoleProxy
 
 
 @jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IUser")
-class IUser(IIdentity, typing_extensions.Protocol):
+class IUser(IIdentity, _IUserRef_b0ccca76, typing_extensions.Protocol):
     '''Represents an IAM user.
 
     :see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html
@@ -12710,6 +13396,7 @@ class IUser(IIdentity, typing_extensions.Protocol):
 
 class _IUserProxy(
     jsii.proxy_for(IIdentity), # type: ignore[misc]
+    jsii.proxy_for(_IUserRef_b0ccca76), # type: ignore[misc]
 ):
     '''Represents an IAM user.
 
@@ -12926,6 +13613,12 @@ class LazyRole(
             check_type(argname="argument identity", value=identity, expected_type=type_hints["identity"])
         return typing.cast(Grant, jsii.invoke(self, "grantPassRole", [identity]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="assumeRoleAction")
     def assume_role_action(self) -> builtins.str:
@@ -12965,6 +13658,12 @@ class LazyRole(
         '''Returns the name of this role.'''
         return typing.cast(builtins.str, jsii.get(self, "roleName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="roleRef")
+    def role_ref(self) -> _RoleReference_447077bb:
+        '''A reference to a Role resource.'''
+        return typing.cast(_RoleReference_447077bb, jsii.get(self, "roleRef"))
+
     @builtins.property
     @jsii.member(jsii_name="principalAccount")
     def principal_account(self) -> typing.Optional[builtins.str]:
@@ -13575,25 +14274,25 @@ class Role(
     Defines an IAM role. The role is created with an assume policy document associated with
     the specified AWS service principal defined in ``serviceAssumeRole``.
 
-    :exampleMetadata: infused
+    :exampleMetadata: fixture=default infused
 
     Example::
 
-        # Option 3: Create a new role that allows the account root principal to assume. Add this role in the `system:masters` and witch to this role from the AWS console.
-        # cluster: eks.Cluster
-        
-        
-        console_read_only_role = iam.Role(self, "ConsoleReadOnlyRole",
-            assumed_by=iam.ArnPrincipal("arn_for_trusted_principal")
+        # Create a custom execution role
+        execution_role = iam.Role(self, "BrowserExecutionRole",
+            assumed_by=iam.ServicePrincipal("bedrock-agentcore.amazonaws.com"),
+            managed_policies=[
+                iam.ManagedPolicy.from_aws_managed_policy_name("AmazonBedrockAgentCoreBrowserExecutionRolePolicy")
+            ]
         )
-        console_read_only_role.add_to_policy(iam.PolicyStatement(
-            actions=["eks:AccessKubernetesApi", "eks:Describe*", "eks:List*"
-            ],
-            resources=[cluster.cluster_arn]
-        ))
         
-        # Add this role to system:masters RBAC group
-        cluster.aws_auth.add_masters_role(console_read_only_role)
+        # Create browser with custom execution role
+        browser = agentcore.BrowserCustom(self, "MyBrowser",
+            browser_custom_name="my_browser",
+            description="Browser with custom execution role",
+            network_configuration=agentcore.BrowserNetworkConfiguration.using_public_network(),
+            execution_role=execution_role
+        )
     '''
 
     def __init__(
@@ -13936,6 +14635,12 @@ class Role(
 
         return typing.cast(IRole, jsii.invoke(self, "withoutPolicyUpdates", [options]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="assumeRoleAction")
     def assume_role_action(self) -> builtins.str:
@@ -13978,6 +14683,12 @@ class Role(
         '''Returns the name of the role.'''
         return typing.cast(builtins.str, jsii.get(self, "roleName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="roleRef")
+    def role_ref(self) -> _RoleReference_447077bb:
+        '''A reference to a Role resource.'''
+        return typing.cast(_RoleReference_447077bb, jsii.get(self, "roleRef"))
+
     @builtins.property
     @jsii.member(jsii_name="assumeRolePolicy")
     def assume_role_policy(self) -> typing.Optional[PolicyDocument]:
@@ -14010,20 +14721,25 @@ class ServicePrincipal(
 ):
     '''An IAM principal that represents an AWS service (i.e. ``sqs.amazonaws.com``).
 
