AWS SDK for Java
Developer Guide
AWS services or features described in the AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

Working with IAM policies

Create a policy

To create a new policy, provide the policy's name and a JSON-formatted policy document in a CreatePolicyRequest to the IamClient's createPolicy method.

Imports

import software.amazon.awssdk.services.iam.model.CreatePolicyRequest;
import software.amazon.awssdk.services.iam.model.CreatePolicyResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

CreatePolicyRequest request = CreatePolicyRequest.builder()
    .policyName(policy_name)
    .policyDocument(POLICY_DOCUMENT).build();

CreatePolicyResponse response = iam.createPolicy(request);

System.out.println("Successfully created policy: " +
    response.policy().policyName());

An IAM policy document is a JSON string with a well-defined syntax. The example below grants permission to create a CloudWatch Logs log group and to make specific requests against a DynamoDB table. Both Resource values are placeholders: %s is filled in at run time (for example with String.format) and RESOURCE_ARN must be replaced with the ARN of the table the policy should cover. Keep Resource scoped to named resources; a "*" there would extend the DynamoDB permissions to every table the account can reach.

public static final String POLICY_DOCUMENT =
    "{" +
    "  \"Version\": \"2012-10-17\"," +
    "  \"Statement\": [" +
    "    {" +
    "        \"Effect\": \"Allow\"," +
    "        \"Action\": \"logs:CreateLogGroup\"," +
    "        \"Resource\": \"%s\"" +
    "    }," +
    "    {" +
    "        \"Effect\": \"Allow\"," +
    "        \"Action\": [" +
    "            \"dynamodb:DeleteItem\"," +
    "            \"dynamodb:GetItem\"," +
    "            \"dynamodb:PutItem\"," +
    "            \"dynamodb:Scan\"," +
    "            \"dynamodb:UpdateItem\"" +
    "        ]," +
    "        \"Resource\": \"RESOURCE_ARN\"" +
    "    }" +
    "  ]" +
    "}";

See the complete example on GitHub.

Get a policy

To retrieve an existing policy, call the IamClient's getPolicy method, providing the policy's ARN in a GetPolicyRequest object.

Imports

import software.amazon.awssdk.services.iam.model.GetPolicyRequest;
import software.amazon.awssdk.services.iam.model.GetPolicyResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

GetPolicyRequest request = GetPolicyRequest.builder()
    .policyArn(policy_arn).build();

GetPolicyResponse response = iam.getPolicy(request);

See the complete example on GitHub.
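getPolicy returns only the policy's metadata (ARN, default version id, attachment count); the statements themselves live in a policy version, and IAM returns that document URL-encoded. The following is an added example, not code from this guide or from the AWS sample repository, showing how to get from the ARN to a readable document and run a quick review check over it. The policy ARN is hypothetical, and the wildcard check is a deliberately simple text scan, an assumption that is adequate for small documents only.

```java
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.GetPolicyRequest;
import software.amazon.awssdk.services.iam.model.GetPolicyResponse;
import software.amazon.awssdk.services.iam.model.GetPolicyVersionRequest;
import software.amazon.awssdk.services.iam.model.GetPolicyVersionResponse;
import software.amazon.awssdk.services.iam.model.NoSuchEntityException;
import software.amazon.awssdk.services.iam.model.Policy;

import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class ReadPolicyDocument {

    /**
     * Fetches the policy metadata, then the document of its default version.
     * IAM hands the document back URL-encoded (RFC 3986), so it is decoded here.
     */
    static String fetchDefaultDocument(IamClient iam, String policyArn) {
        GetPolicyResponse meta = iam.getPolicy(
            GetPolicyRequest.builder().policyArn(policyArn).build());
        Policy policy = meta.policy();
        System.out.println(policy.policyName() + " default version " + policy.defaultVersionId()
            + ", attached to " + policy.attachmentCount() + " entities");

        GetPolicyVersionResponse version = iam.getPolicyVersion(
            GetPolicyVersionRequest.builder()
                .policyArn(policyArn)
                .versionId(policy.defaultVersionId())
                .build());
        return URLDecoder.decode(version.policyVersion().document(), StandardCharsets.UTF_8);
    }

    /** Quick review check: does any statement name "*" as its Resource? */
    static boolean grantsWildcardResource(String document) {
        // Assumption: a whitespace-stripped text match is enough for a first pass;
        // use a JSON parser when the check has to be authoritative.
        String compact = document.replaceAll("\\s", "");
        return compact.contains("\"Resource\":\"*\"")
            || compact.contains("\"Resource\":[\"*\"");
    }

    public static void main(String[] args) {
        // Hypothetical ARN; replace with your own.
        String policyArn = "arn:aws:iam::123456789012:policy/OrdersTableAccess";
        try (IamClient iam = IamClient.builder().region(Region.AWS_GLOBAL).build()) {
            String doc = fetchDefaultDocument(iam, policyArn);
            System.out.println(doc);
            if (grantsWildcardResource(doc)) {
                System.out.println("WARNING: " + policyArn + " grants a wildcard Resource");
            }
        } catch (NoSuchEntityException e) {
            System.err.println("No policy at " + policyArn + ": "
                + e.awsErrorDetails().errorMessage());
        }
    }
}
```

attachmentCount is worth printing before any change to a policy: a customer managed policy attached to many roles is a blast-radius multiplier, and a new default version takes effect for all of them at once.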

Attach a role policy

You can attach a policy to an IAM role by calling the IamClient's attachRolePolicy method, providing it with the role name and the policy ARN in an AttachRolePolicyRequest.

Imports

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest;
import software.amazon.awssdk.services.iam.model.AttachedPolicy;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

AttachRolePolicyRequest attach_request =
    AttachRolePolicyRequest.builder()
        .roleName(role_name)
        .policyArn(POLICY_ARN).build();

iam.attachRolePolicy(attach_request);

See the complete example on GitHub.

List attached role policies

List the policies attached to a role by calling the IamClient's listAttachedRolePolicies method. It takes a ListAttachedRolePoliciesRequest object that contains the name of the role whose policies you want to list.

Call attachedPolicies on the returned ListAttachedRolePoliciesResponse object to get the list of attached policies. Results may be truncated: if the ListAttachedRolePoliciesResponse object's isTruncated method returns true, call its marker method, put the returned marker on a new request, and call listAttachedRolePolicies again with that request to get the next batch of results.

Imports

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest;
import software.amazon.awssdk.services.iam.model.AttachedPolicy;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesResponse;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

List<AttachedPolicy> matching_policies = new ArrayList<>();

boolean done = false;
String new_marker = null;

while(!done) {

    ListAttachedRolePoliciesResponse response;

    if (new_marker == null) {
        ListAttachedRolePoliciesRequest request =
            ListAttachedRolePoliciesRequest.builder()
                .roleName(role_name).build();
        response = iam.listAttachedRolePolicies(request);
    } else {
        ListAttachedRolePoliciesRequest request =
            ListAttachedRolePoliciesRequest.builder()
                .roleName(role_name)
                .marker(new_marker).build();
        response = iam.listAttachedRolePolicies(request);
    }

    // Keep only the policy we intend to attach. Compare policy ARNs, which are
    // unique; comparing a policy name against the role name never matches.
    matching_policies.addAll(
        response.attachedPolicies()
            .stream()
            .filter(p -> p.policyArn().equals(POLICY_ARN))
            .collect(Collectors.toList()));

    if(!response.isTruncated()) {
        done = true;
    } else {
        new_marker = response.marker();
    }
}

if (matching_policies.size() > 0) {
    System.out.println(POLICY_ARN + " is already attached to role " + role_name + ".");
    return;
}

See the complete example on GitHub.
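The attach and list sections above belong to one workflow: enumerate what a role already carries, then attach only what is missing. The following is an added example, not code from this guide or from the AWS sample repository, covering both. It uses the SDK's listAttachedRolePoliciesPaginator, which follows isTruncated and marker internally so the manual loop above is not needed, flags AWS managed policies that are too broad for a service role, and makes the attach step idempotent. The role name, policy ARN and the watch-list of broad policies are assumptions for this example; in the China partition the managed-policy ARNs carry the aws-cn partition instead of aws.

```java
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.AttachRolePolicyRequest;
import software.amazon.awssdk.services.iam.model.AttachedPolicy;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest;
import software.amazon.awssdk.services.iam.paginators.ListAttachedRolePoliciesIterable;

import java.util.ArrayList;
import java.util.List;

public class RolePolicyAudit {

    // Constructed watch-list: AWS managed policies that grant far more than a
    // workload role should hold. Extend it to match your own baseline.
    private static final List<String> OVERLY_BROAD = List.of(
        "arn:aws:iam::aws:policy/AdministratorAccess",
        "arn:aws:iam::aws:policy/PowerUserAccess",
        "arn:aws:iam::aws:policy/IAMFullAccess");

    /** Every managed policy attached to the role; the paginator walks all pages. */
    static List<AttachedPolicy> listAttached(IamClient iam, String roleName) {
        ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder()
            .roleName(roleName)
            .build();
        ListAttachedRolePoliciesIterable pages = iam.listAttachedRolePoliciesPaginator(request);
        List<AttachedPolicy> all = new ArrayList<>();
        pages.attachedPolicies().forEach(all::add);
        return all;
    }

    /** ARNs from the watch-list that are attached to the role. */
    static List<String> findBroadPolicies(List<AttachedPolicy> attached) {
        List<String> hits = new ArrayList<>();
        for (AttachedPolicy p : attached) {
            if (OVERLY_BROAD.contains(p.policyArn())) {
                hits.add(p.policyArn());
            }
        }
        return hits;
    }

    /** Attaches the policy only if it is not already attached; returns true when a call was made. */
    static boolean attachIfMissing(IamClient iam, String roleName, String policyArn) {
        boolean present = listAttached(iam, roleName).stream()
            .anyMatch(p -> p.policyArn().equals(policyArn));
        if (present) {
            return false;
        }
        iam.attachRolePolicy(AttachRolePolicyRequest.builder()
            .roleName(roleName)
            .policyArn(policyArn)
            .build());
        return true;
    }

    public static void main(String[] args) {
        // Hypothetical names; replace with your own.
        String roleName  = "orders-service-role";
        String policyArn = "arn:aws:iam::123456789012:policy/OrdersTableAccess";

        try (IamClient iam = IamClient.builder().region(Region.AWS_GLOBAL).build()) {
            List<AttachedPolicy> attached = listAttached(iam, roleName);
            for (AttachedPolicy p : attached) {
                System.out.println(roleName + " has " + p.policyName() + " (" + p.policyArn() + ")");
            }
            for (String broad : findBroadPolicies(attached)) {
                System.out.println("WARNING: " + roleName + " carries broad managed policy " + broad);
            }
            if (attachIfMissing(iam, roleName, policyArn)) {
                System.out.println("Attached " + policyArn + " to " + roleName);
            } else {
                System.out.println(policyArn + " was already attached to " + roleName);
            }
        }
    }
}
```

Matching on policyArn rather than policyName matters because names are only unique within an account, while the ARN also pins the account and partition; a look-alike name in an AWS managed policy would otherwise pass the check. Note that this lists managed policies only; inline policies on the role are enumerated with listRolePolicies and are not covered here.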

Detach a role policy

To detach a policy from a role, call the IamClient's detachRolePolicy method, providing it with the role name and the policy ARN in a DetachRolePolicyRequest.

Imports

import software.amazon.awssdk.services.iam.model.DetachRolePolicyRequest;
import software.amazon.awssdk.services.iam.model.DetachRolePolicyResponse;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;

Code

Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder().region(region).build();

DetachRolePolicyRequest request = DetachRolePolicyRequest.builder()
    .roleName(role_name)
    .policyArn(policy_arn).build();

DetachRolePolicyResponse response = iam.detachRolePolicy(request);

See the complete example on GitHub.
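The detach call above returns an empty response on success and throws when the role, the policy or the attachment does not exist, so a revocation script should handle that case and confirm the result rather than trust the absence of an exception. The following is an added example, not code from this guide or from the AWS sample repository: it detaches the policy, catches NoSuchEntityException, and re-lists the role's attachments to verify the policy is gone. The role name and policy ARN are hypothetical.

```java
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.DetachRolePolicyRequest;
import software.amazon.awssdk.services.iam.model.ListAttachedRolePoliciesRequest;
import software.amazon.awssdk.services.iam.model.NoSuchEntityException;

public class DetachAndVerify {

    /** True if the managed policy is currently attached to the role (all pages are checked). */
    static boolean isAttached(IamClient iam, String roleName, String policyArn) {
        ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder()
            .roleName(roleName)
            .build();
        return iam.listAttachedRolePoliciesPaginator(request)
            .attachedPolicies().stream()
            .anyMatch(p -> p.policyArn().equals(policyArn));
    }

    /**
     * Detaches the policy and confirms the change by re-listing.
     * Returns true when the policy is no longer attached afterwards,
     * false when IAM reported that there was nothing to detach.
     */
    static boolean detachAndVerify(IamClient iam, String roleName, String policyArn) {
        try {
            iam.detachRolePolicy(DetachRolePolicyRequest.builder()
                .roleName(roleName)
                .policyArn(policyArn)
                .build());
        } catch (NoSuchEntityException e) {
            // Raised when the role, the policy or the attachment does not exist.
            System.err.println("Nothing to detach: " + e.awsErrorDetails().errorMessage());
            return false;
        }
        return !isAttached(iam, roleName, policyArn);
    }

    public static void main(String[] args) {
        // Hypothetical names; replace with your own.
        String roleName  = "orders-service-role";
        String policyArn = "arn:aws:iam::123456789012:policy/OrdersTableAccess";

        try (IamClient iam = IamClient.builder().region(Region.AWS_GLOBAL).build()) {
            boolean gone = detachAndVerify(iam, roleName, policyArn);
            System.out.println(policyArn
                + (gone ? " is detached from " : " is still attached to ") + roleName);
        }
    }
}
```

Detaching removes the grant for new requests; credentials already vended by the role remain valid until they expire, so for an incident response the detach is usually paired with a revocation of active sessions on the role.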

More information