{ "description": "Permission is the Schema for the Permissions API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "PermissionSpec defines the desired state of Permission.", "properties": { "name": { "description": "Specifies the name of the customer managed permission. The name must be unique\nwithin the Amazon Web Services Region.\n\nRegex Pattern: `^[\\w.-]*$`", "type": "string" }, "policyTemplate": { "description": "A string in JSON format string that contains the following elements of a\nresource-based policy:\n\n - Effect: must be set to ALLOW.\n\n - Action: specifies the actions that are allowed by this customer managed\n permission. The list must contain only actions that are supported by the\n specified resource type. For a list of all actions supported by each resource\n type, see Actions, resources, and condition keys for Amazon Web Services\n services (https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)\n in the Identity and Access Management User Guide.\n\n - Condition: (optional) specifies conditional parameters that must evaluate\n to true when a user attempts an action for that action to be allowed.\n For more information about the Condition element, see IAM policies: Condition\n element (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html)\n in the Identity and Access Management User Guide.\n\nThis template can't include either the Resource or Principal elements. Those\nare both filled in by RAM when it instantiates the resource-based policy\non each resource shared using this managed permission. The Resource comes\nfrom the ARN of the specific resource that you are sharing. The Principal\ncomes from the list of identities added to the resource share.", "type": "string" }, "resourceType": { "description": "Specifies the name of the resource type that this customer managed permission\napplies to.\n\nThe format is : and is not case sensitive. For example, to specify an Amazon\nEC2 Subnet, you can use the string ec2:subnet. To see the list of valid values\nfor this parameter, query the ListResourceTypes operation.", "type": "string" }, "tags": { "description": "Specifies a list of one or more tag key and value pairs to attach to the\npermission.", "items": { "description": "A structure containing a tag. A tag is metadata that you can attach to your\nresources to help organize and categorize them. You can also use them to\nhelp you secure your resources. For more information, see Controlling access\nto Amazon Web Services resources using tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html).\n\nFor more information about tags, see Tagging Amazon Web Services resources\n(https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the Amazon\nWeb Services General Reference Guide.", "properties": { "key": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "name", "policyTemplate", "resourceType" ], "type": "object", "additionalProperties": false }, "status": { "description": "PermissionStatus defines the observed state of Permission", "properties": { "ackResourceMetadata": { "description": "All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource", "properties": { "arn": { "description": "ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270", "type": "string" }, "ownerAccountID": { "description": "OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.", "type": "string" }, "region": { "description": "Region is the AWS region in which the resource exists or will exist.", "type": "string" } }, "required": [ "ownerAccountID", "region" ], "type": "object", "additionalProperties": false }, "conditions": { "description": "All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource", "items": { "description": "Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states of the CR and its backend AWS\nservice API resource", "properties": { "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition.", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, Unknown.", "type": "string" }, "type": { "description": "Type is the type of the Condition", "type": "string" } }, "required": [ "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "creationTime": { "description": "The date and time when the permission was created.", "format": "date-time", "type": "string" }, "defaultVersion": { "description": "Specifies whether the version of the managed permission used by this resource\nshare is the default version for this managed permission.", "type": "boolean" }, "featureSet": { "description": "Indicates what features are available for this resource share. This parameter\ncan have one of the following values:\n\n * STANDARD \u2013 A resource share that supports all functionality. These\n resource shares are visible to all principals you share the resource share\n with. You can modify these resource shares in RAM using the console or\n APIs. This resource share might have been created by RAM, or it might\n have been CREATED_FROM_POLICY and then promoted.\n\n * CREATED_FROM_POLICY \u2013 The customer manually shared a resource by attaching\n a resource-based policy. That policy did not match any existing managed\n permissions, so RAM created this customer managed permission automatically\n on the customer's behalf based on the attached policy document. This type\n of resource share is visible only to the Amazon Web Services account that\n created it. You can't modify it in RAM unless you promote it. For more\n information, see PromoteResourceShareCreatedFromPolicy.\n\n * PROMOTING_TO_STANDARD \u2013 This resource share was originally CREATED_FROM_POLICY,\n but the customer ran the PromoteResourceShareCreatedFromPolicy and that\n operation is still in progress. This value changes to STANDARD when complete.", "type": "string" }, "isResourceTypeDefault": { "description": "Specifies whether the managed permission associated with this resource share\nis the default managed permission for all resources of this resource type.", "type": "boolean" }, "lastUpdatedTime": { "description": "The date and time when the permission was last updated.", "format": "date-time", "type": "string" }, "permissionType": { "description": "The type of managed permission. This can be one of the following values:\n\n * AWS_MANAGED \u2013 Amazon Web Services created and manages this managed\n permission. You can associate it with your resource shares, but you can't\n modify it.\n\n * CUSTOMER_MANAGED \u2013 You, or another principal in your account created\n this managed permission. You can associate it with your resource shares\n and create new versions that have different permissions.", "type": "string" }, "status": { "description": "The current status of the permission.", "type": "string" }, "version": { "description": "The version of the permission associated with this resource share.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object" }