结合使用 IAM 策略与 Amazon SDK for PHP 版本 3 - Amazon SDK for PHP
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

结合使用 IAM 策略与 Amazon SDK for PHP 版本 3

您通过创建策略向用户授予权限。策略是一个文档,其中列出了用户可以执行的操作以及这些操作会影响的资源。默认情况下会拒绝未显式允许的任何操作或资源。可将策略附加到用户、用户组、用户代入的角色以及资源。

以下示例演示如何:

的所有示例代码都可以在此Amazon SDK for PHP处找到 GitHub

凭证

运行示例代码之前,请配置您的 Amazon 凭证,如 凭证 中所述。然后导入 Amazon SDK for PHP,如 基本用法 中所述。

创建策略

导入

require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $myManagedPolicy = '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "RESOURCE_ARN" }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:UpdateItem" ], "Resource": "RESOURCE_ARN" } ] }'; try { $result = $client->createPolicy(array( // PolicyName is required 'PolicyName' => 'myDynamoDBPolicy', // PolicyDocument is required 'PolicyDocument' => $myManagedPolicy )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

将策略附加到角色

导入

require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $roleName = 'ROLE_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedRolePolicies = $client->getIterator('ListAttachedRolePolicies', ([ 'RoleName' => $roleName, ])); if (count($attachedRolePolicies) > 0) { foreach ($attachedRolePolicies as $attachedRolePolicy) { if ($attachedRolePolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachRolePolicy(array( // RoleName is required 'RoleName' => $roleName, // PolicyArn is required 'PolicyArn' => $policyArn )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

将策略附加到用户

导入

require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); $userName = 'USER_NAME'; $policyName = 'AmazonDynamoDBFullAccess'; $policyArn = 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'; try { $attachedUserPolicies = $client->getIterator('ListAttachedUserPolicies', ([ 'UserName' => $userName, ])); if (count($attachedUserPolicies) > 0) { foreach ($attachedUserPolicies as $attachedUserPolicy) { if ($attachedUserPolicy['PolicyName'] == $policyName) { echo $policyName . " is already attached to this role. \n"; exit(); } } } $result = $client->attachUserPolicy(array( // UserName is required 'UserName' => $userName, // PolicyArn is required 'PolicyArn' => $policyArn, )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

将策略附加到组

导入

require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->attachGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

分离用户策略

导入

require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachUserPolicy([ // UserName is required 'UserName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

分离组策略

导入

require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->detachGroupPolicy([ // GroupName is required 'GroupName' => 'string', // PolicyArn is required 'PolicyArn' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

删除策略

导入

require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deletePolicy(array( // PolicyArn is required 'PolicyArn' => 'string' )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

删除角色策略

导入

require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteRolePolicy([ // RoleName is required 'RoleName' => 'string', // PolicyName is required 'PolicyName' => 'string' ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

删除用户策略

导入

require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteUserPolicy([ // UserName is required 'UserName' => 'string', // PolicyName is required 'PolicyName' => 'string', ]); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }

删除组策略

导入

require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Iam\IamClient;

示例代码

$client = new IamClient([ 'profile' => 'default', 'region' => 'us-west-2', 'version' => '2010-05-08' ]); try { $result = $client->deleteGroupPolicy(array( // GroupName is required 'GroupName' => 'string', // PolicyName is required 'PolicyName' => 'string', )); var_dump($result); } catch (AwsException $e) { // output error message if fails error_log($e->getMessage()); }