本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用 IAM 策略Amazon SDK for PHP版本 3
您通过创建策略向用户授予权限。策略是一个文档,其中列出了用户可以执行的操作以及这些操作会影响的资源。默认情况下会拒绝未显式允许的任何操作或资源。可将策略附加到用户、用户组、用户代入的角色以及资源。
以下示例演示如何:
-
使用 CreatePolicy 创建托管策略。
-
使用 AttachRolePolicy 将策略附加到角色。
-
使用 AttachUserPolicy 将策略附加到用户。
-
使用 AttachGroupPolicy 将策略附加到组。
-
使用 DetachRolePolicy 删除角色策略。
-
使用 DetachUserPolicy 删除用户策略。
-
使用 DetachGroupPolicy 删除组策略。
-
使用 DeletePolicy 删除托管策略。
-
使用 DeleteRolePolicy 删除角色策略。
-
使用 DeleteUserPolicy 删除用户策略。
-
使用 DeleteGroupPolicy 删除组策略。
Amazon SDK for PHPGitHub 上提供了
凭证
运行示例代码之前,请配置Amazon凭证,如中所述设置 凭证. 然后导入Amazon SDK for PHP,如中所述基本用法.
创建策略
导入
require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $myManagedPolicy = '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "RESOURCE_ARN" }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:UpdateItem" ], "Resource": "RESOURCE_ARN" } ] }'; try { $result = $client->createPolicy(array( // PolicyName is required 'PolicyName' => 'myDynamoDBPolicy', // PolicyDocument is required 'PolicyDocument' => $myManagedPolicy )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
将策略附加到角色
导入
require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $roleName = 'ROLE_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedRolePolicies = $client->getIterator('ListAttachedRolePolicies', ([ 'RoleName' => $roleName, ])); if (count($attachedRolePolicies) > 0) { foreach ($attachedRolePolicies as $attachedRolePolicy) { if ($attachedRolePolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachRolePolicy(array( // RoleName is required 'RoleName' => $roleName, // PolicyArn is required 'PolicyArn' => $policyArn )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
将策略附加到用户
导入
require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $userName = 'USER_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedUserPolicies = $client->getIterator('ListAttachedUserPolicies', ([ 'UserName' => $userName, ])); if (count($attachedUserPolicies) > 0) { foreach ($attachedUserPolicies as $attachedUserPolicy) { if ($attachedUserPolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachUserPolicy(array( // UserName is required 'UserName' => $userName, // PolicyArn is required 'PolicyArn' => $policyArn, )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
将策略附加到组
导入
require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->attachGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
分离用户策略
导入
require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachUserPolicy(array( // UserName is required 'UserName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
分离组策略
导入
require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
删除策略
导入
require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deletePolicy(array( // PolicyArn is required 'PolicyArn' => 'string' )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
删除角色策略
导入
require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteRolePolicy(array( // RoleName is required 'RoleName' => 'string', // PolicyName is required 'PolicyName' => 'string' )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
删除用户策略
导入
require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteUserPolicy(array( // UserName is required 'UserName' => 'string', // PolicyName is required 'PolicyName' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
删除组策略
导入
require 'vendor/autoload.php'; use Aws\Iam\IamClient; use Aws\Exception\AwsException;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyName is required 'PolicyName' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }