Changes in the IAM Policy Builder API from version 1 to version 2
This topic details the changes in the IAM Policy Builder API from version 1 (v1) to version 2 (v2).
High-level changes
Change | v1 | v2 |
---|---|---|
Maven dependencies | | |
Package name | com.amazonaws.auth.policy | software.amazon.awssdk.policybuilder.iam |
Class names | Statement, Resource, Principal, Condition, and service-specific action enums such as SQSActions | IamStatement, IamAction, IamResource, IamPrincipal, IamCondition |
API changes
Setting | v1 | v2 |
---|---|---|
Instantiate a policy | | |
Set id | | |
Set version | N/A - uses the default version of 2012-10-17 | |
Create statement | | |
Set statement | | |
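The following is an added example and is not code from the AWS documentation page. It builds the same policy with the v1 API and with the v2 IAM Policy Builder API, covering each row of the table above (instantiate, set id, set version, create and set a statement) plus an action, a resource and a condition, and serializes both to JSON. It assumes that the v1 core module (package com.amazonaws.auth.policy) and the v2 iam-policy-builder module (package software.amazon.awssdk.policybuilder.iam) are both on the classpath; the queue ARN, account ID and organization ID are constructed sample values.

```java
// Added example (not from the AWS documentation page): one SQS queue policy built
// with the v1 API and with the v2 IAM Policy Builder API, then rendered as JSON.
// Assumes both SDK modules are on the classpath. The ARN, account ID and
// organization ID below are constructed sample values.
import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Resource;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.actions.SQSActions;
import com.amazonaws.auth.policy.conditions.StringCondition;
import com.amazonaws.auth.policy.conditions.StringCondition.StringComparisonType;

import software.amazon.awssdk.policybuilder.iam.IamAction;
import software.amazon.awssdk.policybuilder.iam.IamCondition;
import software.amazon.awssdk.policybuilder.iam.IamConditionOperator;
import software.amazon.awssdk.policybuilder.iam.IamEffect;
import software.amazon.awssdk.policybuilder.iam.IamPolicy;
import software.amazon.awssdk.policybuilder.iam.IamResource;
import software.amazon.awssdk.policybuilder.iam.IamStatement;

public class PolicyBuilderMigration {

    // Constructed sample values; they do not refer to a real account or queue.
    static final String QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders";
    static final String ORG_ID = "o-exampleorgid";

    /** v1: mutable objects, service-specific action enums, Condition subclasses. */
    static String buildWithV1() {
        Statement statement = new Statement(Statement.Effect.Allow)   // create statement
                .withId("AllowSendFromOrg")
                .withActions(SQSActions.SendMessage)                    // enum action
                .withResources(new Resource(QUEUE_ARN))                 // ARN string in constructor
                .withConditions(new StringCondition(                    // Condition subclass
                        StringComparisonType.StringEquals, "aws:PrincipalOrgID", ORG_ID));
        Policy policy = new Policy()                                    // instantiate policy
                .withId("OrdersQueuePolicy")                            // set id
                .withStatements(statement);                             // set statement
        // v1 has no version setter; it emits the default 2012-10-17.
        return policy.toJson();
    }

    /** v2: immutable builders, action names as strings, IamConditionOperator constants. */
    static String buildWithV2() {
        IamStatement statement = IamStatement.builder()                 // create statement
                .sid("AllowSendFromOrg")
                .effect(IamEffect.ALLOW)
                .addAction(IamAction.create("sqs:SendMessage"))         // action from string
                .addResource(IamResource.create(QUEUE_ARN))             // resource from ARN
                .addCondition(IamCondition.create(
                        IamConditionOperator.STRING_EQUALS, "aws:PrincipalOrgID", ORG_ID))
                .build();
        IamPolicy policy = IamPolicy.builder()                          // instantiate policy
                .id("OrdersQueuePolicy")                                // set id
                .version("2012-10-17")                                  // set version explicitly
                .addStatement(statement)                                // set statement
                .build();
        return policy.toJson();
    }

    public static void main(String[] args) {
        System.out.println("v1:\n" + buildWithV1());
        System.out.println("v2:\n" + buildWithV2());
    }
}
```

Both outputs describe the same grant: only principals inside the organization may send to the queue. Diffing the two JSON documents is a quick way to confirm a migrated policy before it is attached to a resource, since key ordering and whitespace may differ while the semantics must not.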
Differences in building a statement
Actions
v1
The v1 SDK represents the Action element of a policy statement with service-specific enum types, such as SQSActions. The following example shows the SendMessage constant of SQSActions.
Action action = SQSActions.SendMessage;
You cannot add a NotAction element to a statement in v1.
v2
In v2, you create an action by passing the action name as a string to the IamAction.create method, as shown in the following code.
IamAction action = IamAction.create("sqs:SendMessage");
You can add a NotAction element to a statement in v2 by calling the addNotAction method of the statement builder, as shown in the following code.
IamAction action = IamAction.create("sqs:SendMessage");
IamStatement.builder().addNotAction(action);
Conditions
v1
To represent statement conditions, the v1 SDK uses subclasses of Condition. Each Condition subclass defines a comparison enum type that selects the operator for the condition. For example, the following shows a StringNotLike comparison.
Condition condition = new StringCondition(StringComparisonType.StringNotLike, "key", "value");
v2
In v2, you build a condition for a policy statement with IamCondition and supply an IamConditionOperator, which defines constants for all condition operators. The following shows the same StringNotLike comparison.
IamCondition condition = IamCondition.create(IamConditionOperator.STRING_NOT_LIKE, "key", "value");
Resources
v1
A policy statement's Resource element is represented by the SDK's Resource class. You supply the ARN as a string in the constructor; several service-specific subclasses provide convenience constructors.
In v1, you turn a Resource into a NotResource element by calling the withIsNotType method, as shown in the following statement.
Resource resource = new Resource("arn:aws:s3:::mybucket").withIsNotType(true);
v2
In v2, you create a Resource element by passing an ARN to the IamResource.create method.
IamResource resource = IamResource.create("arn:aws:s3:::mybucket");
An IamResource becomes a NotResource element when you add it with the statement builder's addNotResource method.
IamResource resource = IamResource.create("arn:aws:s3:::mybucket");
IamStatement.builder().addNotResource(resource);
IamResource.ALL represents all resources (the wildcard *).
Principals
v1
The v1 SDK provides the following predefined Principal instances to represent every member of a principal type:
- AllUsers
- AllServices
- AllWebProviders
- All
You cannot add a NotPrincipal element to a statement in v1.
v2
In v2, IamPrincipal.ALL represents all principals (a Principal element of *).
To represent all members of one principal type, pass the IamPrincipalType constant together with the wildcard "*" when you create an IamPrincipal:
- IamPrincipal.create(IamPrincipalType.AWS, "*") for all users.
- IamPrincipal.create(IamPrincipalType.SERVICE, "*") for all services.
- IamPrincipal.create(IamPrincipalType.FEDERATED, "*") for all web providers.
- IamPrincipal.create(IamPrincipalType.CANONICAL_USER, "*") for all canonical users.
You can use the addNotPrincipal method of the statement builder to add a NotPrincipal element when you create a policy statement, as shown in the following code.
IamPrincipal principal = IamPrincipal.create(IamPrincipalType.AWS, "arn:aws:iam::444455556666:root");
IamStatement.builder().addNotPrincipal(principal);
Treat IamPrincipal.ALL and NotPrincipal with care: a Principal of * matches anonymous (unauthenticated) requests as well as every AWS account, and AWS recommends against pairing NotPrincipal with an Allow effect, because that grants access to every principal that is not listed. Both are normally used only in statements whose effect is Deny.
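The following is an added example and is not code from the AWS documentation page. It shows the three negated elements introduced in v2 (NotPrincipal, NotAction and NotResource) together with IamPrincipal.ALL, each paired with a Deny effect, which is the form in which they are safe to use: a resource-based bucket policy that refuses every principal other than one role and refuses plaintext requests from everyone, and an identity-based policy that confines a principal to read-only use of that one bucket. It assumes only that the v2 iam-policy-builder module is on the classpath; the bucket name, role ARN and account ID are constructed sample values.

```java
// Added example (not from the AWS documentation page): NotPrincipal, NotAction and
// NotResource with the v2 builder, each under Effect Deny. Assumes the v2
// iam-policy-builder module (package software.amazon.awssdk.policybuilder.iam)
// is on the classpath. All ARNs and the account ID are constructed samples.
import software.amazon.awssdk.policybuilder.iam.IamAction;
import software.amazon.awssdk.policybuilder.iam.IamCondition;
import software.amazon.awssdk.policybuilder.iam.IamConditionOperator;
import software.amazon.awssdk.policybuilder.iam.IamEffect;
import software.amazon.awssdk.policybuilder.iam.IamPolicy;
import software.amazon.awssdk.policybuilder.iam.IamPrincipal;
import software.amazon.awssdk.policybuilder.iam.IamPrincipalType;
import software.amazon.awssdk.policybuilder.iam.IamResource;
import software.amazon.awssdk.policybuilder.iam.IamStatement;

public class NegatedPolicyElements {

    // Constructed sample values; they do not refer to a real account, bucket or role.
    static final String BUCKET_ARN = "arn:aws:s3:::example-payroll-bucket";
    static final String OBJECTS_ARN = BUCKET_ARN + "/*";
    static final String ADMIN_ROLE_ARN = "arn:aws:iam::111122223333:role/PayrollAdmin";

    /** Resource-based (bucket) policy: a Principal is required, so NotPrincipal and IamPrincipal.ALL apply. */
    static IamPolicy bucketPolicy() {
        // Deny + NotPrincipal: every principal except the admin role is refused.
        // Allow + NotPrincipal would instead admit every principal that is not listed.
        IamStatement denyAllButAdmin = IamStatement.builder()
                .sid("DenyAllButPayrollAdmin")
                .effect(IamEffect.DENY)
                .addNotPrincipal(IamPrincipal.create(IamPrincipalType.AWS, ADMIN_ROLE_ARN))
                .addAction(IamAction.create("s3:*"))
                .addResource(IamResource.create(BUCKET_ARN))
                .addResource(IamResource.create(OBJECTS_ARN))
                .build();
        // IamPrincipal.ALL ("Principal": "*") is acceptable here because the effect is
        // Deny: everyone, the admin role included, is refused non-TLS requests.
        IamStatement denyInsecureTransport = IamStatement.builder()
                .sid("DenyNonTls")
                .effect(IamEffect.DENY)
                .addPrincipal(IamPrincipal.ALL)
                .addAction(IamAction.create("s3:*"))
                .addResource(IamResource.create(BUCKET_ARN))
                .addResource(IamResource.create(OBJECTS_ARN))
                .addCondition(IamCondition.create(
                        IamConditionOperator.BOOL, "aws:SecureTransport", "false"))
                .build();
        return IamPolicy.builder()
                .version("2012-10-17")
                .addStatement(denyAllButAdmin)
                .addStatement(denyInsecureTransport)
                .build();
    }

    /** Identity-based policy: no Principal element; NotAction and NotResource, again only under Deny. */
    static IamPolicy identityPolicy() {
        // Deny + NotAction: any action on this bucket that is not one of the two read
        // calls is refused, including S3 actions that do not exist yet.
        IamStatement readOnlyOnBucket = IamStatement.builder()
                .sid("ReadOnlyOnPayrollBucket")
                .effect(IamEffect.DENY)
                .addNotAction(IamAction.create("s3:GetObject"))
                .addNotAction(IamAction.create("s3:ListBucket"))
                .addResource(IamResource.create(BUCKET_ARN))
                .addResource(IamResource.create(OBJECTS_ARN))
                .build();
        // Deny + NotResource: S3 calls against anything other than this bucket are
        // refused, whatever other attached policies may allow.
        IamStatement confineToBucket = IamStatement.builder()
                .sid("NoS3OutsidePayrollBucket")
                .effect(IamEffect.DENY)
                .addAction(IamAction.create("s3:*"))
                .addNotResource(IamResource.create(BUCKET_ARN))
                .addNotResource(IamResource.create(OBJECTS_ARN))
                .build();
        return IamPolicy.builder()
                .version("2012-10-17")
                .addStatement(readOnlyOnBucket)
                .addStatement(confineToBucket)
                .build();
    }

    public static void main(String[] args) {
        System.out.println("Bucket policy:\n" + bucketPolicy().toJson());
        System.out.println("Identity policy:\n" + identityPolicy().toJson());
    }
}
```

The design point is that every negated element sits in a Deny statement, so each one can only narrow access. Because an explicit Deny wins over any Allow in the evaluation logic, these statements hold even when a broader policy is later attached to the same principal or resource.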