-    :exampleMetadata: infused
+    :exampleMetadata: fixture=default infused
 
     Example::
 
-        # definition: sfn.IChainable
-        role = iam.Role(self, "Role",
-            assumed_by=iam.ServicePrincipal("lambda.amazonaws.com")
-        )
-        state_machine = sfn.StateMachine(self, "StateMachine",
-            definition_body=sfn.DefinitionBody.from_chainable(definition)
+        # Create a custom execution role
+        execution_role = iam.Role(self, "BrowserExecutionRole",
+            assumed_by=iam.ServicePrincipal("bedrock-agentcore.amazonaws.com"),
+            managed_policies=[
+                iam.ManagedPolicy.from_aws_managed_policy_name("AmazonBedrockAgentCoreBrowserExecutionRolePolicy")
+            ]
         )
         
-        # Give role permission to get execution history of ALL executions for the state machine
-        state_machine.grant_execution(role, "states:GetExecutionHistory")
+        # Create browser with custom execution role
+        browser = agentcore.BrowserCustom(self, "MyBrowser",
+            browser_custom_name="my_browser",
+            description="Browser with custom execution role",
+            network_configuration=agentcore.BrowserNetworkConfiguration.using_public_network(),
+            execution_role=execution_role
+        )
     '''
 
     def __init__(
@@ -14470,6 +15186,12 @@ class User(
             check_type(argname="argument policy", value=policy, expected_type=type_hints["policy"])
         return typing.cast(None, jsii.invoke(self, "attachInlinePolicy", [policy]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="assumeRoleAction")
     def assume_role_action(self) -> builtins.str:
@@ -14506,6 +15228,12 @@ class User(
         '''
         return typing.cast(builtins.str, jsii.get(self, "userName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="userRef")
+    def user_ref(self) -> _UserReference_6bf884c6:
+        '''A reference to a User resource.'''
+        return typing.cast(_UserReference_6bf884c6, jsii.get(self, "userRef"))
+
     @builtins.property
     @jsii.member(jsii_name="permissionsBoundary")
     def permissions_boundary(self) -> typing.Optional[IManagedPolicy]:
@@ -14541,7 +15269,7 @@ class ArnPrincipal(
     Example::
 
         # Option 2: create your custom mastersRole with scoped assumeBy arn as the Cluster prop. Switch to this role from the AWS console.
-        from aws_cdk.lambda_layer_kubectl_v32 import KubectlV32Layer
+        from aws_cdk.lambda_layer_kubectl_v34 import KubectlV34Layer
         # vpc: ec2.Vpc
         
         
@@ -14551,8 +15279,8 @@ class ArnPrincipal(
         
         cluster = eks.Cluster(self, "EksCluster",
             vpc=vpc,
-            version=eks.KubernetesVersion.V1_32,
-            kubectl_layer=KubectlV32Layer(self, "KubectlLayer"),
+            version=eks.KubernetesVersion.V1_34,
+            kubectl_layer=KubectlV34Layer(self, "KubectlLayer"),
             masters_role=masters_role
         )
         
@@ -14849,7 +15577,7 @@ class FederatedPrincipal(
 
 
 @jsii.interface(jsii_type="aws-cdk-lib.aws_iam.IGroup")
-class IGroup(IIdentity, typing_extensions.Protocol):
+class IGroup(IIdentity, _IGroupRef_aeb1d9f6, typing_extensions.Protocol):
     '''Represents an IAM Group.
 
     :see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html
@@ -14876,6 +15604,7 @@ class IGroup(IIdentity, typing_extensions.Protocol):
 
 class _IGroupProxy(
     jsii.proxy_for(IIdentity), # type: ignore[misc]
+    jsii.proxy_for(_IGroupRef_aeb1d9f6), # type: ignore[misc]
 ):
     '''Represents an IAM Group.
 
@@ -14982,7 +15711,7 @@ class SamlPrincipal(
 
     def __init__(
         self,
-        saml_provider: ISamlProvider,
+        saml_provider: _ISAMLProviderRef_6e369856,
         conditions: typing.Mapping[builtins.str, typing.Any],
     ) -> None:
         '''
@@ -15111,13 +15840,15 @@ class AccountRootPrincipal(
 
     Example::
 
