使用 IAM 策略 - 适用于 Java 的 AWS 开发工具包
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用 IAM 策略

创建策略

要创建新策略,请在 CreatePolicyRequest 中向 的 AmazonIdentityManagementClient 方法提供策略名称和 JSON 格式的策略文档。createPolicy

导入

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.CreatePolicyRequest; import com.amazonaws.services.identitymanagement.model.CreatePolicyResult;

代码

final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); CreatePolicyRequest request = new CreatePolicyRequest() .withPolicyName(policy_name) .withPolicyDocument(POLICY_DOCUMENT); CreatePolicyResult response = iam.createPolicy(request);

IAM 策略文档是使用明确语法的 JSON 字符串。下面的示例中提供了向 DynamoDB 发出特定请求的访问权。

public static final String POLICY_DOCUMENT = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [" + " {" + " \"Effect\": \"Allow\"," + " \"Action\": \"logs:CreateLogGroup\"," + " \"Resource\": \"%s\"" + " }," + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"dynamodb:DeleteItem\"," + " \"dynamodb:GetItem\"," + " \"dynamodb:PutItem\"," + " \"dynamodb:Scan\"," + " \"dynamodb:UpdateItem\"" + " ]," + " \"Resource\": \"RESOURCE_ARN\"" + " }" + " ]" + "}";

请参阅 上的完整示例GitHub。

获取策略

要检索现有策略,请调用 AmazonIdentityManagementClient 的 getPolicy 方法,并在 GetPolicyRequest 对象中提供策略的 ARN。

导入

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.GetPolicyRequest; import com.amazonaws.services.identitymanagement.model.GetPolicyResult;

代码

final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); GetPolicyRequest request = new GetPolicyRequest() .withPolicyArn(policy_arn); GetPolicyResult response = iam.getPolicy(request);

请参阅 上的完整示例GitHub。

附加角色策略

您可以将策略附加到IAM角色,方式是调用 的 AmazonIdentityManagementClient 方法,并在 attachRolePolicy 中为其提供角色名称和策略 ARN。AttachRolePolicyRequest

导入

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.AttachRolePolicyRequest; import com.amazonaws.services.identitymanagement.model.AttachedPolicy;

代码

final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); AttachRolePolicyRequest attach_request = new AttachRolePolicyRequest() .withRoleName(role_name) .withPolicyArn(POLICY_ARN); iam.attachRolePolicy(attach_request);

请参阅 上的完整示例GitHub。

列出附加的角色策略

通过调用 AmazonIdentityManagementClient 的 listAttachedRolePolicies 方法列出角色中附加的策略。这获取一个 ListAttachedRolePoliciesRequest 对象,其中包含要列出其策略的角色名称。

对返回的 getAttachedPoliciesListAttachedRolePoliciesResult 对象调用 以获取附加的策略的列表。如果 ListAttachedRolePoliciesResult 对象的 getIsTruncated 方法返回 true,调用 ListAttachedRolePoliciesRequest 对象的 setMarker 方法并使用其再次调用 listAttachedRolePolicies 来获取下一批结果,则结果可能被截断。

导入

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesRequest; import com.amazonaws.services.identitymanagement.model.ListAttachedRolePoliciesResult; import java.util.ArrayList; import java.util.List; import java.util.stream.Collectors;

代码

final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); ListAttachedRolePoliciesRequest request = new ListAttachedRolePoliciesRequest() .withRoleName(role_name); List<AttachedPolicy> matching_policies = new ArrayList<>(); boolean done = false; while(!done) { ListAttachedRolePoliciesResult response = iam.listAttachedRolePolicies(request); matching_policies.addAll( response.getAttachedPolicies() .stream() .filter(p -> p.getPolicyName().equals(role_name)) .collect(Collectors.toList())); if(!response.getIsTruncated()) { done = true; } request.setMarker(response.getMarker()); }

请参阅 上的完整示例GitHub。

分离角色策略

要从角色分离策略,请调用 AmazonIdentityManagementClient 的 detachRolePolicy 方法,并在 DetachRolePolicyRequest 中为其提供角色名称和策略 ARN。

导入

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; import com.amazonaws.services.identitymanagement.model.DetachRolePolicyRequest; import com.amazonaws.services.identitymanagement.model.DetachRolePolicyResult;

代码

final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); DetachRolePolicyRequest request = new DetachRolePolicyRequest() .withRoleName(role_name) .withPolicyArn(policy_arn); DetachRolePolicyResult response = iam.detachRolePolicy(request);

请参阅 上的完整示例GitHub。

更多信息