使用 IAM 策略 - Amazon SDK for Java 1.x
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

我们宣布了即将推出 end-of-support 的 Amazon SDK for Java (v1)。建议您迁移到 Amazon SDK for Java v2。有关日期、其他详细信息以及如何迁移的信息,请参阅链接的公告。

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用 IAM 策略

创建策略

要创建新策略,请在 CreatePolicyRequest 中向 AmazonIdentityManagementClient 的 createPolicy 方法提供策略名称和 JSON 格式的策略文档。

导入

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.CreatePolicyRequest; import com.amazonaws.services.identitymanagement.model.CreatePolicyResult;

代码

final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); CreatePolicyRequest request = new CreatePolicyRequest() .withPolicyName(policy_name) .withPolicyDocument(POLICY_DOCUMENT); CreatePolicyResult response = iam.createPolicy(request);

IAM policy 文档是使用明确语法的 JSON 字符串。下面的示例中提供了向 DynamoDB 发出特定请求的访问权。

public static final String POLICY_DOCUMENT = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [" + " {" + " \"Effect\": \"Allow\"," + " \"Action\": \"logs:CreateLogGroup\"," + " \"Resource\": \"%s\"" + " }," + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"dynamodb:DeleteItem\"," + " \"dynamodb:GetItem\"," + " \"dynamodb:PutItem\"," + " \"dynamodb:Scan\"," + " \"dynamodb:UpdateItem\"" + " ]," + " \"Resource\": \"RESOURCE_ARN\"" + " }" + " ]" + "}";

请参阅 GitHub 上的完整示例

获取策略

要检索现有策略,请调用 AmazonIdentityManagementClient 的 getPolicy 方法,并在 GetPolicyRequest 对象中提供策略的 ARN。

导入

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.GetPolicyRequest; import com.amazonaws.services.identitymanagement.model.GetPolicyResult;

代码

final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); GetPolicyRequest request = new GetPolicyRequest() .withPolicyArn(policy_arn); GetPolicyResult response = iam.getPolicy(request);

请参阅 GitHub 上的完整示例

附加角色策略

您可以通过调用 AmazonIdentityManagementClient 的 attachRolePolicy 方法,在 AttachRolePolicyRequest 中向其提供角色名称和策略 ARN 来将策略附加到 IAM 角色 (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)。

导入

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.AttachRolePolicyRequest; import com.amazonaws.services.identitymanagement.model.AttachedPolicy;

代码

final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); AttachRolePolicyRequest attach_request = new AttachRolePolicyRequest() .withRoleName(role_name) .withPolicyArn(POLICY_ARN); iam.attachRolePolicy(attach_request);

请参阅 GitHub 上的完整示例

列出附加的角色策略

通过调用 AmazonIdentityManagementClient 的 listAttachedRolePolicies 方法列出角色中附加的策略。这需要 ListAttachedRolePoliciesRequest 对象,它包含要列出策略的角色名称。

在返回的 ListAttachedRolePoliciesResult 对象中调用 getAttachedPolicies 来获取所附加策略的列表。如果 ListAttachedRolePoliciesResult 对象的 getIsTruncated 方法返回 true,调用 ListAttachedRolePoliciesRequest 对象的 setMarker 方法并使用其再次调用 listAttachedRolePolicies 来获取下一批结果,则结果可能被截断。

导入

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesRequest; import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesResult; import java.util.ArrayList; import java.util.List; import java.util.stream.Collectors;

代码

final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); ListAttachedRolePoliciesRequest request = new ListAttachedRolePoliciesRequest() .withRoleName(role_name); List<AttachedPolicy> matching_policies = new ArrayList<>(); boolean done = false; while(!done) { ListAttachedRolePoliciesResult response = iam.listAttachedRolePolicies(request); matching_policies.addAll( response.getAttachedPolicies() .stream() .filter(p -> p.getPolicyName().equals(role_name)) .collect(Collectors.toList())); if(!response.getIsTruncated()) { done = true; } request.setMarker(response.getMarker()); }

请参阅 GitHub 上的完整示例

分离角色策略

要从角色分离策略,请调用 AmazonIdentityManagementClient 的 detachRolePolicy 方法,并在 DetachRolePolicyRequest 中为其提供角色名称和策略 ARN。

导入

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.DetachRolePolicyRequest; import com.amazonaws.services.identitymanagement.model.DetachRolePolicyResult;

代码

final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); DetachRolePolicyRequest request = new DetachRolePolicyRequest() .withRoleName(role_name) .withPolicyArn(policy_arn); DetachRolePolicyResult response = iam.detachRolePolicy(request);

请参阅 GitHub 上的完整示例

更多信息