-        bucket = s3.Bucket(self, "MyBucket")
-        result = bucket.add_to_resource_policy(
-            iam.PolicyStatement(
-                actions=["s3:GetObject"],
-                resources=[bucket.arn_for_objects("file.txt")],
-                principals=[iam.AccountRootPrincipal()]
-            ))
+        # Adds to IAM user's policy (not resource policy)
+        # user: iam.User
+        table = dynamodb.TableV2(self, "Table",
+            partition_key=dynamodb.Attribute(name="pk", type=dynamodb.AttributeType.STRING)
+        )
+        
+        # Automatically adds to table's resource policy (same account)
+        table.grant_read_data(iam.AccountRootPrincipal())
+        table.grant_read_data(user)
     '''
 
     def __init__(self) -> None:
@@ -15330,6 +16061,12 @@ class Group(
             check_type(argname="argument policy", value=policy, expected_type=type_hints["policy"])
         return typing.cast(None, jsii.invoke(self, "attachInlinePolicy", [policy]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PROPERTY_INJECTION_ID")
+    def PROPERTY_INJECTION_ID(cls) -> builtins.str:
+        '''Uniquely identifies this class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "PROPERTY_INJECTION_ID"))
+
     @builtins.property
     @jsii.member(jsii_name="assumeRoleAction")
     def assume_role_action(self) -> builtins.str:
@@ -15354,6 +16091,12 @@ class Group(
         '''Returns the IAM Group Name.'''
         return typing.cast(builtins.str, jsii.get(self, "groupName"))
 
+    @builtins.property
+    @jsii.member(jsii_name="groupRef")
+    def group_ref(self) -> _GroupReference_cd6b1d81:
+        '''A reference to a Group resource.'''
+        return typing.cast(_GroupReference_cd6b1d81, jsii.get(self, "groupRef"))
+
     @builtins.property
     @jsii.member(jsii_name="policyFragment")
     def policy_fragment(self) -> PrincipalPolicyFragment:
@@ -15393,7 +16136,7 @@ class OpenIdConnectPrincipal(
 
     def __init__(
         self,
-        open_id_connect_provider: IOpenIdConnectProvider,
+        open_id_connect_provider: _IOIDCProviderRef_a866c7c8,
         conditions: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
     ) -> None:
         '''
@@ -15525,10 +16268,12 @@ __all__ = [
     "IIdentity",
     "IInstanceProfile",
     "IManagedPolicy",
+    "IOidcProvider",
     "IOpenIdConnectProvider",
     "IPolicy",
     "IPrincipal",
     "IResourceWithPolicy",
+    "IResourceWithPolicyV2",
     "IRole",
     "ISamlProvider",
     "IUser",
@@ -15539,6 +16284,8 @@ __all__ = [
     "LazyRoleProps",
     "ManagedPolicy",
     "ManagedPolicyProps",
+    "OidcProviderNative",
+    "OidcProviderNativeProps",
     "OpenIdConnectPrincipal",
     "OpenIdConnectProvider",
     "OpenIdConnectProviderProps",
@@ -16728,7 +17475,7 @@ def _typecheckingstub__a60e5877e638d22c44d2e72be768df7f85caf47bec9ab2e6b2adcce82
     grantee: IGrantable,
     resource_arns: typing.Sequence[builtins.str],
     conditions: typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]] = None,
-    resource: IResourceWithPolicy,
+    resource: IResourceWithPolicyV2,
     resource_policy_principal: typing.Optional[IPrincipal] = None,
     resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
 ) -> None:
@@ -16752,7 +17499,7 @@ def _typecheckingstub__d76f68f1d67dcad526c87768d88423a4092a0ef3127be7cb534620448
     grantee: IGrantable,
     resource_arns: typing.Sequence[builtins.str],
     conditions: typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]] = None,
-    resource: IResourceWithPolicy,
+    resource: IResourceWithPolicyV2,
     resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -16773,7 +17520,7 @@ def _typecheckingstub__7c10aadcc3756f5f6d5486d7ecd5cabd7845be5964af1722a9d4962d5
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__dc0b619bfbc345bc9140fcc58d59f27472a211b09306f5c2e6b0147efcef6b18(
+def _typecheckingstub__d0411047245e16030f540e191ce067fdd2216fb84afd5f47032486efe2dddfda(
     statement: PolicyStatement,
 ) -> None:
     """Type checking stubs"""
@@ -16839,7 +17586,7 @@ def _typecheckingstub__2cd427eaa6d6959043bb705f947d652220f35431c484ef548899b9f81
     *,
     description: typing.Optional[builtins.str] = None,
     document: typing.Optional[PolicyDocument] = None,
-    groups: typing.Optional[typing.Sequence[IGroup]] = None,
+    groups: typing.Optional[typing.Sequence[_IGroupRef_aeb1d9f6]] = None,
     managed_policy_name: typing.Optional[builtins.str] = None,
     path: typing.Optional[builtins.str] = None,
     roles: typing.Optional[typing.Sequence[IRole]] = None,
@@ -16878,7 +17625,7 @@ def _typecheckingstub__dc09c2f794b8d270cf58515acd36f16f22c50e8e485667751a6b6bf54
     pass
 
