Interface IamPolicy

All Superinterfaces:
ToCopyableBuilder<IamPolicy.Builder,IamPolicy>
All Known Implementing Classes:
DefaultIamPolicy

An AWS access control policy is an object that acts as a container for one or more statements, which specify fine-grained rules for allowing or denying various types of actions from being performed on your AWS resources.

By default, all requests to use your resource coming from anyone but you are denied. Access control policies can override that by allowing different types of access to your resources, or by explicitly denying different types of access.

Each statement in an AWS access control policy takes the form: "A has permission to do B to C where D applies".

  • A is the principal - the AWS account that is making a request to access or modify one of your AWS resources.
  • B is the action - the way in which your AWS resource is being accessed or modified, such as sending a message to an Amazon SQS queue, or storing an object in an Amazon S3 bucket.
  • C is the resource - your AWS entity that the principal wants to access, such as an Amazon SQS queue, or an object stored in Amazon S3.
  • D is the set of conditions - optional constraints that specify when to allow or deny access for the principal to access your resource. Many expressive conditions are available, some specific to each service. For example you can use date conditions to allow access to your resources only after or before a specific time.

For more information, see the IAM User Guide.

Usage Examples

Create a new IAM identity policy that allows a role to write items to an Amazon DynamoDB table.
// IamClient requires a dependency on software.amazon.awssdk:iam
try (IamClient iam = IamClient.builder().region(Region.AWS_GLOBAL).build()) {
    IamPolicy policy =
        IamPolicy.builder()
                 .addStatement(IamStatement.builder()
                                           .effect(IamEffect.ALLOW)
                                           .addAction("dynamodb:PutItem")
                                           .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                                           .build())
                 .build();
    iam.createPolicy(r -> r.policyName("AllowWriteBookMetadata")
                           .policyDocument(policy.toJson()));
}

Download the policy uploaded in the previous example and create a new policy with "read" access added to it.

// IamClient requires a dependency on software.amazon.awssdk:iam
try (IamClient iam = IamClient.builder().region(Region.AWS_GLOBAL).build()) {
    String policyArn = "arn:aws:iam::123456789012:policy/AllowWriteBookMetadata";
    GetPolicyResponse getPolicyResponse = iam.getPolicy(r -> r.policyArn(policyArn));

    String policyVersion = getPolicyResponse.defaultVersionId();
    GetPolicyVersionResponse getPolicyVersionResponse =
        iam.getPolicyVersion(r -> r.policyArn(policyArn).versionId(policyVersion));

    String decodedPolicy = URLDecoder.decode(getPolicyVersionResponse.policyVersion().document(), StandardCharsets.UTF_8);
    IamPolicy policy = IamPolicy.fromJson(decodedPolicy);

    IamStatement newStatement = policy.statements().get(0).copy(s -> s.addAction("dynamodb:GetItem"));
    IamPolicy newPolicy = policy.copy(p -> p.statements(Arrays.asList(newStatement)));

    iam.createPolicy(r -> r.policyName("AllowReadWriteBookMetadata")
                           .policyDocument(newPolicy.toJson()));
}
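As an added example (not part of the SDK's own documentation), the following combines the statement model described above with the fromJson, copy and toJson calls from the usage examples: a least-privilege lint that flags Allow statements using wildcard actions or resources, and rebuilds each one scoped to explicit actions, a single table ARN and a TLS-only condition. It assumes the policybuilder module's IamConditionOperator.BOOL and IamConditionKey.AWS_SECURE_TRANSPORT constants and the addCondition(operator, key, value) overload; the policy JSON and ARNs are constructed sample values.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import software.amazon.awssdk.policybuilder.iam.IamAction;
import software.amazon.awssdk.policybuilder.iam.IamConditionKey;
import software.amazon.awssdk.policybuilder.iam.IamConditionOperator;
import software.amazon.awssdk.policybuilder.iam.IamEffect;
import software.amazon.awssdk.policybuilder.iam.IamPolicy;
import software.amazon.awssdk.policybuilder.iam.IamResource;
import software.amazon.awssdk.policybuilder.iam.IamStatement;

public class PolicyWildcardCheck {
    // Constructed sample: a single Allow statement granting every DynamoDB action on every resource.
    static final String BROAD_POLICY_JSON = "{\"Version\":\"2012-10-17\",\"Statement\":[{"
        + "\"Sid\":\"BookTableAccess\",\"Effect\":\"Allow\","
        + "\"Action\":\"dynamodb:*\",\"Resource\":\"*\"}]}";

    // An Allow is over-broad when any action or resource ends in '*'; a wildcard Deny is a guardrail, so skip it.
    static boolean isWildcardAllow(IamStatement s) {
        if (!IamEffect.ALLOW.equals(s.effect())) {
            return false;
        }
        boolean wildAction = s.actions().stream().map(IamAction::value).anyMatch(a -> a.endsWith("*"));
        boolean wildResource = s.resources().stream().map(IamResource::value).anyMatch(r -> r.endsWith("*"));
        return wildAction || wildResource;
    }

    // Rebuilds each over-broad Allow with explicit actions, one table ARN and an aws:SecureTransport
    // (TLS-only) condition (assumed constants); statements that were already scoped are copied through unchanged.
    static IamPolicy tighten(IamPolicy policy, List<String> allowedActions, String tableArn) {
        List<IamStatement> fixed = new ArrayList<>();
        for (IamStatement s : policy.statements()) {
            if (!isWildcardAllow(s)) { fixed.add(s); continue; }
            IamStatement.Builder b = IamStatement.builder().sid(s.sid()).effect(IamEffect.ALLOW);
            allowedActions.forEach(a -> b.addAction(a));
            b.addResource(tableArn);
            b.addCondition(IamConditionOperator.BOOL, IamConditionKey.AWS_SECURE_TRANSPORT, "true");
            fixed.add(b.build());
        }
        return policy.copy(p -> p.statements(fixed));
    }

    public static void main(String[] args) {
        IamPolicy broad = IamPolicy.fromJson(BROAD_POLICY_JSON);
        IamPolicy scoped = tighten(broad, Arrays.asList("dynamodb:GetItem", "dynamodb:PutItem"),
                                   "arn:aws:dynamodb:us-east-2:123456789012:table/books");
        System.out.println(scoped.toJson());
    }
}
```

The same lint can be run against a policy downloaded with getPolicyVersion as in the second usage example, before the tightened copy is uploaded with createPolicy.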
Method Details

    • fromJson

      static IamPolicy fromJson(String json)
      Create an IamPolicy from an IAM policy in JSON form.

      This will raise an exception if the provided JSON is invalid or does not appear to represent a valid policy document.

      This is equivalent to IamPolicyReader.create().read(json).

    • create

      static IamPolicy create(Collection<IamStatement> statements)
      Create an IamPolicy containing the provided statements.

      At least one statement is required.

      This is equivalent to IamPolicy.builder().statements(statements).build()

    • builder

      static IamPolicy.Builder builder()
      Create an IamPolicy.Builder for an IamPolicy.

    • id

      String id()
      Retrieve the value set by IamPolicy.Builder.id(String).

    • version

      String version()
      Retrieve the value set by IamPolicy.Builder.version(String).

    • statements

      List<IamStatement> statements()
      Retrieve the value set by IamPolicy.Builder.statements(Collection).

    • toJson

      String toJson()
      Convert this policy to the JSON format that is accepted by AWS services.

      This is equivalent to IamPolicyWriter.create().writeToString(policy).

      IamPolicy policy =
          IamPolicy.builder()
                   .addStatement(IamStatement.builder()
                                             .effect(IamEffect.ALLOW)
                                             .addAction("dynamodb:PutItem")
                                             .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                                             .build())
                   .build();
      System.out.println("Policy:\n" + policy.toJson());

    • toJson

      String toJson(IamPolicyWriter writer)
      Convert this policy to the JSON format that is accepted by AWS services, using the provided writer.

      This is equivalent to writer.writeToString(policy).

      IamPolicyWriter prettyWriter =
          IamPolicyWriter.builder()
                         .prettyPrint(true)
                         .build();
      IamPolicy policy =
          IamPolicy.builder()
                   .addStatement(IamStatement.builder()
                                             .effect(IamEffect.ALLOW)
                                             .addAction("dynamodb:PutItem")
                                             .addResource("arn:aws:dynamodb:us-east-2:123456789012:table/books")
                                             .build())
                   .build();
      System.out.println("Policy:\n" + policy.toJson(prettyWriter));