This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.
IAM examples using the Amazon SDK for .NET
The following code examples show how to use IAM with the Amazon SDK for .NET.
Actions are code excerpts that show how to call individual IAM functions.
Scenarios are code examples that show how to accomplish a specific task by calling multiple IAM functions.
Each example includes a link to GitHub, where you can find instructions on how to set up and run the code in context.
Actions
The following code example shows how to attach an IAM policy to a role.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

/// <summary>
/// Attach the policy to the role so that the user can assume it.
/// </summary>
/// <param name="client">The initialized IAM client object.</param>
/// <param name="policyArn">The ARN of the policy to attach.</param>
/// <param name="roleName">The name of the role to attach the policy to.</param>
public static async Task AttachRoleAsync(
    AmazonIdentityManagementServiceClient client,
    string policyArn,
    string roleName)
{
    var request = new AttachRolePolicyRequest
    {
        PolicyArn = policyArn,
        RoleName = roleName,
    };

    var response = await client.AttachRolePolicyAsync(request);

    if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
    {
        Console.WriteLine("Successfully attached the policy to the role.");
    }
    else
    {
        Console.WriteLine("Could not attach the policy.");
    }
}
```
For API details, see AttachRolePolicy in the Amazon SDK for .NET API Reference.
The following code example shows how to create an IAM policy.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

/// <summary>
/// Create a policy to allow a user to list the buckets in an account.
/// </summary>
/// <param name="client">The initialized IAM client object.</param>
/// <param name="policyName">The name of the policy to create.</param>
/// <param name="policyDocument">The permissions policy document (JSON).</param>
/// <returns>The newly created ManagedPolicy object.</returns>
public static async Task<ManagedPolicy> CreatePolicyAsync(
    AmazonIdentityManagementServiceClient client,
    string policyName,
    string policyDocument)
{
    var request = new CreatePolicyRequest
    {
        PolicyName = policyName,
        PolicyDocument = policyDocument,
    };

    var response = await client.CreatePolicyAsync(request);
    return response.Policy;
}
```
For API details, see CreatePolicy in the Amazon SDK for .NET API Reference.
The following code example shows how to create an IAM role.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

/// <summary>
/// Create a new IAM role that a user can assume.
/// </summary>
/// <param name="client">The initialized IAM client object.</param>
/// <param name="roleName">The name of the IAM role to create.</param>
/// <param name="rolePermissions">The trust policy document (JSON) that defines
/// which principals are allowed to assume the role.</param>
/// <returns>A Role object representing the newly created role.</returns>
public static async Task<Role> CreateRoleAsync(
    AmazonIdentityManagementServiceClient client,
    string roleName,
    string rolePermissions)
{
    var request = new CreateRoleRequest
    {
        RoleName = roleName,
        AssumeRolePolicyDocument = rolePermissions,
    };

    var response = await client.CreateRoleAsync(request);
    return response.Role;
}
```
For API details, see CreateRole in the Amazon SDK for .NET API Reference.
The following code example shows how to create an IAM user.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

/// <summary>
/// Create a new IAM user.
/// </summary>
/// <param name="client">The initialized IAM client object.</param>
/// <param name="userName">A string representing the user name of the
/// new user.</param>
/// <returns>The newly created user.</returns>
public static async Task<User> CreateUserAsync(
    AmazonIdentityManagementServiceClient client,
    string userName)
{
    var request = new CreateUserRequest
    {
        UserName = userName,
    };

    var response = await client.CreateUserAsync(request);
    return response.User;
}
```
For API details, see CreateUser in the Amazon SDK for .NET API Reference.
The following code example shows how to create an IAM access key.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

/// <summary>
/// Create a new AccessKey for the user.
/// </summary>
/// <param name="client">The initialized IAM client object.</param>
/// <param name="userName">The name of the user for whom to create the key.</param>
/// <returns>A new IAM access key for the user.</returns>
public static async Task<AccessKey> CreateAccessKeyAsync(
    AmazonIdentityManagementServiceClient client,
    string userName)
{
    var request = new CreateAccessKeyRequest
    {
        UserName = userName,
    };

    var response = await client.CreateAccessKeyAsync(request);

    if (response.AccessKey is not null)
    {
        Console.WriteLine($"Successfully created Access Key for {userName}.");
    }

    // The SecretAccessKey is only returned by this call; it cannot be retrieved later.
    return response.AccessKey;
}
```
For API details, see CreateAccessKey in the Amazon SDK for .NET API Reference.
The following code example shows how to delete an IAM role policy.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

public class DeleteRolePolicy
{
    /// <summary>
    /// Initializes the IAM client object and then calls DeleteRolePolicyAsync
    /// to delete the inline policy embedded in the role.
    /// </summary>
    public static async Task Main()
    {
        var client = new AmazonIdentityManagementServiceClient();
        var response = await client.DeleteRolePolicyAsync(new DeleteRolePolicyRequest
        {
            PolicyName = "ExamplePolicy",
            RoleName = "Test-Role",
        });

        if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
        {
            Console.WriteLine("Policy successfully deleted.");
        }
        else
        {
            Console.WriteLine("Could not delete policy.");
        }
    }
}
```
For API details, see DeleteRolePolicy in the Amazon SDK for .NET API Reference.
The following code example shows how to delete an IAM user.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

/// <summary>
/// Delete the user, and other resources created for this example.
/// </summary>
/// <param name="client">The initialized client object.</param>
/// <param name="accessKeyId">The Id of the user's access key.</param>
/// <param name="userName">The user name of the user to delete.</param>
/// <param name="policyArn">The Amazon Resource Name (ARN) of the policy to delete.</param>
/// <param name="roleName">The name of the role that will be deleted.</param>
public static async Task DeleteResourcesAsync(
    AmazonIdentityManagementServiceClient client,
    string accessKeyId,
    string userName,
    string policyArn,
    string roleName)
{
    // A managed policy must be detached from the role before it or the role can be deleted.
    var detachPolicyResponse = await client.DetachRolePolicyAsync(new DetachRolePolicyRequest
    {
        PolicyArn = policyArn,
        RoleName = roleName,
    });

    var delPolicyResponse = await client.DeletePolicyAsync(new DeletePolicyRequest
    {
        PolicyArn = policyArn,
    });

    var delRoleResponse = await client.DeleteRoleAsync(new DeleteRoleRequest
    {
        RoleName = roleName,
    });

    // A user cannot be deleted while it still owns access keys.
    var delAccessKey = await client.DeleteAccessKeyAsync(new DeleteAccessKeyRequest
    {
        AccessKeyId = accessKeyId,
        UserName = userName,
    });

    var delUserResponse = await client.DeleteUserAsync(new DeleteUserRequest
    {
        UserName = userName,
    });
}
```
For API details, see DeleteUser in the Amazon SDK for .NET API Reference.
The following code example shows how to delete an IAM access key.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

/// <summary>
/// Delete the user, and other resources created for this example.
/// </summary>
/// <param name="client">The initialized client object.</param>
/// <param name="accessKeyId">The Id of the user's access key.</param>
/// <param name="userName">The user name of the user to delete.</param>
/// <param name="policyArn">The Amazon Resource Name (ARN) of the policy to delete.</param>
/// <param name="roleName">The name of the role that will be deleted.</param>
public static async Task DeleteResourcesAsync(
    AmazonIdentityManagementServiceClient client,
    string accessKeyId,
    string userName,
    string policyArn,
    string roleName)
{
    // A managed policy must be detached from the role before it or the role can be deleted.
    var detachPolicyResponse = await client.DetachRolePolicyAsync(new DetachRolePolicyRequest
    {
        PolicyArn = policyArn,
        RoleName = roleName,
    });

    var delPolicyResponse = await client.DeletePolicyAsync(new DeletePolicyRequest
    {
        PolicyArn = policyArn,
    });

    var delRoleResponse = await client.DeleteRoleAsync(new DeleteRoleRequest
    {
        RoleName = roleName,
    });

    // Deleting the access key invalidates the credential pair immediately.
    var delAccessKey = await client.DeleteAccessKeyAsync(new DeleteAccessKeyRequest
    {
        AccessKeyId = accessKeyId,
        UserName = userName,
    });

    var delUserResponse = await client.DeleteUserAsync(new DeleteUserRequest
    {
        UserName = userName,
    });
}
```
For API details, see DeleteAccessKey in the Amazon SDK for .NET API Reference.
The following code example shows how to detach an IAM policy from a role.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

/// <summary>
/// Delete the user, and other resources created for this example.
/// </summary>
/// <param name="client">The initialized client object.</param>
/// <param name="accessKeyId">The Id of the user's access key.</param>
/// <param name="userName">The user name of the user to delete.</param>
/// <param name="policyArn">The Amazon Resource Name (ARN) of the policy to delete.</param>
/// <param name="roleName">The name of the role that will be deleted.</param>
public static async Task DeleteResourcesAsync(
    AmazonIdentityManagementServiceClient client,
    string accessKeyId,
    string userName,
    string policyArn,
    string roleName)
{
    // Detach the managed policy from the role; the role loses those permissions at once.
    var detachPolicyResponse = await client.DetachRolePolicyAsync(new DetachRolePolicyRequest
    {
        PolicyArn = policyArn,
        RoleName = roleName,
    });

    var delPolicyResponse = await client.DeletePolicyAsync(new DeletePolicyRequest
    {
        PolicyArn = policyArn,
    });

    var delRoleResponse = await client.DeleteRoleAsync(new DeleteRoleRequest
    {
        RoleName = roleName,
    });

    var delAccessKey = await client.DeleteAccessKeyAsync(new DeleteAccessKeyRequest
    {
        AccessKeyId = accessKeyId,
        UserName = userName,
    });

    var delUserResponse = await client.DeleteUserAsync(new DeleteUserRequest
    {
        UserName = userName,
    });
}
```
For API details, see DetachRolePolicy in the Amazon SDK for .NET API Reference.
The following code example shows how to get an IAM policy.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

var client = new AmazonIdentityManagementServiceClient();
var request = new GetPolicyRequest
{
    PolicyArn = "POLICY_ARN",
};

var response = await client.GetPolicyAsync(request);
Console.Write($"{response.Policy.PolicyName} was created on ");
Console.WriteLine($"{response.Policy.CreateDate}");
```
For API details, see GetPolicy in the Amazon SDK for .NET API Reference.
The following code example shows how to get an IAM role.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

var client = new AmazonIdentityManagementServiceClient();

var response = await client.GetRoleAsync(new GetRoleRequest
{
    RoleName = "LambdaS3Role",
});

if (response.Role is not null)
{
    Console.WriteLine($"{response.Role.RoleName} with ARN: {response.Role.Arn}");
    Console.WriteLine($"{response.Role.Description}");
    // RoleLastUsed is an object; print its LastUsedDate rather than the object itself.
    Console.WriteLine($"Created: {response.Role.CreateDate} Last used on: {response.Role.RoleLastUsed?.LastUsedDate}");
}
```
For API details, see GetRole in the Amazon SDK for .NET API Reference.
The following code example shows how to get the IAM account password policy.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

var client = new AmazonIdentityManagementServiceClient();

try
{
    var request = new GetAccountPasswordPolicyRequest();
    var response = await client.GetAccountPasswordPolicyAsync(request);
    var policy = response.PasswordPolicy;

    // PasswordPolicy is an object; print its individual settings.
    Console.WriteLine($"Minimum length: {policy.MinimumPasswordLength}");
    Console.WriteLine($"Require symbols: {policy.RequireSymbols}, numbers: {policy.RequireNumbers}");
    Console.WriteLine($"Require uppercase: {policy.RequireUppercaseCharacters}, lowercase: {policy.RequireLowercaseCharacters}");
    Console.WriteLine($"Passwords expire: {policy.ExpirePasswords}, max age (days): {policy.MaxPasswordAge}");
    Console.WriteLine($"Reuse prevention (passwords remembered): {policy.PasswordReusePrevention}");
}
catch (NoSuchEntityException ex)
{
    // The account has no custom password policy, so the IAM default policy applies.
    Console.WriteLine($"Error: {ex.Message}");
}
```
For API details, see GetAccountPasswordPolicy in the Amazon SDK for .NET API Reference.
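Reading the password policy is only half of a check; the other half is comparing it with a baseline. The following added example (not code from the page or from the AWS SDK project) evaluates a `PasswordPolicy` against baseline values that are an assumption for this example, and treats `NoSuchEntityException` as a finding in its own right, since it means the account is still running on the IAM default policy. The evaluation is a pure function so it can be exercised offline on a constructed policy; the live call is shown separately. Bool and int properties are compared with `!= true` and `<` so the code compiles whether the SDK exposes them as nullable or not.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

public static class PasswordPolicyCheck
{
    // Baseline values are an assumption for this example; adjust to your own standard.
    private const int MinLength = 14;
    private const int MaxAgeDays = 90;
    private const int ReusePrevention = 24;

    /// <summary>
    /// Compare a PasswordPolicy against the baseline and return the settings that
    /// fall short. An empty list means the policy meets the baseline.
    /// </summary>
    public static List<string> FindGaps(PasswordPolicy policy)
    {
        var gaps = new List<string>();

        if (policy is null)
        {
            // No custom policy: the account is running on the IAM default policy.
            gaps.Add("no custom password policy is set");
            return gaps;
        }

        if (policy.MinimumPasswordLength < MinLength)
            gaps.Add($"minimum length {policy.MinimumPasswordLength} is below {MinLength}");
        if (policy.RequireUppercaseCharacters != true) gaps.Add("uppercase characters are not required");
        if (policy.RequireLowercaseCharacters != true) gaps.Add("lowercase characters are not required");
        if (policy.RequireNumbers != true) gaps.Add("numbers are not required");
        if (policy.RequireSymbols != true) gaps.Add("symbols are not required");
        if (policy.ExpirePasswords != true || policy.MaxPasswordAge > MaxAgeDays)
            gaps.Add($"passwords do not expire within {MaxAgeDays} days");
        if (policy.PasswordReusePrevention < ReusePrevention)
            gaps.Add($"reuse prevention {policy.PasswordReusePrevention} is below {ReusePrevention}");

        return gaps;
    }

    /// <summary>
    /// Fetch the account policy and evaluate it. NoSuchEntityException means no
    /// custom policy exists, which FindGaps reports as a finding.
    /// </summary>
    public static async Task<List<string>> CheckAccountAsync(IAmazonIdentityManagementService client)
    {
        try
        {
            var response = await client.GetAccountPasswordPolicyAsync(new GetAccountPasswordPolicyRequest());
            return FindGaps(response.PasswordPolicy);
        }
        catch (NoSuchEntityException)
        {
            return FindGaps(null);
        }
    }

    public static async Task Main()
    {
        // Constructed sample policy, evaluated offline without calling IAM.
        var sample = new PasswordPolicy
        {
            MinimumPasswordLength = 8,
            RequireUppercaseCharacters = true,
            RequireLowercaseCharacters = true,
            RequireNumbers = true,
            RequireSymbols = false,
            ExpirePasswords = true,
            MaxPasswordAge = 365,
            PasswordReusePrevention = 5,
        };

        foreach (var gap in FindGaps(sample))
        {
            Console.WriteLine($"Finding: {gap}");
        }

        // Live check against the account (uses the default credential chain):
        // var gaps = await CheckAccountAsync(new AmazonIdentityManagementServiceClient());
        await Task.CompletedTask;
    }
}
```

Keeping `FindGaps` separate from the API call is what makes the rule set unit-testable; the same function can be run against the response of `GetAccountPasswordPolicyAsync` in a scheduled job to detect drift from the baseline.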
The following code example shows how to list the SAML providers for IAM.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

var client = new AmazonIdentityManagementServiceClient();

var response = await client.ListSAMLProvidersAsync(new ListSAMLProvidersRequest());

response.SAMLProviderList.ForEach(samlProvider =>
{
    Console.WriteLine($"{samlProvider.Arn} created on: {samlProvider.CreateDate}");
});
```
For API details, see ListSAMLProviders in the Amazon SDK for .NET API Reference.
The following code example shows how to list IAM groups.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

var client = new AmazonIdentityManagementServiceClient();

var request = new ListGroupsRequest
{
    MaxItems = 10,
};

var response = new ListGroupsResponse();

// Fetch each page inside the loop so that the last page is also printed
// before the IsTruncated check ends the loop.
do
{
    response = await client.ListGroupsAsync(request);

    response.Groups.ForEach(group =>
    {
        Console.WriteLine($"{group.GroupName} created on: {group.CreateDate}");
    });

    if (response.IsTruncated)
    {
        request.Marker = response.Marker;
    }
} while (response.IsTruncated);
```
For API details, see ListGroups in the Amazon SDK for .NET API Reference.
The following code example shows how to list the inline policies for an IAM role.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

var client = new AmazonIdentityManagementServiceClient();

var request = new ListRolePoliciesRequest
{
    RoleName = "LambdaS3Role",
};

var response = new ListRolePoliciesResponse();

do
{
    response = await client.ListRolePoliciesAsync(request);

    if (response.PolicyNames.Count > 0)
    {
        response.PolicyNames.ForEach(policyName =>
        {
            Console.WriteLine($"{policyName}");
        });
    }

    // As long as response.IsTruncated is true, set request.Marker equal
    // to response.Marker and call ListRolePoliciesAsync again.
    if (response.IsTruncated)
    {
        request.Marker = response.Marker;
    }
} while (response.IsTruncated);
```
For API details, see ListRolePolicies in the Amazon SDK for .NET API Reference.
The following code example shows how to list IAM policies.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

var client = new AmazonIdentityManagementServiceClient();

var request = new ListPoliciesRequest
{
    MaxItems = 10,
};

var response = new ListPoliciesResponse();

do
{
    response = await client.ListPoliciesAsync(request);

    response.Policies.ForEach(policy =>
    {
        Console.Write($"{policy.PolicyName} ");
        Console.Write($"with ID: {policy.PolicyId} ");
        Console.Write($"and ARN: {policy.Arn}. ");
        Console.WriteLine($"It was created on {policy.CreateDate}.");
    });

    if (response.IsTruncated)
    {
        request.Marker = response.Marker;
    }
} while (response.IsTruncated);
```
For API details, see ListPolicies in the Amazon SDK for .NET API Reference.
The following code example shows how to list the policies attached to an IAM role.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

var client = new AmazonIdentityManagementServiceClient();

var request = new ListAttachedRolePoliciesRequest
{
    MaxItems = 10,
    RoleName = "testAssumeRole",
};

var response = new ListAttachedRolePoliciesResponse();

// Fetch each page inside the loop so that the last page is also printed
// before the IsTruncated check ends the loop.
do
{
    response = await client.ListAttachedRolePoliciesAsync(request);

    response.AttachedPolicies.ForEach(policy =>
    {
        Console.WriteLine($"{policy.PolicyName} with ARN: {policy.PolicyArn}");
    });

    if (response.IsTruncated)
    {
        request.Marker = response.Marker;
    }
} while (response.IsTruncated);
```
For API details, see ListAttachedRolePolicies in the Amazon SDK for .NET API Reference.
The following code example shows how to list IAM roles.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

var client = new AmazonIdentityManagementServiceClient();

// Without the MaxItems value, the ListRolesAsync method will
// return information for up to 100 roles. If there are more
// than the MaxItems value or more than 100 roles, the response
// value IsTruncated will be true.
var request = new ListRolesRequest
{
    MaxItems = 10,
};

var response = new ListRolesResponse();

do
{
    response = await client.ListRolesAsync(request);

    response.Roles.ForEach(role =>
    {
        Console.WriteLine($"{role.RoleName} - ARN {role.Arn}");
    });

    // As long as response.IsTruncated is true, set request.Marker equal
    // to response.Marker and call ListRolesAsync again.
    if (response.IsTruncated)
    {
        request.Marker = response.Marker;
    }
} while (response.IsTruncated);
```
For API details, see ListRoles in the Amazon SDK for .NET API Reference.
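A common reason to page through every role is to find roles that nobody has assumed for a long time, which are candidates for removal under least privilege. The following added example (not code from the page or from the AWS SDK project) combines the Marker loop above with `GetRole`, because `ListRoles` does not populate `RoleLastUsed`; that field is only returned by `GetRole`. The staleness rule is a pure function and is exercised offline on constructed `Role` objects; the idle threshold of 90 days and the sample role names are assumptions for this example. `IsTruncated` is compared with `== true` so the loop compiles whether the SDK exposes it as `bool` or `bool?`.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

public static class StaleRoleReport
{
    /// <summary>
    /// Decide whether a role counts as stale: never used, or last used more than
    /// maxIdleDays before 'now'. Pure function so it can be checked offline.
    /// </summary>
    public static bool IsStale(Role role, DateTime now, int maxIdleDays)
    {
        DateTime? lastUsed = role.RoleLastUsed?.LastUsedDate;

        if (lastUsed is null || lastUsed.Value == DateTime.MinValue)
        {
            // No last-used record: treat the role as never used.
            return true;
        }

        return (now - lastUsed.Value).TotalDays > maxIdleDays;
    }

    /// <summary>
    /// Page through all roles with the Marker pattern, then call GetRole for each
    /// one, because ListRoles does not return RoleLastUsed. Returns stale role names.
    /// </summary>
    public static async Task<List<string>> FindStaleRolesAsync(
        IAmazonIdentityManagementService client, int maxIdleDays)
    {
        var stale = new List<string>();
        var request = new ListRolesRequest { MaxItems = 100 };
        ListRolesResponse response;

        do
        {
            response = await client.ListRolesAsync(request);

            foreach (var summary in response.Roles)
            {
                var detail = await client.GetRoleAsync(new GetRoleRequest { RoleName = summary.RoleName });
                if (IsStale(detail.Role, DateTime.UtcNow, maxIdleDays))
                {
                    stale.Add(summary.RoleName);
                }
            }

            // Each page is processed before the loop condition runs, so the
            // final (non-truncated) page is never skipped.
            request.Marker = response.Marker;
        } while (response.IsTruncated == true);

        return stale;
    }

    public static async Task Main()
    {
        // Constructed sample roles, evaluated offline without calling IAM.
        var now = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        var roles = new[]
        {
            new Role { RoleName = "active-role", RoleLastUsed = new RoleLastUsed { LastUsedDate = now.AddDays(-3) } },
            new Role { RoleName = "idle-role", RoleLastUsed = new RoleLastUsed { LastUsedDate = now.AddDays(-200) } },
            new Role { RoleName = "never-used-role" }, // RoleLastUsed left null
        };

        foreach (var role in roles)
        {
            Console.WriteLine($"{role.RoleName}: stale = {IsStale(role, now, 90)}");
        }

        // Live report against the account (uses the default credential chain):
        // var stale = await FindStaleRolesAsync(new AmazonIdentityManagementServiceClient(), 90);
        await Task.CompletedTask;
    }
}
```

One `GetRole` call per role is the cost of getting `RoleLastUsed`; for accounts with many roles, run the report on a schedule rather than interactively, and review the stale list before detaching policies or deleting anything.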
The following code example shows how to list IAM users.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

var client = new AmazonIdentityManagementServiceClient();

var request = new ListUsersRequest
{
    MaxItems = 10,
};

var response = new ListUsersResponse();

// Fetch each page inside the loop and only advance the Marker when the
// response is truncated; otherwise the last page of users is never printed.
do
{
    response = await client.ListUsersAsync(request);

    response.Users.ForEach(user =>
    {
        Console.WriteLine($"{user.UserName} created on {user.CreateDate}.");
        Console.WriteLine($"ARN: {user.Arn}\n");
    });

    if (response.IsTruncated)
    {
        request.Marker = response.Marker;
    }
} while (response.IsTruncated);
```
For API details, see ListUsers in the Amazon SDK for .NET API Reference.
Scenarios
The following code example shows how to:
- Create a user with no permissions.
- Create a role that grants permission to list the Amazon S3 buckets in the account.
- Add a policy to allow the user to assume the role.
- Assume the role and list Amazon S3 buckets using temporary credentials.
- Delete the policy, role, and user.
Tip: To learn how to set up and run this example, see GitHub.
```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Amazon;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;
using Amazon.S3;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public class IAM_Basics
{
    // Values needed for user, role, and policies.
    private const string UserName = "example-user";
    private const string S3PolicyName = "s3-list-buckets-policy";
    private const string RoleName = "temporary-role";
    private const string AssumePolicyName = "sts-trust-user";

    private static readonly RegionEndpoint Region = RegionEndpoint.USEast2;

    public static async Task Main()
    {
        DisplayInstructions();

        // Create the IAM client object.
        var client = new AmazonIdentityManagementServiceClient(Region);

        // First create a user. By default, the new user has
        // no permissions.
        Console.WriteLine($"Creating a new user with user name: {UserName}.");
        var user = await CreateUserAsync(client, UserName);
        var userArn = user.Arn;
        Console.WriteLine($"Successfully created user: {UserName} with ARN: {userArn}.");

        // Create an AccessKey for the user.
        var accessKey = await CreateAccessKeyAsync(client, UserName);

        var accessKeyId = accessKey.AccessKeyId;
        var secretAccessKey = accessKey.SecretAccessKey;

        // Try listing the Amazon Simple Storage Service (Amazon S3)
        // buckets. This should fail at this point because the user doesn't
        // have permissions to perform this task.
        var s3Client1 = new AmazonS3Client(accessKeyId, secretAccessKey);
        await ListMyBucketsAsync(s3Client1);

        // Define a role policy document that allows the new user
        // to assume the role.
        // string assumeRolePolicyDocument = File.ReadAllText("assumePolicy.json");
        string assumeRolePolicyDocument = "{" +
            "\"Version\": \"2012-10-17\"," +
            "\"Statement\": [{" +
            "\"Effect\": \"Allow\"," +
            "\"Principal\": {" +
            $"  \"AWS\": \"{userArn}\"" +
            "}," +
            "\"Action\": \"sts:AssumeRole\"" +
            "}]" +
            "}";

        // Permissions to list all buckets.
        string policyDocument = "{" +
            "\"Version\": \"2012-10-17\"," +
            "  \"Statement\" : [{" +
            "  \"Action\" : [\"s3:ListAllMyBuckets\"]," +
            "  \"Effect\" : \"Allow\"," +
            "  \"Resource\" : \"*\"" +
            "}]" +
            "}";

        // Create the role to allow listing the S3 buckets. Role names are
        // not case sensitive and must be unique to the account for which it
        // is created.
        var role = await CreateRoleAsync(client, RoleName, assumeRolePolicyDocument);
        var roleArn = role.Arn;

        // Create a policy with permissions to list S3 buckets.
        var policy = await CreatePolicyAsync(client, S3PolicyName, policyDocument);

        // Wait 15 seconds for the policy to be created.
        WaitABit(15, "Waiting for the policy to be available.");

        // Attach the policy to the role you created earlier.
        await AttachRoleAsync(client, policy.Arn, RoleName);

        // Wait 15 seconds for the role to be updated.
        Console.WriteLine();
        WaitABit(15, "Waiting for the policy to be attached.");

        // Use the AWS Security Token Service (AWS STS) to have the user
        // assume the role we created.
        var stsClient = new AmazonSecurityTokenServiceClient(accessKeyId, secretAccessKey);

        // Wait for the new credentials to become valid.
        WaitABit(10, "Waiting for the credentials to be valid.");

        var assumedRoleCredentials = await AssumeS3RoleAsync(stsClient, "temporary-session", roleArn);

        // Try again to list the buckets using the client created with
        // the temporary credentials. This time, it should work.
        var s3Client2 = new AmazonS3Client(assumedRoleCredentials);

        await ListMyBucketsAsync(s3Client2);

        // Now clean up all the resources used in the example.
        await DeleteResourcesAsync(client, accessKeyId, UserName, policy.Arn, RoleName);
        Console.WriteLine("IAM Demo completed.");
    }

    /// <summary>
    /// Create a new IAM user.
    /// </summary>
    /// <param name="client">The initialized IAM client object.</param>
    /// <param name="userName">A string representing the user name of the
    /// new user.</param>
    /// <returns>The newly created user.</returns>
    public static async Task<User> CreateUserAsync(
        AmazonIdentityManagementServiceClient client,
        string userName)
    {
        var request = new CreateUserRequest
        {
            UserName = userName,
        };

        var response = await client.CreateUserAsync(request);
        return response.User;
    }

    /// <summary>
    /// Create a new AccessKey for the user.
    /// </summary>
    /// <param name="client">The initialized IAM client object.</param>
    /// <param name="userName">The name of the user for whom to create the key.</param>
    /// <returns>A new IAM access key for the user.</returns>
    public static async Task<AccessKey> CreateAccessKeyAsync(
        AmazonIdentityManagementServiceClient client,
        string userName)
    {
        var request = new CreateAccessKeyRequest
        {
            UserName = userName,
        };

        var response = await client.CreateAccessKeyAsync(request);

        if (response.AccessKey is not null)
        {
            Console.WriteLine($"Successfully created Access Key for {userName}.");
        }

        return response.AccessKey;
    }

    /// <summary>
    /// Create a policy to allow a user to list the buckets in an account.
    /// </summary>
    /// <param name="client">The initialized IAM client object.</param>
    /// <param name="policyName">The name of the policy to create.</param>
    /// <param name="policyDocument">The permissions policy document.</param>
    /// <returns>The newly created ManagedPolicy object.</returns>
    public static async Task<ManagedPolicy> CreatePolicyAsync(
        AmazonIdentityManagementServiceClient client,
        string policyName,
        string policyDocument)
    {
        var request = new CreatePolicyRequest
        {
            PolicyName = policyName,
            PolicyDocument = policyDocument,
        };

        var response = await client.CreatePolicyAsync(request);
        return response.Policy;
    }

    /// <summary>
    /// Attach the policy to the role so that the user can assume it.
    /// </summary>
    /// <param name="client">The initialized IAM client object.</param>
    /// <param name="policyArn">The ARN of the policy to attach.</param>
    /// <param name="roleName">The name of the role to attach the policy to.</param>
    public static async Task AttachRoleAsync(
        AmazonIdentityManagementServiceClient client,
        string policyArn,
        string roleName)
    {
        var request = new AttachRolePolicyRequest
        {
            PolicyArn = policyArn,
            RoleName = roleName,
        };

        var response = await client.AttachRolePolicyAsync(request);

        if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
        {
            Console.WriteLine("Successfully attached the policy to the role.");
        }
        else
        {
            Console.WriteLine("Could not attach the policy.");
        }
    }

    /// <summary>
    /// Create a new IAM role that a user can assume.
    /// </summary>
    /// <param name="client">The initialized IAM client object.</param>
    /// <param name="roleName">The name of the IAM role to create.</param>
    /// <param name="rolePermissions">The trust policy document (JSON) that defines
    /// which principals are allowed to assume the role.</param>
    /// <returns>A Role object representing the newly created role.</returns>
    public static async Task<Role> CreateRoleAsync(
        AmazonIdentityManagementServiceClient client,
        string roleName,
        string rolePermissions)
    {
        var request = new CreateRoleRequest
        {
            RoleName = roleName,
            AssumeRolePolicyDocument = rolePermissions,
        };

        var response = await client.CreateRoleAsync(request);
        return response.Role;
    }

    /// <summary>
    /// List the Amazon S3 buckets visible to the credentials behind the client.
    /// </summary>
    /// <param name="client">An Amazon S3 client built with the credentials to test.</param>
    public static async Task ListMyBucketsAsync(AmazonS3Client client)
    {
        Console.WriteLine("\nPress <Enter> to list the S3 buckets using the new user.\n");
        Console.ReadLine();

        try
        {
            // Get the list of buckets accessible by the new user.
            var response = await client.ListBucketsAsync();

            // Loop through the list and print each bucket's name
            // and creation date.
            Console.WriteLine(new string('-', 80));
            Console.WriteLine("Listing S3 buckets:\n");
            response.Buckets
                .ForEach(b => Console.WriteLine($"Bucket name: {b.BucketName}, created on: {b.CreationDate}"));
        }
        catch (AmazonS3Exception ex)
        {
            // The call was denied or failed. Display the error message.
            Console.WriteLine($"Error: {ex.Message}");
        }

        Console.WriteLine("Press <Enter> to continue.");
        Console.ReadLine();
    }

    /// <summary>
    /// Have the user assume the role that allows the role to be used to
    /// list all S3 buckets.
    /// </summary>
    /// <param name="client">An initialized AWS STS client object.</param>
    /// <param name="roleSession">The name of the session where the role
    /// assumption will be active.</param>
    /// <param name="roleToAssume">The Amazon Resource Name (ARN) of the
    /// role to assume.</param>
    /// <returns>The temporary Credentials needed to perform the list
    /// buckets procedure.</returns>
    public static async Task<Credentials> AssumeS3RoleAsync(
        AmazonSecurityTokenServiceClient client,
        string roleSession,
        string roleToAssume)
    {
        // Create the request to use with the AssumeRoleAsync call.
        var request = new AssumeRoleRequest()
        {
            RoleSessionName = roleSession,
            RoleArn = roleToAssume,
        };

        var response = await client.AssumeRoleAsync(request);

        return response.Credentials;
    }

    /// <summary>
    /// Delete the user, and other resources created for this example.
    /// </summary>
    /// <param name="client">The initialized client object.</param>
    /// <param name="accessKeyId">The Id of the user's access key.</param>
    /// <param name="userName">The user name of the user to delete.</param>
    /// <param name="policyArn">The Amazon Resource Name (ARN) of the policy to delete.</param>
    /// <param name="roleName">The name of the role that will be deleted.</param>
    public static async Task DeleteResourcesAsync(
        AmazonIdentityManagementServiceClient client,
        string accessKeyId,
        string userName,
        string policyArn,
        string roleName)
    {
        var detachPolicyResponse = await client.DetachRolePolicyAsync(new DetachRolePolicyRequest
        {
            PolicyArn = policyArn,
            RoleName = roleName,
        });

        var delPolicyResponse = await client.DeletePolicyAsync(new DeletePolicyRequest
        {
            PolicyArn = policyArn,
        });

        var delRoleResponse = await client.DeleteRoleAsync(new DeleteRoleRequest
        {
            RoleName = roleName,
        });

        var delAccessKey = await client.DeleteAccessKeyAsync(new DeleteAccessKeyRequest
        {
            AccessKeyId = accessKeyId,
            UserName = userName,
        });

        var delUserResponse = await client.DeleteUserAsync(new DeleteUserRequest
        {
            UserName = userName,
        });
    }

    /// <summary>
    /// Display a countdown and wait for a number of seconds.
    /// </summary>
    /// <param name="numSeconds">The number of seconds to wait.</param>
    /// <param name="msg">The message to display before the countdown.</param>
    public static void WaitABit(int numSeconds, string msg)
    {
        Console.WriteLine(msg);

        // Wait for the requested number of seconds.
        for (int i = numSeconds; i > 0; i--)
        {
            System.Threading.Thread.Sleep(1000);
            Console.Write($"{i}...");
        }

        Console.WriteLine("\n\nPress <Enter> to continue.");
        Console.ReadLine();
    }

    /// <summary>
    /// Shows a description of the features of the program.
    /// </summary>
    public static void DisplayInstructions()
    {
        var separator = new string('-', 80);

        Console.WriteLine(separator);
        Console.WriteLine("IAM Basics");
        Console.WriteLine("This application uses the basic features of the AWS Identity and Access");
        Console.WriteLine("Management (IAM) creating, managing, and controlling access to resources for");
        Console.WriteLine("users. The application was created using the AWS SDK for .NET version 3.7 and");
        Console.WriteLine(".NET Core 5. The application performs the following actions:");
        Console.WriteLine();
        Console.WriteLine("1. Creates a user with no permissions");
        Console.WriteLine("2. Creates a role and policy that grants s3:ListAllMyBuckets permission");
        Console.WriteLine("3. Grants the user permission to assume the role");
        Console.WriteLine("4. Creates an Amazon Simple Storage Service (Amazon S3) client and tries");
        Console.WriteLine("   to list buckets. (This should fail.)");
        Console.WriteLine("5. Gets temporary credentials by assuming the role.");
        Console.WriteLine("6. Creates an Amazon S3 client object with the temporary credentials and");
        Console.WriteLine("   lists the buckets. (This time it should work.)");
        Console.WriteLine("7. Deletes all of the resources created.");
        Console.WriteLine(separator);
        Console.WriteLine("Press <Enter> to continue.");
        Console.ReadLine();
    }
}
```
For API details, see the following topics in the Amazon SDK for .NET API Reference.
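The scenario builds its trust policy and its permissions policy by concatenating string fragments, which is easy to get wrong (a missing comma or an unescaped quote only shows up as a `MalformedPolicyDocument` error at `CreateRole` or `CreatePolicy` time). The following added example (not code from the page or from the AWS SDK project) produces the same two documents with `System.Text.Json`, so the user ARN is escaped correctly and the structure is checked by the serializer, and adds a pre-flight check that refuses to create a policy whose `Allow` statement grants a wildcard action. The user ARN and account id are constructed placeholders; the helper names are this example's own. It targets .NET 6 or later for `System.Text.Json.Nodes`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using System.Text.Json.Nodes;

public static class PolicyDocuments
{
    private static readonly JsonSerializerOptions Pretty = new JsonSerializerOptions { WriteIndented = true };

    /// <summary>
    /// Trust policy: only the given principal ARN may call sts:AssumeRole on the role.
    /// This is the document passed as AssumeRolePolicyDocument to CreateRole.
    /// </summary>
    public static string TrustPolicyFor(string principalArn)
    {
        var doc = new
        {
            Version = "2012-10-17",
            Statement = new[]
            {
                new
                {
                    Effect = "Allow",
                    Principal = new Dictionary<string, string> { ["AWS"] = principalArn },
                    Action = "sts:AssumeRole",
                },
            },
        };
        return JsonSerializer.Serialize(doc, Pretty);
    }

    /// <summary>
    /// Permissions policy granting exactly the listed actions on the given resource.
    /// This is the document passed as PolicyDocument to CreatePolicy.
    /// </summary>
    public static string AllowPolicy(IEnumerable<string> actions, string resource)
    {
        var doc = new
        {
            Version = "2012-10-17",
            Statement = new[]
            {
                new { Effect = "Allow", Action = actions.ToArray(), Resource = resource },
            },
        };
        return JsonSerializer.Serialize(doc, Pretty);
    }

    /// <summary>
    /// Parse a policy document and return true if any Allow statement grants a
    /// wildcard action ("*" or "service:*"). Run before CreatePolicy as a
    /// least-privilege guard.
    /// </summary>
    public static bool HasWildcardAction(string policyJson)
    {
        var root = JsonNode.Parse(policyJson)!.AsObject();

        foreach (var statement in root["Statement"]!.AsArray())
        {
            if (statement!["Effect"]?.GetValue<string>() != "Allow") continue;

            // "Action" may be a single string or an array of strings.
            var action = statement["Action"];
            IEnumerable<string> actions = action is JsonArray arr
                ? arr.Select(a => a!.GetValue<string>())
                : new[] { action!.GetValue<string>() };

            if (actions.Any(a => a.EndsWith("*"))) return true;
        }

        return false;
    }

    public static void Main()
    {
        // Constructed placeholder ARN; the scenario gets the real one from CreateUser.
        var userArn = "arn:aws:iam::123456789012:user/example-user";
        Console.WriteLine(TrustPolicyFor(userArn));

        // The scenario's permissions policy, rebuilt with the serializer.
        var listBuckets = AllowPolicy(new[] { "s3:ListAllMyBuckets" }, "*");
        Console.WriteLine(listBuckets);
        Console.WriteLine($"wildcard action: {HasWildcardAction(listBuckets)}");

        // A broader document the guard should reject.
        var tooBroad = AllowPolicy(new[] { "s3:*" }, "*");
        Console.WriteLine($"wildcard action: {HasWildcardAction(tooBroad)}");
    }
}
```

The `Resource: "*"` in the bucket-listing policy is not a wildcard the guard needs to flag: `s3:ListAllMyBuckets` is an account-level action that does not support resource-level restriction, so `*` is the only valid resource for it. The guard looks at the `Action` element, where over-broad grants such as `s3:*` actually widen what the role can do.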