 def _typecheckingstub__53947185e012309c9619b70da30bfebeef3a52fedd6d8eca19e9a8e96853c82e(
-    group: IGroup,
+    group: _IGroupRef_aeb1d9f6,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -16890,7 +17637,7 @@ def _typecheckingstub__d3b5752936a78a06ee1095be0dc5362932d7db4aa0245a456f4cfea45
     pass
 
 def _typecheckingstub__d3b5f4b1c957b78ec0d5ae0e80dc7f2471a55d293c6a67e32ef5a2046d89543d(
-    user: IUser,
+    user: _IUserRef_b0ccca76,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -16899,7 +17646,7 @@ def _typecheckingstub__9ac402af2b963b15f12c561030bd732418fdef258857572111b9a8118
     *,
     description: typing.Optional[builtins.str] = None,
     document: typing.Optional[PolicyDocument] = None,
-    groups: typing.Optional[typing.Sequence[IGroup]] = None,
+    groups: typing.Optional[typing.Sequence[_IGroupRef_aeb1d9f6]] = None,
     managed_policy_name: typing.Optional[builtins.str] = None,
     path: typing.Optional[builtins.str] = None,
     roles: typing.Optional[typing.Sequence[IRole]] = None,
@@ -16909,6 +17656,36 @@ def _typecheckingstub__9ac402af2b963b15f12c561030bd732418fdef258857572111b9a8118
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__680e816817bfe60e999b472326e5b4b238c62d88192645c5b0bfcd07a0a2a70a(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    url: builtins.str,
+    client_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+    oidc_provider_name: typing.Optional[builtins.str] = None,
+    thumbprints: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__2bbbb35dca97e313a334486d4f1f9ad4d587da8ed7cab00044df51dcffea77cc(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    oidc_provider_arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__6981defdaab974b803e9671371e547d5d70ee03239eed02c8d458e1a2e5aa307(
+    *,
+    url: builtins.str,
+    client_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+    oidc_provider_name: typing.Optional[builtins.str] = None,
+    thumbprints: typing.Optional[typing.Sequence[builtins.str]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__270fe9db45fea69c973ea36d667d5236d0463996999ebebabf67dbaafe739d10(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -17311,7 +18088,7 @@ def _typecheckingstub__0475ec23892b6dacf8e0426b204cca68a4091056bb08c20a72dbc06d2
     grantee: IGrantable,
     resource_arns: typing.Sequence[builtins.str],
     conditions: typing.Optional[typing.Mapping[builtins.str, typing.Mapping[builtins.str, typing.Any]]] = None,
-    resource: IResourceWithPolicy,
+    resource: IResourceWithPolicyV2,
     resource_self_arns: typing.Optional[typing.Sequence[builtins.str]] = None,
     statement: PolicyStatement,
 ) -> None:
@@ -17793,7 +18570,7 @@ def _typecheckingstub__4dc4375c7e3b272eef905d1d27c4bd67aa9d9f51ccb424f15955369df
     pass
 
 def _typecheckingstub__703e9a9603562e94536f153d5ccc52492ff19cc38ed968f3b1f3e31592a8ae7f(
-    saml_provider: ISamlProvider,
+    saml_provider: _ISAMLProviderRef_6e369856,
     conditions: typing.Mapping[builtins.str, typing.Any],
 ) -> None:
     """Type checking stubs"""
@@ -17870,7 +18647,7 @@ def _typecheckingstub__f8334d09c64ac01b56e25eccb0dd778a954e4f613c776ac3447cf3f13
     pass
 
 def _typecheckingstub__11057e2b11d9138bde96aa84215de1b5dba16e8c36af672dbebea8a1c33f4310(
-    open_id_connect_provider: IOpenIdConnectProvider,
+    open_id_connect_provider: _IOIDCProviderRef_a866c7c8,
     conditions: typing.Optional[typing.Mapping[builtins.str, typing.Any]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -17882,3 +18659,6 @@ def _typecheckingstub__c7271e79a3715a166397ac94ded3c4043db8b40c10213ffae6abbb3a1
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IAccessKey, IAssumeRolePrincipal, IComparablePrincipal, IGrantable, IGroup, IIdentity, IInstanceProfile, IManagedPolicy, IOidcProvider, IOpenIdConnectProvider, IPolicy, IPrincipal, IResourceWithPolicy, IResourceWithPolicyV2, IRole, ISamlProvider, IUser]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])