MDAA TS Docs

    IAM role generation configuration with persona-based permissions, trust policies, and managed policy attachments. Supports multiple trust principals, conditional access, and both AWS and customer managed policies.

    Use cases: Automated role creation; Persona-based permissions; Multi-principal trust; Conditional access

    AWS: IAM role with configurable trust policy, managed policy attachments, and CDK Nag suppressions

    Validation: trustedPrincipal required; all other properties optional

    interface GenerateRoleProps {
        additionalTrustedPrincipals?: TrustedPrincipalProps[];
        assumeRoleTrustConditions?: { [key: string]: unknown };
        awsManagedPolicies?: string[];
        basePersona?: BasePersona;
        customerManagedPolicies?: string[];
        generatedPolicies?: string[];
        suppressions?: SuppressionProps[];
        trustedPrincipal: string;
        verbatimRoleName?: boolean;
    }

    Properties

    additionalTrustedPrincipals?: TrustedPrincipalProps[]

    Additional principals that can assume this role beyond the primary. Each entry can grant further trusted actions (e.g. sts:SetSourceIdentity or sts:TagSession) to that principal alone; since such actions widen what the principal can do with the session, grant them per principal rather than to every trusted principal.

    Use cases: Multi-service trust; Cross-account sharing; Complex trust relationships

    AWS: IAM role trust policy additional principals

    Validation: Optional; array of valid TrustedPrincipalProps

    assumeRoleTrustConditions?: { [key: string]: unknown }

    IAM conditions for the assume role trust policy, keyed by condition operator (e.g. StringEquals on aws:PrincipalArn). Provides context-aware restrictions on who may assume the role.

    Use cases: Conditional role assumption; IP-based restrictions; Principal ARN constraints

    AWS: IAM trust policy conditions

    Validation: Optional; must be valid IAM condition key-value pairs

    awsManagedPolicies?: string[]

    AWS managed policy names to attach (e.g. "service-role/AWSGlueServiceRole").

    Use cases: Standardized AWS permissions; Common service role policies

    AWS: AWS managed policy attachments on IAM role

    Validation: Optional; array of valid AWS managed policy names

    basePersona?: BasePersona

    Base persona determining the default set of MDAA managed policies attached to the role. Valid values: data-admin, data-engineer, data-scientist.

    Use cases: Standardized permission sets; Role template application

    AWS: MDAA persona-based managed policy attachments

    Validation: Optional; must be valid BasePersona enum value

    customerManagedPolicies?: string[]

    Existing customer managed policy names to attach.

    Use cases: Organization-specific permissions; Pre-existing policy reuse

    AWS: Customer managed policy attachments on IAM role

    Validation: Optional; array of valid customer managed policy names

    generatedPolicies?: string[]

    Names of policies from the generatePolicies config section to attach.

    Use cases: Dynamic policy attachment; Config-driven permission management

    AWS: Generated managed policy attachments on IAM role

    Validation: Optional; must reference valid policy names from generatePolicies config
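    The three policy lists above resolve to managed policy ARNs at synthesis time, and a dangling generatedPolicies reference or a full ARN pasted where a name is expected only surfaces at deploy time. The following is an added illustration, not MDAA's own code: it resolves awsManagedPolicies and customerManagedPolicies to ARNs, checks generatedPolicies against the names defined in the generatePolicies section, and flags duplicates and the IAM per-role managed policy quota. The ARN form of generated policies, the helper names and the sample config are assumptions; basePersona policies are not modelled.

```typescript
// Added illustration, not MDAA's own code: resolve the three managed-policy lists in
// GenerateRoleProps to attachable ARNs and surface the references that would otherwise
// fail only at deploy time. The ARN form of generated policies is an assumption.
interface PolicyAttachmentProps {
  awsManagedPolicies?: string[];
  customerManagedPolicies?: string[];
  generatedPolicies?: string[];
}

export interface AttachmentPlan { arns: string[]; errors: string[] }

// IAM allows 10 managed policies per role by default (quota raisable to 20). basePersona
// policies, not modelled here, also count toward it.
export const MAX_MANAGED_POLICIES_PER_ROLE = 10;

export function planAttachments(
  props: PolicyAttachmentProps,
  generatePoliciesNames: string[], // names defined in the generatePolicies config section
  accountId: string,
  partition = "aws",
): AttachmentPlan {
  const arns: string[] = [];
  const errors: string[] = [];

  // AWS managed policies live under the "aws" pseudo-account and may carry a path prefix
  // such as service-role/. A full ARN in either list is a misplaced entry, not a name.
  for (const name of props.awsManagedPolicies ?? []) {
    if (/^arn:/.test(name)) errors.push(`awsManagedPolicies expects a policy name, not an ARN: ${name}`);
    else arns.push(`arn:${partition}:iam::aws:policy/${name}`);
  }
  for (const name of props.customerManagedPolicies ?? []) {
    if (/^arn:/.test(name)) errors.push(`customerManagedPolicies expects a policy name, not an ARN: ${name}`);
    else arns.push(`arn:${partition}:iam::${accountId}:policy/${name}`);
  }
  // generatedPolicies must name entries of generatePolicies; catch dangling references here.
  for (const name of props.generatedPolicies ?? []) {
    if (generatePoliciesNames.indexOf(name) === -1) errors.push(`generatedPolicies references an undefined policy: ${name}`);
    else arns.push(`arn:${partition}:iam::${accountId}:policy/${name}`);
  }

  // Duplicates are reported rather than silently dropped: the same name in two lists usually
  // signals a copy-paste mistake in the config.
  const unique = arns.filter((a, i) => arns.indexOf(a) === i);
  if (unique.length !== arns.length) errors.push("duplicate managed policy attachment");
  if (unique.length > MAX_MANAGED_POLICIES_PER_ROLE) {
    errors.push(`${unique.length} managed policies exceed the per-role quota of ${MAX_MANAGED_POLICIES_PER_ROLE}`);
  }
  return { arns: unique, errors };
}

// Constructed sample config (not from the page); the second generated name is a typo to be caught.
export const SAMPLE_ATTACHMENTS: PolicyAttachmentProps = {
  awsManagedPolicies: ["service-role/AWSGlueServiceRole"],
  customerManagedPolicies: ["OrgBaseline"],
  generatedPolicies: ["lakehouse-read", "lakehouse-rite"],
};

console.log(JSON.stringify(planAttachments(SAMPLE_ATTACHMENTS, ["lakehouse-read", "lakehouse-write"], "111122223333"), null, 2));
```

    Run this against the config before synthesis; a non-empty errors list should fail the build rather than be logged and ignored.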

    suppressions?: SuppressionProps[]

    CDK Nag suppressions to apply to the generated role, if required by the role configuration.

    trustedPrincipal: string

    Primary trusted principal for the role's trust policy. Supports formats: "this_account", "service:svc.amazonaws.com", "federation:name", or ARN.

    Use cases: Service trust; Cross-account trust; Federation-based assume role

    AWS: IAM role trust policy primary principal

    Validation: Required; must be valid principal identifier
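    The trustedPrincipal, additionalTrustedPrincipals and assumeRoleTrustConditions properties together define the role's trust policy. The following added example (not MDAA's own code) renders that policy from a config object so the effect of each field can be inspected before deployment: it resolves the four documented principal formats, gives each additional principal its own statement with any extra trusted actions, and validates the condition block against the IAM condition operator grammar. TrustedPrincipalProps is not defined on this page, so its shape, the mapping of "federation:<name>" to a same-account SAML provider, the choice to apply conditions to the primary statement only, and the sample config are all assumptions.

```typescript
// Added illustration, not MDAA's own code: render the IAM trust policy that the
// trust-related fields of GenerateRoleProps describe. TrustedPrincipalProps is not
// defined on this page; its shape here is an assumption.
interface TrustedPrincipalProps {
  trustedPrincipal: string;            // same formats as GenerateRoleProps.trustedPrincipal
  additionalTrustedActions?: string[]; // e.g. ["sts:SetSourceIdentity", "sts:TagSession"]
}

// The subset of GenerateRoleProps that shapes the trust policy.
interface TrustProps {
  trustedPrincipal: string;
  additionalTrustedPrincipals?: TrustedPrincipalProps[];
  assumeRoleTrustConditions?: { [key: string]: unknown };
}

type Principal = { AWS?: string; Service?: string; Federated?: string };
type Condition = { [operator: string]: { [key: string]: unknown } };
interface TrustStatement { Effect: "Allow"; Principal: Principal; Action: string[]; Condition?: Condition }

// Resolve the documented principal formats. "federation:<name>" is assumed to name a SAML
// identity provider in the same account; the page does not say how MDAA resolves it.
export function resolvePrincipal(spec: string, accountId: string, partition = "aws"): Principal {
  if (spec === "this_account") return { AWS: `arn:${partition}:iam::${accountId}:root` };
  if (/^service:/.test(spec)) return { Service: spec.slice("service:".length) };
  if (/^federation:/.test(spec)) {
    return { Federated: `arn:${partition}:iam::${accountId}:saml-provider/${spec.slice("federation:".length)}` };
  }
  if (/^arn:[a-z-]+:iam::\d{12}:(root|user\/.+|role\/.+)$/.test(spec)) return { AWS: spec };
  throw new Error(`unrecognised trusted principal: ${spec}`);
}

// Federated principals assume via the SAML flow in this example; everything else uses sts:AssumeRole.
function baseAction(p: Principal): string {
  return p.Federated ? "sts:AssumeRoleWithSAML" : "sts:AssumeRole";
}

// Valid IAM condition operators, optionally prefixed by a set operator and/or suffixed IfExists.
const CONDITION_OPERATOR = /^(ForAnyValue:|ForAllValues:)?(String(Equals|NotEquals|EqualsIgnoreCase|NotEqualsIgnoreCase|Like|NotLike)|(Numeric|Date)(Equals|NotEquals|LessThan|LessThanEquals|GreaterThan|GreaterThanEquals)|Bool|BinaryEquals|IpAddress|NotIpAddress|Arn(Equals|Like|NotEquals|NotLike)|Null)(IfExists)?$/;

// Reject malformed conditions before synthesis: a typo such as "StringEqual" would otherwise
// fail only at deploy time, and an empty operator block restricts nothing.
export function validateConditions(c: { [key: string]: unknown }): Condition {
  for (const op of Object.keys(c)) {
    const keys = c[op];
    if (!CONDITION_OPERATOR.test(op)) throw new Error(`invalid IAM condition operator: ${op}`);
    if (typeof keys !== "object" || keys === null || Object.keys(keys).length === 0) {
      throw new Error(`condition ${op} must map condition keys to values`);
    }
  }
  return c as Condition;
}

export function renderTrustPolicy(props: TrustProps, accountId: string) {
  const primary = resolvePrincipal(props.trustedPrincipal, accountId);
  const primaryStmt: TrustStatement = { Effect: "Allow", Principal: primary, Action: [baseAction(primary)] };
  // Conditions go on the primary statement only here (the page does not say whether MDAA also
  // applies them to additional principals). Keys such as aws:PrincipalArn are not present on
  // service-principal requests, so copying the condition onto a Service statement would lock
  // that service out.
  if (props.assumeRoleTrustConditions) {
    primaryStmt.Condition = validateConditions(props.assumeRoleTrustConditions);
  }
  const extra: TrustStatement[] = (props.additionalTrustedPrincipals ?? []).map((a): TrustStatement => {
    const p = resolvePrincipal(a.trustedPrincipal, accountId);
    return { Effect: "Allow", Principal: p, Action: [baseAction(p), ...(a.additionalTrustedActions ?? [])] };
  });
  return { Version: "2012-10-17", Statement: [primaryStmt, ...extra] };
}

// Constructed sample config (not from the page): same-account trust narrowed to one role via
// aws:PrincipalArn, plus Glue and a cross-account role allowed to set a source identity.
export const SAMPLE_TRUST: TrustProps = {
  trustedPrincipal: "this_account",
  assumeRoleTrustConditions: {
    StringEquals: { "aws:PrincipalArn": "arn:aws:iam::111122223333:role/DataEngineer" },
  },
  additionalTrustedPrincipals: [
    { trustedPrincipal: "service:glue.amazonaws.com" },
    {
      trustedPrincipal: "arn:aws:iam::444455556666:role/PartnerAnalytics",
      additionalTrustedActions: ["sts:SetSourceIdentity", "sts:TagSession"],
    },
  ],
};

console.log(JSON.stringify(renderTrustPolicy(SAMPLE_TRUST, "111122223333"), null, 2));
```

    The rendered document is what to review: trusting "this_account" alone admits every IAM principal in the account, so the aws:PrincipalArn condition is what actually narrows the primary statement, and each additional principal's extra actions are visible per statement rather than granted globally.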

    verbatimRoleName?: boolean

    When true, uses the exact role name without MDAA naming prefixes.

    Use cases: Legacy integration; Exact role name requirements

    AWS: IAM role naming control

    Validation: Optional; boolean

    Default: false