本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
在 适用于 PHP 的 Amazon SDK 版本 3 中使用 IAM 策略
您通过创建策略向用户授予权限。策略是一个文档,其中列出了用户可以执行的操作以及这些操作会影响的资源。默认情况下会拒绝未显式允许的任何操作或资源。可将策略附加到用户、用户组、用户代入的角色以及资源。
以下示例演示如何:
-
使用创建托管策略CreatePolicy。
-
使用将策略附加到角色AttachRolePolicy。
-
使用将策略附加到用户AttachUserPolicy。
-
使用将策略附加到群组AttachGroupPolicy。
-
使用删除角色策略DetachRolePolicy。
-
使用删除用户策略DetachUserPolicy。
-
使用移除组策略DetachGroupPolicy。
-
使用删除托管策略DeletePolicy。
-
使用删除角色策略DeleteRolePolicy。
-
使用删除用户策略DeleteUserPolicy。
-
使用删除组策略DeleteGroupPolicy。
的所有示例代码都可以在此 适用于 PHP 的 Amazon SDK 处找到 GitHub
凭证
在运行示例代码之前,请配置您的 Amazon 证书,如中所述凭证。然后导入 适用于 PHP 的 Amazon SDK,如中所述基本用法。
创建策略
导入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $myManagedPolicy = '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "RESOURCE_ARN" }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:UpdateItem" ], "Resource": "RESOURCE_ARN" } ] }'; try { $result = $client->createPolicy(array( // PolicyName is required 'PolicyName' => 'myDynamoDBPolicy', // PolicyDocument is required 'PolicyDocument' => $myManagedPolicy )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
将策略附加到角色
导入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $roleName = 'ROLE_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedRolePolicies = $client->getIterator('ListAttachedRolePolicies', ([ 'RoleName' => $roleName, ])); if (count($attachedRolePolicies) > 0) { foreach ($attachedRolePolicies as $attachedRolePolicy) { if ($attachedRolePolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachRolePolicy(array( // RoleName is required 'RoleName' => $roleName, // PolicyArn is required 'PolicyArn' => $policyArn )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
将策略附加到用户
导入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $userName = 'USER_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedUserPolicies = $client->getIterator('ListAttachedUserPolicies', ([ 'UserName' => $userName, ])); if (count($attachedUserPolicies) > 0) { foreach ($attachedUserPolicies as $attachedUserPolicy) { if ($attachedUserPolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachUserPolicy(array( // UserName is required 'UserName' => $userName, // PolicyArn is required 'PolicyArn' => $policyArn, )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
将策略附加到组
导入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->attachGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
分离用户策略
导入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachUserPolicy([ // UserName is required 'UserName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
分离组策略
导入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachGroupPolicy([ // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
删除策略
导入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deletePolicy(array( // PolicyArn is required 'PolicyArn' => 'string' )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
删除角色策略
导入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteRolePolicy([ // RoleName is required 'RoleName' => 'string', // PolicyName is required 'PolicyName' => 'string' ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
删除用户策略
导入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteUserPolicy([ // UserName is required 'UserName' => 'string', // PolicyName is required 'PolicyName' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }
删除组策略
导入
require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;
示例代码
$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyName is required 'PolicyName' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }