Permission
ram.services.k8s.aws/v1alpha1
| Type | Link |
|---|---|
| GoDoc | ram-controller/apis/v1alpha1#Permission |
Metadata
| Property | Value |
|---|---|
| Scope | Namespaced |
| Kind | Permission |
| ListKind | PermissionList |
| Plural | permissions |
| Singular | permission |
Spec
name: string
policyTemplate: string
resourceType: string
tags:
- key: string
value: string
| Field | Description |
|---|---|
| name Required | string Specifies the name of the customer managed permission. The name must be unique within the Amazon Web Services Region. |
| policyTemplate Required | string A string in JSON format string that contains the following elements of a resource-based policy: * Effect: must be set to ALLOW. * Action: specifies the actions that are allowed by this customer managed permission. The list must contain only actions that are supported by the specified resource type. For a list of all actions supported by each resource type, see Actions, resources, and condition keys for Amazon Web Services services (https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the Identity and Access Management User Guide. * Condition: (optional) specifies conditional parameters that must evaluate to true when a user attempts an action for that action to be allowed. For more information about the Condition element, see IAM policies: Condition element (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the Identity and Access Management User Guide. This template can’t include either the Resource or Principal elements. Those are both filled in by RAM when it instantiates the resource-based policy on each resource shared using this managed permission. The Resource comes from the ARN of the specific resource that you are sharing. The Principal comes from the list of identities added to the resource share. |
| resourceType Required | string Specifies the name of the resource type that this customer managed permission applies to. The format is example, to specify an Amazon EC2 Subnet, you can use the string ec2:subnet. To see the list of valid values for this parameter, query the ListResourceTypes operation. |
| tags Optional | array Specifies a list of one or more tag key and value pairs to attach to the permission. |
| tags.[] Required | object A structure containing a tag. A tag is metadata that you can attach to your |
| resources to help organize and categorize them. You can also use them to | |
| help you secure your resources. For more information, see Controlling access | |
| to Amazon Web Services resources using tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html). |
For more information about tags, see Tagging Amazon Web Services resources
(https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the Amazon
Web Services General Reference Guide. || tags.[].key
Optional | string
|
| tags.[].value
Optional | string
|
Status
ackResourceMetadata:
arn: string
ownerAccountID: string
region: string
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
creationTime: string
defaultVersion: boolean
featureSet: string
isResourceTypeDefault: boolean
lastUpdatedTime: string
permissionType: string
status: string
version: string
| Field | Description |
|---|---|
| ackResourceMetadata Optional | object All CRs managed by ACK have a common Status.ACKResourceMetadata memberthat is used to contain resource sync state, account ownership, constructed ARN for the resource |
| ackResourceMetadata.arn Optional | string ARN is the Amazon Resource Name for the resource. This is a globally-unique identifier and is set only by the ACK service controller once the controller has orchestrated the creation of the resource OR when it has verified that an “adopted” resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR’s Spec field values. TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270 |
| ackResourceMetadata.ownerAccountID Required | string OwnerAccountID is the AWS Account ID of the account that owns the backend AWS service API resource. |
| ackResourceMetadata.region Required | string Region is the AWS region in which the resource exists or will exist. |
| conditions Optional | array All CRS managed by ACK have a common Status.Conditions member thatcontains a collection of ackv1alpha1.Condition objects that describethe various terminal states of the CR and its backend AWS service API resource |
| conditions.[] Required | object Condition is the common struct used by all CRDs managed by ACK service |
| controllers to indicate terminal states of the CR and its backend AWS | |
| service API resource | |
| conditions.[].message Optional | string A human readable message indicating details about the transition. |
| conditions.[].reason Optional | string The reason for the condition’s last transition. |
| conditions.[].status Optional | string Status of the condition, one of True, False, Unknown. |
| conditions.[].type Optional | string Type is the type of the Condition |
| creationTime Optional | string The date and time when the permission was created. |
| defaultVersion Optional | boolean Specifies whether the version of the managed permission used by this resource share is the default version for this managed permission. |
| featureSet Optional | string Indicates what features are available for this resource share. This parameter can have one of the following values: * STANDARD – A resource share that supports all functionality. These resource shares are visible to all principals you share the resource share with. You can modify these resource shares in RAM using the console or APIs. This resource share might have been created by RAM, or it might have been CREATED_FROM_POLICY and then promoted. * CREATED_FROM_POLICY – The customer manually shared a resource by attaching a resource-based policy. That policy did not match any existing managed permissions, so RAM created this customer managed permission automatically on the customer’s behalf based on the attached policy document. This type of resource share is visible only to the Amazon Web Services account that created it. You can’t modify it in RAM unless you promote it. For more information, see PromoteResourceShareCreatedFromPolicy. * PROMOTING_TO_STANDARD – This resource share was originally CREATED_FROM_POLICY, but the customer ran the PromoteResourceShareCreatedFromPolicy and that operation is still in progress. This value changes to STANDARD when complete. |
| isResourceTypeDefault Optional | boolean Specifies whether the managed permission associated with this resource share is the default managed permission for all resources of this resource type. |
| lastUpdatedTime Optional | string The date and time when the permission was last updated. |
| permissionType Optional | string The type of managed permission. This can be one of the following values: * AWS_MANAGED – Amazon Web Services created and manages this managed permission. You can associate it with your resource shares, but you can’t modify it. * CUSTOMER_MANAGED – You, or another principal in your account created this managed permission. You can associate it with your resource shares and create new versions that have different permissions. |
| status Optional | string The current status of the permission. |
| version Optional | string The version of the permission associated with this resource share. |