本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用 IAM 策略
创建策略
要创建新策略,请在方法中提供策略名称和 JSON 格式CreatePolicyRequestcreatePolicy策略文档。
导入
import software.amazon.awssdk.core.waiters.WaiterResponse; import software.amazon.awssdk.services.iam.model.CreatePolicyRequest; import software.amazon.awssdk.services.iam.model.CreatePolicyResponse; import software.amazon.awssdk.services.iam.model.GetPolicyRequest; import software.amazon.awssdk.services.iam.model.GetPolicyResponse; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.waiters.IamWaiter;
代码
public static String createIAMPolicy(IamClient iam, String policyName ) { try { // Create an IamWaiter object IamWaiter iamWaiter = iam.waiter(); CreatePolicyRequest request = CreatePolicyRequest.builder() .policyName(policyName) .policyDocument(PolicyDocument).build(); CreatePolicyResponse response = iam.createPolicy(request); // Wait until the policy is created GetPolicyRequest polRequest = GetPolicyRequest.builder() .policyArn(response.policy().arn()) .build(); WaiterResponse<GetPolicyResponse> waitUntilPolicyExists = iamWaiter.waitUntilPolicyExists(polRequest); waitUntilPolicyExists.matched().response().ifPresent(System.out::println); return response.policy().arn(); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return "" ; }
请参阅上的完整示例
获取策略
要检索现有策略,请调用 IamClient's getPolicy 方法,在对象中提供策略的 ARN。GetPolicyRequest
导入
import software.amazon.awssdk.services.iam.model.GetPolicyRequest; import software.amazon.awssdk.services.iam.model.GetPolicyResponse; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException;
代码
public static void getIAMPolicy(IamClient iam, String policyArn) { try { GetPolicyRequest request = GetPolicyRequest.builder() .policyArn(policyArn).build(); GetPolicyResponse response = iam.getPolicy(request); System.out.format("Successfully retrieved policy %s", response.policy().policyName()); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } }
请参阅上的完整示例
附加角色策略
您可以通过调用 IamClient's attachRolePolicy 方法将策略附加到IAM角色,并在中为其提供角色名称和策略 ARN。AttachRolePolicyRequest
导入
import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest; import software.amazon.awssdk.services.iam.model.AttachedPolicy; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse; import java.util.List;
代码
public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn ) { try { ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder() .roleName(roleName) .build(); ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request); List<AttachedPolicy> attachedPolicies = response.attachedPolicies(); // Ensure that the policy is not attached to this role String polArn = ""; for (AttachedPolicy policy: attachedPolicies) { polArn = policy.policyArn(); if (polArn.compareTo(policyArn)==0) { System.out.println(roleName + " policy is already attached to this role."); return; } } AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder() .roleName(roleName) .policyArn(policyArn) .build(); iam.attachRolePolicy(attachRequest); System.out.println("Successfully attached policy " + policyArn + " to role " + roleName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } System.out.println("Done"); }
请参阅上的完整示例
列出附加的角色策略
通过调用's listAttachedRolePolicies 方法列出角色 IamClient的附加策略。它需要一个包含角色名称的ListAttachedRolePoliciesRequest
调用返回getAttachedPolicies的ListAttachedRolePoliciesResponseListAttachedRolePoliciesResponse 对象的 isTruncated 方法返回了 true,请调用 ListAttachedRolePoliciesResponse 对象的 marker 方法。使用返回的标记创建新请求并使用该请求再次调用 listAttachedRolePolicies 以获取下一批结果。
导入
import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException; import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest; import software.amazon.awssdk.services.iam.model.AttachedPolicy; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest; import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse; import java.util.List;
代码
public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn ) { try { ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder() .roleName(roleName) .build(); ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request); List<AttachedPolicy> attachedPolicies = response.attachedPolicies(); // Ensure that the policy is not attached to this role String polArn = ""; for (AttachedPolicy policy: attachedPolicies) { polArn = policy.policyArn(); if (polArn.compareTo(policyArn)==0) { System.out.println(roleName + " policy is already attached to this role."); return; } } AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder() .roleName(roleName) .policyArn(policyArn) .build(); iam.attachRolePolicy(attachRequest); System.out.println("Successfully attached policy " + policyArn + " to role " + roleName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } System.out.println("Done"); }
请参阅上的完整示例
分离角色策略
要将策略与角色分离,请调用 IamClient's detachRolePolicy 方法,在中为其提供角色名称和策略 ARN。DetachRolePolicyRequest
导入
import software.amazon.awssdk.services.iam.model.DetachRolePolicyRequest; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.iam.IamClient; import software.amazon.awssdk.services.iam.model.IamException;
代码
public static void detachPolicy(IamClient iam, String roleName, String policyArn ) { try { DetachRolePolicyRequest request = DetachRolePolicyRequest.builder() .roleName(roleName) .policyArn(policyArn) .build(); iam.detachRolePolicy(request); System.out.println("Successfully detached policy " + policyArn + " from role " + roleName); } catch (IamException e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } }
请参阅上的完整示例
更多信息
-
《IAM 用户指南》中的 IAM 策略概述。
-
《IAM 用户指南》中的 Amazon IAM policy 参考。
-
CreatePolicy在 IAM API 参考中
-
GetPolicy在 IAM API 参考中
-
AttachRolePolicy在 IAM API 参考中
-
ListAttachedRolePolicies在 IAM API 参考中
-
DetachRolePolicy在 IAM API 参考中