与 Amazon SDK或CreatePolicy一起使用 CLI - Amazon Organizations
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

与 Amazon SDK或CreatePolicy一起使用 CLI

以下代码示例演示如何使用 CreatePolicy

.NET
Amazon SDK for .NET
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 Amazon 代码示例存储库中进行设置和运行。

using System; using System.Threading.Tasks; using Amazon.Organizations; using Amazon.Organizations.Model; /// <summary> /// Creates a new AWS Organizations Policy. /// </summary> public class CreatePolicy { /// <summary> /// Initializes the AWS Organizations client object, uses it to /// create a new Organizations Policy, and then displays information /// about the newly created Policy. /// </summary> public static async Task Main() { IAmazonOrganizations client = new AmazonOrganizationsClient(); var policyContent = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\" : [{" + " \"Action\" : [\"s3:*\"]," + " \"Effect\" : \"Allow\"," + " \"Resource\" : \"*\"" + "}]" + "}"; try { var response = await client.CreatePolicyAsync(new CreatePolicyRequest { Content = policyContent, Description = "Enables admins of attached accounts to delegate all Amazon S3 permissions", Name = "AllowAllS3Actions", Type = "SERVICE_CONTROL_POLICY", }); Policy policy = response.Policy; Console.WriteLine($"{policy.PolicySummary.Name} has the following content: {policy.Content}"); } catch (Exception ex) { Console.WriteLine(ex.Message); } } }
  • 有关API详细信息,请参阅 “Amazon SDK for .NET API参考 CreatePolicy” 中的。

CLI
Amazon CLI

示例 1:使用策略的文本源文件创建JSON策略

以下示例说明如何创建名为的服务控制策略 (SCP) AllowAllS3Actions。策略内容取自本地计算机上名为 policy.json 的文件。

aws organizations create-policy --content file://policy.json --name AllowAllS3Actions, --type SERVICE_CONTROL_POLICY --description "Allows delegation of all S3 actions"

输出包括一个策略对象,其中包含有关新策略的详细信息:

{ "Policy": { "Content": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"*\"]}]}", "PolicySummary": { "Arn": "arn:aws:organizations::o-exampleorgid:policy/service_control_policy/p-examplepolicyid111", "Description": "Allows delegation of all S3 actions", "Name": "AllowAllS3Actions", "Type":"SERVICE_CONTROL_POLICY" } } }

示例 2:创建以JSON策略为参数的策略

以下示例向您展示了如何创建相同的策略SCP,这次是将策略内容作为JSON字符串嵌入到参数中。字符串必须在双引号前使用反斜杠进行转义,以确保在参数中将其视为文本,参数本身用双引号引起来:

aws organizations create-policy --content "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":[\"*\"]}]}" --name AllowAllS3Actions --type SERVICE_CONTROL_POLICY --description "Allows delegation of all S3 actions"

有关在组织中创建和使用策略的更多信息,请参阅《Amazon Organizations 用户指南》中的“管理组织策略”。

  • 有关API详细信息,请参阅Amazon CLI 命令参考CreatePolicy中的。

Python
SDK适用于 Python (Boto3)
注意

还有更多相关信息 GitHub。查找完整示例,学习如何在 Amazon 代码示例存储库中进行设置和运行。

def create_policy(name, description, content, policy_type, orgs_client): """ Creates a policy. :param name: The name of the policy. :param description: The description of the policy. :param content: The policy content as a dict. This is converted to JSON before it is sent to AWS. The specific format depends on the policy type. :param policy_type: The type of the policy. :param orgs_client: The Boto3 Organizations client. :return: The newly created policy. """ try: response = orgs_client.create_policy( Name=name, Description=description, Content=json.dumps(content), Type=policy_type, ) policy = response["Policy"] logger.info("Created policy %s.", name) except ClientError: logger.exception("Couldn't create policy %s.", name) raise else: return policy
  • 有关API详细信息,请参阅CreatePolicy中的 Amazon SDKPython (Boto3) API 参考。

有关 Amazon SDK开发者指南和代码示例的完整列表,请参阅使用 Amazon Organizations 用一个 Amazon SDK。本主题还包括有关入门的信息以及有关先前SDK版本的详细信息。